=====================================
Service Certificate Integration
=====================================

:version: $Revision: 1.1 $
:author: Thomas Uram
:status: Draft
:contact: ag-tech@mcs.anl.gov

Abstract
========

This document proposes a scheme for integrating service certificates
into the toolkit. The goal is to let users configure a service to run
with a particular service certificate, including at boot, without a
human present to supply a passphrase or generate a proxy.

Overview
========

The toolkit currently supports identity certificates. For the average
user running the venue client, an identity certificate often
suffices. However, users of the service-oriented portions of the
toolkit (VenueServer, NodeService, ServiceManager, and BridgeServer)
want to use no-password service certificates, both to avoid proxy
timeouts on long-running services and to allow the services to be
started at boot without first generating a proxy.

User scenario
-------------

* With an existing service certificate

  - In View Certificates (as the user who will run the service),
    select a service certificate
  - Export a service profile

* Without an existing service certificate

  - Run the Certificate Request tool as the user who will run the
    service
  - Request a service certificate
  - Export a service profile
  - The scripts to run the service at boot are copied at install
    time; the user must enable them explicitly through the system
  - When the service runs, it checks for the related certificate and,
    if the certificate is absent but the request exists, attempts to
    retrieve it

Summary of Modifications
========================

Installation
''''''''''''

- Create the ServiceProfiles directory
- Open question: automatically request certs for services that may
  run at boot?
- Put the startup scripts in place but leave them turned off (users
  enable them outside the toolkit)

ExportServiceProfileDialog
''''''''''''''''''''''''''

- Dialog that takes a service profile name and exports a service
  profile
- Open question: optionally export the certificate and key as files
  and write certfile/keyfile into the profile instead of a subject?
- Writes the profile to UserConfigDir/ServiceProfiles

CertificateRequestTool
''''''''''''''''''''''

- Add an option to the service cert request sequence that calls
  ExportServiceProfileDialog to export a service profile

CertificateManagement
'''''''''''''''''''''

- Modify certificate management to tag service certificates in the
  repository by type
- Add a panel for service certs
- The panel should offer to export a service profile based on the
  selected cert; call ExportServiceProfileDialog to do the export
- Require the service and the service cert to match (a venue server
  uses a venue server service cert)

Toolkit.Service
'''''''''''''''

- Add a command-line argument (--profile) to specify a service
  profile by name
- Use the specified service profile; otherwise use the like-named
  profile (the profile whose name matches the service)
- If the service cert is not present

  - Retrieve it if the related request exists
  - Otherwise, LOG and exit

CertificateRepository
'''''''''''''''''''''

- Look up a certificate by DN

Startup scripts
'''''''''''''''

- Needed for VenueServer, BridgeServer, NodeService, and
  ServiceManager
- Win32NodeService and Win32ServiceManager already exist
- Write init.d scripts

Deprecated Packages
-------------------

None

Specifications
==============

ServiceProfile class
''''''''''''''''''''

A profile records the type of service it belongs to and the credential
the service should run with. The credential is given either as explicit
certfile/keyfile paths or as a subject DN that is resolved against the
certificate repository (see CertificateRepository above).

::

    ServiceProfile
        serviceType
        subject
        certfile
        keyfile

        Export
        Import

ServiceProfile file format
''''''''''''''''''''''''''

The ``credential`` key names the section that holds the credential. A
credential section carries either ``certfile`` and ``keyfile`` or a
``subject``, not both.

::

    [ServiceProfile]
    service = VenueServer|BridgeServer|AGNodeService|AGServiceManager
    credential = Cred

    [Cred]
    type = x509
    certfile =
    keyfile =

    OR

    subject =

Security Issues
===============

None

Interoperability Issues
=======================

None

Related AGEPs
=============

None

Implementation
==============

None yet

References
==========

None

Copyright
=========

This document is Copyright 2003, The University of Chicago/Argonne
National Laboratory.

..
   Local Variables:
   mode: indented-text
   indent-tabs-mode: nil
   sentence-end-double-space: t
   fill-column: 70
   End:
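The profile file format from the Specifications and the lookup rules
listed under Toolkit.Service (use the named profile, else the like-named
one; resolve a subject through the repository; retrieve the cert if a
request exists, otherwise log and exit; require the cert type to match
the service), as an added Python example. This is not code from this
AGEP or from the toolkit, whose implementation the AGEP lists as "None
yet". The ``<name>.profile`` file naming, the repository methods
``FindCertificateByDN`` and ``RetrieveRequestedCertificate``, and the
sample profile are assumptions made for the example.

```python
# Added example, not code from this AGEP or the Access Grid toolkit.  It shows
# the ServiceProfile file format from the Specifications and the lookup rules
# under Toolkit.Service.  The "<name>.profile" naming, the repository methods
# and the retrieval of a requested certificate are assumptions for the example.
import configparser
import logging
import os

log = logging.getLogger("Toolkit.Service")
SERVICE_TYPES = ("VenueServer", "BridgeServer", "AGNodeService", "AGServiceManager")

# Constructed sample profile in the format given in the Specifications.
SAMPLE_PROFILE = """\
[ServiceProfile]
service = VenueServer
credential = Cred
[Cred]
type = x509
subject = /O=Access Grid/OU=example.org/CN=VenueServer/venues.example.org
"""

class ProfileError(Exception):
    """Malformed profile, or no usable certificate for the service."""

class ServiceProfile:
    def __init__(self, serviceType, subject=None, certfile=None, keyfile=None):
        if serviceType not in SERVICE_TYPES:
            raise ProfileError("unknown service type %r" % serviceType)
        if not subject and not (certfile and keyfile):
            raise ProfileError("profile needs certfile+keyfile or a subject")
        self.serviceType, self.subject = serviceType, subject
        self.certfile, self.keyfile = certfile, keyfile

    @classmethod
    def Import(cls, text):
        cp = configparser.ConfigParser()
        cp.read_string(text)
        if "ServiceProfile" not in cp:
            raise ProfileError("missing [ServiceProfile] section")
        sp = cp["ServiceProfile"]
        credName = sp.get("credential", "Cred")  # names the credential section
        if credName not in cp:
            raise ProfileError("missing credential section [%s]" % credName)
        cred = cp[credName]
        if cred.get("type", "x509") != "x509":
            raise ProfileError("unsupported credential type %r" % cred.get("type"))
        return cls(sp.get("service"), subject=cred.get("subject") or None,
                   certfile=cred.get("certfile") or None, keyfile=cred.get("keyfile") or None)

    def Export(self):
        lines = ["[ServiceProfile]", "service = " + self.serviceType,
                 "credential = Cred", "", "[Cred]", "type = x509"]
        if self.subject:
            lines.append("subject = " + self.subject)
        else:
            lines += ["certfile = " + self.certfile, "keyfile = " + self.keyfile]
        return "\n".join(lines) + "\n"

class CertificateRepository:
    """Stand-in repository: service certs tagged by type, found by DN, plus open requests."""
    def __init__(self):
        self.certs = {}     # subject DN -> (serviceType, certfile, keyfile)
        self.requests = {}  # subject DN -> serviceType requested

    def FindCertificateByDN(self, subject):
        return self.certs.get(subject)

    def RetrieveRequestedCertificate(self, subject):
        """Assumed: fetch the cert issued for a request submitted earlier."""
        serviceType = self.requests.pop(subject, None)
        if serviceType is None:
            return None
        tag = serviceType.lower()
        self.certs[subject] = (serviceType, tag + "-cert.pem", tag + "-key.pem")
        return self.certs[subject]

def LoadProfile(serviceType, profileDir, name=None):
    path = os.path.join(profileDir, (name or serviceType) + ".profile")  # --profile, else like-named
    with open(path) as f:
        profile = ServiceProfile.Import(f.read())
    if profile.serviceType != serviceType:
        raise ProfileError("%s cannot run with a %s profile" % (serviceType, profile.serviceType))
    return profile

def ResolveCredential(profile, repo):
    """Return (certfile, keyfile); on failure log and raise so the caller exits."""
    if profile.certfile:
        return profile.certfile, profile.keyfile
    entry = repo.FindCertificateByDN(profile.subject)
    if entry is None:  # not in the repository: retrieve it if a request exists
        entry = repo.RetrieveRequestedCertificate(profile.subject)
    if entry is None:
        log.error("no certificate for %s and no pending request", profile.subject)
        raise ProfileError("no certificate for " + profile.subject)
    certType, certfile, keyfile = entry
    if certType != profile.serviceType:  # a VenueServer needs a VenueServer cert
        raise ProfileError("%s cert cannot be used by %s" % (certType, profile.serviceType))
    if os.path.exists(keyfile) and os.stat(keyfile).st_mode & 0o077:
        log.warning("%s is readable by others; a no-password key should be 0600", keyfile)
    return certfile, keyfile
```

``ResolveCredential`` raises rather than calling ``sys.exit`` so that
the service's entry point decides how to exit after the error is
logged. The final permission check is the caveat that goes with a
no-password service certificate: because the private key is stored
unencrypted, the file mode (and running the service as the user who
exported the profile) is the only thing protecting it, so a key readable
by other local users is reported.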