GT4 development: Mutual authentication from scratch

Source: Internet
Author: User
The Grid Security Infrastructure (GSI) is an implementation of the Generic Security Service API (GSS-API). GSS-API is used to exchange messages securely between communicating applications, giving them uniform access to security services on top of a variety of underlying mechanisms such as Kerberos. In this article, you will learn how to build your own client and server application using GSI, the GSS-API extensions, and proxy certificates. This is the basic authentication mechanism used by grid middleware.
Authentication by impersonation

A proxy certificate is a delegated credential. Impersonation is a security technique that allows one entity (A) to authorize another entity (B) so that B can authenticate to other entities as if it were A. In other words, B acts as A.

Why would we want to use impersonation? Because it solves two important authentication problems in a distributed system:

Single sign-on. Why is a single point of entry so important? Suppose a user needs to run processes on several resources. With single sign-on, the user authenticates once instead of authenticating separately to each resource.
Delegation. Delegation is needed because a process must authenticate on behalf of the user; the user therefore has to entrust it with the necessary rights, and no more than those.
To make this concrete, suppose a user starts a remote execution service spanning two hosts. The service has to authenticate to the resources on the user's behalf using single sign-on, and the user must then delegate authority to both hosts so that they can authenticate to each other. Proxy certificates make this possible.

Mutual authentication

When both parties hold a digital certificate and both trust the Certificate Authority (CA) that signed those certificates, the two entities can perform mutual authentication to prove to each other that they are who they claim to be. Trusting the signing CA means in practice that each party must hold a copy of the CA certificate (including its public key) so it can confirm that the peer's certificate really was issued by that CA. The mutual authentication process between two entities, A and B, is as follows:

1. A establishes a connection to B. To start authentication, A sends its certificate to B. The certificate carries A's identity, A's public key, and the identity of the CA that issued it.
2. B verifies the certificate by checking the CA's digital signature on it, which confirms that the CA issued the certificate and that it has not been tampered with (B must trust the CA that signed A's certificate). In practice B also checks that the certificate is within its validity period and has not been revoked.
3. B generates a random message, sends it to A, and asks A to encrypt it, in order to make sure that A really is the entity named in the certificate. A encrypts the message with its private key and returns the result; B decrypts it with A's public key. If the decrypted message matches the original, B knows that A holds the private key belonging to the certificate, and therefore trusts A's identity. (Strictly, this "encryption with the private key" is a digital signature over a challenge.)
4. Steps 1 to 3 are repeated in the reverse direction, so that A verifies B's certificate and B proves possession of its private key.
5. A and B are now authenticated to each other.
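The following is an added example, not code from the article or from the Globus Toolkit, that carries out step 3 in both directions with the standard java.security API. The key pairs are generated on the fly as stand-ins for the key pairs behind A's and B's certificates; the random message is signed rather than "encrypted", which is what the challenge-response step amounts to. Note that GSI does not perform this exchange itself: it relies on the TLS handshake, where the proof of key possession is a signature over the handshake transcript (CertificateVerify) or, for RSA key exchange, the ability to decrypt the premaster secret. The example also shows the failure case: a party that holds only A's public key cannot answer B's challenge.

```java
import java.security.*;

/** Challenge-response proof of private-key possession (step 3 above), run A->B and B->A. */
public class ChallengeResponseDemo {

    /** Constructed stand-in for a certificate holder: in GSI the public key would come
     *  from the party's X.509 certificate, here it is generated on the spot. */
    static final class Party {
        final String name;
        final KeyPair keys;

        Party(String name) throws GeneralSecurityException {
            this.name = name;
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            this.keys = kpg.generateKeyPair();
        }

        /** Verifier side: a fresh, unpredictable challenge for every run. */
        byte[] challenge() {
            byte[] nonce = new byte[32];
            new SecureRandom().nextBytes(nonce);
            return nonce;
        }

        /** Prover side: sign the challenge with the private key. */
        byte[] respond(byte[] challenge) throws GeneralSecurityException {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(keys.getPrivate());
            sig.update(challenge);
            return sig.sign();
        }
    }

    /** Verifier side: check the response with the public key taken from the peer's certificate. */
    static boolean verify(PublicKey peerKey, byte[] challenge, byte[] response)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(peerKey);
        sig.update(challenge);
        return sig.verify(response);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Party a = new Party("A");
        Party b = new Party("B");

        // Step 3: B challenges A, A answers with its private key, B checks with A's public key.
        byte[] challengeFromB = b.challenge();
        boolean bTrustsA = verify(a.keys.getPublic(), challengeFromB, a.respond(challengeFromB));

        // Step 4: the same exchange in the reverse direction.
        byte[] challengeFromA = a.challenge();
        boolean aTrustsB = verify(b.keys.getPublic(), challengeFromA, b.respond(challengeFromA));

        // Failure case: an impostor presenting A's certificate but lacking A's private key.
        Party impostor = new Party("impostor");
        boolean impostorAccepted = verify(a.keys.getPublic(), challengeFromB, impostor.respond(challengeFromB));

        System.out.println("B trusts A: " + bTrustsA);
        System.out.println("A trusts B: " + aTrustsB);
        System.out.println("impostor accepted as A: " + impostorAccepted);
    }
}
```

The challenge must be fresh for every authentication; reusing one would let an eavesdropper replay a captured response.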

Proxy certificates

A proxy consists of a new certificate (containing a new public key) together with a new private key. The new certificate carries a modified form of the owner's identity and is signed by the owner's own private key, not by the CA. A proxy certificate has the following characteristics:

Limited lifetime. It has an expiry time after which the proxy is no longer valid.
Unencrypted private key. Because a proxy is short-lived, its private key does not need to be protected as strongly as the owner's long-term private key. It can therefore be stored unencrypted in a temporary location, provided the file permissions prevent anyone else from reading it.
Once created, the proxy certificate and its private key can be used for authentication without a password prompt.

Proxy certificates are an extension of the Transport Layer Security (TLS) protocol created by the Globus project. Globus worked with the Global Grid Forum (and later the IETF, which published the profile as RFC 3820) to make proxy certificates a standard TLS extension, so that GSI proxies can be used with other TLS software.
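As an added example (not part of the article or of the CoG Kit), the following program checks an existing proxy file against the three properties just listed. It assumes the file layout written by grid-proxy-init: the proxy certificate, then its private key, then the owner's certificate, all PEM-encoded in one file (by default /tmp/x509up_u<uid>, or the path in X509_USER_PROXY). The 12-hour bound is an assumption taken from grid-proxy-init's default lifetime.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Sanity checks on a grid-proxy-init style proxy file (assumed layout: proxy cert, key, owner cert). */
public class ProxyCheck {

    /** Extract every CERTIFICATE block from a PEM bundle, in file order. */
    static List<X509Certificate> certsFromPem(String pem) throws CertificateException {
        String begin = "-----BEGIN CERTIFICATE-----", end = "-----END CERTIFICATE-----";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (int i = pem.indexOf(begin); i >= 0; i = pem.indexOf(begin, i)) {
            int j = pem.indexOf(end, i) + end.length();
            byte[] block = pem.substring(i, j).getBytes(StandardCharsets.US_ASCII);
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(block)));
            i = j;
        }
        return certs;
    }

    /** Limited lifetime: not expired, and not valid for longer than maxHours from now. */
    static boolean lifetimeOk(X509Certificate proxy, int maxHours) {
        long remaining = proxy.getNotAfter().getTime() - System.currentTimeMillis();
        return remaining > 0 && remaining <= maxHours * 3600_000L;
    }

    /** Unencrypted private key: a key block is present and carries no encryption marker. */
    static boolean keyUnencrypted(String pem) {
        return pem.contains("PRIVATE KEY-----")
            && !pem.contains("Proc-Type: 4,ENCRYPTED")          // legacy PEM encryption header
            && !pem.contains("BEGIN ENCRYPTED PRIVATE KEY");    // PKCS#8 encrypted form
    }

    /** Because the key is unencrypted, only the owner may read or write the file (mode 0600). */
    static boolean permissionsOk(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        return perms.equals(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
    }

    /** Signed by the owner, not a CA: issuer equals the owner's subject, the owner's public key
     *  verifies the signature, and the proxy subject extends the owner's subject. */
    static boolean signedByOwner(X509Certificate proxy, X509Certificate owner) {
        try {
            proxy.verify(owner.getPublicKey());
        } catch (GeneralSecurityException e) {
            return false;
        }
        String ownerDn = owner.getSubjectX500Principal().getName();
        return proxy.getIssuerX500Principal().equals(owner.getSubjectX500Principal())
            && proxy.getSubjectX500Principal().getName().endsWith(ownerDn);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : System.getenv("X509_USER_PROXY");
        if (path == null) {
            System.err.println("Usage: java ProxyCheck {proxyFile}   (or set X509_USER_PROXY)");
            System.exit(-1);
        }
        Path file = Paths.get(path);
        String pem = new String(Files.readAllBytes(file), StandardCharsets.US_ASCII);
        List<X509Certificate> certs = certsFromPem(pem);
        if (certs.size() < 2) {
            System.err.println("Expected at least the proxy and the owner certificate in " + file);
            System.exit(-1);
        }
        X509Certificate proxy = certs.get(0), owner = certs.get(1);
        System.out.println("proxy subject    : " + proxy.getSubjectX500Principal().getName());
        System.out.println("lifetime <= 12h  : " + lifetimeOk(proxy, 12));
        System.out.println("key unencrypted  : " + keyUnencrypted(pem));
        System.out.println("file mode 0600   : " + permissionsOk(file));
        System.out.println("signed by owner  : " + signedByOwner(proxy, owner));
    }
}
```

A proxy that fails the permission check is the one to worry about: anyone who can read the file can authenticate as the owner until the proxy expires, and there is no password to stop them.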

Build your own GSI-enabled client and server

The two applications built here are called Client and Server. They are written in Java and require the GSI implementation and supporting libraries provided by the Java Commodity Grid (CoG) Kit. Building a GSI-enabled application is straightforward; the skeleton of both Client and Server breaks down into the following steps:

Read the command-line arguments
Establish a socket connection between the client and the server for transferring data
Load the proxy certificate
Establish the security context
Exchange messages securely, if needed
Clean up

Read the command-line arguments

The first and simplest thing the main method of both Client and Server has to do is read the command-line arguments.

The Client takes two parameters: the host name and the port to connect to.

Listing 1. Client host name and port

// Read the command-line arguments
if (args.length < 2) {
    System.err.println("Usage: java {options} Client {hostName} {port}");
    System.exit(-1);
}

String hostName = args[0];
int port = Integer.parseInt(args[1]);

The Server takes one parameter: the port number on which it listens for connections.

Listing 2. Server Port number

// Read the command-line arguments
if (args.length != 1) {
    System.err.println("Usage: java {options} Server {localPort}");
    System.exit(-1);
}

int localPort = Integer.parseInt(args[0]);

Establish a socket connection

The Java GSS-API provides a way to create and interpret tokens (opaque byte arrays). These tokens carry the messages that the parties exchange securely, but how the tokens are transported is left entirely to the application. For our purposes, a socket connection is established between the client and the server, and data is exchanged over streams built from the socket streams and the security context.

The Client establishes a socket connection to the Server and obtains the input and output streams from it, as follows:

Listing 3. Client establishes a socket connection to the Server

// Connect to the server and wrap the socket streams for later token exchange
Socket socket = new Socket(hostName, port);

DataInputStream inStream =
    new DataInputStream(socket.getInputStream());

DataOutputStream outStream =
    new DataOutputStream(socket.getOutputStream());

System.out.println("Client: connected to Server "
    + socket.getInetAddress());

The Server creates a ServerSocket that listens on the port given as its argument:

ServerSocket ss = new ServerSocket(localPort);

The ServerSocket can then wait for and accept a connection from the client, and initialize the I/O streams used later for the data exchange with that client.
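The remaining skeleton steps (load the proxy, establish the security context, exchange messages, clean up) are shown below in one added example. This is not the article's code; it is written against the standard org.ietf.jgss interfaces plus the two CoG Kit entry points ExtendedGSSManager and GSSConstants.MECH_OID, and it assumes the CoG Kit (jglobus) jars are on the classpath and that grid-proxy-init has already created a proxy in the default location. The length-prefixed framing of tokens and the 1 MiB bound on token size are choices made here, not anything GSS-API prescribes.

```java
import java.io.*;
import java.net.*;
import org.ietf.jgss.*;
import org.gridforum.jgss.ExtendedGSSManager;
import org.globus.gsi.gssapi.GSSConstants;

/** GSI context establishment over the DataInput/DataOutput streams from Listing 3
 *  (assumes CoG Kit on the classpath and a proxy from grid-proxy-init). */
public class GsiHandshake {

    /** GSS tokens are opaque byte arrays; the application frames them itself.
     *  Here: 4-byte big-endian length, then the token bytes. */
    static void sendToken(DataOutputStream out, byte[] token) throws IOException {
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    static byte[] recvToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > 1 << 20) throw new IOException("bad token length " + len); // bound before allocating
        byte[] token = new byte[len];
        in.readFully(token);
        return token;
    }

    /** "Load the proxy certificate": the default proxy ($X509_USER_PROXY or /tmp/x509up_u<uid>). */
    static GSSCredential loadProxy(int usage) throws GSSException {
        return ExtendedGSSManager.getInstance().createCredential(usage);
    }

    /** Client side: drive initSecContext until the context is established. */
    static GSSContext initiate(DataInputStream in, DataOutputStream out) throws GSSException, IOException {
        GSSManager manager = ExtendedGSSManager.getInstance();
        GSSContext ctx = manager.createContext(null, GSSConstants.MECH_OID,
                loadProxy(GSSCredential.INITIATE_ONLY), GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // both sides authenticate, as in the walk-through above
        ctx.requestCredDeleg(false);  // give the server no delegated proxy unless it must act for us
        ctx.requestConf(true);        // wrap() encrypts
        ctx.requestInteg(true);       // wrap() authenticates
        byte[] inTok = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] outTok = ctx.initSecContext(inTok, 0, inTok.length);
            if (outTok != null && outTok.length > 0) sendToken(out, outTok);
            if (!ctx.isEstablished()) inTok = recvToken(in);
        }
        return ctx;
    }

    /** Server side: feed each client token to acceptSecContext and send back any reply. */
    static GSSContext accept(DataInputStream in, DataOutputStream out) throws GSSException, IOException {
        GSSContext ctx = ExtendedGSSManager.getInstance().createContext(loadProxy(GSSCredential.ACCEPT_ONLY));
        while (!ctx.isEstablished()) {
            byte[] inTok = recvToken(in);
            byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
            if (outTok != null && outTok.length > 0) sendToken(out, outTok);
        }
        return ctx;
    }

    /** "Exchange messages securely": wrap() with privacy, and reject incoming data that lacks it. */
    static void sendWrapped(GSSContext ctx, DataOutputStream out, String msg) throws GSSException, IOException {
        byte[] plain = msg.getBytes("UTF-8");
        sendToken(out, ctx.wrap(plain, 0, plain.length, new MessageProp(0, true)));
    }

    static String recvWrapped(GSSContext ctx, DataInputStream in) throws GSSException, IOException {
        byte[] tok = recvToken(in);
        MessageProp prop = new MessageProp(0, false);
        byte[] plain = ctx.unwrap(tok, 0, tok.length, prop);
        if (!prop.getPrivacy()) throw new GSSException(GSSException.BAD_QOP); // peer sent it unencrypted
        return new String(plain, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {                       // server: java GsiHandshake {localPort}
            try (ServerSocket ss = new ServerSocket(Integer.parseInt(args[0])); Socket s = ss.accept()) {
                DataInputStream in = new DataInputStream(s.getInputStream());
                DataOutputStream out = new DataOutputStream(s.getOutputStream());
                GSSContext ctx = accept(in, out);
                System.out.println("Server: authenticated " + ctx.getSrcName());
                System.out.println("Server: received " + recvWrapped(ctx, in));
                sendWrapped(ctx, out, "hello from server");
                ctx.dispose();                            // "Clean up"
            }
        } else if (args.length == 2) {                // client: java GsiHandshake {hostName} {port}
            try (Socket s = new Socket(args[0], Integer.parseInt(args[1]))) {
                DataInputStream in = new DataInputStream(s.getInputStream());
                DataOutputStream out = new DataOutputStream(s.getOutputStream());
                GSSContext ctx = initiate(in, out);
                System.out.println("Client: authenticated " + ctx.getTargName());
                sendWrapped(ctx, out, "hello from client");
                System.out.println("Client: received " + recvWrapped(ctx, in));
                ctx.dispose();
            }
        } else {
            System.err.println("Usage: java GsiHandshake {localPort}  |  java GsiHandshake {hostName} {port}");
            System.exit(-1);
        }
    }
}
```

Authentication here only tells each side who the peer is (ctx.getSrcName() / ctx.getTargName()); deciding whether that identity is allowed to do anything is a separate authorization step that the application still has to perform. Delegation is switched off with requestCredDeleg(false) because a server that does not need to act on the user's behalf should never be handed a proxy it could misuse.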
