Version 8 (modified by prateek, 7 years ago)


ABAC Tools

The proposed GENI architecture needs the following coordinators to mediate interaction between the users and the aggregate managers.

  • Identity Provider
  • Project Authority
  • Slice Authority

The coordinators need to generate ABAC credentials to perform the required operations. ABAC Tools (AbacTools.jar) is a set of Java programs to generate and upload ABAC credentials.

Note: Entities are identified by their public key identifier, the SHA-1 hash of their public key.


CreddyPod is a program to generate and upload generic ABAC credentials. This in turn is used by the coordinator specific programs.

The following are the required input parameters.

  • Issuer's public key certificate (issuercert)
  • Issuer's private key (issuerkey)
  • Issuer's role/attribute (issuerrole)
  • Object Identifier, if the role is specific to a particular object (roleobject)
  • Subject's public key certificate (subjectcert)
  • Subject's role/attribute (subjectrole)
  • Scope identifier, if the credential needs to be scoped to a particular identifier (scope)


PA.GeniPI <- GOC.GeniIdP.GeniPI
java -cp AbacTools.jar util.CreddyPod --issuerkey <path to PA's private key file> --issuercert <path to PA's certificate file> 
--issuerrole GeniPI --subjectcert <path to GOC's certificate file> --subjectrole GeniIdP.GeniPI
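To make the meaning of a credential such as PA.GeniPI <- GOC.GeniIdP.GeniPI concrete, the following is an added Python example, not part of AbacTools or of this page, that evaluates role membership over a small set of constructed credentials. The GOC, IdP, Alice, Bob and Mallory credentials are assumptions chosen for illustration; only the PA credential comes from the page.

```python
"""Evaluate ABAC (RT0-style) role membership over a credential set.

Added illustration, not the AbacTools implementation.  A credential
"A.r <- body" has one of three body forms:
  entity D        : D holds role A.r
  role B.r1       : everyone holding B.r1 also holds A.r
  linked B.r1.r2  : everyone holding E.r2, for every E holding B.r1, holds A.r
Entities are written as plain names here; AbacTools identifies them by the
SHA-1 hash of their public key.
"""


def members(creds, role, _seen=None):
    """Return the set of entities holding `role` ("A.r"), expanding the
    credentials in `creds`, a list of (head, body) string pairs."""
    if _seen is None:
        _seen = set()
    if role in _seen:            # guard against circular containment
        return set()
    _seen = _seen | {role}       # path-based: siblings may revisit roles
    result = set()
    for head, body in creds:
        if head != role:
            continue
        parts = body.split(".")
        if len(parts) == 1:                        # A.r <- D
            result.add(body)
        elif len(parts) == 2:                      # A.r <- B.r1
            result |= members(creds, body, _seen)
        elif len(parts) == 3:                      # A.r <- B.r1.r2
            b, r1, r2 = parts
            for entity in members(creds, f"{b}.{r1}", _seen):
                result |= members(creds, f"{entity}.{r2}", _seen)
        else:
            raise ValueError(f"unsupported credential body: {body}")
    return result


def holds(creds, entity, role):
    """True if `entity` can be proven to hold `role` from `creds`."""
    return entity in members(creds, role)


# Constructed sample credential set (only the first line is from the page).
CREDS = [
    ("PA.GeniPI", "GOC.GeniIdP.GeniPI"),  # PA trusts PIs attested by GOC-accredited IdPs
    ("GOC.GeniIdP", "IdP"),               # assumed: GOC accredits IdP as an identity provider
    ("IdP.GeniPI", "Alice"),              # assumed: IdP attests that Alice is a PI
    ("IdP.GeniUser", "Bob"),              # assumed: IdP attests that Bob is only a user
    ("Mallory.GeniPI", "Mallory"),        # assumed: a self-issued claim from an unaccredited entity
]

if __name__ == "__main__":
    for who in ("Alice", "Bob", "Mallory"):
        print(who, "holds PA.GeniPI:", holds(CREDS, who, "PA.GeniPI"))
```

The point the chain makes: Mallory's self-issued PI credential proves nothing, because the linked role is anchored at GOC.GeniIdP, which PA controls through its own policy credential. Only entities accredited by GOC can confer PA.GeniPI.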

There can be cases where one entity might have its policy dependent on some other entity's policy. In such cases we need a way to link policies. We extended POD with support for links, which enable creation of unidirectional links from one identifier (subject or a subject-scope pair) to another. A fetch based on an identifier not only fetches credentials associated with it but also the ones associated with the linked identifier, if any. PodAddLink is the tool to create a link from one identifier to another.

There is another issue with POD that gets solved with the help of links. In case of POD, a credential can be associated with only one identity: the entity uploading the credential. So, for a credential to be associated with its subject (the one for whom the credential is issued), the subject needs to get the credential from the issuer through some other channel. The way to solve this issue in POD is to make the issuer upload the credential, and then make the subject create a link to the already uploaded credential.

The following are the required input parameters.

  • Source public key certificate (sourcecert)
  • Source private key (sourcekey)
  • Source scope, only if the source identifier is scoped (sourcescope)
  • Target public key certificate (targetcert)
  • Target scope, only if target identifier is scoped (targetscope)

An Identity Provider issues user role credentials for a user Alice and uploads them scoped to Alice's public key identifier. Alice can associate the same credentials with her own identifier by creating a link to them.

(Alice) -> (IdP, Alice)
java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Alice_private.pem --sourcecert credentials/Alice_cert.pem 
--targetcert credentials/IdP_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Alice_cert.pem`
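The link semantics described above (credentials keyed by an identifier or identifier-scope pair, unidirectional links, fetch following links) can be modelled in a few lines. The following is an added Python model written for this page, not the POD implementation; the "sha1:..." identifiers and the credential strings are constructed stand-ins for real public key hashes and ABAC credentials.

```python
"""Model of a POD credential store with links (added illustration).

An identifier is an (entity, scope) pair; scope is None for a bare entity.
A link is a unidirectional edge between identifiers.  Fetching an
identifier returns its own credentials plus those reachable through links.
"""
from collections import defaultdict


class PodStore:
    def __init__(self):
        self._creds = defaultdict(list)   # identifier -> uploaded credentials
        self._links = defaultdict(set)    # identifier -> linked identifiers

    @staticmethod
    def ident(entity, scope=None):
        return (entity, scope)

    def upload(self, uploader, credential, scope=None):
        """Associate a credential with the uploader's (optionally scoped) identifier."""
        self._creds[(uploader, scope)].append(credential)

    def add_link(self, source, target):
        """Create a unidirectional link source -> target (what PodAddLink does)."""
        self._links[source].add(target)

    def fetch(self, identifier):
        """Credentials reachable from `identifier`, following links transitively.
        Visited identifiers are tracked so a link cycle cannot loop forever."""
        seen, queue, result = set(), [identifier], []
        while queue:
            cur = queue.pop(0)
            if cur in seen:
                continue
            seen.add(cur)
            result.extend(self._creds.get(cur, []))
            queue.extend(sorted(self._links.get(cur, ()), key=str))
        return result


# Constructed stand-ins for public key identifiers (real ones are SHA-1 hashes).
ALICE, BOB, IDP = "sha1:alice", "sha1:bob", "sha1:idp"


def scenario():
    """The page's example: IdP uploads Alice's credential scoped to Alice,
    then Alice links (Alice) -> (IdP, Alice)."""
    pod = PodStore()
    pod.upload(IDP, "IdP.GeniUser <- Alice", scope=ALICE)   # issuer uploads, scoped to subject
    pod.upload(IDP, "IdP.GeniUser <- Bob", scope=BOB)       # another user's credential
    pod.add_link(PodStore.ident(ALICE), PodStore.ident(IDP, ALICE))
    return pod


if __name__ == "__main__":
    pod = scenario()
    print("fetch(Alice):", pod.fetch(PodStore.ident(ALICE)))
    print("fetch(IdP):  ", pod.fetch(PodStore.ident(IDP)))
```

Two properties worth checking in any real deployment are visible in the model: a fetch on Alice's identifier yields only the credential scoped to Alice, not Bob's, because the link targets the (IdP, Alice) pair rather than IdP as a whole; and because links are unidirectional, a fetch on IdP's bare identifier does not pull in anything Alice has uploaded.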


Identity Provider

The following are the required input parameters.

  • IdP's public key certificate (idpcert)
  • IdP's private key (idpkey)
  • Requester's public key certificate (requestercert)
  • Requester's shibboleth eduPersonPrincipalName (shibeppn)
  • Requester's shibboleth primary-affiliation (shibaffl)
  • POD URL, if different from the default instance (podurl)


java -jar AbacTools.jar IdentityProvider --idpkey IdP_private.pem --idpcert IdP_cert.pem --requestercert Alice_cert.pem 
--shibeppn <Alice's eduPersonPrincipalName> --shibaffl faculty 

Project Authority

The following are the required input parameters.

  • PA's public key certificate (pacert)
  • PA's private key (pakey)
  • Requester's public key certificate (requestercert)
  • Project name (projectname)


java -jar AbacTools.jar ProjectAuthority --pakey PA_private.pem --pacert PA_cert.pem --requestercert Alice_cert.pem --projectname Project1

Slice Authority

The following are the required input parameters.

  • SA's public key certificate (sacert)
  • SA's private key (sakey)
  • PA's public key identifier (paid)
  • Requester's public key certificate (requestercert)
  • Project UUID (projectuuid)
  • Slice Name (slicename)


java -jar AbacTools.jar SliceAuthority --sakey SA_private.pem --sacert SA_cert.pem --paid <PA's public key SHA-1 hash> 
--requestercert Alice_cert.pem --projectuuid 0cb9a18f-d541-4d64-a06c-8b2941cfe14f --slicename Slice1