[AG-DEV] Identity certificates

Thomas D. Uram turam at mcs.anl.gov
Thu Mar 27 15:00:15 CDT 2008


Luis:

See responses inline.

On 3/14/08 3:24 PM, Luis Galárraga wrote:
> Greetings Tom:
>
> First of all, thanks again for your help. I have several questions, 
> this time related to server certificates. Do the things we were 
> talking about regarding identity certificates apply to server 
> certificates? We have a developer who is working on consuming AG server 
> web services from a Java client. He would like to work at home, but 
> unfortunately our request for opening certain TCP ports was denied 
> because of security issues. I told him to run the server and client on 
> his machine. I had to make a server certificate request to be able to 
> run the server the first time:
> - Is it possible to omit this step?
The server does require a certificate; this requirement cannot be avoided.
> - If not, is it possible to create it with a tool like openssl? When 
> starting the server from the terminal, it asks for a certificate.
You can build up the required certificate state completely independently 
of the Access Grid Developers CA if you want.  In that case, you'll 
have to make sure that the CA cert is installed at both the server and 
at client machines.  And the CA cert will have to be used to sign the 
certificate used to run the server.  This is standard PKI practice, so 
you should be able to find sufficient references online.  If you have 
trouble, please ask.
> - Is there a way of exporting a certificate from the command line? I 
> have a problem with the certificate management tool (it crashes 
> unexpectedly. I reported it and there is someone working to provide 
> you with a better report), so I cannot do it through the graphical 
> interface.
You can use certmgr.py.  In some cases, it will be called certmgr3.py.  
After running it, type 'help' for a list of available commands.

>
> Regards,
> Luis
>
>
>
> 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov <mailto:turam at mcs.anl.gov>>:
>
>     Hi Luis:
>
>     There are a few things you need to know in this regard:
>
>     - By default, AG3 venues do not require that clients have a
>     certificate
>     to enter.  Venues can be optionally configured to require a
>     certificate,
>     in which case the user must present a certificate that satisfies the
>     access controls on the venue.
>
>     - You can run your own CA and issue your own certificates.  In that
>     case, you'll need to make sure your clients have both your CA
>     certificate and their personal certificate.
>
>     Otherwise, this is general PKI.  If you have other questions, don't
>     hesitate to ask.
>
>     Tom
>
>
>     On 3/6/08 3:41 PM, Luis Galárraga wrote:
>     > Greetings:
>     >
>     > I am part of a project for developing a webinar infrastructure
>     > based on Access Grid. After a long discussion in which suggestions
>     > in this mailing list were strongly considered, we have decided to
>     > implement a simple client for venues (in servers 3.x) using Java
>     > Web Start Apps. As you can see, there are many things to do, and
>     > developers have started by making tests with the SOAP interfaces
>     > in our AG server; however, they are not clear about the concepts
>     > behind the authentication process. We know AG uses digital
>     > certificates for everything, users and services, and those
>     > certificates are generated by AG developers (after a request
>     > process). Can our developer team generate certificates signed by
>     > us, or is your signature required? Several people in our
>     > university will probably use the system, so we would like to have
>     > the privilege to generate the certificates. Could someone explain
>     > to us in a better way the technical issues behind authentication
>     > based on certificates (= how you implemented it)? I hope you can
>     > help us.
>     >
>     > Thanks in advance,
>     >
>     > Regards,
>     > Luis Galárraga
>
>
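The procedure Tom describes above (your own CA certificate installed on the server and on every client, and that same CA signing the server certificate), worked through with the openssl command line. This is an added example and is not part of the thread or of the Access Grid software; the organisation name, the server name ag-server.example and every file name are placeholders. It also shows the negative case: a certificate the private CA did not sign fails verification against that CA, which is exactly what a client that only trusts your CA would report.

```shell
#!/bin/sh
# Added example (not from the original thread): stand up a private CA with
# openssl, sign a server certificate with it, and verify the result the way
# a client that has the CA certificate installed would.  All names below
# (Example University, ag-server.example, file names) are placeholders.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Working directory for keys and certificates (override with WORK=/path).
WORK="${WORK:-$(mktemp -d)}"

# Config used by the req steps: the CA's distinguished name plus the
# extensions that mark a certificate as a CA.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
O = Example University
CN = Example AG Private CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root: ca.key + ca.crt.  ca.crt is what gets installed on the
# server and on every client; ca.key stays with whoever issues certificates.
make_private_ca() {
  write_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" \
    -config "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/ca.crt"
}

# Key, CSR and CA-signed certificate for one server name.  The leaf gets
# serverAuth and a subjectAltName so clients can match it to the host.
issue_server_cert() {
  name="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$name.key" -config "$WORK/pki.cnf" \
    -subj "/O=Example University/CN=$name" -out "$WORK/$name.csr"
  printf '%s\n' \
    '[v3_server]' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$name" \
    'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid' > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -extensions v3_server \
    -out "$WORK/$name.crt" 2>/dev/null
}

# A certificate that is self-signed with its own key, i.e. NOT issued by
# our CA.  Used to show what a client with only ca.crt installed rejects.
make_standalone_cert() {
  name="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -x509 -new -sha256 -days 365 -key "$WORK/$name.key" \
    -config "$WORK/pki.cnf" -subj "/O=Elsewhere/CN=$name" \
    -out "$WORK/$name.crt"
}

# The client-side check: does the certificate chain to ca.crt?
# Prints OK or FAIL.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Number of subjectAltName DNS entries in a certificate matching a name.
san_count() {
  openssl x509 -in "$1" -noout -text | grep -c "DNS:$2" || true
}

# Walk through the whole procedure when run as a script.
demo() {
  make_private_ca
  issue_server_cert ag-server.example
  echo "CA-signed server cert: $(verify_against_ca "$WORK/ag-server.example.crt")"   # OK
  make_standalone_cert other-server.example
  echo "unsigned server cert:  $(verify_against_ca "$WORK/other-server.example.crt")" # FAIL
  echo "files written to $WORK"
}
demo
```

Run it as a script; the keys and certificates are left in the temporary directory it prints at the end. Importing the resulting ca.crt and server certificate into the Access Grid certificate store is a separate step (the reply points at certmgr.py for that) and is not shown here.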