The Authentication Settings

There are several settings that have to be set correctly in order to make the authentication work. In EDG and most Globus systems most of the settings are correct by default. The settings can be set on the command line (AXIS) or by giving a properties class during the call to the relevant method. In both cases the settings can be given as properties or as the file name of a file that contains them (sslConfigFile).

The mandatory settings are:

Attention! Some of the settings have a different name when used in the Tomcat server.xml, as indicated in the table below. When the settings are in a separate file referenced from server.xml using sslConfigFile, they use the normal non-server.xml names.

Credentials

These are the credentials used by the client to prove that the user is who they claim to be, and by the server to prove that it is the server it claims to be.

These can be set using a PEM encoded private key and certificate pair, a key store, or a proxy certificate. To set the credentials using a proxy certificate, use the gridProxyFile setting. To set the credentials using a private key and certificate, use the sslCertFile, sslKey and sslKeyPasswd settings. To set the credentials using a key store, use the sslCertStore, sslCertStoreType and sslCertStorePasswd settings. The key store type can usually be deduced from the file ending (.p12 for "pkcs12" and .jks for "jks").

CA certificates

These are the certificates of the certificate authorities that you (or usually the system administrator) trust.

These can again be set using either PEM encoded certificates or a key store. In Globus systems they are usually PEM encoded certificates in the /etc/grid-security/certificates directory with the .0 ending, which is the default setting. To override this default, use the sslCAFiles setting. To use a key store for the CA certificates, use the sslCAStore, sslCAStoreType and sslCAStorePasswd settings.

All settings

When the settings are used in the Tomcat server.xml, the setting names are the server.xml versions and are case sensitive, but when they are used in a configuration file referenced from server.xml, the setting names are case insensitive. We would prefer everything to be case insensitive, but the Tomcat implementation limits us. So in configuration files and in properties classes all the setting names are case insensitive: sslConfigFile = SSLConfigFile = SSLCONFIGFILE = sslconfigfile.

The configuration options that the Trust Manager supports are as follows (default values are shown in [brackets]):

Setting name (name in server.xml, if different): explanation

Credentials

sslCertFile, sslKey, sslKeyPasswd (server.xml: hostCert, hostKey, hostKeyPass)
    The location of the SSL/TLS credentials (PEM format). Specifies the file names of the certificate and private key. If the private key file is password protected, sslKeyPasswd must be defined as well. [undefined]

sslCertStore, sslCertStoreType, sslCertStorePasswd (server.xml: keystoreFile, keystoreType, keystorePass)
    The location of the SSL/TLS credentials (Java format). sslCertStore specifies the file name of the Java key store [undefined]. sslCertStoreType defines the key store format [JKS], and sslCertStorePasswd the protecting password [changeit].

gridProxyFile
    The location of the SSL/TLS credentials (Grid proxy format). [the grid proxy file in /tmp]

credentialsUpdateInterval
    The period after which to reload the credentials from disk. The syntax is an integer value followed by the suffix 'seconds', 'minutes', 'hours' or 'days', where only the first character of the suffix matters. [2h] = 2 hours. (Also '12 D' = '12d' = '12Days' = '12 days'.)

CA settings

sslCAFiles (server.xml: caFiles)
    Defines the set of trusted CA certificates (PEM style). This is a file pattern, where the wildcards '*' and '?' are allowed in the file name. [/etc/grid-security/certificates/*.0]

sslCAStore, sslCAStoreType, sslCAStorePasswd (server.xml: truststoreFile, truststoreType, truststorePass)
    Defines the set of trusted CA certificates (Java style). sslCAStore specifies the file name of the Java key store [undefined]. sslCAStoreType defines the key store format [JKS], and sslCAStorePasswd the protecting password [changeit].

CRL settings

crlFiles
    The location of the CRL files (PEM style). This is a file pattern, where the wildcards '*' and '?' are allowed in the file name. [/etc/grid-security/certificates/*.r0]

crlUpdateInterval
    The period after which to reload the CRL files from disk. (For performance reasons, the revocation information is kept in memory.) The syntax is an integer value followed by the suffix 'seconds', 'minutes', 'hours' or 'days', where only the first character of the suffix matters. [2h] = 2 hours. (Also '12 D' = '12d' = '12Days' = '12 days'.)

crlEnabled
    Can be set to "true" or "false". Defines whether the Trust Manager should verify certificates against the provided CRLs. [true]

crlRequired
    Can be set to "true" or "false". Defines whether the Trust Manager should require a valid CRL from a CA in order to accept certificates from that CA. When this is set to true and there is no valid CRL for a CA, all certificates from that CA are considered revoked and are rejected. [false]

General

sslConfigFile
    A separate file containing the authentication settings. This is a way to reference a separate configuration file that contains all the necessary settings, enabling easier management of the authentication settings. This setting is only meaningful when used in a properties class given to ContextWrapper or in the input file for ChangeFactory. [undefined]

sslProtocol (server.xml: protocol)
    Which secure socket protocol to speak. Valid options are SSLv2, SSLv3 and TLS. [TLS]

logFile
    The file to write the logs to.

log4jConfFile (server.xml: logConfFile)
    The log4j configuration file for the logging configuration.

sslPort (server.xml: port)
    The port for the SSL communication. (Only used in the input file for the ChangeFactory.)

Settings to be implemented (depending on need and time)

sslCipher
    Which cipher (algorithm and strength) to use for the symmetric encryption. [(system default)]

sslCertStoreAlias
    Defines which key in the key store to use. [tomcat]

sslCertStoreKeyPasswd
    The password needed to access the private key in the key store. Used together with sslCertStoreAlias in cases where the private key is encrypted with a different password than the key store.
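As an added illustration (not Trust Manager code), the following Python reads a constructed sslConfigFile-style file the way the rules above describe: setting names are folded to lowercase (case-insensitive matching), the server.xml alias names from the table are mapped back to the normal names, the defaults shown in [brackets] are applied, and the update-interval syntax ('12 D' = '12d' = '12Days') is parsed. It then flags the settings a reviewer would want to see (a non-TLS protocol or CRL checking switched off). The alias and default tables are copied from the settings list; the file paths in the sample are placeholders.

```python
import re

# Added example, not Trust Manager code. Setting names are case-insensitive in
# config files; server.xml aliases (from the settings list) fold to the normal names.
SERVER_XML_ALIASES = {
    "hostcert": "sslcertfile", "hostkey": "sslkey", "hostkeypass": "sslkeypasswd",
    "keystorefile": "sslcertstore", "keystoretype": "sslcertstoretype",
    "keystorepass": "sslcertstorepasswd", "cafiles": "sslcafiles",
    "truststorefile": "sslcastore", "truststoretype": "sslcastoretype",
    "truststorepass": "sslcastorepasswd", "logconffile": "log4jconffile",
    "protocol": "sslprotocol", "port": "sslport"}
# Defaults as given in [brackets] in the settings list.
DEFAULTS = {
    "sslcafiles": "/etc/grid-security/certificates/*.0",
    "crlfiles": "/etc/grid-security/certificates/*.r0",
    "sslcertstoretype": "JKS", "sslcertstorepasswd": "changeit",
    "sslcastoretype": "JKS", "sslcastorepasswd": "changeit",
    "credentialsupdateinterval": "2h", "crlupdateinterval": "2h",
    "crlenabled": "true", "crlrequired": "false", "sslprotocol": "TLS"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_interval(text):
    """'12 D' == '12d' == '12Days' == '12 days': only the suffix's first letter counts."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m or m.group(2)[0].lower() not in UNIT_SECONDS:
        raise ValueError("bad interval: %r" % text)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)[0].lower()]

def load_settings(text):
    """Parse 'name = value' lines, fold names to lowercase, map aliases, apply defaults."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = (p.strip() for p in line.split("=", 1))
            settings[SERVER_XML_ALIASES.get(name.lower(), name.lower())] = value
    return settings

def check_settings(settings):
    """Findings a reviewer of this configuration would want flagged."""
    findings = []
    if settings["sslprotocol"].upper() != "TLS":
        findings.append("sslProtocol is %s, not TLS" % settings["sslprotocol"])
    if settings["crlenabled"].lower() != "true":
        findings.append("crlEnabled=false: certificates are not checked against CRLs")
    for key in ("credentialsupdateinterval", "crlupdateinterval"):
        parse_interval(settings[key])  # raises ValueError on a malformed interval
    return findings

# Constructed sample sslConfigFile contents (placeholder paths), mixing name cases
# and one server.xml-style alias (hostKey) to show both being normalised.
SAMPLE_CONFIG = ("SSLCertFile = /path/to/hostcert.pem\nhostKey = /path/to/hostkey.pem\n"
                 "crlUpdateInterval = 30 Minutes\nCRLEnabled = false\n")
```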