Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMI is partially funded by the European Commission under Grant Agreement RI-261611 Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.

Published byJesse McDonald Modified over 8 years ago

Similar presentations

Presentation on theme: "EMI is partially funded by the European Commission under Grant Agreement RI-261611 Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF."— Presentation transcript:

1 EMI is partially funded by the European Commission under Grant Agreement RI-261611 Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF 2012, Prague

2 EMI INFSO-RI-261611 Common security layer (PKI) used but no common code in applications – Expensive maintenance – No common profile for SSL and X.509 – Difficult to add new features – Security audit of code quite hard Adapting CANL decreases cost of maintenance and further develpment Motivation

3 EMI INFSO-RI-261611 Simple API to support authentication using X.509 TLS/SSL – Delegation, authorization, other sec. mechanisms, out of scope Functionality to deal with Grid specifics Cover popular languages – Native API for C,C++,Java APIs easy to understood and use – Differences between the bindings Main Goals

4 EMI INFSO-RI-261611 APIs designed and underwent detailed expert reviews Implementations delivered as part of EMI-2 Main features provided by all three libs – Credentials handling – Trust store handling – Name constraints checking – CRL – Proxy: verification, generation, proxy CSRs, utilities – Partially unified error codes and messages Current Status

5 EMI INFSO-RI-261611 Differences are mostly between Java and non- Java. Truststores – Java: several different – C&C++: only OpenSSL-style Distinguished names handling – Java: extensive support, RFC 2253 based – C & C++: minimal handling, currently OpenSLL syntax is used – C & C++ will add (configurable) support for RFC 2253, with RFC format being the suggested one. No network IO in Java (integrated with Java API) API Differences

6 EMI INFSO-RI-261611 API documentations available – JAVA: http://unicore-dev.zam.kfa- juelich.de/documentation/canl-1.0.1/manual.pdfhttp://unicore-dev.zam.kfa- juelich.de/documentation/canl-1.0.1/manual.pdf – C: http://egee.cesnet.cz/cvsweb/SEC/canl.pdfhttp://egee.cesnet.cz/cvsweb/SEC/canl.pdf – C++: Comments included in header files Samples of codes provided – Connection establishment, delegation, proxy mgmt Developers will need to replace their code with calls to canl Integration with applications

7 EMI INFSO-RI-261611 Example C: proxy creation ctx = canl_create_ctx(); /* First create a certificate request with a brand-new keypair */ ret = canl_cred_new(ctx, &proxy); ret = canl_cred_new_req(ctx, proxy, bits); /*Create key-pairs implicitly*/ ret = canl_cred_set_lifetime(ctx, proxy, lifetime); ret = canl_cred_set_cert_type(ctx, proxy, CANL_RFC); /* Load the signing credentials */ ret = canl_cred_new(ctx, &signer); ret = canl_cred_load_cert_file(ctx, signer, user_cert); ret = canl_cred_load_priv_key_file(ctx, signer, user_key, NULL, NULL); /* Create the proxy certificate and store it in a file*/ ret = canl_cred_sign_proxy(ctx, signer, proxy); ret = canl_cred_save_proxyfile(ctx, proxy, output);

8 EMI INFSO-RI-261611 Example C++: delegation, proxies //EEC acquisition AuthN::Context full_ctx(AuthN::Context::ClientFullContext); AuthN::Credentials eec_cred(full_ctx); //Proxy request AuthN::Context empty_ctx(AuthN::Context::EmptyContext); AuthN::ProxyCredentialsRequest proxyreq(empty_ctx); proxyreq.MakeKeys(1024); AuthN::Credentials::Extension policy; policy.value = "my test proxy policy"; proxyreq.SetPolicy(policy); proxyreq.SetValidFrom(time(NULL)); proxyreq.SetValidTill(time(NULL) + 3600*12); //Proxy signing AuthN::Credentials proxy(empty_ctx); AuthN::Status st = eec_cred.Sign(proxyreq, proxy, opensslcnf); std::string cert, key, chain; proxy.GetCertificate(cert); proxy.GetPrivateKey(key); proxy.GetChain(chain);

9 EMI INFSO-RI-261611 Example Java: Chain verification /* * Validates toBeChecked chain using Openssl style truststore, from * the /etc/grid-security/certificates directory. Both kinds of * namespaces are checked and forced if are present. Truststore is * reread every minute. The additional settings are not defined and * so defaults are used: CRLs are forced if are present. Proxy * certificates are supported. */ X509Certificate[] toBeChecked = null; X509CertChainValidator vff = new OpensslCertChainValidator( "/etc/grid-security/certificates", NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS, 60000); ValidationResult result = vff.validate(toBeChecked); if (result.isValid()) { //... } else { List errors = result.getErrors(); //... }

10 EMI INFSO-RI-261611 Thank you

Download ppt "EMI is partially funded by the European Commission under Grant Agreement RI-261611 Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF."

Similar presentations

Innovations in OSGi How to prevent patent applications.

Innovations in OSGi How to prevent patent applications.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Mobile Application Architecture Initiative Steve Wheat Chief IT Architect.

Mobile Application Architecture Initiative Steve Wheat Chief IT Architect.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Securing Your Condor Pool With SSL.
X.509 Certificate management in.Net By, Vishnu Kamisetty

X.509 Certificate management in.Net By, Vishnu Kamisetty
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

Similar presentations

Ads by Google