Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMI INFSO-RI-261611 Common Authentication Library Krzysztof Benedyczak (UWAR)

Published byNoah Douglas Bell Modified over 8 years ago

Similar presentations

Presentation on theme: "EMI INFSO-RI-261611 Common Authentication Library Krzysztof Benedyczak (UWAR)"— Presentation transcript:

1 EMI INFSO-RI-261611 Common Authentication Library Krzysztof Benedyczak (UWAR)

2 EMI AHM, Prague, November 2010 Plan ● Summary of what has been done&decided. ● General/strategic issues regarding the library. ● Review of the affected components list. ● Java API ● C API ● C++ API ● Schedule on finalization of the API & consultations with affected PTs. ● What's next?

3 EMI AHM, Prague, November 2010 Common authN library ● Aim: provide a commonly used library supporting authentication and tightly coupled functions. ● Why? ● As we have multiple libraries in our 4 stacks doing authentication. reduced maintenance uniform features for UMD ● Examples: ● In gLite some components check if DN conforms to the CA namespace without case-sensitiveness. Some with. ● In UNICORE Gateway provides more authN features then other servers.

4 EMI AHM, Prague, November 2010 What has been done/decided? ● Wiki page created. https://twiki.cern.ch/twiki/bin/view/EMI/EmiJra1T4SecurityCommonAuthNLib ● Three languages - Java, C, C++ ● Requirements were collected and unified. ● Initial list of components: ● using authentication libraries, ● implementing authentication ● was established. ● Requirements collection step showed that there are quite different opinions on the library shape and even purpose.

5 EMI AHM, Prague, November 2010 Library models and purpose ● We support TLS and X.509 authentication - obvious. Other options: ● add SAML Authentication support too or ● arbitrary protocol support (Kerberos, LDAP,...) ● Library models which were considered: ● consolidated, tuned for the concrete authN mechanism, ● pluggable with different options hidden under a common API (Joni, Andrea, Daniel) – e.g. GSS API

6 EMI AHM, Prague, November 2010 Current status ● We support TLS/X.509 only. ● If there is a need for a common SAML authentication library it will be provided as a separate entity.

7 EMI AHM, Prague, November 2010 Motivation ● Decision to use STS/SLCS/... eliminates need for wide adoption of SAML AuthN in all components. ● Currently SAML AuthN is not present (or nearly not present?) among EMI components. ● Authentication API is very dependent on the authentication mechanism and offered functionality. Therefore abstract API is very generic and hard to use. ● Different integration scenarios in various containers. ● Different credentials. ● Credentials and respective utilities are needed AFTER authN layer too. ● We don't have enough time to work for a long time on this.

8 EMI AHM, Prague, November 2010 Open topics ● General: is the current model widely accepted? ● Minor (those are for the implementation): ● Shall we support RFC 5280? – How? By default or only optionally in some selected functions? ● OCSP support?

9 EMI AHM, Prague, November 2010 List of existing authN code ● gLite: VOMS (C, Java) ● Nothing more? ● ?(KB) trustmanager, util-java, L&B,...? ● ARC: ARC Container (C++ with Java&Python bindings) ● Nothing more? E.g. update-crls, arcproxy? ● dCache: ???? ● No input so far! ● UNICORE - complete list on the wiki.

10 EMI AHM, Prague, November 2010 Review: affected components ● gLite: TFS, CREAM, WMS, VOMS Admin, Argus, SLCS ● No other components? What's about APEL*, DGAS*, BDII*, STS, delegation-java, gridsite, proxyrenewal? ● ARC: ARC Container ● Is everything using the container? E.g. libarcclient? ● dCache: No input so far!! ● ??? ● UNICORE: complete list on the wiki

11 EMI AHM, Prague, November 2010 Java API ● We want to reuse X.509 JDK code (JCA), and integrate with SSL engine (JSSE). ● It is impossible to reuse certificate validation code as implementation is hidden and it is not possible to go round proxy certificate validation (lack of CA extension) ● Additionally the JCA API is quite awkward. ● We can quite easily integrate with JSSE.

12 EMI AHM, Prague, November 2010 Java API (2) ● interface X509CertChainValidator ● Implementations are used to perform a manual certificate chain validation. Implementations shall reuse as many of CertificateChecker implementations as possible. Implementations must be thread safe. ValidationResult validate(java.security.cert.CertPath cp) ValidationResult validate(java.security.cert.X509Certificate[] cp) java.security.cert.X509Certificate[] getTrustedIssuers() void addValidationListener(ValidationListener l) void removeValidationListener(ValidationListener l) --------------------------EXAMPLE--------------------------------- OpensslCertChainValidator v = new OpensslCertChainValidator( "/my/certs", CRL.REQUIRE, OpensslCertChainValidator.NAMESPACE.IGNORE, 100); ValidationResult result = v.validate(toBeChecked);

13 EMI AHM, Prague, November 2010 Java API: validation implementations ● Internally various X509CertChainValidator implementations should reuse as much of code as possible. ● For further extensibility (new or modified validators) we can define validator building blocks (called checkers) ● May be stateful, implementations need not to be thread safe - one instance must not be used to check two certificate chains simultaneously. interface CertificateChecker { List check(X509Certificate[] cert, int position, Collection unresolvedCritExts) void init() }

14 EMI AHM, Prague, November 2010 Java API: JSSE integration ● class CanlX509TrustManager implements javax.net.ssl.X509TrustManager ● Wraps X509CertChainValidator so it can be easily used in standard Java SSL API. ● interface Credential ● java.security.KeyStore getAsKeyStore() ● javax.net.ssl.KeyManager getAsKeymanager() ● class HostnameToCertificateChecker implements javax.net.ssl.HandshakeCompletedListener ● Implementation which can be registered on a SSLSocket to verify if target hostname is matching a DN of its certificate.

