Client security descriptors from a file can be configured directly on the stub as follows:
// Client security descriptor file
String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml";
// Set descriptor on Stub
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR_FILE, CLIENT_DESC);
A ClientSecurityDescriptor object can be constructed from a file and configured directly on the stub as follows:
// Client security descriptor file
String CLIENT_DESC = "org/globus/wsrf/samples/counter/client/client-security-config.xml";
ClientSecurityDescriptor desc = new ClientSecurityDescriptor(CLIENT_DESC);
// Set descriptor on Stub
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR, desc);
Note: This takes precedence over method 1 (the descriptor file set with Constants.CLIENT_DESCRIPTOR_FILE).
A ClientSecurityDescriptor object can be created and its get/set methods used to set security properties. The object can then be configured on the stub as follows:
ClientSecurityDescriptor desc = new ClientSecurityDescriptor();
// set security properties on the above object using its set/get methods
// Set descriptor on Stub
((Stub)port)._setProperty(Constants.CLIENT_DESCRIPTOR, desc);
To initialize the descriptor, use the API in org.globus.wsrf.impl.security.descriptor.ClientSecurityConfig.
Note: This takes precedence over method 1 (the descriptor file set with Constants.CLIENT_DESCRIPTOR_FILE).
The client can be configured with credentials using the descriptor. The credentials can be set using either: a) the path to a proxy file, or b) the path to a certificate and key file. The credentials can be configured by adding one of the following blocks to the client security descriptor.
Example for option (a):
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<proxy-file value="proxyFile"/>
...
</clientSecurityConfig>
Example for option (b):
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<credential>
<cert-key-files>
<key-file value="keyFile"/>
<cert-file value="certFile"/>
</cert-key-files>
</credential>
...
</clientSecurityConfig>
If credentials are not configured using any of the above methods, then the underlying CoG JGlobus library is used. This will attempt to load the proxy certificate of the user that is running the container, as described in Section 5, “Proxy file Location”.
The <authz> element determines the mechanism used to authorize the server that is being contacted. Note that the security descriptor cannot be used to configure custom client authorization. Refer to the Authorization domain-level interface for details. The following values are currently supported:
| Configuration | Functionality |
|---|---|
| none | No authorization is done. |
| self | Self authorization is done, i.e. the server should be running with the same credentials as the client. |
| host | Host authorization is done, i.e. the server should be running with credentials that have the host name it is running on embedded in them. |
| hostSelf | Host authorization is done (i.e. the server should be running with credentials that have the host name it is running on embedded in them). If that fails, an attempt at self authorization (i.e. the server should be running with the same credentials as the client) is made. |
| any other string | Identity authorization is done using the value as the identity, i.e. the server should be running with the identity specified as the value. |
The following sample configures self authorization:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<authz value="self"/>
...
</clientSecurityConfig>
The client can be configured to do GSI Secure Conversation using the element <GSISecureConversation>. The following subelements can be used to set various properties:
| Element | Functionality |
|---|---|
| <integrity> | Sets protection level to signature. |
| <privacy> | Sets protection level to encryption (signature is also done). |
| <anonymous> | Server is accessed as anonymous. |
| <delegation value="type of delegation"> | Determines the type of delegation to be done. The value can be set to full or limited. If the delegation element is not used, no delegation is done. If delegation is enabled, some form of client authorization is required. |
| <context-lifetime> | Determines the lifetime of the context established. If not specified, the least lifetime of the chain of certificates used in establishing the context is used as the context lifetime. |
The following sample sets GSI Secure Conversation with privacy and full delegation:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureConversation>
<privacy/>
<delegation value="full"/>
</GSISecureConversation>
...
</clientSecurityConfig>
The client can be configured to do GSI Secure Message using the element <GSISecureMessage>. The following subelements can be used to set various properties:
| Element | Functionality |
|---|---|
| <integrity> | Sets protection level to signature. |
| <privacy> | Sets protection level to encryption (signature is also done). |
| <peer-credential value="path to file with credentials to encrypt with"> | Sets the path to the file containing the credential to use if privacy protection is chosen. |
The following sample sets GSI Secure Message with integrity:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureMessage>
<integrity/>
</GSISecureMessage>
...
</clientSecurityConfig>
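The descriptor rules stated in the authorization, Secure Conversation and Secure Message sections above (one credential source, server authorization required when delegating, a peer credential required for Secure Message privacy) can be checked before a client is deployed. The following lint pass is an added example and not part of the Globus Toolkit; the namespace is the one the samples use, and the two descriptors it checks are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.globus.org/security/descriptor/client}"
# Constructed sample descriptors (not taken from the Globus documentation).
CONSISTENT = """<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
  <proxy-file value="/tmp/x509up_u1000"/>
  <authz value="host"/>
  <GSISecureConversation><privacy/><delegation value="limited"/></GSISecureConversation>
</clientSecurityConfig>"""

INCONSISTENT = """<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
  <proxy-file value="/tmp/x509up_u1000"/>
  <credential><cert-key-files><key-file value="k.pem"/><cert-file value="c.pem"/></cert-key-files></credential>
  <authz value="none"/>
  <GSISecureConversation><delegation value="full"/></GSISecureConversation>
  <GSISecureMessage><privacy/></GSISecureMessage>
</clientSecurityConfig>"""


def authz_mode(root):
    """Return none/self/host/hostSelf, 'identity' for any other value, or 'unset' if absent."""
    el = root.find(NS + "authz")
    if el is None:
        return "unset"
    return el.get("value") if el.get("value") in ("none", "self", "host", "hostSelf") else "identity"


def lint_descriptor(xml_text):
    """Return the list of rule violations found; an empty list means the descriptor is consistent."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "clientSecurityConfig":
        return ["root element is not clientSecurityConfig in the client descriptor namespace"]
    findings = []
    # Credentials come from a proxy file or a cert/key pair, not both.
    if (root.find(NS + "proxy-file") is not None
            and root.find(f"{NS}credential/{NS}cert-key-files") is not None):
        findings.append("both proxy-file and cert-key-files configured; pick one credential source")
    # Secure Conversation: delegating a credential requires authorizing the server first.
    conv = root.find(NS + "GSISecureConversation")
    deleg = None if conv is None else conv.find(NS + "delegation")
    if deleg is not None:
        if deleg.get("value") not in ("full", "limited"):
            findings.append("delegation value must be 'full' or 'limited'")
        if authz_mode(root) in ("unset", "none"):
            findings.append("delegation enabled but no server authorization (<authz>) configured")
    # Secure Message privacy encrypts to the peer's credential, which must therefore be supplied.
    msg = root.find(NS + "GSISecureMessage")
    if (msg is not None and msg.find(NS + "privacy") is not None
            and msg.find(NS + "peer-credential") is None):
        findings.append("GSISecureMessage privacy chosen but no peer-credential set")
    return findings
```

Running lint_descriptor over the two samples returns no findings for the first and three for the second (duplicate credential sources, delegation without authorization, privacy without a peer credential).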
The client can be configured to do GSI Secure Transport using the element <GSISecureTransport>. The following subelements can be used to set various properties:
| Element | Functionality |
|---|---|
| <integrity> | Sets protection level to signature. |
| <privacy> | Sets protection level to encryption (signature is also done). |
| <anonymous> | Server is accessed as anonymous. |
The following sample sets GSI Secure Transport with privacy and anonymous:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
...
<GSISecureTransport>
<privacy/>
<anonymous/>
</GSISecureTransport>
...
</clientSecurityConfig>
Username/password can be used for authentication by the client. This is configured using the <username> and <passwordType> elements. The username element allows a string to be configured, and the password configuration consists of a password and a type string.
Example configuration:
<clientSecurityConfig xmlns="http://www.globus.org/security/descriptor/client">
<usernameType>
<username value="tester1"/>
<passwordType>
<password value="TY^*(Hyu"/>
<type value="someType"/>
</passwordType>
</usernameType>
</clientSecurityConfig>
Client side trusted credentials are configured similarly to the container security descriptor, as described in Section 11, “Trusted Certificates”. The outer element and schema for the client security descriptor should be used as described in Section 1, “Security Descriptor Schemas”.
If this configuration is not set, the underlying CoG JGlobus library is used to pick up trusted certificates. The library attempts to load the certificates as described in Section 1, “Trusted Certificates Location” .