[AG-DEV] Identity certificates

Thomas D. Uram turam at mcs.anl.gov
Fri Mar 28 00:05:56 CDT 2008


AG2 did rely on the Globus toolkit.

AG3 does not rely on the Globus toolkit.  We are using Doc-Lit SOAP via 
Python ZSI (pywebsvcs.sourceforge.net).  You should be able to consume 
these services using other-language SOAP implementations.  If not, 
something is wrong with our WSDL, ZSI, or your other-language SOAP 
implementation.  I'll follow up on your other mail regarding the error 
message you're getting.

For what it's worth, I know other people have consumed the AG web 
services using a Java SOAP implementation (you should be able to find 
information about this in the mailing list archives).

Tom





On 3/27/08 6:53 PM, Luis Galárraga wrote:
> Thanks a lot for your help! We understand AG a little better now :-)
>
> Another question: we are trying to consume Venue and VenueServer web 
> services without success. Now, I understand that as AccessGrid relies 
> on Globus Toolkit (I have heard about it before, but I understand it 
> better) we need to construct clients compatible with it. Using JAX-WS 
> (used by Netbeans IDE) is not a good idea. Am I on the right track?
>
> Luis,
>
> 2008/3/27, Thomas D. Uram <turam at mcs.anl.gov>:
>
>     Luis:
>
>     See responses inline.
>
>     On 3/14/08 3:24 PM, Luis Galárraga wrote:
>>     Greetings Tom:
>>
>>     First of all, thanks again for your help. I have several
>>     questions, this time related to server certificates. Do the
>>     things we were discussing about identity certificates apply to
>>     server certificates? We have a developer who is working on
>>     consuming AG server web services from a Java client. He would
>>     like to work at home, but unfortunately our request to open
>>     certain TCP ports was denied because of security issues. I told
>>     him to run the server and client on his machine. I had to make a
>>     server certificate request to be able to run the server the first time:
>>     - Is it possible to omit this step?
>     The server does require a certificate; this requirement cannot be
>     avoided.
>>     - If not, is it possible to create it with a tool like openssl?
>>     When starting the server from a terminal, it asks for a certificate.
>     You can build up the required certificate state completely
>     independent from the Access Grid Developers CA if you want.  In
>     that case, you'll have to make sure that the CA cert is installed
>     at both the server and at client machines.  And the CA cert will
>     have to be used to sign the certificate used to run the server. 
>     This is standard PKI practice, so you should be able to find
>     sufficient references online.  If you have trouble, please ask.
>>     - Is there a way of exporting a certificate from the command line? I
>>     have a problem with the certificate management tool (it crashes
>>     unexpectedly; I reported it and there is someone working to
>>     provide you a better report), so I cannot do it through the graphical
>>     interface.
>     You can use certmgr.py.  In some cases, it will be called
>     certmgr3.py.  After running it, type 'help' for a list of
>     available commands.
>
>
>>
>>     Regards,
>>     Luis
>>
>>
>>
>>     2008/3/13, Thomas D. Uram <turam at mcs.anl.gov>:
>>
>>         Hi Luis:
>>
>>         There are a few things you need to know in this regard:
>>
>>         - By default, AG3 venues do not require that clients have a
>>         certificate to enter.  Venues can be optionally configured to
>>         require a certificate, in which case the user must present a
>>         certificate that satisfies the access controls on the venue.
>>
>>         - You can run your own CA and issue your own certificates.  In
>>         that case, you'll need to make sure your clients have both your
>>         CA certificate and their personal certificate.
>>
>>         Otherwise, this is general PKI.  If you have other questions,
>>         don't hesitate to ask.
>>
>>         Tom
>>
>>
>>         On 3/6/08 3:41 PM, Luis Galárraga wrote:
>>         > Greetings:
>>         >
>>         > I am part of a project developing a webinar infrastructure
>>         > based on Access Grid. After a long discussion in which
>>         > suggestions in this mailing list were strongly considered, we
>>         > have decided to implement a simple client for venues (in
>>         > servers 3.x) using Java Web Start Apps. As you can see, there
>>         > are many things to do, and developers have started by making
>>         > tests with the SOAP interfaces in our AG server; however, they
>>         > are not clear about the concepts behind the authentication
>>         > process. We know AG uses digital certificates for everything
>>         > (users and services), and those certificates are generated by
>>         > the AG developers (after a request process). Can our developer
>>         > team generate certificates signed by us, or is your signature
>>         > required? Several people in our university will probably use
>>         > the system, so we would like to have the privilege to generate
>>         > the certificates. Could someone explain to us, in a better
>>         > way, the technical issues behind authentication based on
>>         > certificates (= how you implemented it)? I hope you can help
>>         > us.
>>         >
>>         > Thanks in advance,
>>         >
>>         > Regards,
>>         > Luis Galárraga
>>
>>
>
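
A minimal sketch of the private-CA setup described in the quoted thread above (your own CA, a server certificate signed by it, and the CA certificate installed at both server and client), using the openssl command line. This is an added example, not Access Grid code and not part of the original messages; the CA name, file names, and the `localhost` subject are constructed placeholders, and how AG3 imports the resulting files is not covered here.

```shell
#!/bin/sh
# Added example: private CA + server certificate with the openssl CLI.
# All names and paths below are constructed placeholders.
set -eu
umask 077   # private keys must not be readable by other users

write_cfg() {   # $1 = work dir; own config so the system openssl.cnf is not needed
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = req
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
}

make_ca() {     # $1 = dir, $2 = file prefix, $3 = CA common name (self-signed root)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/pki.cnf" -extensions ca_ext -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_server_cert() {   # $1 = dir, $2 = file prefix of the signing CA
    # Key and CSR are created on the server side; only the CSR goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/pki.cnf" -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # The CA signs the CSR and sets the extensions itself (non-CA, serverAuth).
    openssl x509 -req -in "$1/server.csr" -sha256 -days 90 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions server_ext \
        -out "$1/server.crt" 2>/dev/null
}

chain_ok() {    # $1 = CA cert the verifier trusts, $2 = certificate to check
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
write_cfg "$d"
make_ca "$d" ca "Example AG Test CA"
issue_server_cert "$d" ca
chain_ok "$d/ca.crt" "$d/server.crt" && echo "server.crt chains to ca.crt"
openssl x509 -in "$d/server.crt" -noout -subject -issuer
```

Only `ca.crt` is copied to client machines; `ca.key` and `server.key` stay on the hosts where they were generated.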