This document provides an introduction to using message level security, in particular GSI Secure Conversation message level security, with the Globus Toolkit 3. It is based upon and replicates documentation listed in section 10 but combines this into a (hopefully) more coherent and useful form.
[...]

Deployment Descriptor Locations

The securityConfig parameter is used for persistent services. For example:

The instance-securityConfig parameter is used for transient services created by factory services. For example:

The location of the security deployment descriptor...

... performed, the access to the service is allowed. The method cannot be specified with any other authentication method. Note that the org.globus.ogsa.impl.security.authentication.SecurityPolicyHandler handler must be installed properly in order for this to work (see section 6.1). If the security deployment descriptor is not specified, authentication method enforcement is not performed.

SECURITY-FOR-DUMMIES-v1.2

... service has one set)

6.6.3 Default Security Deployment Descriptor

The security deployment descriptor in org/globus/ogsa/impl/security/descriptor/gsi-security-config.xml is a generic descriptor that can be used to secure a service with the GSI secure conversation authentication mechanism.

7 Client Development

7.1 Security Handlers

Message level security is handled by a few...

grid-cert-request -help provides a list of options to the grid-cert-request program.

6 Configuring Server-side Security

6.1 Security Handlers

Message level security is handled by a few client- and server-side Axis/JAX-RPC handlers. These handlers must be properly installed in order for the message level security to work. The /webapps/ogsa/WEB-INF/server-config.wsdd file must...

client-side security handlers

[Figure 4: Client-side security – GSI XML Signature. Components shown: Client Hosting Environment, Sec Msg Handler, Client, Service, WS-Sec Client Handler, Server Hosting Environment.]

3.5.1 Outbound Client-side Security Handlers

GSI Secure Conversation – Secure Conversation Service Handler
• Only operational for GSI Secure Conversation
• Establishes a security session...
6.6.2 Security Deployment Descriptor Content

The security deployment descriptor is contained within a element. Method-based security properties (for some properties) can be contained within elements. For example, the following security deployment descriptor specifies that:
• All methods are to be run with the security...

... Issue

An older version of Xalan was shipped with Java 1.4.0/1.4.1 than the version the GT3 security libraries require. The $GLOBUS_LOCATION/lib/xalan.jar file should be used.

5 Globus Toolkit Installation

This section describes information relating to configuring GT3 for security and for generating and installing host private keys and certificates.

5.1 Install Globus Toolkit...

... the setup-gsi program so you can skip this section.

If you did not have root access then you should ask your administrator to create the directory /etc/grid-security and make it world-readable:

# mkdir /etc/grid-security
# chmod 0755 /etc/grid-security

In /etc/grid-security make a certificates directory:

# mkdir /etc/grid-security/certificates

This can either be a copy of...

... Conversation authentication is to be applied on all method calls.

The following security deployment descriptor specifies that:
• All methods are to be run with the security identity of the caller
• GSI Secure Conversation authentication...

... certificate requests. See http://www.globus.org/security/config.html

grid-mapfile
• This file contains authorization information and information to map Grid identities (e.g. X509 subject names) to local system identities (e.g. Unix user IDs)
• See section 5.4
• The file can have UNIX permission 600 – world-readable only

grid-security.conf
globus-user-ssl.conf
globus-host-ssl.conf

Security for Dummies
Project Title: OGSA-DAI
Document Title: Security for Dummies
Document Identifier: SECURITY-FOR-DUMMIES-v1.2
Editor: Mike Jackson.
certificates is conjecture (!).

2 Security Concepts

This section provides a brief overview of general security concepts for reference or refreshment.

2.1. the code.

3.3 Message Level Security
• Based on the following standards
  o WS-Security
  o XML Encryption
  o XML Signature
• Security is applied entirely