GT 4.1.0 Pre-WS Authentication and Authorization: Developer's Guide
Prev Part . GT 4.1.0: Pre-Web Services Authentication and Authorization Next

GT 4.1.0 Pre-WS Authentication and Authorization: Developer's Guide

Table of Contents

1. Introduction
2. Before you begin
3. Architecture and design overview
4. Public interface
5. Usage scenarios
6. Tutorials
7. Debugging
8. Troubleshooting
9. Related Documentation

1. Introduction

This component provides an API for authentication and two APIs for authorization.

The authentication API is an implementation of the GSS-API (RFC 2743 and RFC 2744) extended with the functions described in the GSS-API Extensions document.

On the authorization front there is a coarse grained API, which in addition to authorizing also provides a mapping function, and an API that allows finer grained authorization decisions to be made. The finer grained API follows the subject, object, action paradigm.

Both of the authorization APIs allow different back end implementations through the use of dynamic library loading.

2. Before you begin

2.1. Feature summary

Features new in GT 4.1.0

  • None

Other Supported Features

  • Authentication of user using standard X.509 End Entity and Proxy Certificates.
  • Delegation using X.509 Proxy Certificates.
  • Pluggable authorization based on the client's certificate chain for GridFTPD and Pre-WS GRAM.
  • Pluggable authorization for Pre-WS GRAM based on the RSL of the job.

Deprecated Features

  • None

2.2. Tested platforms

Tested platforms for Pre-WS Authentication & Authorization:

  • i386 Linux

2.3. Backward compatibility summary

Protocol changes in Pre-WS Authentication and Authorization since GT 4.0.2

  • None

API changes since GT 4.0.2

  • None

Exception changes since GT 4.0.2

  • Not applicable

Schema changes since GT 4.0.2

  • Not applicable

2.4. Technology dependencies

The Pre-WS Authentication and Authorization component depends on the following GT components:

  • C Common Libraries

The Pre-WS Authentication and Authorization component depends on the following 3rd party software:

  • OpenSSL

2.5. Security considerations

  • During host authorization, the toolkit treats DNs "hostname-*.edu" as equivalent to "hostname.edu". This means that if a service was setup to do host authorization and hence accept the certificate "hostname.edu", it would also accept certificates with DNs "hostname-*.edu".

    The feature is in place to allow a multi-homed host folowing a "hostname-interface" naming convention, to have a single host certificate. For example, host "grid.test.edu" would also accept likes of "grid-1.test.edu" or "grid-foo.test.edu".

    [Note]Note

    The wildcard character "*" matches only name of the hostand not domain components. This means that "hostname.edu" will not match "hostname-foo.sub.edu", but will match "host-foo.edu".

    [Note]Note

    If a host was set up to accept "hostname-1.edu", it will not accept any of "hostname-*.edu".

    A bug has been opened to see if this feature needs to be modfiied.

3. Architecture and design overview

3.1. Authentication

As mentioned in the introduction, the pre-WS security framework uses the GSSAPI API and extensions to it to abstract security mechanism specific details. Below the GSSAPI layer there exist multiple APIs for dealing with credential management, X.509 certificates in general and proxy certificates in particular as well as security configuration. Each of these APIs is described in more detail below.

The general design principle guiding these APIs is data encapsulation. Data structures (handles and attributes) capture and encapsulate the state of the system. These data structures are then acted upon by various getters and setters, as well as other functions.

3.1.1.  The GSS Assist API

The GSS Assist API provides helper functions wrapping the process of security (GSS) context establishment, support for gridmap authorization and various other helper functions that wrap GSSAPI functions and capture common usage.

3.1.2. GSSAPI

The GSSAPI implementation provided by the toolkit is based upon SSL/TLS with extensions to the standard path validation mechanism to handle proxy certificates. It relies upon the credential and certificate utility APIs for general certificate acquisition and inspection functionality.

