Version 6 (modified by prateek, 7 years ago)


ABAC Tools

The proposed GENI architecture needs the following coordinators to mediate interaction between the users and the aggregate managers.

  • Identity Provider
  • Project Authority
  • Slice Authority

The coordinators need to generate ABAC credentials to perform the required operations. ABAC Tools is a set of Java programs to generate and upload ABAC credentials


CreddyPod? is a program to generate and upload generic ABAC credentials. This in turn is used by the coordinator specific programs.

The following are the required input parameters.

  • Issuer's public key certificate (issuerkey)
  • Issuer's private key (issuercert)
  • Issuer's role/attribute (role)
  • Object Identifier, if the role is specific to a particular object (roleobject)
  • Subject's public key certificate (subjectcert)
  • Subject's role/attribute (subjectrole)
  • Scope identifier, if the credential needs to be scoped to a particular identifier (scope)


PA.GeniPI <- GOC.GeniIdP.GeniPI
CreddyPod --issuerkey <path to PA's private key file> -- issuercert <path to PA's certificate file> 
          --issuerrole GeniPI --subjectcert <path to GOC's certificate file> --subjectrole GeniIdP.GeniPI

There can be cases where one entity might have its policy dependent on some other entity's policy. In such cases we need a way to link policies. We extended POD with support for links, which enable creation of unidirectional links from one identi er (subject or a subject-scope pair) to another. A fetch based on an identi er not only fetches credentials associated with it but also the ones associated with the linked identi er, if any. PodAddLink? is the tool to create a link from one identifier to another.

There is another issue with POD that gets solved with the help of links. In case of POD, a credential can be associated with only one identity: the entity uploading the credential. So, for a credential to be associated with its subject (the one for whom the credential is issued), the subject needs to get the credential from the issuer through some other channel. The way to solve this issue in POD is to make the issuer upload the credential, and then make the subject create a link to the already uploaded credential.

Identity Provider

The following are the required input parameters.

  • IdP's public key certificate (idpkey)
  • IdP's private key (idpcert)
  • Requester's public key certificate (requestercert)
  • Requester's shibboleth eduPersonPrincipalName (shibeppn)
  • Requester's shibboleth primary-affiliation (shibaffl)
  • POD URL, if different from the default instance (podurl)


IdentityProvider --idpkey IdP_private.pem --idpcert IdP_cert.pem --requestercert Alice_cert.pem --shibeppn --shibaffl faculty 

Project Authority

The following are the required input parameters.

  • PA's public key certificate (pakey)
  • PA's private key (pacert)
  • Requester's public key certificate (requestercert)
  • Project name (projectname)


ProjectAuthorityPolicy --pakey PA_private.pem --pacert PA_cert.pem --requestercert Alice_cert.pem --projectname Project1

Slice Authority

The following are the required input parameters.

  • SA's public key certificate (sakey)
  • SA's private key (sacert)
  • PA's public key identifier (paid)
  • Requester's public key certificate (requestercert)
  • Project UUID (projectuuid)
  • Slice Name (slicename)


SliceAuthorityPolicy --sakey SA_private.pem --sacert SA_cert.pem --paid <PA's public key SHA-1 hash>
                     --requestercert Alice_cert.pem --projectuuid 0cb9a18f-d541-4d64-a06c-8b2941cfe14f --slicename Slice1