User Security

From Gcube Wiki
Revision as of 17:36, 30 November 2007 by Andreaturli (Talk | contribs) (Accessing a Community Portal)

Jump to: navigation, search

Security Basics

Basics of User Security. Digital Certificates, CAs etc. Authorization and Authentication procedures

The DILIGENT Security model uses Public Key Infrastructure (PKI) mechanisms to authenticate identities acting in the infrastructure.

Each authenticated invocation must be performed using valid credentials issued by a trusted Certification Authority (CA).

Acquiring a Digital Certificate

The standard procedure for acquiring a Digital Certificate from the appropriate accredited Certification Authority is based on a certain number of steps.

First of all users has to request a CA certificate and to install it on his browser. CA policy requests that in your institute a Registration Authority (RA) is defined. A Registration Authority is a person responsible to identify user for CA.

Second needed step is request a digital certificate to a local Registration Authority. The Registration Authority will start a simple procedure and will give to user an ID. After receiving this ID, user can compile his personal data for CA. The ID verifies them. Then user's browser will ask him for a password: this password is used to the encrypt the private key before saving it locally.

The browser will generate the couple of private-public and it will send your public key to the CA to be signed. Typically in a few days user will receive an email from CA with an URL.

It is necessary use the same browser and the same machine used to generate the couple private-public key to connect to that URL. The browser will install the certificate (i.e. your public key signed by CA) and user will be prompted for the password to access to the private key. At this point the certificate plus your private key are saved encrypted on the configuration files of your web browser.

This certifcate can be exported on your filesystem as backup.

Accessing a Community Portal

DILIGENT infrastructure is able to provide credentials to user without a personal certificate. These credentials are generated in a transparently way for the user through the DILIGENT Portal.

In particular DILIGENT portal login phase is subdivided in two main steps:

  • Insert UserName and Password

FirstStep.png

  • Specify the "Digital Library to Load".

SecondStep.png

This second choice will affect the available credentials for the user during the session.

In fact choosing a Digital Library, the user inherits all the privileges he has in terms of group membership and roles in DILIGENT VOMS.