How To Enable Security

From Gcube Wiki
Jump to: navigation, search


PLEASE NOTICE : this page is outdated and will not be maintained any more.

Please refers to the new DILIGENT Security page.

This document describes detailed steps to perform to secure DILIGENT services.

Configure DHN security

This step must be performed only once when the DHN is installed. With this step CA certificates and DHN credentials are installed. At the end the container is ready to host secure services.

Install credentials

Install CA certificates

Follows this document to install trusted CA certificates in your new DHN node.

You have now to install certificates of the CA trusted in DILIGENT. You can find these certificates in rpm format here It is always a good idea to (periodically) refresh Certificates Revocation Lists (CRL), these lists contains certificates revoked by trusted CAs. To refresh these certificate execute this command: /usr/sbin/fetch-crl -o /etc/grid-security/certificates

Install host credentials

copy host certificate and private key respectively in:

  • /etc/grid-security/hostpubliccert.pem (please check that the certificate file has -rw-r--r-- permissions)
  • /etc/grid-security/hostprivatekey.pem (please check that the private key file has -r-------- permissions).

You can obtain host credentials (certificate and private key from an official Certification Authority)

Configure container security

Set Global security descriptor of Java-WS-Core container contained in file $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml.

See Media:global_security_descriptor.xml example.

Modify the $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file adding following lines inside the <globalConfiguration> tag:

<parameter name="logicalHost" value="yourHostName.yourDomain">
<parameter name="publishHostName" value="true"/>

<parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>

(of course you have to replace yourHostName and yourDomain properties with correct values, E.g: grids15.eng.it)

Deploy required libraries and services

Following libraries must be copied in the local $GLOBUS_LOCATION/lib directory

  • bcprov-jdk14-122.jar : bouncycastle encryption library
  • glite-security-util-java.jar : gLite security libraries
  • dvos.authentication-api.jar : authentication utility classes
  • dvos.delegation-stubs.jar : delegation stubs
  • dvos.authorization-stubs.jar : authorization stubs
  • dvos.authorization-api.jar : authorization API

Following gar files must be deployed in your DHN

  • dvos.common.gar : common DVOS classes and XML data types
  • dvos.delegation-service.gar : delegation service

All these packages are available here except for the bouncycastle one (the first one) you can find here

Please install the 0_1_1 version of DVOS components (most stable versions).

Then start contianer using the -nosec option (This disable HTTPS transport and enbale GSISecureConversation support)

Configure service authentication

This configuration protect the service against unauthenticated access, setting it each client is forced to present valid credentials. Please notice that authorization is still not enforced on the service (every authenticated client is entitled to use service operations).

Create Web Service Security Descriptor (WSSD)

Create the Web Service Security Descriptor. A different security descriptor file should be created for each interface of your service in the etc/ directory of your service. See Media:YourService-security-config-1.xml for an example.

Modify Web Service Deployment Descriptor (WSDD)

Modify the Web Service Deployment Descriptor to refer the Web Service Security Descriptor. Add following line to the service tag:

<parameter name="securityDescriptor" value="@config.dir@/YourService-security-config.xml"/> 

(of course the value must be set to the name of the WSSD you just created) See Media:deploy-server-1.wsdd for an example

Then redeploy your service in the DHN container.

Access a service using authentication

In this step you'll try to access the deployed service with a client using authentication First of all try to contact your service using an unauthenticated client, you should get following Axis fault:

... GSI Secure Conversation authentication required for
"{http://www.diligentproject.org/namespaces/..." operation.

This means that the GSI Secure Conversation mechanism is required to invoke the service. To enable it perform following steps.

Create plain (without roles) proxy credentials

Use this command to get new plain proxy credentials:

voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem -out yourProxyFile

Set credentials on service stubs

Use following lines to load your new proxy credentials and use them to contact the service

import org.diligentproject.dvos.authentication.util.ProxyUtil;
import org.diligentproject.dvos.authentication.util.ConfigureSecurity;
import org.ietf.jgss.GSSCredential;
...
GSSCredential cred = ProxyUtil.loadProxyCredentials("yourProxyFile");
...
YourServicePortType port = ...<getPortType>
ConfigureSecurity.setSecurity(((javax.xml.rpc.Stub) port), cred);

Don't forget to add the client-config.wsdd file in the directory where you run the client. You can, instead, add the $GLOBUS_LOCATION as the first entry of your classpath.

