Trust Federation



Overview

Redundancy, scalability, and extensibility are critical properties of a federated trust fabric. Serious performance implications will occur if all entities in the grid are discovering and performing validation against a trust fabric maintained in a central GTS. In order to enable a federated trust fabric, each GTS can be administered to synchronize with a set of authoritative GTSs. A GTS can inherit both trust levels and trusted certificate authorities from its authority GTS(s). The figure to the right illustrates an example of how multiple GTSs can be deployed to create and manage a federated trust fabric. In the example there are five GTSs: caGrid GTS, TeraGrid GTS, OSU GTS, caGrid/TeraGrid GTS, and UT GTS.

  • The caGrid GTS has no authority GTSs; it manages the certificate authorities A and S.
  • The TeraGrid GTS has no authority GTSs; it manages the certificate authorities X and S.
  • The OSU GTS has one authority GTS, the caGrid GTS. The OSU GTS inherits the certificate authorities A and S from its authority, the caGrid GTS. The OSU GTS manages an additional certificate authority B. The OSU GTS is an example of how the global trust fabric can be extended to include local trusted certificate authorities, in this case, the additional certificate authority B.
  • The caGrid/TeraGrid GTS has two authority GTSs: the caGrid GTS and the TeraGrid GTS. The caGrid/TeraGrid GTS inherits CA A from the caGrid GTS and CA X from the TeraGrid GTS. Since the caGrid GTS has a higher priority than the TeraGrid GTS, it inherits CA S from the caGrid GTS. The caGrid/TeraGrid GTS is an example of how two existing trust fabrics from two different Grids can be joined together.
  • The UT GTS has one authority GTS, the TeraGrid GTS. The UT GTS inherits CA X and CA S from the TeraGrid GTS. The UT GTS is an example of standing up a GTS for better redundancy and scalability.

Registering an authority GTS requires the specification of the following properties:

  • Service URL - The service URL of the authority GTS.
  • Priority - The priority of this authority GTS compared to other authority GTS(s).
  • Sync Levels of Assurance - Whether or not the levels of assurance registered with the authority should be inherited.
  • Time to Live (TTL) - How long certificate authorities obtained from the authority GTS should be kept; the TTL is reset when the GTS syncs with the authority.
  • Perform Authorization - Whether or not the GTS should perform client side identity authorization with the authority.
  • Service Identity - The service identity of the authority GTS; this is used for performing client side identity authorization.
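As an added illustration (not caGrid code), the following Python model works through the inheritance rules above on the page's own example federation: the lower the priority number the higher the priority, a CA offered by two authorities is taken from the higher-priority one, and an inherited CA lapses once its TTL expires unless a sync with its source resets it. The URLs and the one-hour TTL are constructed values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AuthorityGTS:        # an authority GTS registered with the local GTS
    url: str
    priority: int          # lowest number = highest priority
    ttl_seconds: int       # Time to Live for CAs obtained from this authority
    cas: frozenset         # CAs the authority currently trusts (sample data)

@dataclass(frozen=True)
class InheritedCA:
    source: str            # URL of the authority the CA was obtained from
    priority: int
    expires_at: int        # TTL deadline; reset on every sync with the source

@dataclass
class LocalGTS:
    local_cas: frozenset = frozenset()                 # CAs managed locally
    inherited: dict = field(default_factory=dict)      # CA name -> InheritedCA

    def sync_with(self, auth: AuthorityGTS, now: int) -> None:
        """Pull the authority's CAs. A CA already held from a higher-priority
        (lower-numbered) authority is kept unless its TTL has lapsed; a sync
        with the same authority simply refreshes the TTL."""
        for ca in auth.cas:
            held = self.inherited.get(ca)
            if held is None or held.expires_at <= now or held.priority >= auth.priority:
                self.inherited[ca] = InheritedCA(auth.url, auth.priority, now + auth.ttl_seconds)

    def trusted_cas(self, now: int) -> frozenset:
        """Locally managed CAs plus inherited CAs whose TTL has not lapsed."""
        live = {ca for ca, held in self.inherited.items() if held.expires_at > now}
        return self.local_cas | live

    def source_of(self, ca: str) -> str:
        return self.inherited[ca].source

# The page's example federation, with constructed URLs and a one-hour TTL.
CAGRID = AuthorityGTS("https://cagrid.example/gts", 1, 3600, frozenset({"A", "S"}))
TERAGRID = AuthorityGTS("https://teragrid.example/gts", 2, 3600, frozenset({"X", "S"}))

def build_joint_gts(now: int = 0) -> LocalGTS:
    """caGrid/TeraGrid GTS: two authorities, caGrid at the higher priority."""
    gts = LocalGTS()
    gts.sync_with(TERAGRID, now)   # sync order does not matter; priority decides S
    gts.sync_with(CAGRID, now)
    return gts
```

The OSU GTS of the example is `LocalGTS(local_cas=frozenset({"B"}))` synced with `CAGRID`, which yields A, B and S.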

Managing Authorities

The GAARDS UI allows GTS administrators to search for and manage a GTS's authorities. This can be accomplished by completing the following steps:

  1. Launch the GAARDS UI.
  2. Login as a GTS administrator.
  3. From the Trust Fabric menu, select Trust Federation; this will launch the Trust Federation Window.
  4. From the Service drop down, select the GTS you desire to search.
  5. Click the Search button.

After the search has completed, the authorities registered with the GTS you selected will be listed in the table below the Search button. You can view the details of an individual authority by selecting it in the table and clicking the View button. This will launch the View/Modify Authority Window for the authority you selected. This window contains the following information describing the authority:

Attribute - Description

  • GTS URL - The service URL of the authority GTS.
  • Priority - The priority of the authority with respect to other authorities registered with the GTS.
  • Synchronize Assurance Levels* - Whether or not to sync the levels of assurance.
  • Perform Authorization* - Whether or not the GTS should perform client side identity authorization with the authority.
  • Authorization Identity* - The service identity of the authority GTS; this is used for performing client side identity authorization.
  • Time to Live - How long certificate authorities obtained from the authority GTS should be kept; the TTL is reset when the GTS syncs with the authority.

The attributes in the above table denoted with a * can be updated by GTS administrators. To update these attributes, make the desired changes and click the Update button.

Add Authority

The GAARDS UI provides a method for GTS administrators to register an authority with the GTS. This can be accomplished by completing the following steps:

  1. Launch the GAARDS UI.
  2. Login as a GTS administrator.
  3. From the Trust Fabric menu, select Trust Federation; this will launch the Trust Federation Window.
  4. From the Service drop down, select the GTS you desire to add an authority to.
  5. Click the Add button; this will launch the Add Authority Window.
  6. In the GTS URL text box, enter the service URL of the authority GTS.
  7. From the Priority drop down, select the priority this authority has with respect to other authorities registered with the GTS.
  8. From the Synchronize Assurance Levels drop down, specify whether or not the GTS should inherit the level(s) of assurance from this authority.
  9. From the Perform Authorization drop down, specify whether or not the GTS should perform client side authorization with the authority.
  10. If authorization will be performed with the authority, enter the identity of the authority in the Authorization Identity text box.
  11. In the Time to Live drop downs, specify how long certificate authorities inherited from this authority should be valid for without being refreshed.
  12. Click the Add button; this will register the authority with the GTS.

Managing Priorities

The GAARDS UI provides a method for GTS administrators to manage the priority of authority GTS(s). This can be accomplished by completing the following steps:

  1. Launch the GAARDS UI.
  2. Login as a GTS administrator.
  3. From the Trust Fabric menu, select Trust Federation; this will launch the Trust Federation Window.
  4. From the Service drop down, select the GTS.
  5. Click the Search button; this will list all the authorities registered with the selected GTS in the table below.
  6. Select the authority GTS whose priority you wish to change.
  7. Click the Increase Priority button to increase the priority of the selected authority GTS, or click the Decrease Priority button to decrease it. (The authority GTS with the lowest number has the highest priority.)
  8. Once the priorities of the authority GTSs are organized properly, click the Update Priorities button to commit the priorities to the GTS.

Remove Authority

The GAARDS UI provides a method for GTS administrators to remove an authority from the GTS. This can be accomplished by completing the following steps:

  1. Launch the GAARDS UI.
  2. Login as a GTS administrator.
  3. From the Trust Fabric menu, select Trust Federation; this will launch the Trust Federation Window.
  4. From the Service drop down, select the GTS you wish to remove an authority from.
  5. Click the Search button; this will list all the authorities registered with the selected GTS in the table below.
  6. Select the authority you wish to remove.
  7. Click the Remove button.

Last edited by
Sarah Honacki (855 days ago)