Changes between Initial Version and Version 1 of GENIDeveloper/ToolCertificates

03/06/14 16:47:51 (6 years ago)



  • GENIDeveloper/ToolCertificates

    v1 v1  
     1= GENI Tool Certificates =
     2GENI tools must communicate with GENI services (member authorities, slice authorities, aggregate managers, etc.) via SSL with a client-side certificate. Tools that run on the experimenter's computer can use the experimenter's certificate and private key for these communications because they are under the control of the experimenter. Tools that run on remote servers ("hosted tools"), like web-based tools or long-running services, should use their own certificate and private key for secure communications. When hosted tools want to invoke GENI services on behalf of experimenters they should use a "speaks-for" credential provided to them by the experimenter.
     4= Requesting a tool certificate =
     5Requesting a GENI tool certificate is easy. A GENI tool developer creates a certificate signing request (CSR) and associated private key. The CSR is sent to a GENI Clearinghouse for signing and a tool certificate is returned. This certificate contains the public key that matches the private key generated (or used) when the CSR was created.
     7 1. Choose a unique name for your tool and tool instance for the tool URN. The general form is ''tool''-''instance''. For example, `portal-gpo` for the GENI Portal running at the GPO, or `genidesktop-uky` for the GENI Desktop running at the University of Kentucky.
     8  a. [ggw:GAPI_AM_API_DRAFT#ToolCertificates Specifics about allowed characters, maximum lengths, etc.]
     9 1. Choose an email address for administrators of your tool. This will probably be an email list but could be the email address of an individual.
     10 1. Create a certificate signing request
     11  a. If you want to generate a new private key (preferred):
     13openssl req -batch -new -newkey rsa:2048 -keyout PRIVATE_KEY_FILE -out CSR_FILE
     15  a. If you have a private key already:
     17openssl req -batch -new -key PRIVATE_KEY_FILE -out CSR_FILE
     19 1. [ Create a ticket] requesting a tool certificate
     20  a. Edit the summary to say something like "Sign CSR for YOUR_TOOL at YOUR_INSTANCE"
     21  a. Include the unique name (tool and instance) in the description
     22  a. Include the administrator email address in the description
     23  a. Include `` in the "Cc" field (done if you use the link above)
     24  a. Attach the CSR to the ticket
     25 1. We'll create a new certificate from the attached CSR and attach the resulting certificate to the ticket. You can then download the certificate and use it with the private key used when you created the CSR.