Electric Wizard
Wed 27 Jan 2010
One of the underpinning technologies of the grid is the digital certificate, which authenticates users. This creates a single sign-on for users and can make grid life a whole lot easier once in place. However, it is this last piece which is important: "once in place". For some users the use of digital certificates is new and not necessarily very clear. However, certificates themselves are not difficult: it is the tools that we use to manage them that need to become easier, optimised to help users with the things they have to do. The team at NGS are working on this problem, developing a tool called Certificate Management Wizard or Cert Wizard.
Apart from easing the user through the initial application, another aim of CertWizard is to remove the need to convert certificates between the versions used by Grid middleware and the version used in browsers, one of the most tedious tasks in certificate management. CertWizard also includes an experimental facility to talk to browsers’ keystores directly, but this depends on some new technology so will take a while to stabilise.
Users will be able to use CertWizard to get certificates and update them from the CA, but it can also be used to manage the "proxy" certificates which travel around the grid to do work on behalf of the user, as well as membership of virtual organisations. This has certain advantages: if CertWizard is started once a week to renew this proxy, it can also automatically keep an eye on the user's personal certificate and request that it be renewed when it is about to expire. It will even include a feature to renew a certificate after it has expired.
To start with, the application exports your credentials from your browser, and installs and configures them on your computer. It then asks you for details on the other certificates which you will require on your computer, such as the issuing bodies' certificates. These allow you both to authenticate to the grid and to identify trusted services.
Managing digital identities and authentication tokens is, perhaps surprisingly, difficult. As a rule of thumb, the more you can access with your digital identity, the harder it is to get and maintain it. A portal password is easy to remember, but just gives you access to one portal, with usually a limited range of jobs. Shibboleth credentials are somewhat more work, but will eventually give you access to all of NGS. Certificates from the UK e-Science CA are trusted on Grids all over the world, so users will necessarily have to jump through some hoops so we can give the global grids a sufficiently high level of assurance. The team working on CertWizard are confident that their work, along with other work to modernise the CA, will ease the work for users, while still retaining the high level of assurance required by the global grids.
Once you have gone through these steps, Cert Wizard is your one-stop shop for:
- Creating VOMS Enabled Grid Credentials
- Storing and retrieving your credentials in a MyProxy server so that you and other applications can access them remotely whenever required.
- Managing your certificate: changing passwords, checking validity, etc.
To get your own grid certificate start here:
http://www.ngs.ac.uk/certoverview
Cert Wizard, along with full instructions, can be found at http://www.ngs.ac.uk/tools/certwizard
© Copyright GridPP
If you wish to reproduce this piece please credit GridPP and contact Neasan O'Neill to say you are using it