3.1.3. The Callback API

This API provides a callback that can be plugged into the OpenSSL path validation framework. This callback provides the additions to path validation required for dealing with proxy certificates and X.509 extensions. Furthermore, it allows applications to inspect data, e.g. the validated certificate chain, after the validation is done.

3.1.4. The Certificate Utilities API

The Certificate Utilities API provides helper functions for dealing with X.509 certificates. This API does not use the "handle" concept mentioned in the introduction. Rather, it operates on datatypes provided by the OpenSSL APIs.

3.1.5. The Credential API

The Credential API deals with reading and writing certificates from and to the file system and the OpenSSL I/O abstraction layer. It also provides functions for inspecting and validating the read credentials.

3.1.6. The Proxy APIs

The Proxy APIs provide a implementation of the X.509 Proxy Certificate Extension ASN.1 structure as well as functions for creating new proxies.

3.1.7. The System Configuration API

This API serves as a abstraction layer for OS specific information needed by the security infrastructure. It provides OS specific functions for discovering certificates from a set of predefined standard locations as well as functions for doing the same for various configuration files.

3.2. Authorization

As described in the introduction the pre-WS security framework essentially provides two authorization APIs, the generic Authorization API and the Gridmap API. These APIs differ in various ways:

The Authorization API provides a framework that allows callouts to 3rd party authorization solutions, does not provide a default authorization mechanism and is geared to authorizing the subject-action-object tuple.

The Gridmap API on the other hand, while allowing for custom callouts to be plugged in and override the default behavior, provides a default authorization and mapping mechanism based on the grid map file. Also, it only furnishes the callouts with information about the entity to be authorized, i.e. it does not provide information on the action and the object, so it is somewhat simpler in its approach. Finally, it provides the ability to map authorized entities to local system entities, e.g. UNIX user names. More information on the interface used for Gridmap callouts can be found here.

4. Public interface

4.1. Semantics and syntax of APIs

Documentation for the APIs in this component can be found here:

For information on the internationalization API, see the CCommon Libraries Public Interface.

4.2. Semantics and syntax of the WSDL

This component has no WSDL interfaces.

4.3. Semantics and syntax of non-WSDL protocols

4.3.1. GSI Message Specification

The GSSAPI implementation contained in this component produces security tokens that follow an extended version of the SSL/TLS protocol. More information about the protocol can be found here.

4.4. Protocol Specifications

4.4.1. GSI Message Specification

The GSSAPI implementation contained in this component produces security tokens that follow an extended version of the SSL/TLS protocol. More information about the protocol can be found here.

4.5. Command line tools

Please see the Pre-WS A&A Command Reference.

4.6. Overview of Graphical User Interfaces

This component does not have any GUIs.

4.7. Semantics and syntax of domain-specific interface

4.7.1. Interface introduction

[provide an overview of the purpose and structure of the domain-specific interface]

4.7.2. Syntax of the interface

[list and describe detailed information here]

4.8. Configuration interface

This section describes the configuration steps required to:

  • Determine whether or not to trust certificates issued by a particular Certificate Authority (CA),
  • Provide appropriate default values for use by the grid-cert-request command, which is used to generate certificates,
  • Request service certificates, used by services to authenticate themselves to users, and
  • Specify identity mapping information.

In general, Globus tools will look for a configuration file in a user-specific location first, and in a system-wide location if no user-specific file was found. The configuration commands described here may be run by administrators to create system-wide defaults and by individuals to override those defaults.

4.8.1. Configuring Globus to Trust a Particular Certificate Authority

The Globus tools will trust certificates issued by a CA if (and only if) it can find information about the CA in the trusted certificates directory. The trusted certificates directory is located as described in Section 9, “Environment variable interface” and exists either on a per machine or on a per installation basis. The following two files must exist in the directory for each trusted CA:

Table 1. CA files

cert_hash.0 The trusted CA Certificate.
cert_hash.signing_policy A configuration file defining the distinguished names of certificates signed by the CA.

