(15 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| = Projects: = | | = Projects: = |
| | | |
− | == nl.nikhef.slcshttps == | + | == Grid middleware security == |
| | | |
− | === Introduction ===
| + | This is all kinds of different security related work done within the Nikhef grid-middleware security group. See for example |
− | This project is a joined project between [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics], [http://www.surfnet.nl/ SURFnet] and [http://www.nikhef.nl/ Nikhef]. | + | * the [[GLExec|gLExec wiki pages]] (An overview of the different Nikhef tools can be found in the slightly outdated [[Site Access Control]] pages). |
| + | * [[SAC software procedures|release process of the Grid Security Middleware]] |
| | | |
− | The aim is to change the [http://www.mpi.nl/IMDI/tools/ IMDI BCBrowser] such that it can access corpora using client side certificates obtained from an online CA.
| + | It also covers work on the Risk Assessment Team for the [https://wiki.egi.eu/wiki/SVG:SVG EGI Software Vulnerability Group]. |
| | | |
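Review bot: the opening sentence of the new "Grid middleware security" section, "This is all kinds of different security related work done within the Nikhef grid-middleware security group", is vague and does not lead into the list that follows; suggest "This section collects the security-related work of the Nikhef grid-middleware security group, for example:" so the two bullets read as its continuation. In the first bullet the parenthetical "(An overview of the different Nikhef tools ..." starts with a capital mid-sentence; lower-case it, and hyphenate "security related" as "security-related" for consistency with "grid-middleware" in the same line.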
− | TODO: use case description, problem, Shibboleth versus PKI Certificates...
| + | == User delegation in the CLARIN Metadata Infrastructure == |
| | | |
− | === Description ===
| + | This project was a joined project between CLARIN via the [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics (MPI)] and [http://www.nikhef.nl/ Nikhef] and supported by [http://www.biggrid.nl/ BiG Grid]. |
− | Method used by the IMDI browser to obtain a certificate, see als [[#handshake|image below]].
| + | See e.g. the [[CLARIN/OAuth2|project pages]] |
| | | |
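Review bot: the new CLARIN paragraph has two wording slips: "a joined project between" should be "a joint project between", and "via the [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics (MPI)]" doubles the article, so drop either the "the" before the link or the "The" inside the link text. "See e.g. the [[CLARIN/OAuth2|project pages]]" would also read better as "See the [[CLARIN/OAuth2|project pages]] for details", matching the phrasing used for the other sections.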
− | From a (mostly) '''User''' point of view:
| + | == jGridstart == |
| | | |
− | # '''User''' clicks/chooses initialization option
| + | This is a Java webstart application to gently guide (new) Grid user in the process of obtaining their grid certificate. |
− | # java browser starts a webbrowser...
| + | See e.g. [[JGridstart|project page]] for more information. |
− | # which via the online CA at SURFnet...
| |
− | # redirects webbrowser to WAYF (Where Are You From) server where '''user''' chooses his ''Identity Provider''.
| |
− | # '''User''' logs in at ''IdP''
| |
− | # Webbrowser redirects back to online CA. '''User''' closes webbrowser.
| |
− | # After confirmation by '''user''', java browser now connects itself to online CA
| |
− | # java browser retrieves certificate from online CA and the '''user''' can use it to authenticate with client side certificates.
| |
| | | |
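Review bot: the new jGridstart sentence has a number-agreement slip, "gently guide (new) Grid user in the process" should be "guide (new) Grid users through the process", and "See e.g. [[JGridstart|project page]]" should be "See the [[JGridstart|project page]]". Separately, the eight-step user-view walkthrough of the slcshttps certificate retrieval (initialisation option, web browser opened, WAYF, IdP login, redirect back to the online CA, user confirmation, certificate retrieved by the javabrowser) is removed in this region without any replacement text; if the flow is meant to live on the project page instead, confirm that page carries it before this revision is kept.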
− | Technical overview:
| + | == nl.nikhef.slcshttps == |
− | | |
− | <ol>
| |
− | <li> Initialization procedure:<ol style="list-style-type:lower-alpha">
| |
− | <li> javabrowser creates a per-session keypair (i.e. never saved to disk).
| |
− | <li> javabrowser creates a certificate signing request (CSR)</ol>
| |
− | <li> javabrowser starts a webbrowser...
| |
− | <li> the URL is the online CA + a hash of the CSR.
| |
− | <li> Now the standard Shibboleth trajectory starts: Online CA redirects the browser to a WAYF where the user chooses his IdP.
| |
− | <li> User logs in at his/her IdP.
| |
− | <li> Webbrowser sends the user back to the online CA. The URL is now rewritten using [http://shibboleth.internet2.edu/ Shibboleth], and the Online CA knows that the user, who send the CSR hash, is authorized. The user now tells the javabrowser that (s)he is finished with the webbrowser.
| |
− | <li> The javabrowser sends the full CSR to the Online CA.
| |
− | <li> The Online CA:
| |
− | <ol style="list-style-type:lower-alpha">
| |
− | <li> calculates the hash
| |
− | <li> checks whether it is known/corresponds to a authorized user.
| |
− | <li> if yes, signs the CSR
| |
− | <li> sends a HTTP reply with the signed certificate.
| |
− | </ol>
| |
− | The signed certificate is stored inside the javabrowser and will be offered as client side certificate upon opening a HTTPS connection.
| |
− | </ol>
| |
− | | |
− | Notes:
| |
− | * In Shibboleth terminology, The Online CA is a Service Provider (SP) whose service is the creation of certificates.
| |
− | * In standard CA/RA certificate terminology, the online CA Service Provider is the CA, while the IdP plays the role of RA.
| |
− | * The SLCS model used here is similar (but not identical) to the [http://www.switch.ch SWITCH] model, which is described in detail in [https://edms.cern.ch/document/770102/ https://edms.cern.ch/document/770102/].
| |
− | * Another SLCS-like project, which is actually aiming at long-term (+/- 1 year) certificates is the [https://portal.nordu.net/display/ndgfwiki/confusa_intro Confusa/Terena] project.
| |
− | * The main ''difficulty'' for these SLCS implementations is the interaction of a standalone, non-webbrowser based tool with Shibboleth, since Shibboleth IdP's only requirement is that they work with a webbrowser. On the other hand, the private key has to be present is the tool which eventually will be using the certificate. A number of solutions have been proposed and tried, but since the IdP is only guaranteed to work with a webbrowser we believe it is best to have the javabrowser start a webbrowser. The difficulty then is to guarantee the authentication across applications. We solved this by
| |
− | ** sending a hash of the CSR during the authentication which can be checked later when the javabrowser sends the CSR itself
| |
− | ** limiting the time between authentication and sending the CSR
| |
− | ** requiring both tools to work from the same host.
| |
− | | |
− | :
| |
− | {| border="1" cellpadding="10"
| |
− | | <span id="handshake">[[Image:Imdi handshake.png||IMDI Browser handshake]]</span>
| |
− | |}
| |
− | | |
− | === Code and Files ===
| |
− | | |
− | *[http://www.nikhef.nl/grid/slcshttps/slcshttps_v0.1_full.zip full zip-archive] (Full zip including jar file, build, and javadoc)
| |
− | *[http://www.nikhef.nl/grid/slcshttps/slcshttps_v0.1_src.zip zip-archive] (Zip including only sources, run ant to get the rest)
| |
− | *[http://www.nikhef.nl/grid/slcshttps/slcshttps_jdk15_v0.1.jar JDK1.5 jarfile]
| |
− | *[http://www.nikhef.nl/grid/slcshttps/doc/ Javadoc API]
| |
− | *[https://ndpfsvn.nikhef.nl/cgi-bin/viewvc.cgi/pdpsoft/trunk/nl.nikhef.slcshttps/ SVN repository with source]
| |
− | Check out all code using
| |
− | svn checkout https://ndpfsvn.nikhef.nl/repos/pdpsoft/trunk/nl.nikhef.slcshttps
| |
− | | |
− | Note that you also need the [http://www.bouncycastle.org/ BouncyCastle provider] to build and/or run.
| |
− | Direct link to the [http://www.bouncycastle.org/download/bcprov-jdk15-144.jar JDK1.5 jarfile]
| |
− | | |
− | === Talks ===
| |
− | *[http://www.nikhef.nl/~msalle/slcshttps/MPI_talk_27052009.pdf Talk at BiGGrid meeting, Nikhef, 27 May 2009]
| |
| | | |
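Review bot: the removed "Technical overview" and "Notes" blocks are the only place this page states the security argument of the slcshttps handshake: the browser-side URL carries only a hash of the CSR, the online CA later recomputes the hash of the CSR that the javabrowser submits directly and signs it only when it matches an authenticated user, and the binding is further limited by a time window between authentication and CSR submission and by requiring both tools to run on the same host. Also dropped here are the SP/CA and IdP/RA role mapping, the handshake image, the download links, the "svn checkout" command, the BouncyCastle dependency note and the 27 May 2009 talk. If the page is being reduced to a pointer, make sure the target page contains at least the three mitigation bullets and the dependency note, otherwise keep them in this section; a reader landing here currently gets no hint that the design addresses cross-application authentication at all.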
− | == gLite security ==
| + | This project was a joined project between [http://www.mpi.nl/ The Max Planck Institute for Psycholinguistics (MPI)], [http://www.surfnet.nl/ SURFnet] and [http://www.nikhef.nl/ Nikhef] and supported by [http://www.biggrid.nl/ BiG Grid]. |
| | | |
− | See e.g. [http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/Site_Access_Control Nikhef Site Access Control pages] | + | See the [[User:Msalle@nikhef.nl/nl.nikhef.slcshttps|project page]] for details. |
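Review bot: the new closing paragraph under "nl.nikhef.slcshttps" repeats the wording slip from the CLARIN section, "a joined project between" should be "a joint project between", and "between [http://www.mpi.nl/ The Max Planck Institute ...]" reads better with the article moved outside the link text. The removed "gLite security" section linked to the Site Access Control pages; that reference survives via the [[Site Access Control]] link in the new "Grid middleware security" section, so no content is lost there, but the new "See the [[User:Msalle@nikhef.nl/nl.nikhef.slcshttps|project page]] for details" link is now the only path to the handshake description, the downloads and the BouncyCastle note, so verify that user-page target exists and is complete.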