About the Toolkit

Home -> Toolkit -> Docs -> Development -> 4.1.0 -> Security

Software Links

Usage Statistics
Release Notes
Versioning
Downloads
Advisories
Licenses
CVS & Dev Tools

Getting Started

Doc Structure
A Globus Primer
Quickstart
Installing GT
Platform Notes
Migrating from GT2
Migrating from GT3

Reference

PDF version
Best Practices
Coding Guidelines
API docs
Public Interfaces
Resource Properties
Samples
Glossary
Index
Performance Studies

Common Runtime

Java WS Core
C WS Core
Python WS Core
XIO
CoG jglobus
pyGlobus

Security

Pre-WS A&A
Message-level
Authz Framework
CAS
Delegation Service
MyProxy
GSI-OpenSSH
SimpleCA

Data Mgt

RFT
GridFTP
RLS
WS RLS
OGSA-DAI
DRS

Information Svcs

WS MDS Aggregator
WS MDS Index
WS MDS Trigger
WS MDS WebMDS
WS MDS UsefulRP

Execution Mgt

WS GRAM
GTCP
CSF
WMS
Pre-WS GRAM (legacy)

GT 4.1.0: Security
Prev		Next

GT 4.1.0: Security

Abstract

Security tools are concerned with establishing the identity of users or services (authentication), protecting communications, and determining who is allowed to perform what actions (authorization), as well as with supporting functions such as managing user credentials and maintaining group membership information.

GT4 provides distinct WS and pre-WS authentication and authorization capabilities. Both build on the same base, namely standard X.509 end entity certificates and proxy certificates, which are used to identify persistent entities such as users and servers and to support the temporary delegation of privileges to other entities.

For more information about the security concepts behind GT4, see Security: Key Concepts.

For a comparison of features between Java and C code, see Security Features.

For firewall information, click here.

GT4’s WS security includes:

Message-level Security mechanisms, which implement the WS-Security standard and the WS-SecureConversation specification to provide message protection for GT4’s SOAP messages
Transport-level Security mechanisms, which use transport-level security (TLS) mechanisms; and
an Authorization Framework that allows for a variety of authorization schemes, including a “grid-mapfile” access control list, an access control list defined by a service, a custom authorization handler, and access to an authorization service via the SAML protocol.

For non-WS components, GT4 provides similar authentication, delegation, and authorization mechanisms, although with fewer authorization options. See the following components for more information:

Community Authorization Service (CAS)
Delegation Service
Credential Management
- MyProxy
- SimpleCA
Utilities
- GSI-OpenSSH
Pre-WS Authentication & Authorization

TODO: add blurb about SGAS (SweGrid Accounting System)

Table of Contents

Key Concepts

1. Overview
2. Conceptual Details
3. Related Documents

Security Features

Pre-WS Authentication and Authorization

Release Notes
Admin Guide
User's Guide
Developer's Guide
Public Interfaces
Quality Profile
Migrating Guide
GT 4.1.0 Pre-WS AA Command Reference

Message & Transport Level Security

Release Notes
Admin Guide
User's Guide
Developer's Guide
Public Interfaces
Quality Profile
Migration Guide

Authorization Framework

Release Notes
WS A&A Authorization Framework Admin Guide
User's Guide
Developer's Guide
Public Interfaces
Quality Report
Migrating Guide
A. Security Descriptors
B. PDP Reference
C. PIP Reference

Community Authorization Service (CAS)

Release Notes
CAS Admin Guide
User's Guide
Developer's Guide
Public Interfaces
Quality Report
Migrating Guide
GT 4.1.0 CAS Command Reference
D. Using CAS Command line Clients
E. Setting up CAS for GridFTP
F. GT 4.1.0 Call for Community Testing: Community Authorization Service (CAS)

Delegation Service

GT 4.1.0 Delegation Service Release Notes
Admin Guide
User's Guide
Developer's Guide
Public Interfaces
Quality Report
Migrating Guide
GT 4.1.0 Delegation Service Commandline Reference
G. GT 4.1.0 Call for Community Testing: Delegation Service

