NIH | National Cancer Institute | NCI Wiki  

Purpose

To provide a lightweight guide for how other CBIIT applications (e.g., caArray) can secure their own grid services.

Technical Details

Changes to Application

  • Add CommonsGridLoginModule to the JAAS login module configuration (security-config.xml)
    • (warning) requires nci-commons-core version 1.2.4 or greater; see ...
    • (warning) requires jbosssx.jar as a dependency to handle encryption of the pre-shared key
    • Code Block (xml)

      <login-module code="com.fiveamsolutions.nci.commons.authentication.CommonsGridLoginModule" flag="optional">
          <module-option name="gridServicePrincipal">${gridServicePrincipal}</module-option>
          <module-option name="gridServiceCredential">${gridServiceCredential}</module-option>
          <module-option name="gridServicePrincipalSeparator">||</module-option>
      </login-module>
...

    • Define the gridServicePrincipal and gridServiceCredential properties in the appropriate properties file so that the login module configuration file is populated correctly as part of the build and deployment process for your application
      Code Block

              <gridServicePrincipal>Gr1DU5er</gridServicePrincipal>
              <gridServiceCredential>ltHZmZ1rqYq8j2uyHEABIQ==</gridServiceCredential>

...

Changes to Grid Service(s)

  • Alter Service Context(s) within Introduce
    • Modify each service context accordingly
      1. Highlight the Service Context and click the Modify Service button
      2. Under the Information Page, in the User Resource Framework Options section, check Secure
      3. Under the Security Page (tab/button at the top of the dialog), choose Custom
      4. Under the Secure Communication tab, check Transport Layer Security and choose Privacy for Communication Method
      5. Under the Authorization tab, select No for Client should connect anonymously AND select Enforce Authentication for Authorization Mechanism
      6. Under the Service Credentials tab, select System for Run As
  • Alter how remote services are authenticated for each grid service request. As an example, create a GridSecurityJNDIServiceLocator class that authenticates using the Grid User's Identity (e.g., /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=coppagridtest) instead of a typical remote service user. In short, base your implementation on your existing Locator (e.g., JNDIServiceLocator) and replace existing occurrences with the new GridSecurityJNDIServiceLocator
    Tip
    Example GridSecurityJNDIServiceLocator implementation within COPPA PO Grid Service

    See http://gforge.nci.nih.gov/svnroot/coppa/trunk/code/po-grid/src/gov/nih/nci/coppa/po/grid/remote/GridSecurityJNDIServiceLocator.java

  • Add a Service Property, gridServicePrincipalSeparator, to PAServices with the default value ||
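As an added example (not code from this page, from nci-commons-core or from COPPA), the hypothetical GridPrincipalCheck class below sketches the checks that the login module configuration above and the GridSecurityJNDIServiceLocator bullet rely on: it assumes the caller presents a composite principal of the form <gridServicePrincipal>||<grid user identity> built with the gridServicePrincipalSeparator, verifies the pre-shared service credential with a constant-time comparison, and returns the grid user's identity as the principal to authorize. The composite format, the class name and the already-decrypted credential are assumptions, not documented on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;
/** Hypothetical stand-in for the checks a grid login module performs; not the real CommonsGridLoginModule. */
public final class GridPrincipalCheck {
    private final String servicePrincipal;  // gridServicePrincipal module option
    private final String serviceCredential; // gridServiceCredential module option (assumed already decrypted)
    private final String separator;         // gridServicePrincipalSeparator module option, "||" on this page

    public GridPrincipalCheck(String servicePrincipal, String serviceCredential, String separator) {
        this.servicePrincipal = servicePrincipal;
        this.serviceCredential = serviceCredential;
        this.separator = separator;
    }
    /**
     * Returns the grid user's identity when the composite principal "<gridServicePrincipal>||<grid user identity>"
     * (assumed format) names the configured service and the supplied credential matches; otherwise returns
     * empty so the JAAS stack can fall through to another module (the login module is flagged "optional").
     */
    public Optional<String> authenticate(String compositePrincipal, char[] credential) {
        if (compositePrincipal == null || credential == null) {
            return Optional.empty();
        }
        int idx = compositePrincipal.indexOf(separator);
        if (idx < 0) {
            return Optional.empty(); // no separator: not a grid request
        }
        String service = compositePrincipal.substring(0, idx);
        String gridIdentity = compositePrincipal.substring(idx + separator.length());
        if (gridIdentity.isEmpty()) {
            return Optional.empty(); // never authorize an empty identity
        }
        // Constant-time comparisons so a wrong service name or credential leaks no timing signal.
        boolean serviceOk = MessageDigest.isEqual(
            service.getBytes(StandardCharsets.UTF_8), servicePrincipal.getBytes(StandardCharsets.UTF_8));
        boolean credentialOk = MessageDigest.isEqual(
            new String(credential).getBytes(StandardCharsets.UTF_8),
            serviceCredential.getBytes(StandardCharsets.UTF_8));
        return serviceOk && credentialOk ? Optional.of(gridIdentity) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample values; the credential is not the encrypted one from the properties file.
        GridPrincipalCheck check = new GridPrincipalCheck("Gr1DU5er", "constructed-secret", "||");
        String dn = "/O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=coppagridtest";
        System.out.println(check.authenticate("Gr1DU5er||" + dn, "constructed-secret".toCharArray()));
        System.out.println(check.authenticate("Gr1DU5er||" + dn, "wrong".toCharArray()));
    }
}
```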

Changes to build-pa (bda scripts)