This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.
GSI: Developer's Guide
Overview
APIs
>Infrastructure
Acquiring certificates
Using proxy certificates
Related documents
Infrastructure
Details of GSI secure can be found in the Security for Grid Services and the GT3 Security Overview papers.
Security Features Overview
The following table breaks down the various features of GSI and indicate with which versions of the Globus Toolkit they are compatible:
| Feature | Compatible with: |
|---|---|
| X.509 certificates | GT 2.x / GT 3.x |
| TLS/SSL for authentication and message protection | GT 2.x / GT 3.x |
| X.509 Proxy Certificates for delegation and single sign-on. | GT 2.x / GT 3.x |
Credential Compatibility Long-term user and host/service credentials... Existing PKIs and certificates... |
GT 2.x / GT 3.x |
Resource Authorization A file known as |
GT 2.x / GT 3.x |
Application Interfaces Access to the security library is through the Generic Security Service API (GSSAPI), as defined by RFC 2743 with extensions as defined by the Global Grid Forum GSS-extensions document. |
GT 2.x / GT 3.x |
GSI3-secured Web Services Access to web services is secured
using the GSI3 libraries. This includes GSI3 capabilities for authentication,
authorization, delegation, message integrity and encryption. |
GT 3.x only |
No privileged services GT3 represents a redesign of the Globus Toolkit Grid Resource Acquisition and Management (GRAM) service with a strong eye towards the least privilege principle. No services in GT3 need any elevated privileges ("root" access). All privileged code is contained in two small setuid-root programs with tightly constrained functionality. |
GT 3.x only |
Use of Web Services Security Specifications GSI3 has protocols
for authentication and message protection using Web Services specifications
for securing messages using SOAP ( XML-Signature and XML-Encryption )
and the emerging WS-SecureConversation specification
for context establishing. |
GT 3.x only |
Standards-based Approach GSI3 uses technologies that are defined in either existing or proposed standards in the IETF, GGF, W3C or Oasis. GSI3 will continue to be based on only public standards. |
GT 3.x only |
Proxy Certificates format The GT3 GSI libraries support Proxy Certificates as specified in the latest IETF/Global Grid Forum draft. This includes support for both impersonation and independent proxy certificates and a framework that allows for addition of supporting other delegation policies. The GT3 GSI libraries are also backwards compatible with GT2 proxies, in that they will accept GT2 proxies and treat them as GT3 impersonation proxies. |
GT 3.x, backwards compatible with GT2.x proxies |
Enhanced client-side authorization Services in GT3 have credentials that not only indicate the resource name on which they are running, but the account in which they are running. This allows clients connecting to these services a greater level of assurance that they are interacting with an appropriate service. |
GT 3.x only |
Proxy Policy Handling
To determine the identity returned from the GSI libraries, the proxy certificate chain is walked from PC to EEC (i.e., "first certificate" is the proxy certificate not CA certificate):
Note: Identity of first certificate that is either not
a proxy or whose policy is not 'impersonation' or 'gt2-limited impersonation,
the identity of that proxy is the identity returned by GSI.
Note: Any occurrences of 'gt2-limited impersonation' in chain before certificate with returned identity. If any of these policies occur, mark proxy as limited.
Examples:
Given the following chain, the identity returned should be the identity of the EEC:
CA cert -> EEC -> Proxy 1 (Impersonation) -> Proxy 2 (Impersonation)
Given the following chain, the identity returned should be the identity of proxy #2:
CA cert -> EEC -> Proxy 1 (Impersonation) -> Proxy 2 (Independent) -> Proxy 3 (Impersonation)
Given the following chain, the identity returned should be the identity of proxy #1:
CA cert -> EEC -> Proxy 1 (Unrecognized policy) -> Proxy 2 (Impersonation)