					caGrid Security Architecture Version 0.5
                  Installation



      caBIG Architecture Workspace Face to Face
               Georgetown University
                   August 16, 2005




                  Stephen Langella
                Ohio State University
               langella@bmi.osu.edu
Agenda

 Prerequisites
 Installation, Configuration, and Deployment
  –   Globus Security Infrastructure (GSI) Server Side
  –   Globus Security Infrastructure (GSI) Client Side
  –   caGrid Attribute Management Service (CAMS)
  –   Grid User Management Service (GUMS)
  –   Grid User Management Service (GUMS) Portal
  –   caGrid Attribute Management Service (CAMS) Portal
 Questions
Prerequisites

  Java 1.4.2
  Recommended: Java 1.4.2_04
  Ant version 1.6.X or higher
  Tomcat version 5.0.x or higher
  Globus Toolkit 3.2.1
GSI Server Side Installation

  Documentation
   –   globus-configuration-security.txt
  Prerequisites
   –   No Additional
  Installation Types
   –   CA Node
   –   Standard Node (most common)
  Steps
   –   Configure CA
   –   Obtain Host Certificate
   –   Create Grid Mapfile
   –   Configuring Trusted CAs
   –   Configuring Container Credentials
   –   Deploy to Tomcat
GSI Server Side Installation

  Configure CA
   –       CA Node
       •     Install Globus simpleCA
              http://www.globus.org/toolkit/docs/3.2/installation/install_config_req.html#caoption
             (Follow Steps 1-9)
   –       Standard Node
       •     Deploy Simple CA Configuration
             http://www.globus.org/toolkit/docs/3.2/installation/install_config_req.html#caoptions
             (Follow Step 20)
       •     Additional Steps
            1) Go to the directory
             /usr/local/globus3.2.1/setup/globus_simple_ca_@@HASH-FOR-YOUR-CA@@_setup/
            2) Edit both grid-cert-request-config.in and grid-security-config.in, replacing @sh@ in the first line
             with a valid shell (/bin/sh)
            3) Copy grid-cert-request-config.in to grid-cert-request-config
            4) Copy grid-security-config.in to grid-security-config
GSI Server Side Installation

  Setup GSI
   –   As root, go to the directory
       $GLOBUS_LOCATION/setup/globus_simple_ca_@@HASH-FOR-YOUR-CA@@_setup/
       and run the following:
         setup-gsi -default

  Obtain Host Certificate
   –   Create a Host Certificate Request in /etc/grid-security
   –   grid-cert-request -host 'hostname'
   –   Have the CA administrator sign the certificate request

  Create a Grid Mapfile
   –   Used as a method of authorization
   –   As root, in /etc/grid-security, create the file grid-mapfile
GSI Server Side Installation

  Configuring Trusted Certificate Authorities
   –   Server Container (All Services)
       •   Method 1 - Place trusted certificate in
           /etc/grid-security/certificates naming it with a .digit
           extension (e.g. trusted-cert.1)
       •   Method 2 – Add the following parameter to the
           globusConfiguration block of the server-deploy.wsdd
               <parameter name="trustedCertificates" value="<CA certificate locations>"/>
GSI Server Side Installation

  Configuring Service Credentials/Proxy
   –   Server Container (All Services)
       •   Method 1 (Certificate) – Add the following parameter to the
           globusConfiguration block of the server-deploy.wsdd
            <parameter name="containerCert" value="<certificate file>"/>
            <parameter name="containerKey" value="<unencrypted key file>"/>

       •   Method 2 (Proxy) – Add the following parameter to the
           globusConfiguration block of the server-deploy.wsdd
             <parameter name="containerProxy" value="<proxy file>"/>
GSI Service Configuration

    Documentation
      –   service-security-configuration.txt

    Configuring Services to use GSI
      –   Trusted Certificate Authorities
          •   Allows the service to specify which CAs it trusts
          • Valid Users must have a certificate from a trusted CA
      –   Service Credentials/Proxy
          • Specifies which user the service runs as.
      –   Globus Security Descriptor
          • Allows the specification of authentication requirements on individual
            methods of a grid service.
      –   Authorization Type
          •   Needs to be configured if using globus authorization mechanisms
GSI Service Configuration

    Configuring Trusted Certificate Authorities
      –   Server Container (All Services)
          •   Method 1 - Place trusted certificate in /etc/grid-security/certificates
              naming it with a .digit extension (e.g. trusted-cert.1)
          •   Method 2 – Add the following parameter to the globusConfiguration
              block of the server-deploy.wsdd
                 <parameter name="trustedCertificates" value="<CA certificate locations>"/>
      –   Grid Service
          •   Add the following parameter to the service block of the grid service’s
              server-deploy.wsdd
                 <parameter name="trustedCertificates" value="<CA certificate locations>"/>
      –   Client
          •   Place trusted certificate in USER_HOME/.globus/certificates naming it
              with a .digit extension (e.g. trusted-cert.1)
GSI Service Configuration

    Configuring Service Credentials/Proxy
      –   Server Container (All Services)
          •   Method 1 (Certificate) – Add the following parameter to the
              globusConfiguration block of the server-deploy.wsdd
                 <parameter name="containerCert" value="<certificate file>"/>
                 <parameter name="containerKey" value="<unencrypted key file>"/>
          •   Method 2 (Proxy) – Add the following parameter to the globusConfiguration
              block of the server-deploy.wsdd
                 <parameter name="containerProxy" value="<proxy file>"/>

      –   Grid Service
          •   Method 1 (Certificate) – Add the following parameter to the service block of
              the grid service’s server-deploy.wsdd
                 <parameter name="serviceCert" value="<certificate file>"/>
                 <parameter name="serviceKey" value="<unencrypted key file>"/>
          •   Method 2 (Proxy) – Add the following parameter to the service block of the
              grid service’s server-deploy.wsdd
                 <parameter name="serviceProxy" value="<proxy file>"/>
GSI Service Configuration

    Configuring the Globus Security Descriptor
      –   Allows the specification of authentication requirements on individual
          methods of a grid service.
      –   Persistent Services - Add the following parameter to the service block
          of the grid service’s server-deploy.wsdd
          <parameter name="securityConfig" value="my-security-config.xml"/>
      –   Transient Services - Add the following parameter to the service block
          of the grid service’s server-deploy.wsdd
          <parameter name="instance-securityConfig" value="my-security-config.xml"/>

             <securityConfig xmlns="http://www.globus.org" xmlns:ogsi="http://www.gridforum.org/namespaces/2003/03/OGSI">
                <method name="ogsi:findServiceData">
                   <auth-method>
                      <none/>
                   </auth-method>
                </method>
                <method name="ogsi:subscribe">
                   <auth-method>
                      <none/>
                   </auth-method>
                </method>

                <!-- default auth-method for any other method -->
                <auth-method>
                   <gsi/>
                </auth-method>
             </securityConfig>
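
Added example (not part of the original slides or the caGrid distribution): a short Python audit of a security descriptor like the one above, reporting which methods accept unauthenticated calls and what the default auth-method is. The sample descriptor reproduces the slide; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

GLOBUS_NS = "http://www.globus.org"

# Constructed sample: the descriptor shown on the slide.
SAMPLE_DESCRIPTOR = """\
<securityConfig xmlns="http://www.globus.org"
                xmlns:ogsi="http://www.gridforum.org/namespaces/2003/03/OGSI">
  <method name="ogsi:findServiceData">
    <auth-method><none/></auth-method>
  </method>
  <method name="ogsi:subscribe">
    <auth-method><none/></auth-method>
  </method>
  <auth-method><gsi/></auth-method>
</securityConfig>
"""

def _mechanisms(parent):
    """Mechanism names in parent's direct <auth-method> child, or None if absent."""
    auth = parent.find(f"{{{GLOBUS_NS}}}auth-method")
    if auth is None:
        return None
    return [child.tag.split("}", 1)[-1] for child in auth]

def audit_descriptor(xml_text):
    """Summarise which methods are callable without authentication."""
    root = ET.fromstring(xml_text)
    per_method = {m.get("name"): _mechanisms(m) or []
                  for m in root.findall(f"{{{GLOBUS_NS}}}method")}
    default = _mechanisms(root)  # None means no default block is declared
    unauthenticated = sorted(n for n, mech in per_method.items() if "none" in mech)
    findings = []
    if default is None:
        findings.append("no default <auth-method> declared")
    elif "none" in default:
        findings.append("default <auth-method> allows unauthenticated calls")
    return {"default": default, "unauthenticated": unauthenticated,
            "findings": findings}

if __name__ == "__main__":
    print(audit_descriptor(SAMPLE_DESCRIPTOR))
```
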
GSI Service Configuration

    Configuring Authorization Type
      –    If using the grid map mechanism provided by Globus, add the following parameter
           to the service’s server-deploy.wsdd
           •   <parameter name="authorization" value="gridmap"/>


      –    If using the AuthorizationManager mechanism, add the following parameter to the
           service’s server-deploy.wsdd
           •   <parameter name="authorization" value="none"/>

    Configuring a Service to use the Authorization Manager
      –    Add SOAP handler to request flow in service’s wsdd
      <requestFlow>
           <handler type="java:gov.nih.nci.cagrid.security.handlers.CaBIGAuthorizationHandler"/>
      </requestFlow>
      –    Creates a callback to the Authorization Manager implementation specified in the
           service’s wsdd parameter:
          <parameter name="caBIGAuthorizationManager"
             value="gov.nih.nci.cagrid.security.UnPermissiveAuthorizationManager"/>
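
Added example (not from the original slides or the caGrid code): a Python check over a service's server-deploy.wsdd that flags a service whose authorization parameter is "none" but which lacks the CaBIGAuthorizationHandler in its request flow or the caBIGAuthorizationManager parameter, so that neither mechanism described above is configured. The WSDD sample, its service names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HANDLER = "java:gov.nih.nci.cagrid.security.handlers.CaBIGAuthorizationHandler"

# Constructed sample; the service names are hypothetical.
SAMPLE_WSDD = """\
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="example/GuardedService">
    <parameter name="authorization" value="none"/>
    <parameter name="caBIGAuthorizationManager"
      value="gov.nih.nci.cagrid.security.UnPermissiveAuthorizationManager"/>
    <requestFlow>
      <handler type="java:gov.nih.nci.cagrid.security.handlers.CaBIGAuthorizationHandler"/>
    </requestFlow>
  </service>
  <service name="example/OpenService">
    <parameter name="authorization" value="none"/>
  </service>
</deployment>
"""

def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.split("}", 1)[-1]

def check_service(service):
    """Return a list of authorization problems for one <service> element."""
    params = {p.get("name"): p.get("value")
              for p in service if _local(p.tag) == "parameter"}
    handlers = [h.get("type")
                for flow in service if _local(flow.tag) == "requestFlow"
                for h in flow if _local(h.tag) == "handler"]
    problems = []
    if params.get("authorization") == "none":
        if HANDLER not in handlers:
            problems.append("authorization=none but no CaBIGAuthorizationHandler in requestFlow")
        if not params.get("caBIGAuthorizationManager"):
            problems.append("authorization=none but caBIGAuthorizationManager is not set")
    return problems

def audit_wsdd(xml_text):
    """Map each service name to its list of problems (empty list = consistent)."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): check_service(s)
            for s in root.iter() if _local(s.tag) == "service"}

if __name__ == "__main__":
    print(audit_wsdd(SAMPLE_WSDD))
```
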
GSI Client Side Installation

     Configuring the Client Side
      –   Configuring Trusted Certificate Authorities
          •   Place trusted certificate in USER_HOME/.globus/certificates
              naming it with a .digit extension (e.g. trusted-cert.1)
caGrid Attribute Management Service

  Documentation
   – cagrid-security-architecture-v0.5.doc
   – cams-admin-guide-v0.5.doc

  Prerequisites
   –   Global Model Exchange (GME)
   –   Mobius Mako (In Distribution)
   –   Mysql

  Steps
   –   Obtain CAMS 0.5 Distribution
   –   Configuring CAMS
   –   Deploy
caGrid Attribute Management Service

  Configuring CAMS
   –   etc/cams-conf.xml
   –   Common Things to Configure
       •   Mysql database
       •   Default Permissions
       •   MakoDB Configuration File
   –   MakoDB Configuration File
       •   Specify Global Model Exchange
           (GME)
  Deploy
   –   From Distribution
       •   Type: ant deploy
Grid User Management Service

  Documentation
   –   cagrid-security-architecture-v0.5.doc
   –   cams-gums-guide-v0.5.doc
  Platforms
   –   Supported on platforms that SimpleCA supports (Linux, Solaris, etc.)
  Prerequisites
   –   Mysql
   –   Globus simpleCA
   –   SMTP
   –   CAMS
  Steps
   –   Obtain GUMS 0.5 Distribution
   –   Configuring GUMS
   –   Deploy
Grid User Management Service

  Configuring GUMS
   –   etc/gums-conf.xml
   –   Common Things to Configure
       •   Mysql database
       •   Required Information
       •   CAMS Service
       •   SimpleCA Binary Directory
       •   SimpleCA Hash
       •   SimpleCA Password
       •   SMTP Server
  Deploy
   –   From Distribution, type:
       •   ant deploy
GUMS Portal

 Documentation
  – cagrid-security-architecture-v0.5.doc
  – gums-user-guide-v0.5.doc

 Prerequisites
   –   Globus Client Side Configured
   –   GUMS Service Running

 Steps
   –   Obtain GUMS 0.5 Distribution
   –   Configuring GUMS Portal
   –   Running GUMS Portal
GUMS Portal




 Configuring GUMS Portal
   –   etc/gums-portal-conf.xml
   –   Common Things to Configure
       •   GUMS Service ID
       •   Attribute Viewers
 Running Portal
   –   From Distribution, type:
       •   ant portal
CAMS Portal

 Documentation
  – cagrid-security-architecture-v0.5.doc
  – cams-user-guide-v0.5.doc

 Prerequisites
   –   Globus Client Side Configured
   –   CAMS Service Running

 Steps
   –   Obtain CAMS 0.5 Distribution
   –   Configuring CAMS Portal
   –   Running CAMS Portal
CAMS Portal

 Configuring CAMS Portal
   –   etc/cams-portal-conf.xml
   –   Common Things to Configure
       •   GUMS Configuration Resource (GUMS Portal Configuration)
       •   CAMS Services
       •   Attribute Types (Not required)

 Running Portal
   –   From Distribution, type:
       •   ant portal
Questions?

				