The Web Services portion of GT 4.1.1 uses SOAP over HTTP for communicating messages.
WS Authentication and Authorization Message-Level Security implements the WS-Security standard and the WS-SecureConversation specification to provide message protection for SOAP messages. Features include authentication of the sender, encryption of the message, integrity protection of the message and replay protection.
WS Authentication and Authorization Transport-Level Security provides a secure channel by using HTTP over SSL/TLS (HTTPS) for transporting the messages. This security mechanism supports all of the security features provided by SSL/TLS with the addition of support for X.509 Proxy Certificates.
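As an added illustration of the replay protection listed above (example code written for this page, not part of the Globus Toolkit): a receiver-side check that validates the wsu:Timestamp in a WS-Security header and refuses a message it has already accepted. The SOAP message, the namespace constants and the `ReplayGuard` class are assumptions made for this example; the verdict names echo the 'timestampNotOk' error that appears in the bug list below.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample request (not captured from a GT container); a real
# message would also carry a signature covering the Timestamp and Body.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
 <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsu:Timestamp wsu:Id="Timestamp-1">
   <wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
   <wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires>
  </wsu:Timestamp>
 </wsse:Security></soap:Header>
<soap:Body><ns:ping xmlns:ns="urn:example"/></soap:Body></soap:Envelope>"""

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ReplayGuard:
    """Accept each message once, and only while its wsu:Timestamp is valid."""
    def __init__(self, skew=timedelta(minutes=1)):
        self.skew = skew   # tolerated clock difference between the peers
        self.seen = {}     # message digest -> Expires, pruned on every check

    def check(self, xml_text, now_iso):
        """Verdict for a message received at now_iso (UTC string, passed in so
        runs are reproducible): ok, timestampMissing, timestampNotOk, replay."""
        now = _parse(now_iso)
        root = ET.fromstring(xml_text)
        ts = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
        if ts is None:
            return "timestampMissing"
        created = _parse(ts.findtext(f"{{{WSU}}}Created"))
        expires = _parse(ts.findtext(f"{{{WSU}}}Expires"))
        if created > now + self.skew or expires <= now - self.skew:
            return "timestampNotOk"   # from the future, or already expired
        # Entries past their Expires can never pass again, so forget them;
        # this keeps the cache bounded by the validity window.
        self.seen = {d: e for d, e in self.seen.items() if e > now - self.skew}
        # Replay detection only holds if the signature covers the Timestamp;
        # an unsigned Timestamp could simply be rewritten before resending.
        digest = hashlib.sha256(xml_text.encode()).hexdigest()
        if digest in self.seen:
            return "replay"
        self.seen[digest] = expires
        return "ok"
```

The same message presented twice within its validity window is accepted once and then reported as a replay; outside the window it fails the timestamp check regardless of the cache.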
Features new in GT 4.1.1
None.
Other Supported Features
- Compliance with published IBM/Microsoft WS-Trust and WS-SecureConversation specifications
- Compliance with the Web Services Security 1.0 standard
- HTTPS support
- Message encryption, integrity protection and replay attack prevention
- Establishment of a session key for light-weight message protection
Deprecated Features
- GT 3.2 SecureConversation protocol
The following changes have occurred for Message/Transport-level Security since the last stable release, 4.0.4:
- The security descriptor framework, used to configure security properties for the security framework, has been enhanced. Detailed information about the framework is provided in Section 1, “Security Descriptors Introduction”.
- Java WS Authentication code honors environment variables to pick up the credential to use, as described here.
- Java WS Authentication code allows configuration of trust certificates in a non-default location, as described here.
- Bug 2535: <proxy-file> causes container to fail
- Bug 2651: /dev/random vs. /dev/urandom
- Bug 2743: grid-mapfile location should be in global security descriptor
- Bug 2207: Missing security error 'timestampNotOk'
- Bug 2899: relative path does not work for credentials in Security Descriptor
- Bug 2900: Job submission does not work using relative path in global_security_descriptor.xml and absolute path in sudoers.
- Bug 2955: Job submission fails when container is started from non GLOBUS_LOCATION
- Bug 2969: Too relaxed rules on DN comparisons (all versions of GT)
- Bug 3849: Container descriptor is shared across containers in one JVM
- Bug 3891: Public credentials of client in peer subject
- Bug 3965: Credential refresh problems
- Bug 4021: globus-start-container -containerDesc not working
- Bug 4136: At least one of the headers used in dispatch was not secured error
- Bug 4146: setting default container security via environment
The following problems and limitations are known to exist for Message/Transport-level security at the time of the 4.1.1 release:
- Bug 2907: Secure Conversation (Encryption) does not provide any message level security for the SOAP headers
- Bug 3689: Possible royalty / patent issue with BouncyCastle jar IDEA Algorithm
- Bug 4350: Framework does not support independent authz scheme for GSI Transport and GSI Secure Conversation
- Bug 4507: Problem with corrupted CRL
- Bug 4535: Client security descriptor does not allow for GSI Transport configuration
WS Authentication and Authorization Message & Transport Level Security depends on the following GT components:
- The C implementation depends on C WS Core.
- The Java implementation depends on Java WS Core.
WS Authentication and Authorization Message & Transport Level Security depends on the following 3rd party software:
- Apache WSFX Security Libraries
- PureTLS Libraries
- BouncyCastle JCE provider
- Cryptix Libraries
- Apache XML Security Libraries
WS Authentication and Authorization Message & Transport Level Security should work on any platform that supports J2SE 1.3.1 or higher.
Tested Platforms for WS Authentication and Authorization Message & Transport Level Security
- Linux (Red Hat 7.3)
- Windows 2000
- Solaris 9
Associated standards for WS A&A Message/Transport-level Security:
- WS-Security
- WS-Security: X.509 Certificate Tokens
- WS-Security: Username Tokens
- WS-Trust
- WS-Secure Conversation
- WS-I Basic Security Profile
- RFC 3820 Proxy Certificates
- RFC 2818 HTTP over TLS
- RFC 2246 TLS
- JAAS
See Message & Transport Level Security for more information about this component.