Difference between revisions of "GHN Security Configuration"

From Gcube Wiki
Jump to: navigation, search
(Security configuration files)
 
(6 intermediate revisions by 2 users not shown)
Line 8: Line 8:
  
 
==Security configuration files==
 
==Security configuration files==
Most of the files used for the security configurations are already provided by the ws-core container: only more information is provided. The only extra file is the '''Default Security Configuration'''.
+
Most of the files used for the security configurations are already provided by the ws-core container: only more information is provided. The only extra file is the '''Default Service Security Configuration''' (''default_services_security_configuration'' in /etc/globus_wsrf_core directory).
 
For the global security configuration these files are used:
 
For the global security configuration these files are used:
  
* ''GHNConfig.xml'' (and ''GHNConfig.client.xml''), in $GLOBUS_LOCATION/config directory: contains the security status (enabled or disabled) and some global special purpose information related to the security manager chosen (see [[Security Plugins Table]] section)
+
* ''GHNConfig.xml'' (and ''GHNConfig.client.xml''), in $GLOBUS_LOCATION/config directory: contains the security status (enabled or disabled). It is also used to set some extra settings related to the choosen Security Manager or Security Controller: in this case this information has GHN scope. For example the ''VOMSServiceCredentialsSecurityManager'' needs the VOMS service url or the VO name: these parameters can be placed in the GHNConfig.xml file. To have a complete list of these parameters see [[Security Plugins Table]] section
 
* ''implementation.properties'', in $GLOBUS_LOCATION/config directory: defines the global Service Security Manager, Client Security Manager, Authentication and Authorization Controller implementations
 
* ''implementation.properties'', in $GLOBUS_LOCATION/config directory: defines the global Service Security Manager, Client Security Manager, Authentication and Authorization Controller implementations
 
* ''server-config.wsdd'', in the directory $GLOBUS_LOCATION/etc/globus_wsrf_core: contains the link to the '''Global Security Descriptor''' and the '''Default Services Security Configuration'''; it also contains other special purpose information
 
* ''server-config.wsdd'', in the directory $GLOBUS_LOCATION/etc/globus_wsrf_core: contains the link to the '''Global Security Descriptor''' and the '''Default Services Security Configuration'''; it also contains other special purpose information
Line 18: Line 18:
  
 
Per service security configuration uses the following files:
 
Per service security configuration uses the following files:
* ''Service jndi-config.xml", in the $GLOBUS_LOCATION/etc/<service> directory: contains the security status for the service (enabled or disabled), the propagation credential status and other special purpose information related to the security manager chosen (see [[Security Plugins Table]] section)
+
* ''Service jndi-config.xml", in the $GLOBUS_LOCATION/etc/<service> directory: contains the security status for the service (enabled or disabled), the propagation credential status. It can contain the extra settings described in the GHNConfig.xml bullet: in this case the scope is the specific service
* ''service.wsdd'', in the $GLOBUS_LOCATION/etc/<service> directory: contains the link to the local incoming message security descriptor and other special purpose information (if required)
+
* ''server-config.wsdd'', in the $GLOBUS_LOCATION/etc/<service> directory: contains the link to the local '''Incoming Message Security Descriptor''', set in the element ''securityDescriptor'' (see the next point) and other settings related to the web service (if required)
* ''Incoming Messages Security Descriptor'': contains information about the security protocol used and the security level (if different from the global configuration)
+
* ''Incoming Messages Security Descriptor'': contains information about the security protocol used and the security level (if different from the global configuration). Its path is set in the server-config.wsdd (see the point above).
* '' Outgoing Messages Security Descriptor'', in the jar of the stubs of the called service: contains information about the security protocol used and the security level to be used to call the related service if different from global configuration. In the stubs there is also a deployment descriptor (wsdd) with a security descriptor parameter: the security descriptor is considered only if the parameter in the wsdd is correctly set.
+
* '' Outgoing Messages Security Descriptor'', in the jar of the stubs of the called service: contains information about the security protocol used and the security level to be used to call the related service if different from global configuration. In the stubs there is also a deployment descriptor (wsdd) with an element called ''securityDescriptor'': this elements contains the name of the Outgoing Messages Security Descriptor file in the stub.
  
 
There are also two commands, in the $GLOBUS_LOCATION/bin directory: '''gcore-start-secure-container.sh''' and '''gcore-stop-secure-container''', needed to start and stop the container with TLS support.
 
There are also two commands, in the $GLOBUS_LOCATION/bin directory: '''gcore-start-secure-container.sh''' and '''gcore-stop-secure-container''', needed to start and stop the container with TLS support.
  
