EToken-ca
From PDP/Grid Wiki
Revision as of 14:42, 8 March 2016 by Msalle@nikhef.nl
EToken-ca is a package that provides full privilege and user separation for a MyProxy server running in CA mode where the private key is stored on a SafeNet® eToken.
== Privilege separation ==
The MyProxy server typically runs under a dedicated account, myproxy. Instead of using its built-in functionality, myproxy-server can also run a callout program, configured as certificate_issuer_program, to produce certificates from an input consisting of a username, a lifetime and a certificate signing request. We use this to implement a privilege-separated setup, in which the myproxy-server process and the myproxy account have no access to the PIN code needed to unlock the private key.
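The callout is the trust boundary in this design: whatever myproxy-server hands it (username, lifetime, CSR) comes from the unprivileged side and must be checked before the token is unlocked, and the PIN file must be unreadable to the myproxy account. The following is an added illustration, not code from the EToken-ca package; it assumes the username and lifetime (in seconds) arrive as arguments and the CSR in PEM on stdin, a site lifetime cap of 12 hours, and a hypothetical PIN file path /etc/etoken-ca/pin. The PKCS#11 signing step itself is out of scope here.

```python
import base64
import os
import re
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_LIFETIME = 12 * 3600  # assumed site policy: cap what the unprivileged caller may ask for
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")
PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE REQUEST-----\s*(.+?)\s*"
                    r"-----END CERTIFICATE REQUEST-----\s*$", re.S)


@dataclass(frozen=True)
class IssueRequest:
    username: str
    lifetime: int   # seconds
    csr_der: bytes  # DER PKCS#10 request, the only thing the token-backed signer needs


def parse_request(username: str, lifetime: str, csr_pem: str) -> Tuple[Optional[IssueRequest], str]:
    """Validate the callout's input; return (request, "") or (None, reason for refusal)."""
    if not USERNAME_RE.match(username):
        return None, "username has unexpected characters"
    if not re.fullmatch(r"[0-9]{1,9}", lifetime) or not 0 < int(lifetime) <= MAX_LIFETIME:
        return None, "lifetime missing, non-numeric or above the site cap"
    m = PEM_RE.match(csr_pem)
    if not m:
        return None, "stdin is not a single PEM CERTIFICATE REQUEST"
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return None, "PEM body is not valid base64"
    if der[:1] != b"\x30":  # every PKCS#10 request is a DER SEQUENCE
        return None, "decoded request is not a DER SEQUENCE"
    return IssueRequest(username, int(lifetime), der), ""


def pin_file_is_private(mode: int, owner_uid: int, euid: int) -> bool:
    """True iff the PIN file belongs to the callout's own account and has no
    group/other permission bits, so the myproxy account cannot read it."""
    return owner_uid == euid and (mode & 0o077) == 0


def load_pin(path: str) -> str:
    st = os.stat(path)
    if not pin_file_is_private(st.st_mode, st.st_uid, os.geteuid()):
        raise PermissionError(f"{path}: must be owned by uid {os.geteuid()} with mode 0400/0600")
    with open(path) as f:
        return f.read().strip()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: etoken-callout <username> <lifetime-seconds> < request.pem")
    req, why = parse_request(sys.argv[1], sys.argv[2], sys.stdin.read())
    if req is None:
        sys.exit(f"refusing request: {why}")
    pin = load_pin("/etc/etoken-ca/pin")  # hypothetical path; unlock the eToken with it next
    print(f"validated request for {req.username}, {req.lifetime}s, {len(req.csr_der)} DER bytes")
```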