Dridi, Saber wrote:
> I use the example PhysicsService with delegation from the book Globus Toolkit
> 4. I use two PCs. The first PC will act as a client and on the second one
> the globus container.
> How can the CA on the second PC create a Certificate for the client on the
> first PC?
>

I think you might be misunderstanding the nature of PKIs. The hierarchy between CA and "client" certificates does not have anything to do with the client-server model in Globus (or anywhere else, for that matter). In addition, the whole point of delegation is that the CA is *not* aware of any delegated credentials because they are created and signed by the client, using their own certificate and corresponding private key.

So, basically the answer to your question is twofold:

a) If you want to create an end-entity certificate (for a host or a person) using your SimpleCA, please refer to the Globus Installation Documentation, e.g. here: <http://www.globus.org/toolkit/docs/latest-stable/admin/install/#gtadmin-simpleca>

b) If your first PC (let's call it A) wants to access a WSRF web service on your second PC (=B), and delegation is to be used, the CA does not take any part in the delegation process. Please refer to the rather extensive documentation about the Delegation Service here: <http://www.globus.org/toolkit/docs/4.2/4.2.1/security/delegation/>.

You should also check out other documentation like the Globus Primer and documents like the "GT4 GSI: A Standards Perspective" PDF found here: <http://www.globus.org/toolkit/docs/4.2/4.2.1/security/GT4-GSI-Overview.pdf> to make sure you have really grasped the key security concepts in Globus. They are essential elements of any current Globus-based Grid infrastructure, so you can't overestimate their importance, IMHO.

Could I please also ask you to avoid CCing [email protected] *AND* [email protected]? Doing that leads to everyone on the list getting all your mails at least twice (sometimes three times due to personal CCs that are put in by clicking "answer to all" in your mail client). It's perfectly enough to mail to [email protected] to reach all members of the list.

Thank you in advance.

Regards,
--ck

-- 
M. Sc. Christopher Kunz
Regionales Rechenzentrum fuer Niedersachsen (RRZN)
Gottfried Wilhelm Leibniz Universitaet Hannover
+49 511 762-79KUNZ | [email protected]
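
The trust chain described in the reply above, as an added example that is not part of the original mail and is not Globus code: a simplified model using textbook RSA over fixed primes instead of real X.509, in which the CA key signs only the end-entity certificate and the proxy is signed with the user's own key. All names (`build_demo`, `verify_chain`, the subject strings) are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Textbook RSA from two known primes. Illustration only, not secure."""
    return {"pub": p * q, "priv": pow(E, -1, (p - 1) * (q - 1))}

def digest(subject, pub, n):
    h = hashlib.sha256(f"{subject}|{pub}".encode()).digest()
    return int.from_bytes(h, "big") % n

def issue(issuer_name, issuer_key, subject, subject_pub):
    """Bind subject to subject_pub, signed with the issuer's private key."""
    n = issuer_key["pub"]
    sig = pow(digest(subject, subject_pub, n), issuer_key["priv"], n)
    return {"subject": subject, "pub": subject_pub, "issuer": issuer_name, "sig": sig}

def signed_by(cert, issuer_pub):
    expected = digest(cert["subject"], cert["pub"], issuer_pub)
    return pow(cert["sig"], E, issuer_pub) == expected

def verify_chain(chain, trusted_cas):
    """chain is leaf-first: [proxy, ..., end-entity cert]."""
    for cert, parent in zip(chain, chain[1:]):
        # Proxy rule (RFC 3820): issued by the holder of the parent
        # certificate, and the subject is the parent's subject plus one CN.
        if cert["issuer"] != parent["subject"]:
            return False
        if not cert["subject"].startswith(parent["subject"] + "/CN="):
            return False
        if not signed_by(cert, parent["pub"]):
            return False
    eec = chain[-1]  # only this certificate is checked against the CA
    ca_pub = trusted_cas.get(eec["issuer"])
    return ca_pub is not None and signed_by(eec, ca_pub)

def build_demo():
    m = lambda k: 2**k - 1            # Mersenne primes for the exponents used here
    ca = keypair(m(521), m(607))      # SimpleCA key, used exactly once below
    user = keypair(m(127), m(107))    # user's key, stays on PC A
    svc = keypair(m(89), m(61))       # fresh key generated on PC B
    ca_name, user_dn = "/O=Grid/CN=SimpleCA", "/O=Grid/CN=Example User"
    eec = issue(ca_name, ca, user_dn, user["pub"])  # issued before any delegation
    # Delegation: B sends only svc["pub"] to A; A signs it with the user's key.
    proxy = issue(user_dn, user, user_dn + "/CN=proxy", svc["pub"])
    return {"chain": [proxy, eec], "trusted": {ca_name: ca["pub"]}, "svc": svc, "user": user}
```

The verifier needs only the CA's public key as a trust anchor; the CA's private key plays no role once the end-entity certificate exists.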
