Security Setup with the Keystore Editor

Once you have obtained a password-protected user keystore (in PKCS12 format, typically a file with the suffix ''.p12'') containing a private key and a valid certificate, plus a copy of the CA signer certificate, you can perform the security setup. Import the user keystore and the CA certificate into a UNICORE-related keystore file, which either has to be created first or may already exist from previous imports. The keystore file is usually called ''keystore'' and is stored in your configuration directory. The UNICORE keystore must also be protected by a password to prevent unauthorized access. Once you have completed the security setup, the UNICORE client will prompt you only for the UNICORE keystore's password at the next start-up.

Creating a new UNICORE keystore

Create an empty UNICORE keystore by opening the Settings->Keystore_Editor dialog. When you select ''New'' from the File menu, a file chooser dialog opens in your configuration directory. You may enter ''keystore'' here, which is the common UNICORE name for the password-protected keystore file; however, you are free to enter a different name in a different directory.

After closing the file chooser, a dialog opens in which you have to specify a password for the UNICORE keystore. Preferably you should use a strong password consisting of eight characters that mixes upper and lower case letters, numbers, and punctuation. Nevertheless, weak passwords are also accepted.

The security setup continues by importing user keystores and trusted certificates, which are listed in the sub-panels called Key Entries and Trusted Certificates. The sub-panel Rejected Entries is for information only, showing outdated or otherwise invalid entries in the keystore. For permanent storage, the modified UNICORE keystore has to be saved after the import actions.

Import of user keystore

Import an existing user keystore of format JKS or PKCS12 into the current UNICORE keystore by choosing ''Import Keystore'' from the ''Actions'' menu. In particular, this feature is used to import the user's *.p12 files, which are in fact PKCS12 keystores. A file selector dialog opens where you can specify the user keystore. Because the user keystore contains a private key, it is password protected, and you will be prompted for the password when the keystore is loaded. The imported pairs of private keys and user certificates are then listed with their alias names in the Key Entries panel.
CAUTION: loading the first user keystore may take a while (about a minute, depending on your local system)!

It is possible to set up the client with more than one user certificate issued by distinct Certification Authorities. Each user key/certificate pair is stored together with all trusted certificates in an extra keystore file ''security.db_NNN.ssl'' (with NNN a hashcode number) in your configuration directory, to simplify the connection procedure to the servers.

The user certificates are distinguished by their alias names in the Key Entries list. The user has to define one certificate as the Default identity. Selecting a key entry enables several buttons, in particular the ''Set as Default'' button. Without any further settings, the Default identity is used for all connections to the servers; however, it is possible to specify different identities for different servers in the Set Identity dialog. The Default identity may be changed in the course of a Client session, but this may result in unexpected behaviour, since servers that do not accept the new Default certificate may no longer be accessible.

Import of trusted certificates

Import trusted certificates by selecting "Import certificate" from the "Actions" menu.

Trusted certificates in the UNICORE context are either the CA signer certificates of a Certification Authority or the user certificates that were used to sign the plugin software extensions. Only the CA certificates have to be imported directly in the Keystore Editor. The certificate of a plugin developer is loaded by an extra dialog that is started automatically when the plugins are loaded.

Open existing UNICORE keystore

As an alternative to generating a new UNICORE keystore, you can open an existing one, e.g. the keystore from an older version of the Client. You can then import additional private keys from user keystores and/or trusted certificates following the procedures in the previous sections.

Open an existing keystore by using the "Open" function from the "File" pop-up menu. You might want to save it to its usual place, $HOME/.unicore/$USER/keystore, or use one keystore for several applications.

Check Certificate Revocation List (CRL)

The validity of a user certificate can be checked against a Certificate Revocation List (CRL) by pressing the 'Check CRL' button. The address of the CRL is either included in the certificate itself or, failing that, taken from the User Defaults settings.

Export of public key

Your private key in the UNICORE keystore is used to sign each UNICORE request you send to one of the sites, in order to guarantee that the requests have not been tampered with. The signature can be verified using a copy of your certificate. Therefore each UNICORE site where you will use computing resources keeps a copy of your personal certificate.

To get registered as a user at a UNICORE site, the site administrator needs a copy of your certificate (not the private key!). You can export this information by selecting the 'Export public key' button, which opens a file selector dialog. Send the generated file by email to the UNICORE site administrator, who will perform the mapping to a valid login in the UNICORE User Database (UUDB).
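As an added check that is not part of the UNICORE documentation or its software: a small Python script that classifies the file you are about to mail to the site administrator, so that a whole .p12 keystore or a bare private key is never sent in place of the certificate. It recognises PEM files by their block labels and DER files by the first element inside the outer SEQUENCE; all sample bytes below are constructed headers, not real credentials.

```python
import re

def _der_tlv(buf: bytes, off: int = 0):
    """Read one DER TLV at buf[off]; return (tag, value). Raises ValueError on malformed input."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, hdr = buf[off], buf[off + 1], 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length: 0x80 | number of length octets
        n = first & 0x7F
        if n == 0 or off + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    if off + hdr + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off + hdr:off + hdr + length]

_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def classify_export(data: bytes) -> str:
    """Return 'certificate', 'pkcs12-keystore', 'private-key' or 'unknown' for a file's bytes."""
    labels = [m.group(1).decode() for m in _PEM_BLOCK.finditer(data)]
    if labels:                             # PEM: decide by the block labels
        if any("PRIVATE KEY" in lab for lab in labels):
            return "private-key"
        return "certificate" if all(lab.endswith("CERTIFICATE") for lab in labels) else "unknown"
    try:                                   # DER: look at the first element inside the outer SEQUENCE
        tag, body = _der_tlv(data)
        inner_tag, inner_val = _der_tlv(body)
    except ValueError:
        return "unknown"
    if tag != 0x30:
        return "unknown"
    if inner_tag == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {...}, ... }
        return "certificate"               # (a DER CRL has the same outer shape; it carries no key either)
    if inner_tag == 0x02:                  # a leading INTEGER is a version field
        version = int.from_bytes(inner_val, "big") if inner_val else -1
        if version == 3:                   # PFX ::= SEQUENCE { version INTEGER v3(3), ... }  (PKCS#12)
            return "pkcs12-keystore"
        if version in (0, 1):              # PKCS#8, PKCS#1 RSAPrivateKey and SEC1 EC keys use version 0 or 1
            return "private-key"
    return "unknown"

def safe_to_send(data: bytes) -> bool:
    """True only when the file carries certificate material and no private key."""
    return classify_export(data) == "certificate"

# Constructed minimal samples (headers only, not real credentials) for a quick self-check.
SAMPLE_P12 = bytes.fromhex("3003020103")         # SEQUENCE { INTEGER 3 }          -> PKCS#12 header
SAMPLE_PKCS8 = bytes.fromhex("3003020100")       # SEQUENCE { INTEGER 0 }          -> private-key header
SAMPLE_DER_CERT = bytes.fromhex("300430020500")  # SEQUENCE { SEQUENCE { NULL } }  -> certificate-shaped
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
```

Run `safe_to_send(open(path, "rb").read())` on the exported file before attaching it to the email; a False result means the file is not plain certificate material.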

Generate Certification Request

The Keystore Editor can be used to generate a certification request, thus avoiding the need to perform this step in Netscape. Select the feature from the "Actions" menu and provide the required information. A new private/public key pair is generated. The public key is used to build the certification request, which you have to save to disk (the file chooser opens automatically). Send the Certification Request to a Certification Authority by mail. After receiving your certificate from the CA, you have to import it under "Import certificates". It is attached internally to your private key and therefore will not be visible in the trusted certificates panel.

Automatic updates

If the Default certificate has been modified in the Keystore Editor several update actions will be automatically started:

Set Identity

The overall default identity for a session with the UNICORE Client is specified in the Keystore Editor. However, it is also possible to set specific identities per Usite or even per Vsite in the Settings->Set_Identity dialog which are then used for all connections to the servers. The special entry ''default'' refers always to the current default identity set in the Keystore Editor.
In expert mode it is even possible to set a default Login and Project (group) where appropriate. The typical UNICORE user can ignore these fields, since the user certificate sent with a job is automatically mapped to a corresponding user Login and a Project on the Vsite. However, if a site maps a certificate to different Logins and Projects, e.g. for accounting reasons, a mapping may be specified in the Special Settings of the Job Group panel. If a user mainly submits jobs to a site supporting this feature, a default setting may be convenient.