This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.

GT 3.0: Security Support

Last Updated 06/24/2003

Contents

  1. Introduction
  2. Features
  3. Message Level Security
  4. Transport Level Security
  5. General Client Information

1 Introduction

GT3 Java GSI is based on the implementation of GSI in the Java CoG Kit. GT3 provides transport layer security and message level security. The transport layer security is based around a new protocol, identified by the 'httpg' URL scheme, which denotes a GSI-enabled HTTP-based protocol. The message level security is based on the WS-Security, XML Encryption and XML Signature standards.

The Java GSI implementation is an implementation of the Java GSS-API. It supports the GSS-API extensions and the new proxy certificate format specifications as defined by the Global Grid Forum.

Note: Although we provide GSI transport layer security we strongly recommend using the message level security. The GSI transport layer security might be phased out at some point in the future.

2 Features

GT3 security library features:

  • Transport and message level security.
  • Instance-based security.
    • Each service instance can have its own credentials, gridmap file, etc.
  • Declarative security
    • The security behavior of a service can be specified in a security deployment descriptor.
  • Programmatic security
    • Security APIs are provided to service developers for fine-grained security control.
  • JAAS integration.
    • Permits services to be independent from underlying authentication technologies.

3 Message Level Security

Please see the Message Level Security document for details.

4 Transport Level Security

Please see the Transport Level Security document for details.

5 General Client Information

5.1 GSI Client Properties

The following GSI properties can be set on the client to control the authentication/authorization process:

  • org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS
    • Value: org.ietf.jgss.GSSCredential instance
    • Passes a specific set of credentials to use for authentication. If not specified, the default user proxy credential is used.
  • org.globus.ogsa.impl.security.Constants.AUTHORIZATION
    • Value: org.globus.ogsa.impl.security.authorization.Authorization instance
    • Sets the type of authorization the client performs on the server it talks to. If not specified, host authorization is performed.
  • org.globus.axis.gsi.GSIConstants.GSI_MODE
    • Value: One of:
      • GSIConstants.GSI_MODE_NO_DELEG - performs no delegation (default)
      • GSIConstants.GSI_MODE_LIMITED_DELEG - performs limited delegation
      • GSIConstants.GSI_MODE_FULL_DELEG - performs full delegation
    • Sets the GSI delegation mode. It applies to GSI Secure Conversation and transport security only.

You can set these GSI properties on any service port instance by casting the instance to the javax.xml.rpc.Stub class and calling its _setProperty() method. If you are dealing directly with a JAX-RPC Call object, use setProperty() instead. For example:

  // imports: JAX-RPC stub interface, the GSI/OGSA security classes used below,
  // and the OGSI stubs generated for the factory port
  import javax.xml.rpc.Stub;
  import org.globus.axis.gsi.GSIConstants;
  import org.globus.ogsa.impl.security.Constants;
  import org.globus.ogsa.impl.security.authorization.NoAuthorization;
  import org.gridforum.ogsi.Factory;
  import org.gridforum.ogsi.HandleType;
  import org.gridforum.ogsi.OGSIServiceGridLocator;

  OGSIServiceGridLocator factoryService =
      new OGSIServiceGridLocator();
  Factory factory =
      factoryService.getFactoryPort(new HandleType(handle));

  // enable GSI Secure Conversation message level security (messages are signed)
  ((Stub)factory)._setProperty(Constants.GSI_SEC_CONV,
                               Constants.SIGNATURE);
  // enable limited delegation
  ((Stub)factory)._setProperty(GSIConstants.GSI_MODE,
                               GSIConstants.GSI_MODE_LIMITED_DELEG);
  // set client authorization to none (the client will not verify the server's identity)
  ((Stub)factory)._setProperty(Constants.AUTHORIZATION,
                               NoAuthorization.getInstance());

Note that the properties set on the factory stub are not inherited by any service port instance representing a service created using the factory. You will have to set separate properties on every instance.
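The following is an added example, not code from the GT3 documentation or the toolkit itself. It packages the per-stub settings above into one helper and applies it twice: once to the factory stub and again to the stub of the instance the factory creates, since nothing is carried over. It also shows passing an explicit proxy credential instead of relying on the default user proxy. Assumptions: the package names are those of the GT3 core and JGlobus libraries as I recall them (org.gridforum.ogsi for the generated OGSI stubs, org.globus.ogsa.utils.GridServiceFactory for the createService helper, org.gridforum.jgss.ExtendedGSSManager for credential import, and HostAuthorization as the class behind the default host authorization); MyServiceGridLocator and MyServicePortType are hypothetical names for a service's own generated stubs.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;

import javax.xml.rpc.Stub;

import org.globus.axis.gsi.GSIConstants;
import org.globus.ogsa.impl.security.Constants;
import org.globus.ogsa.impl.security.authorization.Authorization;
import org.globus.ogsa.impl.security.authorization.HostAuthorization;   // assumed class name
import org.globus.ogsa.impl.security.authorization.NoAuthorization;
import org.globus.ogsa.utils.GridServiceFactory;                        // assumed package
import org.gridforum.jgss.ExtendedGSSCredential;
import org.gridforum.jgss.ExtendedGSSManager;
import org.gridforum.ogsi.Factory;
import org.gridforum.ogsi.HandleType;
import org.gridforum.ogsi.LocatorType;
import org.gridforum.ogsi.OGSIServiceGridLocator;
import org.ietf.jgss.GSSCredential;

public class GsiClientSettings {

    /**
     * Applies one consistent set of GSI settings to a JAX-RPC stub.
     * Settings live on the individual stub, so this must be called on
     * every port instance the client obtains, not only on the factory.
     */
    public static void applyGsiProperties(Stub stub, GSSCredential cred,
                                          Authorization authz, Object delegMode) {
        // GSI Secure Conversation with message signing (integrity, no encryption)
        stub._setProperty(Constants.GSI_SEC_CONV, Constants.SIGNATURE);
        if (cred != null) {
            // explicit credential; leaving it unset falls back to the default user proxy
            stub._setProperty(GSIConstants.GSI_CREDENTIALS, cred);
        }
        stub._setProperty(Constants.AUTHORIZATION, authz);
        stub._setProperty(GSIConstants.GSI_MODE, delegMode);
    }

    /** Imports a proxy credential from a file instead of using the default user proxy. */
    public static GSSCredential loadProxy(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        } finally {
            in.close();
        }
        ExtendedGSSManager manager = (ExtendedGSSManager) ExtendedGSSManager.getInstance();
        return manager.createCredential(buf.toByteArray(),
                                        ExtendedGSSCredential.IMPEXP_OPAQUE,
                                        GSSCredential.DEFAULT_LIFETIME,
                                        null,                       // default mechanism (GSI)
                                        GSSCredential.INITIATE_AND_ACCEPT);
    }

    public static void main(String[] args) throws Exception {
        String factoryHandle = args[0];                                // e.g. an http://.../Factory GSH
        GSSCredential cred = (args.length > 1) ? loadProxy(args[1]) : null;

        // 1. Factory port: no delegation is needed just to create an instance,
        //    and this page's example uses NoAuthorization on the factory.
        OGSIServiceGridLocator factoryLocator = new OGSIServiceGridLocator();
        Factory factory = factoryLocator.getFactoryPort(new HandleType(factoryHandle));
        applyGsiProperties((Stub) factory, cred, NoAuthorization.getInstance(),
                           GSIConstants.GSI_MODE_NO_DELEG);

        // 2. Create the instance through the factory.
        GridServiceFactory gsf = new GridServiceFactory(factory);
        LocatorType locator = gsf.createService();

        // 3. Service-specific port (hypothetical generated stub names).
        MyServiceGridLocator serviceLocator = new MyServiceGridLocator();
        MyServicePortType svc = serviceLocator.getMyServicePort(locator);

        // Nothing set on the factory stub applies here, so apply the settings again.
        // This call delegates a limited proxy, so the client should verify who it is
        // delegating to: host authorization (the default) rather than NoAuthorization.
        applyGsiProperties((Stub) svc, cred, HostAuthorization.getInstance(),
                           GSIConstants.GSI_MODE_LIMITED_DELEG);

        // ... invoke operations on svc ...
    }
}
```

If you hold a JAX-RPC Call object instead of a generated stub, the same keys and values go through Call.setProperty(); the helper can take a Call with that one substitution.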

5.2 GSI initialization tips

Initialization of GSI on both the client and the server might be a very time consuming process on some platforms. It depends on the initialization of a secure seed needed by the random number generator for security purposes. The default seeding algorithm of Sun's VM is somewhat slow but it can be easily replaced by a better one by installing a new SecureRandom provider.

For example, for Windows users we recommend installing the InfiniteMonkey provider from ISNetworks.com (follow the installation instructions in the included README.TXT file and put infinitemonkey.dll in the c:\WINNT\system32 directory). Keep in mind that a SecureRandom provider supplies the seed behind every key, nonce and session GSI establishes, so only install a provider whose entropy source you trust; a faster but predictable generator would weaken the whole security stack.

Once the provider is properly installed the GSI initialization time will be much faster.

Also, on Unix/Linux machines, GSI will take advantage of the /dev/urandom device if installed to speed up the start up time. In the future, we will provide a SecureRandom implementation for machines without this device.
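To confirm that an installed provider is actually the one the JVM picks, and to see how long seeding takes before and after the change, the following added check (not part of the GT3 distribution) lists the installed providers in lookup order, names the provider behind the default SecureRandom, and times the first call to nextBytes(), which is when the lazy seeding happens. It uses only the standard java.security API.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

public class SecureRandomCheck {

    /** Installed providers in lookup order; a newly installed RNG provider should appear first. */
    public static String[] providerNames() {
        Provider[] providers = Security.getProviders();
        String[] names = new String[providers.length];
        for (int i = 0; i < providers.length; i++) {
            names[i] = providers[i].getName();
        }
        return names;
    }

    /** Name of the provider that backs a default SecureRandom instance. */
    public static String defaultRandomProvider() {
        return new SecureRandom().getProvider().getName();
    }

    /**
     * Milliseconds spent producing the first random bytes from a fresh instance.
     * Seeding is deferred until first use, so this is the cost GSI pays at startup.
     */
    public static long seedTimeMillis() {
        SecureRandom rng = new SecureRandom();
        byte[] b = new byte[20];
        long t0 = System.currentTimeMillis();
        rng.nextBytes(b);
        return System.currentTimeMillis() - t0;
    }

    public static void main(String[] args) {
        String[] names = providerNames();
        for (int i = 0; i < names.length; i++) {
            System.out.println((i + 1) + ". " + names[i]);
        }
        System.out.println("default SecureRandom provider: " + defaultRandomProvider());
        System.out.println("first nextBytes() took " + seedTimeMillis() + " ms");
    }
}
```

Run it once before installing the new provider and once after: the provider named by defaultRandomProvider() should change, and the seed time should drop from seconds to milliseconds. If the provider list is unchanged, the java.security file was not edited or the DLL is not on the system path.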

5.3 JAAS installation

This step is only necessary for J2SE 1.3.1. To install JAAS library please download "JAAS 1.0_01 Class Libraries" from http://java.sun.com/products/jaas/index-10.html. Extract the jaas-1_0_01.zip file into a temporary directory and copy the "jaas1_0_01/lib/jaas.jar" file to the lib directory of the GT3 installation.