|
|
| (15 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| − | Using a [http://en.wikipedia.org/wiki/Grid_Computing computing grid] requires authorisation and authentication. This is managed by [http://en.wikipedia.org/wiki/Asymmetric_cryptography asymmetric cryptography] with client-side SSL certificates. Currently, setting this up requires the user to [http://ca.dutchgrid.nl/guide/ go through] [http://www.dutchgrid.nl/agenda/askArchive.php?base=agenda&categ=a042&id=a042s3t2/moreinfo several steps] that can by quite daunting to some. jGridStart attempts to ease this process with automation and a graphical user-interface, enabling you to quickly proceed to actually using the grid.
| + | #REDIRECT [[JGridstart]] |
| − | | |
| − | jGridStart is currently being developed. I expect a first version to be ready somewhere in May 2009. Current work-in-progress is available from:
| |
| − | | |
| − | * Latest development build of the [http://www.nikhef.nl/~wvengen/jgridstart03b/jgridstart.jnlp jGridstart] application
| |
| − | * A less recent build of the and [http://www.nikhef.nl/~wvengen/jgridstart03/jgridstart.jnlp jGridstart] application
| |
| − | * Source code at [https://ndpfsvn.nikhef.nl/repos/pdpsoft/branches/nl.nikhef.jgridstart-flyingsaucer/nl.nikhef.jgridstart active SVN branch] or [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/branches/nl.nikhef.jgridstart-flyingsaucer/nl.nikhef.jgridstart/ web access] (trunk is currently outdated, [https://ndpfsvn.nikhef.nl/repos/pdpsoft/trunk/nl.nikhef.jgridstart SVN trunk] and [https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/nl.nikhef.jgridstart/ web access])
| |
| − | * Design of the user-interface was based on [http://www.nikhef.nl/~wvengen/jgridstart02/jgridstart.jnlp this mockup], which is non-functional, of course.
| |
| − | | |
| − | [http://grix.arcs.org.au/ Grix] is an existing program that aims for the same goal. It [[User:Wvengen@nikhef.nl/JGridStart/Grix|may or may not be]] a viable solution for us.
| |
| − | | |
| − | == Planned features ==
| |
| − | * user-interface
| |
| − | ** both graphical user-interface for easy usage by unknowledgeable users
| |
| − | ** and command-line interface for cli addicts and testing.
| |
| − | ** the application should detect the state of affairs and present sensible actions
| |
| − | ** working on multiple platforms: Linux, Windows, Mac OS X at the least
| |
| − | * single point-of-entry for management of ''user'' grid certificates, including
| |
| − | ** requesting a new certificate
| |
| − | ** installing certificates into different parts of the system (like internet browsers)
| |
| − | ** rekeying an (almost expired) certificate
| |
| − | ** sending revocation requests
| |
| − | ** switching between different certificates (like the default certificate in your ~/.globus)
| |
| − | ** importing/exporting a certificate for transfer
| |
| − | ** changing the private key passphrase
| |
| − | * security checks
| |
| − | ** validate permissions of private keys
| |
| − | ** require passwords on places where private keys are stored
| |
| − | ** require passwords to pass a minimum strength test
| |
| − | ** check certificates against revocation lists
| |
| − | * adaptable configuration so it can be deployed by other parties with moderate effort
| |
| − | ** location of web forms for interaction with certificate authority
| |
| − | ** content and properties of user's certificate
| |
| − | ** name and organisation texts
| |
| − | | |
| − | | |
| − | == Roadmap ==
| |
| − | === version 0.1 ===
| |
| − | * graphical and command-line user-interface
| |
| − | * working on Linux, written with portability in mind
| |
| − | * actions: request new certificate, install, request renewal
| |
| − | * security checks
| |
| − | * unobtrusively support multiple certificates
| |
| − | | |
| − | === version 0.2 ===
| |
| − | * working on Linux, Windows, Mac OS X
| |
| − | * tests using command-line interface
| |
| − | | |
| − | === version 0.3 ===
| |
| − | * actions: request revocation, import, export, change passphrase
| |
| − | * add the notion of archived certificates (expired or revoked) and implement in user-interface
| |
| − | | |
| − | === version 0.4 ===
| |
| − | * gather and process user feedback
| |
| − | * make it work with other RA backends as well
| |
| − | | |
| − | | |
| − | == Technologies ==
| |
| − | * Programming language: [http://java.sun.com/javase/ Java] version 1.3 or 1.4 (older versions are [http://www.statowl.com/java.php hardly used] anymore).
| |
| − | ** Good news: will use 1.5 (mainly because of generics) and [http://retroweaver.sourceforge.net/ retroweaver] for downcompiling!
