Grid Certificate Authority, Grid Certificates and MyProxy Servers
The Globus ToolKit uses public key cryptography. The UC Grid Portal has a Simple Certificate Authority for the Grid (Grid CA) associated with it. When a user requests a username in order to access one of the Campus Grids in the UC system, that user will be issued a certificate signed by the UC Grid’s CA. The certificate consists of two parts, the public key and the private key. With the UCLA Grid Architecture, these are never returned to the user. Instead, the certificate is automatically digitally signed by the CA and the public key and private keys are stored in two MyProxy servers, one at the UC Grid Portal and the other at the Campus Grid Portal. The digital signature of the CA guarantees that the certificate has not been tampered with. The user never handles the certificate and may not even know that a certificate exists.
To use a Grid Portal, a user must login by providing his/her username and passphrase. This provides access to the user’s private key. Once the UC Grid has been set up, when a user logs into the UC Grid Portal, that portal will look up the user in its MyProxy Server; when a user logs into a Campus Grid Portal, that Grid Portal will look up the user in its own MyProxy Server. If for some reason, its MyProxy Server is unavailable or the user is not found there, the Campus Grid Portal can look for the user in the MyProxy Server belonging to the UC Grid. Once the user has been validated, UGP will retriev a proxy certificate for the user from the MyProxy Server. The proxy certificate has a limited lifespan, normally one day, The Grid Portal uses that proxy certificate on the user’s behalf every time it contacts one of the clusters, via its Grid Appliance, to perform a service for that user. The proxy certificate is destroyed once the user logs out.