[AG-DEV] Identity certificates

Luis Galárraga lgalarra at fiec.espol.edu.ec
Thu Mar 27 18:53:23 CDT 2008


Thanks a lot for your help!! We understand AG a little better now :-)

Another question: we are trying to consume Venue and VenueServer web
services without success. Now, I understand that as AccessGrid relies on
Globus Toolkit (I have heard about it before, but I understand it better) we
need to construct clients compatible with it. Using JAX-WS (used by Netbeans
IDE) is not a good idea. Am I on the right track?

Luis,

2008/3/27, Thomas D. Uram <turam at mcs.anl.gov>:
>
>  Luis:
>
> See responses inline.
>
> On 3/14/08 3:24 PM, Luis Galárraga wrote:
>
> Greetings Tom:
>
> First of all, thanks again for your help, I have several questions, this
> time related to server certificates. Do the things we were talking about
> regarding identity certificates apply to server certificates? We have a developer who
> is working on consuming AG server web services from a Java client. He would
> like to work at home, but unfortunately our request for opening certain TCP
> ports was denied because of security issues. I told him to run the server and
> client on his machine. I had to make a server certificate request to be able
> to run the server the first time:
> - Is it possible to omit this step?
>
> The server does require a certificate; this requirement cannot be avoided.
>
> - If not, is it possible to create it with a tool like openssl? When
> starting the server from a terminal, it asks for a certificate.
>
> You can build up the required certificate state completely independent
> from the Access Grid Developers CA if you want.  In that case, you'll have
> to make sure that the CA cert is installed at both the server and at client
> machines.  And the CA cert will have to be used to sign the certificate used
> to run the server.  This is standard PKI practice, so you should be able to
> find sufficient references online.  If you have trouble, please ask.
>
> - Is there a way of exporting a certificate from the command line? I have a
> problem with the certificate management tool (it crashes unexpectedly; I
> reported it and there is someone working to provide you a better report), so
> I cannot do it through the graphical interface.
>
> You can use certmgr.py.  In some cases, it will be called certmgr3.py.
> After running it, type 'help' for a list of available commands.
>
>
> Regards,
> Luis
>
>
>
> 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov>:
> >
> > Hi Luis:
> >
> > There are a few things you need to know in this regard:
> >
> > - By default, AG3 venues do not require that clients have a certificate
> > to enter.  Venues can be optionally configured to require a certificate,
> > in which case the user must present a certificate that satisfies the
> > access controls on the venue.
> >
> > - You can run your own CA and issue your own certificates.  In that
> > case, you'll need to make sure your clients have both your CA
> > certificate and their personal certificate.
> >
> > Otherwise, this is general PKI.  If you have other questions, don't
> > hesitate to ask.
> >
> > Tom
> >
> >
> > On 3/6/08 3:41 PM, Luis Galárraga wrote:
> > > Greetings:
> > >
> > > > I am part of a project for developing a webinar infrastructure based on
> > > Access Grid. After a long discussion in which suggestions in this
> > > mailing list were strongly considered, we have decided to implement a
> > > simple client for venues (in servers 3.x) using Java Web Start Apps.
> > > As you can see, there are many things to do, and developers have
> > > > started by making tests with the SOAP interfaces in our AG server;
> > > > however, they are not clear about the concepts behind the
> > > authentication process. We know AG uses digital certificates for
> > > everything: users and services and those certificates are generated by
> > > AG developers (after a process request). Can our developer team
> > > > generate certificates signed by us, or is your signature required?
> > > Several people in our university will probably use the system so we
> > > > would like to have the privilege to generate the certificates. Could
> > > > someone explain to us in a better way the technical issues behind
> > > > authentication based on certificates (= how you implemented it)? I
> > > hope you can help us.
> > >
> > > Thanks in advance,
> > >
> > > Regards,
> > > Luis Galárraga
> >
>
>
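
The private-CA setup described in the replies above, sketched with openssl as an added example that is not part of the original thread or of Access Grid's own tooling; the CA names, host name and file layout are constructed placeholders. It shows why the CA certificate has to be installed on both machines: a peer that trusts a different CA rejects the server certificate.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate signed by it.
# Names such as lab-ca and venue.example.org are constructed placeholders.

# Create a CA key and a self-signed CA certificate.  $1=dir $2=CA name
# -nodes leaves the key unencrypted; protect the file or drop the flag.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Lab/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Create a server key and CSR, then sign the CSR with the named CA.
# $1=dir $2=CA name $3=server host name
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Lab/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -sha256 -days 90 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# What a peer does: accept the certificate only if it chains to a CA
# certificate that peer has installed.  $1=trusted CA cert $2=server cert
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" lab-ca && make_ca "$d" other-ca &&
        issue_server_cert "$d" lab-ca venue.example.org || return 1
    # Peer with lab-ca.pem installed: verification succeeds.
    chains_to "$d/lab-ca.pem" "$d/venue.example.org.pem" &&
        echo "peer trusting lab-ca: accepted"
    # Peer that only has some other CA installed: verification fails.
    chains_to "$d/other-ca.pem" "$d/venue.example.org.pem" ||
        echo "peer trusting other-ca: rejected"
    rm -rf "$d"
}
demo
```

Only the CA certificate (`lab-ca.pem` here) is copied to other machines; the CA private key stays with whoever issues certificates.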