The Fujitsu Global Cloud Platform has an XML-RPC API to communicate with. It authenticates users in two ways:
1. Client authentication (https with each user having their own certificate, obtained from the FGCP portal). 2. A signed string in each message (signed using the user's private key). The DeltaCloud architecture seems to make the assumption credentials consist of two strings (user name/pwd, api key/secret key, etc.). Do you have any suggestions for what we can do for the FGCP? If we store user certificates on the DeltaCloud server, it's easy. But if we don't (I suppose none of the other providers store user credentials on the DeltaCloud server?), we have the issue that the DeltaCloud server needs the certificate to talk to the FGCP endpoint. With the current architecture, I have thought of these solutions. 1. Store user certificates on the DeltaCloud server. The client sends the user name stored in the certificate and the certificate's password to the DeltaCloud server, which then picks the right certificate to talk to the FGCP endpoint. 2. The user converts the certificate to text format and uses that and the certificate password as credentials to the DeltaCloud server, which converts it back to a format the Ruby HTTPS APIs accept for client authentication. The disadvantage of the first option is of course the fact that users need access to the DeltaCloud server, and may feel uncomfortable storing their certificates there if it's a shared server. The disadvantage of the second option is the added complexity for the user to convert the certificate (pkcs12 -> PEM -> base64 encoding -> stripping newlines?), potential issues sending this big string with each request (performance, web server dependent HTTP header length restrictions) , and again users feeling uncomfortable sending their actual certificate somewhere (although I suppose it is equivalent to sending user/pwd with other providers). When a user certificate is issued, the user gets three files: 1. user certificate in pkcs12 format (binary) 2. public key in ssh-rsa format (useful to upload to a server instance so you can ssh to it with your certificate) 3. private key in PEM format (useful to import into putty to connect to your server instance) So this is what we have to work with. I am currently thinking to start with option 1 and investigate the feasibility of option 2 if/when users ask for it. What do you think? Do you have an idea of how most users deploy their DeltaCloud server, locally or on a shared machine? Thanks! Dies
