VOMS Communication Protocol

Communication happens via GSI or SSL, with mutual authentication, confidentiality, and integrity on.

There are two messages: First the client sends the following message:

<xml version="1.0" encoding = "US-ASCII"?>

Where COMMAND is one of:

  1. Ggroupname -- Gets all group and subgroup information.
  2. Rrolename -- Gets all roles with name 'rolename'.
  3. Bgroupname:rolename -- Gets role 'rolename' in group 'groupname'.
  4. A -- Gets everything.
  5. L -- List all special queries. (deprecated)
  6. S -- Executes query . (deprecated)
  7. M -- Gets a list of all possible FQANs
  8. -- Gets the specified FQAN.

Where ORDER is: groupname:rolename,...,groupname:rolename -- The listed FQAN will be first in the AC, in the specified order, the others will follow, in an unspecified order.

Where TARGET is: target1,..,targetn -- The targets to put in the omonymous extensions. These are supposed to be fully qualified hostnames.

Where N is: Lifetime, in seconds. Default = 86400 (24 hours)

Where B is:

  1. -- Asks for OpenSSL compliant Base64 encoding rather than the one specified below (requires 1.8 server)
  2. -- Uses the custom Base64 encoding specified below.
If missing, 0 is assumed.

Where V is the version of the message. Current version is 4. If absent, version is 1.

, , and are optional.

may be repeated any number of times.

Now, the server returns an answer, in the following format:

<xml version="1.0" encoding = "US-ASCII"?>
  <error>                   (0..1) times
   <item>                  (0..n) times

Where N is the error code, and MESSAGE the corresponding message.

CODEDAC is the 'AC returned, in base 64. CODEDDATA is the output of the 'M', 'S', 'L' commands, in base64.

V is the version of the answer. If missing 1 is assumed, 3 is the current value.

Independent implementations of this encoding should be able to accept unexpected elements in both the request and answer messages, and ignore them.

Base 64 Custom Encoding

6 bit -> [a-zA-Z0-9[]]

Behaviour of Contact() and related calls:

Contact() does this:

  1. Loads the user's proxy.
  2. Contacts the server in mutual authentication.
  3. Sends the request, created taking into consideration preceding calls to SetLifetime() and Order(), if any.
  4. Receives an answer.
  5. If the answer contains an error or a warning, makes the code and message available for calls to vomsdata methods. If it is an error and not a warning, execution ends.
  6. Extracts the AC from the answer.
  7. Verifies the AC according to preceding calls to SetVerificationType()
  8. Puts the AC and the results of its parsing in the 'voms' vector.

-- VincenzoCiaschini - 16 Jul 2008

Topic revision: r1 - 2008-07-16 - VincenzoCiaschini
This site is powered by the TWiki collaboration platformCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback