Akenti Authority File

Overview

An authority file is a trusted file stored with the protected resources. There are two variations of Authority Files: the Root Authority File which is located at the top of the resource hierarchy and can set policy for all the resources in the tree; and a regular authority file which may exist at any other level of the resource hierarchy. The root authority file must exist, and must contain the list of trusted CAs and their public keys. All the other elements of a authority file are common between the two types.

Regular authority files can be placed anywhere in the resource hierarchy where a stakeholder wishes to set access policy for that resource or its subtree. If an authority file exists for a resource, it must specify at least one Use Condition which must exist and be accessible by Akenti. If an authority file exists for a resource and no matching Use Condition can be found, all access will be denied to that resource.

If no authority file exists for a resource, the access policy will be inherited from the parent resource.

Root Authority File

List of trusted CAs and their public keys.
List of places to search for Identity Certificates issued by the trusted CAs.
Global access restrictions

Regular Authority file

places to search for Certificates (Identity, Attribute, Use Condition and possibly other types. (may be in root authority file)
list of acceptable UCC issuers (defines the resource stakeholders)
URLs for Use Condition Certificates (could name a single UCC, a directory containing hash-nameed UCCs, or could be a search script)

Specification

One or more Certificate Authority elements:: UserIdCertificateAuthority <Distinguished Name><pem encoded certificate>

The CA certificates are placed in this file by the administrator of the resource tree. They are obtained in a trusted manner from the respective CAs.
One or more Certificate directory elements:: CertificateDirectory [file <pathname> | web <hostname> | ldap <hostname>]
file assumes the Akenti server has direct file read access to the directory; web assumes an MSQL server is running on the specified host; ldap assumes there is an ldap server running on the default port on the specified host.
One or more Use Condition issuers:: UseConditionCAandIssuer<CA to verify issuer> <Issuer's DN> [ OR><CA to verify issuer> <Issuer's DN>]...
If more than one UseConditionCAandIssuer are combined by "OR" Akenti need only find one UseCondition issued by either of them. If a UseConditionCAandIssuer appears on its own line, Akenti must find a UseCondition issued by it.
One or more Use Condition directories:: UseCondRequired <URL> [ OR<URL> ]...
The order of the elements is not significant except that the list of UseConditionCAandIssuers and UseConditionRequired directories are paired. At least one UseCondition must be found for each UseConditionCAandIssuer that appears on a line by itself or else access will be denied. A stakeholder should thus put all his UseConditions in one directory, so that if at least one is found then all can be found. Stakeholder responsibilities can be shared by putting more than one UseConditionCAandIssuer on a single line separated by "OR"s. Following that line, must be a line containing a list of the same number of UseConditionRequired directories also separated by "OR"s. Then if at least one UseCondition signed by one of the UseConditionCAandIssuers is found in one of the directories access checking will proceed.
Naming Web accessible directories with a terminal "/" will keep the server from having to make two requests to get the contents of the directory. UseConditions are stored by the UseCondition generator by hash names as well as the given name. The hash names are used by Akenti to find the relevant UseConditions for a resource.

Example Root Authority File

#Acceptable Certificate Authorities and their related LDAP servers
UserIdCertificateAuthority "/C=US/O=Diesel Combustion Collaboratory/OU=SNL/CN=DieselCert.ca.sandia.gov"

"-----BEGIN CERTIFICATE-----
\MIICiDCCAfGgAwIBAgIBATANBgkqhkiG9w0BAQQFADBoMQswCQYD
VQQGEwJVUzEoMCYGA1UEChMfRGllc2VsIENvbWJ1c3Rpb24gQ29sbGFib3JhdG9yeTEMMAoGA1UE\
CxMDU05MMSEwHwYDVQQDExhEaWVzZWxDZXJ0LmNhLnNhbmRpYS5nb3YwHhcNOTgwNDI3MTc1NTIw\
WhcNMDAwNDI2MTc1NTIwWjBoMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfRGllc2VsIENvbWJ1c3Rp\
b24gQ29sbGFib3JhdG9yeTEMMAoGA1UECxMDU05MMSEwHwYDVQQDExhEaWVzZWxDZXJ0LmNhLnNh\
bmRpYS5nb3YwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALzWQJ/+kXTzJMZcJMACjJI+nSEh\
u9P8qq8Q6NFgdPgriFVE6tggLcFWHzI6kgvv7iVr5+nus6NOZotPOItjHEsyfRQ8YKEcZntBTkXF\
7DN93LWqlpCSchlu/sJWjwLtRSACr91C8LQKCGTWr9Ln58Ohh99wIBHeKYoSjcRWVi+pAgMBAAGj\
QjBAMB0GA1UdDgQWBBTHMjfik68SFzDCA6Ji6pU61+e5iTAfBgNVHSMEGDAWgBTHMjfik68SFzDC\
A6Ji6pU61+e5iTANBgkqhkiG9w0BAQQFAAOBgQCJpjUkl75PUrm9h3lwt6MmmilelMQGts2X5q3d\
eSxBkiPPS9paMrN8UTY/mkVC6ZwQOlZ9oplBN+wyCXFiqMnGxaIR6iN07+RahwMku8nIhbw4QZIE\
4XyLOM6yUtCIbZW3gzKvZtDKTjd+MPFARUaUanBqmkJ3jCNA3yh0Acf2ow==\
-----END CERTIFICATE-----"

