RCauth Delegation Server & MasterPortal - Credential Lifetimes
Revision as of 12:25, 4 September 2019
Introduction
The scenario described by the RCAuth.eu setup deals with several different user and proxy certificates. The credential released to the VO Portal (Science Gateway) is a proxy certificate chain containing:
- a short lived RFC3820 proxy certificate (optionally with VOMS extensions)
- a long lived RFC3820 proxy certificate
- an end entity certificate (EEC)
All three certificates can be created with a different lifetime, so the lifetime configurations within this setup can be confusing. This page explains every lifetime configuration you might encounter in the RCAuth.eu setup, together with its location, default value and function.
- In the wiki's tables, entries marked in red are client-side input parameters, usually supplied in a request for a credential.
- Entries marked in blue are server-side maximums used to check lifetime boundaries.
Short Lived Proxy
The lifetime of a Short Lived Proxy Certificate is determined by the following set of configurations.
Component | Sub-Component | Name | Default | Location | Description
--- | --- | --- | --- | --- | ---
Client Portal | - | proxylifetime | - | /getproxy request | Client requested lifetime value.
Master Portal | MP Server | defaultLifetime | 12h | MP Server configuration | If proxylifetime is missing from the /getproxy request, this value is used to request a short lived proxy.
Master Portal | MP Server | max_proxy_lifetime - tolerance | 11d - 1d | MP Server configuration | Used within LifetimeValidator for validating the requested proxy lifetime value. These values are only used for validation; they do not set the effective proxy lifetime. The max_proxy_lifetime value should match the value of the lifetime configuration with the same name in the Credential Store.
Master Portal | Credential Store | max_proxy_lifetime | 11d | Credential Store configuration | Server side maximum enforced by the MyProxy Store on every released proxy. This should match the value of the MP Server configuration with the same name.
Long Lived Proxy
The lifetime of a Long Lived Proxy Certificate is determined by the following configuration.
Component | Sub-Component | Name | Default | Location | Description
--- | --- | --- | --- | --- | ---
Master Portal | MP Client | lifetime | 11d | OA4MP Client configuration | This is a standard OA4MP Client configuration that is used as the requested certificate lifetime. In the context of the Master Portal this value determines the lifetime of both the long lived proxy and the requested end entity certificate.
End Entity Certificate
The lifetime of an End Entity Certificate is determined by the following configuration. Note that the lifetime configuration affects both the Long Lived Proxy Certificate and the End Entity Certificate. This is a conscious design choice, because the two credentials should match up.
Component | Sub-Component | Name | Default | Location | Description
--- | --- | --- | --- | --- | ---
Master Portal | MP Client | lifetime | 11d | OA4MP Client configuration | This is a standard OA4MP Client configuration that is used as the requested certificate lifetime. In the context of the Master Portal this value determines the lifetime of both the long lived proxy and the requested end entity certificate.
Delegation Server | Delegation Server | - | 10d | Hardcoded by OA4MP | If the lifetime value is missing from the /getcert request issued by the Master Portal, the lifetime of the requested certificate defaults to this value.
Delegation Server | Online CA | MAX_LIFETIME | 11d | sysconfig value of the etoken-ca | Server side maximum enforced by the Online CA on every released certificate.
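The three tables above describe how a default fills a missing request value and how a server-side maximum then bounds the result. The following Python model, added here as an example and not code from the Master Portal or Delegation Server, walks through that resolution for one credential chain and flags the two mismatches the tables warn about (max_proxy_lifetime differing between MP Server and Credential Store, and an MP Client lifetime above the Online CA MAX_LIFETIME). The configuration keys are labels of my own, and the rule that LifetimeValidator rejects requests above max_proxy_lifetime minus tolerance is an assumption; the page only states that the pair is used for validation.

```python
from datetime import timedelta

H, D = timedelta(hours=1), timedelta(days=1)

# Default values taken from the tables on this page (the key names are my own labels).
DEFAULTS = {
    "mp_server.defaultLifetime": 12 * H,     # used when /getproxy carries no proxylifetime
    "mp_server.max_proxy_lifetime": 11 * D,  # LifetimeValidator bound
    "mp_server.tolerance": 1 * D,            # LifetimeValidator tolerance
    "credstore.max_proxy_lifetime": 11 * D,  # enforced by the MyProxy store on release
    "mp_client.lifetime": 11 * D,            # OA4MP client lifetime (long lived proxy + EEC)
    "ds.default_cert_lifetime": 10 * D,      # hardcoded by OA4MP when /getcert lacks lifetime
    "online_ca.MAX_LIFETIME": 11 * D,        # enforced by the Online CA on every certificate
}


def check_consistency(cfg):
    """Return the misconfigurations the page warns about (empty list means consistent)."""
    problems = []
    if cfg["mp_server.max_proxy_lifetime"] != cfg["credstore.max_proxy_lifetime"]:
        problems.append("max_proxy_lifetime differs between MP Server and Credential Store")
    if cfg["mp_client.lifetime"] > cfg["online_ca.MAX_LIFETIME"]:
        problems.append("MP Client lifetime exceeds Online CA MAX_LIFETIME and cannot be honoured")
    return problems


def short_lived_proxy_lifetime(cfg, proxylifetime=None):
    """Effective lifetime of the short lived proxy for one /getproxy request.

    Assumption (not stated on the page): LifetimeValidator rejects a requested
    value above max_proxy_lifetime - tolerance.
    """
    requested = cfg["mp_server.defaultLifetime"] if proxylifetime is None else proxylifetime
    bound = cfg["mp_server.max_proxy_lifetime"] - cfg["mp_server.tolerance"]
    if requested > bound:
        raise ValueError(f"proxylifetime {requested} exceeds validator bound {bound}")
    # The MyProxy store applies its own maximum to every proxy it releases.
    return min(requested, cfg["credstore.max_proxy_lifetime"])


def eec_and_long_lived_proxy_lifetime(cfg, lifetime_in_getcert=True):
    """Lifetime of the EEC, and therefore of the long lived proxy, issued via /getcert."""
    requested = cfg["mp_client.lifetime"] if lifetime_in_getcert else cfg["ds.default_cert_lifetime"]
    return min(requested, cfg["online_ca.MAX_LIFETIME"])
```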