License Expiration Dates
o New FusionGrid user
1) User clicks "Request New Certificate"
on http://cert.fusiongrid.org
Activates /var/html/CertReqForm.html
Fills out form
Info handed to /var/cgi-bin/webRequestCert.py
Checks user not already defined
Checks for invalid data
Key and certificate request generated
Request enrolled in http://fluorite.es.net:9001
with mail address set to FusionGridRA@pppl.gov
Request information saved in directory /var/www/CertRequests
Key information saved in directory /var/www/CertRequests
2) Cadsg@es.net sends e-mail to FusionGridRA@pppl.gov
An RA reading FusionGridRA@pppl.gov clicks on the URL given in the e-mail
and approves the certificate request
Approval notice is mailed to FGCM@pppl.gov
3) Cronjob on blackbird.pppl.gov runs "loadCert.py"
every ten minutes
loadCert.py reads any e-mail in fgcm@pppl.gov
with Subject "Your Certificate Request"
Looks for success message
Gets Distinguished Name
Extracts Certificate
Update myproxy on this computer (cert.fusiongrid.org)
Enter user into roam.fusiongrid.org
Move info file to /var/www/Users
Clean up /var/www/CertRequests
Mail user can login to roam.fusiongrid.org
and can use cert.fusiongrid.org for myproxy
4) Cron job at 1:11AM synchronizes myproxy at
roam.fusiongrid.org; after that the user can use
roam.fusiongrid.org for myproxy
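The loadCert.py step above (read mail with Subject "Your Certificate Request", look for the success message, get the DN, extract the certificate) is the point where a malformed or forged notice would otherwise reach myproxy. The following parser is an added example and is not the site's loadCert.py; the success wording, the "Subject DN:" line and the PEM block layout are assumptions about the notice format, and the sample mail is constructed with a base64 placeholder rather than a real certificate. A notice is only reported as approved when both a DN and a well-formed PEM block are present, so an incomplete mail cannot trigger the myproxy update.

```python
import base64
import email
import re
from email import policy

SUBJECT = "Your Certificate Request"            # subject line the page says loadCert.py filters on
SUCCESS_RE = re.compile(r"\bhas been approved\b", re.I)     # success wording is an assumption
DN_RE = re.compile(r"^Subject DN:\s*(/\S.*?)\s*$", re.M)    # DN line format is an assumption
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.S)

# Constructed sample mail; the PEM body is base64 of placeholder text, not a real certificate.
_PLACEHOLDER_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_MAIL = (
    "From: FusionGridRA@pppl.gov\n"
    "To: fgcm@pppl.gov\n"
    f"Subject: {SUBJECT}\n"
    "\n"
    "Your certificate request has been approved.\n"
    "Subject DN: /O=ExampleGrid/OU=People/CN=Jane Doe\n"
    "-----BEGIN CERTIFICATE-----\n"
    f"{_PLACEHOLDER_B64}\n"
    "-----END CERTIFICATE-----\n"
)


def parse_approval_mail(raw):
    """Return None if the mail is not a certificate-request notice; otherwise a dict with
    approved (bool), dn (str or None) and cert_pem (str or None)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg["Subject"] or "").strip() != SUBJECT:
        return None
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    result = {"approved": bool(SUCCESS_RE.search(text)), "dn": None, "cert_pem": None}
    m = DN_RE.search(text)
    if m:
        result["dn"] = m.group(1)
    m = PEM_RE.search(text)
    if m:
        b64 = "".join(m.group(1).split())
        try:
            base64.b64decode(b64, validate=True)   # well-formed base64 only; not an X.509 check
            result["cert_pem"] = m.group(0) + "\n"
        except ValueError:
            pass
    # A notice with no DN or no certificate is not a success, whatever the wording says:
    # otherwise the myproxy update step would run with nothing to load.
    if result["approved"] and (result["dn"] is None or result["cert_pem"] is None):
        result["approved"] = False
    return result


if __name__ == "__main__":
    print(parse_approval_mail(SAMPLE_MAIL))
```

A real deployment would additionally verify that the notice came from the expected sender path (the page shows approvals arriving from the ESnet CA side to FGCM@pppl.gov) before acting on it; that check depends on the mail setup and is not shown here.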
o Accept myproxy request from user
1) /etc/init.d/myproxy started at boot time
Uses /var/myproxy as location for proxy files
/var/myproxy has been updated
by loadCert.py, submitRenewal.py
2) Normal myproxy actions
which return proxy to user
o Renew user
1) At 2AM, renewalMail.py is run by cron from account fgcm
2) Gets list of processed renewal users from renewalDB
3) Iterates over new renewal notifications in
fgcm@pppl.gov mailbox
Checks if user exists
Checks if certificate has already expired
Checks if user has already responded
Else emails user to click
on declineRenewal URL or
on renewCert URL
4) Updates renewalDB
- Process declineRenewal URL with user argument
1) Get Certified Name (CN) from URL parameter
2) Get list of processed renewal users from renewalDB
Mark as declined in renewalDB
- Process renewCert URL with user argument
1) Get Certified Name (CN) from URL parameter
2) Get list of processed renewal users from renewalDB
3) Get user information and submit renewal
requesting current passphrase
URL used is submitRenewal.ps
- Submit renewal activated
1) Get form information including Certified Name
2) Use password to load Credential of user
3) Makes an HTTPS request to fluorite.es.net:9002
for certbasedenrollment
and gets the response
4) Replace user's key and certificate
Update phone/email
Update renewal database
Displays success message on the submit-renewal form
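The renewalMail.py checks (user exists, certificate not already expired, user not already responded, else mail) and the declineRenewal/renewCert handlers that update renewalDB are shown together below as an added example; it is not the site's own code. The user directory and renewalDB are stand-in dicts, the state names "notified", "declined" and "renewed" are assumptions, and the sample users are constructed. Two points the outline leaves implicit are made explicit: an expired certificate is never offered for renewal (the user must go through the new-request path), and once a user has responded the first response wins, so a second click on either URL cannot flip the decision.

```python
from datetime import datetime, timedelta, timezone

RESPONDED = {"declined", "renewed"}   # renewalDB states that count as a response (assumed names)


def renewal_action(cn, users, renewal_db, now):
    """Classify one renewal notification.
    users maps CN -> {'not_after': datetime, 'email': str};
    renewal_db maps CN -> 'notified', 'declined' or 'renewed'."""
    info = users.get(cn)
    if info is None:
        return "unknown_user"
    if info["not_after"] <= now:
        return "expired"            # cannot be renewed; the user needs a new certificate request
    if renewal_db.get(cn) in RESPONDED:
        return "already_responded"
    return "notify"                 # also re-mails a user who was notified but never answered (assumption)


def process_notifications(cns, users, renewal_db, now):
    """One nightly pass: return {cn: action} and record 'notified' for each mailed user."""
    actions = {}
    for cn in cns:
        action = renewal_action(cn, users, renewal_db, now)
        actions[cn] = action
        if action == "notify":
            # stand-in for mailing the declineRenewal / renewCert URLs to info['email']
            renewal_db[cn] = "notified"
    return actions


def record_response(renewal_db, cn, state):
    """Called by the declineRenewal and renewCert handlers. Returns False if the user
    had already responded, so a repeated or conflicting click changes nothing."""
    if state not in RESPONDED:
        raise ValueError("unknown state")
    if renewal_db.get(cn) in RESPONDED:
        return False
    renewal_db[cn] = state
    return True


# Constructed sample data: one user due for renewal, one already expired, one who declined.
NOW = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)
USERS = {
    "/O=ExampleGrid/CN=alice": {"not_after": NOW + timedelta(days=20), "email": "alice@example.org"},
    "/O=ExampleGrid/CN=bob":   {"not_after": NOW - timedelta(days=1),  "email": "bob@example.org"},
    "/O=ExampleGrid/CN=carol": {"not_after": NOW + timedelta(days=5),  "email": "carol@example.org"},
}

if __name__ == "__main__":
    db = {"/O=ExampleGrid/CN=carol": "declined"}
    print(process_notifications(list(USERS), USERS, db, NOW))
    print(db)
```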
o Change Certificate Password request
1) http://cert.fusiongrid.org
User clicks on "Change certificate password"
https://cert.fusiongrid.org/changePassword.html
Form asks for username, old password,
new password, verify new password, and
password hint.
and then posts to cgi-bin/changePass
2) cgi-bin/changePass verifies user from
/var/www/Users/*.info
Invokes myproxy-admin-change-pass
Checks return values
Looks for password hint
Updates /var/www/Users/*.info for user
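The changePass step takes a username and passwords from a web form, uses the username to locate a file under /var/www/Users, and hands it to an external command; those are the two places where unvalidated form input does the most damage. The handler below is an added example, not the site's cgi-bin/changePass: the username character rule, the minimum password length, the key: value layout of the *.info file and the myproxy-admin-change-pass arguments (-l for the username, -S for passphrase on stdin) are assumptions to be checked against the site's conventions and the installed man page. The command is run as an argv list with no shell, the resolved path is confirmed to lie inside the users directory, and a hint that would reveal the password is rejected because the hint service mails it out in clear.

```python
import os
import re
import subprocess

USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")   # site naming rule: assumption
MIN_PASSWORD_LEN = 12                                            # assumption


def validate_username(name):
    """Allow only a plain account name; anything else never reaches a path or a command line."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def info_path(users_dir, name):
    """Resolve <users_dir>/<name>.info and refuse any result outside users_dir
    (defence in depth against traversal or a stray symlink, on top of the username check)."""
    name = validate_username(name)
    base = os.path.realpath(users_dir)
    path = os.path.realpath(os.path.join(base, name + ".info"))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes users directory")
    return path


def parse_info(text):
    """*.info layout is an assumption: one 'key: value' per line."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def render_info(info):
    return "".join(f"{key}: {value}\n" for key, value in info.items())


def run_myproxy_change_pass(name, new_pw):
    """Invoke myproxy-admin-change-pass without a shell: username is its own argv element and
    the passphrase goes on stdin, so neither is parsed by a shell. Flags are assumed."""
    proc = subprocess.run(["myproxy-admin-change-pass", "-l", name, "-S"],
                          input=new_pw + "\n", text=True, capture_output=True)
    return proc.returncode


def change_password(name, info, old_pw, new_pw, verify_pw, hint,
                    change_pass=run_myproxy_change_pass):
    """Apply the form checks, change the passphrase, return the updated info record.
    Checking old_pw against the stored credential is assumed to be done by the caller
    (e.g. a myproxy retrieval) and is not shown; its presence is still required."""
    validate_username(name)
    if not old_pw:
        raise ValueError("old password required")
    if new_pw != verify_pw:
        raise ValueError("new passwords do not match")
    if len(new_pw) < MIN_PASSWORD_LEN:
        raise ValueError("new password too short")
    # The hint is mailed in clear by hint.py, so it must not give the password away.
    if hint and (new_pw.lower() in hint.lower() or hint.lower() in new_pw.lower()):
        raise ValueError("hint must not contain or be contained in the password")
    if change_pass(name, new_pw) != 0:
        raise RuntimeError("myproxy-admin-change-pass failed")
    updated = dict(info)
    updated["hint"] = hint or ""
    return updated


def handle_request(users_dir, form, change_pass=run_myproxy_change_pass):
    """CGI-style entry point: form is the posted field dict."""
    path = info_path(users_dir, form["username"])
    with open(path) as fh:
        info = parse_info(fh.read())
    updated = change_password(form["username"], info, form["oldpass"], form["newpass"],
                              form["verify"], form.get("hint", ""), change_pass)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(render_info(updated))
    os.replace(tmp, path)      # atomic update so a crash cannot leave a half-written record
    return updated
```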
o Password Hint request
1) http://cert.fusiongrid.org
User clicks on "Password Hint"
https://cert.fusiongrid.org/hintMailer.html
Form asks for user name
and then posts to cgi-bin/hint.py
2) cgi-bin/hint.py verifies user from
/var/www/Users/*.info
Gets password hint from *.info
Gets e-mail address from *.info
Mails hint to user
o Forgotten password request
1) http://cert.fusiongrid.org
User clicks on "Forgotten Password"
https://cert.fusiongrid.org/recoverCert.html
Form requests user name, new password,
verify new password, and password hint
Posts to cgi-bin/recoverCert
2) cgi-bin/recoverCert verifies user from
/var/www/Users/*.info
Gets CN (certificate name) from *.info
Generates new key and certificate request
for this CN
Generates http request using information
from *.info
Adds comment "CERT issue Request!"
Sends request to fluorite.es.net:9002
Updates password and password hint
Saves *.info and *-key.pem in CertRequests
3) Now treated as new certificate request
i.e. FusionGrid RA gets request in e-mail
and approves
o Remove user (Disabled)
Disabled because it is insecure once the pbscookie is broken
1) To restore the ability to remove a user
/bin/mkdir /var/www/html/a
s=/var/www-auxiliary/html
/bin/cp -ip $s/a/index.html /var/www/html/a
/bin/mkdir /var/www/cgi-bin/p
s=/var/www-auxiliary/cgi-bin
/bin/cp -ip $s/p/removeUser.py /var/www/cgi-bin/p
Note: hack in a name check in copied removeUser.py
so only that user can be removed
Note: below required before removeUser.py will work
/bin/cp -ip $s/p/webRequest.py /var/www/cgi-bin/p
2) To remove later
/bin/rm -ir /var/www/cgi-bin/p
/bin/rm -ir /var/www/html/a
3) http://cert.fusiongrid.org/a/index.html
Enter username to remove and click submit
4) removeUser.py invoked
Gets username from form
Calculates locations of /var/www/Users/*.info,
/var/myproxy/*.data, and /var/myproxy/*.cred files
Verifies files exist
5) Gets Distinguished Name (DN) from *.info file
Connects to roam.fusiongrid.org with remuser= argument
User removed on roam.fusiongrid.org
Removes info, data, and cred file for user