CertificateDirectory public ldap www-collab.ca.sandia.gov
UserIdCertificateAuthority "/C=US/O=Lawrence Berkeley National Laboratory/OU=ICS D/CN=IDCG-CA"

"-----BEGIN CERTIFICATE-----\
 MIICdDCCAd2gAwIBAgIBATANBgkqhkiG9w0BAQQFADBeMQswCQYDVQ\ 
QGEwJVUzEuMCwGA1UEChMlTGF3cmVuY2UgQmVya2VsZXkgTmF0aW9uYWwgTGFib3JhdG9yeTENMA\ 
sGA1UECxMESUNTRDEQMA4GA1UEAxMHSURDRy1DQTAeFw05NzA4MjkxNjMwNDJaFw05OTA4MjkxNj\ 
MwNDJaMF4xCzAJBgNVBAYTAlVTMS4wLAYDVQQKEyVMYXdyZW5jZSBCZXJrZWxleSBOYXRpb25hbC\ 
BMYWJvcmF0b3J5MQ0wCwYDVQQLEwRJQ1NEMRAwDgYDVQQDEwdJRENHLUNBMIGfMA0GCSqGSIb3DQ\ 
EBAQUAA4GNADCBiQKBgQDArly+tnX5eW7v4KT5CVf/IwR8rDkqniDUq34x/wqrKbM0AY+SV2hEHz\ 
+MCDgSlmPOXfwEplXW5IYYXqJ3+dK06et7mUodOhAB+0b6a8dVwul1+gRwEi80vft4+WvDUUHMZQ\ 
iq3UqFTsPN+09sW+2paqXNQZvBq2r+6/ovM4OqVwIDAQABo0IwQDAdBgNVHQ4EFgQUCQcdq1LvwV\ 
prM7kLlPLl7fmW4PswHwYDVR0jBBgwFoAUCQcdq1LvwVprM7kLlPLl7fmW4PswDQYJKoZIhvcNAQ\ 
EEBQADgYEAtcWt79TvzTl+zlkXBm8lqJPLXfsmwn0eaUGZiBkxhm5FGMUs02sUjaAUKiC6seR9xN\ 
E2C6EEJ7OyZRP7aqtNbbqeZBnUtCJN/iyFk9vQMMtJtTPr6uBbExhUaGFuJLMhHfMG/1pfDTIHQZ\ 
10Q0sF1ZmLyAdhiQBXekI5c5iheP4=\
-----END CERTIFICATE-----"

CertificateDirectory public ldap idcg-ds.lbl.gov
UseConditionCAandIssuer "/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD/CN=IDCG-CA" "/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD/CN=Srilekha Mudumbai Authority"
UseConditionCAandIssuer "/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD/C N=IDCG-CA" "/C=US/O=Lawrence Berkeley National Laboratory/OU=ICSD/CN=Mary R. Thompson"
UseCondRequired http://www-itg.lbl.gov/~mrt/Certificates/
UseCondRequired http://www-itg.lbl.gov/~mudumbai/Certificates/

Example Regular Authority File

# places to look for certificates
CertificateDirectory public ldap idcg-ds.lbl.gov

CertificateDirectory public web george
CertificateDirectory trusted file /home/users/mrt/certs

# list of acceptable use condition certificate issuers
UseConditionCAandIssuer "/C=US /O=Lawrence Berkeley National Laboratory /OU=ICSD/CN=IDCG-CA" "/C=US /O=Lawrence Berkeley National Laboratory /OU=ICSD /CN=William E. Johnston" OR "/C=US /O=Lawrence Berkeley National Laboratory /OU=ICSD/CN=IDCG-CA" "/C=US /O=Lawrence Berkeley National Laboratory /OU=ICSD /CN=Mary R. Thompson"

# list of Use Conditions
UseCondRequired http://www-itg.lbl.gov/~wej/Certificates/ OR http://imglib.lbl.gov/ImgLib/certs/diesel-collab/