Motivation
Our ultimate goal is to implement secure web services. To date, efforts have been made at message-level security using specifications such as WS-Security.

Efforts in transport-layer security have been made primarily by the Globus Alliance with the Globus Toolkit and the Commodity Grid (CoG) Kit. Using GT4, web services can be deployed within a globus container which itself can be deployed within Tomcat. Tomcat can then be configured with a Connector to allow all https communication to be handled by globus security mechanisms.
In the Fall of 2005, NCSA worked with the US LTER Network to create a single sign-on portal with secure access. The result was the LTERgrid Project. In this project, Bill Baker created a GSI-HTTPS connection to the web portal using HTTPG, a form of HTTPS which uses grid security credentials for the SSL connection. In parallel, work was done to expose MetaCat's search functionality as a GT4 web service.
We would now like to expand and generalize those past efforts to provide GSI-based secure connections to any web service. More specifically, we would like to be able to use X.509 proxy certificates (based on X.509 certificates as defined in RFC 3280). The Globus Toolkit has been able to generate and use proxy certificates for some time now, but recently the tools have gained support for RFC 3820-style proxy certificates. Thus, our first attempt was to take a relatively simple web service and 'tweak' it to work within a GT4 container. As far as anyone could tell us, this process had not been attempted before, but several members of the globus development community thought that it shouldn't be too difficult. Unfortunately, the web service we chose was built using a very different paradigm than a GT4 application (for one, it was built with Maven) and a 'tweak' was not going to be sufficient. In the end, we felt that considerable rewriting/restructuring would be necessary, and whatever work was done for this one web service might not be applicable to other web services. While retrofitting several web services is certainly 'doable', we would prefer to find an easier solution.
This led us to consider using Apache as a "front end" for Tomcat. In this configuration, Apache handles all of the SSL connection specifics, but by linking Apache to Tomcat with a connector, Tomcat still serves all dynamic content. The first step in this approach would be getting the SSL connection to Apache to accept proxy certificates. In April 2005, OpenSSL 0.9.7g added support for proxy certificates. However, very little documentation was available at the time and since the technology was new, no other software packages had been updated for proxy certificate support.

Time has passed and the situation has improved. The current version of OpenSSL, 0.9.8a, has refined the code for proxy certificate support. More importantly, the Apache Web Server's mod_ssl works nicely with this version of OpenSSL to allow for proxy certificate verification. Once Apache is configured for https to work with proxy certificates, the only step left would be to connect Apache to Tomcat. Work is currently being pursued in this area.
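The OpenSSL-level proxy certificate verification that mod_ssl relies on, shown with the openssl command line as an added example (this script is not from the original page, nor from NCSA, Globus or the Apache project). It builds a constructed three-step chain in a temporary directory: a demo CA, a user certificate signed by that CA, and an RFC 3820 proxy certificate signed by the user's own key, carrying the critical ProxyCertInfo extension and a subject name that is the user's name plus one extra CN. It then runs openssl verify twice, once with default settings, where the proxy is rejected, and once with -allow_proxy_certs, the openssl verify option that switches proxy certificate checking on. All subject names and file names are constructed for the demo; the script assumes an openssl binary that understands the proxyCertInfo extension (0.9.7g or later per the page; the command syntax used here is that of OpenSSL 1.1.1 and 3.x).

```shell
#!/bin/sh
# Added example, not part of the original page: build CA -> user -> proxy
# with the openssl CLI and show how chain verification treats the proxy.
# Every name and path below is constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the demo CA, the user (end-entity) certificate and the proxy
# certificate in $WORK.
make_proxy_chain() {
    # 1. Self-signed demo CA (openssl req -x509 marks it CA:TRUE by default).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Grid/CN=Example CA" >/dev/null 2>&1

    # 2. User certificate: a plain end-entity cert, NOT a CA. Its keyUsage
    #    includes digitalSignature, which OpenSSL requires of a proxy issuer.
    cat > "$WORK/user.ext" <<'EOF'
[ user ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" \
        -subj "/O=Example Grid/CN=Alice" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/user.ext" -extensions user \
        -out "$WORK/user.crt" >/dev/null 2>&1

    # 3. Proxy certificate (RFC 3820): signed by Alice's own key, subject =
    #    Alice's subject plus exactly one more CN, and the critical
    #    ProxyCertInfo extension (inheritAll policy language).
    cat > "$WORK/proxy.ext" <<'EOF'
[ proxy ]
proxyCertInfo = critical,language:id-ppl-inheritAll
keyUsage = critical,digitalSignature
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" \
        -subj "/O=Example Grid/CN=Alice/CN=proxy" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/proxy.csr" \
        -CA "$WORK/user.crt" -CAkey "$WORK/user.key" -CAcreateserial \
        -extfile "$WORK/proxy.ext" -extensions proxy \
        -out "$WORK/proxy.crt" >/dev/null 2>&1
}

# Verify the proxy certificate against the demo CA, with the user cert
# supplied as untrusted intermediate. $1 holds extra flags for openssl
# verify. Prints "ok" when the chain verifies and "fail" otherwise.
verify_proxy() {
    if openssl verify ${1:-} -CAfile "$WORK/ca.crt" \
        -untrusted "$WORK/user.crt" "$WORK/proxy.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_proxy_chain
echo "default verify:          $(verify_proxy)"
echo "with -allow_proxy_certs: $(verify_proxy -allow_proxy_certs)"
```

The first verify fails because a proxy certificate is only accepted when the verifier has explicitly enabled proxy support (in the library this is the X509_V_FLAG_ALLOW_PROXY_CERTS store flag, which -allow_proxy_certs sets); the second succeeds once OpenSSL also confirms that the issuer is a non-CA end-entity certificate and that the proxy's subject extends the issuer's subject by a single CN. A TLS server whose certificate verification does not set that flag behaves like the first line, which is the gap the mod_ssl work described above closes.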
At the same time that work was being done on Apache with proxy certificates, we had a group come to us asking for secure web services using Tomcat only. This is basically the problem we were trying to solve earlier when we attempted to 'tweak' a web service to work within a GT4 container. However, as time had passed and we had gained experience with efforts on proxy certificates, we discovered that Jarek Gawor at Argonne National Laboratory had worked on a subset of the Globus Toolkit which would allow for a GSI-enabled https connection to Tomcat without first having to deploy the web service within a GT4 container. The process involves downloading a few Java libraries and configuring Tomcat with a new connector for proxy certificate enabled https.
Implementation
Here you will find implementation specifics on each of the scenarios above. The instructions start with configuring the server side, plus setting up Internet Explorer to verify the connection. Eventually, there will be implementation examples for writing your own clients to connect to the configured servers.

Configuring Apache To Use X.509 Proxy Certificates
Connecting Apache To Tomcat For Secure Web Services (On Hold)
Configuring Tomcat To Use X.509 Proxy Certificates
Using Internet Explorer With Proxy Certificates To Test The Server
Using Proxy Certificates With A Java Client To Connect To An Axis Web Service
Using MyProxy To Generate "Session Passwords" For Single Sign-On Applications