NCSA CyberSecurity

Author: Terry Fleury (
Last Update: June 9, 2006


Our ultimate goal is to implement secure web services. To date, efforts have been made at message-level security using specifications such as WS-Security. Efforts in transport-layer security have been made primarily by the Globus Alliance with the Globus Toolkit and the Commodity Grid (CoG) Kit. Using GT4, web services can be deployed within a globus container which itself can be deployed within Tomcat. Tomcat can then be configured with a Connector to allow all https communication to be handled by globus security mechanisms.

In the Fall of 2005, NCSA worked with the US LTER Network to create a single sign-on portal with secure access. The result was the LTERgrid Project. In this project, Bill Baker created a GSI-HTTPS connection to the web portal using HTTPG, a form of HTTPS which uses grid security credentials for the SSL connection. In parallel, work was done to expose MetaCat's search functionality as a GT4 web service.

We would now like to expand and generalize those past efforts to provide GSI-based secure connections to any web service. More specifically, we would like to be able to use X.509 proxy certificates (based on X.509 certificates as defined in RFC 3280). The Globus Toolkit has been able to generate and use proxy certificates for some time now, but recently the tools have gained support for RFC3820-style proxy certificates. Thus, our first attempt was to take a relatively simple web service and 'tweak' it to work within a GT4 container. As far as anyone could tell us, this process had not been attempted before, but several members of the globus development community thought that it shouldn't be too difficult. Unfortunatley, the web service we chose was built using a very different paradigm than a GT4 application (for one, it was built with Maven) and a 'tweak' was not going to be sufficient. In the end, we felt that considerable rewriting/restructuring would be necessary, and whatever work was done for this one web service might not be applicable to other web services. While retrofitting several web services is certainly 'doable', we would prefer to find an easier solution.

This led us to consider using Apache as a "front end" for Tomcat. In this configuration, Apache handles all of the SSL connection specifics, but by linking Apache to Tomcat with a connector, Tomcat still serves all dynamic content. The first step in this approach would be getting the SSL connection to Apache to accept proxy certificates. In April 2005, OpenSSL 0.9.7g added support for proxy certificates. However, very little documentation was available at the time and since the technology was new, no other software packages had been updated for proxy certificate support. Time has passed and the situation has improved. The current version of OpenSSL, 0.9.8a, has refined the code for proxy certificate support. More importantly, the Apache Web Server's mod_ssl works nicely with this version of OpenSSL to allow for proxy certificate verification. Once Apache is configured for https to work with proxy certificates, the only step left would be to connect Apache to Tomcat. Work is currently being pursued in this area.

At the same time that work was being done on Apache with proxy certificates, we had a group come to us asking for secure web services using Tomcat only. This is basically the problem we were trying to solve earlier when we attempted to 'tweak' a web service to work within a GT4 container. However, as time had passed and we had gained experience with efforts on proxy certificates, we discovered that Jarek Gawor at Argonne National Laboratory had worked on a subset of the Globus Toolkit which would allow for a GSI-enabled https connection to Tomcat without first having to deploy the web service within a GT4 container. The process involves downloading a few Java libraries and configuring Tomcat with a new connector for proxy certificate enabled https.


Here you will find implementation specifics on each of the scenarios above. The instructions start with configuring the server side, plus setting up Internet Explorer to verify the connection. Eventually, there will be implementation examples for writing your own clients to connect to the configured servers.

Configuring Apache To Use X.509 Proxy Certificates

Connecting Apache To Tomcat For Secure Web Services (On Hold)

Configuring Tomcat To Use X.509 Proxy Certificates

Using Internet Explorer With Proxy Certificates To Test The Server

Using Proxy Certificates With A Java Client To Connect To An Axis Web Service

Using MyProxy To Generate "Session Passwords" For Single Sign-On Applications