Difference between revisions of "OAuth for MyProxy GetProxy Endpoint"
From PDP/Grid Wiki
Line 152: | Line 152: | ||
==== Server ==== | ==== Server ==== | ||
− | The OA4MP Server has both GetCert and GetProxy Endpoints available at the same time, but the MyProxy Server in its backend can only be configured to return '''either''' EEC '''or''' Proxy Certificate. Therefore caution must be taken to only expose the GetProxy Endpoint in case the backend MyProxy is configured to issue Proxy Certificates, otherwise you will end up getting | + | The OA4MP Server has both GetCert and GetProxy Endpoints available at the same time, but the MyProxy Server in its backend can only be configured to return '''either''' EEC '''or''' Proxy Certificate. Therefore caution must be taken to only expose the GetProxy Endpoint in case the backend MyProxy is configured to issue Proxy Certificates, otherwise you will end up getting EEC from the GetProxy Endpoint instead of the desired proxy. |
'''Note:''' Do not use the GetProxy Endpoint when the backend MyProxy Server is configured as a CA issuing End Entity Certificates! | '''Note:''' Do not use the GetProxy Endpoint when the backend MyProxy Server is configured as a CA issuing End Entity Certificates! | ||
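Review bot: the added sentence and the Note both tell operators not to expose the GetProxy Endpoint when the backend MyProxy issues End Entity Certificates, but neither says how the endpoint is enabled or disabled on the OA4MP Server, nor how an operator can confirm which of the two modes (EEC or Proxy Certificate) the backend MyProxy is configured for. Since the Server exposes both endpoints "at the same time", a short pointer to the relevant server configuration setting (and to the MyProxy-side setting that selects EEC versus proxy issuance) would make the caution actionable and would let a deployer check the pairing before going live.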
Line 160: | Line 160: | ||
[[File:Getproxy_servlet_seq.svg]] | [[File:Getproxy_servlet_seq.svg]] | ||
− | * Step 1 : As mentioned above, the key and CSR generation has been moved away from the OA4MP Client into the Server. The ''verifyAndGet'' method creates a new keypair and saves the resulting private key and CSR into the transaction. The proxylifetime, voname and vomses are | + | * Step 1 : As mentioned above, the key and CSR generation has been moved away from the OA4MP Client into the Server. The ''verifyAndGet'' method creates a new keypair and saves the resulting private key and CSR into the transaction. The proxylifetime, voname and vomses are stripped off from the request and saved in the transaction. |
* Step 2 : The ''checkMPConnection'' method initiates a new MyProxy connection | * Step 2 : The ''checkMPConnection'' method initiates a new MyProxy connection | ||
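Review bot: Step 1 now states that ''verifyAndGet'' generates the keypair on the Server and saves the private key, the CSR, and the proxylifetime/voname/vomses parameters into the transaction, but it does not say how long the private key stays in the transaction store or when it is removed. Because the key material now lives server-side rather than on the OA4MP Client, the step should document the point at which the private key is purged (for example once the proxy has been handed back to the client) and whether the transaction store holds it in plaintext, since that is the new exposure this design change introduces.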
Line 176: | Line 176: | ||
The original OA4MP uses ''MyX509Certificates'' as a container to transmit and receive certificate chains. With the extension of GetProxy Endpoint, this container class is no longer sufficient to transmit proxies around, because it cannot hold the proxy's private key. A new container under the name of ''MyX509Proxy'' has been implemented which extends ''MyX509Certificates''. | The original OA4MP uses ''MyX509Certificates'' as a container to transmit and receive certificate chains. With the extension of GetProxy Endpoint, this container class is no longer sufficient to transmit proxies around, because it cannot hold the proxy's private key. A new container under the name of ''MyX509Proxy'' has been implemented which extends ''MyX509Certificates''. | ||
− | The ''ProxyUtil'' class | + | The ''ProxyUtil'' class holds a set of static methods used for proxy transformation and generation. This class works with the aid of a newly introduced dependency: [https://github.com/eu-emi/canl-java/ canl-java]. At the time of this writing the canl version integrated was version [http://search.maven.org/#artifactdetails|eu.eu-emi.security|canl|2.2.0|jar 2.2.0]. |
A new request server called ''PPServer2'' (Protected Proxy Server 2) has been added after the model of ''PAServer2'' used for GetCert Requests. The new ''PPServer2'' class sets [[#Protocol Specification | GetProxy request parameters]] and creates a ''MyX509Proxy'' out of the response. | A new request server called ''PPServer2'' (Protected Proxy Server 2) has been added after the model of ''PAServer2'' used for GetCert Requests. The new ''PPServer2'' class sets [[#Protocol Specification | GetProxy request parameters]] and creates a ''MyX509Proxy'' out of the response. |
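Review bot: the new ''ProxyUtil'' paragraph pins the integrated canl-java version to 2.2.0 with a hard-coded Maven Central link, which will go stale as the dependency is bumped; consider stating instead where the version is declared (the project's build descriptor) and keeping the page to the dependency's name and project URL. Relatedly, the surrounding text introduces ''MyX509Proxy'' specifically because it must carry the proxy's private key alongside the chain, so the section should note how that container is serialized and protected when the proxy is "transmitted around" between ''PPServer2'' and its callers, as that is what distinguishes it from ''MyX509Certificates'' from a security standpoint.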