Grid Security Homework Exercise


Objective

The objective of this exercise is to compare protection and security approaches for virtual organizations, and to follow the simple steps of setting up a certificate for users in Grid Security Infrastructure (GSI).

Prerequisites

This exercise assumes that you have reviewed the lecture materials and notes, and the related materials specified on the lectures page.

Assignment: Answer the questions as specified. Turn in your answers to me on paper or by e-mail on the due date.

1. Compare authentication and authorization mechanisms for virtual organizations.

You may need to read about GT Security (GSI) at http://www.globus.org/toolkit/security/, "Globus Toolkit 4.0 Security" at http://www-unix.globus.org/toolkit/docs/4.0/security/ and "A Community Authorization Service for Group Collaboration" at http://www.globus.org/alliance/publications/papers/CAS_2002_Revised.pdf to complete your answers.

Compare and contrast Shibboleth, GSI, and Kerberos. First, create a table that lists the steps of each protocol as we discussed in class. As much as possible, try to align the steps in each protocol with their counterparts. This will not be possible for every step. For example, the table may begin with:

  Step  Shibboleth / GSI / Kerberos

  0. Shibboleth: Assumes that Identity Provider components HS and AA and Service Provider components ACS and AR have certificates from a trusted CA.
     GSI: Assumes that every user and every service has a certificate from a trusted CA.
     Kerberos: Assumes that each pair of {user, Authentication Server}, {Authentication Server, TGS}, and {TGS, Service Server} share a secret key.
  1. Shibboleth: User logs in to local authentication system.
     GSI: User logs in to local authentication system.
     Kerberos: User logs in to local authentication system.
  2. Shibboleth: (blank)
     GSI: User creates a proxy certificate.
     Kerberos: (blank)
  3. Shibboleth: User contacts the target Service Provider directly.
     GSI: (blank)
     Kerberos: (blank)
  4. Shibboleth: The user is redirected to the WAYF, and then to the Identity Provider, and is authenticated.
     GSI: User contacts the CAS and is authenticated.
     Kerberos: User contacts the Authentication Server and is authenticated.
  5. Shibboleth: User receives a unique handle for this session. The handle consists of ...
     GSI: User receives a community proxy. The proxy consists of ...
     Kerberos: User receives a Ticket Granting Ticket (TGT). The TGT consists of ...
  etc. ... ... ...

I suggest that you use the HTML in the source of this document for formatting your table, although you are free to come up with a better way of formatting the table.

After you have completed your table, write three (moderate length) paragraphs, one for each of the three protocols, and comment with respect to the following points:

  1. Where are attributes maintained for users?
  2. What is the mechanism for controlling when and how attributes are released?
  3. What is the mechanism for authorizing a user that presents certain attributes?
  4. How is privacy preserved?
  5. What are the advantages and disadvantages of this system?

2. Exercise to acquire your own Globus User Certificate on cohn.cs.kent.edu and use some Globus applications

  1. Read Sections 2.3 on "Setting up security on your first machine" through 2.5 on "Starting the webservices container" in the Globus 4.0.x Quickstart.
  2. Log in to cohn.cs.kent.edu

  3. Run the following command:
        % grid-cert-request

  4. After you enter a passphrase, this creates 3 files:
        $ ls
        /home/yourusername/.globus/usercert.pem
        /home/yourusername/.globus/usercert_request.pem
        /home/yourusername/.globus/userkey.pem

  5. Email the file usercert_request.pem to farrell@cs.kent.edu. Be careful! You can do this with the redirection:
        mail farrell@cs.kent.edu < usercert_request.pem

    Since you cannot access your mail on cohn, you need to use webmail or your usual mail client on neptune or poseidon to receive the reply, save it to a file, and sftp it to cohn.

  6. Copy the file into /home/yourusername/.globus/ and rename it usercert.pem, thus replacing the old usercert.pem file.

  7. To test the certificates, run:
        % grid-proxy-init -debug -verify

  8. Log the output of the test as a result of this exercise. Print the log to turn in or e-mail it along with question 1 above.
  9. Where is the proxy certificate stored, what is it called, and what are its permissions? How is the name constructed, i.e. how is it related to your user name?
    Hint: look for your username in the /etc/passwd file.
  10. Use gridftp to copy a file and verify that it is correct:
        globus-url-copy gsiftp://cohn.cs.kent.edu/etc/group file:///tmp/yourusername.copy
        diff /tmp/yourusername.copy /etc/group
  11. Note that you are all members of the globus group. By examining the $GLOBUS_HOME directory, explain what rights this membership grants you.
  12. Run the counter-client, which runs in a Webservices container:
        export JAVA_HOME=/opt/IBMJava2-142/
        export ANT_HOME=/usr/local/apache-ant-1.6.5/
        export PATH=$ANT_HOME/bin:$JAVA_HOME/bin:$PATH
        counter-client -s https://cohn.cs.kent.edu:8443/wsrf/services/CounterService

    Print the results to turn in or e-mail it along with question 1 above.
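A pre-flight check of the ~/.globus directory between steps 6 and 7, added here as an example and not part of the Globus Toolkit or of the original exercise. The function name check_globus_dir is hypothetical; it assumes the three files created in step 4 and checks the two conditions that most often make grid-proxy-init fail: a userkey.pem readable by group or others, and a usercert.pem that is still the empty placeholder from grid-cert-request or is not a PEM certificate.

```shell
# Hypothetical helper (not a Globus command): sanity-check $HOME/.globus
# before running grid-proxy-init. Returns 0 if all checks pass, 1 otherwise,
# printing one line per problem found.
check_globus_dir() {
    dir=${1:-$HOME/.globus}
    key="$dir/userkey.pem"
    cert="$dir/usercert.pem"
    rc=0

    # GSI refuses to use a private key readable by group or others,
    # so the mode must be 0400 or 0600 (the trailing * also tolerates
    # ACL/SELinux markers such as '+' or '.' in ls output).
    if [ ! -f "$key" ]; then
        echo "missing $key (run grid-cert-request)"; rc=1
    else
        case $(ls -ld "$key") in
            -r--------*|-rw-------*) : ;;
            *) echo "$key is readable by others: chmod 600 $key"; rc=1 ;;
        esac
    fi

    # grid-cert-request leaves an empty usercert.pem; step 6 must replace it
    # with the signed certificate returned by e-mail.
    if [ ! -s "$cert" ]; then
        echo "$cert is missing or empty: copy the signed certificate over it (step 6)"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "$cert contains no PEM certificate: save only the certificate text from the reply"; rc=1
    fi

    return $rc
}
```

Run it as `check_globus_dir` (or `check_globus_dir /path/to/.globus`) and fix anything it reports before step 7.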