Release Notes
System Administrator's Guide
User's Guide
Developer's Guide
Public Interface Guide
Quality Profile
Migrating Guide
GT 4.1.0 MyProxy Command Reference

GSI-OpenSSH

Release Notes
System Administrator's Guide
User's Guide
Developer's Guide
Public Interface Guide
Quality Profile
Migrating Guide
GT 4.1.0 GSI-OpenSSH Command Line Reference

Release Notes
Admin Guide
Gt 4.1.0 SimpleCA Command Reference

List of Figures

1. The new certificate is signed by the owner, rather than a CA.
1. The new certificate is signed by the owner, rather than a CA.
2. JAX-RPC handlers involved in security related message processing on a server.
1. Delegation Service Creation
2. Delegation Service Refresh

List of Tables

1. GT 4.1.0 Security Features
1. CA files
2. Certificate request configuration files
3. Certificate request files
1. CA files
2. Certificate request configuration files
3. Certificate request files
1. CA files
2. Certificate request configuration files
3. Certificate request files
11. Common command line options
12. Certificate specific command line options
13. Command line options
14. Command line options
15. Command line options
16. Command line options
17. Command line options
18. Command line options
19. Print options
20. Validity options
21. Command line options
22. Command line options
23. Command line options
1. Client side security properties
1. Client side security properties
A.1. Security descriptor schema
A.2. Builtin PDPs
A.3. SAML Callout PDP Parameters
A.4. Authentication methods
A.5. Run-as methods
A.6. Descriptor classes
C.1. Attribute I
C.2. Attribute II
1. Database parameters
2. Command line options
3. Test database properties
4. Test properties
1. User tables
2. Action tables
3. Resource Tables
4. Policy Statement Table
5. Request methods
6. Database parameters
1. Database parameters
45. cas-proxy-init options
46. cas-wrap options
47. cas-enroll options
48. cas-remove options
D.1. cas-enroll options for namespaces
D.2. cas-remove options for namespaces
D.3. cas-enroll options for objects
D.4. cas-remove options for objects
D.5. cas-enroll options for service types
D.6. cas-remove options for service types
D.7. cas-action options for service types
D.8. cas-action options for removing service types
D.9. cas-group-admin options for adding a new user group
D.10. cas-group-add-entry options for adding a user to a user group
D.11. cas-group-remove-entry options for removing a user from a user group
D.12. cas-group-admin options for deleting a user group
D.13. cas-group-admin options for creating an object group
D.14. cas-group-add-entry options for adding a member to an object group
D.15. cas-group-remove-entry options for removing an object from an object group
D.16. cas-group-admin options for deleting an object group
D.17. cas-group-admin options for creating a service/action group
D.18. cas-group-add-entry options for adding a service/action to a serviceAction group
D.19. cas-group-remove-entry options for removing a service/action from a serviceAction group
D.20. cas-group-admin options for deleting a serviceAction group
D.21. cas-rights-admin options for granting permissions to a user group on an object or object group
D.22. cas-rights-admin options for revoking a policy in the CAS database
D.23. cas-whoami options
D.24. cas-list-object options
D.25. cas-get-object options
D.26. cas-group-list-entries options
D.27. cas-find-policies options
D.28. query-cas-service options
77. globus-credential-delegate options
78. globus-credential-refresh options
1. myproxy-server.config lines
1. myproxy-server.config lines
2. Environment variables
1. myproxy-server.config lines
2. Environment variables
84. myproxy-init options
85. myproxy-info options
86. myproxy-logon options
87. myproxy-store options
88. myproxy-retrieve options
89. myproxy-destroy options
90. myproxy-change-pass-phrase options
91. myproxy-admin-adduser options
92. myproxy-admin-change-pass options
93. myproxy-admin-query options
94. myproxy-admin-load-credential options
95. myproxy-server options
1. GSI-OpenSSH build arguments
1. CA Name components

Prev		Next
GT 4.1.0 Migrating Guide for XIO	Home	GT 4.1.0 Security: Key Concepts