SyncGTS Configuration



SyncGTS uses an XML file to describe what and how to synchronize the local environment with the trust fabric. This XML file is referred to as the sync description and is located at: SYNC_GTS_HOME/ext/resources/sync-description.xml.  Below is a sample sync description for synchronizing with the Training Grid:

<ns1:SyncDescription xmlns:ns1="http://cagrid.nci.nih.gov/12/SyncGTS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <ns1:SyncDescriptor>
        <ns1:gtsServiceURI>https://slavegts.training.cagrid.org:8443/wsrf/services/cagrid/GTS</ns1:gtsServiceURI>
        <ns1:Expiration hours="12" minutes="0" seconds="0"/>
        <ns1:TrustedAuthorityFilter xsi:type="ns2:TrustedAuthorityFilter" xmlns:ns2="http://cagrid.nci.nih.gov/8/gts">
            <ns2:Lifetime xsi:type="ns2:Lifetime">Valid</ns2:Lifetime>
            <ns2:Status xsi:type="ns2:Status">Trusted</ns2:Status>
        </ns1:TrustedAuthorityFilter>
        <ns1:PerformAuthorization>true</ns1:PerformAuthorization>
        <ns1:GTSIdentity>/O=caBIG/OU=caGrid/OU=Training Trust Fabric/CN=host/slavegts.training.cagrid.org</ns1:GTSIdentity>
    </ns1:SyncDescriptor>
    <ns1:ExcludedCAs>
        <ns1:CASubject>O=caBIG,OU=caGrid,OU=Training Trust Fabric,CN=caGrid Training Trust Fabric CA</ns1:CASubject>
    </ns1:ExcludedCAs>
    <ns1:DeleteInvalidFiles>false</ns1:DeleteInvalidFiles>
    <ns1:CacheSize>
        <ns1:year>0</ns1:year>
        <ns1:month>1</ns1:month>
        <ns1:day>0</ns1:day>
    </ns1:CacheSize>
    <ns1:NextSync>600</ns1:NextSync>
</ns1:SyncDescription>


The root element SyncDescription contains four child elements:

  1. The SyncDescriptor element provides details about the GTSs with which to sync and the criteria on which to sync.
  2. The gtsServiceURI child element (of SyncDescriptor) contains the URI of the GTS with which to sync. Each time SyncGTS syncs, it removes all previously discovered certificate authorities from the trust list unless they are excluded, or unless they were discovered earlier and the expiration time attached to that sync has not yet passed.
  3. The Expiration child element (of SyncDescriptor) specifies how long certificate authorities discovered during this sync remain valid; this buffer is important for handling unexpected errors such as a short-term network outage.
  4. The TrustedAuthorityFilter child element (of SyncDescriptor) specifies the criteria a certificate authority managed by a GTS must meet in order to be trusted within the local environment.

The following synchronization criteria may be specified per synchronization:

  • Name - The name of the certificate authority within the GTS.
  • CertificateDN - The Certificate Authority's subject within its certificate.
  • Trust Level(s) - A trust level, or "level of assurance", specifies the level of confidence with which a given certificate authority is trusted in the grid. Each certificate authority can be assigned a set of trust levels. The TrustLevels element specifies the set of trust levels that CAs must be assigned in order to be trusted.
  • Lifetime - In a federated trust fabric, GTSs inherit certificate authorities from other GTSs. Certificate authorities are inherited for a specified period of time, which expires if not renewed. This element allows you to specify whether or not you will accept CAs whose lifetime has expired.
  • Status - Specifies the current state of the certificate authority. This allows a certificate authority to be temporarily added to and removed from the trust fabric. For instance, if the security of a CA has been compromised, its status can be set to "suspended" to quickly invalidate all certificates issued and signed by that CA.
  • IsAuthority - Specifies whether or not the GTS is required to be the authority for candidate certificate authorities.
  • SourceGTS - Specifies which GTS must be the source of candidate certificate authorities.
  • AuthorityGTS - Specifies which GTS must be the authority of candidate certificate authorities.
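To make the criteria above concrete, here is an added example (not SyncGTS code) that evaluates a TrustedAuthorityFilter against constructed CA records. It assumes the criteria are combined conjunctively (every criterion present must hold), that TrustLevels requires a CA to carry all of the listed levels, and uses its own field names, hypothetical GTS hosts and constructed trust-level labels.

```python
from dataclasses import dataclass


@dataclass
class CandidateCA:
    # Constructed view of what a GTS reports about one CA; these field names are
    # this example's own and not the GTS schema.
    name: str
    certificate_dn: str
    trust_levels: frozenset  # constructed level labels
    lifetime: str            # "Valid", or "Expired" for an inherited CA whose lifetime lapsed
    status: str              # e.g. "Trusted" or "Suspended"
    is_authority: bool       # True when the queried GTS is this CA's authority
    source_gts: str
    authority_gts: str


GTS_LOCAL, GTS_REMOTE = "gts-local.example.org", "gts-remote.example.org"  # hypothetical
CANDIDATES = [  # constructed sync results reported by GTS_LOCAL
    CandidateCA("Prod CA", "CN=Prod CA", frozenset({"Two", "Three"}), "Valid", "Trusted", True, GTS_LOCAL, GTS_LOCAL),
    CandidateCA("Lab CA", "CN=Lab CA", frozenset({"One"}), "Valid", "Trusted", True, GTS_LOCAL, GTS_LOCAL),
    CandidateCA("Breached CA", "CN=Breached CA", frozenset({"Two"}), "Valid", "Suspended", True, GTS_LOCAL, GTS_LOCAL),
    CandidateCA("Partner CA", "CN=Partner CA", frozenset({"Two"}), "Valid", "Trusted", False, GTS_LOCAL, GTS_REMOTE),
    CandidateCA("Lapsed CA", "CN=Lapsed CA", frozenset({"Two"}), "Expired", "Trusted", False, GTS_LOCAL, GTS_REMOTE),
]


def matches_filter(ca, criteria):
    # Every criterion present must hold (assumed conjunctive); absent ones are unconstrained.
    checks = {
        "Name": lambda v: ca.name == v,
        "CertificateDN": lambda v: ca.certificate_dn == v,
        "TrustLevels": lambda v: frozenset(v) <= ca.trust_levels,  # CA must hold all required levels
        "Lifetime": lambda v: ca.lifetime == v,
        "Status": lambda v: ca.status == v,
        "IsAuthority": lambda v: ca.is_authority == v,
        "SourceGTS": lambda v: ca.source_gts == v,
        "AuthorityGTS": lambda v: ca.authority_gts == v,
    }
    return all(checks[key](value) for key, value in criteria.items())


def select_trusted(candidates, criteria):
    # Names of the candidate CAs that would be admitted to the local trust list.
    return [ca.name for ca in candidates if matches_filter(ca, criteria)]


# The filter used in the sample sync description above: Lifetime=Valid and Status=Trusted.
SAMPLE_FILTER = {"Lifetime": "Valid", "Status": "Trusted"}
```

Tightening the filter (adding IsAuthority, TrustLevels or AuthorityGTS) shrinks the admitted set, which is the knob a local administrator turns to limit how far inherited trust reaches.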

The PerformAuthorization child element specifies whether or not to perform authorization against the GTS being synced with. If authorization is requested, the GTSIdentity element should contain the grid identity of the GTS being synced with. Note that there can be multiple SyncDescriptors in a sync description. SyncGTS processes the SyncDescriptors in the order in which they appear in the document. If a conflict is discovered between SyncDescriptors, the information obtained from the SyncDescriptor appearing earliest in the document is used. For example, if a certificate authority is discovered twice (through two different SyncDescriptors), the certificate authority's certificate and CRL obtained from the earlier SyncDescriptor are included in the trust list.

As mentioned earlier, each time SyncGTS syncs, it removes all previously discovered certificate authorities from the trust list unless they are excluded, or unless they were discovered earlier and the expiration time attached to that sync has not yet passed. The ExcludedCAs element contains a list of all the CAs (by subject) that should never be removed. CAs listed in the exclude list are generally those used for bootstrapping the trust fabric or those outside the trust fabric. SyncGTS also provides the ability to remove any unexpected files that may exist in the Globus trusted certificates directory; the DeleteInvalidFiles element controls this. Finally, the NextSync element specifies how often (in seconds) SyncGTS should sync with the trust fabric. This element is only used if SyncGTS is asked to run continuously, as in the service-based approach.
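The two rules described in the previous paragraphs, earliest SyncDescriptor wins on conflict and previously discovered CAs survive only if excluded or not yet past their Expiration, can be pinned down with an added example that parses a sync description and reconciles a trust list. This is illustration code, not SyncGTS itself; the GTS hosts, CA subjects, certificate strings and clock are constructed, and the trust list and per-GTS result shapes are this example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
NS = {"ns1": "http://cagrid.nci.nih.gov/12/SyncGTS"}
GTS_A = "https://gts-a.example.org:8443/wsrf/services/cagrid/GTS"  # hypothetical hosts
GTS_B = "https://gts-b.example.org:8443/wsrf/services/cagrid/GTS"
# Constructed sync description: two descriptors with different Expiration windows and one excluded CA.
SYNC_DESCRIPTION = f"""<ns1:SyncDescription xmlns:ns1="{NS['ns1']}">
  <ns1:SyncDescriptor><ns1:gtsServiceURI>{GTS_A}</ns1:gtsServiceURI>
    <ns1:Expiration hours="12" minutes="0" seconds="0"/></ns1:SyncDescriptor>
  <ns1:SyncDescriptor><ns1:gtsServiceURI>{GTS_B}</ns1:gtsServiceURI>
    <ns1:Expiration hours="1" minutes="0" seconds="0"/></ns1:SyncDescriptor>
  <ns1:ExcludedCAs><ns1:CASubject>CN=Bootstrap CA</ns1:CASubject></ns1:ExcludedCAs>
</ns1:SyncDescription>"""
NOW = datetime(2024, 1, 1, 12, 0, 0)  # constructed clock for the demo

def parse_sync_description(xml_text):
    # Returns [(gtsServiceURI, Expiration as timedelta)] in document order, plus the ExcludedCAs subjects.
    root = ET.fromstring(xml_text)
    descriptors = []
    for d in root.findall("ns1:SyncDescriptor", NS):
        e = d.find("ns1:Expiration", NS)
        ttl = timedelta(hours=int(e.get("hours", 0)), minutes=int(e.get("minutes", 0)),
                        seconds=int(e.get("seconds", 0)))
        descriptors.append((d.findtext("ns1:gtsServiceURI", namespaces=NS), ttl))
    return descriptors, {c.text for c in root.findall("ns1:ExcludedCAs/ns1:CASubject", NS)}

def reconcile(old_trust, sync_results, descriptors, excluded, now):
    # old_trust and the result map CA subject -> (cert, expires_at); sync_results maps gtsServiceURI -> {subject: cert}.
    new_trust = {}
    for uri, ttl in descriptors:  # document order; setdefault keeps the earliest descriptor's entry
        for subject, cert in sync_results.get(uri, {}).items():
            new_trust.setdefault(subject, (cert, now + ttl))
    # A CA from an earlier run that was not rediscovered is dropped unless it is
    # in ExcludedCAs or the expiration attached to its earlier sync has not passed.
    for subject, (cert, expires_at) in old_trust.items():
        if subject not in new_trust and (subject in excluded or expires_at > now):
            new_trust[subject] = (cert, expires_at)
    return new_trust

def run_demo(now=NOW):
    descriptors, excluded = parse_sync_description(SYNC_DESCRIPTION)
    old_trust = {  # constructed state left behind by an earlier sync
        "CN=Bootstrap CA": ("boot-cert", now - timedelta(days=1)),  # expired but excluded: kept
        "CN=Stale CA": ("stale-cert", now - timedelta(hours=1)),    # expired, not excluded: removed
        "CN=Fresh CA": ("fresh-cert", now + timedelta(hours=1))}    # still within Expiration: kept
    sync_results = {  # constructed per-GTS responses; "Shared CA" is reported by both
        GTS_B: {"CN=Shared CA": "cert-from-b", "CN=Only B": "cert-b"},
        GTS_A: {"CN=Shared CA": "cert-from-a", "CN=Only A": "cert-a"}}
    return reconcile(old_trust, sync_results, descriptors, excluded, now)
```

Running `run_demo()` shows the shared CA carrying the certificate from the first descriptor (GTS_A) with its 12-hour window, the stale CA gone, and the expired bootstrap CA retained only because it is excluded.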

Last edited by Clayton Clark (660 days ago)