Pre-WS Globus components will honor a certificate only if:

  • its CA certificate exists (with the appropriate name) in the TRUSTED_CA directory, and
  • the certificate's distinguished name matches the pattern described in the signing policy file.

Java-based components ignore the signing policy file and will honor all valid certificates issued by trusted CAs.

The cert_hash that appears in the file names above is the hash of the CA certificate, which can be found by running the command: 

$GLOBUS_LOCATION/bin/openssl x509 -hash -noout < ca_certificate

Some CAs provide tools to install their CA certificates and signing policy files into the trusted certificates directory. You can, however, create a signing policy file by hand; the signing policy file has the following format: 

access_id_CA X509 'CA Distinguished Name'
pos_rights globus CA:sign
cond_subjects globus '"Distinguished Name Pattern"'

In the above, the CA Distinguished Name is the subject name of the CA certificate, and the Distinguished Name Pattern is a string used to match the distinguished names of certificates granted by the CA. Some very simple wildcard matching is done: if the Distinguished Name Pattern ends with a '*', then any distinguished name that matches the part of the CA subject name before the '*' is considered a match. Note: the cond_subjects line may contain a space-separated list of distinguished name patterns.

A repository of CA certificates that are widely used in academic and research settings can be found here.

4.8.2. Configuring Globus to Create Appropriate Certificate Requests

The grid-cert-request command, which is used to create certificates, uses the following configuration files:

Table 2. Certificate request configuration files

globus-user-ssl.conf Defines the distinguished name to use for a user's certificate request. The format is described here.
globus-host-ssl.conf Defines the distinguished name for a host (or service) certificate request. The format is described here.
grid-security.conf A base configuration file that contains the name and email address for the CA.
directions An optional file that may contain directions on using the CA.

Many CAs provide tools to install configuration files called globus-user-ssl.conf.cert_hash, globus-host-ssl.conf.cert_hash, grid_security.conf.cert_hash, and directions.cert_hash in the trusted certificates directory. The command: 

grid-cert-request -ca cert_hash

will create a certificate request based on the specified CA's configuration files. The command: 

grid-cert-request -ca

will list the available CAs and let the user choose which one to create a request for.

You can specify a default CA for certificate requests (i.e., a CA that will be used if grid-cert-request is invoked without the -ca flag) by making the following symbolic links (where GRID_SECURITY is the grid security directory and TRUSTED_CA is the trusted CAs directory): 

ln -s TRUSTED_CA/globus-user-ssl.conf.cert_hash \
      GRID_SECURITY/globus-user-ssl.conf
ln -s TRUSTED_CA/globus-host-ssl.conf.cert_hash \
      GRID_SECURITY/globus-host-ssl.conf
ln -s TRUSTED_CA/grid_security.conf.cert_hash \
      GRID_SECURITY/grid_security.conf

And optionally, if the CA specific directions file exists:

ln -s TRUSTED_CA/directions.cert_hash \
      GRID_SECURITY/directions

This can also be accomplished by invoking the grid-default-ca command.

The directions file may contain specific directions on how to use the CA. There are three types of printed messages:

  • REQUEST HEADER, printed to a certificate request file,
  • USER INSTRUCTIONS, printed on the screen when one requests a user certificate,
  • NONUSER INSTRUCTIONS, printed on the screen when one requests a certificate for a service.

Each message is delimited from others with lines ----- BEGIN message type TEXT ----- and ----- END message type TEXT -----. For example, the directions file would contain the following lines:

----- BEGIN REQUEST HEADER TEXT -----
This is a Certificate Request file

It should be mailed to ${GSI_CA_EMAIL_ADDR}
----- END REQUEST HEADER TEXT -----

If this file does not exist, the default messages are printed.