Then you should be able to contact your service using your credentials

Provide your service with credentials

This step enable your service to authenticating itself in outcoming requests it performs to other services

Delegate credentials to MyProxy

Use following command to delegate credentials to MyProxy (all on the same line):

java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername \
put -cert yourPublicCert.pem -key yourPrivateKey.pem

The procedure will ask you the password to decrypt your private key and the password to protect your new myProxyAccount. As myProxyAccount you can use any string still not in use on MyProxy server, or an already existing account, providing the corresponding password.

(E.g:

java org.globus.tools.MyProxy -host grids02.eng.it \
-l roccetti put -cert certs/roccettiCert.pem -key certs/roccettiKey.pem

)

Register to the local Delegation service

In your service, usually during initialization, you should create a new CredentialsListener and register it to the local DelegationLocalInterface. The listener will be notified when fresh credentials will be received for your service.

credentialsListener = new SimpleCredentialsListener();
DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);

Then you can get credentials from the listener and use it to authenticate invocations to other services. Previous lines of codes are usually added to the constructor of the class implementing service operations

E.g:

public class VOAdministrationService {
 ...   
 private SimpleCredentialsListener credentialsListener;
 ...
 /* Constructor */
 public VOAdministrationService() throws ResourceContextException, ResourceException {
  credentialsListener = new SimpleCredentialsListener();
  DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);
 }

At this point compile and redeploy your service and restart the container

Set-up credentials Renewal task

Now you have to instruct the CredentialsRenewal service to periodically get your credentials from MyProxy and delegate it to your service. You can do this with the following command (all on the same line):

java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI \
-proxyFile:yourProxyFile \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /credentialsRenewal/CredentialsRenewalService \
-addCredentialsRenewal -userName:yourMyProxyUsername -password: yourMyProxyPassword \
-credentialsID:org/diligentproject/yourSubsystem/yourService \
-period:5 \
-delegationServiceURL:http://yourHostName:8080/wsrf/services/diligentproject/dvos\
 /delegation/DelegationService

To perform this command you have to provide a valid proxyFile containing the Credentials-Manager role. You can get such a certificate contacting the VOMS server on grids10 using the command (on a sigle line):

voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \
-out yourProxyFile -voms test_diligent:/diligent/Role=Credentials-Manager

Then your credentials will be periodically delegated to your service.

Add authorization

This step configure your service to enforce authorization at VO level

Configure VOMS credentials

VOMS credentials must be installed in the local system to verify VOMS assertions. To do this first of all copy in the /etc/grid-security/vomsdir directory certificates of trusted VOMS servers. You can find certificates of VOMS used in DILIGENT here (please check that certificate files have -rw-r--r-- permissions).

You also need to create vomses files in /opt/glite/etc/vomses. These files should follows this naming convention:

<name of the VO>-<hostname of the VOMS service>

(E.g: diligent-grids10.eng.it)

The content of each file must be as follows (on one single line):

"<name of the VO>" "<hostname of the VOMS service>" "<port of the VOMS service>" 
"<Distinguished Name of the VOMS certificate>" "<local name of the VO>"

E.g:

"diligent" "grids10.eng.it" "15001" 
"/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=grids10.eng.it" "diligent"

Create the VO-Handler configuration file

In order to enforce authorization you have to create a mapping between service operations and logical operations. This mapping is keep in the YourServiceHandler.properties in the "etc" directory of your service. For an example see Media:YourServiceHandler.properties

Modify WSSD to add VO-Handler

The WSSD must be modified to enforce authorization using the VOAuthorizationHandler You have to replace the element

<authz value="none"/>

with following content:

<authz value=
"VOAuthorizationPDP:org.diligentproject.dvos.authorization.handler.VOAuthorizationPDP"/>

Modify WSDD to set handler properties

You have also to tells the VOAuthorization handler where to find the configuration file and the VOMS certificates to verify authorizations. To do this add following lines to your WSDD file:

<parameter name="VOAuthorizationPDP-VOAuthorizationHandlerFile"
  value="@config.dir@/YourServiceHandler.properties"/>

<parameter name="VOAuthorizationPDP-VOMSCertificateDirectory" value="/etc/grid-security/vomsdir/*"/>

Now the service part of the authorization is set up. Redeploy your service and restart the container.

Associate user with roles

Now you have to deal with administrative issues of authorization. Usually these steps are performed by DILIGENT users in charge to manage authorization in DILIGENT (those with VOManagers and ResourceManagers roles) At the moment you can perform following steps thorugh a Command Line User Interface.

