Since the current data infrastructure of the HEP experiments is based on gridftp, most computing centres have adapted and based their own access to the data on the X.509. This is an issue for smaller experiments who do not have the resources to train their researchers about the complexities of X.509 certificates and who clearly would prefer an approach based on username/password.
On the other hand, asking computing centres to support different access strategies is not so straightforward, since it would require a significant expenditure of effort and manpower.
At CNAF we tackled this problem by creating a layer on top of the gridftp client/server that completely hides the X.509 infrastructure under an authentication/authorization process based on the Kerberos realm of our centre, and therefore based on username/password. We called this 'dataclient.'
In this article we will describe both the principles that drove its design and its general architecture, with the measures taken to simplify the user's experience and maintenance burden.