Generate and sign a use-condition certificate
Use-condition certificates are signed documents that grant use rights for a
named resource. They can be stored anywhere that is accessible by a URL. If
you are named as a UseCondGroup Principal for a resource, you can create a
use-condition by following the steps outlined below.
Each window of the generator contains a brief explanation of what it is
doing. More details are available by clicking the "help" button on each
window. The "back" button on each window lets you go back to review your
progress so far or to correct mistakes.
- Run the script AkentiCertificateManager.sh. It will present a set of
windows that step you through the process of building a use-condition
certificate.
- The first window asks for the name of the resource for which you are
creating this use-condition and the location of the Policy Definition
server for the resource tree. The resource name is specified as the
resource tree name (the base URL) and a name relative to that base. If you
are unsure of the exact resource name, the browse button next to the
Resource field makes the generator contact the Policy Definition server and
list the resource tree roots and all the resources on that server. The base
URL can optionally be built with the Directory Builder: click the Create
button next to the base URL field to display the Directory Builder pane,
select the protocol (http, https and file are supported), fill in the
appropriate fields and click OK. Finally click Next to continue.

- Clicking Next brings up a window that asks for the use-condition issuer
and its CA. These names are taken from the policy certificate for the
resource. If your name does not appear in the list, you are not authorized
to create use-conditions for this resource; in this case contact the Akenti
resource administrator. At the end of the use-condition creation process
you will be asked for the file that contains the private key of the
identity you chose and the passphrase that was used to encrypt that file.
You must select a name from the list, even if there is only one item, and
click Next.

- You are now presented with a series of Expression Builder windows which
step you through the creation of a boolean expression of attributes and
values that a user must satisfy to use the resource. To build an
expression, start by selecting an Attribute type: Akenti, X509, or System.
Next specify the attribute's name in the Attribute Name field, then specify
the Operator that will be used in this expression. Enter the value in the
Value field and finally click the Add button.

After clicking the Add button, you must specify at least one attribute
issuer and the directory (or directories) where the attribute
certificate(s) can be found. The attribute issuers you list are the
principals whose attribute certificates are accepted as proof of these
attributes; a certificate asserting the same attribute but signed by an
issuer not listed here does not satisfy the expression.

To add attribute issuer(s), click the corresponding Add button, which
displays the Akenti Principal Panel. You can either enter the information
in the fields manually or click the Search button.

Start by choosing a protocol (ldap, http, file) and enter the appropriate
information in the corresponding fields, or, if the hint button is enabled,
use "hints" to fill in this information for you.

When the hint button is enabled and clicked, a list of candidate CAs is
shown; click the CA in the list, then click OK. Then select the directory
where the CA's identity certificate is located.

Next add attribute directory(s); the steps are similar to adding attribute
issuer(s).

- You may (optionally) add actions in this panel. I've added read and write and selected "local scope"
for both actions. When you are finished, click Next to continue.

- Select how long you would like this certificate to be valid from the
pull-down menu, then click Next. The signed certificate is only honoured
within this window, so choose a duration that matches how often you are
prepared to re-issue it.

- Finally you are given a window that displays what you have done
and gives you a chance to go back and make changes.

- Click Next and you are presented with a window to select the key file
where your private key is stored, the passphrase with which it is
encrypted, and where you want to store the signed certificate. You need to
store this certificate someplace where it can be accessed via a URL. Only
the signed certificate belongs there: the private key and its passphrase
are never part of the certificate and should stay where only you can read
them.

- After filling in all the fields click "sign and save".
- Once the certificate has been signed and saved, the generator
will go back to the first window to allow you to generate another
certificate. If you are done, click close.
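The steps above build, in the generator's windows, a document that a later evaluation has to interpret: a boolean expression over typed attributes, the issuers trusted to assert them, the permitted actions and a validity window. The following Python model is an added example, not Akenti's own code or certificate format, that makes those semantics concrete so each window's input has a visible effect on the decision. It models only Akenti and X509 attribute types; the operator set, the resource and principal names, the scope values and all attribute certificates are constructed assumptions, and signing with the issuer's private key is not modelled.

```python
"""Illustrative model of a use-condition and its evaluation (added example,
not Akenti code; all names and certificates below are constructed)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Operators assumed for the Expression Builder's Operator field (assumption).
OPERATORS = {
    "=": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    ">=": lambda have, want: float(have) >= float(want),
}


@dataclass(frozen=True)
class Principal:
    """An identity as the generator names it: subject name plus its CA."""
    name: str
    ca: str


@dataclass(frozen=True)
class Clause:
    """One row added in the Expression Builder: type, name, operator, value."""
    attr_type: str   # "Akenti" or "X509" ("System" is not modelled here)
    name: str
    op: str
    value: str


@dataclass(frozen=True)
class Attribute:
    """An attribute asserted about a user and the principal asserting it.
    Akenti attributes come from attribute certificates; X509 attributes come
    from the user's identity certificate and are asserted by its CA."""
    attr_type: str
    name: str
    value: str
    issuer: Principal


@dataclass
class UseCondition:
    resource: str
    issuer: Principal          # the UseCondGroup principal who signs
    expression: object         # Clause or ["and"|"or", expr, expr, ...]
    attribute_issuers: tuple   # Principals whose assertions are accepted
    actions: dict              # action name -> scope, e.g. {"read": "local"}
    not_before: datetime
    not_after: datetime


def clause_holds(clause, attrs, trusted):
    """True if a trusted issuer asserts an attribute satisfying the clause."""
    for a in attrs:
        if a.issuer not in trusted:
            continue           # assertion from an unlisted issuer is ignored
        if (a.attr_type, a.name) == (clause.attr_type, clause.name) \
                and OPERATORS[clause.op](a.value, clause.value):
            return True
    return False


def expression_holds(expr, attrs, trusted):
    """Recursively evaluate the nested and/or expression."""
    if isinstance(expr, Clause):
        return clause_holds(expr, attrs, trusted)
    op, *operands = expr
    results = [expression_holds(e, attrs, trusted) for e in operands]
    return all(results) if op == "and" else any(results)


def granted_actions(uc, attrs, now):
    """Actions granted to a user holding `attrs` at time `now`; a certificate
    outside its validity window grants nothing."""
    if not (uc.not_before <= now < uc.not_after):
        return set()
    if expression_holds(uc.expression, attrs, set(uc.attribute_issuers)):
        return set(uc.actions)
    return set()


def canonical_document(uc):
    """The content the generator would sign with the issuer's private key.
    Keys are sorted so the serialised bytes are stable."""
    def enc(o):
        if isinstance(o, Clause):
            return asdict(o)
        if isinstance(o, list):
            return [o[0]] + [enc(e) for e in o[1:]]
        return o
    return json.dumps({
        "resource": uc.resource,
        "issuer": asdict(uc.issuer),
        "expression": enc(uc.expression),
        "attributeIssuers": [asdict(p) for p in uc.attribute_issuers],
        "actions": uc.actions,
        "notBefore": uc.not_before.isoformat(),
        "notAfter": uc.not_after.isoformat(),
    }, sort_keys=True)


# ---- constructed sample data, not from any real deployment ----
CA = Principal("CN=Example CA", "CN=Example CA")
ATTR_ISSUER = Principal("CN=Project Admin", "CN=Example CA")
ROGUE = Principal("CN=Someone Else", "CN=Example CA")   # not a listed issuer
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

SAMPLE_UC = UseCondition(
    resource="https://example.test/policy/projects/data",  # tree root + name
    issuer=Principal("CN=Resource Owner", "CN=Example CA"),
    expression=["and",
                Clause("Akenti", "group", "=", "project-members"),
                ["or",
                 Clause("X509", "O", "=", "Example Lab"),
                 Clause("Akenti", "clearance", ">=", "2")]],
    attribute_issuers=(ATTR_ISSUER, CA),
    actions={"read": "local", "write": "local"},
    not_before=NOW,
    not_after=NOW + timedelta(days=365),
)


def member_attrs():
    return [Attribute("Akenti", "group", "project-members", ATTR_ISSUER),
            Attribute("X509", "O", "Example Lab", CA)]


def rogue_attrs():
    # Same claims, but group membership is asserted by an unlisted issuer.
    return [Attribute("Akenti", "group", "project-members", ROGUE),
            Attribute("X509", "O", "Example Lab", CA)]


if __name__ == "__main__":
    print(granted_actions(SAMPLE_UC, member_attrs(), NOW))
    print(granted_actions(SAMPLE_UC, rogue_attrs(), NOW))
    print(canonical_document(SAMPLE_UC))
```

The rogue case is the one worth noticing: the user presents exactly the attribute the expression asks for, but because the asserting principal is not among the attribute issuers chosen in the Akenti Principal Panel, the clause does not hold and no action is granted. The validity check likewise turns the duration pull-down into a hard cut-off rather than advice.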