 
==Security Configuration provided==
 
==Security Configuration provided==
In order to obtain TLS Authentication and SAML Authorization as global behaviour, the global configuration is the following.
+
In order to obtain TLS Authentication and SAML Authorization as global behaviour, the configuration is the following.
  
 
* both the files ''GHNConfig.xml'' and ''GHCConfig.client.xml'' file contain the parameter '''securityenabled''' set to true
 
* both the files ''GHNConfig.xml'' and ''GHCConfig.client.xml'' file contain the parameter '''securityenabled''' set to true
Line 48: Line 48:
 
    
 
    
  
the first parameter sets the relative path of the global security descriptor, the second one sets the path of the default services security configuration and the  third one is the url of a (not working) Authorization Provider: it should be replaced with the correct url.
+
the first parameter sets the relative path of the global security descriptor, the second one sets the path of the default services security configuration and the  third one is the url of an Authorization Provider (to be replaced with the correct url).
  
 
* The ''Global Security Descriptor'' is the following:
 
* The ''Global Security Descriptor'' is the following:
Line 64: Line 64:
 
</source>
 
</source>
  
where the path of the host certificate is set and the Authorization Chain is defined [[Security Library#Authorization Chain configuration|Authorization Chain configuration]]
+
where the paths to the host certificate cert/key are set and the Authorization Chain is defined [[Security Library#Authorization Chain configuration|Authorization Chain configuration]]
  
 
* The ''Default Service Security Configuration'' is the following:
 
* The ''Default Service Security Configuration'' is the following:
Line 82: Line 82:
 
</source>
 
</source>
  
where the incoming and outgoing messages behavior is defined. In particular the security protocol is GSITransport (TLS), the protection level is ''integrity'' (digital signature) and ''privacy'' (encryption) and the caller credential propagation is enabled. The enable attribute on ''in'' and ''out'' sets if the configuration should be read by the system: if the attribute is ''false'' service based configuration became mandatory. The ''override'' attribute, if set to ''true'' forces the system to adopt the global configuration even if a per service configuration exists.
+
where the incoming and outgoing messages behaviours are defined. In particular the security protocol is GSITransport (TLS), the protection level is ''integrity'' (digital signature) and ''privacy'' (encryption) and the caller credential propagation is enabled. The ''enable'' attribute on ''in'' and ''out'' specifies if the configuration should be read by the system: if the attribute is set to ''false'' the service based configuration became mandatory. The ''override'' attribute, if set to ''true'' forces the system to adopt the global configuration even if a per service configuration exists.
  
 
It is possible to change the global security configuration to satisfy some extra requirements, but the most usual changes to be performed could be:
 
It is possible to change the global security configuration to satisfy some extra requirements, but the most usual changes to be performed could be:
Line 90: Line 90:
 
* the url of the Authorization Service
 
* the url of the Authorization Service
 
* the protection level (only signature improves the performances)
 
* the protection level (only signature improves the performances)
* the credential propagation status (if the admin wants that only service credentials should be used)
+
* the credential propagation status (to force only service credentials to be used)
  
 
The truststore of a GHN is in the folder: /etc/grid-security/certificates. This folder should contain the trusted CA certificates and the updated revocation list stored in files named with the CA hash, for example:
 
The truststore of a GHN is in the folder: /etc/grid-security/certificates. This folder should contain the trusted CA certificates and the updated revocation list stored in files named with the CA hash, for example:
Line 97: Line 97:
 
* 2f3fadf6.r0 is the revocation list
 
* 2f3fadf6.r0 is the revocation list
 
* 2f3fadf6.namespace, 2f3fadf6.info, 2f3fadf6.crl_url, 2f3fadf6.signing_policy contain other information
 
* 2f3fadf6.namespace, 2f3fadf6.info, 2f3fadf6.crl_url, 2f3fadf6.signing_policy contain other information
 
  
 
==Per Service settings==
 
==Per Service settings==
Line 103: Line 102:
  
 
* the security status ''securityenabled'' (boolean)
 
* the security status ''securityenabled'' (boolean)
* the ''securityManagerClass'': the class of the security manager used only for the related service
+
* the ''securityManagerClass'': the class of the security manager used only by the related service
* the ''authenticationManagerClass'': the class of the authentication manager used only for the related service
+
* the ''authenticationManagerClass'': the class of the authentication manager used only by the related service
* the ''authorisationManagerClass'': the class of the authorization manager used only for the related service
+
* the ''authorisationManagerClass'': the class of the authorization manager used only by the related service
  
The parameters are not mandatory, and, if not present, the global parameters are used. By the local configuration it is possible to define some per service bahaviors, useful for services that should interact with external infrastructures. For these kind of ''Edge Services'' the most used security managers and controllers are described in the section [[Security Library#Extension Security Libraries|Extension Security Libraries]].
+
The parameters are not mandatory, and, if not present, the global parameters are used. By the local configuration it is possible to define some per service behaviours, useful for services that should interact with external infrastructures. For these kind of ''Edge Services'' the most used security managers and controllers are described in the section [[Security Library#Extension Security Libraries|Extension Security Libraries]].
 
