Difference between revisions of "How To Enable Security"
Latest revision as of 18:53, 6 July 2016
PLEASE NOTICE : this page is outdated and will not be maintained any more.
Please refer to the new DILIGENT Security page.
This document describes the detailed steps to perform in order to secure DILIGENT services.
Contents
- 1 Configure DHN security
- 2 Configure service authentication
- 3 Access a service using authentication
- 4 Provide your service with credentials
- 5 Add authorization
- 6 Access a service using authorization
- 7 Extend DILIGENT authorization
- 8 Troubleshooting
Configure DHN security
This step must be performed only once, when the DHN is installed. In this step the CA certificates and the DHN credentials are installed. At the end the container is ready to host secure services.
Install credentials
Install CA certificates
Follow this document to install trusted CA certificates in your new DHN node.
You now have to install the certificates of the CAs trusted in DILIGENT. You can find these certificates in rpm format here.
It is always a good idea to (periodically) refresh the Certificate Revocation Lists (CRL); these lists contain the certificates revoked by trusted CAs. To refresh them, execute this command: /usr/sbin/fetch-crl -o /etc/grid-security/certificates
Install host credentials
Copy the host certificate and private key respectively to:
- /etc/grid-security/hostpubliccert.pem (please check that the certificate file has -rw-r--r-- permissions)
- /etc/grid-security/hostprivatekey.pem (please check that the private key file has -r-------- permissions)
You can obtain host credentials (certificate and private key) from an official Certification Authority.
Configure container security
Set the global security descriptor of the Java WS-Core container, contained in the file $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml. See Media:global_security_descriptor.xml for an example.
Modify the $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file, adding the following lines inside the <globalConfiguration> tag:
<parameter name="logicalHost" value="yourHostName.yourDomain"/>
<parameter name="publishHostName" value="true"/>
<parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
(of course you have to replace yourHostName and yourDomain with the correct values, e.g. grids15.eng.it)
Deploy required libraries and services
The following libraries must be copied into the local $GLOBUS_LOCATION/lib directory:
- bcprov-jdk14-122.jar : bouncycastle encryption library
- glite-security-util-java.jar : gLite security libraries
- dvos.authentication-api.jar : authentication utility classes
- dvos.delegation-stubs.jar : delegation stubs
- dvos.authorization-stubs.jar : authorization stubs
- dvos.authorization-api.jar : authorization API
The following gar files must be deployed in your DHN:
- dvos.common.gar : common DVOS classes and XML data types
- dvos.delegation-service.gar : delegation service
All these packages are available here, except for the bouncycastle one (the first one), which you can find here.
Please install the 0_1_1 version of the DVOS components (the most stable versions).
Then start the container using the -nosec option (this disables HTTPS transport and enables GSISecureConversation support).
Configure service authentication
This configuration protects the service against unauthenticated access: once it is set, each client is forced to present valid credentials. Please notice that authorization is still not enforced on the service (every authenticated client is entitled to use the service operations).
Create Web Service Security Descriptor (WSSD)
Create the Web Service Security Descriptor. A different security descriptor file should be created for each interface of your service, in the etc/ directory of your service. See Media:YourService-security-config-1.xml for an example.
Modify Web Service Deployment Descriptor (WSDD)
Modify the Web Service Deployment Descriptor to refer to the Web Service Security Descriptor. Add the following line to the service tag:
<parameter name="securityDescriptor" value="@config.dir@/YourService-security-config.xml"/>
(of course the value must be set to the name of the WSSD you just created). See Media:deploy-server-1.wsdd for an example.
Then redeploy your service in the DHN container.
Access a service using authentication
In this step you'll try to access the deployed service with a client using authentication. First of all, try to contact your service using an unauthenticated client; you should get the following Axis fault:
... GSI Secure Conversation authentication required for "{http://www.diligentproject.org/namespaces/..." operation.
This means that the GSI Secure Conversation mechanism is required to invoke the service. To enable it, perform the following steps.
Create plain (without roles) proxy credentials
Use this command to get new plain proxy credentials:
voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem -out yourProxyFile
Set credentials on service stubs
Use the following lines to load your new proxy credentials and use them to contact the service:
import org.diligentproject.dvos.authentication.util.ProxyUtil;
import org.diligentproject.dvos.authentication.util.ConfigureSecurity;
import org.ietf.jgss.GSSCredential;
...
// load the proxy credentials created with voms-proxy-init
GSSCredential cred = ProxyUtil.loadProxyCredentials("yourProxyFile");
...
YourServicePortType port = ...<getPortType>
// attach the credentials to the stub so that the call uses GSI Secure Conversation
ConfigureSecurity.setSecurity(((javax.xml.rpc.Stub) port), cred);
Don't forget to add the client-config.wsdd file to the directory where you run the client. Alternatively, you can add $GLOBUS_LOCATION as the first entry of your classpath.
Then you should be able to contact your service using your credentials.
Provide your service with credentials
This step enables your service to authenticate itself in the outgoing requests it makes to other services.
Delegate credentials to MyProxy
Use the following command to delegate credentials to MyProxy (all on the same line):
java org.globus.tools.MyProxy -host grids02.eng.it -l yourMyProxyUsername put -cert yourPublicCert.pem -key yourPrivateKey.pem
The procedure will ask you for the password to decrypt your private key and for the password to protect your new myProxyAccount. As myProxyAccount you can use any string not yet in use on the MyProxy server, or an already existing account, providing the corresponding password.
E.g.:
java org.globus.tools.MyProxy -host grids02.eng.it -l roccetti put -cert certs/roccettiCert.pem -key certs/roccettiKey.pem
Register to the local Delegation service
In your service, usually during initialization, you should create a new CredentialsListener and register it with the local DelegationLocalInterface. The listener will be notified when fresh credentials are received for your service.
credentialsListener = new SimpleCredentialsListener();
DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);
Then you can get the credentials from the listener and use them to authenticate invocations to other services. The previous lines of code are usually added to the constructor of the class implementing the service operations, e.g.:
public class VOAdministrationService {
    ...
    private SimpleCredentialsListener credentialsListener;
    ...
    /* Constructor: register the listener so that delegated credentials reach this service */
    public VOAdministrationService() throws ResourceContextException, ResourceException {
        credentialsListener = new SimpleCredentialsListener();
        DelegationLocalInterface.registerCredentialsListener(this.credentialsListener);
    }
}
At this point, compile and redeploy your service and restart the container.
Set up the credentials renewal task
Now you have to instruct the CredentialsRenewal service to periodically get your credentials from MyProxy and delegate them to your service. You can do this with the following command (all on the same line):
java org.diligentproject.dvos.credentialRenewal.ui.CredentialRenewalUI \
  -proxyFile:yourProxyFile \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/credentialsRenewal/CredentialsRenewalService \
  -addCredentialsRenewal \
  -userName:yourMyProxyUsername \
  -password:yourMyProxyPassword \
  -credentialsID:org/diligentproject/yourSubsystem/yourService \
  -period:5 \
  -delegationServiceURL:http://yourHostName:8080/wsrf/services/diligentproject/dvos/delegation/DelegationService
To perform this command you have to provide a valid proxyFile containing the Credentials-Manager role. You can get such a certificate by contacting the VOMS server on grids10 using the command (on a single line):
voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem -out yourProxyFile -voms test_diligent:/diligent/Role=Credentials-Manager
Then your credentials will be periodically delegated to your service.
Add authorization
This step configures your service to enforce authorization at VO level.
Configure VOMS credentials
VOMS credentials must be installed on the local system in order to verify VOMS assertions. To do this, first of all copy the certificates of the trusted VOMS servers into the /etc/grid-security/vomsdir directory. You can find the certificates of the VOMS servers used in DILIGENT here (please check that the certificate files have -rw-r--r-- permissions).
You also need to create vomses files in /opt/glite/etc/vomses. These files should follow this naming convention:
<name of the VO>-<hostname of the VOMS service>
(e.g. diligent-grids10.eng.it)
The content of each file must be as follows (on one single line):
"<name of the VO>" "<hostname of the VOMS service>" "<port of the VOMS service>" "<Distinguished Name of the VOMS certificate>" "<local name of the VO>"
E.g.:
"diligent" "grids10.eng.it" "15001" "/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=grids10.eng.it" "diligent"
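As an added example (not part of the original page), the following Python validator parses a vomses line into its five quoted fields and checks it against the naming convention above; the sample file name and line are constructed from the page's example, and the check that the VOMS host appears in the certificate DN is an assumption based on the usual host-certificate layout.

```python
import shlex

# Constructed sample: the page's example as it would appear in the file
# /opt/glite/etc/vomses/diligent-grids10.eng.it (one line, five quoted fields).
SAMPLE_FILENAME = "diligent-grids10.eng.it"
SAMPLE_LINE = ('"diligent" "grids10.eng.it" "15001" '
               '"/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=grids10.eng.it" "diligent"')

FIELDS = ("vo", "host", "port", "dn", "local_vo")


def parse_vomses_line(line):
    """Split one vomses line into its five quoted fields.

    Returns a dict keyed by FIELDS; raises ValueError when the line is malformed.
    """
    parts = shlex.split(line.strip())  # honours the double quotes around each field
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} quoted fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def validate_vomses(filename, line):
    """Return a list of problems found in a vomses file (empty when it is consistent)."""
    try:
        entry = parse_vomses_line(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    expected_name = f"{entry['vo']}-{entry['host']}"   # <VO>-<VOMS hostname> convention
    if filename != expected_name:
        problems.append(f"file name {filename!r} should be {expected_name!r}")
    if not entry["port"].isdigit() or not 1 <= int(entry["port"]) <= 65535:
        problems.append(f"port {entry['port']!r} is not a valid TCP port")
    if not entry["dn"].startswith("/"):
        problems.append(f"DN {entry['dn']!r} should be an OpenSSL-style DN starting with '/'")
    if entry["host"] not in entry["dn"]:  # assumption: host certs carry the hostname in the DN
        problems.append(f"DN {entry['dn']!r} does not mention the VOMS host {entry['host']!r}")
    return problems
```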
Create the VO-Handler configuration file
In order to enforce authorization you have to create a mapping between service operations and logical operations. This mapping is kept in the YourServiceHandler.properties file in the "etc" directory of your service. For an example see Media:YourServiceHandler.properties.
Modify WSSD to add VO-Handler
The WSSD must be modified to enforce authorization using the VOAuthorizationHandler. You have to replace the element
<authz value="none"/>
with the following content:
<authz value="VOAuthorizationPDP:org.diligentproject.dvos.authorization.handler.VOAuthorizationPDP"/>
Modify WSDD to set handler properties
You also have to tell the VOAuthorization handler where to find the configuration file and the VOMS certificates used to verify authorizations. To do this, add the following lines to your WSDD file:
<parameter name="VOAuthorizationPDP-VOAuthorizationHandlerFile" value="@config.dir@/YourServiceHandler.properties"/>
<parameter name="VOAuthorizationPDP-VOMSCertificateDirectory" value="/etc/grid-security/vomsdir/*"/>
Now the service side of the authorization is set up. Redeploy your service and restart the container.
Associate user with roles
Now you have to deal with the administrative side of authorization. Usually these steps are performed by the DILIGENT users in charge of managing authorization in DILIGENT (those with the VOManagers and ResourceManagers roles). At the moment you can perform the following steps through a Command Line User Interface.
In order to be able to access the service, you have to assign the logical operations (defined in this step: /twiki/bin/view/DILIGENT/SecuritySessionBudapest#Create_the_VO_Handler_configurat) to DILIGENT roles. Roles must be defined both in VOMS and in the DILIGENT authorization service by VO Managers. Logical operations need to be defined in the DILIGENT authorization service and granted to the VO by Resource Managers. The following steps allow you to perform these settings.
Create a VOMS and DILIGENT role
To add the role to the VOMS installation, please refer to the VOMS documentation.
To add a role to the authorization service, as DILIGENT-VO-Manager you can execute the following command:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
  -proxyFile:yourProxyFile \
  -serviceUrl:http://...VOAdminstrationService \
  -createRole \
  -roleName:roleName \
  -roleDesc:roleDescription \
  -roleID:roleId
You have to replace the arguments with correct values, e.g.:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
  -proxyFile:certs/roccettiProxy \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/authorization/VOAdministrationService \
  -createRole \
  -roleName:ARTE_VO_Manager \
  -roleDesc:Role_to_manage_the_ARTE_VO \
  -roleID:r0
This command creates the ARTE_VO_Manager role on the authorization service hosted by grids15.eng.it.
In both cases you have to be entitled to perform the {http://www.diligentproject.org/namespaces/dvos/authorization}adminVO operation (usually the DILIGENT-VO-Manager role is entitled). In case you're not allowed, please ask the VO managers to perform this operation for you.
Please notice that the creation of a new role is not a mandatory step: you can also grant permission to access your service to an existing role.
Create Logical Operations
As ResourceManager you have to define the logical operations (those used in the Media:YourServiceHandler.properties file) in the authorization service. You can do this through the command:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
  -proxyFile:yourProxyFile \
  -serviceUrl:http://...OperationAdministrationService \
  -addOperation \
  -operationID:LogicalOperationID \
  -operationName:LogicalOperationName
You have to replace the arguments with correct values, e.g.:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
  -proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/authorization/OperationAdministrationService \
  -addOperation \
  -operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}create-Rendering \
  -operationName:create-Rendering
Grant Operations to a VO
As ResourceManager you have to grant the logical operations to the DILIGENT VO in the authorization service. You can do this through the command:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
  -proxyFile:yourProxyFile \
  -serviceUrl:http://...OperationAdministrationService \
  -grantOperation \
  -operationID:LogicalOperationID \
  -operationName:LogicalOperationName \
  -voID:VOIdentifier
You have to replace the arguments with correct values, e.g.:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
  -proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/authorization/OperationAdministrationService \
  -grantOperation \
  -operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}createResource \
  -operationName:createRenderingResource \
  -voID:VO0
To get the list of VO identifiers you can use the command:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
  -proxyFile:yourProxyFile \
  -serviceUrl:http://...OperationAdministrationService \
  -listExistingVOs
E.g.:
java org.diligentproject.dvos.authorization.ui.OperationAdministrationUI \
  -proxyFile:/home/roccetti/certs/asterixProxy \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/authorization/OperationAdministrationService \
  -listExistingVOs
Associate role with permissions
As DILIGENT-VO-Manager you have to associate a role with the logical operations you defined, through the following command:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
  -proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/authorization/VOAdministrationService \
  -grantPermission \
  -roleID:roleId \
  -operationID:LogicalOperationID
You have to replace the arguments with proper values, e.g.:
java org.diligentproject.dvos.authorization.ui.VOAdministrationUI \
  -proxyFile:/home/roccetti/certs/INFNRoccetti_proxy \
  -serviceUrl:http://grids15.eng.it:8080/wsrf/services/diligentproject/dvos/authorization/VOAdministrationService \
  -grantPermission \
  -roleID:r0 \
  -operationID:{http\://www.diligentproject.org/namespaces/demo/renderer}createResource
Access a service using authorization
In this step you'll try to access the deployed service with a client using authentication and authorization. First of all, try to contact your service using an authenticated client and a plain proxy; you should get the following Axis fault:
org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException: ... is not authorized to use operation: ... on this service
To access the service with authorization you need to use a certificate containing a VOMS role entitled to perform the invoked operation.
Create attributed proxy credentials
Use this command to get new attributed proxy credentials containing a role:
voms-proxy-init -cert yourPublicCert.pem -key yourPrivateKey.pem \
  -out yourProxyFile -voms voLocalName:yourGroup/Role=yourRole
E.g.:
voms-proxy-init -cert /home/roccetti/roccettiCert.pem \
  -key /home/roccetti/roccettiKey.pem \
  -out /home/roccetti/proxyFile \
  -voms test_diligent:/diligent/Role=DILIGENT-VO-Manager
Now try to invoke your service using this certificate.
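As an added illustration (not code from the DILIGENT project), the following Python model ties the administrative steps of the "Add authorization" section to the access check: a call passes only when the service operation maps to a logical operation, that operation is defined and granted to the VO, and a role carried by the client's VOMS proxy holds permission on it. The role, operation and VO values are the page's examples; the handler mapping content and the AuthorizationService class are constructed assumptions, not the real service API.

```python
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    """Raised when an invocation fails one of the VO-level authorization checks."""

@dataclass
class AuthorizationService:
    """Constructed model of the data kept by the DILIGENT authorization service (not its real API)."""
    roles: dict = field(default_factory=dict)        # roleID -> VOMS role name
    operations: dict = field(default_factory=dict)   # logical operationID -> operation name
    vo_grants: dict = field(default_factory=dict)    # voID -> {operationID}
    permissions: dict = field(default_factory=dict)  # roleID -> {operationID}

    def create_role(self, role_id, role_name):       # VOAdministrationUI -createRole
        self.roles[role_id] = role_name

    def add_operation(self, op_id, op_name):         # OperationAdministrationUI -addOperation
        self.operations[op_id] = op_name

    def grant_operation(self, vo_id, op_id):         # OperationAdministrationUI -grantOperation
        self.vo_grants.setdefault(vo_id, set()).add(op_id)

    def grant_permission(self, role_id, op_id):      # VOAdministrationUI -grantPermission
        self.permissions.setdefault(role_id, set()).add(op_id)

def authorize(service_op, handler_map, proxy_roles, vo_id, authz):
    """Model of the decision the VOAuthorizationPDP takes for one invocation.
    handler_map: service operation -> logical operation (the YourServiceHandler.properties mapping)
    proxy_roles: VOMS role names carried by the client's proxy (empty for a plain proxy)
    Returns the logical operation that authorized the call, or raises AuthorizationError."""
    logical_op = handler_map.get(service_op)
    if logical_op is None:
        raise AuthorizationError(f"no logical operation mapped for {service_op}")
    if logical_op not in authz.operations:
        raise AuthorizationError(f"{logical_op} is not defined in the authorization service")
    if logical_op not in authz.vo_grants.get(vo_id, set()):
        raise AuthorizationError(f"{logical_op} is not granted to VO {vo_id}")
    # The VOMS role name must resolve to a role that also exists in the authorization service.
    role_ids = {rid for rid, name in authz.roles.items() if name in proxy_roles}
    if not any(logical_op in authz.permissions.get(rid, set()) for rid in role_ids):
        raise AuthorizationError(f"is not authorized to use operation: {service_op}")
    return logical_op

def demo_scenario():
    """Page's example values; outcome for a plain proxy and for one carrying ARTE_VO_Manager."""
    authz = AuthorizationService()
    op = "{http://www.diligentproject.org/namespaces/demo/renderer}createResource"
    authz.create_role("r0", "ARTE_VO_Manager")
    authz.add_operation(op, "createRenderingResource")
    authz.grant_operation("VO0", op)
    authz.grant_permission("r0", op)
    handler_map = {"createRenderingResource": op}  # hypothetical YourServiceHandler.properties content
    results = {}
    for label, roles in (("plain", set()), ("attributed", {"ARTE_VO_Manager"})):
        try:
            results[label] = authorize("createRenderingResource", handler_map, roles, "VO0", authz)
        except AuthorizationError as exc:
            results[label] = str(exc)
    return results
```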
Extend DILIGENT authorization
COMING SOON
Check for Authorization using the VOQuery API library
Define new authorization handlers
Troubleshooting
The most common errors that may occur when configuring security for your services are listed in the Common Security Troubleshooting page. Please refer to that page and edit it if you face a new security-related exception, or if you find a new cause for an already reported exception.
--Roccetti 12:16, 7 February 2007 (EET)