DILIGENT Security
This document describes detailed steps to perform to secure DILIGENT services.
Contents
Configure DHN security
This step must be performed only once when the DHN is installed. With this step CA certificates and DHN credentials are installed. At the end the container is ready to host secure services.
Install credentials
Install CA certificates
Follows this document to install trusted CA certificates in your new DHN node.
You have now to install certificates of the CA trusted in DILIGENT. You can find these certificates in rpm format here
It is always a good idea to (periodically) refresh Certificates Revocation Lists (CRL), these lists contains certificates revoked by trusted CAs. To refresh these certificate execute this command: /usr/sbin/fetch-crl -o /etc/grid-security/certificates
Install host credentials
copy host certificate and private key respectively in:
-
/etc/grid-security/hostpubliccert.pem
(please check that the certificate file has -rw-r--r-- permissions) -
/etc/grid-security/hostprivatekey.pem
(please check that the private key file has -r-------- permissions).
You can obtain host credentials (certificate and private key from an official Certification Authority)
Configure container security
Set Global security descriptor of Java-WS-Core container contained in file $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml
.
See Media:global_security_descriptor.xml example.
Modify the $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file adding following lines inside the <globalConfiguration>
tag:
<parameter name="logicalHost" value="yourHostName.yourDomain"> <parameter name="publishHostName" value="true"/> <parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
(of course you have to replace yourHostName and yourDomain properties with correct values, E.g: grids15.eng.it)
Deploy required libraries and services
Following libraries must be copied in the local $GLOBUS_LOCATION/lib
directory
- bcprov-jdk14-122.jar : bouncycastle encryption library
- glite-security-util-java.jar : gLite security libraries
- dvos.authentication-api.jar : authentication utility classes
- dvos.delegation-stubs.jar : delegation stubs
- dvos.authorization-stubs.jar : authorization stubs
- dvos.authorization-api.jar : authorization API
Following gar files must be deployed in your DHN
- dvos.common.gar : common DVOS classes and XML data types
- dvos.delegation-service.gar : delegation service
All these packages are available here except for the bouncycastle one (the first one) you can find here
Please install the 0_1_1 version of DVOS components (most stable versions).
Then start contianer using the -nosec
option (This disable HTTPS transport and enbale GSISecureConversation support)
Configure service authentication
This configuration protect the service against unauthenticated access, setting it each client is forced to present valid credentials. Please notice that authorization is still not enforced on the service (every authenticated client is entitled to use service operations).
Create Web Service Security Descriptor (WSSD)
Create the Web Service Security Descriptor. A different security descriptor file should be created for each interface of your service in the etc/
directory of your service. See Media:YourService-security-config-1.xml for an example.
Modify Web Service Deployment Descriptor (WSDD)
Modify the Web Service Deployment Descriptor to refer the Web Service Security Descriptor. Add following line to the service tag:
<parameter name="securityDescriptor" value="@config.dir@/YourService-security-config.xml"/>
(of course the value must be set to the name of the WSSD you just created) See Media:deploy-server-1.wsdd for an example
Then redeploy your service in the DHN container.
Access a service using authentication
In this step you'll try to access the deployed service with a client using authentication First of all try to contact your service using an unauthenticated client, you should get following Axis fault:
... GSI Secure Conversation authentication required for "{http://www.diligentproject.org/namespaces/..." operation.
This means that the GSI Secure Conversation mechanism is required to invoke the service. To enable it perform following steps.