Difference between revisions of "User:Wvengen@nikhef.nl/JGridStart"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 1: Line 1:
 +
Please find the new website [[JGridstart]] here.
 +
 +
-----
 
Using a [http://en.wikipedia.org/wiki/Grid_Computing computing grid] requires authorisation and authentication. This is managed by [http://en.wikipedia.org/wiki/Asymmetric_cryptography asymmetric cryptography] with client-side SSL certificates. Currently, setting this up requires the user to [http://ca.dutchgrid.nl/guide/ go through] [http://www.dutchgrid.nl/agenda/askArchive.php?base=agenda&categ=a042&id=a042s3t2/moreinfo several steps] that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling the end-user to quickly proceed to actually using the grid.
 
Using a [http://en.wikipedia.org/wiki/Grid_Computing computing grid] requires authorisation and authentication. This is managed by [http://en.wikipedia.org/wiki/Asymmetric_cryptography asymmetric cryptography] with client-side SSL certificates. Currently, setting this up requires the user to [http://ca.dutchgrid.nl/guide/ go through] [http://www.dutchgrid.nl/agenda/askArchive.php?base=agenda&categ=a042&id=a042s3t2/moreinfo several steps] that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling the end-user to quickly proceed to actually using the grid.
  

Revision as of 13:08, 27 August 2009

Please find the new website JGridstart here.


Using a computing grid requires authorisation and authentication. This is managed by asymmetric cryptography with client-side SSL certificates. Currently, setting this up requires the user to go through several steps that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling the end-user to quickly proceed to actually using the grid.

jGridStart is currently being developed.

 The first alpha version was released at 3 Aug 2009.
 Please help us testing!

Latest developments are happening at:

Planned features

  • user-interface
    • both graphical user-interface for easy usage by unknowledgeable users
    • and command-line interface for cli addicts and testing.
    • the application should detect the state of affairs and present sensible actions
    • working on multiple platforms: Linux, Windows, Mac OS X at the least
  • single point-of-entry for management of user grid certificates, including
    • requesting a new certificate
    • installing certificates into different parts of the system (like internet browsers)
    • rekeying an (almost expired) certificate
    • sending revocation requests
    • switching between different certificates (like the default certificate in your ~/.globus)
    • importing/exporting a certificate for transfer
    • changing the private key passphrase
  • security checks
    • validate permissions of private keys
    • require passwords on places where private keys are stored
    • require passwords to pass a minimum strength test
    • check certificates against revocation lists
  • adaptable configuration so it can be deployed by other parties with moderate effort
    • location of web forms for interaction with certificate authority
    • content and properties of user's certificate
    • name and organisation texts


Roadmap

version 0.1

  • graphical and command-line user-interface
  • working on Linux, written with portability in mind
  • actions: request new certificate, install, request renewal
  • security checks
  • unobtrusively support multiple certificates

version 0.2

  • working on Linux, Windows, Mac OS X
  • tests using command-line interface

version 0.3

  • actions: request revocation, import, export, change passphrase
  • add the notion of archived certificates (expired or revoked) and implement in user-interface

version 0.4

  • gather and process user feedback
  • make it work with other RA backends as well


Technologies

Notes of RA's

If you have something to add, please notify me!

  • frequently happening problems
    • people often send either a certificate signing request or the form instead of both
    • people often send a renewal as new request because they forget to send an S/MIME mail
  • feature requests
    • in registration form: identity-proof-document fields don't match the web interface ("nationality" instead of "document issuing country" and "document type")
    • a renewal should be sent automatically to the correct RA (same as original request but beware email changes)
    • in the RA interface "Authenticate request" an additional comment field would be handy
    • verify email by sending a confirmation link before accepting a certificate signing request


Server-side

jGridStart talks with a certificate authority using http requests. The application is delivered with a simple proof-of-concept certification authority that implements the required functionality. Also the existing DutchGrid CA web interface will be adapted to work with it.


Related documents

Related software

  • Grid Tools
  • SpectroGrid2 with a java web start based certificate manager (also here)
  • JaBaCATs Java Basic Certificate Authority Tools
  • Portecle - GUI to create, manage and examine keystores, keys, certificates, requests, revocation lists and more.
  • KeyTool IUI the cryptography GUI tool
  • gridshib-ca contains a java web start tool that installs user certificates
  • Grix is a Java gui application to help users handle security related tasks within a grid environment (discussion)
  • libbrowser is a Java library for accessing Internet Explorer and Mozilla keystores read/write(!) using native calls to dll/so.