Security Support

Last Updated 01/27/2004

Contents

  1. Introduction
  2. Features
  3. Message Level Security
  4. Transport Level Security
  5. General Client Information

1 Introduction

GT3 Java GSI is based on the GSI implementation in the Java CoG Kit. GT3 provides message level security; transport level security ('httpg') is no longer supported. Message level security is built on the WS-Security, XML Encryption and XML Signature standards.

The Java GSI library implements the Java GSS-API. It supports the GSS-API extensions and the new proxy certificate format, as specified by the Global Grid Forum and the IETF PKIX working group.

2 Features

GT3 security library features:

3 Message Level Security

Please see Message Level Security document for details.

4 Transport Level Security

Please see the Transport Level Security document for details. Note that transport level security ('httpg') is no longer supported.

5 General Client Information

5.1 GSI Client Properties

The following GSI properties can be set on the client to control the authentication/authorization process. These options apply to both the message and transport level security mechanisms, but they are not by themselves sufficient to configure either one: each mechanism also has its own properties, described in the message and transport level security documents.
You can set these GSI properties on any service port instance by casting the instance to the javax.xml.rpc.Stub interface and calling its _setProperty() method. If you are working directly with a JAX-RPC Call object, use its setProperty() method instead. For example:

 import javax.xml.rpc.Stub;
 import org.globus.gsi.GSIConstants;
 // Constants and NoAuthorization are the GT3 security classes;
 // OGSIServiceGridLocator, Factory and HandleType are the OGSI client stubs.

 OGSIServiceGridLocator factoryService = new OGSIServiceGridLocator();
 Factory factory = factoryService.getFactoryPort(new HandleType(handle));

 // enable GSI Secure Conversation message level security (messages are signed)
 ((Stub) factory)._setProperty(Constants.GSI_SEC_CONV,
                               Constants.SIGNATURE);
 // enable limited delegation: the service receives a limited proxy
 ((Stub) factory)._setProperty(GSIConstants.GSI_MODE,
                               GSIConstants.GSI_MODE_LIMITED_DELEG);
 // set client authorization to none: the client does not check the service's identity
 ((Stub) factory)._setProperty(Constants.AUTHORIZATION,
                               NoAuthorization.getInstance());

Note that the properties set on the factory stub are not inherited by the service port instances representing services created through that factory. You must set the properties separately on every instance you obtain.
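Because the factory's properties are not inherited, the settings above end up copied by hand onto every port. The following helper, an added example and not part of GT3 or the Java CoG Kit, builds the property set once and applies it to any javax.xml.rpc.Stub or JAX-RPC Call; the import paths for Constants and NoAuthorization are assumed from the GT3 package layout and should be checked against the jars in your installation.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.xml.rpc.Call;
import javax.xml.rpc.Stub;

import org.globus.gsi.GSIConstants;
// Assumed GT3 package paths for the two classes used on this page.
import org.globus.ogsa.impl.security.authentication.Constants;
import org.globus.ogsa.impl.security.authorization.NoAuthorization;

/**
 * Collects the GSI client properties once and applies the same set to every
 * service port (Stub) or dynamic Call, so an instance port obtained from a
 * factory-created service gets exactly the settings the factory port had.
 * Added example; raw collections are used so it compiles on J2SE 1.3/1.4.
 */
public final class GsiClientProperties {

    // property name -> value
    private final Map properties = new HashMap();

    /** GSI Secure Conversation with the given protection level, e.g. Constants.SIGNATURE. */
    public GsiClientProperties secureConversation(Object protection) {
        properties.put(Constants.GSI_SEC_CONV, protection);
        return this;
    }

    /** Delegation mode, e.g. GSIConstants.GSI_MODE_LIMITED_DELEG. */
    public GsiClientProperties delegation(Object mode) {
        properties.put(GSIConstants.GSI_MODE, mode);
        return this;
    }

    /**
     * Client-side authorization of the service. NoAuthorization skips the check
     * entirely, so the client will talk to whoever answers at the handle.
     */
    public GsiClientProperties authorization(Object authorization) {
        properties.put(Constants.AUTHORIZATION, authorization);
        return this;
    }

    /** Generated service port: cast to javax.xml.rpc.Stub and use _setProperty(). */
    public void applyTo(Stub stub) {
        for (Iterator i = properties.entrySet().iterator(); i.hasNext();) {
            Map.Entry e = (Map.Entry) i.next();
            stub._setProperty((String) e.getKey(), e.getValue());
        }
    }

    /** Dynamic JAX-RPC Call: use setProperty(). */
    public void applyTo(Call call) {
        for (Iterator i = properties.entrySet().iterator(); i.hasNext();) {
            Map.Entry e = (Map.Entry) i.next();
            call.setProperty((String) e.getKey(), e.getValue());
        }
    }

    /** Accepts whichever of the two the caller holds; anything else is a programming error. */
    public void applyTo(Object port) {
        if (port instanceof Stub) {
            applyTo((Stub) port);
        } else if (port instanceof Call) {
            applyTo((Call) port);
        } else {
            throw new IllegalArgumentException(
                "not a javax.xml.rpc.Stub or Call: " + port.getClass().getName());
        }
    }

    /** The configuration shown on this page: signed Secure Conversation, limited delegation, no authorization. */
    public static GsiClientProperties pageDefaults() {
        return new GsiClientProperties()
            .secureConversation(Constants.SIGNATURE)
            .delegation(GSIConstants.GSI_MODE_LIMITED_DELEG)
            .authorization(NoAuthorization.getInstance());
    }

    // Usage (factory and instancePort are obtained as on this page):
    //   GsiClientProperties gsi = GsiClientProperties.pageDefaults();
    //   gsi.applyTo(factory);        // the factory port
    //   gsi.applyTo(instancePort);   // and, separately, every port created through it
}
```

Two things to keep in mind when reusing this: the Secure Conversation and delegation settings still need whatever mechanism-specific properties the Message Level Security document requires, and NoAuthorization should be treated as a development setting, since with it the client performs no authorization of the service it is delegating a proxy to.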

5.2 GSI initialization tips

Initialization of GSI on both the client and the server can be very time-consuming on some platforms. The cost comes from gathering a secure seed for the random number generator, which GSI needs for security purposes (for example when generating proxy key pairs). The default seeding algorithm of Sun's VM is slow, but it can easily be replaced by installing a different SecureRandom provider. Whatever provider you install must still be a genuine entropy source: a fast but weakly seeded generator makes the keys derived from it predictable.
For example, for Windows users we recommend installing the InfiniteMonkey provider from ISNetworks.com (follow the installation instructions in the included README.TXT file and put infinitemonkey.dll in the c:\WINNT\system32 directory).
Once the provider is properly installed, GSI initialization will be much faster.
On Unix/Linux machines, GSI takes advantage of the /dev/urandom device, if present, to speed up start-up. In the future, we will provide a SecureRandom implementation for machines without this device.
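To see whether the slow seeding described above is what is delaying your client or container, and to confirm that a newly installed provider is actually the one being picked up, the following diagnostic can be run on the same VM. It is an added example, not part of GT3: it lists the installed SecureRandom implementations in priority order, measures the time from constructing a SecureRandom to its first output (which is where the self-seeding happens), and shows how to place a provider ahead of the built-in ones programmatically if you would rather not edit the java.security file.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/**
 * Diagnostic for SecureRandom seeding cost. Added example; raw collections
 * keep it compilable on the J2SE 1.3/1.4 VMs this page targets.
 */
public class SeedCheck {

    /** Every installed SecureRandom algorithm as "provider:algorithm", highest priority first. */
    public static String[] installedSecureRandoms() {
        List names = new ArrayList();
        Provider[] providers = Security.getProviders();
        for (int p = 0; p < providers.length; p++) {
            // A Provider is a Properties map; SecureRandom engines are keyed "SecureRandom.<alg>".
            for (Iterator k = providers[p].keySet().iterator(); k.hasNext();) {
                String key = (String) k.next();
                if (key.startsWith("SecureRandom.")) {
                    names.add(providers[p].getName() + ":"
                              + key.substring("SecureRandom.".length()));
                }
            }
        }
        return (String[]) names.toArray(new String[names.size()]);
    }

    /**
     * Milliseconds from a fresh SecureRandom to its first output. Seeding is
     * deferred until the first nextBytes(), so this is the cost GSI pays when
     * it first needs random bytes.
     */
    public static long millisToFirstOutput(SecureRandom rng) {
        long start = System.currentTimeMillis();
        rng.nextBytes(new byte[20]);
        return System.currentTimeMillis() - start;
    }

    /**
     * Puts a provider at position 1 so new SecureRandom() selects it. Removing
     * any existing registration first keeps repeated calls from adding duplicates.
     */
    public static void preferProvider(Provider provider) {
        Security.removeProvider(provider.getName());
        Security.insertProviderAt(provider, 1);
    }

    public static void main(String[] args) throws Exception {
        String[] names = installedSecureRandoms();
        System.out.println("SecureRandom implementations, in selection order:");
        for (int i = 0; i < names.length; i++) {
            System.out.println("  " + names[i]);
        }

        // What GSI gets when it asks for the default.
        SecureRandom dflt = new SecureRandom();
        System.out.println("default (" + dflt.getProvider().getName() + "): "
                           + millisToFirstOutput(dflt) + " ms to first output");

        // Sun's own algorithm, for comparison once another provider is installed.
        SecureRandom sha1 = SecureRandom.getInstance("SHA1PRNG");
        System.out.println("SHA1PRNG (" + sha1.getProvider().getName() + "): "
                           + millisToFirstOutput(sha1) + " ms to first output");
    }
}
```

Run it once before and once after installing the provider: the default line should switch to the new provider's name and its time should drop from seconds (or tens of seconds on a machine with no /dev/urandom) to milliseconds. If the provider name does not change, the provider was not registered ahead of Sun's, and GSI is still using the slow seeder. On Sun's 1.4 VMs the built-in seeder can also be pointed at the urandom device with the java.security.egd system property (file:/dev/urandom), which is the same speed-up the page describes.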

5.3 JAAS installation

This step is only necessary for J2SE 1.3.1. To install the JAAS library, download "JAAS 1.0_01 Class Libraries" from http://java.sun.com/products/jaas/index-10.html. Extract the jaas-1_0_01.zip file into a temporary directory and copy the "jaas1_0_01/lib/jaas.jar" file to the lib directory of the GT3 installation.