Projects:

nl.nikhef.slcshttps

Method

Method used by the IMDI browser to obtain a certificate, see image below

User point of view (mostly):

1. User clicks/chooses initialization option
2. java browser starts a webbrowser
3. which points to the online CA at SURFnet
4. Online CA redirects webbrowser to WAYF (Where Are You From) server where user chooses his Identity Provider
5. User logs in at IdP
6. webbrowser redirects back to online CA. User closes webbrowser.
7. After confirmation by user, java browser now connects itself to online CA
8. java browser retrieves certificate from online CA

Technical overview:

1. Initialization procedure:
   1. javabrowser creates a keypair
   2. javabrowser creates a certificate signing request (CSR)
2. javabrowser starts a webbrowser
3. the URL is the online CA + a hash of the CSR
4. Online CA redirects to the browser to the IdP via a WAYF (where are you from). This is the standard Shibboleth trajectory.
5. User logs in at his/her IdP
6. webbrowser sends the user back to the online CA. The URL is now rewritten using Shibboleth, and the Online CA knows the user who send the CSR hash is authorized. The user now tells the javabrowser that (s)he is finished with the webbrowser.
7. The javabrowser now sends directly the full CSR to the Online CA
8. The Online CA now:
   1. calculates the hash
   2. checks whether it is known/corresponds to a authorized user
   3. if yes, signs the CSR
   4. sends a HTTP reply with the signed certificate

   The signed certificate is stored inside the javabrowser and will be offered as client side certificate upon opening a HTTPS connection.

Files:

• full zip-archive (Full zip including jar file, build, and javadoc)
• zip-archive (Zip including only sources, run ant to get the rest)
• JDK1.5 jarfile
• Javadoc API
• SVN repository with source

Talks:

• Talk at BiGGrid meeting, Nikhef, 27 May 2009

Note that you also need the BouncyCastle provider. Direct link to the JDK1.5 jarfile

gLite security

See e.g. Nikhef Site Access Control pages