GT 4.2.0 GSI C Release Notes


1. Component Overview

The Globus Toolkit Pre-Web Services Authentication and Authorization component provides APIs and tools for authentication, authorization and certificate management. The authentication API is built using Public Key Infrastructure (PKI) technologies, e.g. X.509 Certificates and TLS. In addition to authentication, it features a delegation mechanism based upon X.509 Proxy Certificates. Authorization support takes the form of two APIs. The first provides a generic authorization API that allows callouts to perform access control based on the client's credentials (i.e. the X.509 certificate chain). The second provides a simple access control list that maps authorized remote entities to local (system) user names. The second mechanism also provides callouts that allow third parties to override the default behavior and is currently used in the Gatekeeper and GridFTP servers. In addition to the above, there are various lower-level APIs and tools for managing, discovering and querying certificates.

2. Feature summary

Features new in GT 4.2.0

  • None

Other Supported Features

  • Authentication of user using standard X.509 End Entity and Proxy Certificates.
  • Delegation using X.509 Proxy Certificates.
  • Pluggable authorization based on the client's certificate chain for GridFTP and GRAM2.
  • Pluggable authorization for GRAM2 based on the RSL of the job.

Deprecated Features

  • None

3. Summary of Changes in GSI

  • GSI C can now be built with OS-vendor supplied OpenSSL.
  • GSI C uses RFC 3820-compliant proxies by default.
  • New program grid-cert-diagnostics to help diagnose problems with security configuration.

4. Bug Fixes

  • Bug 1217: gss_export_name() does not conform to RFC 2743 section 3.2
  • Bug 1334: request for more strict format checking in grid-mapfile-check-consistency
  • Bug 1740: Implicit module activation
  • Bug 1802: accept_sec_context doesn't set LIMITED_PROXY_FLAG for GSI_3_LIMITED_PROXY
  • Bug 1847: grid-cert-request with both /etc/grid-security and $GL/share/certificates
  • Bug 1854: grid-cert-info help message is missing a word
  • Bug 1927: authz linking problems on Mac OS X
  • Bug 2035: globus_callout_read_config sets datum->next to datum
  • Bug 2180: The most trivial bug report ever
  • Bug 2207: Missing security error 'timestampNotOk'
  • Bug 2316: openssl vendorcc32 on solaris fails
  • Bug 2357: grid-mapfile* commands ignoring env var GRIDMAP
  • Bug 2368: grid-default-ca ignores X509_CERT_DIR env. variable
  • Bug 2476: 3.9.4 rc3 gaa_simple does not build with --static=1
  • Bug 2499: grid-cert-request interactive mode
  • Bug 2558: grid-default-ca doesn't work if there isn't already a default CA
  • Bug 2564: openssl in 3.9.4 isn't building for non-dbg vendorcc flavors on Solaris
  • Bug 2695: Openssl pthread build fails on Tru64

5. Known Problems

The following problems and limitations are known to exist for GSI C at the time of the 4.2.0 release:

5.1. Limitations

  • No known limitations exist.

5.2. Outstanding bugs

  • Bug 903: grid-proxy-init crashes ERROR:Couldn't create proxy certificate
  • Bug 989: Error message I get when 'grid-proxy-init' is all that's required
  • Bug 1301: random errors during ftp tests
  • Bug 1679: Unified support for emailAddress in grid-mapfile
  • Bug 1753: bug 318 resolution opens door to spoofing ?
  • Bug 1843: Cert Search Order on Windows
  • Bug 1845: globus_mutex_lock fails in gss_acquire_cred procedure
  • Bug 2589: Behavior of C and java grid-proxy-init differ, should be unified
  • Bug 2676: GSI on Windows?

6. Technology dependencies

The GSI C component depends on the following GT components:

  • C Common Libraries

The GSI C component depends on the following 3rd party software:

  • OpenSSL

7. Tested platforms

Tested platforms for GSI C:

  • i386 Linux

8. Backward compatibility summary

Protocol changes in GSI C since GT 4.0.x

  • None

API changes since GT 4.0.x

  • None

Exception changes since GT 4.0.x

  • Not applicable

Schema changes since GT 4.0.x

  • Not applicable

9. Associated Standards

Associated standards for GSI C:

10. For More Information

See GSI C for more information about this component.

Glossary

P

proxy certificate

A short-lived certificate issued using an EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign-on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.

public key

The public part of a key pair used for cryptographic operations (e.g. signing, encrypting).