Home -> Toolkit -> Docs -> Development -> 3.9.5 -> Security -> Delegation -> Admin

GT 3.9.5 Delegation Service: System Administrator's Guide

• Introduction
• Building and Installing
• Configuring
• Deploying
• Testing
• Security Considerations
• Troubleshooting

Introduction

This guide contains advanced configuration information for system administrators working with the Delegation Service. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.

This information is in addition to the basic installation instructions in the GT 3.9.5 System Administrator's Guide.

Building and Installing

Refer to System Administrator's guide for installation instructions.

Configuring

Configuration overview

The security settings for Delegation Factory Service and Delegation Service can be configured by modifying the security descriptor. It allows for configuring in the credentials that will be used by the service, type of authentication and authorization that needs to be enforced.

By default, the following configuration is installed:

• Delegation Factory Service:
  • Credentials set for use by container is used. If that is not specified, default credentials are used.
  • GSI Secure message authentication is enforced for requestSecurityToken operation. No authentication is required for all other operations.
  • Gridmap authorizatin is done and the gridmap file is read from /etc/grid-security/grid-mapfile.
• Delegation Service
• Credentials set for use by container is used. If that is not specified, default credentials are used.
• GSI Secure message authentication is enforced for refresh operation. No authentication is required for all other operations.
• Gridmap authorization is done and the gridmap file is read from /etc/grid-security/grid-mapfile.

Note: Changing required authentication and authorization method will require suitable changes to the clients that contact this service.

Syntax of the interface

To alter security descriptor configuration refer to Security Descriptors.

To alter security configuration for Delegation Factory Service, edit file $GLOBUS_LOCATION/etc/globus_delegation_service/factory-security-config.xml

To alter security configuration for Delegation Service, edit file $GLOBUS_LOCATION/etc/globus_delegation_service/service-security-config.xml

Deploying

[information about deploying the component into various containers/environments]

Testing

• Install delegation service test package (gt4-cas-delegation-test-3.9-src_bundle.tar.gz using GPT build FILLME: instructions into GLOBUS_LOCATION
• To run tests,

  ant -f share/globus_wsrf_test/runtests.xml runServer -Dtests.jar=$GLOBUS_LOCATION/lib/globus_delegation_test.jar

• Test reports are put in $GLOBUS_LOCATION/share/globus_wsrf_test/tests/test-reports in a file called TEST-org.globus.delegation.service.PackageTests.xml

Security Considerations

Key Pair Reuse

The current design re-uses the keys associated with the delegation service for each of the proxy certificates delegated to it. During a security review it was pointed out that while this was fine from a cryptographic standpoint, compromising this single long lived key pair may significantly extend the time for which a single intrusion (presuming a exploitable security flaw making the intrusion possible) is effective.

This can be remedied by either frequently regenerating the key pair used by the delegation service, which can be accomplished with a simple cron job, or by generating a new key pair for each new delegation. The later of these approaches requires changes to the design and may be adopted in future versions of the toolkit. For the time being we recommend the former approach should this issue concern you.

Troubleshooting

[help for common problems sysadmins may experience]