Line 1: |
Line 1: |
− | This document describes detailed steps to perform to secure DILIGENT services. | + | This page describes the security model adopted in the DILIGENT infrastructure |
| | | |
− | =Configure DHN security= | + | ==Authentication Model== |
| + | The DILIGENT Security will exploit PKI mechanisms to authenticate identities acting in the infrastructure. |
| | | |
− | This step must be performed only once when the DHN is installed. With this step CA certificates and DHN credentials are installed. At the end the container is ready to host secure services.
| + | ==Authentication Mechanism== |
| + | The mechanism used in DILIGENT to authenticate service invocatons is the [http://specs.xmlsoap.org/ws/2005/02/sc/WS-SecureConversation.pdf WS-SecureConversation] one. The Java WS-Core container provides a built-in implementation of this standard called GSI-SecureConversation. |
| | | |
− | ==Install credentials==
| + | This choice is driven by the need to delegate caller credentials to invoked services. |
| + | The HTTPS mechanism (also available in the Java-WS-Core) cannot interoperate with the GSI-SecureConversation one, thus preventing the exploiting of both mechanisms in the DILIGENT infrastructure. For this reason the HTTPS mechanism has been discarded. |
| | | |
− | ===Install CA certificates=== | + | ==The DL context== |
| + | Each |
| | | |
− | Follows [http://glite.web.cern.ch/glite/packages/R3.0/R20060502/doc/installation_guide_3.0-2.html#_Toc135537472 this] document to install trusted CA certificates in your new DHN node.
| + | ==Identity of services acting in a Single DL== |
| | | |
− | You have now to install certificates of the CA trusted in DILIGENT. You can find these certificates in rpm format [http://dlib.sns.it/bscw/bscw.cgi/0/19457 here]
| + | ==Identity of services acting in mutiple DLs== |
− | It is always a good idea to (periodically) refresh Certificates Revocation Lists (CRL), these lists contains certificates revoked by trusted CAs. To refresh these certificate execute this command: <code>/usr/sbin/fetch-crl -o /etc/grid-security/certificates</code>
| + | |
− | | + | |
− | ===Install host credentials=== | + | |
− | | + | |
− | copy host certificate and private key respectively in:
| + | |
− | | + | |
− | * <code>/etc/grid-security/hostpubliccert.pem</code> (please check that the certificate file has -rw-r--r-- permissions)
| + | |
− | * <code>/etc/grid-security/hostprivatekey.pem</code> (please check that the private key file has -r-------- permissions).
| + | |
− | | + | |
− | You can obtain host credentials (certificate and private key from an official Certification Authority)
| + | |
− | | + | |
− | ===Configure container security===
| + | |
− | | + | |
− | Set Global security descriptor of Java-WS-Core container contained in file <code>$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml</code>.
| + | |
− | | + | |
− | See [[Media:global_security_descriptor.xml]] example.
| + | |
− | | + | |
− | Modify the $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file adding following lines inside the <code><globalConfiguration></code> tag:
| + | |
− | | + | |
− | <parameter name="logicalHost" value="yourHostName.yourDomain">
| + | |
− | <parameter name="publishHostName" value="true"/>
| + | |
− |
| + | |
− | <parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
| + | |
− | | + | |
− | (of course you have to replace yourHostName and yourDomain properties with correct values, E.g: grids15.eng.it)
| + | |
− | | + | |
− | ==Deploy required libraries and services==
| + | |
− | | + | |
− | Following libraries must be copied in the local <code>$GLOBUS_LOCATION/lib</code> directory
| + | |
− | | + | |
− | * bcprov-jdk14-122.jar : bouncycastle encryption library
| + | |
− | * glite-security-util-java.jar : gLite security libraries
| + | |
− | * dvos.authentication-api.jar : authentication utility classes
| + | |
− | * dvos.delegation-stubs.jar : delegation stubs
| + | |
− | * dvos.authorization-stubs.jar : authorization stubs
| + | |
− | * dvos.authorization-api.jar : authorization API
| + | |
− | | + | |
− | Following gar files must be deployed in your DHN
| + | |
− | | + | |
− | * dvos.common.gar : common DVOS classes and XML data types
| + | |
− | * dvos.delegation-service.gar : delegation service
| + | |
− | | + | |
− | All these packages are available [http://grids17.eng.it/engrepository/ here] except for the bouncycastle one (the first one) you can find [http://www.bouncycastle.org/download/bcprov-jdk14-122.jar here]
| + | |
− | | + | |
− | Please install the 0_1_1 version of DVOS components (most stable versions).
| + | |
− | | + | |
− | Then start contianer using the <code>-nosec</code> option (This disable HTTPS transport and enbale GSISecureConversation support)
| + | |
− | | + | |
− | =Configure service authentication= | + | |
− | | + | |
− | This configuration protect the service against unauthenticated access, setting it each client is forced to present valid credentials. Please notice that authorization is still not enforced on the service (every authenticated client is entitled to use service operations).
| + | |
− | | + | |
− | ==Create Web Service Security Descriptor (WSSD)==
| + | |
− | | + | |
− | Create the Web Service Security Descriptor. A different security descriptor file should be created for each interface of your service in the <code>etc/</code> directory of your service. See [[Media:YourService-security-config-1.xml]] for an example.
| + | |
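Review bot: The removed side was the only place this page stated the operational hardening steps (the -r-------- permission check on /etc/grid-security/hostprivatekey.pem, the periodic fetch-crl refresh of CRLs, the containerSecDesc parameter, and the notice that authentication alone leaves authorization unenforced), and the added side neither keeps them nor links to a page that does; add a pointer to wherever the procedure now lives so that guidance is not lost. On the added side, "==The DL context==" stops at "Each" and the two "Identity of services acting in ..." headings have no body, so complete them or mark them as stubs, and fix the spellings "invocatons" and "mutiple". The added text also says HTTPS has been discarded in favour of GSI-SecureConversation but drops the old instruction to start the container with -nosec, so a reader can no longer tell how the container is configured to match that choice.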
DILIGENT security will use PKI mechanisms to authenticate the identities acting in the infrastructure.
This choice is driven by the need to delegate caller credentials to invoked services.
The HTTPS mechanism (also available in the Java WS-Core) cannot interoperate with GSI-SecureConversation, so the two mechanisms cannot both be used in the DILIGENT infrastructure. For this reason the HTTPS mechanism has been discarded.