Table of Contents
The Globus Toolkit GSI C component provides APIs and tools for authentication, authorization and certificate management. The authentication API is built using Public Key Infrastructure (PKI) technologies, e.g. X.509 Certificates and TLS. In addition to authentication it features a delegation mechanism based upon X.509 Proxy Certificates. Authorization support takes the form of a couple of APIs. The first provides a generic authorization API that allows callouts to perform access control based on the client's credentials (i.e. the X.509 certificate chain). The second provides a simple access control list that maps authorized remote entities to local (system) user names. The second mechanism also provides callouts that allow third parties to override the default behavior and is currently used in the Gatekeeper and GridFTP servers. In addition to the above there are various lower level APIs and tools for managing, discovering and querying certificates.
Features new in GT 5.0.5
- RIC-143: certificate verify for grid-cert-diagnostics
Other Supported Features
- Authentication of user using standard X.509 End Entity and Proxy Certificates.
- Delegation using X.509 Proxy Certificates.
- Pluggable authorization based on the client's certificate chain for GridFTP and GRAM5
- Pluggable authorization for GRAM5 based on the RSL of the job.
Deprecated Features
- None
- RIC-156: globus_gsi_sysconfig calls globus_i_gsi_sysconfig_create_key_string unsafely
- RIC-162: globus_gsi_cred_verify does not do what documentation says it does
- RIC-163: segfault in globus_gsi_cred_get_key if read_cert was used
- RIC-213: support for private keys in PKCS8 format broken
- RIC-215: gss_import_cred() doesn't match properly the OID passed
The GSI C component depends on the following GT components:
- C Common Libraries
The GSI C component depends on the following 3rd party software:
- OpenSSL
Tested platforms for GSI C:
Linux
- CentOS 6 x86_64
- Debian 6 x86_64
- Fedora 15 x86_64
- Ubuntu 11.10 x86_64
Mac OS X
- Mac OS X 10.7.3
Solaris
- Solaris 11 11/11
Protocol changes in GSI C since GT 5.0.4
- None
API changes since GT 5.0.4
- None
Exception changes since GT 5.0.4
- Not applicable
Schema changes since GT 5.0.4
- Not applicable
Associated standards for GSI C:
- RFC 3820 Proxy Certificates
- RFC 2744 GSSAPI: C-bindings
- RFC 2743 GSSAPI
- GSSAPI Extensions
- RFC 2246 TLS
See GSI C for more information about this component.
P
- proxy certificate
A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.
For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.
- public key
The public part of a key pair used for cryptographic operations (e.g. signing, encrypting).