Correct, the client's certificate (with public key) is used, but the public key is part of the certificate chain that is sent with authentication protocols. The private key of the client is never sent to the server. You can look at the security protocol details to understand how things work:
http://www.globus.org/toolkit/docs/4.2/4.2.0/security/wsaajava/pi/wsaajava-protocol.html

Each remote endpoint has its own set of trusted CAs, that is, the server will have a set of CAs it trusts; it does not use the trusted certificates from the client machine. Of course, unless the CA that issued the client certificate is trusted by the server, the authentication will fail. Some of that concept is explained here:
http://www.globus.org/toolkit/docs/4.2/4.2.0/security/key/security-key-concepts.html

Rachana
(Please leave mailing list CCed in all your responses.)
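The two points in the reply above (the server checks the presented EEC against its own trust store, and it only ever needs the public key carried in that certificate; the private key stays with the client) can be seen in a small stand-alone program. This is an added example written for this page, not Globus Toolkit code: it uses Go's standard crypto/x509 library in place of GSI, the CA and user names are constructed placeholders, and proof of key possession is modelled as the client signing a server-chosen nonce, which is a simplification of the real handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate and its private key.
// Constructed example: the name is a placeholder, not a real Globus CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueEEC issues an end-entity certificate (the user's EEC) signed by the CA.
// The returned private key belongs to the client and is never transmitted.
func issueEEC(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverAccepts models the server side: it validates the presented EEC
// against the server's own trust store. No client private key is involved.
func serverAccepts(trusted []*x509.Certificate, eec *x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := eec.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// proveKeyPossession models the handshake step in which the client signs a
// server-chosen nonce with its private key, and the server checks the signature
// using only the public key extracted from the presented EEC.
func proveKeyPossession(eec *x509.Certificate, clientKey *ecdsa.PrivateKey, nonce []byte) (bool, error) {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, clientKey, digest[:]) // client side
	if err != nil {
		return false, err
	}
	pub, ok := eec.PublicKey.(*ecdsa.PublicKey) // server side: key from the cert
	if !ok {
		return false, fmt.Errorf("EEC does not carry an ECDSA public key")
	}
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	caA, keyA, _ := newCA("Constructed CA A")
	caB, _, _ := newCA("Constructed CA B")
	eec, userKey, _ := issueEEC(caA, keyA, "constructed user")
	fmt.Println("server trusting CA A accepts EEC:", serverAccepts([]*x509.Certificate{caA}, eec))
	fmt.Println("server trusting only CA B accepts EEC:", serverAccepts([]*x509.Certificate{caB}, eec))
	ok, _ := proveKeyPossession(eec, userKey, []byte("server nonce"))
	fmt.Println("client proves possession of the EEC private key:", ok)
}
```

The second `serverAccepts` call is the failure case from the reply: the same, perfectly valid EEC is rejected as soon as the server's trust store does not contain the issuing CA, regardless of what the client machine trusts.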
_____
From: hawking.zn [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2008 10:50 PM
To: Rachana Ananthakrishnan
Subject: Re: RE: [gt-user] security configuration problem

According to your words, I am very clear about the 2nd question now. Thank U.

But about the first one: as I know, when authenticating, the service must check whether the EEC or proxy certificate of the client is signed by a trusted CA. In this case, the service must use the public key of the CA to decrypt the EEC's signature. If the hash of the EEC is the same as the decrypted result, then the EEC is issued by the CA. And during the authentication, the service must obtain the public key of the user from his EEC, to decrypt the encrypted message sent by the user. Anyway, I think the service must obtain the client's credentials. It seems the service reads some config file to know the location of the EEC. But when the client is on a remote system, and uses another CA, how can the client send his certificate to the service? Maybe I should write the code?

_____
hawking.zn
2008-07-08

_____
From: Rachana Ananthakrishnan
Sent: 2008-07-07 22:00:51
To: 'hawking.zn'; 'gt-user'
Cc:
Subject: RE: [gt-user] security configuration problem

1. The service does not need the client's credentials. During authentication, the client uses its credential and the client's identity is established, but there is no need for the server to get the client's credential. In cases where the client delegates to the server, a new credential signed by the client credential is generated as part of the delegation process, but the server never reads the client's credential.

2. If you use GSI Secure Transport (https), authentication happens on the wire and always occurs before any handler is invoked. In other cases, if you place the handler as the first one in the <requestFlow>, the handler will be run first. The order in which the handlers are specified in the <requestFlow> element is the order in which they are executed.
Rachana

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hawking.zn
Sent: Sunday, July 06, 2008 10:46 AM
To: gt-user
Subject: [gt-user] security configuration problem

Hi:

Sorry to disturb you again. In a service's server-config.wsdd, we use a security descriptor to specify the security config. In security-config.xml, the config will look like:

  <method name="destroy">
    <auth-method>
      <GSISecureConversation/>
    </auth-method>
  </method>

Under this, we should use a certificate to authenticate.

Question 1. How does the service know where the client's certificate is located? Since when I run the example of Math4op, I didn't point to it.

Question 2. If I put a handler in the <requestFlow> of the server-config.wsdd, what's the sequence? Which is going to run first, the authentication or the handler?

Thanks very much.

_____
hawking.zn
2008-07-06
