<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Luis:<br>
<br>
See responses inline.<br>
<br>
On 3/14/08 3:24 PM, Luis Galárraga wrote:
<blockquote
cite="mid:3666c210803141324i3f5d9835x9348b4cd35ece2e7@mail.gmail.com"
type="cite">Greetings Tom:<br>
<br>
First of all, thanks again for your help, I have several questions,
this time related to server certificates. Do the things we were talking
about identity certificates apply to server certificates? We have a
developer who is working on consuming AG server web services from a
Java Client. He would like to work at home, but unfortunately our
request for opening certain TCP ports was denied because of security
issues. I told him to run server and client on his machine. I had to
make a server certificate request to be able to run the server the first
time:<br>
- Is it possible to omit this step?<br>
</blockquote>
The server does require a certificate; this requirement cannot be
avoided.<br>
<blockquote
cite="mid:3666c210803141324i3f5d9835x9348b4cd35ece2e7@mail.gmail.com"
type="cite">- If not, is it possible to create it with a tool like
openssl? When starting the server from a terminal, it asks for a certificate.<br>
</blockquote>
You can build up the required certificate state completely independent
from the Access Grid Developers CA if you want. In that case, you'll
have to make sure that the CA cert is installed at both the server and
at client machines. And the CA cert will have to be used to sign the
certificate used to run the server. This is standard PKI practice, so
you should be able to find sufficient references online. If you have
trouble, please ask.<br>
<blockquote
cite="mid:3666c210803141324i3f5d9835x9348b4cd35ece2e7@mail.gmail.com"
type="cite">- Is there a way of exporting a certificate from the command
line? I have a problem with the certificate management tool (it crashes
unexpectedly. I reported it and there is someone working to provide you
with a better report) so I cannot do it through the graphical interface.<br>
</blockquote>
You can use certmgr.py. In some cases, it will be called certmgr3.py.
After running it, type 'help' for a list of available commands.<br>
<br>
<blockquote
cite="mid:3666c210803141324i3f5d9835x9348b4cd35ece2e7@mail.gmail.com"
type="cite"><br>
Regards,<br>
Luis<br>
<br>
<br>
<br>
<div><span class="gmail_quote">2008/3/13, Thomas D. Uram &lt;<a
moz-do-not-send="true" href="mailto:turam@mcs.anl.gov">turam@mcs.anl.gov</a>&gt;:</span>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi
Luis:<br>
<br>
There are a few things you need to know in this regard:<br>
<br>
- By default, AG3 venues do not require that clients have a certificate<br>
to enter. Venues can be optionally configured to require a certificate,<br>
in which case the user must present a certificate that satisfies the<br>
access controls on the venue.<br>
<br>
- You can run your own CA and issue your own certificates. In that<br>
case, you'll need to make sure your clients have both your CA<br>
certificate and their personal certificate.<br>
<br>
Otherwise, this is general PKI. If you have other questions, don't<br>
hesitate to ask.<br>
<br>
Tom<br>
<br>
<br>
On 3/6/08 3:41 PM, Luis Galárraga wrote:<br>
> Greetings:<br>
><br>
> I am part of a project for developing a webinar infrastructure based on<br>
> Access Grid. After a long discussion in which suggestions in this<br>
> mailing list were strongly considered, we have decided to implement a<br>
> simple client for venues (in servers 3.x) using Java Web Start Apps.<br>
> As you can see, there are many things to do, and developers have<br>
> started by making tests with the SOAP interfaces in our AG server,<br>
> however they are not clear about the concepts behind the<br>
> authentication process. We know AG uses digital certificates for<br>
> everything: users and services and those certificates are generated by<br>
> AG developers (after a process request). Can our developer team<br>
> generate certificates signed by us or is your signature required?<br>
> Several people in our university will probably use the system so we<br>
> would like to have the privilege to generate the certificates. Could<br>
> someone explain to us in a better way the technical issues behind<br>
> authentication based on certificates (= how you implemented it)? I<br>
> hope you can help us.<br>
><br>
> Thanks in advance,<br>
><br>
> Regards,<br>
> Luis Galárraga<br>
</blockquote>
</div>
<br>
</blockquote>
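<br>
The certificate state described in the reply above (a private CA certificate, a server certificate signed by it, and the CA certificate distributed to server and clients) can be built with openssl as follows. This is an added example, not part of the original messages or of the Access Grid toolkit; the CA name, host name and file names are constructed, and importing the resulting files into the toolkit is not covered.<br>
<br>

```sh
#!/bin/sh
# Added example: a private CA and a server certificate built with openssl.
# Every name below (Example Private CA, Example Org, file names) is
# constructed for illustration.

# Write the extension profiles for the CA and the server certificate.
write_config() {     # $1 = working directory, $2 = server host name
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' '[dn]' \
        '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        '[v3_server]' \
        'basicConstraints = critical,CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$2" > "$1/pki.cnf"
}

# Self-signed CA certificate (ca.crt) and its private key (ca.key).
make_ca() {          # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/pki.cnf" -extensions v3_ca \
        -subj "/O=Example Org/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Server key and CSR, then a server certificate signed by the CA key.
make_server_cert() { # $1 = working directory, $2 = server host name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/pki.cnf" -subj "/O=Example Org/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -sha256 -days 90 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions v3_server \
        -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the CA certificate $1.
# This is the check a client can make once the CA cert is installed.
check_chain() {      # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Only ca.crt is copied to the server and client machines; ca.key stays with whoever issues certificates, and server.key stays on the server.<br>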
</body>
</html>