Other possible choices are in the [[Security Plugins Table]] section, where the further configuration parameters needed are also described.
 
Other possible choices are in the [[Security Plugins Table]] section, where the further configuration parameters needed are also described.
  
Line 124: Line 123:
 
</source>
 
</source>
  
it configures TLS with encryption for the method ''about'': to configure the security features for all the methods the <source lang="xml"> <auth-method> </source> element should be placed out of the <source lang="xml"> <method> </source> element.
+
it configures TLS with encryption for the method ''about'': to configure the security features for all methods the <source lang="xml"> <auth-method> </source> element should be placed out of the <source lang="xml"> <method> </source> element.
 
The service.wsdd file should point to the local security descriptor with an element like the following:
 
The service.wsdd file should point to the local security descriptor with an element like the following:
  
Line 131: Line 130:
 
</source>
 
</source>
  
in order to tell to the server to read the local security descriptor. Otherwise the default security configuration is used.
+
in order to instrument the server to read the local security descriptor, otherwise the default security configuration is used.
 
For outgoing messages configuration the concept is similar, with the difference that, inside the wsdd internal to the stub jar, the parameter should point to the '''name''' of the security descriptor file in the jar, the path is not required.
 
For outgoing messages configuration the concept is similar, with the difference that, inside the wsdd internal to the stub jar, the parameter should point to the '''name''' of the security descriptor file in the jar, the path is not required.
  
 
==Client configuration==
 
==Client configuration==
A Client Security Manager needs only a parameter that indicates the identity of the user who performs the call: what the ''Identity Parameter'' is, in concrete cases, depends from the implementation of the security manager and is described in the [[Security Plugins Table]] section.
+
 
However, for the clients, the binding with the Security Manager is dynamic and is performed setting the field ''GCUBEClientSecurityManager'' in ''implementation.properties'' file, for example, in the default security bundle, the configuration is the following:
+
A secure client, in general, uses https as communication protocol and a Security Manager. The Security Manager could be the default one, loaded from implementation.properties:  
  
 
<source lang="java">
 
<source lang="java">
Line 142: Line 141:
 
</source>
 
</source>
  
and means that a SAML Assertion Security Manager will be used for clients.
+
in order to easily load it, the method <source lang="java"> SecurityContextFactory.getInstance().getSecurityContext().getDefaultSecurityManager() </source> is provided in gCore framework. The Security Manager should be initialized with an Identity Parameter provided by the client.
 +
The Identity Parameter is not valid for the authentication (for this purpose only the host certificate is used), but it determines only the authorization privileges basing on the identity of the user who performs the call: what the ''Identity Parameter'' is, in concrete cases, depends on the implementation of the security manager and is described in the [[Security Plugins Table]] section.
 +
 
 +
In our infrastructure the Role or the Service ID (''serviceClass.serviceName'') should be used as Identity Parameter. The clients should provide the parameter to the Client Security Manager by the method
 +
<source lang="java">
 +
org.gcube.common.vomanagement.security.configuration.client.GCUBEClientSecurityConfigurationManager.setDefaultIdentityParameter(String)
 +
</source>
 +
 
 +
or
 +
 
 +
<source lang="java">
 +
org.gcube.common.vomanagement.security.configuration.client.GCUBEClientSecurityConfigurationManager.setIdentityParameters(Map<String, String>)
 +
</source>
 +
 
 +
if more than a single Identity is needed.
  
In the most of cases the clients, in secure mode, needs an identity parameter: it will be used to configure on the fly the Security Manager. So, if a client should be designed, a secure running mode should be planned: this running mode should perform calls in https and should use a security manager (loaded from implementation.properties, or, better, by the call <source lang="java"> SecurityContextFactory.getInstance().getSecurityContext().getDefaultSecurityManager() </source> of the SecurityContextFactory provided in gCore framework. The Security Manager should be configured by an identity loaded from startup parameters or provided by the client.
+
The way used by the client to obtain this information from the user depends on the client implementation: for example the clients used only by Infrastructure Administrators, that are placed on a trusted GHN, don't use any identity parameter (in particular their Identity is the DN of the caller host) or requires it as command line parameter.
  
