ION Grid Terminology

Throughout this guide various terms and abbreviations are used that may require explanation.

Term Description
Asymmetric encryption Asymmetric encryption means that different (mathematically related) keys are used for encryption and decryption. The public key can be shared freely, while the private key must be kept secret. Asymmetric encryption is more often called public key encryption.
Public key

The public key is used to encrypt data intended for the holder of the corresponding private key. Only the private key can decrypt information encrypted with the corresponding public key.

A public key is typically distributed by sharing a certificate that vouches for its authenticity.

The public key can also be used to validate the authenticity of data signed by the corresponding private key. Such signatures are the basis of trust in a certificate – if the relying party can verify the issuer’s signature (by having access to the issuer’s public key), the public key of the certificate can be trusted.

Private key The private key must be properly protected to ensure that it is indeed kept private.
Key pair A matching pair of a public key and a private key.
Symmetric encryption In symmetric encryption, the same key is used for both encryption and decryption. It is therefore very important to protect the key from unauthorized entities.
Certificate

A certificate vouches for the authenticity of a public key. It is a signed statement from an issuer stating that the included public key belongs to the holder of the private key. The issuer is called a Certificate Authority.

A certificate can be signed by the private key itself and is called self-signed certificate.

Certificate Authority

A certificate authority (CA) is an entity that issues and revokes certificates for various uses.

Public Certificate Authorities such as VeriSign, EnTrust and Thawte are by default trusted by the most common browsers. Certificates issued by those entities are automatically trusted by the browser if they are still valid.

The certificates of a non-public (or internal) Certificate Authority are not trusted by clients automatically. This can be remedied by having the issuing certificate of the Certificate Authority imported into the Trusted Root Certificate store.

Certificate Signing Request

When a new certificate is required, a keypair is generated on the host where it will be used. The Public Key is bundled together with additional information like key usage and user/host information. The result is called a Certificate Signing Request and is packaged according to the PKCS#10 standard.

A Certificate Signing Request is submitted to a Certificate Authority for signing. The resulting issued certificate should be in a format following the PKCS#7 standard.

CA See Certificate Authority.
CSR See Certificate Signing Request.
Keystore A keystore is a collection of certificates and/or key pairs. The keystore is normally stored in a file on a hard drive. The grid uses various keystores as described in Grid Keystores.
Authentication Authentication is the process of receiving provided credentials and ensuring that the credentials are matching and correct.
Authorization Authorization is the process of validating if an authenticated used has the permission to access a specific resource.
Certificate Revocation List The Certificate Authority may provide a Certificate Revocation List (CRL) that keeps track of all revoked certificates. In order to make use of the CRL, issued certificates must include a link to where the CRL can be found
CRL See Certificate Revocation List.
Revocation Revocation is the process of a Certificate Authority to invalidate an issued certificate.
Self-signed certificate A self-signed certificate means that the signer of the certificate is the holder of the public key itself. That means that there is not any trust for the certificate by default. Extra measures must be taken in order for that certificate to be trusted by browsers and other clients/devices.
Grid-signed certificate A grid-signed certificate is a certificate issued by the grid CA. The grid CA’s issuing certificate is not automatically trusted by browsers and other devices. If the grid root certificate (issuing certificate) would be imported into every browser’s and device’s trusted root certificates store, then the grid CA becomes a trusted CA.
CA-signed certificate A CA-signed certificate means that the issuer of the certificate is a trusted entity (either an internal corporate CA or an external CA). Browsers automatically trust the certificate since the CA certificate that performs the Issuing of the certificates is in the browser’s list of trusted root certificates.
PKCS Public-Key Certificate Standards issued by RSA Security for various cryptographic uses.
LifeCycle Manager (LCM) An application lifecycle management utility used by Infor M3 and in some cases Infor Lawson. The LifeCycle Manager can be used to install and manage the grid and grid applications.
Bootstrap The Bootstrap is the name of a component used to install and manage grids without the use of LCM. The Bootstrap is used by Infor ION to manage grid instances.
SAML The Security Assertion Markup Language is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. The grid has a SAML Session Provider which uses the WS-Federation and WS-Trust standards for authenticating users when Infor Federation Services (IFS) is used. See Installing and configuring the SAML Session Provider for further information.
Identity Provider (IdP) Identity Provider (also known as Identity Assertion Provider) is an authentication module which verifies a Security token as an alternative to explicitly authenticating a user within a security realm.
Service Provider (SP) An entity providing a service. The SAML Session Provider is a Service Provider when using IFS. The SP authenticates the users to the IdP.