Service Security

Authentication

GridSAM is preconfigured to perform WS-Security signature verification on all request messages and signing of all response messages. HTTPS can optionally be used to encrypt the data stream. WS-Security together with HTTPS provide strong encryption at the transport level and verification of message signature at the message level. This is the recommended setup for a secured deployment.

The WS-Security configuration files can be found in $OMII_HOME/webapps/gridsam/WEB-INF/classes/crypto.properties. For details on how to configure the security settings as well as enabling HTTPS transport, please refer to the OMII-UK Development Kit User Guide.

GridSAM also supports HTTPS mutual authentication without WS-Security.

Task: Enabling mutual authentication in the OMII container
UPDATE: As of OMII-UK Server 3.4.0, HTTPS is the default, out-of-the-box configuration.

GridSAM relies on the container to authenticate the caller and obtain the user credential, using either transport-level or message-level security. HTTPS mutual authentication has a performance advantage over message-level security, but it loses the ability to route a message across third parties while still letting the intermediaries verify the origin of the message.

NOTE: Enabling client authentication in Tomcat causes all the services deployed in the OMII container to adopt HTTPS mutual authentication. There is no way to selectively enable HTTPS mutual authentication on a service-by-service basis.

To enable HTTPS Mutual Authentication without WS-Security

  1. Edit the Tomcat configuration file $OMII_HOME/apache-tomcat-5.5.23/conf/server.xml. Locate the HTTPS <Connector> element, which looks similar to this (it might be commented out if you have not enabled HTTPS in the OMII container before):
        ..
        <Connector port="8443"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" debug="0" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
        ..
  2. Ensure the <Connector> element is not commented out. Modify the attributes as described in the Tomcat SSL Configuration guide. An example setting is shown here.
        ..
        <Connector port="8443"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" debug="0" scheme="https" secure="true"
                   sslProtocol="TLS"
                   clientAuth="true"
                   truststoreFile="/my/secure/dir/truststore.jks"
                   truststorePass="changeit"
                   keystoreFile="/my/secure/dir/keystore.jks"
                   keystorePass="changeit"
                   />
        ..
  3. Note that the attribute clientAuth="true" enables mutual authentication, while the last four attributes specify the keystore and truststore locations and passwords. The keystore contains the private key used to identify the server. The truststore contains the trusted CA certificates: any client presenting a certificate that can be verified against the truststore is trusted.
  4. Save the configuration file.
  5. Edit the configuration file $OMII_HOME/apache-tomcat-5.5.23/webapps/gridsam/WEB-INF/server-config.wsdd

    In the file, locate the element

        ..
        <service name="gridsam" style="message">
            <parameter name="className" value="org.icenigrid.gridsam.webservice.axis.GridSAMServiceAxisImpl"/>
            <parameter name="allowedMethods" value="*"/>
            <parameter name="scope" value="application"/>
            <wsdlFile>org/icenigrid/gridsam/resource/schema/wsdl/gridsam.wsdl</wsdlFile>
            <!-- comment out the following to disable WS-Security on the server -->
            <!-- <WS-Security> -->
            <requestFlow>
                <handler name="ServiceContextInitHandler" type="java:uk.ac.soton.itinnovation.grid.gridservit.axis.handlers.ServiceContextInitHandler"/>
                <handler name="SecurityContextInitHandler" type="java:uk.ac.soton.itinnovation.grid.gridservit.wss4j.handler.SecurityContextInitHandler">
                    <parameter name="signaturePropFile" value="crypto.properties"/>
                    <parameter name="action" value="Signature"/>
                </handler>
            </requestFlow>
            <responseFlow>
                <handler name="IntegrityEnforcementHandler" type="java:uk.ac.soton.itinnovation.grid.utils.wss4j.handler.WSOutboundHandler">
                    <parameter name="signatureKeyIdentifier" value="DirectReference"/>
                    <parameter name="signaturePropFile" value="crypto.properties"/>
                    <parameter name="passwordCallbackClass" value="uk.ac.soton.ecs.iam.grid.utils.PWCallback"/>
                    <parameter name="action" value="Signature"/>
                    <parameter name="signatureParts" value="Body"/>
                </handler>
            </responseFlow>
            <!-- </WS-Security> -->
        </service>
        ..

    Comment out or remove the <requestFlow> and <responseFlow> elements so that it looks like this:

        ..
        <service name="gridsam" provider="java:MSG" style="message" use="literal">
            <wsdlFile>org/icenigrid/gridsam/resource/schema/wsdl/gridsam.wsdl</wsdlFile>
            <parameter name="allowedMethods" value="*"/>
            <parameter name="scope" value="application"/>
            <parameter name="className" value="org.icenigrid.gridsam.webservice.axis.GridSAMServiceAxisImpl"/>
        </service>
        ..
       
  6. Save the configuration file.
  7. Restart the OMII container.
  8. Test the mutual authentication settings by pointing your browser at https://yourhost:8443/. You need a certificate imported into your browser that the server trusts (that is, one verifiable against its truststore). You should see the Tomcat welcome screen if authentication succeeds.
  9. You can now use the gridsam-submit command to test the GridSAM service. Remember that you need to turn off WS-Security on the client by modifying the client-config.wsdd file in $OMIICLIENT_HOME/conf: remove the WSOutboundHandler and WSDoAllReceiver handlers from the requestFlow and responseFlow sections.
        ..
        <globalConfiguration>
         <parameter name="attachment_encapsulation_format" value="axis.attachment.style.dime"/>
         <parameter name="enableNamespacePrefixOptimization" value="false"/>
    
          <!--
    
           Commented out to turn off WS-Security.
    
          <requestFlow>
           <handler type="java:uk.ac.soton.itinnovation.grid.utils.wss4j.handler.WSOutboundHandler" >
            <parameter name="action" value="Signature"/>
            <parameter name="signaturePropFile" value="crypto.properties" />
            <parameter name="signatureKeyIdentifier" value="DirectReference" />
            <parameter name="passwordCallbackClass"
              value="uk.ac.soton.ecs.iam.grid.utils.PWCallback"/>
           </handler>
          </requestFlow>
          <responseFlow>
           <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
            <parameter name="action" value="Signature"/>
            <parameter name="signaturePropFile" value="crypto.properties" />
            <parameter name="passwordCallbackClass"
              value="uk.ac.soton.ecs.iam.grid.utils.PWCallback"/>
           </handler>
          </responseFlow>
          -->
    
         </globalConfiguration>
    
        ..

    Please note that this turns off WS-Security across all the OMII client commands.

  10. In case of an authentication problem, ensure that your OMII Client installation has a truststore that trusts the server identity.
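As an added check (example code, not part of OMII-UK or GridSAM), the following Python script parses a server.xml and reports Connector settings that would undermine the mutual-authentication setup above: a missing clientAuth="true", a missing keystore or truststore, and the JDK's default password left in place. The inline server.xml skeleton is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Added example, not part of the OMII/GridSAM distribution: lints the HTTPS
# <Connector> in server.xml for the attributes the steps above rely on.
DEFAULT_PASS = "changeit"     # the JDK's well-known default keystore password

def check_https_connector(server_xml):
    """Return one finding per weak or missing setting; an empty list means clean."""
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not https:
        return ["no HTTPS Connector found (is the element still commented out?)"]
    findings = []
    for c in https:
        port = c.get("port", "?")
        if c.get("clientAuth", "false").lower() != "true":
            findings.append("port %s: clientAuth is not 'true', so clients are never asked for a certificate" % port)
        if c.get("secure") != "true":
            findings.append("port %s: secure should be 'true' on an HTTPS connector" % port)
        if not c.get("keystoreFile"):
            findings.append("port %s: keystoreFile not set (server identity key)" % port)
        if not c.get("truststoreFile"):
            # Without an explicit truststore Tomcat falls back to the JVM default trust
            # store, so any certificate chaining to a public CA would pass clientAuth.
            findings.append("port %s: truststoreFile not set; JVM default trust store would be used" % port)
        for attr in ("keystorePass", "truststorePass"):
            if c.get(attr, DEFAULT_PASS) == DEFAULT_PASS:
                findings.append("port %s: %s is unset or the default '%s'" % (port, attr, DEFAULT_PASS))
    return findings

# Constructed sample: the Connector from step 2 above inside a minimal server.xml
# skeleton (a real file carries many more elements).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" debug="0" scheme="https" secure="true"
             sslProtocol="TLS" clientAuth="true"
             truststoreFile="/my/secure/dir/truststore.jks" truststorePass="changeit"
             keystoreFile="/my/secure/dir/keystore.jks" keystorePass="changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in check_https_connector(SAMPLE):
        print(finding)
```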

Authorisation

The authorisation sub-system in GridSAM provides fine-grained control over who (the distinguished name of the subject submitting the job) can submit what job (the structure of the JSDL description). The default allows any authenticated user to submit any job. Administrators are advised to read the remainder of this section to learn how to define their own site policy.

The WEB-INF/classes/authorisation.xml resource contains the default configuration script. The default configuration allows any user to submit any job. It is essential that the service administrator evaluates this policy before provisioning GridSAM for production use.

The configuration defines deny and allow rules that apply to the user identity (their authenticated distinguished name) and to the structure of the job description (XPath pattern matching). A submission request that matches the deny directive is permitted only if it also matches the allow directive. A request that does not match the deny directive is permitted without the allow directive being evaluated.

The allow and deny directives are boolean expressions in Conjunctive Normal Form (a conjunction of clauses, each of which is a disjunction of literals). The literals are the following:

  • <true/> to indicate all will match
  • <false/> to indicate all will fail to match
  • <rule xpath="..."/> is true if the XPath yields one or more elements when matched against the JSDL request, false otherwise
  • <group name="..."/> is true if the distinguished name (DN) of the subject who is submitting the job belongs to the named group, false otherwise

    To allow users to be grouped logically, the groups directive assigns a user with a given distinguished name to zero or more groups, using exact or regular-expression matching.

    The default is "Deny all, Allow all". This effectively allows all authenticated users to submit any job.

Configuration

<?xml version="1.0" encoding="UTF-8"?>
<module id="authorisation" version="1.0.0">
    <contribution configuration-id="gridsam.AuthorisationRules">
        <rules>
            <deny>
                <true/>
                <!-- 
                XML Pseudo syntax - Boolean expression in Conjunctive Normal Form (A or B) and (A or !D) where A, B and D are literals
                <or>
                    <rule xpath="... xpath that matches the jsdl ..."/>?
                    <group name="... reference group name defines in groups section ..."/>?
                    <not>
                            <rule xpath="... xpath that matches the jsdl ..."/> | 
                            <group name="... reference group name defines in groups section ..."/>
                    </not>?
                    <true/>?
                    <false/>?
                </or>?
                <rule xpath="... xpath that matches the jsdl ..."/>?
                <group name="... reference group name defines in groups section ..."/>?
                <not>
                        <rule xpath="... xpath that matches the jsdl ..."/> | 
                        <group name="... reference group name defines in groups section ..."/>
                </not>?
                <true/>?
                <false/>?
                -->
            </deny>
            <allow>
                <true/>
                <!-- 
                XML Pseudo syntax - Boolean expression in Conjunctive Normal Form (A or B) and (A or !D) where A, B and D are literals
                <or>
                    <rule xpath="... xpath that matches the jsdl ..."/>?
                    <group name="... reference group name defines in groups section ..."/>?
                    <not>
                            <rule xpath="... xpath that matches the jsdl ..."/> | 
                            <group name="... reference group name defines in groups section ..."/>
                    </not>?
                    <true/>?
                    <false/>?
                </or>?
                <rule xpath="... xpath that matches the jsdl ..."/>?
                <group name="... reference group name defines in groups section ..."/>?
                <not>
                        <rule xpath="... xpath that matches the jsdl ..."/> | 
                        <group name="... reference group name defines in groups section ..."/>
                </not>?
                <true/>?
                <false/>?       
                -->
            </allow>
            <groups>
                <group name="somegroup1">
                    <!--
                    <name pattern="... regular expression to match DN ..."/>
                    <name pattern="CN=William Lee, OU=LeSC, O=Imperial, C=UK"/>
                    -->
                </group>
                <group name="somegroup2">
                    <!--
                    <name pattern="... regular expression to match DN ..."/>
                    <name pattern="CN=William Lee, OU=LeSC, O=Imperial, C=UK"/>
                    -->
                </group>
            </groups>
        </rules>
    </contribution>
</module>

CONTRIBUTION: gridsam.Authorisation - The contribution that contains the allow/deny group rules.

Examples

  • Deny the "badguys" group (members of the "Bad Corp" organisation), except when the job runs either /bin/sleep or /bin/uname:
    <?xml version="1.0" encoding="UTF-8"?>
    <module id="authorisation" version="1.0.0">
            <contribution configuration-id="gridsam.AuthorisationRules">
            <rules>
                <deny>
                    <group name="badguys"/>
                </deny>
                <allow>
                    <or>
                        <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl';
                                     declare namespace posix='http://schemas.ggf.org/jsdl/2005/11/jsdl-posix'
                                     /jsdl:JobDefinition/jsdl:JobDescription/jsdl:Application/posix:POSIXApplication/posix:Executable[text() = '/bin/sleep']"/>
                        <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl';
                                     declare namespace posix='http://schemas.ggf.org/jsdl/2005/11/jsdl-posix'
                                     /jsdl:JobDefinition/jsdl:JobDescription/jsdl:Application/posix:POSIXApplication/posix:Executable[text() = '/bin/uname']"/>
                    </or>
                </allow>
                <groups>
                    <group name="badguys">
                            <!--<name pattern="^CN=Duke"/>-->
                            <name pattern=".*, O=Bad Corp, C=US"/>
                    </group>
                    <group name="goodguy">
                            <name pattern="CN=William Lee, OU=LeSC, O=Imperial, C=UK"/>
                            <name pattern=".*, OU=GridSAM Dev, O=Imperial, C=UK"/>
                    </group>
                </groups>
            </rules>
        </contribution>
    </module>
  • Deny all jobs that have data staging or whose executable is neither /bin/sleep nor /bin/uname, unless the submitter is in the "goodguy" group:
    <?xml version="1.0" encoding="UTF-8"?>
    <module id="authorisation" version="1.0.0">
            <contribution configuration-id="gridsam.AuthorisationRules">
            <rules>
                <deny>
                    <!-- CNF: (DataStaging or not sleep) and (DataStaging or not uname),
                         i.e. DataStaging or (neither sleep nor uname). Putting both <not>
                         literals in a single <or> would match every job, because one
                         executable cannot be both /bin/sleep and /bin/uname. -->
                    <or>
                            <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl'
                                         /jsdl:JobDefinition/jsdl:JobDescription/jsdl:DataStaging"/>
                            <not>
                                    <rule xpath="declare namespace posix='http://schemas.ggf.org/jsdl/2005/11/jsdl-posix'
                                                 //posix:Executable[text() = '/bin/sleep']"/>
                            </not>
                    </or>
                    <or>
                            <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl'
                                         /jsdl:JobDefinition/jsdl:JobDescription/jsdl:DataStaging"/>
                            <not>
                                    <rule xpath="declare namespace posix='http://schemas.ggf.org/jsdl/2005/11/jsdl-posix'
                                                 //posix:Executable[text() = '/bin/uname']"/>
                            </not>
                    </or>
                </deny>
                <allow>
                    <group name="goodguy"/>
                </allow>
                <groups>
                    <group name="badguys">
                            <!--<name pattern="^CN=Duke"/>-->
                            <name pattern=".*, O=Bad Corp, C=US"/>
                    </group>
                    <group name="goodguy">
                            <name pattern="CN=William Lee, OU=LeSC, O=Imperial, C=UK"/>
                            <name pattern=".*, OU=GridSAM Dev, O=Imperial, C=UK"/>
                    </group>
                </groups>
            </rules>
        </contribution>
    </module>
  • (For GridSAM installations using the Basic Execution Service interface ONLY): Deny the ability to suspend/unsuspend the service to everyone except members of the "admin" group:
    <?xml version="1.0" encoding="UTF-8"?>
    <module id="authorisation" version="1.0.0">
            <contribution configuration-id="gridsam.AuthorisationRules">
            <rules>
                <deny>
                    <or>
                            <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl'
                                         /jsdl:JobDefinition/jsdl:Application/jsdl:ApplicationName[text() = 'BES-StopAcceptingNewActivities']"/>
                            <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl'
                                         /jsdl:JobDefinition/jsdl:Application/jsdl:ApplicationName[text() = 'BES-StartAcceptingNewActivities']"/>
                    </or>
                </deny>
                <allow>
                    <group name="admin"/>
                </allow>
                <groups>
                    <group name="admin">
                            <name pattern="CN=William Lee, OU=LeSC, O=Imperial, C=UK"/>
                            <name pattern=".*, OU=GridSAM Dev, O=Imperial, C=UK"/>
                    </group>
                </groups>
            </rules>
        </contribution>
    </module>
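To make the deny-then-allow evaluation order and the CNF literal semantics concrete, here is an added evaluator in Python (example code, not GridSAM's own), run against the first example policy above. It assumes that a directive's child elements are AND-ed, that <not> wraps a single literal and that a group's name pattern is a regular expression searched for in the DN; it translates the page's XPath dialect (declare namespace ..., text() = '...') into the subset ElementTree evaluates, which covers the examples on this page but not arbitrary XPath.

```python
import re, xml.etree.ElementTree as ET

# Added example, not GridSAM's own code: evaluates <deny>/<allow> rules with the
# semantics the text describes. Assumed: a directive's children are AND-ed (CNF),
# <not> wraps one literal, <name pattern> is a regex searched for in the DN.
DECL = re.compile(r"declare\s+namespace\s+(\w+)\s*=\s*'([^']*)'\s*;?")
TEXT_PRED = re.compile(r"\[\s*text\(\)\s*=\s*('[^']*')\s*\]")

def to_etree_path(xpath):
    """Map the page's XPath dialect onto the subset ElementTree can evaluate."""
    ns = dict(DECL.findall(xpath))                      # prefix -> namespace URI
    path = TEXT_PRED.sub(r"[.=\1]", DECL.sub("", xpath).strip())
    return ("." + path if path.startswith("/") else path), ns

class Authoriser:
    def __init__(self, rules_xml):
        self.rules = ET.fromstring(rules_xml)
        self.groups = {g.get("name"): [n.get("pattern") for n in g.findall("name")]
                       for g in self.rules.find("groups")}

    def literal(self, el, doc, dn):
        if el.tag in ("true", "false"):
            return el.tag == "true"
        if el.tag == "rule":                            # true iff the XPath yields elements
            path, ns = to_etree_path(el.get("xpath"))
            return bool(doc.findall(path, ns))
        if el.tag == "group":
            return any(re.search(p, dn) for p in self.groups.get(el.get("name"), []))
        if el.tag == "not":
            return not self.literal(el[0], doc, dn)
        if el.tag == "or":
            return any(self.literal(c, doc, dn) for c in el)
        raise ValueError("unknown literal <%s>" % el.tag)

    def permits(self, jsdl_xml, dn):
        doc = ET.Element("wrapper")                     # lets absolute /jsdl:... paths resolve
        doc.append(ET.fromstring(jsdl_xml))
        cnf = lambda name: all(self.literal(c, doc, dn) for c in self.rules.find(name))
        if not cnf("deny"):
            return True                                 # deny did not match: <allow> is skipped
        return cnf("allow")                             # deny matched: <allow> must override it

# Constructed sample: the first example policy above, and a one-executable JSDL.
RULES = """<rules>
 <deny><group name="badguys"/></deny>
 <allow><or>
  <rule xpath="declare namespace jsdl='http://schemas.ggf.org/jsdl/2005/11/jsdl';
               declare namespace posix='http://schemas.ggf.org/jsdl/2005/11/jsdl-posix'
               /jsdl:JobDefinition/jsdl:JobDescription/jsdl:Application/posix:POSIXApplication/posix:Executable[text() = '/bin/sleep']"/>
  <rule xpath="declare namespace posix='http://schemas.ggf.org/jsdl/2005/11/jsdl-posix' //posix:Executable[text() = '/bin/uname']"/>
 </or></allow>
 <groups><group name="badguys"><name pattern=".*, O=Bad Corp, C=US"/></group></groups>
</rules>"""

def jsdl_for(executable):
    return ('<jsdl:JobDefinition xmlns:jsdl="http://schemas.ggf.org/jsdl/2005/11/jsdl" '
            'xmlns:posix="http://schemas.ggf.org/jsdl/2005/11/jsdl-posix"><jsdl:JobDescription>'
            '<jsdl:Application><posix:POSIXApplication><posix:Executable>%s</posix:Executable>'
            '</posix:POSIXApplication></jsdl:Application></jsdl:JobDescription></jsdl:JobDefinition>' % executable)
```

A "Bad Corp" subject submitting /bin/sleep is permitted via the allow override, the same subject submitting /bin/ls is refused, and a subject outside the badguys group is permitted without the allow directive being consulted.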