4.8.3. Requesting Service Certificates

Different CAs use different mechanisms for issuing end-user certificates; some use mechanisms that are entirely web-based, while others require you to generate a certificate request and send it to the CA. If you need to create a certificate request for a service certificate, you can do so by running: 

grid-cert-request -host hostname -service service_name

where hostname is the fully-qualified name of the host on which the service will be running, and service_name is the name of the service. This will create the following three files:

Table 3. Certificate request files

GRID_SECURITY/service_name/service_namecert.pem An empty file. When you receive your actual service certificate from your CA, you should place it in this file.
GRID_SECURITY/service_name/service_namecert_request.pem The certificate request, which you should send to your CA.
GRID_SECURITY/service_name/service_namekey.pem The private key associated with your certificate request, encrypted with the pass phrase that you entered when prompted by grid-cert-request.

The grid-cert-request command recognizes several other useful options; you can list these with: 

grid-cert-request -help

4.8.4. Specifying Identity Mapping Information

Several Globus services map distinguished names (found in certificates) to local identities (e.g., unix logins). These mappings are maintained in the gridmap file. The gridmap file is discovered according to the rules described in Section 9, “Environment variable interface”. A gridmap line of the form: 

"Distinguished Name" local_name

maps the distinguished name Distinguished Name to the local name local_name. A gridmap line of the form: 

"Distinguished Name" local_name1,local_name2

maps Distinguished Name to both local_name1 and local_name2; any number of local user names may occur in the comma-separated local name list.

Several tools exist to manage grid map files. To add an entry to the grid map file, run: 

$GLOBUS_LOCATION/sbin/grid-mapfile-add-entry \
        -dn "Distinguished Name" \
        -ln local_name

To delete an entry from the gridmap file, run: 

$GLOBUS_LOCATION/sbin/grid-mapfile-delete-entry \
        -dn "Distinguished Name" \
        -ln local_name

To check the consistency of the gridmap file, run 

$GLOBUS_LOCATION/sbin/grid-mapfile-check-consistency

These commands recognize several useful options, including a -help option, which lists detailed usage information.

The location of the gridmap file is determined as follows:

  1. If the GRIDMAP environment variable is set, the gridmap file location is the value of the environment variable.

  2. Otherwise:

    • If the user is root (uid 0), then the gridmap file is /etc/grid-security/grid-mapfile.
    • Otherwise, the gridmap file is $HOME/.gridmap.

4.8.5. GSI File Permissions Requirements

4.9. Environment variable interface

4.9.1. Credentials

Credentials are looked for in the following order:

  1. service credential

  2. host credential

  3. proxy credential

  4. user credential

X509_USER_PROXY specifies the path to the proxy credential. If X509_USER_PROXY is not set, the proxy credential is created (by grid-proxy-init) and searched for (by client programs) in an operating-system-dependent local temporary file.

X509_USER_CERT and X509_USER_KEY specify the path to the end entity (user, service, or host) certificate and corresponding private key. The paths to the certificate and key files are determined as follows:

For service credentials:

  1. If X509_USER_CERT and X509_USER_KEY exist and contain a valid certificate and key, those files are used.
  2. Otherwise, if the files /etc/grid-security/service/servicecert and /etc/grid-security/service/servicekey exist and contain a valid certificate and key, those files are used.
  3. Otherwise, if the files $GLOBUS_LOCATION/etc/grid-security/service/servicecert and $GLOBUS_LOCATION/etc/grid-security/service/servicekey exist and contain a valid certificate and key, those files are used.
  4. Otherwise, if the files service/servicecert and service/servicekey in the user's .globus directory exist and contain a valid certificate and key, those files are used.

For host credentials:

  1. If X509_USER_CERT and X509_USER_CERT exist and contain a valid certificate and key, those files are used.
  2. Otherwise, if the files /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem exist and contain a valid certificate and key, those files are used.
  3. Otherwise, if the files $GLOBUS_LOCATION/etc/grid-security/hostcert.pem and $GLOBUS_LOCATION/etc/grid-security/hostkey.pem exist and contain a valid certificate and key, those files are used.
  4. Otherwise, if the files hostcert.pem and hostkey.pem in the user's .globus directory, exist and contain a valid certificate and key, those files are used.

