<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Pat,<div><br></div><div>if you look in the AstroGrid security-facade library, you will find Java implementations of both the service and client ends of the CDP. These have been in use in AstroGrid services since the 2009.1 release. AFAIK, there are no outstanding bugs in the CDP implementation, but I stand ready to support it if anybody finds any.</div><div><br></div><div>The latest version is 2010.1, available in the directory at</div><div><br></div><div><a href="http://www.astrogrid.org/maven2/org/astrogrid/astrogrid-security/2010.1/">http://www.astrogrid.org/maven2/org/astrogrid/astrogrid-security/2010.1/</a></div><div><br></div><div>and the docs are on-line at</div><div><br></div><div><a href="http://software.astrogrid.org/doc/p/security/2010.1/">http://software.astrogrid.org/doc/p/security/2010.1/</a></div><div><br></div><div>It's also available through Maven-2 if you set up <a href="http://www.astrogrid.org/maven2/">http://www.astrogrid.org/maven2/</a> as one of your repositories. (Please note that the versions of many of the components linked from the front pages of web-sites <a href="http://deployer.astrogrid.org/">http://deployer.astrogrid.org/</a> and <a href="http://software.astrogrid.org/">http://software.astrogrid.org/</a> are typically out of date.)</div><div><br></div><div>The service end of this implementation is a servlet which caches the delegated credentials in a static store. The latter class has the API by which other software gets at the credentials after the CDP has run. It's designed to be plugged into any Java web-application.</div><div><br></div><div>You'll also find, in the security library, packages for creating proxy certificates and for validating chains that include proxies. These are adapted from the Java-CoG library for Globus stuff and the more-recent versions of Bouncy Castle. 
These utility packages might be useful separately from the CDP.</div><div><br></div><div>CDP is basically an alternative to MyProxy. Before we wrote CDP, I was trying to use MyProxy in AstroGrid and it caused a lot of problems, firstly because it was easy to misconfigure but more seriously and chronically because it needs port 7512 and many of our users found that port blocked at their own, client-site firewalls. CDP was written to fix that situation.</div><div><br></div><div>You <i>could </i>implement CDP as a facade over MyProxy. You'd need a MyProxy client in Java; there's one in the Java CoG kit, but it's intended for different use-cases and is rather hard to use for the simple ones involved here. There's also a pre-release client for MyProxy in my security library which needs finishing off and testing; I stopped work on this because I didn't have a MyProxy server-installation I trusted for use as a test fixture. My guess would be that CDP-over-MyProxy would be more code and more complicated than my pure-servlet implementation. I think it would work, but not be worth the trouble of debugging just to get CDP (note that the NCSA implementation of the server seems to depart from the documented protocol in a few subtle details, so debugging the client is loadsa fun). However, if you wanted to delegate from a web service to a grid, where the grid would use the native interface to MyProxy, then it might be good.</div><div><br></div><div>Hope this helps,</div><div><br></div><div>Guy</div><div><br></div><div><br></div><div><br><div><div><div>On 10 Sep 2010, at 21:03, Patrick Dowler wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div><br>We have gone off the deep end in using X509 certificates for several projects <br>here in CADC and specifically in using IVOA standards wherever possible. In the <br>grid processing system we have people creating and maintaining VMs and running <br>them in "the cloud". 
Then users wanted to create, copy, and delete VMs and <br>even share VMs with other users (e.g. these people can run my VM == group-read <br>permission)... the easy solution was to have users store their VMs in VOSpace <br>because it does all that.<br><br>However, to do that we now have other services which need to get the VM from <br>the VOSpace (e.g. the cloud system and the VM config system we set up so users <br>could boot/modify/save their VM on our side of the network) and that had to be <br>done with the user's credentials. We needed to have a proxy certificate/key pair <br>we could use... we needed a standard way to do that from several places... we <br>need a credential delegation proto... heh! Here's one right here on ivoa.net <br>and it's already a standard!! <br><br>So, first thing: thanks to GWS for being ahead of the curve :-)<br><br>Has anyone implemented CDP? In Java? It seems there are many ways to do X509 <br>stuff wrong that still sort of work and there is more misinformation on the net <br>than I thought possible. <br><br>Also, has anyone worked with MyProxy (from NCSA) and can you explain the <br>overlap of that with CDP? Could one build CDP REST bindings on top of MyProxy <br>and thus get some stuff for free?<br><br>Anyway, we will be implementing CDP sometime soon.<br><br>-- <br><br>Patrick Dowler<br>Tel/Tél: (250) 363-0044<br>Canadian Astronomy Data Centre<br>National Research Council Canada<br>5071 West Saanich Road<br>Victoria, BC V9E 2M7<br><br>Centre canadien de donnees astronomiques<br>Conseil national de recherches Canada<br>5071, chemin West Saanich<br>Victoria (C.-B.) V9E 2M7<br></div></blockquote></div><br></div></div></body></html>
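Guy's reply mentions packages for creating proxy certificates and validating chains that include them, and Patrick notes how easily X.509 handling goes wrong while still appearing to work. The example below is added here and is not part of the original thread or of the AstroGrid library: it issues an RFC 3820 style proxy certificate from a self-signed end-entity certificate and applies the checks a relying party makes before trusting the delegated proxy. It assumes the third-party `cryptography` package; every key, name and certificate is constructed in-process.

```python
# Added illustration, not AstroGrid code: issue a proxy certificate from an
# end-entity cert and apply the checks a relying party needs before trusting it.
# Needs the 'cryptography' package; all keys and names are constructed here.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
# RFC 3820 ProxyCertInfo (OID 1.3.6.1.5.5.7.1.14), policy "inherit all", as DER
PROXY_CERT_INFO_OID = ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL_DER = bytes.fromhex("300c300a06082b06010505071501")

def _cert(subject, issuer, pubkey, signer, proxy=False, days=1):
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days)))
    if proxy:  # mark it as a proxy; RFC 3820 requires the extension be critical
        b = b.add_extension(
            x509.UnrecognizedExtension(PROXY_CERT_INFO_OID, INHERIT_ALL_DER), True)
    return b.sign(signer, hashes.SHA256())

def make_chain(forged=False):
    """Return (proxy, end_entity); forged=True signs the proxy with its own key
    instead of the end-entity key, as a tampered chain would."""
    ee_key, proxy_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ee_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice")])
    ee = _cert(ee_name, ee_name, ee_key.public_key(), ee_key, days=30)
    proxy_name = x509.Name(list(ee_name)
                           + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    signer = proxy_key if forged else ee_key
    return _cert(proxy_name, ee_name, proxy_key.public_key(), signer, True), ee

def validate_proxy(proxy, issuer):
    """Return 'ok' or the name of the first check the proxy fails."""
    try:  # the proxy must be signed by the end-entity's own key
        issuer.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                   padding.PKCS1v15(), proxy.signature_hash_algorithm)
    except Exception:
        return "bad signature"
    if proxy.issuer != issuer.subject:
        return "issuer name mismatch"
    subj = list(proxy.subject)  # RFC 3820: issuer's name plus exactly one extra CN
    if subj[:-1] != list(issuer.subject) or subj[-1].oid != NameOID.COMMON_NAME:
        return "subject naming rule violated"
    try:
        proxy.extensions.get_extension_for_oid(PROXY_CERT_INFO_OID)
    except x509.ExtensionNotFound:
        return "missing ProxyCertInfo extension"
    return "ok"
```

A real deployment would additionally walk the rest of the chain up to a trusted CA and check validity periods and revocation; the end-entity certificate itself fails the proxy naming rule, which is the intended result.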