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 16:36, 28 September 2011

Introduction

The GHN secure distribution bundle contains the libraries and the base configurations to set the internal infrastructure security, that is based on Transport Level Security for Authentication and SAML Assertions for Authorization. This section is composed by four parts:

  • a list and a brief description of the security configuration files
  • an overview of the security configuration provided in the secure GHN distribution
  • information about the settings to be used to face different situations (i.e. interoperability)
  • description of the client mode configuration

Security configuration files

Most of the files used for the security configurations are already provided by the ws-core container: only more information is provided. The only extra file is the Default Service Security Configuration (default_services_security_configuration in /etc/globus_wsrf_core directory). For the global security configuration these files are used:

  • GHNConfig.xml (and GHNConfig.client.xml), in $GLOBUS_LOCATION/config directory: contains the security status (enabled or disabled). It is also used to set some extra settings related to the choosen Security Manager or Security Controller: in this case this information has GHN scope. For example the VOMSServiceCredentialsSecurityManager needs the VOMS service url or the VO name: these parameters can be placed in the GHNConfig.xml file. To have a complete list of these parameters see Security Plugins Table section
  • implementation.properties, in $GLOBUS_LOCATION/config directory: defines the global Service Security Manager, Client Security Manager, Authentication and Authorization Controller implementations
  • server-config.wsdd, in the directory $GLOBUS_LOCATION/etc/globus_wsrf_core: contains the link to the Global Security Descriptor and the Default Services Security Configuration; it also contains other special purpose information
  • Global Security Descriptor: contains the link to the container certificate and the definition of the authorization chain (if exists)
  • Default Services Security Configuration: contains information about the security protocol used and the security level; it also contains information about the credential propagation behaviour

Per service security configuration uses the following files:

  • Service jndi-config.xml", in the $GLOBUS_LOCATION/etc/<service> directory: contains the security status for the service (enabled or disabled), the propagation credential status. It can contain the extra settings described in the GHNConfig.xml bullet: in this case the scope is the specific service
  • server-config.wsdd, in the $GLOBUS_LOCATION/etc/<service> directory: contains the link to the local Incoming Message Security Descriptor, set in the element securityDescriptor (see the next point) and other settings related to the web service (if required)
  • Incoming Messages Security Descriptor: contains information about the security protocol used and the security level (if different from the global configuration). Its path is set in the server-config.wsdd (see the point above).
  • Outgoing Messages Security Descriptor, in the jar of the stubs of the called service: contains information about the security protocol used and the security level to be used to call the related service if different from global configuration. In the stubs there is also a deployment descriptor (wsdd) with an element called securityDescriptor: this elements contains the name of the Outgoing Messages Security Descriptor file in the stub.

There are also two commands, in the $GLOBUS_LOCATION/bin directory: gcore-start-secure-container.sh and gcore-stop-secure-container, needed to start and stop the container with TLS support.

Security Configuration provided

In order to obtain TLS Authentication and SAML Authorization as global behaviour, the configuration is the following.

  • both the files GHNConfig.xml and GHCConfig.client.xml file contain the parameter securityenabled set to true
  • the implementation.properties file contains the fields:
                GCUBEServiceSecurityManager = org.gcube.common.vomanagement.security.configuration.GCUBESamlAssertionServiceSecurityManager
                GCUBEServiceAuthenticationController = org.gcube.common.core.security.impl.GCUBESimpleServiceAuthController
                GCUBEServiceAuthorizationController = org.gcube.common.core.security.impl.GCUBEAuthzChainAuthorizationController


further information about the meaning of this security manager and the auth and authz controller are in Security Plugins Table section

  • the server-config.wsdd file contains the following parameters
               <parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
               <parameter name="defaultSecurityConfiguration" value="etc/globus_wsrf_core/default_services_security_configuration.xml"/>
               <parameter name="pip-authzXACMLServiceUrl" value="https://grids03.eng.it:8152/authz"/>


the first parameter sets the relative path of the global security descriptor, the second one sets the path of the default services security configuration and the third one is the url of an Authorization Provider (to be replaced with the correct url).