For user credentials:

  1. If X509_USER_CERT and X509_USER_KEY exist and contain a valid certificate and key, those files are used.
  2. Otherwise, if the files usercert.pem and userkey.pem exist in the user's .globus directory, those files are used.
  3. Otherwise, if a PKCS-12 file called usercred.p12 exists in the user's .globus directory, the certificate and key are read from that file.

4.9.2. Gridmap file

GRIDMAP specifies the path to the grid map file, which is used to map distinguished names (found in certificates) to local names (such as login accounts). The location of the grid map file is determined as follows:

  1. If the GRIDMAP environment variable is set, the grid map file location is the value of that environment variable.

  2. Otherwise:

    • If the user is root (uid 0), then the grid map file is /etc/grid-security/grid-mapfile.
    • Otherwise, the grid map file is $HOME/.gridmap.

4.9.3. Trusted CAs directory

X509_CERT_DIR is used to specify the path to the trusted certificates directory. This directory contains information about which CAs are trusted (including the CA certificates themselves) and, in some cases, configuration information used by grid-cert-request to formulate certificate requests. The location of the trusted certificates directory is determined as follows:

  1. If the X509_CERT_DIR environment variable is set, the trusted certificates directory is the value of that environment variable.
  2. Otherwise, if $HOME/.globus/certificates exists, that directory is the trusted certificates directory.
  3. Otherwise, if /etc/grid-security/certificates exists, that directory is the trusted certificates directory.
  4. Finally, if $GLOBUS_LOCATION/share/certificates exists, then it is the trusted certificates directory.

4.9.4. GSI authorization callout configuration file

GSI_AUTHZ_CONF is used to specify the path to the GSI authorization callout configuration file. This file is used to configure authorization callouts used by both the gridmap and the authorization API. The location of the GSI authorization callout configuration file is determined as follows:

  1. If the GSI_AUTHZ_CONF environment variable is set, the authorization callout configuration file location is the value of this environment variable.
  2. Otherwise, if /etc/grid-security/gsi-authz.conf exists, then this file is used.
  3. Otherwise, if $GLOBUS_LOCATION/etc/gsi-authz.conf exists, then this file is used.
  4. Finally, if $HOME/.gsi-authz.conf exists, then this file is used.

4.9.5. GAA (Generic Authorization and Access control) configuration file

GSI_GAA_CONF is used to specify the path to the GSI GAA (Generic Authorization and Access control) configuration file. This file is used to configure policy language specific plugins to the GAA-API. The location of the GSI GAA configuration file is determined as follows:

  1. If the GSI_GAA_CONF environment variable is set, the GAA configuration file location is the value of this environment variable.
  2. Otherwise, if /etc/grid-security/gsi-gaa.conf exists, then this file is used.
  3. Otherwise, if $GLOBUS_LOCATION/etc/gsi-gaa.conf exists, then this file is used.
  4. Finally, if $HOME/.gsi-gaa.conf exists, then this file is used.

4.9.6. Grid security directory

GRID_SECURITY_DIR specifies a path to a directory containing configuration files that specify default values to be placed in certificate requests. This environment variable is used only by the grid-cert-request and grid-default-ca commands.

The location of the grid security directory is determined as follows:

  1. If the GRID_SECURITY_DIR environment variable is set, the grid security directory is the value of that environment variable.
  2. If the configuration files exist in /etc/grid-security, the grid security directory is that directory.
  3. if the configuration files exist in $GLOBUS_LOCATION/etc, the grid security directory is that directory.

5. Usage scenarios

There is no content available at this time.

6. Tutorials

There are no tutorials available at this time

7. Debugging

There is no content available at this time.

8. Troubleshooting

There is no content available at this time.

9. Related Documentation

Prev Up Next
GT4: Security: Pre-WS Authentication & Authorization User's Guide Home GT4 Pre-WS AA Public Interfaces