Administration
Host Certificates
Dorian: Administrators Guide | Developers Guide | Users Guide | caGrid: Documentation Guides
Overview
In order to establish a secure communication mechanism between client and services and so that a service can authenticate with other services, Web/Grid services are required to have PKI credentials or host credentials. A host credential consists of a X.509 certificate and private key. Dorian provides the ability to issue host certificates to users, such that they may operate Grid services. Dorian will only issue host certificates to users that have accounts with Dorian. User that have accounts with Dorian may request a host certificate for there services. Depending on Dorian's configuration , Dorian may immediately issue the host certificate or may require administrative approval, in which case the user will need to wait until an administrator approves their request. Host certificates that are issued by Dorian are bound to a specific user account. The user that the host certificate is bound to is referred to as the owner of the host certificate. The account status of a host certificate's owner effects the status of the host certificate. If the owner's account is suspended, the host certificate will be suspended. If the owner's account is removed, the host certificate will be revoked. The owner of a host certificate can be reassigned by a Dorian administrator.
Each host certificate maintained by Dorian is assigned a status, below is a table describing the possible statuses for host certificates
| Status |
Description |
|---|---|
| Active |
The host certificate is Active and in good standing. |
| Compromised |
A host certificate that was issued and was permanently revoked. |
| Pending |
A host certificate that was requested but has not yet been issued because administrative approval is required. |
| Rejected |
A host certificate that was requested but was not issued because the request was rejected by an administrator. |
| Suspended |
A host certificate that was issued but has been temporarily revoked. |
Dorian will only issue one host certificate per host, if the host credentials for a host are lost and new ones are required the status of the original credentials must be set to Compromised before the new credentials can be issued. Host certificates cannot be deleted from the system, host certificates that are no longer active or have been compromised should have their status set to Compromised.
For security purposes and to give administrators insight on an individual host certificate record, Dorian maintains a list of auditing information for each host certificate. The following is a list of auditing information maintained by Dorian for each host certificate:
| Audit Information |
Description |
|---|---|
| HostCertificateRequested |
Documents when and by whom the host certificate was requested. |
| HostCertificateApproved |
Documents when and by whom the host certificate was approved. |
| HostCertificateUpdated |
Documents when, what, and by whom the host certificate was updated. |
| HostCertificateRenewed |
Documents when and by whom the host certificate was renewed. |