  • The Global Security Descriptor is the following:
         <securityConfig xmlns="http://www.globus.org">
              <credential>
                  <key-file value="/etc/grid-security/containerkey.pem"/>
                  <cert-file value="/etc/grid-security/containercert.pem"/>
              </credential>
             <authz value="pip:org.gcube.common.vomanagement.security.authorisation.control.impl.xacml.XACMLServiceNameBasedPIP pip:org.gcube.common.vomanagement.security.authorisation.control.impl.xacml.XACMLBasedPDP"/> 
 
        </securityConfig>

where the paths to the host certificate cert/key are set and the Authorization Chain is defined Authorization Chain configuration

  • The Default Service Security Configuration is the following:
        <services_security xmlns="http://www.d4science.eu">
	     <in enabled="true" override="false">
		<auth_method>GSITransport</auth_method>
		<protection_level>integrity,privacy</protection_level>
	     </in>
	     <out enabled="true" override="true">
		<auth_method>GSITransport</auth_method>
		<protection_level>integrity,privacy</protection_level>
	     </out>
	    <propagateCallerCredentials override="false" value="true"/>  
       </services_security>

where the incoming and outgoing messages behaviours are defined. In particular the security protocol is GSITransport (TLS), the protection level is integrity (digital signature) and privacy (encryption) and the caller credential propagation is enabled. The enable attribute on in and out specifies if the configuration should be read by the system: if the attribute is set to false the service based configuration became mandatory. The override attribute, if set to true forces the system to adopt the global configuration even if a per service configuration exists.

It is possible to change the global security configuration to satisfy some extra requirements, but the most usual changes to be performed could be:

  • the security status (enabled or disabled)
  • the path of the host certificate
  • the url of the Authorization Service
  • the protection level (only signature improves the performances)
  • the credential propagation status (to force only service credentials to be used)

The truststore of a GHN is in the folder: /etc/grid-security/certificates. This folder should contain the trusted CA certificates and the updated revocation list stored in files named with the CA hash, for example:

  • 2f3fadf6.0 is a certificate
  • 2f3fadf6.r0 is the revocation list
  • 2f3fadf6.namespace, 2f3fadf6.info, 2f3fadf6.crl_url, 2f3fadf6.signing_policy contain other information

Per Service settings

The Service jndi-config.xml contains the following parameters:

  • the security status securityenabled (boolean)
  • the securityManagerClass: the class of the security manager used only by the related service
  • the authenticationManagerClass: the class of the authentication manager used only by the related service
  • the authorisationManagerClass: the class of the authorization manager used only by the related service

The parameters are not mandatory, and, if not present, the global parameters are used. By the local configuration it is possible to define some per service behaviours, useful for services that should interact with external infrastructures. For these kind of Edge Services the most used security managers and controllers are described in the section Extension Security Libraries. Other possible choices are in the Security Plugins Table section, where the further configuration parameters needed are also described.

An example of Service Security Descriptor is the following:

	<method name="about">
		<auth-method>
			<GSITransport>
			<protection-level> 
			<privacy/>
			</protection-level> 
			</GSITransport>
		</auth-method>
	</method>
it configures TLS with encryption for the method about: to configure the security features for all methods the
 <auth-method>
element should be placed out of the
 <method>
element.

The service.wsdd file should point to the local security descriptor with an element like the following:

  <parameter name="securityDescriptor" value="etc/org.acme.sample/security_descriptor.xml"/>

in order to instrument the server to read the local security descriptor, otherwise the default security configuration is used. For outgoing messages configuration the concept is similar, with the difference that, inside the wsdd internal to the stub jar, the parameter should point to the name of the security descriptor file in the jar, the path is not required.

Client configuration

A secure client, in general, uses https as communication protocol and a Security Manager. The Security Manager could be the default one, loaded from implementation.properties:

GCUBEClientSecurityManager = org.gcube.common.vomanagement.security.configuration.client.GCUBESamlAssertionAutoInsertClientSecurityManager
in order to easily load it, the method
 SecurityContextFactory.getInstance().getSecurityContext().getDefaultSecurityManager()
is provided in gCore framework. The Security Manager should be initialized with an Identity Parameter provided by the client.

The Identity Parameter is not valid for the authentication (for this purpose only the host certificate is used), but it determines only the authorization privileges basing on the identity of the user who performs the call: what the Identity Parameter is, in concrete cases, depends on the implementation of the security manager and is described in the Security Plugins Table section.

In our infrastructure the Role or the Service ID (serviceClass.serviceName) should be used as Identity Parameter. The clients should provide the parameter to the Client Security Manager by the method

org.gcube.common.vomanagement.security.configuration.client.GCUBEClientSecurityConfigurationManager.setDefaultIdentityParameter(String)

or

org.gcube.common.vomanagement.security.configuration.client.GCUBEClientSecurityConfigurationManager.setIdentityParameters(Map<String, String>)

if more than a single Identity is needed.

The way used by the client to obtain this information from the user depends on the client implementation: for example the clients used only by Infrastructure Administrators, that are placed on a trusted GHN, don't use any identity parameter (in particular their Identity is the DN of the caller host) or requires it as command line parameter.