Stakeholder's Guide to Akenti

Mary Thompson and Srilekha Mudumbai
/home/g1/proj//Akenti/docs/admin/stakeholder.html

Introduction

Akenti access control is implemented by a set of policy certificates and distributed use-condition and attribute certificates. These certificates express the conditions that the various stakeholders wish to impose on access to their resources. Stakeholders are identified by entries in the resource's policy certificate (.htauthority). CA information, attributes, attribute values, attribute issuers, and actions are defined in the resource attribute file (.resattributes). The three certificate types can be created and signed by either of two methods.

Table of Contents

  1. Exporting your User Identity for use in signing
  2. Command line generation of certificates
  3. Generating a Use Condition Certificate
  4. Generating an Attribute Certificate

1. Export your Identity Certificate

If you are a resource stakeholder and wish to sign Akenti certificates, you must have your private key and identity saved in a PKCS12 format file, where the generator programs can use it for signing. If you are using Netscape to handle your identity certificates, you can export any of your certificates as a PKCS12 file by going to the security menu -> certificates -> Yours, selecting the identity you want to use, and clicking export, which will create a PKCS12 format file with the extension .p12. The identity you choose must be listed as a stakeholder in the Authorization file for the resource that you want to control.

2. Command line generation of certificates

This approach is mainly useful for small test setups where there are not too many certificates to be generated. It has the advantage of not requiring a Resource Definition server to be running or the need for a resattributes file. The disadvantage is that any mistakes in the content (as opposed to the syntax) of the XML description of the certificate will not be caught until you attempt to use the certificate in an authorization. The method is to create an XML description of the certificate following the Akenti Certificate XML DTD. Examples of XML certificates can be found in policy certificate, attribute certificate and use-condition certificate. Then call the CertGen.java program with the XML file, a PKCS12 file containing the signer's private key, and the passphrase for the key file. CertGen will create a new unique id, update the notBefore time to the current time, and write a certificate that contains the new XML and a signed base64 encoded version of it. CertGen verifies the XML syntax, but has no way of checking whether the content of the certificate is reasonable. After generating a certificate with CertGen, it should be verified with verifyAkentiCert. This will check that the certificate is in fact signed by the principal specified in the issuer field, that the syntax of the Distinguished Names is correct, and a few other things.
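The CertGen / verifyAkentiCert round trip described above, as an added example. This is not the CertGen.java or verifyAkentiCert shipped with Akenti, and it does not reproduce the Akenti Certificate XML DTD: the element names in TEMPLATE (UseCondition, Issuer, Resource, Condition) are placeholders, and it assumes the exported .p12 holds an RSA key so that SHA256withRSA applies. It shows the three steps the text attributes to the tools: stamping a fresh id and notBefore, signing the XML with the private key from the PKCS12 file and base64 encoding the signature, and then checking that the Issuer DN is well formed and matches the identity whose public key verifies the signature.

```java
import java.io.FileInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class CertGenSketch {

    // Placeholder XML body; the element names are an assumption, not the real Akenti DTD.
    static final String TEMPLATE =
        "<UseCondition id=\"@ID@\" notBefore=\"@NOTBEFORE@\">\n" +
        "  <Issuer>@ISSUER@</Issuer>\n" +
        "  <Resource>https://example.invalid/data</Resource>\n" +
        "  <Condition>group = my_friends</Condition>\n" +
        "</UseCondition>";

    // Section 1: the signer's identity lives in the exported .p12 file.
    static KeyStore.PrivateKeyEntry loadSigner(Path p12, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12.toFile())) {
            ks.load(in, passphrase);
        }
        String alias = ks.aliases().nextElement();       // a Netscape export normally holds one entry
        return (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(passphrase));
    }

    // CertGen step: fresh unique id, notBefore = now, Issuer = the signing identity's subject DN.
    static String prepareXml(X509Certificate signerCert) {
        return TEMPLATE.replace("@ID@", UUID.randomUUID().toString())
                       .replace("@NOTBEFORE@", Instant.now().toString())
                       .replace("@ISSUER@", signerCert.getSubjectX500Principal().getName());
    }

    // CertGen step: signature over the XML bytes, base64 encoded for storage next to the XML.
    static String sign(String xml, PrivateKey key) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(xml.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    // verifyAkentiCert-style checks: the XML parses, the Issuer DN is syntactically valid, it names
    // the identity presented as signer, and the signature verifies under that identity's public key.
    static boolean verify(String xml, String b64Sig, X509Certificate issuerCert) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE from a hostile file
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        String issuerDn = doc.getElementsByTagName("Issuer").item(0).getTextContent().trim();
        LdapName issuer;
        try {
            issuer = new LdapName(issuerDn);                 // rejects malformed DN syntax
        } catch (InvalidNameException e) {
            return false;
        }
        LdapName signer = new LdapName(issuerCert.getSubjectX500Principal().getName());
        if (!issuer.equals(signer)) return false;           // signed by someone other than the stated issuer
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(issuerCert.getPublicKey());
        sig.update(xml.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(b64Sig));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CertGenSketch <identity.p12> <passphrase>");
            System.exit(2);
        }
        KeyStore.PrivateKeyEntry me = loadSigner(Path.of(args[0]), args[1].toCharArray());
        X509Certificate myCert = (X509Certificate) me.getCertificate();
        String xml = prepareXml(myCert);
        String b64Sig = sign(xml, me.getPrivateKey());
        System.out.println(xml);
        System.out.println("Signature: " + b64Sig);
        // Any edit to the body after signing, e.g. widening the group, must fail verification.
        String tampered = xml.replace("my_friends", "everyone");
        System.out.println("verify(original) = " + verify(xml, b64Sig, myCert));
        System.out.println("verify(tampered) = " + verify(tampered, b64Sig, myCert));
    }
}
```

Run it as `java CertGenSketch identity.p12 <passphrase>` against the .p12 exported in section 1. The verification deliberately re-parses the XML rather than trusting the in-memory string, because in practice verifyAkentiCert reads a file that may have been edited or stored at a URL anyone can write to; the DN comparison through LdapName also catches the case the text warns about, where the Issuer field names a principal other than the one whose key produced the signature.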

3. Generate and sign a use-condition certificate

Use-condition certificates are signed documents that grant use rights for a named resource. They can be stored anywhere that is accessible by a URL. If you are named as a UseCondGroup Principal for a resource, you can create a use-condition by following the steps outlined below. Each window of the generators contains a brief explanation of what it is doing. More details are available by clicking on the "help" buttons on each window. The "back" button on each window will let you go back to review your progress so far or to correct mistakes.

4. Generate and sign an Attribute Certificate

If you have included any attributes in your use-conditions that are not included in Identity Certificates (ones other than "o", "ou" and "cn"), you will need to issue attribute certificates for each person who you want to have that attribute. For example, if you chose group/my_friends, you need to issue an Attribute Certificate for each person you want to be in the group my_friends.