Proxy Management Using the Network Identity Provider
The Network Identity Manager is a modular framework for managing credentials on MS Windows. It provides a GUI for basic operations with credentials and makes their handling more user friendly. It is primarily aimed at Kerberos, but other mechanisms can be supported too via plugins. We are working on a plugin for maintenance of proxy certificates. The plugin is built upon VOMS, hence it is able to generate proxies using long-term PKI credentials stored in files, smart cards or the MS Cert Store area.
A registry record is needed that points to the cpproxycert.dll library.
The plugin is implemented by two DLLs, cpproxycert.dll and cpproxycert_en_us.dll, which are dynamically loaded by NetIdMgr upon start. Therefore both must be available in directories searched by the linker.
Currently the "grid" identity is internally tied to Kerberos and cannot be used separately. Thus it is necessary to configure the kerberos5 plugin to be able to obtain Kerberos tickets from any Kerberos realm. We are working on our own identity provider plugin that will not depend on Kerberos. In the meantime we would provide a Kerberos server serving a fake realm that can be used to work around the necessity of having a Kerberos identity.
Getting X.509 certificates using Kerberos 5 tickets
The latest KDC server from Heimdal now supports an on-line CA compatible with kCA. It can be accessed by any k.x509 client, including the k.x509 plugin for NetIdMgr. In order to enable the kCA support on the KDC, the Kerberos administrator needs to:
- add the kca/<kdc_host> principal