Archer Security Module


Archer Desktop Client Module

Background

This module provides the mechanism by which credentials and proxy credentials are created and retrieved for a desktop application through the Archer Security Server.

The Archer Desktop Client Module is a desktop client for the Archer Security Server. It is built on top of the Shibboleth Desktop. It allows any desktop based application to communicate with the Archer Security Server to retrieve short term certificates and proxy credentials signed by the Archer CA.

The figure on the left-hand side depicts how the Archer Desktop Module works. A Grid application running on the user's desktop (Client 1 or Client 2) talks to the Archer Desktop Module locally whenever a certificate is required. The Archer Desktop Module then requests a short-term certificate from the Archer Security Provider. The user is required to authenticate with his or her home IDP (the SSO). A short-term certificate is created and returned to the user. The user's credential is stored on the myproxy server.

Installation and Configuration

The module can be downloaded here.
The module is compatible with Java 1.5+. It can be extracted to any folder on a desktop computer. An Internet connection is required.
No further configuration is needed for testing with Open IDP level 2 or with any IDP on the federation level 2 that does not use a customized SSO page (e.g. the BASIC scheme). These include Monash, MAMS, UQ ... For testing with a customized SSO page, see auth.field below.

The main configuration file is config/archer-client.properties.
  • idp.id -- The user's home IDP.
    If this is not set, a WAYF window pops up for the user to select one.
  • auth.field -- The authentication values, e.g. username and password.
    Since a Shibboleth IDP can use any customized HTML page for SSO, these fields correspond to the fields of the HTML form on that IDP's login page. The user needs to drop a configuration for the IDP into config/idp; see open-idp-level2.properties for an example.
    If auth.field values are set, a preemptive login is carried out, i.e. no GUI pops up. For example, with OpenIDP level 2:
    auth.field1=myid
    auth.field2=mypass
  • cert.dir -- The directory where all generated credentials are stored.
  • proxy-cred.server -- The URL of the Archer Security endpoint that creates proxy credentials.
    The default value points to mersey.its.monash.edu.au, the Archer testing server.
  • cred.server -- The URL of the Archer Security endpoint that creates credentials.
    The default value points to mersey.its.monash.edu.au, the Archer testing server.

Usage

The module comes with two scripts, runGetCred.sh and runGetProxy.sh.

The user can run the runGetCred script to retrieve an X.509 certificate signed by the Archer CA. At the same time, an encrypted private key is generated and stored locally on the desktop.
The runGetProxy script retrieves a proxy credential, which is created from the user's credential stored on Archer's myproxy server.
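As an added example (not part of the module or of this page), the following Python script is a pre-flight check that parses config/archer-client.properties and reports how the documented keys will behave before runGetCred.sh or runGetProxy.sh is run: whether a WAYF window or a fixed IDP is used, whether login is interactive or preemptive, and whether each endpoint is set explicitly or falls back to the module default. The embedded sample configuration and its example.org hostnames are constructed; the assumptions that the module ignores unknown keys, that the endpoints are expected to be reached over https, and that a file carrying auth.field values should not be readable by other local accounts are the example's own and are not stated on the page.

```python
"""Pre-flight check for config/archer-client.properties (added example).

Parses the properties file and reports how the documented keys will
behave. The sample at the bottom is constructed, not the module's
shipped configuration.
"""
import os
import stat
import sys
from urllib.parse import urlparse

# Keys documented for archer-client.properties (auth.fieldN is a prefix family).
DOCUMENTED_KEYS = {"idp.id", "cert.dir", "proxy-cred.server", "cred.server"}


def parse_properties(text):
    """Parse the key=value / key:value subset of Java .properties syntax.

    Blank lines and lines starting with '#' or '!' are comments. The first
    '=' or ':' separates key from value; surrounding whitespace is dropped.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""  # bare key with an empty value
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_config(props, file_mode=None):
    """Return findings for a parsed config; file_mode is the file's permission bits, if known."""
    findings = []

    # idp.id: unset means the module pops up a WAYF window for IDP selection.
    if props.get("idp.id"):
        findings.append(f"idp.id={props['idp.id']}: WAYF window skipped")
    else:
        findings.append("idp.id unset: WAYF window will prompt for the home IDP")

    # auth.field*: set means preemptive login with no GUI prompt.
    auth = sorted(k for k in props if k.startswith("auth.field"))
    if auth:
        findings.append(f"{', '.join(auth)} set: preemptive login, no SSO GUI")
        # Assumption (not stated on the page): a file holding login values
        # should not be readable by other local accounts.
        if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("WARN: auth.field values present but file is group/world readable")
    else:
        findings.append("auth.field* unset: IDP SSO page will be shown for login")

    # Endpoints: unset falls back to the module default (the Archer testing server).
    for key in ("cred.server", "proxy-cred.server"):
        url = props.get(key)
        if not url:
            findings.append(f"{key} unset: module default (Archer testing server) will be used")
        elif urlparse(url).scheme != "https":
            # Assumption: the endpoints are expected to be reached over TLS.
            findings.append(f"WARN: {key} is not https: {url}")

    # Assumption: the module ignores keys it does not know, so a misspelt
    # key silently leaves the default in place. Flag such keys.
    unknown = sorted(k for k in props
                     if k not in DOCUMENTED_KEYS and not k.startswith("auth.field"))
    for k in unknown:
        findings.append(f"WARN: unknown key '{k}' (typo?) will be ignored")
    return findings


def check_file(path):
    """Parse and check a properties file on disk, including its permission bits."""
    with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
        props = parse_properties(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return check_config(props, mode)


# Constructed sample configuration (example.org hosts), not the shipped file.
SAMPLE_PROPERTIES = """\
# home IDP and preemptive login values (constructed example)
idp.id=https://openidp.example.org/idp/shibboleth
auth.field1=myid
auth.field2=mypass
cert.dir=/home/alice/.archer/certs
cred.server=http://archer.example.org/cred
proxy-cred.servr=https://archer.example.org/proxy
"""

if __name__ == "__main__":
    # Usage: python check_archer_config.py [path/to/archer-client.properties]
    if len(sys.argv) > 1:
        report = check_file(sys.argv[1])
    else:
        report = check_config(parse_properties(SAMPLE_PROPERTIES), 0o644)
    for line in report:
        print(line)
```

Run with the path of the real config/archer-client.properties to check a deployment; without an argument the script checks the constructed sample, which deliberately contains a non-https cred.server, a misspelt proxy-cred.server key and a world-readable file mode so that all three warnings are exercised.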

    Copyright © Archer Project, Monash University