GT 5.0.5 GSI C Release Notes


1. Component Overview

The Globus Toolkit GSI C component provides APIs and tools for authentication, authorization and certificate management. The authentication API is built using Public Key Infrastructure (PKI) technologies, e.g. X.509 Certificates and TLS. In addition to authentication, it features a delegation mechanism based on X.509 Proxy Certificates. Authorization support takes the form of two APIs. The first is a generic authorization API that allows callouts to perform access control based on the client's credentials (i.e. the X.509 certificate chain). The second provides a simple access control list that maps authorized remote entities to local (system) user names. The second mechanism also provides callouts that allow third parties to override the default behavior and is currently used in the Gatekeeper and GridFTP servers. In addition, there are various lower-level APIs and tools for managing, discovering and querying certificates.

2. Feature summary

Features new in GT 5.0.5

  • RIC-143: certificate verify for grid-cert-diagnostics

Other Supported Features

  • Authentication of users using standard X.509 End Entity and Proxy Certificates.
  • Delegation using X.509 Proxy Certificates.
  • Pluggable authorization based on the client's certificate chain for GridFTP and GRAM5.
  • Pluggable authorization for GRAM5 based on the RSL of the job.

Deprecated Features

  • None

3. Summary of Changes in GSIC

3.1. New Features: GSIC

  • RIC-147: add globus_gsi_cred_read_cert_bio

3.2. Improvements: GSIC

None.

4. Fixed Bugs for GSIC

  • RIC-156: globus_gsi_sysconfig calls globus_i_gsi_sysconfig_create_key_string unsafely
  • RIC-162: globus_gsi_cred_verify does not do what documentation says it does
  • RIC-163: segfault in globus_gsi_cred_get_key if read_cert was used
  • RIC-213: support for private keys in PKCS8 format broken
  • RIC-215: gss_import_cred() doesn't match properly the OID passed

5. Known Problems in GSIC

  • RIC-127: GSS_I_DISALLOW_ENCRYPTION not being enforced by GSI C GSSAPI
  • RIC-238: GSI XIO Driver hangs in delegation code

6. Technology dependencies

The GSI C component depends on the following GT components:

  • C Common Libraries

The GSI C component depends on the following 3rd party software:

  • OpenSSL

7. Tested platforms

Tested platforms for GSI C:

  • Linux

    • CentOS 6 x86_64
    • Debian 6 x86_64
    • Fedora 15 x86_64
    • Ubuntu 11.10 x86_64

  • Mac OS X

    • Mac OS X 10.7.3

  • Solaris

    • Solaris 11 11/11

8. Backward compatibility summary

Protocol changes in GSI C since GT 5.0.4

  • None

API changes since GT 5.0.4

  • None

Exception changes since GT 5.0.4

  • Not applicable

Schema changes since GT 5.0.4

  • Not applicable

9. Associated Standards

Associated standards for GSI C:

10. For More Information

See GSI C for more information about this component.

Glossary

P

proxy certificate

A short-lived certificate issued using an EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign-on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.

public key

The public part of a key pair used for cryptographic operations (e.g. signing, encrypting).