IBM Skip to main content
Search for:   within 
      Search help  
     IBM home  |  Products & services  |  Support & downloads   |  My account

developerWorks > Grid computing | Java technology
developerWorks
Using Java technology with Globus Grid Security Infrastructure
174 KBe-mail it!
Contents:
The basics of GSI certificates
Using Java classes to generate certificates
Creating a self-signed user certificate and private key
Creating credentials from user certificates
Creating a certificate request
Creating a certificate generator main function
Conclusion
Resources
About the author
Rate this article
Related content:
Grid Job submission using the Java CoG Kit
Querying the Grid with the Globus Toolkit Monitoring and Discovery Service
Implementing a Grid information provider with the Monitoring and Discovery Service
Transferring files with GridFTP
Subscriptions:
dW newsletters
dW Subscription
(CDs and downloads)
Generating grid credentials using the Java CoG Kit 1.1

Level: Intermediate

Vladimir Silva (mailto:vsilva@us.ibm.com?cc=&subject=Using Java technology with Globus Grid Security Infrastructure)
OGSA development contractor, IBM
September 2003

Grid Security Infrastructure (GSI) enables secure authentication and communication over computer networks. It is a Globus Toolkit component that provides a number of useful services for grids, including mutual authentication and single sign-on. However, manipulating grid certificates using the Globus Toolkit 3.0 (GT3) in Windows environments is an awkward situation. It usually requires that system administrators or users install GT3 on Linux systems in order to use the command line scripts to generate certificates. Then they must move those certificates to their Windows systems. This article demonstrates an easier alternative, provided by the Java CoG Kit: using a Java class to create and sign grid proxies and certificates.

The basics of GSI certificates
Grid Security Infrastructure (GSI) is based on proven standards such as public key encryption, X.509 certificates, and the Secure Sockets Layer (SSL). Extensions to these standards have been added for single sign-on and delegation.

One of the main concepts in GSI authentication is certificates. Every grid service and user is identified by means of a certificate, which contains information used to authenticate and identify that user or service.

A GSI certificate includes information such as:

  • A subject, which identifies the person or object that the certificate represents
  • The public key that belongs to the subject
  • The identity of a Certificate Authority (CA) that has signed the certificate. CAs certify that the public key and the identity both belong to the subject.
  • The digital signature of the named CA

A third-party certificate authority is used to certify the link between the public key and the subject in the certificate. For an overview of the Globus Toolkit security infrastructure, see "Overview of the Grid Security Infrastructure" listed in the Resources section of this article.

Using Java classes to generate certificates
APIs built into the Java CoG Kit 1.1 on GT3 can generate a user certificate or certificate request, sign certificates, and create proxies. The certificate can serve as the basis for a Java CA implementation, if you do not want to use the UNIX based simple CA available at the Globus Web site. Listing 1 shows you how to get started by creating a CertificateGenerator class.

Creating a self-signed user certificate and private key
The first step in setting up GSI is to create a signed user certificate and a private key. These two arguments can later be used to generate a Globus credential, also known as a proxy, that provides access to your grid resources.

In UNIX systems, the $GLOBUS_LOCATION/bin/grid-cert-request.sh script will start by creating a certificate request that must be submitted to the Globus Certificate Authority for a signature.

The CA testifies that indeed you are the person you claim to be. In this sample class, we will use the COM.claymoresystems.cert.CertRequest class to make a "self-signed" user certificate along with a private key encrypted with a user's password. Listing 2 demonstrates this technique.

A call to the CertRequest.generateKey("RSA", 512, Pwd, bw, true); class should do the trick. The arguments to this call represent the following:

  • A cipher used for generation (RSA).
  • The strength of the certificate keys in bits (512).
  • A password used to encrypt the private key.
  • A buffered writer to store the private key.

Note: The CertificateRequestclass is contained in the puretls.jar archive distributed with the GT3 Java CoG kit.

This call will return a KeyPair object that you can then use in the following instruction to generate a self-signed certificate: CertRequest.makeSelfSignedCert(kp, makeGridCertDN(m_OrgUnit, m_CommonName), 31536000).

Both the user certificate and the private key are encoded in base 64 PEM format. For more information, see the java.security.* class and the writePEM function.

Creating credentials from user certificates
With a user certificate and private key, we are ready to create the proxy. Note that the package org.globus.security.* has been deprecated and replaced with org.globus.gsi.*, which uses the open source Grid Security Services (GSS). See "Security Library Compatibility" in the Resources section of this article for further details.

The method in Listing 3 will create a credential compatible with GT3 or GT 2.2x.

If you have a PEM encoded proxy file (downloaded from your UNIX system), you can use the utility method in Listing 4 to build a GlobusCredential object.

Creating a certificate request
You may want to submit your certificate request to be signed by another CA. The function in Listing 5 shows you how to create it.

Our certificate generator is complemented with the utility functions in Listing 6 that are used for tasks such as:

  • Encoding certificate bytes in PEM format.
  • Creating X.509 names or DNs for generation purposes.

Creating a certificate generator main function
Listing 7 provides code that illustrates how to create a CertificateGenerator main function.

The code in Listing 7 requires the following JAR files (all of which are distributed with GT3) to be in your classpath:

  • cog-jglobus.jar
  • cryptix32.jar
  • cryptix-ans1.jar
  • jce-jdk13-117.jar
  • log4j-core.jar
  • puretls.jar

A run of this class will produce the output in Listing 8.

Conclusion
This article gives you a place to start in understanding how the grid security infrastructure works. You can modify the Java code demonstrated here to implement your own security or certificate authority services. These APIs are based on proven open-source standards such as PKI and X.509 certificates. For more information see the GSI page on the Globus site.

Resources

About the author
Vladimir Silva was born in Quito, Ecuador. He received a Systems Analyst degree from the Polytechnic Institute of the Army in 1994. In the same year, he came to the United States as an exchange student pursuing a career in Computer Science at Middle Tennessee State University. After graduation, he joined the IBM "Web-Ahead" technology think tank. His interests include Grid computing, neural nets, and artificial intelligence. He also holds numerous IT certifications including OCP, MCSD, and MCP. You can contact Vladimir at vsilva@us.ibm.com.


174 KBe-mail it!

What do you think of this document?
Killer! (5) Good stuff (4) So-so; not bad (3) Needs work (2) Lame! (1)

Comments?



developerWorks > Grid computing | Java technology
developerWorks
  About IBM  |  Privacy  |  Terms of use  |  Contact