GT 4.2.1: Security


Security tools are concerned with establishing the identity of users and/or services (authentication), protecting the integrity and privacy of communications (message protection), determining and enforcing who is allowed to perform what actions on what resources (authorization), and providing (secure) logs to verify that the correct policy is enforced (accounting, which allows for auditing of policy compliance). They also include supporting functions such as managing user credentials, maintaining group membership information, and administering access rights.

GT4 provides distinct WS and non-WS authentication and authorization capabilities. Both build on the same base, namely the standard X.509 end-entity and proxy certificates, which are used to identify persistent entities such as users and servers and to support the temporary delegation of privileges to other entities. Note that you can find information about the non-WS authentication and authorization capabilities under the GSI documentation (below).

| If you want to: | See: |
|---|---|
| Install and configure GSI | Security |
| Obtain certificates | Obtaining host certificates |
| Add authorization with a gridmap file | Section 4, “Add authorization”, Section 4, “Configuring Credential Mappings” and Globus Toolkit Gridmap Processing |
| Use firewalls with GSI | Firewall HowTo |
| Compare features between Java and C WS security code | Security Features |
| Learn about the types of proxy certificates used in GT | Proxy Cert Types |
| Use secure single-signon | Delegation Service |
| Manage proxy certificates, use security for non-WS components | User's Guide |
| Use security for WS components (in Java) | Java WS A&A |
| Use security for WS components (in C) | C WS A&A |
| Delegate credentials for web services | Delegation Service |
| Manage fine-grained authorization within a community | Community Authorization Service (CAS) |
| Manage credentials by storing proxies in a repository | MyProxy |
| Run your own simple Certificate Authority (CA) | SimpleCA |
| Use a single-signon remote login | GSI-OpenSSH |

A. GT 4.2.1 WS Authentication & Authorization Security Features

This section provides details about some of the features of the C and Java GSI implementations.

Table A.1. GT 4.2.1 Security Features

| Area | Supported Feature | GT4 C Code | GT4 Java Code |
|---|---|---|---|
| Proxy Certificate | Authentication with RFC 3820 compliant proxy certificates | Yes | Yes |
| | Authentication with Globus (old OID) proxy certificates | Yes | Yes |
| | Authentication with legacy (GT2) proxy certificates | Available, but unsupported | Available, but unsupported |
| | Delegation of proxy certificates | Yes | Yes |
| X.509 Extensions | Extended Key Usage Extension | Yes | No |
| CA Support | CA Signing Policy | Yes | No |
| | Configurable trust roots (CA certificates) | Yes | Yes |
| Revocation | CRLs | Yes | Yes |
| | OCSP | No | No |
| GSSAPI | GSSAPI | Yes, refer to RFC 2744 | Yes |
| | GSSAPI extensions | Yes | Yes |
| | Integrity protection of user data | Yes | Yes |
| Authorization | User Authorization using grid map file | Yes | Yes |
| | Client-side authorization of service using hostname | Yes | Yes |
| | Client-side authorization of service with wildcard matching of hostnames (e.g. foo matches foo-*, foo-1, foo-bar etc.) | Yes | Yes |
| | CAS Support | Only in GridFTP | No |
| Kerberos | Relinking with Kerberos instead of PKI | Yes (kludgey) | Theoretically as part of Java 1.4, but untested |
| SOAP | SOAP independent message signing | Yes | Yes |
| | SOAP independent message encryption | Yes | Yes |
| | Context establishment in SOAP | Yes | Yes |
| | Secure SOAP dispatch headers | No | Yes |

Glossary

C

CA Certificate

The CA's certificate. This certificate is used to verify the signature on certificates issued by the CA. GSI typically stores a given CA certificate in /etc/grid-security/certificates/<hash>.0, where <hash> is the hash code of the CA identity.

CA Signing Policy

The CA signing policy is used to place constraints on the information you trust a given CA to bind to public keys. Specifically it constrains the identities a CA is trusted to assert in a certificate. In GSI the signing policy for a given CA can typically be found in /etc/grid-security/certificates/<hash>.signing_policy, where <hash> is the hash code of the CA identity.

Certificate Revocation List (CRL)

A list of revoked certificates generated by the CA that originally issued them. When using GSI, this list is typically found in /etc/grid-security/certificates/<hash>.r0, where <hash> is the hash code of the CA identity.
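The three entries above describe sibling files that share one <hash> prefix. The following is an added example, not code from the Globus Toolkit, that audits a trust-root directory for CA certificates lacking a signing policy or CRL file (the feature table lists OCSP as unsupported, so the CRL file is the revocation source) and for policy or CRL files with no CA certificate. The function name, the finding labels and the sample hash names are assumptions made for illustration; the check covers file presence only, not CRL contents or expiry.

```shell
#!/bin/sh
# audit_trust_roots DIR  (hypothetical helper, not part of GSI)
# For each CA certificate DIR/<hash>.0, check that DIR/<hash>.signing_policy
# and DIR/<hash>.r0 exist and are non-empty; also flag policy/CRL files whose
# <hash>.0 is absent. Prints one finding per line.
# Returns 0 when clean, 1 when anything is flagged, 2 on a bad argument.
audit_trust_roots() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "ERROR $dir is not a directory"
        return 2
    fi
    for cert in "$dir"/*.0; do
        [ -e "$cert" ] || continue          # glob matched nothing
        hash=$(basename "$cert" .0)
        if [ ! -s "$dir/$hash.signing_policy" ]; then
            echo "MISSING_POLICY $hash"
            findings=$((findings + 1))
        fi
        if [ ! -s "$dir/$hash.r0" ]; then
            echo "MISSING_CRL $hash"
            findings=$((findings + 1))
        fi
    done
    for extra in "$dir"/*.signing_policy "$dir"/*.r0; do
        [ -e "$extra" ] || continue
        base=$(basename "$extra")
        hash=${base%%.*}                    # text before the first dot
        if [ ! -e "$dir/$hash.0" ]; then
            echo "ORPHAN $base"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample directory: hash names are made up, files are placeholders.
demo=$(mktemp -d)
echo cert   > "$demo/1a2b3c4d.0"
echo policy > "$demo/1a2b3c4d.signing_policy"
echo crl    > "$demo/1a2b3c4d.r0"
echo cert   > "$demo/5e6f7a8b.0"            # CA with no policy and no CRL
echo crl    > "$demo/9c0d1e2f.r0"           # CRL with no CA certificate
audit_trust_roots "$demo" || true
rm -rf "$demo"
```

On a real host the argument would be /etc/grid-security/certificates, the location given in the glossary entries.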

G

grid map file

A file containing entries mapping certificate subjects to local user names. This file can also serve as an access control list for GSI-enabled services and is typically found in /etc/grid-security/grid-mapfile. For more information see the Gridmap section here.

P

proxy certificate

A short-lived certificate issued using an EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign-on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.