In order to be able to access the service you have to assign logical operations (defined in [/twiki/bin/view/DILIGENT/SecuritySessionBudapest#Create_the_VO_Handler_configurat this] step) to DILIGENT roles. Roles must be defined both in VOMS and the DILIGENT authorization service by VO Managers. Logical operations need to be defined in DILIGENT authorization services and granted to VO by Resource managers. Following steps allows you to perform these settings.

Create a VOMS and DILIGENT role

To add the role to the VOMS installation please refers to VOMS documentation.

To add a role to the authorization service, as DILIGENT-VO-Manager you can execute following command:

java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
-proxyFile:yourProxyFile \
-serviceUrl:http://...VOAdminstrationService \
-createRole \
-roleName:roleName \
-roleDesc:roleDescription \
-roleID:roleId \

You have to replace arguments with correct values, E.g:

java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
-proxyFile:certs/roccettiProxy\
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /authorization/VOAdministrationService \
-createRole \
-roleName:ARTE_VO_Manager \
-roleDesc:Role_to_manage_the_ARTE_VO \
-roleID:r0 \

This command creates the ARTE_VO_Manager role on the authorization service hosted by grids15.eng.it

In both cases you have to be entitled to perform the {http://www.diligentproject.org/namespaces/dvos/authorization}adminVO operation (usually the DILIGENT-VO-Manager role is entitled). In case you're not allowed please ask to VO managers to perform this operation for you.

info Please notice that the creation of a new role is not a mandatory step, you can also grant permission to access your service to an existing role.

Create Logical Operations

As ResourceManager you have to define logical operations (those used in the Media:YourServiceHandler.properties file) in the authorization service. You can do this through the command:

java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:yourProxyFile  \
-serviceUrl:http://...OperationAdministrationService  \
-addOperation  \
-operationID:LogicalOperationID  \
-operationName:LogicalOperationName \

you have to replace arguments with correct values, E.g:

java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /authorization/OperationAdministrationService  \
-addOperation  \
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}create-Rendering  \
-operationName:create-Rendering \

Grant Operations to a VO

As ResourceManager you have to grant logical operations to the DILIGENT VO in the authorization service. You can do this through the command:

java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:yourProxyFile  \
-serviceUrl:http://...OperationAdministrationService  \
-grantOperation  \
-operationID:LogicalOperationID  \
-operationName:LogicalOperationName  \
-voID:VOIdentifier \

You have to replace arguments with correct values, E.g:

java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /authorization/OperationAdministrationService  \
-grantOperation  \
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}createResource  \
-operationName:createRenderingResource \
-voID:VO0 \

To get the list of VO identifiers you can use the command:

java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:yourProxyFile  \
-serviceUrl:http://...OperationAdministrationService  \
-listExistingVOs \

E.g:

java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
-proxyFile:/home/roccetti/certs/asterixProxy  \    
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /authorization/OperationAdministrationService  \
-listExistingVOs

Associate role with permissions

As DILIGENT-VO-Manager you have to associate a role with logical operations you defined through following command:

java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy  \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /authorization/VOAdministrationService  \
-grantPermission  \
-roleID:roleId  \
-operationID:LogicalOperationID

You have to replace arguments with proper values, E.g:

java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
-proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
-serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos\
 /authorization/VOAdministrationService  \
-grantPermission  \
-roleID:r0  \
-operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}createResource

Access a service using authorization

In this step you'll try to access the deployed service with a client using authentication and authorization First of all try to contact your service using an authenticated client and a plain proxy, you should get following Axis fault:

org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: 
... is not authorized to use operation: ... on this service

To access the service with authroization you need to use a certificate containing a VOMS role entitled to perform operation invoked.

Create attributed proxy credentials

Use this command to get new attributed proxy credentials containing a role:

voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \
-out yourProxyFile -voms voLocalName:yourGroup/Role=yourRole

E.g:

voms-proxy-init -cert /home/roccetti/roccettiCert.pem \
-key /home/roccetti/roccettiKey.pem \
-out /home/roccetti/proxyFile \
-voms test_diligent:/diligent/Role=DILIGENT-VO-Manager

Now try to invoke your service using this certificate.

Extend DILIGENT authorization

COMING SOON

Check for Authorization using the VOQuery API library

Define new authorization handlers

Troubleshooting

Most common errors may occurs configuring security for your services are listed in the Common Security Troubleshooting page. Please refers to that page and edit it if you face a new exception related to security or if you find new reason for an already reported exception.


--Roccetti 12:16, 7 February 2007 (EET)