Security tools are concerned with establishing the identity of users and/or services (authentication), protecting the integrity and privacy of communications (message protection), determining and enforcing who is allowed to perform what actions on what resources (authorization), and providing (secure) logs to verify that the correct policy is enforced (accounting, which allows auditing of policy compliance). Security also includes supporting functions such as managing user credentials, maintaining group membership information, and administering access rights.
GT4 provides distinct WS and non-WS authentication and authorization capabilities. Both build on the same base, namely standard X.509 end-entity and proxy certificates, which are used to identify persistent entities such as users and servers and to support the temporary delegation of privileges to other entities. Note that information about the non-WS authentication and authorization capabilities can be found in the GSI documentation (below).
- Security Key Concepts
- Grid Security Infrastructure (GSI)
- Web Services Authentication and Authorization (WS A&A)
- Security Services
- Run your own Certificate Authority (CA)
- Utilities
| If you want to: | see: |
|---|---|
| Install and configure GSI Security | |
| Obtain certificates | Obtaining host certificates |
| Add authorization with a gridmap file | Section 4, “Add authorization”, Section 4, “Configuring Credential Mappings” and Globus Toolkit Gridmap Processing |
| Use firewalls with GSI | Firewall HowTo |
| Compare features between Java and C WS security code | Security Features |
| Learn about the types of proxy certificates used in GT | Proxy Cert Types |
| Use secure single-signon | Delegation Service |
| Manage proxy certificates, use security for non-WS components | User's Guide |
| Use security for WS components (in Java) | Java WS A&A |
| Use security for WS components (in C) | C WS A&A |
| Delegate credentials for web services | Delegation Service |
| Manage fine-grained authorization within a community | Community Authorization Service (CAS) |
| Manage credentials by storing proxies in a repository | MyProxy |
| Run your own simple Certificate Authority (CA) | SimpleCA |
| Use a single-signon remote login | GSI-OpenSSH |
This section provides details about some of the features of the C and Java GSI implementations.
Table A.1. GT 4.2.1 Security Features
| Area | Supported Feature | GT4 C Code | GT4 Java Code |
|---|---|---|---|
| Proxy Certificate | Authentication with RFC 3820 compliant proxy certificates | Yes | Yes |
| | Authentication with Globus (old OID) proxy certificates | Yes | Yes |
| | Authentication with legacy (GT2) proxy certificates | Available, but unsupported | Available, but unsupported |
| | Delegation of proxy certificates | Yes | Yes |
| X.509 Extensions | Extended Key Usage Extension | Yes | No |
| CA Support | CA Signing Policy | Yes | No |
| | Configurable trust roots (CA certificates) | Yes | Yes |
| Revocation | CRLs | Yes | Yes |
| | OCSP | No | No |
| GSSAPI | GSSAPI | Yes, refer to RFC 2744 | Yes |
| | GSSAPI extensions | Yes | Yes |
| | Integrity protection of user data | Yes | Yes |
| Authorization | User authorization using grid map file | Yes | Yes |
| | Client-side authorization of service using hostname | Yes | Yes |
| | Client-side authorization of service with wildcard matching of hostnames (e.g. foo matches foo-*, foo-1, foo-bar, etc.) | Yes | Yes |
| | CAS Support | Only in GridFTP | No |
| Kerberos | Relinking with Kerberos instead of PKI | Yes (kludgey) | Theoretically as part of Java 1.4, but untested |
| SOAP | SOAP independent message signing | Yes | Yes |
| | SOAP independent message encryption | Yes | Yes |
| | Context establishment in SOAP | Yes | Yes |
| | Secure SOAP dispatch headers | No | Yes |
C
- CA Certificate
The CA's certificate. This certificate is used to verify the signature on certificates issued by the CA. GSI typically stores a given CA certificate in /etc/grid-security/certificates/<hash>.0, where <hash> is the hash code of the CA identity.
- CA Signing Policy
The CA signing policy is used to place constraints on the information you trust a given CA to bind to public keys. Specifically, it constrains the identities a CA is trusted to assert in a certificate. In GSI the signing policy for a given CA can typically be found in /etc/grid-security/certificates/<hash>.signing_policy, where <hash> is the hash code of the CA identity.
- Certificate Revocation List (CRL)
A list of revoked certificates generated by the CA that originally issued them. When using GSI, this list is typically found in /etc/grid-security/certificates/<hash>.r0, where <hash> is the hash code of the CA identity.
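The signing policy entry above describes what the file is for but not how the constraint is evaluated. The following is an added example, not Globus Toolkit code: a small evaluator that reads signing_policy text in the classic three-line layout (access_id_CA / pos_rights / cond_subjects, with `*` as the only wildcard) and answers whether a given CA is trusted to assert a given subject. The layout, the CA names and the subject patterns are constructed for this example; a real deployment would read the text from /etc/grid-security/certificates/<hash>.signing_policy.

```python
"""Evaluate a GSI-style CA signing policy (added example, not GT code).

Assumed file layout (one rule block per CA):
  access_id_CA   X509    '<CA subject DN>'
  pos_rights     globus  CA:sign
  cond_subjects  globus  '"<pattern>" "<pattern>" ...'
Each pattern is a subject DN prefix that may contain '*' wildcards.
Matching is case-sensitive here; other keywords are ignored (assumption).
"""
import re
import shlex

# Constructed signing policy for a fictional CA; not a real trust root.
SAMPLE_SIGNING_POLICY = """\
# Example Grid CA signing policy (constructed sample)
access_id_CA      X509         '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=US/O=Example Grid/*"  "/C=US/O=Example Hosts/OU=Services/*"'
"""


def parse_signing_policy(text):
    """Return a list of (ca_dn, [subject patterns]) rules.

    A cond_subjects line is attached to the most recent access_id_CA, and
    only if that CA was granted CA:sign by a preceding pos_rights line.
    Blank lines and '#' comments are skipped; a malformed line raises.
    """
    rules = []
    current_ca = None
    can_sign = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the single-quoted values
        if len(tokens) != 3:
            raise ValueError(f"signing_policy line {lineno} is malformed: {raw!r}")
        keyword, kind, value = tokens
        if keyword == "access_id_CA":
            current_ca, can_sign = value, False
        elif keyword == "pos_rights" and kind == "globus":
            can_sign = value == "CA:sign"
        elif keyword == "cond_subjects" and kind == "globus":
            if current_ca is None:
                raise ValueError(f"cond_subjects before access_id_CA on line {lineno}")
            if can_sign:
                # the value holds several double-quoted patterns
                rules.append((current_ca, shlex.split(value)))
    return rules


def _pattern_to_regex(pattern):
    """Turn a DN pattern with '*' wildcards into an anchored regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z")


def ca_may_assert(rules, ca_dn, subject):
    """True only if some rule for ca_dn has a pattern matching subject.

    Default is deny: an unknown CA, or a subject outside every pattern,
    is rejected even if the CA signature itself verifies.
    """
    for rule_ca, patterns in rules:
        if rule_ca != ca_dn:
            continue
        if any(_pattern_to_regex(p).match(subject) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = parse_signing_policy(SAMPLE_SIGNING_POLICY)
    ca = "/C=US/O=Example Grid/CN=Example Grid CA"
    for dn in ("/C=US/O=Example Grid/OU=People/CN=Alice Example",
               "/C=US/O=Other Org/CN=Alice Example"):
        print(dn, "->", "allowed" if ca_may_assert(policy, ca, dn) else "denied")
```

The point of the check is the default-deny branch: a certificate chain can verify cryptographically under a trusted CA and still be rejected because that CA is not trusted to vouch for names outside its declared namespace.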
G
- grid map file
A file containing entries mapping certificate subjects to local user names. This file can also serve as an access control list for GSI enabled services and is typically found in /etc/grid-security/grid-mapfile. For more information see the Gridmap section here.
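To show both roles of the grid map file described above (subject-to-account mapping and access control list), here is an added example that is not Globus Toolkit code. It parses the common line format `"<subject DN>" account1,account2` and resolves a presented certificate subject to its default local account, treating any subject not listed as unauthorized. The sample file content is constructed; the proxy-handling rule, that a proxy subject differs from its issuing EEC only by trailing `/CN=proxy`, `/CN=limited proxy` or `/CN=<digits>` components, is an assumption of this example and is stated in the code.

```python
"""Resolve certificate subjects through a grid-mapfile (added example, not GT code).

Assumptions:
  * each entry is  "<subject DN>" account[,account...]  with the DN in
    double quotes; the first account is the default; '#' starts a comment
  * a proxy certificate's subject is its EEC subject plus trailing
    /CN=proxy, /CN=limited proxy or /CN=<digits> components (an EEC whose
    own CN is purely numeric would be mis-stripped by this rule)
"""
import re
import shlex

# Constructed sample grid-mapfile content, not from a real deployment.
SAMPLE_GRIDMAP = """\
# subject DN -> local account(s); first account is the default
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob,gridusers
"/C=US/O=Example Hosts/OU=Services/CN=host/ftp.example.org" gridftp
"""

_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def parse_gridmap(text):
    """Return {subject DN: [local accounts]}; malformed lines raise."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted DN (with spaces) as one token
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {raw!r}")
        subject, accounts = parts
        account_list = [a for a in accounts.split(",") if a]
        if not account_list:
            raise ValueError(f"grid-mapfile line {lineno} has no local account")
        mapping[subject] = account_list
    return mapping


def effective_subject(subject):
    """Strip trailing proxy CN components so a proxy resolves like its EEC."""
    while True:
        stripped = _PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def authorize(mapping, subject):
    """Return the default local account for subject, or None when the
    effective subject is absent from the map (access denied)."""
    accounts = mapping.get(effective_subject(subject))
    return accounts[0] if accounts else None


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for dn in ("/C=US/O=Example Grid/OU=People/CN=Alice Example/CN=proxy",
               "/C=US/O=Example Grid/OU=People/CN=Carol Example"):
        print(dn, "->", authorize(gridmap, dn))
```

Because the map is also the access control list, the absence of an entry is the deny decision; no separate deny list is consulted.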
P
- proxy certificate
A short-lived certificate issued using an EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign-on and delegation of rights to other entities.
For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.