Security Support
Last Updated 01/27/2004
Contents
- Introduction
- Features
- Message Level Security
- Transport Level Security
- General Client Information
1 Introduction
GT3 Java GSI is based on the implementation of GSI in the Java CoG Kit. GT3 provides message level security (the transport layer security ('httpg') is no longer supported). The message level security is based on the WS-Security, XML Encryption and XML Signature standards.
The Java GSI implementation is an implementation of the Java GSS-API. It supports the GSS-API extensions and the new proxy certificate format specifications as defined by the Global Grid Forum and the IETF PKIX working group.
2 Features
GT3 security library features:
- Transport and message level security.
- Instance-based security.
  - Each service instance can have its own credentials, gridmap file, etc.
- Declarative security.
  - The security behavior of a service can be specified in a security deployment descriptor. Note that this is not the case for client-side security properties, including those of a service acting as a client: client-side security properties still have to be specified in the client code itself.
- Programmatic security.
  - Security APIs are provided to service developers for fine-grained security control.
- JAAS integration.
  - Permits services to be independent from underlying authentication technologies.
3 Message Level Security
Please see the Message Level Security document for details.
4 Transport Level Security
Please see the Transport Level Security document for details. Please note that the transport layer security ('httpg') is no longer supported.
5 General Client Information
The following GSI properties can be set on the client to control the authentication/authorization process. These options are valid for both the message and transport level security mechanisms, but are not necessarily sufficient for full configuration of either mechanism. In other words, you may be required to set mechanism specific options. Information on mechanism specific properties can be found in the transport and message level security documents.
- org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS
  - Value: org.ietf.jgss.GSSCredential instance
  - It is used to pass a specific set of credentials for authentication. By default, if not specified, the default user proxy credential is used.
  - Please see the Security Library Compatibility Document for some hints on loading and managing different GSI credentials.
- org.globus.ogsa.impl.security.Constants.AUTHORIZATION
  - Value: org.globus.ogsa.impl.security.authorization.Authorization instance
  - It is used to set the authorization type to perform. By default, if not specified, host authorization is performed.
- org.globus.axis.gsi.GSIConstants.GSI_MODE
  - Value: one of:
    - GSIConstants.GSI_MODE_NO_DELEG - performs no delegation (default)
    - GSIConstants.GSI_MODE_LIMITED_DELEG - performs limited delegation
    - GSIConstants.GSI_MODE_FULL_DELEG - performs full delegation
  - It is used to set the GSI delegation mode.
  - Used for GSI Secure Conversation or transport security only.
- org.globus.ogsa.impl.security.Constants.GSI_SEC_CONV_ANON
  - Value: one of:
    - Boolean.FALSE - anonymous authentication is disabled (default)
    - Boolean.TRUE - anonymous authentication is enabled
  - Used for GSI Secure Conversation only.
You can set these GSI properties on any service port instance by casting the instance to the javax.xml.rpc.Stub class and calling its _setProperty() method. If you are dealing directly with a JAX-RPC Call object, use its setProperty() method instead. For example:
import javax.xml.rpc.Stub;
import org.globus.axis.gsi.GSIConstants;
import org.globus.ogsa.impl.security.Constants;
import org.globus.ogsa.impl.security.authorization.NoAuthorization;

// 'handle' is the Grid Service Handle of the factory, obtained elsewhere
OGSIServiceGridLocator factoryService = new OGSIServiceGridLocator();
Factory factory = factoryService.getFactoryPort(new HandleType(handle));

// enable GSI Secure Conversation message level security
((Stub) factory)._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);

// enable limited delegation
((Stub) factory)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_LIMITED_DELEG);

// set client authorization to none
((Stub) factory)._setProperty(Constants.AUTHORIZATION, NoAuthorization.getInstance());
Note that the properties set on the factory stub are not inherited by any service port instance representing a service created using the factory. You will have to set separate properties on every instance.
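Because the factory stub's settings are not inherited, it is easy to end up with a factory port that is correctly secured and an instance port that silently falls back to the defaults (no explicit credential, host authorization, no delegation). The helper below is an added example, not code from the GT3 distribution or the Java CoG Kit. It collects the client-side settings described above in one object that can be re-applied to every stub, so the factory and each created instance get identical, deliberately chosen settings. It uses only the property constants named on this page (GSIConstants.GSI_CREDENTIALS, GSIConstants.GSI_MODE, Constants.AUTHORIZATION, Constants.GSI_SEC_CONV, Constants.SIGNATURE); the class name ClientSecuritySettings and its methods are the example's own.

```java
import javax.xml.rpc.Stub;
import org.ietf.jgss.GSSCredential;
import org.globus.axis.gsi.GSIConstants;
import org.globus.ogsa.impl.security.Constants;
import org.globus.ogsa.impl.security.authorization.Authorization;
import org.globus.ogsa.impl.security.authorization.NoAuthorization;

/**
 * Added example (not part of GT3): one object that holds the client-side GSI
 * settings and applies them to any JAX-RPC stub. Apply it to the factory port
 * AND to every instance port, because stub properties are not inherited.
 */
public final class ClientSecuritySettings {

    private final GSSCredential credential;    // null = default user proxy credential
    private final Authorization authorization; // null = host authorization (the default)
    private final Object delegationMode;       // one of GSIConstants.GSI_MODE_*

    public ClientSecuritySettings(GSSCredential credential,
                                  Authorization authorization,
                                  Object delegationMode) {
        this.credential = credential;
        this.authorization = authorization;
        this.delegationMode = delegationMode;
    }

    /** Least-privilege starting point: default proxy, host authorization, no delegation. */
    public static ClientSecuritySettings leastPrivilege() {
        return new ClientSecuritySettings(null, null, GSIConstants.GSI_MODE_NO_DELEG);
    }

    /** Same settings but with limited delegation, for services that must act on the caller's behalf. */
    public ClientSecuritySettings withLimitedDelegation() {
        return new ClientSecuritySettings(credential, authorization,
                                          GSIConstants.GSI_MODE_LIMITED_DELEG);
    }

    /**
     * Disables client-side authorization of the server. Kept as a separate,
     * explicit step so that turning authorization off is always a visible decision.
     */
    public ClientSecuritySettings withoutAuthorization() {
        return new ClientSecuritySettings(credential, NoAuthorization.getInstance(),
                                          delegationMode);
    }

    /**
     * Apply the settings to a stub. Every port returned by a GT3 locator or factory
     * implements javax.xml.rpc.Stub, so the same call works for factory and instance ports.
     */
    public void applyTo(Stub stub) {
        // GSI Secure Conversation message level security with signing, as in the page's example
        stub._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);

        // Only override the credential when the caller supplied one; otherwise the
        // default user proxy is used, as the property documentation above states.
        if (credential != null) {
            stub._setProperty(GSIConstants.GSI_CREDENTIALS, credential);
        }
        // Likewise leave host authorization (the default) in place unless overridden.
        if (authorization != null) {
            stub._setProperty(Constants.AUTHORIZATION, authorization);
        }
        // Delegation mode is honoured by GSI Secure Conversation and transport security.
        stub._setProperty(GSIConstants.GSI_MODE, delegationMode);
    }
}

// Usage sketch; 'factory' and 'instancePort' are the OGSI stubs obtained as in the
// page's own example, and must each be configured separately:
//
//   ClientSecuritySettings settings =
//       ClientSecuritySettings.leastPrivilege().withLimitedDelegation();
//   settings.applyTo((Stub) factory);       // the factory port
//   settings.applyTo((Stub) instancePort);  // every instance created through it
```

Keeping the settings in one object also makes the review question simple: any port that was not passed through applyTo() is running on defaults, and any call to withoutAuthorization() is visible in one place rather than scattered across _setProperty() calls.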
5.2 GSI initialization tips
Initialization of GSI on both the client and the server might be a very time consuming process on some platforms. It depends on the initialization of a secure seed needed by the random number generator for security purposes. The default seeding algorithm of Sun's VM is somewhat slow, but it can easily be replaced by a better one by installing a new SecureRandom provider.
For example, for Windows users we recommend installing the InfiniteMonkey provider from ISNetworks.com (just follow the installation instructions in their included README.TXT file and put the infinitemonkey.dll in the c:\WINNT\system32 directory). Once the provider is properly installed, the GSI initialization time will be much faster.
Also, on Unix/Linux machines, GSI will take advantage of the /dev/urandom device, if installed, to speed up the start up time. In the future, we will provide a SecureRandom implementation for machines without this device.
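After installing a replacement SecureRandom provider, the thing to verify is that the JVM actually selects it and that first-use seeding got faster; a provider that is installed but listed after the default one changes nothing. The diagnostic below is an added example, not part of GT3 or the CoG Kit. It prints every SecureRandom implementation in provider preference order, then forces the default SecureRandom to seed itself and reports which provider was chosen and how long seeding took. It is written against the J2SE 1.3/1.4 API that this page targets (no generics, no System.nanoTime()), and the class name SecureRandomCheck is the example's own.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Iterator;

/**
 * Added example (not part of GT3): show which SecureRandom providers are
 * installed, which one is selected by default, and how long initial seeding
 * takes. Run it before and after installing a new SecureRandom provider.
 */
public class SecureRandomCheck {

    /** Lists every SecureRandom algorithm of every installed provider, in preference order. */
    public static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            Iterator keys = p.keySet().iterator();
            while (keys.hasNext()) {
                String key = (String) keys.next();
                // Implementation entries look like "SecureRandom.SHA1PRNG".
                // Attribute entries contain a space ("SecureRandom.SHA1PRNG ImplementedIn")
                // and aliases start with "Alg.Alias.", so both are skipped here.
                if (key.startsWith("SecureRandom.") && key.indexOf(' ') < 0) {
                    System.out.println((i + 1) + ". " + p.getName() + " : "
                        + key.substring("SecureRandom.".length()));
                }
            }
        }
    }

    /**
     * Forces the default SecureRandom to seed itself and returns the elapsed
     * milliseconds. The constructor alone does not seed; the first nextBytes()
     * call does, which is the step that is slow with the stock Sun seeder.
     */
    public static long timeInitialSeeding() {
        long start = System.currentTimeMillis();
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(new byte[20]);
        long elapsed = System.currentTimeMillis() - start;
        System.out.println("Selected provider: " + rng.getProvider().getName()
            + ", first seeding took " + elapsed + " ms");
        return elapsed;
    }

    public static void main(String[] args) {
        listProviders();
        timeInitialSeeding();
    }
}
```

If the "Selected provider" line still names the stock provider after installing a replacement, the new provider is either not registered in the java.security file or is registered with a lower preference than the default one; the numbered list printed first shows exactly which order the JVM is using.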
5.3 JAAS installation
This step is only necessary for J2SE 1.3.1. To install the JAAS library, please download "JAAS 1.0_01 Class Libraries" from http://java.sun.com/products/jaas/index-10.html. Extract the jaas-1_0_01.zip file into a temporary directory and copy the "jaas1_0_01/lib/jaas.jar" file to the lib directory of the GT3 installation.