Software Links

Usage Statistics
Release Notes
Versioning
Downloads
Advisories
Licenses
CVS & Dev Tools

Getting Started

Globus Is Modular!
Installing GT
Quickstart
Platform Notes
GT Developer's Guide
GT User's Guide
Migrating Guides

Components

Data Mgt
GridFTP
RLS
Execution Mgt
GRAM5
Security
GSI C
MyProxy
GSI-OpenSSH
SimpleCA
Common Runtime
XIO
C Common Libs

Reference

Coding Guidelines
API docs
GT Commands
Public Interfaces
Glossary

GT 5.0.3 GSI C Release Notes

Table of Contents

1. Component Overview
2. Feature summary
3. Summary of Changes in GSI
4. Bug Fixes
5. Known Problems
5.1. Limitations
5.2. Outstanding bugs
6. Technology dependencies
7. Tested platforms
8. Backward compatibility summary
9. Associated Standards
10. For More Information
Glossary

1. Component Overview

The Globus Toolkit GSI C component provides APIs and tools for authentication, authorization and certificate management. The authentication API is built using Public Key Infrastructure (PKI) technologies, e.g. X.509 Certificates and TLS. In addition to authentication it features a delegation mechanism based upon X.509 Proxy Certificates. Authorization support takes the form of a couple of APIs. The first provides a generic authorization API that allows callouts to perform access control based on the client's credentials (i.e. the X.509 certificate chain). The second provides a simple access control list that maps authorized remote entities to local (system) user names. The second mechanism also provides callouts that allow third parties to override the default behavior and is currently used in the Gatekeeper and GridFTP servers. In addition to the above there are various lower level APIs and tools for managing, discovering and querying certificates.

2. Feature summary

Features new in GT 5.0.3

  • No new features.

Other Supported Features

  • Authentication of user using standard X.509 End Entity and Proxy Certificates.
  • Delegation using X.509 Proxy Certificates.
  • Pluggable authorization based on the client's certificate chain for GridFTP and GRAM2.
  • Pluggable authorization for GRAM2 based on the RSL of the job.

Deprecated Features

  • None

3. Summary of Changes in GSI

No major changes since GT 5.0.2.

4. Bug Fixes

  • bug 7093: globus_gsi_proxy_handle_set_is_limited doesn't handle rfc proxies
  • bug 6646: gss_accept_sec_context() returns incorrect src_name for independent proxies

5. Known Problems

The following problems and limitations are known to exist for GSI C at the time of the 5.0.3 release:

  • RIC-66: nonportable shebang in globus-update-certificate-dir

5.1. Limitations

  • No known limitations exist.

5.2. Outstanding bugs

  • Bug 1239: grid grants access even though local account is locked
  • Bug 1528: Getting CA information during handshake
  • Bug 3521: Conditionally disallow grid-mapfile-{add,delete}-entry
  • Bug 3555: Implement HSPD-12/PIV-II
  • Bug 3781: GSI caching of CRLs causes problems when process lifetime exceeds CRL lifetime
  • Bug 4180: Exact syntax of grid-mapfile?
  • Bug 4788: [patch] add OCSP check to globus_i_gsi_callback_check_revoked()
  • Bug 5304: better commandline option for people who have multiple certs
  • Bug 5768: Reconfiguration of Cipher Suite
  • Bug 6384: fix leaks and unintialized memory read in GAA
  • Bug 6385: grid-change-passphrase gives obscure error for incorrect passphrase
  • Bug 6614: GT Proxy Certificates should use random serial number to prevent predictable certificate contents
  • Bug 6663: grid-cert-diagnostics doesn't check CRLs
  • Bug 6741: Allow plugins without the flavor extension in the name
  • Bug 6901: mutal auth in init_context fails for generic service
  • Bug 6964: Confusing error message from grid-cert-request
  • Bug 1476: grid-cert-request directions should be generalized
  • Bug 2983: Missing TESTS.pl script for globus_authz_test
  • Bug 3062: Missing TESTS.pl script for gaa_simple_test
  • Bug 3173: /etc/grid-security/gsi-authz.conf and gsi-gaa.conf are build dependent
  • Bug 5634: Give file location of gridmap in authz failures
  • Bug 4110: Need to add an option to grid-cert-request to control key length
  • Bug 5707: Campaign: Improve C XACML/SAML Engine
  • Bug 6706: gss_export_sec_context and gss_import_sec_context don't generate independent tokens
  • Bug 2589: Behavior of C and java grid-proxy-init differ, should be unified
  • Bug 2969: Too relaxed rules on DN comparisons (all versions of GT)

6. Technology dependencies

The GSI C component depends on the following GT components:

  • C Common Libraries

The GSI C component depends on the following 3rd party software:

  • OpenSSL

7. Tested platforms

Tested platforms for GSI C:

  • Linux

    • Debian 5.0.6 x86_64

  • Mac OS X

    • Mac OS X 10.6.6

  • Solaris

    • OpenSolaris 11 (November 2008)

8. Backward compatibility summary

Protocol changes in GSI C since GT 5.0.2

  • None

API changes since GT 5.0.2

  • None

Exception changes since GT 5.0.2

  • Not applicable

Schema changes since GT 5.0.2

  • Not applicable

9. Associated Standards

Associated standards for GSI C:

10. For More Information

See GSI C for more information about this component.

Glossary

P

proxy certificate

A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.

public key

The public part of a key pair used for cryptographic operations (e.g. signing, encrypting).