Proxy Cert Authentication

Hi UNICORE Team,

I have got some questions about the Proxy Certificate Handling/Support for UNICORE 6.

I read the tutorial pages on the Sourceforge Wiki and had a deeper look on the source code. Are the following statements correct?

1. The CertAuthHandler creates a Proxy Certificate and puts it in the SOAP Header. The actual connection to the UNICORE Service is still established via the original certificate and therewith the User is the consignor.

2. ProxyCertInHandler extracts the Certificate and stores it in the security tokens of the message. Via the callback mechanism, the certificate is stored into the client object for the xnjs?

3. What is the method SecurityManager.handleProxyCert for? When I am using the ProxyCertXHandler, it does nothing with the proxy cert stored in the security tokens. In my case, tokens.getUser() is empty and therewith the method takes the Consignor CertPath. Because of 1. this is of course the original certificate of the user and not the proxy-cert. Is this correct?

Thanks for the help.

Regards,
André

--
André Höing
Technische Universitaet Berlin
Faculty of Electrical Engineering and Computer Science
Department of Telecommunication Systems
Complex and Distributed IT Systems

Re: Proxy Cert Authentication

hi André,

On Wed, 2009-08-19 at 15:36 +0200, André Höing wrote:
> Hi UNICORE Team,
>
> I have got some questions about the Proxy Certificate Handling/Support
> for UNICORE 6.
>
> I read the tutorial pages on the Sourceforge Wiki and had a deeper look
> on the source code. Are the following statements correct?
>
> 1. The CertAuthHandler creates a Proxy Certificate and puts it in the
> SOAP Header. The actual connection to the UNICORE Service is still
> established via the original certificate and therewith the User is the
> consignor.

yes, the ProxyCertOutHandler does that. This has absolutely no authentication function, it is just used to provide a proxy cert (generated on the client!) for use on the server-side. The prime use case is gridftp. The UNICORE security layer does not know anything about this, since the normal end-user key is used for signing messages and for doing SSL.

> 2. ProxyCertInHandler extracts the Certificate and stores it in the
> security tokens of the message. Via the callback mechanism, the
> certificate is stored into the client object for the xnjs?
>

yes.

> 3. What is the method SecurityManager.handleProxyCert for? When I am
> using the ProxyCertXHandler, it does nothing with the proxy cert stored
> in the security tokens. In my case, tokens.getUser() is empty and
> therewith the method takes the Consignor CertPath. Because of 1. this is
> of course the original certificate of the user and not the proxy-cert. Is
> this correct?

1) is not relevant here, this handleProxyCert() is for the *other* use of proxies, i.e. when people want to use them for SSL (in interoperability scenarios when a globus-based client is used to access UNICORE resources). In this scenario the private key is *NOT* available server-side, just the public key. There is some messy (and buggy) code that deals with the proxy certificate and tries to extract the real user DN from it. In "normal" UNICORE one would never use this, of course.

Many features like message signing and trust delegation simply do not work if this proxy stuff is enabled...

The main message is there are two ways to use proxies in UNICORE that have nothing to do with each other.

1) end-user cert is used for security, but a proxy cert is generated for using non-UNICORE grid software
2) proxy is used globus-style (not quite since we do not do delegation using proxies) for SSL

Hope this helps, and best regards,
Bernd.

>
> Thanks for the help.
>
> Regards,
> André
>

--
Dr. Bernd Schuller
Distributed Systems and Grid Computing
Juelich Supercomputing Centre, http://www.fz-juelich.de/jsc
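
The reply above mentions server-side code that tries to extract the real user DN when a proxy certificate is used for SSL. The following is an added example of that step, not UNICORE code and not part of the original thread: it walks a chain leaf-first and returns the first non-proxy subject, rejecting chains that break the RFC 3820 naming rule. The `Entry` record, class name and sample DNs are hypothetical, Java 16+ is assumed, and the chain is assumed to have already passed signature and path validation.

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ProxyChainIdentity {
    // Hypothetical chain entry. In real code: subject/issuer from X509Certificate,
    // hasProxyCertInfo = cert.getExtensionValue("1.3.6.1.5.5.7.1.14") != null.
    record Entry(String subject, String issuer, boolean hasProxyCertInfo) {}

    static boolean isProxy(Entry e) throws InvalidNameException {
        LdapName subject = new LdapName(e.subject());
        if (subject.isEmpty()) return false;
        Rdn last = subject.getRdn(subject.size() - 1); // most specific RDN
        String cn = String.valueOf(last.getValue());
        // Legacy Globus proxies carry no extension, only a conventional CN.
        boolean legacy = cn.equals("proxy") || cn.equals("limited proxy");
        if (!e.hasProxyCertInfo() && !legacy) return false;
        // RFC 3820: proxy subject = issuer subject + exactly one CN component.
        LdapName issuer = new LdapName(e.issuer());
        boolean namingOk = "CN".equalsIgnoreCase(last.getType())
                && subject.size() == issuer.size() + 1 && subject.startsWith(issuer);
        if (!namingOk)
            throw new IllegalArgumentException("bad proxy subject: " + e.subject());
        return true;
    }

    // Walks the chain leaf-first; returns the DN of the first non-proxy certificate.
    static String endEntityDn(List<Entry> chain) throws InvalidNameException {
        for (int i = 0; i < chain.size(); i++) {
            Entry e = chain.get(i);
            if (!isProxy(e)) return e.subject();
            // Each proxy must be issued by the next certificate in the chain.
            if (i + 1 == chain.size() || !new LdapName(e.issuer())
                    .equals(new LdapName(chain.get(i + 1).subject())))
                throw new IllegalArgumentException("broken proxy chain at " + i);
        }
        throw new IllegalArgumentException("no end-entity certificate in chain");
    }

    public static void main(String[] args) throws Exception {
        String user = "CN=Jane Doe,O=Example Grid,C=DE"; // constructed sample DNs
        List<Entry> chain = List.of(
            new Entry("CN=12345," + user, "CN=proxy," + user, true),
            new Entry("CN=proxy," + user, user, false),
            new Entry(user, "CN=Example CA,O=Example Grid,C=DE", false));
        System.out.println(endEntityDn(chain));
    }
}
```

Keying the decision on the proxy marker rather than on the DN shape alone avoids misclassifying an ordinary end-entity certificate whose subject happens to be its CA's DN plus one CN.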