Projects:

nl.nikhef.slcshttps

Method

Method used by the IMDI browser to obtain a certificate, see image below

User point of view (mostly):

1. User clicks/chooses initialization option
2. java browser starts a webbrowser
3. which points to the online CA at SURFnet
4. Online CA redirects webbrowser to WAYF (Where Are You From) server where user chooses his Identity Provider
5. User logs in at IdP
6. webbrowser redirects back to online CA. User closes webbrowser.
7. After confirmation by user, java browser now connects itself to online CA
8. java browser retrieves certificate from online CA

Technical overview:

1. Initialization procedure:
   1. javabrowser creates a keypair
   2. javabrowser creates a certificate signing request (CSR)
2. javabrowser starts a webbrowser
3. the URL is the online CA + a hash of the CSR
4. Online CA redirects to the browser to the IdP via a WAYF (where are you from). This is the standard Shibboleth trajectory.
5. User logs in and the webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth.

Files:

• full zip-archive (Full zip including jar file, build, and javadoc)
• zip-archive (Zip including only sources, run ant to get the rest)
• JDK1.5 jarfile
• Javadoc API
• SVN repository with source

Talks:

• Talk at BiGGrid meeting, Nikhef, 27 May 2009

Note that you also need the BouncyCastle provider. Direct link to the JDK1.5 jarfile

gLite security

See e.g. Nikhef Site Access Control pages