View Source

Purpose

To provide a lightweight guide for other CBIIT applications (eg, caArray) can secure their own grid services.

Technical Details

Assumptions

JBoss 4.0.5
JAAS
Remote EJBs for business application integration
caGrid 1.3
Using BDA for JBoss container configuration of secure services
Using Common Security Module (CSM)

Changes to Application

Add CommonsGridLoginModule to JAAS login module (security-config.xml)

requires nci-commons-core version 1.2.4 or greater see http://maven.5amsolutions.com/archiva/browse/com.fiveamsolutions/nci-commons-core

requires jbosssx.jar as dependency to handle encryption of pre-shared key

<login-module code="com.fiveamsolutions.nci.commons.authentication.CommonsGridLoginModule" flag="optional">
    <module-option name="gridServicePrincipal">${gridServicePrincipal}</module-option>
    <module-option name="gridServiceCredential">${gridServiceCredential}</module-option>
    <module-option name="gridServicePrincipalSeparator">||</module-option>
</login-module>

Define gridServicePrincipal & gridServiceCredential properties within appropriate properties file so that the login module configuration file is properly configured as a part of the build and deployment process for your application
<gridServicePrincipal>Gr1DU5er</gridServicePrincipal> <gridServiceCredential>ltHZmZ1rqYq8j2uyHEABIQ==</gridServiceCredential>

Introduce a new grid service instance CSM Group

Update the application name 'po' to your application's name

INSERT INTO CSM_GROUP (GROUP_NAME, GROUP_DESC, APPLICATION_ID) VALUES ('gridClient', 'Grid Service Invocation Group', (select application_id from csm_application where application_name = 'po'));

Changes to Grid Service(s)

Alter Service Context(s) within Introduce

Modify each service context accordingly
1. Highlight Service Context, click Modify Service button
2. Under Information Page, User Resource Framework Options section, check Secure
3. Under Security Page (tab/button at top of dialogue), choose Custom
4. Then under Secure Communication tab, check Transport Layer Security, choose Privacy for Communication Method
5. Then under Authorization tab, select No for Client should connect anonymously AND select Enforce Authentication for Authorization Mechanism
6. Then under Service Credentials tab, select System for Run As

Add Service Property to your (Main Service) context within Introduce,

Select Service Properties tab, input the following values:

Key	Default Value	Description
gridServicePrincipalSeparator	\|\|	The separator used to encord the gridServicePrincipal and grid user's identity when Using the com.fiveamsolutions.nci.commons.authentication.CommonsGridLoginModule

Click Add

Save your changes within Introduce (must be successful)

Alter how remote services (eg, EJBs) are authenticated and authorized for each grid service request. As an example, create a GridSecurityJNDIServiceLocator class to authenticate using both the Grid User's Identity (eg, /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=coppagridtest instead of a typical remote service user. In short, you'll base your implementation off of your existing Locator (eg, JNDIServiceLocator) and replace existing occurrences with the new GridSecurityJNDIServiceLocator

See http://gforge.nci.nih.gov/svnroot/coppa/trunk/code/po-grid/src/gov/nih/nci/coppa/po/grid/remote/GridSecurityJNDIServiceLocator.java

Purpose

Technical Details

Assumptions

Changes to Application

Changes to Grid Service(s)

Changes to build-pa (bda scripts)