IAM in Service Catalog
This page describes the steps required to establish an identity and X.509 certificate credential for a UW application.
The intended audience is application developers, system owners, system operators, support staff, and possibly even application business owners.
There are two main steps involved in establishing an identity and credential for a UW application.
To establish a DNS name for your application, refer to Managing DNS Names For Infrastructure Services Access.
To request a client certificate for your application, refer to section 1.5.2 "Requesting certificates for systems without static IPs" on UW Services CA Technical Information.
You will enter the application DNS name you established above as the first step, "1. Enter your host's fully qualified domain name" in requesting a certificate.
Q: Why do I need a DNS name?
A: Your application will be identified to the Web Service (and perhaps other UW infrastructure services) by a domain name. Unlike the domain names used by hosts, an application domain name is not associated with an IP address and its DNS entry is not used for routing. Your application DNS name will be used in Step 2 to request a client certificate.
Q: How should I choose a name?
A: Although you have a great deal of leeway choosing your application domain name, some basic guidance is:
Q: When might I need more than one name? Can multiple applications share a name?
A: UW web services identify and authenticate your application using the DNS name in your X.509 certificate. Once authenticated, and with the right authorizations, your application can access privileged data and operations. Thus, your application name will appear in audit logs reflecting the sensitive activity your application has engaged in. Where you want the access granted, or the audit log references, to identify a single application uniquely for security, diagnostic, or forensic purposes, do not share an application DNS name amongst multiple apps. Many application developers request separate domain names for their Production and Development instances of their application. On the other hand, we recommend using the same application name for multiple instances of the same application that run simultaneously for high availability. There's no need for redundant service instances to each have their own unique domain name. See also section 1.10 "When to use multiple certificates" on UW Services CA Technical Information.
Q: Why do I need a certificate?
A: Your application will use its certificate and associated private key to authenticate (i.e., prove its identity) to a SSL/TLS protected Web Service and to encrypt communications, which may include sensitive data.
Q: Can I use a certificate issued by Thawte, InCommon, or some other external CA?
A: No. UW Web Services and many other UW infrastructure services only trust the UW Services CA to authenticate UW applications. Therefore, you must obtain a client certificate from the UW Services CA.
For additional guidance, please email firstname.lastname@example.org.
Q: What if my legacy application requires a SHA-1 certificate?