GT3 Grid Security Infrastructure (GSI): Overview

GT3 Security Overview

The Grid Security Infrastructure (GSI) in the Globus Toolkit version 3 (GT3) is the latest evolution of the Grid Security Infrastructure. GSI in GT3 builds on the functionality present in earlier GT2 toolkit releases: X.509 certificates, TLS/SSL for authentication and message protection, and X.509 Proxy Certificates for delegation and single sign-on.

Details of GSI security can be found in the Security for Grid Services and GT3 Security Overview papers. The highlighted improvements in GSI3 are:

  • GSI3-secured Web Services: Access to GT3 services is secured using the GSI3 libraries, which provide authentication, authorization, delegation, message integrity and encryption.
  • No privileged services: GT3 represents a redesign of the Globus Toolkit Grid Resource Acquisition and Management (GRAM) service with a strong eye towards the least privilege principle. No service in GT3 needs elevated privileges ("root" access). All privileged code is contained in two small setuid-root programs with tightly constrained functionality.
  • Use of Web Services Security Specifications: GSI3 has protocols for authentication and message protection that use the Web Services specifications for securing SOAP messages (XML-Signature and XML-Encryption) and the emerging WS-SecureConversation specification for security context establishment.
  • Standards-based Approach: GSI3 uses technologies that are defined in existing or proposed standards of the IETF, GGF, W3C or OASIS. GSI3 will continue to be based only on public standards.
  • Proxy Certificate format: The GT3 GSI libraries support Proxy Certificates as specified in the latest IETF/Global Grid Forum draft. This includes support for both impersonation and independent proxy certificates, and a framework that allows support for other delegation policies to be added. The GT3 GSI libraries are also backwards compatible with GT2 proxies: they accept GT2 proxies and treat them as GT3 impersonation proxies.
  • Enhanced client-side authorization: Services in GT3 have credentials that indicate not only the resource name on which they are running, but also the account in which they are running. This gives clients connecting to these services a greater level of assurance that they are interacting with an appropriate service.
Some things have not changed from GT2 to GT3, for example:
  • GT2 Credential Compatibility: GT3 uses the same long-term user and host/service credentials as GT2. Existing PKIs and certificates will continue to work in GT3.
  • Resource Authorization: GT2 used a file known as the grid-mapfile to map Grid identities (the distinguished name from a user's X.509 identity certificate) to a local identity (a Unix account name). A GT3 installation uses the same grid-mapfile as a GT2 installation. This allows GT2-based grids to continue to use their existing infrastructure to manage grid-mapfiles.
  • Application Interfaces: The GT3 security library is still accessible through the Generic Security Service API (GSSAPI), as defined by RFC 2743, with the extensions defined in the Global Grid Forum GSS-extensions document.
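To make the grid-mapfile mapping concrete, here is an added example (not code from the Globus Toolkit) that parses the `"DN" account[,account...]` line format, resolves a certificate DN to its default local account by exact match, and audits which entries map to a privileged account, the kind of check a site running GT2 or GT3 would want before trusting a shared grid-mapfile. The DNs and account names in the sample are constructed for illustration.

```python
"""Parse and audit a grid-mapfile: one '"DN" account[,account...]' per line."""
import shlex
from typing import Dict, List, Optional, Sequence

# Constructed sample grid-mapfile; DNs and account names are made up.
SAMPLE_GRIDMAP = """\
# comment lines and blank lines are ignored
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob,gridusers
"/C=US/O=Example Grid/OU=Services/CN=host/node1.example.org" root
"""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [local accounts]}; the first account is the default mapping.

    The DN is double-quoted (it contains spaces and slashes); the accounts are a
    comma-separated list. Malformed or duplicate entries are rejected outright
    rather than silently overriding an earlier mapping.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shell-style quoting keeps the DN as one token
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" accounts', got {raw!r}")
        dn, accounts = parts
        names = [a for a in accounts.split(",") if a]
        if not names:
            raise ValueError(f"line {lineno}: no local account given for {dn}")
        if dn in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {dn}")
        mapping[dn] = names
    return mapping


def map_identity(mapping: Dict[str, List[str]], dn: str) -> Optional[str]:
    """Exact-match lookup of a certificate DN; None means the Grid identity is unmapped."""
    accounts = mapping.get(dn)
    return accounts[0] if accounts else None


def audit_privileged(mapping: Dict[str, List[str]],
                     privileged: Sequence[str] = ("root",)) -> List[str]:
    """DNs whose mapping would grant a privileged local account (should be empty)."""
    return sorted(dn for dn, accts in mapping.items()
                  if any(a in privileged for a in accts))
```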

Other Sources of Information about GT3 Security

The following papers contain a detailed description of GT3 and OGSA security:

  • Security for Grid Services. V. Welch, F. Siebenlist, I. Foster, J. Bresnahan, K. Czajkowski, J. Gawor, C. Kesselman, S. Meder, L. Pearlman, S. Tuecke. To appear in HPDC 2003. (PDF)
  • GT3 Grid Security Infrastructure Overview. Jarek Gawor, Sam Meder, Frank Siebenlist, Von Welch (Doc)

The following are other sources of information about OGSA and GT3: