Difference between revisions of "RCauth Delegation Server & MasterPortal - Credential Lifetimes"

From PDP/Grid Wiki

Revision as of 13:33, 30 August 2016

Introduction

The scenario described by the RCAuth.eu setup deals with certificates on multiple levels. The credential released to the Service Provider Portal (Science Gateway) is a certificate chain containing: a short lived proxy certificate, a long lived proxy certificate, and an end entity certificate. All three certificates can be created with a different lifetime, so the lifetime configurations within this setup can be confusing. This page explains every lifetime configuration you might encounter in the RCAuth.eu setup, including its location, default value and function.

Short Lived Proxy

The lifetime of a Short Lived Proxy Certificate is determined by the following set of configurations.

{| class="wikitable"
! Component !! Sub-Component !! Name !! Default !! Location !! Description
|-
| Client Portal || - || ''proxylifetime'' || - || /getproxy request || Client requested lifetime value.
|-
| Master Portal || MP Server || ''defaultLifetime'' || 12h || MP Server configuration || In case the ''proxylifetime'' is missing from the /getproxy request, this value is used to request a short lived proxy.
|-
| Master Portal || MP Server || ''max_proxy_lifetime'' / ''tolerance'' || 11d / 1d || MP Server configuration || Used within the LifetimeValidator for validating the requested proxy lifetime value. These values are only used for validation; they do not set the effective proxy lifetime. The ''max_proxy_lifetime'' value should match the value of the configuration with the same name in the Credential Store.
|-
| Master Portal || Credential Store || ''max_proxy_lifetime'' || 11d || Credential Store configuration || Server side maximum enforced by the MyProxy Store on every released proxy. This should match the value of the MP Server configuration with the same name.
|}

Long Lived Proxy

The lifetime of a Long Lived Proxy Certificate is determined by the following configuration.

{| class="wikitable"
! Component !! Sub-Component !! Name !! Default !! Location !! Description
|-
| Master Portal || MP Client || ''lifetime'' || 11d || [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration] || This is a standard OA4MP Client configuration that is used as the requested certificate lifetime. In the context of the Master Portal this value determines the lifetime of both the long lived proxy and the requested end entity certificate.
|}

End Entity Certificate

The lifetime of an End Entity Certificate is determined by the following configuration. Note that the ''lifetime'' configuration affects both the Long Lived Proxy Certificate and the End Entity Certificate. This is a conscious design choice because the two credentials should match up.

{| class="wikitable"
! Component !! Sub-Component !! Name !! Default !! Location !! Description
|-
| Master Portal || MP Client || ''lifetime'' || 11d || [http://grid.ncsa.illinois.edu/myproxy/oauth/client/manuals/parameters.xhtml#tags OA4MP Client configuration] || This is a standard OA4MP Client configuration that is used as the requested certificate lifetime. In the context of the Master Portal this value determines the lifetime of both the long lived proxy and the requested end entity certificate.
|-
| Delegation Server || Delegation Server || - || 10d || [https://sourceforge.net/p/cilogon/code/HEAD/tree/trunk/edu.uiuc.ncsa/myproxy/oa4mp-server-api/src/main/java/edu/uiuc/ncsa/myproxy/oa4mp/server/servlet/ACS2.java#l62 Hardcoded by OA4MP] || In case the ''lifetime'' value is missing from the /getcert request issued by the Master Portal, the lifetime of the requested certificate defaults to this value.
|-
| Delegation Server || Online CA || ''MAX_LIFETIME'' || 11d || sysconfig value of the [http://ndpfsvn.nikhef.nl/viewvc/pdpsoft/trunk/eu.rcauth.pilot-ica/CA/etoken-ca/ etoken-ca] || Server side maximum enforced by the Online CA on every released certificate.
|}
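The three tables above each describe one credential in isolation, which makes it hard to see what a Science Gateway actually ends up holding. The following Python model, added here as an illustration and not code from RCauth, the Master Portal or OA4MP, walks the configured defaults through the short lived proxy, long lived proxy and end entity certificate sections and reports the usable lifetime of each certificate in the released chain. All configuration values are constructed from the defaults in the tables; the functions, names and the reading of ''tolerance'' as slack above ''max_proxy_lifetime'' during validation are assumptions (the page only states that both values are used by the LifetimeValidator), and the rule that a proxy is only usable while its issuer is still valid is standard X.509 path validation rather than something the page spells out.

```python
"""Model of how the credential lifetimes on this page combine.

Added example, not RCauth/OA4MP code. Configuration values are
constructed from the defaults in the tables; the meaning of
'tolerance' (slack above max_proxy_lifetime at validation time) is
an assumption.
"""
import re
from datetime import timedelta

_UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def parse_duration(text):
    """Parse the page's '11d' / '12h' style durations into a timedelta.
    Minutes and seconds are accepted as an assumption beyond the page."""
    m = re.fullmatch(r"\s*(\d+)([dhms])\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


# Constructed configuration mirroring the defaults in the tables above.
MP_SERVER = {"defaultLifetime": "12h", "max_proxy_lifetime": "11d", "tolerance": "1d"}
CREDENTIAL_STORE = {"max_proxy_lifetime": "11d"}
MP_CLIENT = {"lifetime": "11d"}
DELEGATION_SERVER_DEFAULT = "10d"   # hardcoded fallback when /getcert carries no lifetime
ONLINE_CA = {"MAX_LIFETIME": "11d"}


def end_entity_lifetime(getcert_lifetime):
    """EEC: the requested value (or the 10d hardcoded default when the
    /getcert request has none), capped by the Online CA's MAX_LIFETIME."""
    requested = parse_duration(getcert_lifetime or DELEGATION_SERVER_DEFAULT)
    return min(requested, parse_duration(ONLINE_CA["MAX_LIFETIME"]))


def long_lived_proxy_lifetime(eec, client_lifetime=MP_CLIENT["lifetime"]):
    """The long lived proxy is requested with the same 'lifetime' value; a
    proxy is only usable while its issuer is valid, so cap it at the EEC."""
    return min(parse_duration(client_lifetime), eec)


def validate_short_proxy_request(proxylifetime, server=MP_SERVER):
    """LifetimeValidator step: fall back to defaultLifetime when /getproxy has
    no proxylifetime, then reject anything above max_proxy_lifetime + tolerance
    (assumed meaning of tolerance). Validation only; nothing is capped here."""
    requested = parse_duration(proxylifetime or server["defaultLifetime"])
    ceiling = parse_duration(server["max_proxy_lifetime"]) + parse_duration(server["tolerance"])
    if requested > ceiling:
        raise ValueError(f"requested proxy lifetime {requested} exceeds {ceiling}")
    return requested


def short_lived_proxy_lifetime(proxylifetime, llp, store=CREDENTIAL_STORE):
    """Validated request, capped by the Credential Store's enforced maximum
    and by the long lived proxy it is derived from."""
    requested = validate_short_proxy_request(proxylifetime)
    return min(requested, parse_duration(store["max_proxy_lifetime"]), llp)


def effective_chain(getcert_lifetime=MP_CLIENT["lifetime"], proxylifetime=None):
    """Usable lifetime of each certificate in the released chain."""
    eec = end_entity_lifetime(getcert_lifetime)
    llp = long_lived_proxy_lifetime(eec)
    slp = short_lived_proxy_lifetime(proxylifetime, llp)
    return {"eec": eec, "long_lived_proxy": llp, "short_lived_proxy": slp}


def config_findings(server=MP_SERVER, store=CREDENTIAL_STORE, ca=ONLINE_CA, client=MP_CLIENT):
    """Consistency checks the tables ask for: matching max_proxy_lifetime
    values, and a client 'lifetime' the Online CA will not silently shorten."""
    findings = []
    if parse_duration(server["max_proxy_lifetime"]) != parse_duration(store["max_proxy_lifetime"]):
        findings.append("max_proxy_lifetime differs between MP Server and Credential Store")
    if parse_duration(client["lifetime"]) > parse_duration(ca["MAX_LIFETIME"]):
        findings.append("MP Client lifetime exceeds Online CA MAX_LIFETIME; certificates will be shortened")
    return findings


if __name__ == "__main__":
    for name, value in effective_chain(proxylifetime="12h").items():
        print(f"{name}: {value}")
    print("findings:", config_findings() or "none")
```

With the defaults, a /getproxy request for 12d passes validation (11d plus 1d tolerance) but is still released as an 11d proxy, because the Credential Store's ''max_proxy_lifetime'' is the value that is actually enforced; that is the distinction between validation and enforcement the MP Server table makes. Lowering ''MAX_LIFETIME'' on the Online CA below the MP Client ''lifetime'' shows up as a finding rather than a silent mismatch between the proxy and the end entity certificate.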