[AG-DEV] Identity certificates
Thomas D. Uram
turam at mcs.anl.gov
Fri Mar 28 00:05:56 CDT 2008
AG2 did rely on the Globus toolkit.
AG3 does not rely on the Globus toolkit. We are using Doc-Lit SOAP via
Python ZSI (pywebsvcs.sourceforge.net). You should be able to consume
these services using other-language SOAP implementations. If not,
something is wrong with our WSDL, ZSI, or your other-language SOAP
implementation. I'll follow up on your other mail regarding the error
message you're getting.
For what it's worth, I know other people have consumed the AG web
services using a Java SOAP implementation (you should be able to find
information about this in the mailing list archives).
Tom
On 3/27/08 6:53 PM, Luis Galárraga wrote:
> Thanks a lot for your help!! We understand AG a little better now :-)
>
> Another question: we are trying to consume Venue and VenueServer web
> services without success. Now, I understand that as AccessGrid relies
> on Globus Toolkit (I have heard about it before, but I understand it
> better) we need to construct clients compatible with it. Using JAX-WS
> (used by Netbeans IDE) is not a good idea. Am I on the right track?
>
> Luis,
>
> 2008/3/27, Thomas D. Uram <turam at mcs.anl.gov>:
>
> Luis:
>
> See responses inline.
>
> On 3/14/08 3:24 PM, Luis Galárraga wrote:
>> Greetings Tom:
>>
>> First of all, thanks again for your help, I have several
>> questions, this time related to server certificates. Do the
>> things we were discussing about identity certificates apply to
>> server certificates? We have a developer who is working on
>> consuming AG server web services from a Java client. He would
>> like to work at home, but unfortunately our request for opening
>> certain TCP ports was denied because of security issues. I told
>> him to run server and client on his machine. I had to make a
>> server certificate request to be able to run the server the first time:
>> - Is it possible to omit this step?
> The server does require a certificate; this requirement cannot be
> avoided.
>> - If not, is it possible to create it with a tool like openssl?
>> When starting server from terminal, it asks for a certificate.
> You can build up the required certificate state completely
> independent from the Access Grid Developers CA if you want. In
> that case, you'll have to make sure that the CA cert is installed
> at both the server and at client machines. And the CA cert will
> have to be used to sign the certificate used to run the server.
> This is standard PKI practice, so you should be able to find
> sufficient references online. If you have trouble, please ask.
>> - Is there a way of exporting a certificate from the command line? I
>> have a problem with the certificate management tool (it crashes
>> unexpectedly; I reported it and there is someone working to
>> provide you a better report), so I cannot do it through the graphical
>> interface.
> You can use certmgr.py. In some cases, it will be called
> certmgr3.py. After running it, type 'help' for a list of
> available commands.
>
>
>>
>> Regards,
>> Luis
>>
>>
>>
>> 2008/3/13, Thomas D. Uram <turam at mcs.anl.gov>:
>>
>> Hi Luis:
>>
>> There are a few things you need to know in this regard:
>>
>> - By default, AG3 venues do not require that clients have a
>> certificate to enter. Venues can be optionally configured to
>> require a certificate, in which case the user must present a
>> certificate that satisfies the access controls on the venue.
>>
>> - You can run your own CA and issue your own certificates. In that
>> case, you'll need to make sure your clients have both your CA
>> certificate and their personal certificate.
>>
>> Otherwise, this is general PKI. If you have other questions, don't
>> hesitate to ask.
>>
>> Tom
>>
>>
>> On 3/6/08 3:41 PM, Luis Galárraga wrote:
>> > Greetings:
>> >
>> > I am part of a project for developing a webinar infrastructure based
>> > on Access Grid. After a long discussion in which suggestions in this
>> > mailing list were strongly considered, we have decided to implement a
>> > simple client for venues (in servers 3.x) using Java Web Start Apps.
>> > As you can see, there are many things to do, and developers have
>> > started by making tests with the SOAP interfaces in our AG server;
>> > however, they are not clear about the concepts behind the
>> > authentication process. We know AG uses digital certificates for
>> > everything: users and services, and those certificates are generated
>> > by AG developers (after a request process). Can our developer team
>> > generate certificates signed by us, or is your signature required?
>> > Several people in our university will probably use the system, so we
>> > would like to have the privilege to generate the certificates. Could
>> > someone explain to us, in a better way, the technical issues behind
>> > authentication based on certificates (= how you implemented it)? I
>> > hope you can help us.
>> >
>> > Thanks in advance,
>> >
>> > Regards,
>> > Luis Galárraga
>>
>>
>
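
The private-CA setup described in the quoted replies above (your own CA certificate installed on server and client machines, and used to sign the certificate the server runs with), written out with openssl as an added example that is not part of the original thread or of the Access Grid tooling. The organisation name, host name and file names are constructed, and importing the resulting files into AG is not shown.

```shell
#!/bin/sh
# Build a private CA, issue a server certificate from it, and check the
# chain the way a client that holds only the CA certificate would.
set -eu

# make_pki DIR HOST: writes ca.key/ca.crt and server.key/server.crt to DIR.
# Runs in a subshell with umask 077 so the private keys are owner-only.
make_pki() (
    umask 077
    mkdir -p "$1"
    # 1. CA key plus self-signed CA certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example University/CN=Example Venue CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt"
    # 2. Server key plus a certificate signing request for HOST.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example University/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr"
    # 3. Extensions that mark the result as a server (non-CA) certificate.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$2" > "$1/server.ext"
    # 4. The CA signs the request; this is the certificate the server uses.
    openssl x509 -req -sha256 -days 90 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.crt"
)

# verify_chain CA_CERT CERT: succeeds only if CERT was signed by CA_CERT.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_pki "$work/site" venue.example.org
verify_chain "$work/site/ca.crt" "$work/site/server.crt" \
    && echo "server.crt chains to ca.crt"
```

Only ca.crt is copied to the client machines; ca.key and server.key stay where they were generated.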