Table of Contents
Table of Contents
The security programming model differs between the client and server side. The client side model is programmatic in nature, i.e. security-related code is driven by making actual function calls, whereas the server-side model is declarative, i.e. security-related settings are declared in a security descriptor. For more information on the available client side calls see Chapter 4, Configuring client authentication and message/transport security. More information about the security descriptor can be found in Java WS A&A Security Descriptor Framework.
Stable interfaces:
- org.globus.wsrf.security.Constants
- org.globus.wsrf.security.SecureResource
- org.globus.wsrf.security.SecurityManager
- org.globus.wsrf.security.SecurityException
Less stable interfaces:
- org.globus.wsrf.impl.security.descriptor.ClientSecurityDescriptor
- org.globus.wsrf.impl.security.descriptor.ResourceSecurityDescriptor
Documentation for these interfaces can be found here.
Table of Contents
This service provides a mechanism for generating a security session, i.e the negotiation of a shared secret which may be used to secure a set of subsequent messages. It is based on the WS-Trust and WS-SecureConversation specifications.
RequestSecurityToken: This operation initiates a new security session negotiation. Furthermore, since the actual schema for this message is not unambiguously defined by the specifications, this is the actual schema used:
<xs:element name='RequestSecurityToken'>
<xs:complexType name='RequestSecurityTokenType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element>
<xs:element name='RequestSecurityTokenResponse'>
<xs:complexType name='RequestSecurityTokenResponseType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element>RequestSecurityTokenResponse: This operation continues a security session negotiation. Furthermore, since the actual schema for this message is not unambiguously defined by the specifications, this is the actual schema used:
<xs:element name='RequestSecurityTokenResponse'>
<xs:complexType name='RequestSecurityTokenResponseType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element>
<xs:element name='RequestSecurityTokenResponse'>
<xs:complexType name='RequestSecurityTokenResponseType'>
<xs:sequence>
<xs:element ref='wst:TokenType'/>
<xs:element ref='wst:RequestType'/>
<xs:element ref='wst:BinaryExchange'
minOccurs="0"/>
<xs:element ref='wsc:SecurityContextToken'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI'/>
</xs:complexType>
</xs:element> In the above schema, the second
RequestSecurityTokenResponse element refers to the
final message in the exchange.
Both RequestSecurityToken and
RequestSecurityTokenResponse throw the following
faults:
ValueTypeNotSupportedFault: This fault indicates that the value type attribute on the binary exchange token element is not supported by the service.EncodingTypeNotSupportedFault: This fault indicates that the encoding type attribute on the binary exchange token element is not supported by the service.RequestTypeNotSupportedFault: This fault indicates that the request type specified in the request type element is not supported by the serviceTokenTypeNotSupportedFault: This fault indicates that the token type specified in the token type element is not supported by the service.MalformedMessageFault: This fault indicates that the message content received by the service does not conform to the expected content. This is necessary since the schema does not give a well defined content model.BinaryExchangeFault: This fault indicates that a failure occurred during the in the underlying security constant responsible for the session negotiation.InvalidContextIdFault: This fault indicates that the context id passed in the message is not valid within the context of this service or negotiation.
- WS-Trust WSDL
- WS-Trust XSD
- WS-SecureConversation XSD
- Secure Conversation WSDL [fixme - link]
Table of Contents
The framework implements the Web Services Security: SOAP Message Security, Web Services Security: Username Token Profile and Web Services Security: X.509 Token Profile specifications.
The transport security solution used by the framework consists of HTTP over SSL/TLS (HTTPS) using X.509 certificates. The path validation step has been augmented to support the Proxy Certificate Profile (RFC3820).
Table of Contents
- globus-credential-delegate - Delegation client
Name
globus-credential-delegate — Delegation client
Synopsis
globus-credential-delegate
Tool description
Used to contact a Delegation Factory Service and store a delegated credential. A delegated credential is created and stored in a delegated credential WS-Resource, and the Endpoint Reference(EPR) of the credential is written out to a file for further use.
