How to handle proxy certificates using SSL?

Background

  • RFC 5280 about X509 certificates, which has replaced RFC 3280,
  • RFC 3281 about attribute certificates, which is a good background for VOMS and
  • RFC 3820 about proxy certificates or grid proxies.

Introduction

If you understand TLS (or SSL) and how you can use X509 certificates to do mutual authentication in this protocol, then you may wonder why do you need to install a lot of grid software to do the same.

Let's see the differences:

  • proxy certificates: these are typically short lived certificates signed by a user certificate (see RFC 3821). A typical SSL library only accepts certificates signed by a real Certificate Authority (CA), thus these are refused by default.
  • CA namespace: a typical library, which checks the validity of (client or server) certificate only checks, if they were signed by a valid CA. Since we have many CAs and we would like to avoid even the accidental clash of certificate distinguised names (DN) there are additional files beside CA certificates, which describe the DNs issued by that CA.
  • VOMS attribute certificates (AC): virtual organization affiliation, group membership or role information is embedded into X509 certificates as attributes of RFC 3281 style attribute certificates. Validating and parsing of this information is typically not available in SSL libraries.

Implementations

These features are implemented by the following libraries:

Software Proxy Verification CA namespace VOMS AC
Globus GSI C C (only signing_policy) -
Java CoG Java Java (only signing_policy) -
gLite trustmanager Java Java -
gLite VOMS C/C++/Java C/C++/Java C/C++/Java
GridSite C C C

The usual question is if one needs to install the whole gLite/VDT/Globus software stack to implement these features in an SSL based software.

only signing policy: only the Globus /etc/grid-security/certificates/*.signing_policy files are supported, the EuGridPMA style *.namespaces are not.

Proxy Certificates

If one only wants to have authenticated clients connecting to the service and possible DN clashes are not perceived as a problem, then only the certificate chain validation needs to be modified.

Using Gridsite

See mod_gridsite on how to do it in a normal SSL library:

GRST_X509_check_issued_wrapper()
GRST_verify_cert_wrapper()
GRST_callback_SSLVerify_wrapper()
and mod_gridsite_server_post_config(), basically

    /* in 0.9.7 we could set the issuer-checking callback directly */
    //ctx->cert_store->check_issued = GRST_X509_check_issued_wrapper;

    /* but in case 0.9.6 we do it indirectly with another wrapper */
    SSL_CTX_set_cert_verify_callback(ctx,
                                     GRST_verify_cert_wrapper,
                                     (void *) NULL);

    /* whatever version, we can set the SSLVerify wrapper properly */
    SSL_CTX_set_verify(ctx, ctx->verify_mode,
                       GRST_callback_SSLVerify_wrapper);

Using VOMS

It is included in the voms api library, which in turn requires only OpenSSL, and is called proxy_verify_callback(). You can see how to use it by taking a look at VOMS' src/socklib/Client.cpp, particularly at the GSISocketClient::Open() method:

  SSL_METHOD *meth = NULL;
  meth = SSLv3_method();
  ctx = SSL_CTX_new(meth);

  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback);
  SSL_CTX_set_verify_depth(ctx, 100);

VOMS AC

To get the DN and the VOMS FQANs, you can either use the VOMS API -- see retrieve_voms_credentials() in CGSI_gSOAP

or you can use GridSite for that -- see check_voms_proxy() in glite-data-util-c (used by FTS).

Trustmanager and voms-java

One can use the glite-security-trustmanager package to support proxy certificates in the servers side and to make use of proxy certificates in Axis clients.

For Tomcat one has to configure the TLS certificate path validation by a convenience class provided by the package by modifying Tomcat's /etc/tomcat5/server.xml description:

<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <Connector port="8443" SSLEnabled="true"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               trustStoreDir="/etc/grid-security/certificates"
               sslCertFile="/etc/grid-security/tomcat-cert.pem"
               sslKey="/etc/grid-security/tomcat-key.pem"
               crlUpdateInterval="2h"
               log4jConfFile="/etc/tomcat5/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS" 
               crlEnabled="true" crlRequired="true"/>

    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>

Once the request is authenticated one can pick up the certificate chain inside the service by using the InitSecurityContext convenience class.

One can then retrieve the VOMS attributes from this certificate chain by using voms-java:

public static String[] getVOMSAttributes(SecurityContext sc) {
        return new org.glite.voms.VOMSValidator(sc.getClientCertChain()).validate().getAllFullyQualifiedAttr
ibutes();
}

Trustmanager client

One has to add the BoncyCastle, log4j, trustmanger and util-java jars to the classpath.

After that one has to set socket factory the Axis uses to create sockets by command line option

-Daxis.socketSecureFactory=org.glite.security.trustmanager.axis.AXISSocketFactory
-DtrustStoreDir=/etc/grid-security/certificates

The default proxy credentials can be used by:

-DgridProxyFile=/tmp/x509up_u`id -u`

or user's real credentials as:

-DsslCertFile=$HOME/.globus/usercert.pem 
-DsslKey=$HOME/.globus/userkey.pem
-DsslKeyPasswd=password

Is it available on ...?

For Globus packages have a look at the platforms of VDT 1.10!

gLite trustmanager and VOMS is officially released on SLC4 (i386 and x86_64) by gLite, while VOMS is also provided by a number of other platforms by VDT.

GridSite is released in binary packages by gLite, however it is easy to re-build it on any RPM based platform.

VOMS and GridSite both come in build flavours with or without Globus dependency.

If you have any other Grid/Globus dependency, then VOMS is probably the right choice, because it also provides full support for VOMS ACs. See glite-security-voms-api for development and glite-security-voms-api-c, glite-security-voms-api-cpp and glite-security-voms-api-noglobus for the shared libraries.

If your service is Apache based, then GridSite's mod_gridsite is the right choice and you can use gridsite-core on the client side

Links

Last edit: AkosFrohner on 2009-03-09 - 10:36

Number of topics: 1

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2009-05-19 - AkosFrohner
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback