Difference between revisions of "User:Wvengen@nikhef.nl/JGridStart"
| m (correct day typo) | m (alpha release!) | ||
| Line 1: | Line 1: | ||
| Using a [http://en.wikipedia.org/wiki/Grid_Computing computing grid] requires authorisation and authentication. This is managed by [http://en.wikipedia.org/wiki/Asymmetric_cryptography asymmetric cryptography] with client-side SSL certificates. Currently, setting this up requires the user to [http://ca.dutchgrid.nl/guide/ go through] [http://www.dutchgrid.nl/agenda/askArchive.php?base=agenda&categ=a042&id=a042s3t2/moreinfo several steps] that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling the end-user to quickly proceed to actually using the grid. | Using a [http://en.wikipedia.org/wiki/Grid_Computing computing grid] requires authorisation and authentication. This is managed by [http://en.wikipedia.org/wiki/Asymmetric_cryptography asymmetric cryptography] with client-side SSL certificates. Currently, setting this up requires the user to [http://ca.dutchgrid.nl/guide/ go through] [http://www.dutchgrid.nl/agenda/askArchive.php?base=agenda&categ=a042&id=a042s3t2/moreinfo several steps] that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling the end-user to quickly proceed to actually using the grid. | ||
| − | jGridStart is currently being developed. The [[User:Wvengen@nikhef.nl/JGridStart/version 1.0alpha1|first alpha version]] was  | + | jGridStart is currently being developed. The [[User:Wvengen@nikhef.nl/JGridStart/version 1.0alpha1|first alpha version]] was released at 3 Aug 2009. Latest developments are happening at: | 
| * Latest development build of the [http://www.nikhef.nl/~wvengen/jgridstart-devel/jgridstart.jnlp jGridstart] application | * Latest development build of the [http://www.nikhef.nl/~wvengen/jgridstart-devel/jgridstart.jnlp jGridstart] application | ||
| * Source code at [https://ndpfsvn.nikhef.nl/repos/pdpsoft/branches/nl.nikhef.jgridstart-flyingsaucer/nl.nikhef.jgridstart active SVN branch] or [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/branches/nl.nikhef.jgridstart-flyingsaucer/nl.nikhef.jgridstart/ web access] (trunk is currently outdated, [https://ndpfsvn.nikhef.nl/repos/pdpsoft/trunk/nl.nikhef.jgridstart SVN trunk] and [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/nl.nikhef.jgridstart/ web access]) | * Source code at [https://ndpfsvn.nikhef.nl/repos/pdpsoft/branches/nl.nikhef.jgridstart-flyingsaucer/nl.nikhef.jgridstart active SVN branch] or [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/branches/nl.nikhef.jgridstart-flyingsaucer/nl.nikhef.jgridstart/ web access] (trunk is currently outdated, [https://ndpfsvn.nikhef.nl/repos/pdpsoft/trunk/nl.nikhef.jgridstart SVN trunk] and [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/nl.nikhef.jgridstart/ web access]) | ||
Revision as of 14:22, 3 August 2009
Using a computing grid requires authorisation and authentication. This is managed by asymmetric cryptography with client-side SSL certificates. Currently, setting this up requires the user to go through several steps that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling the end-user to quickly proceed to actually using the grid.
jGridStart is currently being developed. The first alpha version was released at 3 Aug 2009. Latest developments are happening at:
- Latest development build of the jGridstart application
- Source code at active SVN branch or web access (trunk is currently outdated, SVN trunk and web access)
Grix is an existing program that aims for the same goal. It may or may not be a viable solution for us.
Planned features
- user-interface
- both graphical user-interface for easy usage by unknowledgeable users
- and command-line interface for cli addicts and testing.
- the application should detect the state of affairs and present sensible actions
- working on multiple platforms: Linux, Windows, Mac OS X at the least
 
- single point-of-entry for management of user grid certificates, including
- requesting a new certificate
- installing certificates into different parts of the system (like internet browsers)
- rekeying an (almost expired) certificate
- sending revocation requests
- switching between different certificates (like the default certificate in your ~/.globus)
- importing/exporting a certificate for transfer
- changing the private key passphrase
 
- security checks
- validate permissions of private keys
- require passwords on places where private keys are stored
- require passwords to pass a minimum strength test
- check certificates against revocation lists
 
- adaptable configuration so it can be deployed by other parties with moderate effort
- location of web forms for interaction with certificate authority
- content and properties of user's certificate
- name and organisation texts
 
Roadmap
version 0.1
- graphical and command-line user-interface
- working on Linux, written with portability in mind
- actions: request new certificate, install, request renewal
- security checks
- unobtrusively support multiple certificates
version 0.2
- working on Linux, Windows, Mac OS X
- tests using command-line interface
version 0.3
- actions: request revocation, import, export, change passphrase
- add the notion of archived certificates (expired or revoked) and implement in user-interface
version 0.4
- gather and process user feedback
- make it work with other RA backends as well
Technologies
- Programming language: Java version 1.3 or 1.4 (older versions are hardly used anymore).
- Good news: will use 1.5 (mainly because of generics) and retroweaver for downcompiling!
 
- Deployment: Java Web Start
- Building: Ant, ProGuard
- Toolkit: Swing for portability and ease of use (optionally SwingWT for native feel?)
- with Actions for a clean design,
- browser launcher complemented with desktop integration to open external web pages, see here,
- xhtmlrenderer (aka flying saucer) for html forms, and
- Apache Commons CLI for a getopt command-line interface
 
- Cryptography: BouncyCastle
- Logging: standard Java logging (java>=1.4)
- Installation of certificates into internet browsers:
Notes of RA's
If you have something to add, please notify me!
- frequently happening problems
- people often send either a certificate signing request or the form instead of both
- people often send a renewal as new request because they forget to send an S/MIME mail
 
- feature requests
- in registration form: identity-proof-document fields don't match the web interface ("nationality" instead of "document issuing country" and "document type")
- a renewal should be sent automatically to the correct RA (same as original request but beware email changes)
- in the RA interface "Authenticate request" an additional comment field would be handy
- verify email by sending a confirmation link before accepting a certificate signing request
 
Server-side
jGridStart talks with a certificate authority using http requests. The application is delivered with a simple proof-of-concept certification authority that implements the required functionality. Also the existing DutchGrid CA web interface will be adapted to work with it.
Related documents
- Getting access to the grid, presentation and demo on jGridstart (14th of May, 2009)
- See which client certificate is installed in your browser
- Certificate Authority Operations WG
- Certificate Installation
- The ~/.globus user directory with keys and certificates
- Notes
Related software
- Grid Tools
- SpectroGrid2 with a java web start based certificate manager (also here)
- JaBaCATs Java Basic Certificate Authority Tools
- Portecle - GUI to create, manage and examine keystores, keys, certificates, requests, revocation lists and more.
- KeyTool IUI the cryptography GUI tool
- gridshib-ca contains a java web start tool that installs user certificates
- Grix is a Java gui application to help users handle security related tasks within a grid environment
- libbrowser is a Java library for accessing Internet Explorer and Mozilla keystores read/write(!) using native calls to dll/so.
