
m.riedel@fz-juelich.de wrote:
Hi,
- The gLite CREAM CE can be accessed either with pure TLS (X509 certificate) or using GSI (proxy-based) authentication. I think that the same holds for other gLite components as well.
So your service can work w/o proxies? Maybe for the initial AuthN yes - but for further use I guess you require a proxy for forwarding to CREAM or so?!
You can invoke any CREAM operation using either a plain X509 certificate, or a proxy certificate. In either case you can use the service without problems. HOWEVER, in order to submit a job you NEED to delegate a proxy to CREAM by first invoking the delegation port-type. Once you have delegated a proxy, you can create/cancel/monitor your jobs with plain X509 certificates. Note that in order to contact the delegation port-type you can use either an X509 certificate, or a proxy certificate.

So, a client with *only* an X509 certificate can perform any operation on CREAM, PROVIDED that FIRST it delegates its credential to CREAM by performing a delegation operation. A client with a delegated proxy can also execute any operation on CREAM, provided that it further delegates its credentials to CREAM.

This is the problem you mentioned which we experienced during the OMII-EU project: BES clients were not executing the delegation operation, so the service did not have any delegated credentials to use. We then implemented a horrible workaround in CREAM which was fine for demonstration purposes, but unfortunately can not be applied for any real use.

Moreno

--
Moreno Marzolla
INFN Sezione di Padova, via Marzolo 8, 35131 PADOVA, Italy
EMail: moreno.marzolla@pd.infn.it Phone: +39 049 8277103
WWW : http://www.dsi.unive.it/~marzolla Fax : +39 049 8756233