Command syntax
globus-credential-delegate [options] <eprFilename>
Table 1. globus-credential-delegate options
| [option1] | Enables anonymous authentication. Only supported with transport security or the GSI Secure Conversation authentication mechanism. |
| [option1] | Specifies the server's certificate file used for encryption. Only needed for the GSI Secure Message authentication mechanism. |
Table of Contents
Client-side security is set up by setting individual
properties on the javax.xml.rpc.Stub
object used for the web service method invocation or by setting properties
on a client-side security descriptor object, which in turn is propagated
to client-side security handlers by making it available as a stub object
property. Here are examples of the two approaches:
Setting a property on the stub:
// Create endpoint reference EndpointReferenceType endpoint = new EndpointReferenceType(); // Set address of service String counterAddr = "http://localhost:8080/wsrf/services/CounterService"; // Get handle to port CounterPortType port = locator.getCounterPortTypePort(endpoint); // set client authorization to self ((Stub)port)._setProperty(Constants.AUTHORIZATION, SelfAuthorization.getInstance());Setting properties using a client descriptor:
// Client security descriptor file String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml"; // Create endpoint reference EndpointReferenceType endpoint = new EndpointReferenceType(); // Set address of service String counterAddr = "http://localhost:8080/wsrf/services/CounterService"; // Get handle to port CounterPortType port = locator.getCounterPortTypePort(endpoint); //Set descriptor on Stub ((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
![[Note]](/docbook-images/note.gif) | Note |
|---|---|
If the client needs to use transport security, the following API
must be used to register the Axis transport handler for
import org.globus.axis.util.Util;
static {
Util.registerTransport();
}
|
Table 4.1. Client side security properties
| Number | Task | Stub Configuration | |
| 1. | Allows for configuration of credentials for authentication. | Property: org.globus.axis.gsi.GSIConstants.GSI_CREDENTIALS Value equals the Instance of
| |
| 2. | Allows for configuring client-side authorization. | Property: org.globus.wsrf.security.Constants.AUTHORIZATION Value equals the Instance of
If GSI Secure Transport or GSI Secure Conversation is
used, the value should be an instance of
| |
| 3. | Enable GSI Secure Conversation with specified message protection level. | 1. Property: org.globus.wsrf.security.Constants.GSI_SEC_CONV Values equal one of the following:
2. Property: org.globus.wsrf.security.Constants.GSI_SEC_CONV_SECREPLY_UNNECESSARY
If the value is set to Boolean.TRUE, the GSI Secure conversation protection is not required in the reply message. By default, if the request was secured with GSI Secure Conversation, the response is also required to have the same protection. 3. Property: You can set
the SOAP Actor of the GSI signed/encrypted SOAP message by using
the | |
| 4. | Sets the GSI delegation mode. Used for GSI
Secure Conversation only. If limited or full
delegation is chosen, then some form of client-side
authorization needs to be done (i.e client-side authorization
cannot be set to none). | Property: org.globus.axis.gsi.GSIConstants.GSI_MODE Value equals one of following:
| |
| 5. | Enables GSI Secure Transport with some protection level. | Property: org.globus.gsi.GSIConstants.GSI_TRANSPORT Values equal one of the following:
| |
| 6. | Enables anonymous authentication. This option only applies to GSI Secure Conversation and GSI Transport. | Property: org.globus.wsrf.security.Constants.GSI_ANONYMOUS Value equals one of following:
| |
| 7. | Enable GSI Secure Message with specified message protection level. | 1. Property: org.globus.wsrf.security.Constants.GSI_SEC_MSG Values equal one of the following:
2. Property: org.globus.wsrf.security.Constants.GSI_SEC_MSG_SECREPLY_UNNECESSARY
If the value is set to Boolean.TRUE, the GSI Secure Message protection is not required in the reply message. By default, if the request was secured with GSI Secure Message, the response is also required to have the same protection. 3. Property: org.globus.wsrf.security.Constants.GSI_SEC_MSG_SINGLECERT
If the value is set to Boolean.TRUE, only a single certificate is used for the GSI Secure Message request. By default, the whole certificate chain is sent. 4. Property: You can set the SOAP Actor of the signed
message using the | |
| 8. | Enable WS-Security username/password authentication. | Properties: org.globus.wsrf.security.Constants.USERNAME Value equals the username. org.globus.wsrf.security.Constants.PASSWORD Value equals the password. | |
| 9. | Sets the credential that is used to encrypt the message (typically, the recipient's public key). Used for GSI Secure Message only. | Property: org.globus.wsrf.impl.security.authentication
.Constants.PEER_SUBJECT Value
equals the instance of
The credential object needs to be wrapped in
For example,
if Subject subject = new Subject();
X509Certificate serverCert =
CertUtil.loadCertificate(publicKeyFilename);
EncryptionCredentials encryptionCreds =
new EncryptionCredentials(
new X509Certificate[] { serverCert });
subject.getPublicCredentials().add(encryptionCreds);
stub._setProperty(Constants.PEER_SUBJECT, subject);
| |
| 10. | Sets the trusted certificates location. | Property: org.globus.wsrf.security.TRUSTED_CERTIFICATES Value should be a comma-separated list of directories and file names. | |
| 11. | Sets the SAML Authorization Assertion to embed in SOAP Header. | Property: org.globus.wsrf.impl.security.authentication.Constants.SAML_AUTHZ_ASSERTION Value should be an instance of org.opensaml.SAMLAssertion. | Cannot be configured using descriptors. |
Table of Contents
Configuration of service-side security settings can be achieved by using container or service security descriptor. Some of the security configuration, like the credential to use and trusted certificates location, can also be configured using CoG properties or rely on default location. The preferred way is to provide these settings in a security descriptor.