| |
| − | * Deployment: [http://java.sun.com/javase/technologies/desktop/javawebstart/ Java Web Start]
| |
| − | * Building: [http://ant.apache.org/ Ant], [http://proguard.sourceforge.net/ ProGuard]
| |
| − | * Toolkit: [http://java.sun.com/javase/6/docs/technotes/guides/swing/ Swing] for portability and ease of use (optionally [http://swingwt.sourceforge.net/ SwingWT] for native feel?)
| |
| − | ** with [http://java.sun.com/docs/books/tutorial/uiswing/misc/action.html Actions] for a clean design,
| |
| − | ** [http://www.centerkey.com/java/browser/ browser launcher] complemented with [https://jdic.dev.java.net/ desktop integration] to open external web pages, [[User:Wvengen@nikhef.nl/BareBonesBrowserLaunch|see here]],
| |
| − | ** [https://xhtmlrenderer.dev.java.net/ xhtmlrenderer] (aka flying saucer) for html forms, and
| |
| − | ** [http://commons.apache.org/cli/ Apache Commons CLI] for a getopt command-line interface
| |
| − | * Cryptography: [http://bouncycastle.org/java.html BouncyCastle]
| |
| − | * Logging: standard [http://java.sun.com/javase/6/docs/technotes/guides/logging/ Java logging] (java>=1.4)
| |
| − | * Installation of certificates into internet browsers:
| |
| − | ** [http://www.mozilla.com/firefox/ Firefox]: [http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html certutil]
| |
| − | ** [http://www.microsoft.com/ie/ Internet Explorer]: the [http://msdn.microsoft.com/en-us/library/aa376007(VS.85).aspx CEnroll] ActiveX object
| |
| − | ** [http://www.apple.com/safari/ Safari]: using [http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/certtool.1.html certtool] (as shown [http://computing.fnal.gov/software/MacOSX/importingDOEcerts.html here])
| |
| − | ** [http://www.opera.com/ Opera]
| |
| − | | |
| − | | |
| − | == Notes of RA's ==
| |
| − | If you have something to add, please notify me!
| |
| − | * frequently happening problems
| |
| − | ** people often send either a certificate signing request or the form instead of both
| |
| − | ** people often send a renewal as new request because they forget to send an S/MIME mail
| |
| − | * feature requests
| |
| − | ** in registration form: identity-proof-document fields don't match the web interface ("nationality" instead of "document issuing country" and "document type")
| |
| − | ** a renewal should be sent automatically to the correct RA (same as original request but beware email changes)
| |
| − | ** in the RA interface "Authenticate request" an additional comment field would be handy
| |
| − | ** verify email by sending a confirmation link before accepting a certificate signing request
| |
| − | | |
| − | | |
| − | == Server-side ==
| |
| − | jGridStart talks with a certificate authority using http requests. The application is delivered with a simple proof-of-concept certification authority that implements the required functionality. Also the existing [http://ca.dutchgrid.nl/ DutchGrid CA web interface] will be adapted to work with it.
| |
| − | | |
| − | | |
| − | == Related documents ==
| |
| − | * ''[http://www.nikhef.nl/~wvengen/doc/jGridstart-20090514-demo.pdf Getting access to the grid]'', presentation and demo on jGridstart (14th of May, 2009)
| |
| − | * See which [https://www.nikhef.nl/~wvengen/testca-access/ client certificate is installed] in your browser
| |
| − | * [https://forge.gridforum.org/sf/projects/caops-wg Certificate Authority Operations WG]
| |
| − | * [[User:Wvengen@nikhef.nl/JGridStart/Certificate_Installation|Certificate Installation]
| |
| − | * [[User:Wvengen@nikhef.nl/JGridStart/Notes|Notes]]
| |
| − | | |
| − | == Related software ==
| |
| − | * [http://www.bestgrid.org/index.php/Grid_Tools Grid Tools]
| |
| − | * [http://argon.sao.nrc.ca/~spgrid/ SpectroGrid2] with a java web start based certificate manager (also [https://spectrogrid2.nrc.ca/portal/?q=node/3 here])
| |
| − | * [http://www.jabacats.com/ JaBaCATs] Java Basic Certificate Authority Tools
| |
| − | * [http://portecle.sourceforge.net/ Portecle] - GUI to create, manage and examine keystores, keys, certificates, requests, revocation lists and more.
| |
| − | * [http://yellowcat1.free.fr/keytool_iui.html KeyTool IUI] the cryptography GUI tool
| |
| − | * [http://gridshib.globus.org/docs/gridshib-ca-0.5.1/ gridshib-ca] contains a java web start tool that installs user certificates
| |
| − | * [http://grix.arcs.org.au/ Grix] is a Java gui application to help users handle security related tasks within a grid environment
| |
