Proxy certificates in UNICORE 6

Overview

Proxy certificates are widely used in other Grid middleware systems based on GSI(Grid security intrastructure) for both authentication/authorisation and trust delegation. To ease interoperability scenarios and to allow interaction with proxy-based software, UNICORE 6 offers proxy certificate support in various areas. Since proxy certificates are considered insecure by some, the proxy support in UNICORE 6 is considered optional, and requires additional downloads and configuration.

Transport-layer security and authorisation

A plugin is available for the UNICORE gateway, which uses GSI components to establish incoming connections. In this way, users can use proxy certificates instead of an X.509 end-user certificate to establish SSL connections to a UNICORE site.

The UNICORE/X server can recognize proxy certificates and treat them appropriately, e.g. for quering the XUUDB using the correct distinguished name.

Use proxy certificates on the back-end

To use GSI-enabled software like globus-url-copy (aka GridFTP), a proxy certificate is needed. Since UNICORE uses X.509 certificates, proxy certificates are not readily available. To circumvent this, proxy certificates can optionally be created on the client, and sent to the server in the SOAP message header. The back-end can then use this proxy certificate for running GSI-based software.

Status

Most of the proxy-support code is still somewhat experimental, and not included in the default UNICORE distribution. However, it is already used in interoperability scenarios.

• back to Development

© UNICORE 2012