The next section provides details on the relevant properties. An overview of the syntax of security descriptors can be found in Java WS A&A Security Descriptor Framework. Available CoG security properties can be found in Chapter 2, Configuring
The following properties are relevant to authentication and message/transport security:
Table 5.1. Configuring server side authentication and message/transport security
| Number | Task | Descriptor Configuration | Alternate Configuration |
| 1 | Credentials | Container or service descriptor configuration |
If no explicit configuration is
found, the default proxy is read from
|
| 2 | Trusted Certificates | Container security descriptor configuration | CoG Configuration |
| 3 | Limited proxy policy configuration | Container or service descriptor configuration | None. |
| 4 | Replay Attack Window | Container or service descriptor configuration | None. |
| 5 | Replay Attack Filter | Container or service descriptor configuration | None. |
| 6 | Replay timer interval | Container descriptor configuration | None. |
| 7 | Context timer interval | Container descriptor configuration | None. |
Table of Contents
Refer to Chapter 2, Configuring for environment variables. Note that the above environment variable [fixme - not clear which envar you mean] does not supersede any settings provided in security descriptors.
Table A.1. C WS A&A Errors
| Error Code | Definition | Possible Solutions |
|---|---|---|
ERROR: Couldn't read user key: Bad passphrase key file location: /Users/bester/.globus/userkey.pem globus_credential: Error reading user credential: Can't read credential's private key from PEM OpenSSL Error: pem_lib.c:423: in library: PEM routines, function PEM_do_header: bad decrypt OpenSSL Error: evp_enc.c:509: in library: digital envelope routines, function EVP_DecryptFinal: bad decrypt Use -debug for further information. | Unable to decrypt private key | Rerun grid-proxy-init with the correct password. |
globus_gsi_gssapi: Error with gss credential handle globus_credential: Valid credentials could not be found in any of the possible locations specified by the credential search order. Valid credentials could not be found in any of the possible locations specified by the credential search order. Attempt 1 globus_credential: Error reading host credential globus_sysconfig: Error with certificate filename globus_sysconfig: Error with certificate filename globus_sysconfig: File is not owned by current user: /etc/grid-security/hostcert.pem is not owned by current user Attempt 2 globus_credential: Error reading proxy credential globus_sysconfig: Could not find a valid proxy certificate file location globus_sysconfig: Error with key filename globus_sysconfig: File does not exist: /tmp/x509up_u501 is not a valid file Attempt 3 globus_credential: Error reading user credential globus_credential: Key is password protected: GSI does not currently support password protected private keys. OpenSSL Error: pem_lib.c:401: in library: PEM routines, function PEM_do_header: bad password read | No user proxy could be found |
|
globus_gsi_gssapi: Error with GSI credential
globus_gsi_gssapi: Error with gss credential handle
globus_credential: Error with credential: The proxy credential:
/tmp/x509up_u1499
with subject: /DC=org/DC=example/DC=grid/OU=People/CN=Joe
User/CN=1235439010
expired 44 minutes ago. | Proxy has expired. | Run grid-proxy-init to generate a new proxy. |
globus_xio: The GSI XIO driver failed to establish a secure connection. The failure occured during a handshake read. globus_xio: An end of file occurred | Communication disrupted during SSL handshake | Verify with the service administrator that your certificate is signed by a certificate authority that is trusted by the service. |
globus_gsi_gssapi: Unable to verify
remote side's credentials
globus_gsi_gssapi: Unable to verify remote side's credentials: Couldn't verify
the remote certificate
OpenSSL Error: s3_pkt.c:1052: in library: SSL routines, function
SSL3_READ_BYTES: sslv3 alert bad certificate SSL alert number 42
| Unable to verify remote certificate. Often a clock-synchronization problem where the service clock is behind that of the client. | Verify that the client and service hosts have accurate time of day clocks. Use a NTP daemon if possible. |
OpenSSL Error: s3_clnt.c:894: in
library: SSL routines, function SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate is not yet valid: Cert with
subject: /DC=org/DC=example/DC=grid/OU=People/CN=Joe User/CN=464555355 is not
yet valid- check clock skew between hosts.
| Unable to verify remote certificate. Often a clock-synchronization problem where the client clock is behind that of the service. | Verify that the client and service hosts have accurate time of day clocks. Use a NTP daemon if possible. |
globus_gsi_callback_module: Error with signing policy globus_sysconfig: Error getting signing policy file globus_sysconfig: File does not exist: /etc/grid-security/certificates/2b0e42b2.signing_policy is not a valid file | The service's certificate is not trusted by the client | Determine if the certificate authority used by the server is worth trusting. If so, retrieve the CA certificate and signing policy and place them in the client's trusted certificate directory. |
globus_gsi_callback_module: Could not verify credential globus_gsi_callback_module: Error with signing policy globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given> | Service certificate is not trusted because the CA signing policy does not trust the CA to sign the subject name of the certificate. | Verify with the service administrator that the certificate is valid. Verify that the signing policy file is up-to-date |
Error: globus_soap_message_module: SOAP Fault Fault code: Client Fault string: globus_handler_ws_secure_message: Server Request handling failed globus_handler_ws_secure_message: Failed to verify the message: Unable to get Security header element from message attributes. | The client sent a request to a service which message security without properly invoking the security handlers | Invoke the client program with the WS-SecureMessage handler.
Typically this is done by add -m msg to the
command-line. |
Error: globus_soap_message_module: SOAP Fault
Fault code: Client
Fault string: globus_soap_message_module: Loaded message handlers do not
understand required header element:
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
Security | The client sent a request protected with message-level security but the server did not understand the required security headers | Disable WS-SecureMessage on the client |