Direct Issuance of Proxy Certificate on P-GRADE Grid Portal Without Using MyProxy


Ng Kang Siong (ksng@mimos.my), Galoh Rashidah Haron (rashidah@mimos.my)
MIMOS Berhad, Malaysia
www.eu-egee.org. EGEE and gLite are registered trademarks.

Overview

- Current issuance of proxy certificates on P-GRADE is handled by MyProxy.
- The user credential or proxy certificate must be preloaded into MyProxy.
- A username and password are used to log in to P-GRADE and to MyProxy respectively.
- We have made modifications to eliminate the use of username and password:
  - Configuration change to enable SSL client certificate authentication.
  - Generate the proxy certificate directly from the smart card via the browser, without using MyProxy.
  - Use MyKAD, the Malaysian national identity card with a built-in RSA co-processor, to handle the X.509 certificate.

MyProxy for Grid Portal

[Figure: components are User, User Computer (Web Browser, MyProxy Client), GridSphere, MyProxy Server (holding User Certificate and Proxy Certificate) and gLite Computing Grids. Numbered flows: (1) username and password from the MyProxy Client to the MyProxy Server; (2) username and password from the Web Browser to GridSphere and from GridSphere to the MyProxy Server; (3) the Proxy Certificate from the MyProxy Server; (4) digital certificate based mutual authentication between GridSphere and the gLite Computing Grids.]

Solution Framework

[Figure: User, User Computer (Web Browser), GridSphere and gLite Computing Grids, with the User Certificate and Proxy Certificate. Flows: (1) digital certificate based mutual authentication between the Web Browser and GridSphere; (2) digital certificate based mutual authentication between GridSphere and the gLite Computing Grids. MyProxy Client and Server are eliminated.]

Analysis

Changes required:
- Client PC: web browser extension program (PKCS#11 or CSP) interfacing with the MyKAD smart card.
- P-GRADE:
  - Add three new portlets: dogenerateproxy, docontinuegenerateproxy, doacceptproxy.
  - Enable SSL client authentication: Tomcat configuration, GridSphere user configuration.
- VOMS registration of the certificate held in MyKAD.

Additional Module at Client PC
Enabling Grids for E-sciencE

- Web browser extension program generates the proxy certificate using the private key on MyKAD.
- Use PKCS#11 to interface with MyKAD in Firefox.
- Use CSP to interface with MyKAD in Internet Explorer.
- Based on the public key generated at the server and embedded in the HTML page:

    <embed type="application/pc-plugin" width=200 height=20
           mnotbefore="<%=mnotbefore %>" mnotafter="<%=mnotafter %>"
           murl="<%=murl %>" mtarget="_self" mkey="<%=pubkey %>">

Additional Portlets at P-GRADE

dogenerateproxy
- Prepare the page to capture the proxy certificate lifetime.

docontinuegenerateproxy
- Capture the user's entry of the proxy certificate lifetime.
- Calculate the notBefore and notAfter values for the proxy certificate.
- Generate an RSA key pair for the proxy certificate.
- Encode the public key in base64 and URL-encoded format.
- Insert the URL-encoded public key into the HTML page.
- Convert the private key to OpenSSL PEM format and save it in a file.

doacceptproxy (Additional Portlet at P-GRADE)
- Target page to accept the user certificate and proxy certificate generated by the browser extension program.
- Construct the proxy credential from the proxy certificate, private key and user certificate.
- Extract user info from the user certificate.
- Register the proxy certificate with P-GRADE:

    // key under which the new credential is stored: user id plus current time
    SZGStoreKey key = new SZGStoreKey(userId, new Long(System.currentTimeMillis()));
    // proxy lifetime entered by the user, in hours, converted to seconds
    int lifetime;
    lifetime = Integer.parseInt(m_hour);
    lifetime = lifetime * 3600;
    DownloadedFrom = "Browser";
    Description = "Generate proxy certificate without MyProxy server";
    // load the credential (proxy certificate, private key, user certificate) from file
    this.cm.loadfromfile(crinstr, DownloadedFrom, lifetime, key, Description);
    // make the newly loaded credential the user's current one
    SZGCredential[] creds = this.cm.getcredentials(userId);
    getcb(userId).setcurrentcredential(creds[creds.length - 1]);
    this.saveusrcert(userId);
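The client module and the docontinuegenerateproxy/doacceptproxy portlets described above, modelled in Go with only the standard library, as an added example that is not the slides' or P-GRADE's code: signProxy stands in for the browser extension signing with the MyKAD key (assumed here to be an ordinary RSA key pair with a self-signed user certificate), and acceptProxy lists the checks the portal should make before a submitted proxy is registered as the current credential. The function names and the legacy (pre-RFC 3820) CN=proxy subject form are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// signProxy plays the browser extension: the user's key (on MyKAD in the original, an ordinary
// RSA key here) signs a legacy GSI proxy whose subject is the user DN plus CN=proxy and whose
// public key is the pair the portal generated in docontinuegenerateproxy.
func signProxy(userCert *x509.Certificate, userKey *rsa.PrivateKey, proxyPub *rsa.PublicKey, nb, na time.Time) (*x509.Certificate, error) {
	names := append(append([]pkix.AttributeTypeAndValue{}, userCert.Subject.Names...),
		pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"})
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(nb.Unix()), Subject: pkix.Name{ExtraNames: names},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, userCert, proxyPub, userKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptProxy plays doacceptproxy: what the portal should verify about a browser-submitted
// proxy certificate before it is registered as the user's current credential.
func acceptProxy(proxy, userCert *x509.Certificate, proxyKey *rsa.PrivateKey, now time.Time) error {
	// A legacy proxy is signed by an end-entity certificate, which standard chain building
	// (x509.Verify) rejects, so the signature is checked directly against the user certificate.
	if err := userCert.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return err
	}
	if !bytes.Equal(proxy.RawIssuer, userCert.RawSubject) {
		return errors.New("proxy issuer is not the user certificate subject")
	}
	// The key must be the pair the portal generated, so the private key it saved belongs to this proxy.
	if pub, ok := proxy.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&proxyKey.PublicKey) {
		return errors.New("proxy public key does not match the portal-generated key pair")
	}
	if proxy.NotBefore.After(now) || !proxy.NotAfter.After(now) || proxy.NotAfter.After(userCert.NotAfter) {
		return errors.New("proxy lifetime is outside the user certificate validity")
	}
	return nil
}
```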

Configuration Changes: Tomcat

Modify $CATALINA_HOME/conf/server.xml:

    <!-- clientAuth="true" makes Tomcat require a client certificate on this connector -->
    <Connector port="8443" minProcessors="5" maxProcessors="75"
               SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" keystorePass="password"/>

Configuration Changes: GridSphere

[Screenshot of the GridSphere configuration; not preserved in the transcription.]

Binding User Profile to Certificate

[Screenshot: DN for user certificate.]

SSL client certificate authentication using smart card
[Screenshots; two slides.]

Generate proxy certificate directly from smart card
[Screenshots; four slides.]

Set VO resources to the newly generated proxy certificate
[Screenshots; three slides.]

Job submission with the newly generated proxy certificate
[Screenshots; three slides.]

Future Work

- RFC 3820 compliant proxy certificate: WMS is unable to handle RFC 3820 compliant proxy certificates.
- Java workflow apps: cannot interface to the user certificate via either CSP or PKCS#11 to establish full SSL certificate based authentication; user identification is via userid.

END