
									caGrid Security Architecture Version 0.5
                  Installation



      caBIG Architecture Workspace Face to Face
               Georgetown University
                   August 16, 2005




                  Stephen Langella
                Ohio State University
               langella@bmi.osu.edu
Agenda

 Prerequisites
 Installation, Configuration, and Deployment
  –   Globus Security Infrastructure (GSI) Server Side
  –   Globus Security Infrastructure (GSI) Client Side
  –   caGrid Attribute Management Service (CAMS)
  –   Grid User Management Service (GUMS)
  –   Grid User Management Service (GUMS) Portal
  –   caGrid Attribute Management Service (CAMS) Portal
 Questions
Prerequisites

  Java 1.4.2
  Recommended: Java 1.4.2_04
  Ant version 1.6.X or higher
  Tomcat version 5.0.x or higher
  Globus Toolkit 3.2.1
GSI Server Side Installation

  Documentation
   –   globus-configuration-security.txt
  Prerequisites
   –   No Additional
  Installation Types
   –   CA Node
   –   Standard Node (most common)
  Steps
   –   Configure CA
   –   Obtain Host Certificate
   –   Create Grid Mapfile
   –   Configuring Trusted CAs
   –   Configuring Container Credentials
   –   Deploy to Tomcat
GSI Server Side Installation

  Configure CA
   –       CA Node
       •     Install Globus simpleCA
              http://www.globus.org/toolkit/docs/3.2/installation/install_config_req.html#caoption
             (Follow Steps 1-9)
   –       Standard Node
       •     Deploy Simple CA Configuration
             http://www.globus.org/toolkit/docs/3.2/installation/install_config_req.html#caoptions
             (Follow Step 20)
       •     Additional Steps
            1) Go to the directory /usr/local/globus3.2.1/setup/globus_simple_ca_@@HASH-FOR-YOUR-CA@@_setup/
            2) Edit both grid-cert-request-config.in and grid-security-config.in, replacing @sh@ in the first line
             with a valid shell (/bin/sh)
            3) Copy grid-cert-request-config.in to grid-cert-request-config
            4) Copy grid-security-config.in to grid-security-config
GSI Server Side Installation

  Setup GSI
   –   As root, go to the directory
       $GLOBUS_LOCATION/setup/globus_simple_ca_@@HASH-FOR-YOUR-CA@@_setup/
       and run the following:
         setup-gsi -default

  Obtain Host Certificate
   –   Create a Host Certificate Request in /etc/grid-security
   –   grid-cert-request -host 'hostname'
   –   Have the CA administrator sign the certificate request

  Create a Grid Mapfile
   –   Used as a method of authorization
   –   As root, in /etc/grid-security, create the file grid-mapfile
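
An added example, not part of the original slides: a Python check for the grid-mapfile created in this step. It assumes the standard Globus entry format (a double-quoted certificate subject DN followed by one or more comma-separated local accounts), which the slides do not show; the sample DNs and account names are constructed.

```python
import re

# Constructed sample: the DNs and account names are placeholders.
SAMPLE_GRIDMAP = '''\
# comment lines and blank lines are skipped
"/O=Example/OU=Grid/CN=Alice Example" alice
"/O=Example/OU=Grid/CN=Bob Example" bob,bobadmin
/O=Example/OU=Grid/CN=Carol Example carol
"/O=Example/OU=Grid/CN=Alice Example" root
'''

# Assumed entry format: "<subject DN>" account[,account...]
ENTRY = re.compile(r'^"(?P<dn>/[^"]+)"\s+(?P<accounts>[\w.-]+(?:,[\w.-]+)*)$')


def check_gridmap(text):
    """Return (entries, problems) for the contents of a grid-mapfile."""
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if match is None:
            problems.append((lineno, "malformed entry: expected a quoted DN and a local account"))
            continue
        dn, accounts = match["dn"], match["accounts"].split(",")
        if dn in seen:
            problems.append((lineno, "DN listed more than once"))
        seen.add(dn)
        if "root" in accounts:
            problems.append((lineno, "DN is mapped to root"))
        entries.append((dn, accounts))
    return entries, problems


if __name__ == "__main__":
    entries, problems = check_gridmap(SAMPLE_GRIDMAP)
    for dn, accounts in entries:
        print(f"{dn} -> {', '.join(accounts)}")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```
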
GSI Server Side Installation

  Configuring Trusted Certificate Authorities
   –   Server Container (All Services)
       •   Method 1 - Place trusted certificate in /etc/grid-security/certificates,
           naming it with a .digit extension (e.g. trusted-cert.1)
       •   Method 2 – Add the following parameter to the
           globusConfiguration block of the server-deploy.wsdd
               <parameter name="trustedCertificates" value="<CA certificate locations>"/>
GSI Server Side Installation

  Configuring Service Credentials/Proxy
   –   Server Container (All Services)
       •   Method 1 (Certificate) – Add the following parameter to the
           globusConfiguration block of the server-deploy.wsdd
            <parameter name="containerCert" value="<certificate file>"/>
            <parameter name="containerKey" value="<unencrypted key file>"/>

       •   Method 2 (Proxy) – Add the following parameter to the
           globusConfiguration block of the server-deploy.wsdd
             <parameter name="containerProxy" value="<proxy file>"/>
GSI Service Configuration

    Documentation
      –   service-security-configuration.txt

    Configuring Services to use GSI
      –   Trusted Certificate Authorities
          •   Allows the service to specify which CAs it trusts
          • Valid Users must have a certificate from a trusted CA
      –   Service Credentials/Proxy
          • Specifies which user the service runs as.
      –   Globus Security Descriptor
          • Allows the specification of authentication requirement on individual
            methods of a grid service.
      –   Authorization Type
          •   Needs to be configured if using globus authorization mechanisms
GSI Service Configuration

    Configuring Trusted Certificate Authorities
      –   Server Container (All Services)
          •   Method 1 - Place trusted certificate in /etc/grid-security/certificates
              naming it with a .digit extension (e.g. trusted-cert.1)
          •   Method 2 – Add the following parameter to the globusConfiguration
              block of the server-deploy.wsdd
                 <parameter name="trustedCertificates" value="<CA certificate locations>"/>
      –   Grid Service
          •   Add the following parameter to the service block of the grid service’s
              server-deploy.wsdd
                 <parameter name="trustedCertificates" value="<CA certificate locations>"/>
      –   Client
          •   Place trusted certificate in USER_HOME/.globus/certificates naming it
              with a .digit extension (e.g. trusted-cert.1)
GSI Service Configuration

    Configuring Service Credentials/Proxy
      –   Server Container (All Services)
          •   Method 1 (Certificate) – Add the following parameter to the
              globusConfiguration block of the server-deploy.wsdd
                 <parameter name="containerCert" value="<certificate file>"/>
                 <parameter name="containerKey" value="<unencrypted key file>"/>
          •   Method 2 (Proxy) – Add the following parameter to the globusConfiguration
              block of the server-deploy.wsdd
                 <parameter name="containerProxy" value="<proxy file>"/>

      –   Grid Service
          •   Method 1 (Certificate) – Add the following parameter to the service block of
              the grid service’s server-deploy.wsdd
                 <parameter name="serviceCert" value="<certificate file>"/>
                 <parameter name="serviceKey" value="<unencrypted key file>"/>
          •   Method 2 (Proxy) – Add the following parameter to the service block of the
              grid service’s server-deploy.wsdd
                 <parameter name="serviceProxy" value="<proxy file>"/>
GSI Service Configuration

    Configuring the Globus Security Descriptor
      –   Allows the specification of authentication requirement on individual
          methods of a grid service.
      –   Persistent Services - Add the following parameter to the service block
          of the grid service’s server-deploy.wsdd
          <parameter name="securityConfig" value="my-security-config.xml"/>
      –   Transient Services - Add the following parameter to the service block
          of the grid service’s server-deploy.wsdd
          <parameter name="instance-securityConfig" value="my-security-config.xml"/>

             <securityConfig xmlns="http://www.globus.org" xmlns:ogsi="http://www.gridforum.org/namespaces/2003/03/OGSI">
                <method name="ogsi:findServiceData">
                   <auth-method>
                      <none/>
                   </auth-method>
                </method>
                <method name="ogsi:subscribe">
                   <auth-method>
                      <none/>
                   </auth-method>
                </method>

                <!-- default auth-method for any other method -->
                <auth-method>
                   <gsi/>
                </auth-method>
             </securityConfig>
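
An added example, not part of the original slides: a Python audit of a security descriptor that lists which methods override the default with `<none/>` and can therefore be called without authentication. The function and variable names are illustrative, and the embedded sample is the descriptor from the slide.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.globus.org}"  # default namespace used by the descriptor

# The descriptor shown on the slide above.
SAMPLE_DESCRIPTOR = """\
<securityConfig xmlns="http://www.globus.org"
                xmlns:ogsi="http://www.gridforum.org/namespaces/2003/03/OGSI">
  <method name="ogsi:findServiceData">
    <auth-method><none/></auth-method>
  </method>
  <method name="ogsi:subscribe">
    <auth-method><none/></auth-method>
  </method>
  <!-- default auth-method for any other method -->
  <auth-method><gsi/></auth-method>
</securityConfig>
"""


def mechanisms(parent):
    """Names of the mechanisms in parent's own <auth-method>, or None if absent."""
    node = parent.find(NS + "auth-method")
    if node is None:
        return None
    return [child.tag.rsplit("}", 1)[-1] for child in node]


def audit_descriptor(xml_text):
    """Report the default auth-method, per-method overrides and open methods."""
    root = ET.fromstring(xml_text)
    default = mechanisms(root)
    overrides = {m.get("name"): mechanisms(m) for m in root.findall(NS + "method")}
    findings = []
    if default is None:
        findings.append("no default auth-method: review every unlisted method")
    elif "none" in default:
        findings.append("default auth-method is none")
    for name, mechs in sorted(overrides.items()):
        if mechs is not None and "none" in mechs:
            findings.append(f"{name} is callable without authentication")
    return {"default": default, "overrides": overrides, "findings": findings}


if __name__ == "__main__":
    report = audit_descriptor(SAMPLE_DESCRIPTOR)
    print("default:", report["default"])
    for finding in report["findings"]:
        print("finding:", finding)
```
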
GSI Service Configuration

    Configuring Authorization Type
      –    If using the grid map mechanism provided by Globus, add the following parameter
           to the service’s server-deploy.wsdd
           •   <parameter name="authorization" value="gridmap"/>


      –    If using the AuthorizationManager mechanism, add the following parameter to the
           service’s server-deploy.wsdd
           •   <parameter name="authorization" value="none"/>

    Configuring a Service to use the Authorization Manager
      –    Add SOAP handler to request flow in service’s wsdd
      <requestFlow>
           <handler type="java:gov.nih.nci.cagrid.security.handlers.CaBIGAuthorizationHandler"/>
      </requestFlow>
      –    Creates callback to Authorization Manager implementation specified in service’s wsdd
           parameter:
          <parameter name="caBIGAuthorizationManager"
             value="gov.nih.nci.cagrid.security.UnPermissiveAuthorizationManager"/>
GSI Client Side Installation

     Configuring the Client Side
      –   Configuring Trusted Certificate Authorities
          •   Place trusted certificate in USER_HOME/.globus/certificates
              naming it with a .digit extension (e.g. trusted-cert.1)
caGrid Attribute Management Service

  Documentation
   – cagrid-security-architecture-v0.5.doc
   – cams-admin-guide-v0.5.doc

  Prerequisites
   –   Global Model Exchange (GME)
   –   Mobius Mako (In Distribution)
   –   Mysql

  Steps
   –   Obtain CAMS 0.5 Distribution
   –   Configuring CAMS
   –   Deploy
caGrid Attribute Management Service

  Configuring CAMS
   –   etc/cams-conf.xml
   –   Common Things to Configure
       •   Mysql database
       •   Default Permissions
       •   MakoDB Configuration File
   –   MakoDB Configuration File
       •   Specify Global Model Exchange (GME)
  Deploy
   –   From Distribution
       •   Type: ant deploy
Grid User Management Service

  Documentation
   –   cagrid-security-architecture-v0.5.doc
   –   cams-gums-guide-v0.5.doc
  Platforms
   –   Supported on platforms that SimpleCA supports (Linux, Solaris, etc.)
  Prerequisites
   –   Mysql
   –   Globus simpleCA
   –   SMTP
   –   CAMS
  Steps
   –   Obtain GUMS 0.5 Distribution
   –   Configuring GUMS
   –   Deploy
Grid User Management Service

  Configuring GUMS
   –   etc/gums-conf.xml
   –   Common Things to Configure
       •   Mysql database
       •   Required Information
       •   CAMS Service
       •   SimpleCA Binary Directory
       •   SimpleCA Hash
       •   SimpleCA Password
       •   SMTP Server
  Deploy
   –   From Distribution
       •   Type: ant deploy
GUMS Portal

 Documentation
  – cagrid-security-architecture-v0.5.doc
  – gums-user-guide-v0.5.doc

 Prerequisites
   –   Globus Client Side Configured
   –   GUMS Service Running

 Steps
   –   Obtain GUMS 0.5 Distribution
   –   Configuring GUMS Portal
   –   Running GUMS Portal
GUMS Portal




 Configuring GUMS Portal
   –   etc/gums-portal-conf.xml
   –   Common Things to Configure
       •   GUMS Service ID
       •   Attribute Viewers
 Running Portal
   –   From Distribution
       •   Type: ant portal
CAMS Portal

 Documentation
  – cagrid-security-architecture-v0.5.doc
  – cams-user-guide-v0.5.doc

 Prerequisites
   –   Globus Client Side Configured
   –   CAMS Service Running

 Steps
   –   Obtain CAMS 0.5 Distribution
   –   Configuring CAMS Portal
   –   Running CAMS Portal
CAMS Portal

 Configuring CAMS Portal
   –   etc/cams-portal-conf.xml
   –   Common Things to Configure
       •   GUMS Configuration Resource (GUMS Portal Configuration)
       •   CAMS Services
       •   Attribute Types (Not required)

 Running Portal
   –   From Distribution
       •   Type: ant portal
Questions?

								