Friday, October 5, 2007

Kerberos, Gridsphere, and a bit more

At the beginning of the year I tried to develop a portal to give general users easy access between Data Capacitor and HPSS, authenticating through Kerberos. Here are some old notes from back then, when I struggled to get all the different pieces installed together.

I. Prerequisite of Software, versions as of 03/12/2007
  1. Apache Ant 1.7.0
  2. Apache Tomcat 5.5.20
  3. Sun JDK 1.6
  4. GridSphere 2.2.8
  5. Apache2 web server
  6. Secure Perl web services require the packages SOAP::Lite and Crypt-SSLeay
  7. Axis 1.4 is needed for the wsdl2java tool, which converts the web service's WSDL document into Java code.

II. Installation Tweaks for authentication and security

a.) SSL configuration for Tomcat (Reference Tomcat Howto)
  1. Create a certificate keystore by executing the following and specify a password:
    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

  2. Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_HOME/conf/server.xml and tweak as necessary, particularly defining the attribute "keystorePass" with the chosen password from the previous step.

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!-- attribute names are case-sensitive; these match the Tomcat 5.5 server.xml template -->
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https"
    secure="true" clientAuth="false" sslProtocol="TLS"
    keystorePass="mykeystorepassword"/>

b.) Kerberos configuration for GridSphere
With the following configuration, existing GridSphere portal users can authenticate through a designated Kerberos server, assuming /etc/krb5.conf is valid.
  1. Modify the <auth-module> section for "GridSphere JAAS" in $CATALINA_HOME/webapps/gridsphere/WEB-INF/authmodules.xml, setting <active> to true. Note that the priority number in the different <auth-module> sections defines the fallback order of multiple authentication schemes: smaller numbers mean higher priority.

  2. Create a file $CATALINA_HOME/conf/jaas.conf as follows:

    Gridsphere {
    com.sun.security.auth.module.Krb5LoginModule required;
    };

  3. Modify $CATALINA_HOME/bin/catalina.sh to include the following:

    export JAVA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf"
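As an added example (not code from the original post or from GridSphere itself), the following Java class drives the "Gridsphere" JAAS entry from jaas.conf outside the portal, which is a quick way to confirm that jaas.conf and /etc/krb5.conf work before switching the auth module on. The class name, the argument layout and the use of a plain username/password callback handler are my assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical checker (Java 6 compatible): authenticates one user against the
// "Gridsphere" entry, i.e. Krb5LoginModule, and reports the resulting principals.
public class KerberosLoginCheck {

    // Answers Krb5LoginModule's NameCallback and PasswordCallback from fixed values.
    static final class UserPassHandler implements CallbackHandler {
        private final String user;
        private final char[] pass;
        UserPassHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
        }
    }

    // Returns true only if the KDC accepted the credentials; the password buffer is wiped afterwards.
    static boolean authenticate(String user, char[] pass) {
        try {
            LoginContext lc = new LoginContext("Gridsphere", new UserPassHandler(user, pass));
            lc.login();                                  // obtains a TGT via Krb5LoginModule
            for (Principal p : lc.getSubject().getPrincipals())
                System.out.println("principal: " + p.getName()); // e.g. user@REALM
            lc.logout();
            return true;
        } catch (LoginException e) {
            System.err.println("login failed: " + e.getMessage());
            return false;
        } finally {
            Arrays.fill(pass, '\0');
        }
    }

    // usage: java -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf KerberosLoginCheck <user> <password>
    public static void main(String[] args) {
        System.exit(authenticate(args[0], args[1].toCharArray()) ? 0 : 1);
    }
}
```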

c.) HTTPS configuration for Apache2 web server on Fedora (Reference Apache Installation and Configuration Guide on Fedora Core)
  1. Create a new CA certificate

    [root@localhost root]# cd /usr/share/ssl/misc
    [root@localhost misc]# ./CA -newca
  2. Create a Certificate Signing Request (CSR)

    [root@localhost misc]# ./CA -newreq
  3. Sign the CSR

    [root@localhost misc]# ./CA -sign

  4. Store certificates in a directory

    [root@localhost var]# mkdir myCA
    [root@localhost var]# cd myCA
    [root@localhost myCA]# cp /usr/share/ssl/misc/demoCA/cacert.pem .
    [root@localhost myCA]# cp /usr/share/ssl/misc/newcert.pem ./servercert.pem
    [root@localhost myCA]# cp /usr/share/ssl/misc/newreq.pem ./serverkey.pem
    [root@localhost myCA]# ls
    cacert.pem servercert.pem serverkey.pem
    [root@localhost myCA]# cd /var/myCA
    [root@localhost myCA]# cp servercert.pem /etc/httpd/conf/ssl.crt/server.crt
    cp: overwrite `/etc/httpd/conf/ssl.crt/server.crt'? y
    [root@localhost myCA]# cp serverkey.pem /etc/httpd/conf/ssl.key/server.key
    cp: overwrite `/etc/httpd/conf/ssl.key/server.key'? y

  5. Edit ssl.conf (optional): open ssl.conf for editing, and uncomment and edit the following directives. You may want to change DocumentRoot to point to another directory, such as /var/www/ssl, and place your SSL files inside there instead.

    DocumentRoot
    ServerName
    ServerAdmin

  6. Require SSL (Data Capacitor specific): edit httpd.conf, comment out the section that listens on port 80, and add SSLRequireSSL and Options ExecCGI to the CGI directory configuration, e.g.

    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    <Directory "/var/www/cgi-bin">
        # refuse plain-HTTP requests to the CGI scripts
        SSLRequireSSL
        # keep a single Options line: a later "Options None" would override ExecCGI
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

  7. Disabling the passphrase on startup (optional): to start Apache automatically on boot without user intervention, the passphrase prompt can be removed by simply decrypting the server key.

    # cd /etc/httpd/conf/ssl.key
    # cp server.key server.bak
    # openssl rsa -in server.bak -out server.key
    # the key is now stored in the clear, so it is protected only by file permissions (keep it root-only, mode 0600)

d.) Java SSL configuration with self-signed certificates (Reference here)
When opening an SSL connection to a host that uses a self-signed certificate in Java, the following exception may be thrown:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To add the server's certificate to the KeyStore of trusted certificates, a simple solution is to compile and run the InstallCert program:

java InstallCert hostname

It displays the complete certificate and adds it to a Java KeyStore 'jssecacerts' in the current directory. Either configure JSSE to use that file as the trust store, or copy it into the $JAVA_HOME/jre/lib/security directory. For all Java applications, not just those using JSSE, to recognize the certificate as trusted, you could also overwrite the cacerts file in that directory.
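As an added example (not from the original post or the InstallCert program), the following Java 6 compatible class shows the first of those options in code: it loads the jssecacerts file as the trust store for a single HTTPS connection, so the rest of the JVM's trust configuration is left alone. The class name is mine, and the password "changeit" is assumed to be the one the keystore was created with.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: builds an SSLSocketFactory whose trust anchors come only
// from the given JKS trust store (for example the jssecacerts written by InstallCert).
public class TrustStoreConnect {

    static SSLSocketFactory factoryFrom(String trustStorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType()); // "jks" on Sun JDKs
        FileInputStream in = new FileInputStream(trustStorePath);
        try {
            trust.load(in, password);   // password is assumed to be "changeit" (InstallCert's default)
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                // PKIX validation against the certificates in the file
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Opens the URL with the custom trust store and returns the HTTP status code;
    // a certificate that is not in jssecacerts still fails with SSLHandshakeException.
    static int fetchStatus(String url, String trustStorePath) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(factoryFrom(trustStorePath, "changeit".toCharArray()));
        return conn.getResponseCode();
    }

    // usage: java TrustStoreConnect https://hostname:8443/ jssecacerts
    // (the JVM-wide alternative is -Djavax.net.ssl.trustStore=jssecacerts on the command line)
    public static void main(String[] args) throws Exception {
        System.out.println("HTTP " + fetchStatus(args[0], args[1]));
    }
}
```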

e.) Secure web services configuration:
  1. Specify the https location in the <service> tag of WSDL

  2. To encode information in both soap header and body, reference WSDL specification, or Chapter 9 of "Programming Web Services with Perl".

III. GridSphere Tips
  1. To share a variable among different portlets within an application, use setAttribute and getAttribute of PortletSession at "APPLICATION_SCOPE".

  2. For simple persistence of user information between logins, use setups for PortletPreferences.

  3. To forward username and password upon login to external secure web services, modify the login function in src/org/gridlab/gridsphere/services/core/user/impl/LoginServiceImpl.java

  4. To change logout behavior, modify the logout function in src/org/gridlab/gridsphere/servlets/GridSphereServlet.java

  5. Given a WSDL document, use the wsdl2java tool in the Axis package to generate the corresponding Java code; compile it with:

    javac -d . -classpath $CP *.java

    create a jar file with:

    jar -cf mywebservices.jar MyWebServices_pkg/

    and finally put the jar file in the lib directory of the corresponding GridSphere portlet application. Note that the jar files in the lib directory of Axis need to be in the classpath.
