The Globus Toolkit GSI C component provides APIs and tools for authentication, authorization and certificate management. The authentication API is built using Public Key Infrastructure (PKI) technologies, e.g. X.509 Certificates and TLS. In addition to authentication, it features a delegation mechanism based upon X.509 Proxy Certificates. Authorization support takes the form of two APIs. The first is a generic authorization API that allows callouts to perform access control based on the client's credentials (i.e. the X.509 certificate chain). The second is a simple access control list that maps authorized remote entities to local (system) user names. The second mechanism also provides callouts that allow third parties to override the default behavior, and is currently used in the Gatekeeper and GridFTP servers. In addition to the above, there are various lower-level APIs and tools for managing, discovering and querying certificates.
Features new in GT 5.2.1
- None.
Other Supported Features
- Uses internet-standard GSSAPI for security operations.
- Supports certificate-based authentication, using both standard X.509 End Entity and Proxy Certificates.
- Supports delegation of user rights to services using standard X.509 Proxy Certificates.
- Supports authorization based on client certificate chains, including support for X.509v3 certificate extensions.
- Provides tools for managing certificates, proxies, trust roots, and credential identity mapping tables.
Deprecated Features
- None
- RIC-204: GSSAPI Test compile failure for Solaris
- RIC-213: support for private keys in PKCS8 format broken
- RIC-215: gss_import_cred() doesn't match properly the OID passed
- RIC-227: Potentially unsafe format strings in GSI
- RIC-231: grid-cert-request prints incorrect path in diagnostic message
- RIC-237: globus-gsi-cert-utils-progs RPM has missing dependency
- RIC-239: GSSAPI Token inspection fails when using TLS 1.2
- RIC-243: gss_import_cred can't handle non-null terminated token
- RIC-248: grid-cert-request can't use non-default CA when a default isn't set
- RIC-254: gssapi probe for whether it can use openssl internals doesn't always work
The GSI C component depends on the following GT components:
- C Common Libraries
The GSI C component depends on the following 3rd party software:
- OpenSSL
Tested platforms for GSI C:
Linux
- CentOS 5, 6 i386, x86_64
- Debian 6, 7 (testing) i386, x86_64
- Fedora 15, 16 i386, x86_64
- Red Hat Enterprise Server 5, 6 i386, x86_64
- Scientific Linux 5, 6 i386, x86_64
- Ubuntu 10.04LTS, 10.10, 11.04, 11.10, 12.04 (testing) i386, x86_64
Mac OS X
- Mac OS X 10.7 (Lion)
Solaris
- Solaris 11 x86_64
Protocol changes in GSI C since GT 5.2.0
- None
API changes since GT 5.2.0
- None
Exception changes since GT 5.2.0
- Not applicable
Schema changes since GT 5.2.0
- Not applicable
Associated standards for GSI C:
See GSI C for more information about this component.
P
- proxy certificate
A short-lived certificate issued using an EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign-on and delegation of rights to other entities.
For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.
- public key
The public part of a key pair used for cryptographic operations (e.g. signing, encrypting).