.files/c.gif) |
|
| Contents: |
|
|
|
|
| Related content: |
|
|
|
|
| Subscriptions: |
|
|
|
| Generating grid credentials using the Java CoG Kit
1.1
Vladimir
Silva (mailto:vsilva@us.ibm.com?cc=&subject=Using
Java technology with Globus Grid Security Infrastructure)
OGSA
development contractor, IBM
September 2003
Grid Security Infrastructure (GSI) enables secure
authentication and communication over computer networks. It is a Globus
Toolkit component that provides a number of useful services for grids,
including mutual authentication and single sign-on. However,
manipulating grid certificates using the Globus Toolkit 3.0 (GT3) in
Windows environments is an awkward situation. It usually requires that
system administrators or users install GT3 on Linux systems in order to
use the command line scripts to generate certificates. Then they must
move those certificates to their Windows systems. This article
demonstrates an easier alternative, provided by the Java CoG Kit: using
a Java class to create and sign grid proxies and
certificates.
The basics of GSI
certificates
Grid Security Infrastructure (GSI) is based on
proven standards such as public key encryption, X.509 certificates, and
the Secure Sockets Layer (SSL). Extensions to these standards have been
added for single sign-on and delegation.
One of the main concepts in GSI authentication is certificates. Every
grid service and user is identified by means of a certificate, which
contains information used to authenticate and identify that user or
service.
A GSI certificate includes information such as:
- A subject, which identifies the person or object that the
certificate represents
- The public key that belongs to the subject
- The identity of a Certificate Authority (CA) that has signed the
certificate. CAs certify that the public key and the identity both
belong to the subject.
- The digital signature of the named CA
A third-party certificate authority is used to certify the link between
the public key and the subject in the certificate. For an overview of the
Globus Toolkit security infrastructure, see "Overview of the Grid Security
Infrastructure" listed in the Resources
section of this article.
Using Java classes to generate
certificates
APIs built into the Java CoG Kit 1.1 on GT3 can
generate a user certificate or certificate request, sign certificates, and
create proxies. The certificate can serve as the basis for a Java CA
implementation, if you do not want to use the UNIX based simple CA
available at the Globus Web site. Listing
1 shows you how to get started by creating a
CertificateGenerator class.
Creating a self-signed user
certificate and private key
The first step in setting up GSI
is to create a signed user certificate and a private key. These two
arguments can later be used to generate a Globus credential, also known as
a proxy, that provides access to your grid resources.
In UNIX systems, the
$GLOBUS_LOCATION/bin/grid-cert-request.sh script will start
by creating a certificate request that must be submitted to the
Globus Certificate Authority for a signature.
The CA testifies that indeed you are the person you claim to be. In
this sample class, we will use the
COM.claymoresystems.cert.CertRequest class to make a
"self-signed" user certificate along with a private key encrypted with a
user's password. Listing
2 demonstrates this technique.
A call to the CertRequest.generateKey("RSA", 512, Pwd, bw,
true); class should do the trick. The arguments to this call
represent the following:
- A cipher used for generation (RSA).
- The strength of the certificate keys in bits (512).
- A password used to encrypt the private key.
- A buffered writer to store the private key.
Note: The CertificateRequestclass is contained in
the puretls.jar archive distributed with the GT3 Java CoG kit.
This call will return a KeyPair object that you can then
use in the following instruction to generate a self-signed certificate:
CertRequest.makeSelfSignedCert(kp, makeGridCertDN(m_OrgUnit,
m_CommonName), 31536000).
Both the user certificate and the private key are encoded in base 64
PEM format. For more information, see the java.security.*
class and the writePEM function.
Creating credentials from user
certificates
With a user certificate and private key, we are
ready to create the proxy. Note that the package
org.globus.security.* has been deprecated and replaced with
org.globus.gsi.*, which uses the open source Grid Security
Services (GSS). See "Security Library Compatibility" in the Resources
section of this article for further details.
The method in Listing
3 will create a credential compatible with GT3 or GT 2.2x.
If you have a PEM encoded proxy file (downloaded from your UNIX
system), you can use the utility method in Listing
4 to build a GlobusCredential object.
Creating a certificate
request
You may want to submit your certificate request to
be signed by another CA. The function in Listing
5 shows you how to create it.
Our certificate generator is complemented with the utility functions in
Listing
6 that are used for tasks such as:
- Encoding certificate bytes in PEM format.
- Creating X.509 names or DNs for generation purposes.
Creating a certificate generator
main function
Listing
7 provides code that illustrates how to create a
CertificateGenerator main function.
The code in Listing 7 requires the following JAR files (all of which
are distributed with GT3) to be in your classpath:
- cog-jglobus.jar
- cryptix32.jar
- cryptix-ans1.jar
- jce-jdk13-117.jar
- log4j-core.jar
- puretls.jar
A run of this class will produce the output in Listing
8.
Conclusion
This
article gives you a place to start in understanding how the grid security
infrastructure works. You can modify the Java code demonstrated here to
implement your own security or certificate authority services. These APIs
are based on proven open-source standards such as PKI and X.509
certificates. For more information see the GSI page on the Globus
site.
Resources
About the
author
Vladimir Silva was born in Quito, Ecuador. He
received a Systems Analyst degree from the Polytechnic Institute of
the Army in 1994. In the same year, he came to the United States as
an exchange student pursuing a career in Computer Science at Middle
Tennessee State University. After graduation, he joined the IBM
"Web-Ahead" technology think tank. His interests include Grid
computing, neural nets, and artificial intelligence. He also holds
numerous IT certifications including OCP, MCSD, and MCP. You can
contact Vladimir at vsilva@us.ibm.com.
|
|
.files/ibm-logo.gif){kind=logo}
.files/icon-pdf.gif){kind=icon}
.files/icon-email.gif){kind=icon}
.files\c(1).gif){kind=small}
.files/dwlogo-small.gif){kind=small}