Security Support
Last Updated 01/27/2004
1 Introduction
GT3 Java GSI is based on the implementation of GSI in the Java CoG Kit. GT3 provides message level security (the transport layer security ('httpg') is no longer supported). The message level security is based on the WS-Security, XML Encryption and XML Signature standards. The Java GSI implementation is an implementation of the Java GSS-API. It supports the GSS-API extensions and the new proxy certificate format specifications as defined by the Global Grid Forum and the IETF PKIX working group.
2 Features
GT3 security library features:
- Transport and message level security.
- Instance-based security.
  - Each service instance can have its own credentials, gridmap file, etc.
- Declarative security.
  - The security behavior of a service can be specified in a security deployment descriptor. Note that this is not the case for client-side security properties, including those of a service acting as a client: client-side security properties still have to be specified in the client code itself.
- Programmatic security.
  - Security APIs are provided to service developers for fine-grained security control.
- JAAS integration.
  - Permits services to be independent from underlying authentication technologies.
3 Message Level Security
Please see the Message Level Security document for details.
4 Transport Level Security
Please see the Transport Level Security document for details. Please note that the transport layer security ('httpg') is no longer supported.
5 General Information
5.1 GSI Client Properties
The following GSI properties can be set on the client to control the authentication/authorization process. These options are valid for both the message and transport level security mechanisms, but are not necessarily sufficient for full configuration of either mechanism. In other words, you may be required to set mechanism specific options. Information on mechanism specific properties can be found in the transport and message level security documents.
- org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS
  - Value: org.ietf.jgss.GSSCredential instance
  - It is used to pass a specific set of credentials for authentication. By default, if not specified, the default user proxy credential is used.
  - Please see the Security Library Compatibility Document for some hints on loading and managing different GSI credentials.
- org.globus.ogsa.impl.security.Constants.AUTHORIZATION
  - Value: org.globus.ogsa.impl.security.authorization.Authorization instance
  - It is used to set the authorization type to perform. By default, if not specified, host authorization is performed.
- org.globus.axis.gsi.GSIConstants.GSI_MODE
  - Value: One of:
    - GSIConstants.GSI_MODE_NO_DELEG - performs no delegation (default)
    - GSIConstants.GSI_MODE_LIMITED_DELEG - performs limited delegation
    - GSIConstants.GSI_MODE_FULL_DELEG - performs full delegation
  - Used for GSI Secure Conversation or transport security only.
  - It is used to set the GSI delegation mode.
- org.globus.ogsa.impl.security.Constants.GSI_SEC_CONV_ANON
  - Value: One of:
    - Boolean.FALSE - Anonymous authentication is disabled. (default)
    - Boolean.TRUE - Anonymous authentication is enabled.
  - Used for GSI Secure Conversation only.
For example, to configure a factory stub on the client side:

    import javax.xml.rpc.Stub;
    import org.gridforum.ogsi.Factory;
    import org.gridforum.ogsi.HandleType;
    import org.gridforum.ogsi.OGSIServiceGridLocator;
    import org.globus.axis.gsi.GSIConstants;
    import org.globus.ogsa.impl.security.Constants;
    import org.globus.ogsa.impl.security.authorization.NoAuthorization;

    // 'handle' is the factory's Grid Service Handle (GSH), obtained elsewhere
    OGSIServiceGridLocator factoryService = new OGSIServiceGridLocator();
    Factory factory = factoryService.getFactoryPort(new HandleType(handle));

    // enable GSI Secure Conversation message level security (signed messages)
    ((Stub)factory)._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);
    // enable limited delegation
    ((Stub)factory)._setProperty(GSIConstants.GSI_MODE, GSIConstants.GSI_MODE_LIMITED_DELEG);
    // set client authorization to none
    ((Stub)factory)._setProperty(Constants.AUTHORIZATION, NoAuthorization.getInstance());

Note that the properties set on the factory stub are not inherited by any service port instance representing a service created using the factory. You will have to set separate properties on every instance.
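The following helper is an added example, not code from the GT3 distribution or from this document. It gathers the client properties listed in section 5.1 into one method, applies them to both the factory stub and an instance stub (because, as noted above, instance stubs do not inherit the factory's settings), and reads the properties back so a caller can detect a stub that is still running on library defaults (host authorization, no delegation). Both stubs are assumed to have been obtained as in the snippet above; the `NoAuthorization` class is assumed to live in the same package as the `Authorization` type named under the AUTHORIZATION property.

```java
import javax.xml.rpc.Stub;
import org.ietf.jgss.GSSCredential;
import org.globus.axis.gsi.GSIConstants;
import org.globus.ogsa.impl.security.Constants;
import org.globus.ogsa.impl.security.authorization.Authorization;
import org.globus.ogsa.impl.security.authorization.NoAuthorization; // package assumed

/**
 * Added example: applies the section 5.1 GSI client properties to a JAX-RPC
 * stub and verifies them, so that an instance stub is never used with
 * defaults the caller did not intend.
 */
public class GsiClientProperties {

    /** Apply one consistent set of GSI client properties to a stub. */
    public static void apply(Stub stub,
                             GSSCredential credential,   // null = default user proxy
                             Authorization authorization,
                             Object delegationMode,      // a GSIConstants.GSI_MODE_* value
                             boolean anonymous) {
        // mechanism-specific option: GSI Secure Conversation with signed messages,
        // as in the factory snippet above
        stub._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);
        if (credential != null) {
            stub._setProperty(GSIConstants.GSI_CREDENTIALS, credential);
        }
        stub._setProperty(Constants.AUTHORIZATION, authorization);
        stub._setProperty(GSIConstants.GSI_MODE, delegationMode);
        stub._setProperty(Constants.GSI_SEC_CONV_ANON,
                          anonymous ? Boolean.TRUE : Boolean.FALSE);
    }

    /**
     * True only if the stub carries an explicit authorization and delegation
     * setting. A stub that fails this check is on the library defaults, which
     * is what happens to an instance stub that was never configured.
     */
    public static boolean isConfigured(Stub stub) {
        return stub._getProperty(Constants.AUTHORIZATION) != null
            && stub._getProperty(GSIConstants.GSI_MODE) != null;
    }

    /**
     * Configure the factory stub and the stub of an instance created through
     * it. The second apply() call is required because properties set on the
     * factory are not inherited by the instance.
     */
    public static void secureFactoryAndInstance(Stub factoryStub,
                                                Stub instanceStub,
                                                GSSCredential credential) {
        Authorization none = NoAuthorization.getInstance();
        apply(factoryStub, credential, none, GSIConstants.GSI_MODE_LIMITED_DELEG, false);
        apply(instanceStub, credential, none, GSIConstants.GSI_MODE_LIMITED_DELEG, false);
        if (!isConfigured(instanceStub)) {
            throw new IllegalStateException("instance stub still on default GSI settings");
        }
    }
}
```

Calling `isConfigured` before the first operation on an instance stub turns the silent fallback to host authorization and no delegation into a visible failure at development time.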
5.2 GSI initialization tips
Initialization of GSI on both the client and the server might be a very time consuming process on some platforms. It depends on the initialization of a secure seed needed by the random number generator for security purposes. The default seeding algorithm of Sun's VM is somewhat slow, but it can be easily replaced by a better one by installing a new SecureRandom provider. For example, for Windows users we recommend installing the InfiniteMonkey provider from ISNetworks.com (just follow the installation instructions in their included README.TXT file and put the infinitemonkey.dll in the c:\WINNT\system32 directory).
Once the provider is properly installed the GSI initialization time will be much faster.
Also, on Unix/Linux machines, GSI will take advantage of the /dev/urandom device if installed to speed up the start up time. In the future, we will provide a SecureRandom implementation for machines without this device.
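The following check is an added example, not part of this document or of GT3. It lists the SecureRandom implementations installed in the VM in provider priority order (so you can confirm that a provider such as the one recommended above is actually ahead of Sun's default), and times the first self-seeding of the default SecureRandom, which is the cost that dominates GSI initialization on a slow platform. It uses only the standard java.security API of a Sun 1.4-era JDK.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Enumeration;

/** Added example: inspect and time the SecureRandom seeding GSI depends on. */
public class SeedCheck {

    /** Print every installed SecureRandom algorithm, in provider priority order. */
    public static void listSecureRandomProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            // A Provider is a Properties table; service keys look like
            // "SecureRandom.SHA1PRNG". Keys containing a space are attribute
            // entries (e.g. "SecureRandom.SHA1PRNG ImplementedIn") and are skipped.
            for (Enumeration e = p.keys(); e.hasMoreElements();) {
                String key = (String) e.nextElement();
                if (key.startsWith("SecureRandom.") && key.indexOf(' ') < 0) {
                    System.out.println((i + 1) + ". " + p.getName() + " -> "
                        + key.substring("SecureRandom.".length()));
                }
            }
        }
    }

    /**
     * Time the first seeding of the default SecureRandom. The first
     * nextBytes() call forces self-seeding, which is where a slow seed
     * source shows up.
     */
    public static long timeFirstSeedMillis() {
        long start = System.currentTimeMillis();
        SecureRandom sr = new SecureRandom();
        sr.nextBytes(new byte[16]);
        long elapsed = System.currentTimeMillis() - start;
        System.out.println("Default SecureRandom from provider "
            + sr.getProvider().getName() + " seeded in " + elapsed + " ms");
        return elapsed;
    }

    public static void main(String[] args) {
        listSecureRandomProviders();
        timeFirstSeedMillis();
    }
}
```

If the timing is high on a Unix/Linux host that has /dev/urandom, the standard Sun JDK ways to point the VM's own seeding at that device are the `securerandom.source` entry in the JDK's `lib/security/java.security` file or the `-Djava.security.egd=file:/dev/urandom` system property; rerunning the check shows whether the change took effect.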