JSTOR access with PKI
CREN and Internet2 are both trying to interest web-based publishers in providing alternatives to account/password or IP-based access control to their systems. The PKI Lab team has been working on public-key-based web site authentication and authorization as a possible replacement for Dartmouth's current Kerberos/Sidecar system. We now have a PKI Certificate Authority system operating, which we will be introducing for the entire campus, and we are working on converting other campus applications to use PK certificates. As a next step in that direction we are participating in a trial of JSTOR authorization using client-side public-key certificates. CREN and the other participants want to find out whether this is workable for library users and, if so, promote it with more publishers.
This method of authentication and authorization would be used instead of IP address range restrictions. Users would be able to access JSTOR from any address on the Internet; they would not have to use the Dartmouth Web Proxy or have the KClient and Sidecar software installed. Instead they would obtain a personal certificate and, when prompted, provide the password for their browser's certificate store. Obtaining a certificate is handled by visiting a web site and filling out the enrollment form, authenticating one time with your DND account and password.
For more information see the CREN WAVE1 project web site.
To participate in the trial, follow the instructions below.
1. Read about the basics of PKI. For a short introduction see: PKI Background and Using PKI.
2. Choose a web browser that supports client-side certificates on your computer and operating system. Unfortunately Internet Explorer for the Macintosh does NOT work. For more information see: Web Browsers Supporting Personal Certificates.
3. Since your certificate is stored on the hard disk of the computer from which you obtain it, you will need to access JSTOR from this same computer. If you need to move your certificate to another computer, see the Using PKI document. If you must use more than one computer and you can't move your certificate, you can obtain a second one. (Remember, though, that when you later start to use certificates for signing and encryption you will need to keep track of which certificate was used. It will be simpler in the long run to try to move your certificate instead of re-enrolling. For instructions on moving keys see: Using PKI.)
4. Choose a password for your Browser's certificate store / key database. The "Using PKI" web page provides some useful suggestions on passwords.
If you have set a password and have forgotten what it is, see: Reset Passwords.
5. Obtain a Dartmouth College signed certificate. Go to DND Enrollment and follow the instructions, including getting the CREN certificate. (If you have trouble, send e-mail to: CA-security-officer@Dartmouth.EDU.)
6. To access JSTOR with your certificate, visit the alternate JSTOR URL https://logon.jstor.org/logon/remote/.
Depending on your preference settings, your browser may ask you to choose a certificate. For example, using Mozilla, select the certificate with your name and "Dartmouth College ID" appended to it in the popup menu, then click the "OK" button.
Mozilla will next prompt: "Please enter the master password for the Software Security Device". Supply the password for your browser certificate store. You should next see the JSTOR home page. JSTOR's operation should not be any different from this point.
7. If you have any trouble with access, please send a report to Robert Brentrup. Please do not call JSTOR support. For browser and PKI troubleshooting assistance see: Testing your PKI Installation.
8. Please try this method for all of your JSTOR use until you are notified that the test is ending. Of special interest are reports of experiences with off campus use, successful or not.
Institutional Setup with JSTOR
To participate in the CREN-JSTOR pilot an institution needs to be a JSTOR subscriber and needs a CREN-signed Certificate Authority from which to issue personal certificates to members of the community. (Otherwise certificates must be issued through some other root CA "known to JSTOR". To make self-signed CAs work, the self-signed cert would have to be added to JSTOR's production web server configurations.)
JSTOR authorization requires the issuer's DN to be added to internal system tables. To arrange this, the institution's PKI contact should visit the alternate JSTOR URL https://logon.jstor.org/logon/remote/ and attempt to log on with a properly signed personal certificate. This attempt should fail, but it will list the institution name in the web server error logs. Call the JSTOR contact to have your CA cert set up in the approval table. (Otherwise e-mail a PEM-format copy of the properly signed institutional certificate to the JSTOR contact.)
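The issuer-DN check described above, as an added example that is not from the original page and not JSTOR's own code: a Go program builds a constructed CREN-style hierarchy (root, institutional CA, personal certificate) and runs the server-side decision for one user before and after the institutional CA's DN has been entered in the approval table. The names, the log strings and the Ed25519 keys are assumptions; the page does not show how JSTOR implemented its tables.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent; with parent == nil it signs itself (a root CA).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key type is an assumption of this example
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, pkey = t, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, priv
}

// authorize is the server-side decision: chain to the trusted root, then issuer DN in the approval table; returns the log line.
func authorize(user, issuer, root *x509.Certificate, approved map[string]bool) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	if _, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "chain failed: " + err.Error()
	}
	if !approved[user.Issuer.String()] {
		return "issuer not in approval table: " + user.Issuer.String() // the line the setup step expects in the error log
	}
	return "ok"
}

// Scenario: constructed CREN root and institutional CA; one user logs on before and after JSTOR enters the CA's DN.
func Scenario() (before, after string) {
	cren, crenKey := mkCert("CREN Root CA", true, nil, nil)
	dartCA, dartKey := mkCert("Dartmouth College CA", true, cren, crenKey)
	user, _ := mkCert("Jane Doe", false, dartCA, dartKey)
	approved := map[string]bool{dartCA.Subject.String(): true} // the DN JSTOR copies from its error log
	return authorize(user, dartCA, cren, map[string]bool{}), authorize(user, dartCA, cren, approved)
}
func main() { fmt.Println(Scenario()) }
```

Running it prints the two outcomes; the first is the kind of line the setup step tells the PKI contact to expect in JSTOR's error log, the second is the result once the DN is in the table.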
Expected Outcomes
Participants will need to learn how to use a new PKI-based authentication process. The process is straightforward, but some areas of difficulty may be uncovered. Many current combinations of browser and operating system have been tested, but older combinations may have bugs. Unfortunately the Internet Explorer browser on a Mac can't be used currently; most other popular setups are fine. One area where PKI can be more complicated than current practice is for users who routinely work from multiple computers. There are various solutions to this problem, but the most elegant aren't available right now. Certificates do need to be renewed periodically. Access to JSTOR itself seems to be transparent after the initial logon process. JSTOR is interested in learning of any problems with this. Contact Robert Brentrup, who will collect and forward the information.
Pilot Status
Dartmouth College has PKI access to the JSTOR system working. A number of staff members (from the PKI Lab and the Library) have been able to connect to JSTOR with their CREN-signed Dartmouth certificates.
The JSTOR site has been tested on the campus network and using EROLS.COM (satellite) and valley.net as ISPs. The following browsers were tested:
Success:
Failure: Internet Explorer on Macintosh - no client cert support
Problems
Netscape 6.2.1-6.2.3 - bug, target site reports "no credentials were presented"
Last update: 22 October 2002