15 EMI AHM, Prague, November 2010 Java API: JSSE integration ● class SocketFactoryCreator ● Simple utility allowing programmers to quickly create SSLSocket factories. class SocketFactoryCreator { static SSLServerSocketFactory createSSF(Credential c, X509CertChainValidator v) static SSLSocketFactory createSF(Credential c, X509CertChainValidator v) } -------------------------EXAMPLE------------------------------- KeystoreCertChainValidator v = new KeystoreCertChainValidator( "truststore.jks", CRL.REQUIRE, passwd, "JKS", crls, 100); Credential c = new KeystoreCredential("/my/keystore.jks", ksPasswd, keyPasswd, "JKS"); SSLServerSocketFactory sslSsf = SocketFactoryCreator.createSSF(c, v); ServerSocket sslSS = sslSsf.createServerSocket();

16 EMI AHM, Prague, November 2010 Java API: Utilities ● Testing two DNs for equality. ● What more? ● Proxy certificate utilities: ● As a class being Credential or ● X509Certificate? ● Operations: – write to disk – load from disk – ? creation of a proxy request ● Creation arguments?

17 EMI AHM, Prague, November 2010 C API ● Vinzenzo

18 EMI AHM, Prague, November 2010 C++ API ● Aleksandr

19 EMI AHM, Prague, November 2010 APIs documentation ● What exactly we shall provide? ● Overview ● Examples ● Functions or methods & classes description ● What format? ● Where to put it?

20 EMI AHM, Prague, November 2010 Short term schedule ● Finalization of the API ● Applying changes from AHM – DATE ● Documentation – How? – DATE ● Final internal review – Who which API? – DATE ● Consultations with affected PTs ● End DATE

21 EMI AHM, Prague, November 2010 What's next? ● Common authentication library Product Team ● What are the responsibilities? – (?) Actual implementation of the interface, support and evolution (?) ● Who is involved? ● Schedule: – RC: – 1.0 Final:

22 EMI INFSO-RI-261611 EMI AHM, Prague, November 2010 Thank you 22 EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611

Download ppt "EMI INFSO-RI-261611 Common Authentication Library Krzysztof Benedyczak (UWAR)"

Similar presentations

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.

Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.
CS 255 – Cryptography & Computer Security Programming Project 2 – Winter 04 Priyank Patel

CS 255 – Cryptography & Computer Security Programming Project 2 – Winter 04 Priyank Patel
EMI INFSO-RI-261611 EMI Quality Assurance Processes (PS06-4-499) Alberto Aimar (CERN) CERN IT-GT-SL Section Leader EMI SA2 QA Activity Leader.

EMI INFSO-RI EMI Quality Assurance Processes (PS ) Alberto Aimar (CERN) CERN IT-GT-SL Section Leader EMI SA2 QA Activity Leader.
Java Security Pingping Ma Nov 2 nd, 2006. Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
EMI INFSO-RI-261611 SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.

EMI INFSO-RI SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Software stack consolidation Balázs Kónya, Lund University 3rd EMI all-hands,

EMI is partially funded by the European Commission under Grant Agreement RI Software stack consolidation Balázs Kónya, Lund University 3rd EMI all-hands,
Overview of user client usage: ARC Iván Márton Zsombor Nagy.

Overview of user client usage: ARC Iván Márton Zsombor Nagy.
EMI 1 Release The EMI 1 (Kebnekaise) release features for the first time a complete and consolidated set of middleware components from ARC, dCache, gLite.

EMI 1 Release The EMI 1 (Kebnekaise) release features for the first time a complete and consolidated set of middleware components from ARC, dCache, gLite.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.

EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.
Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting 17.-19.10.2011, Padova, Italy.

Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting , Padova, Italy.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Discovering Infrastructures with EMI Registry (EMIR) Emidio Giorgio.

EMI is partially funded by the European Commission under Grant Agreement RI Discovering Infrastructures with EMI Registry (EMIR) Emidio Giorgio.
EMI INFSO-RI-261611 Overview of the EMI development objectives Balázs Kónya (Lund University) EMI Technical Director EMI All Hands Prague, 23rd November.

EMI INFSO-RI Overview of the EMI development objectives Balázs Kónya (Lund University) EMI Technical Director EMI All Hands Prague, 23rd November.
EMI INFSO-RI-261611 Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
EMI INFSO-RI-261611 European Middleware Initiative (EMI) Alberto Di Meglio (CERN)

EMI INFSO-RI European Middleware Initiative (EMI) Alberto Di Meglio (CERN)

Similar presentations

Ads by Google