Web Services Session
GOSC meeting, Edinburgh,
29th October 2004.
Hong Ong
Distributed Systems Group
University of Portsmouth
[email protected]
Ariel Goyeneche
Centre for Parallel Computers
University of Westminster
[email protected]
Session Part 1: Goals
- Putting Web Services into context.
- How to host Web Services.
- How to secure Web Services.
Session Part 2: Goals
- Grid Services introduction.
- Grid Services administration.
- Grid Services security.
- Grid Service study case.
Session Part 1: outline
- Putting Web Services into context:
  - What are Web Services?
  - A brief overview of Web Services core technologies.
- How to host Web Services.
- How to secure the Web Services hosting environment.
What are Web Services?
- Depends who you ask - you'll get different answers from different people.
- Instead of a definition, we will describe a Web Service as an application that:
  - Exposes its operations to other applications via open, interoperable standards,
  - Communicates with other applications over the Internet, and
  - Can be implemented in any programming language or platform.
What are Web Services?
- "Exposes its operations ...":
  - The client app knows how to interact with the server app in a standard way.
- "Communicates ... over the Internet":
  - No centralized control, and loosely coupled.
  - Message based, synchronous and asynchronous.
  - Use of established protocols.
  - Security.
- "Implemented in any programming language and platform":
  - Separation of specification and implementation.
W3C – What is a Web Service?
“A Web service is a software system designed to
support interoperable machine-to-machine interaction
over a network. It has an interface described in a
machine-processable format (specifically WSDL). Other
systems interact with the Web service in a manner
prescribed by its description using SOAP messages,
typically conveyed using HTTP with an XML
serialization in conjunction with other Web-related
standards.”
Source: W3C Working Group Note 11 February 2004
http://www.w3.org/TR/2004/NOTE-ws-arch-20040211/
Web Services Model (diagram): Service Provider, Service Consumer and Service Registry, linked by Service Description and Messaging (steps numbered 1, 2, 3 in the figure).
Web Services Protocol Stack
Source: http://roadmap.cbdiforum.com/reports/protocols/
Comment on the WS Protocols
- The Web Services (WS) protocol stack includes a whole "zoo" of newer, evolving, and growing number of protocols.
- However, the essential WS protocols are (top of the stack first):
  4. Service publication and discovery.
  3. Service and message description.
  2. Message encoding.
  1. Message transport.
Essential WS Protocol #1
- Message transport:
  - How to transport messages between applications?
  - Currently, this includes HTTP, SMTP, FTP, and newer protocols, such as the Blocks Extensible Exchange Protocol (BEEP).
Essential WS Protocol #2
- Message encoding:
  - How to encode messages in a common format so that messages can be understood at the end-points?
  - Currently, messages are encoded in XML format and packaged up using SOAP.
What is SOAP?
- SOAP is:
  - An XML based communication protocol.
  - A format for encoding datatype instances.
  - Used with XML Schema.
  - Transport independent.
  - SOAP with Attachments allows arbitrary data to be packaged.
(Diagram: a SOAP Envelope containing a SOAP Header, made of Header Blocks, and a SOAP Body, made of Body sub-elements.)
Alternatives to SOAP
- XML documents over HTTP:
  - Most SOAP toolkits provide the mechanisms.
  - But these are still Web Services.
- XML-RPC:
  - Simpler than SOAP and has a longer history.
  - Limitations on the objects that can be exposed.
  - With current SOAP toolkit support, there is little reason to use it.
Essential WS Protocol #3
- Service description:
  - How to describe the public interface of a specific Web Service?
  - Currently, service description is handled via WSDL (Web Services Description Language).
What is WSDL?
- A WSDL is an XML document.
- A WSDL describes:
  - What the service can do,
  - Where it resides, and
  - How to invoke it.
- WSDL descriptions can be made available from a registry, e.g., UDDI.
(Diagram: the sections of a WSDL document: Types, Messages, Port Types, Binding, Services.)
Essential WS Protocol #4
- Service publication and discovery:
  - How to publish/find other Web Services?
  - Currently, service discovery is handled via UDDI (Universal Description, Discovery and Integration).
What is UDDI?
- UDDI began as an ad hoc consortium.
  - Now housed at OASIS.
- UDDI is:
  - A Web Services API for publishing and discovering the existence of Web Services.
  - A registry for managing information about Web Services.
  - An industry-wide initiative supporting Web Services.
- UDDI has three levels of information:
  - White Pages - used to query companies by their attributes.
  - Yellow Pages - used to query and categorize businesses by taxonomies.
  - Green Pages - used to define how to interact with the Web Services.
Web Services Toolkits
Company          Product                                URL
Microsoft        Visual Studio.NET                      msdn.microsoft.com/vstudio
                 Web Services Enhancements              msdn.microsoft.com/webservices/building/wse/default.aspx
IBM/open source  Apache Axis                            ws.apache.org/axis
Sun              Java Web Services Developer Pack 1.4   java.sun.com/webservices/jwsdp/index.jsp
BEA              WebLogic Workshop and WebLogic Server  dev2dev.bea.com/products/wlworkshop81/index.jsp
Systinet         Systinet Server 5.0                    www.systinet.com
Summary: Web Services (diagram)
- Web Services Provider: Create (WSDL describing the service, on a Production Platform), Deploy (Application), Publish (to UDDI), Manage and Monitor (Service Execution & Management Environment).
- Web Services Consumer: Discover, Inspect, Contract (via UDDI), Embed (Application Workflow: Request, Process, Payment), Execute and Invoke, Manage and Monitor (Service Execution & Management Environment).
- Provider and consumer exchange SOAP Messages via HTTP(S) over the INTERNET; operations such as Add, Change, and Delete.
Session Part 1: outline
- Putting Web Services into context.
- How to host Web Services:
  - The big picture.
  - Tomcat, Axis, etc.:
    - Installation,
    - Deployment, and
    - Administration.
- How to secure the Web Services hosting environment.
The big picture! (diagram)
- WS Client Applications reach, across the INTERNET, a Registry and the hosting environment.
- The hosting environment: an Application Server running a SOAP Engine that hosts WS 1, WS 2 and WS 3; behind them sit a Database, Other Web Services and a Legacy App.
Additional Software
- Other software you might want to consider:
  - A Web server like the Apache HTTP Server.
  - Are you using Windows? Then Cygwin is for you!
  - And of course a web browser like Microsoft Internet Exploder, Netscape Navigator, Mozilla, or Mozilla Firefox (recommended).
Installation Roadmap
- Required packages:
  1. Java and Ant
  2. Tomcat
  3. Axis and Xerces2-J
- Optional:
  4. Database
  5. jUDDI
  6. UDDI4J
Step 1: Java and Ant installation
- Download binaries:
  - Java Development Kit (JDK) version 1.4 or later: http://java.sun.com/j2se/
  - Ant version 1.6.2 or later: http://ant.apache.org/
- Install:
  - Install the JDK and Ant according to the instructions included with the release.
Step 1: Java and Ant installation
- Set environment variables:
  - Windows:
    set JAVA_HOME=<path_to_jdk>
    set ANT_HOME=<path_to_ant>
    set PATH=%PATH%;%JAVA_HOME%\bin;%ANT_HOME%\bin
  - Unix:
    export JAVA_HOME=<path_to_jdk>
    export ANT_HOME=<path_to_ant>
    export PATH=$PATH:$JAVA_HOME/bin:$ANT_HOME/bin
Step 2: Tomcat installation
- Download and install the Tomcat 5 binary distribution:
  - http://jakarta.apache.org/site/binindex.cgi
- Set environment variables:
  - Windows:
    set CATALINA_HOME=<path_to_tomcat>
    set PATH=%PATH%;%CATALINA_HOME%\bin
  - Unix:
    export CATALINA_HOME=<path_to_tomcat>
    export PATH=$PATH:$CATALINA_HOME/bin
Step 2: Tomcat installation
- Start up Tomcat 5:
  - Windows: %CATALINA_HOME%\bin\startup.bat
  - Unix: $CATALINA_HOME/bin/startup.sh
- The default Web applications included with Tomcat 5 will be available by visiting http://localhost:8080/
- Recommended: remove jsp-examples, servlets-examples, and webdav under the webapps/ directory.
Step 3: Axis and Xerces2-J installation
- Download the Axis and Xerces2-J binaries:
  - http://xml.apache.org/axis/
  - http://xml.apache.org/xerces2-j/
- Deploy Axis and Xerces2-J:
  - Unzip Axis and Xerces2-J.
  - Copy xercesImpl.jar and xmlParserAPIs.jar from the Xerces distribution into the axis/lib directory and also into the $CATALINA_HOME/common/lib directory.
  - Copy the webapps/axis tree to the $CATALINA_HOME/webapps directory.
  - Start up Tomcat.
Step 3: Axis and Xerces2-J installation
- Go to http://localhost:8080/axis/
- You will see some errors or warnings about missing Activation.jar and mail.jar: download the required jar files and copy them to $CATALINA_HOME/common/lib.
Understanding Tomcat 5
- Tomcat 5 implements the Servlet 2.4 and JavaServer Pages 2.0 specifications from the Java Community Process.
- Tomcat can run in three execution modes:
  - Standalone (default),
  - In-process, and
  - Out-of-process.
Tomcat execution modes
- Standalone:
  - Default mode for Tomcat.
  - Mainly used for development.
- In-process add-on:
  - Web server plugin, which passes servlet/JSP requests to the servlet container via JNI.
  - The JVM is started inside the Web server's address space.
  - Suitable for multi-threaded single-process servers.
  - Provides good performance but does not scale well.
Tomcat execution modes
- Out-of-process add-on:
  - Web server plugin, which passes servlet/JSP requests to the servlet container via a TCP/IP socket.
  - The JVM is started outside of the Web server's address space.
  - Poorer response time than the in-process add-on,
  - Better scalability and more stable.
Tomcat 5 Directory Structure
- Key Tomcat directories, all relative to $CATALINA_HOME:
  - /bin: Startup, shutdown, and other scripts. The *.sh files (Unix) are functional duplicates of the *.bat files (Windows).
  - /common/lib: JAR files placed here are visible both to web applications and to internal Tomcat code (JDBC drivers).
  - /conf: Configuration files and related DTDs. The most important file in here is server.xml. It is the main configuration file for the container.
  - /logs: Log files are here by default.
  - /shared/lib: JAR files placed here are visible to all web applications.
  - /webapps: This is where your webapps go.
  - /work: Working directory for Tomcat.
Multiple Instances of Tomcat
- To share a single binary among applications:
  - Set CATALINA_BASE=<path_to_tomcat1>
  - Make sure the <path_to_tomcat1> directory contains the following directories: conf/, logs/, shared/, webapps/, work/, temp/
- Provides some fault tolerance and allows clustering (load balancing).
User Web Application
- If you want to map a request URI starting with a tilde character ("~") and a username to a directory, e.g., http://<hostname>:<port>/~user, add a UserConfig listener to the Host in server.xml:
  <Host name="localhost" ...>
    ...
    <Listener className="org.apache.catalina.startup.UserConfig"
              directoryName="public_html"
              userClass="org.apache.catalina.startup.PasswdUserDatabase" />
    ...
  </Host>
Comments on Tomcat
- Although Tomcat is great for running servlets, it is not a very efficient Web server.
- Another possibility is to use Apache's HTTP Server program (httpd) as the Web server, with a connector to Tomcat to execute servlets.
Recommended Tomcat Setup (diagram)
- Web Server Host: Apache2 (with mod_ssl, mod_jk2 and mod_dav) listens on http/80 and https/443 and forwards servlet requests to Tomcat over the AJPV12/13 connector on port 8007.
Understanding Axis
- Axis stands for Apache eXtensible Interaction System.
- Axis is:
  - A distributed framework:
    - Similar to IIOP, RMI, CORBA.
    - Allows RPC and Messaging communication.
    - Apache implementation based on SOAP 1.1 + Web Services.
  - Implemented as a Servlet:
    - Requires running in a Servlet Container (e.g. Tomcat).
Axis Architecture (diagram: Client and Server sides)
Web Service Auto Deployment
- Simple Technique (JWS):
  - Copy the Java source file containing the method(s) to be exposed to the axis directory.
  - Rename the java extension to jws, e.g., HelloWorld.java -> HelloWorld.jws
Web Service Deployment
- Complex Technique: use a WSDD (Web Service Deployment Descriptor) - the preferred Axis solution.
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="Math" provider="java:RPC" style="wrapped" use="literal">
    <parameter name="wsdlTargetNamespace" value="http://math.samples/"/>
    <parameter name="className" value="samples.math.Math"/>
    <operation name="add" qname="operNS:Add" xmlns:operNS="http://math.samples/"
               returnQName="retNS:AddResult" xmlns:retNS="http://math.samples/"
               returnType="rtns:float" xmlns:rtns="http://www.w3.org/2001/XMLSchema">
      <parameter qname="pns:A" xmlns:pns="http://math.samples/"
                 type="tns:float" xmlns:tns="http://www.w3.org/2001/XMLSchema"/>
      <parameter qname="pns:B" xmlns:pns="http://math.samples/"
                 type="tns:float" xmlns:tns="http://www.w3.org/2001/XMLSchema"/>
    </operation>
    <parameter name="allowedMethods" value="add"/>
  </service>
</deployment>
Writing a Web Service (server)
- In general, apply the following steps:
- Server Side:
  - Define a Java interface.
  - Write the Java class(es) that implement the interface you have defined and compile them.
  - Move your compiled class to your web server's appropriate directory (e.g. %CATALINA_HOME%\webapps\axis\WEB-INF\classes).
  - Use the org.apache.axis.wsdl.WSDL2Java tool to generate a WSDL document.
  - Write a deployment descriptor.
  - Use the org.apache.axis.client.AdminClient tool to deploy your service to your hosting environment (e.g. Tomcat).
Writing a Web Service (client)
- Client Side:
  - Assuming that you know the service URL (i.e. bypass service discovery), obtain the WSDL document for the service.
  - Run the org.apache.axis.wsdl.WSDL2Java tool to generate the client side stubs and data types from the WSDL doc.
  - Write a client Java class that uses the service locator and other Java classes to access the service interface (see the Apache Axis User Guide for details).
  - Compile and run the client.
More Information
- Wainwright, P., "Professional Apache," Wrox Press Ltd.
- Online articles:
  - httpd.apache.org/docs/
  - jakarta.apache.org/tomcat/docs/
  - java.sun.com/products/servlet/2.2/
More Information
- Java APIs for Web Services:
  - Programming Model: JAX-RPC (JSR101), JSR109, EJB2.1
  - SOAP messages as Java objects: SAAJ (SOAP with Attachments API for Java)
  - Accessing WSDL descriptions: JWSDL (JSR110)
  - Accessing Web Services Registries: JAXR (Java API for XML Registries)
Session Part 1: outline
- Putting Web Services into context.
- How to host Web Services.
- How to secure the Web Services hosting environment:
  - Some highlights on securing the hosting environment,
  - Standard way of working together securely:
    - WS-Security,
    - XML Encryption, and
    - XML Signature.
Common Attack Types
- Some common ones:
  - Denial of Service to a server,
  - Interception and manipulation of messages,
  - Forged client requests,
  - Forged server responses,
  - Attempts to read the server file system/database,
  - Attempts to write to the server file system/database.
- All reasons to follow the guidelines at http://www.owasp.org/
How?
- Secure the whole stack:
  - Web Service container,
  - The host operating system,
  - Apply security patches (daily), and
  - Defence in Depth.
Danger! (figure; source: XML and Web Services: Are We Secure Yet?, JAVAPRO)
Instead... (figure; source: XML and Web Services: Are We Secure Yet?, JAVAPRO)
Securing Tomcat
- $CATALINA_HOME/conf/:
  - server.xml: global configuration file.
  - web.xml: configures Tomcat contexts.
  - catalina.policy: configures the security policy.
Securing Tomcat
- Assume that all incoming data is untrusted:
  - Check parameters,
  - Only accept a string containing the characters/regular expression expected, and check its length.
  - Better yet, apply whatever other higher level checks ('userID==session.userID') you can.
Securing Tomcat 5
- Enabling SSL in Tomcat 5: edit server.xml
<!-- SSL/TLS Connector configuration using the SSL domain keystore -->
<Connector address="127.0.0.1"
           port="8443" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="e-Science cert"
           keystorePass="changeit"
           keystoreType="PKCS12"
           protocol="TLS"/>
Securing Axis
- Monitor for trouble:
  - Monitor load.
  - Monitor the mailing lists.
  - Turn off JMX - JMX connects nicely to SNMP!!
- Preventions:
  - Disguise,
  - Cut down the build,
  - Stop service listing,
  - Keep stack traces out of the responses,
  - Stop auto-generating WSDL.
Securing Axis
- More preventions:
  - Servlets 2.3: use filters for extra authentication.
  - Log things.
  - Run Axis with reduced Java rights.
  - Run the web server with reduced rights.
  - Turn off attachments if you're not going to use them. Otherwise, apply security filters to attachments.
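The two slides above ("assume all incoming data is untrusted: check parameters, accept only the expected characters and length, then apply higher level checks such as userID==session.userID" and "Servlets 2.3: use filters for extra authentication") can be combined in one Servlet 2.3 Filter placed in front of the Axis servlet. The following is an added example, not code from the slides or from Axis; the parameter names userID and op, the session attribute userID and the patterns are assumptions for illustration.

```java
// Added example (not from the original slides): a Servlet 2.3 Filter that applies the
// "assume all incoming data is untrusted" rules and runs before the service is reached.
// Assumptions: request parameters "userID" and "op" are hypothetical, and the session
// attribute "userID" is set by whatever login code the application already has.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UntrustedInputFilter implements Filter {

    // Whitelists: only the characters we expect, never a blacklist of "bad" ones.
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9_]{1,32}");
    private static final Pattern OPERATION = Pattern.compile("[a-z]{1,16}");
    private static final int MAX_PARAM_LENGTH = 256;

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Syntactic checks on every parameter the service is going to use.
        String userId = request.getParameter("userID");
        String op = request.getParameter("op");
        if (!matches(USER_ID, userId) || !matches(OPERATION, op)) {
            // Reject without echoing the bad value back: no reflected content, no stack trace.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid parameter");
            return;
        }

        // 2. Higher-level check: the userID in the request must be the one bound to the
        //    authenticated session ("userID == session.userID"), so a client cannot act
        //    on another account just by editing a parameter.
        HttpSession session = request.getSession(false);
        Object sessionUser = (session == null) ? null : session.getAttribute("userID");
        if (sessionUser == null || !sessionUser.equals(userId)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not authorised");
            return;
        }

        chain.doFilter(req, res);
    }

    // A parameter is acceptable only if present, short enough, and entirely matched by
    // the expected pattern (Matcher.matches() anchors the whole string, unlike find()).
    static boolean matches(Pattern expected, String value) {
        return value != null
            && value.length() <= MAX_PARAM_LENGTH
            && expected.matcher(value).matches();
    }
}
```

Register it in the web application's WEB-INF/web.xml with a <filter> element and a <filter-mapping> whose url-pattern covers the Axis servlet (e.g. /services/*), so every request is checked before the SOAP engine sees it.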
Securing Web Services
- Issues include:
  - Message integrity,
  - Message confidentiality, and
  - Authentication.
- Technologies include:
  - Secure Sockets Layer (SSL),
  - Transport Layer Security (TLS),
  - Message encryption, and
  - Digital signatures.
Working Together Securely
- Web Service security today:
  - Point to point: SSL and basic authentication.
  - SSL + client side certificates + basic auth.
  - Depends on the https transport!
- What the WS-Security standards do and why:
  - Security in the SOAP Header, not the transport!
  - Allows for the creation of an Enterprise Service Bus: http://www.oreilly.com/catalog/esb/index.html
  - BPEL - Business Process Execution Language for Web Services.
WS-Security Stack (diagram)
WS-Security
- Standard signature and encryption techniques can be used to sign and encrypt an XML document.
- But,
  - These techniques are generally tied to transmission (e.g., SSL) and don't protect the document once it arrives.
  - The document needs to be sent as a whole, and different parts might have different security requirements:
    - The transmission system can't be expected to respect these differences.
    - E.g., a company needs to know the customer's name and address, but not the credit card number.
WS-Security
- A standard set of SOAP extensions that can be used to implement a variety of security models and encryption techniques.
- It is not a protocol.
- Supports:
  - Token (passwords, keys, certificates) transmission,
  - Message integrity,
  - Message encryption.
- Depends on:
  - XML Signature, and
  - XML Encryption.
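The point of "security in the SOAP Header, not the transport" is that integrity travels with the message and can still be checked after the connection is gone. The following Java program is an added example (not code from the slides or from any WS-Security toolkit): it signs the SOAP Body with XML Signature, carries the <ds:Signature> in the SOAP Header, verifies it, and shows that a change to a signed value is detected. The SOAP message and the RSA key pair are constructed here; it assumes the JDK's javax.xml.crypto.dsig API (JDK 8 or later) and uses the WS-Security wsu:Id attribute to identify the Body.

```java
// Added example, not from the slides: XML Signature over the SOAP Body, placed in the
// SOAP Header, then verified with a pre-shared public key (no KeyInfo is consulted).
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SoapBodySignature {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample message (the "add" operation of the deck's Math service);
    // the Header is empty until the signature is added.
    static final String MESSAGE =
        "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\" xmlns:wsu=\"" + WSU_NS + "\">"
      + "<soap:Header/>"
      + "<soap:Body wsu:Id=\"Body\"><m:add xmlns:m=\"http://math.samples/\">"
      + "<m:A>2.0</m:A><m:B>3.0</m:B></m:add></soap:Body></soap:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    static Element body(Document doc) {
        return (Element) doc.getElementsByTagNameNS(SOAP_NS, "Body").item(0);
    }

    // Sign: Reference URI="#Body" covers exactly the Body element, canonicalised with
    // exclusive C14N so the signature survives re-serialisation by intermediaries.
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#Body",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(
                CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        Element header = (Element) doc.getElementsByTagNameNS(SOAP_NS, "Header").item(0);
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), header);
        ctx.setIdAttributeNS(body(doc), WSU_NS, "Id"); // tells the resolver what "#Body" means
        fac.newXMLSignature(si, null).sign(ctx);       // KeyInfo omitted: key is pre-shared
    }

    // Verify with a key the receiver already trusts. A real receiver must also check that
    // the element the Reference points at is the Body it goes on to process, not merely
    // that some Signature in the message validates.
    static boolean verify(Document doc, PublicKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        if (sigEl == null) return false;
        DOMValidateContext ctx = new DOMValidateContext(key, sigEl);
        ctx.setIdAttributeNS(body(doc), WSU_NS, "Id");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Document doc = parse(MESSAGE);
        sign(doc, kp);
        System.out.println("intact message verifies: " + verify(doc, kp.getPublic()));   // true
        // Tamper with a signed value after signing: the Body digest no longer matches.
        doc.getElementsByTagNameNS("http://math.samples/", "B").item(0).setTextContent("300.0");
        System.out.println("tampered message verifies: " + verify(doc, kp.getPublic())); // false
    }
}
```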
Session Part 2: Goals
- Grid Services introduction.
- Grid Services administration.
- Grid Services security.
- Grid Service study case.
Session Part 2: outline
- Grid Services introduction:
  - What are Grid Services?
  - Grid Services vs. Web Services.
  - A bit of OGSA, OGSI, WSRF, etc.
- Grid Services administration.
- Grid Services security.
- Grid Service study case.
Grid Services introduction
"... Web services successfully implement applications that manage state today, we need to define conventions for managing state so that applications discover, inspect, and interact with stateful resources in standard and interoperable ways ..."
Source: www.globus.org
Grid Services introduction
- Grid Services vs. Web Services:
  - Web Services are more stable, mature, etc.
  - Web Services have many middleware options to choose from at implementation time, and many programming languages.
  - Grid Services have few middleware choices.
  - Grid Services are changing... and changing... (OGSA, WSRF, etc.)
  - Web Services are supported by all the major software companies.
  - But... Grid Services have standard interfaces to interoperate!
OGSA, OGSI, WSRF, etc.?
- Open Grid Services Architecture (OGSA): http://www.globus.org/ogsa/
  - "The Physiology of the Grid"
  - Description:
    - OGSA service model.
    - Factories and instances.
    - Service lifetime management.
    - Managing Grid Service handles and references.
    - Service information and discovery.
    - Notification.
    - Other interfaces.
OGSA, OGSI, WSRF, etc.?
- Open Grid Services Infrastructure (OGSI): http://www.globus.org/ogsa/
  - "OGSI refers to the base infrastructure on which OGSA is built"
  - Specification 1.0:
    - Service data.
    - Core Grid Service properties (time, lifetime).
    - PortTypes.
    - Handle resolvers.
    - Notifications.
    - Factory portType.
    - ServiceGroup.
OGSI/OGSA -> WSRF (diagram: OGSI/OGSA alongside the WS-Resource Framework (WSRF) and plain WS)
Grid Service middleware: Globus Toolkit
- The Globus Toolkit is an open source software toolkit used for building grids: http://www-unix.globus.org/toolkit/
- Latest release version: 3.2
  - GT3
  - OGSA/OGSI implementation
- Latest development release version: 3.9.2
  - GT4
  - WSRF implementation
  - Stable ... January 2005?
Session Part 2: outline
- Grid Services introduction.
- Grid Services administration:
  - Why Globus?
  - Tomcat Web application contexts.
  - GT3 using Tomcat.
- Grid Services security.
- Grid Service study case.
Why Globus Toolkit / Why GT3?
- eScience applications running using GT3.
- Administration issues in GT3 are similar to the information provided about GT4.
- Security issues are similar to GT4.
- Review of Web Services + Tomcat (session Part 1).
GT3 configuration options
- Own GT3 container:
  - Testing purposes.
- Tomcat container:
  - Several application contexts.
  - One application context per user.
Multiple Web application contexts
- Advantages:
  - Tomcat is a Java servlet container which supports multiple web application contexts that can be restarted individually.
  - The administrator can concentrate on a single well supported installation instead of many single containers.
  - Enables only one network port (e.g. 8080) to be opened in the firewall.
  - It takes fewer resources, in particular threads and memory.
  - Hosting of Grid Services and Web Services.
Multiple Web application contexts
- Disadvantages:
  - A potential security issue is that files located in the various web application contexts need to be accessible to Tomcat, thus enabling developers to access someone else's.
  - Deployment and run-time issues can be experienced when using Tomcat instead of the native container due to lack of documentation.
GT3 using Tomcat
After installing GT3 (./install-gt3-bin /path/to/install, see www-unix.globus.org/toolkit/docs/3.2/installation/index.html), it can be deployed in Tomcat as follows:
- The ogsa web application context first needs to be populated with the ogsa jar and system files using the ant deployTomcat target:
  ant -Dtomcat.dir=/home/globus/jakarta deployTomcat
- The next step is to add the gwsdl, wsdl and xsd text/xml mime types to web.xml:
  <mime-mapping>
    <extension>gwsdl</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>wsdl</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>xsd</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
GT3 in Tomcat ...
- The invoker servlet needs to be enabled in the <tomcat root>/conf/web.xml configuration file in order to use the Axis administration servlet:
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
- The <tomcat root>/webapps/ogsa/WEB-INF/etc directory needs to be created and populated with a subset of the xml and conf files located in the etc directory of the Globus top-level installation directory.
- The index-service-config.xml file needs to be edited in order to enable the Cluster service data element.
- The following parameter needs to be added to the Tomcat run-time parameters: -Dorg.globus.ogsa.client.timeout=180000
GT3 in Tomcat ...
- A number of run-time parameters need to be added to the Tomcat startup command line:
  CATALINA_OPTS="-Xmx384m -Dorg.globus.tcp.port.range=3000,3600 -Dorg.globus.ogsa.server.webroot=/opt/gt3 -Dorg.globus.ogsa.client.timeout=180000 -Dorg.globus.ogsa.schema.root=http://localhost:8080/"
- A schema folder for the ogsa web application context needs to be created for storing .wsdl files: <tomcat root>/webapps/ogsa/schema
- List of application contexts: http://node40.cluster.cpc.wmin.ac.uk:8080/ogsa
Configuring user Web application contexts in Tomcat for GT3
Once the default ogsa web application context is configured, it is then possible to configure additional web application contexts for multiple users:
- Each web application context needs to be defined in the Tomcat <tomcat root>/conf/server.xml system configuration file:
  <Context path="/goyenea" docBase="/ogsi/webapps/goyenea" debug="0" reloadable="true">
    <Logger className="org.apache.catalina.logger.FileLogger" directory="/ogsi/logs"
            prefix="goyenea_log." suffix=".txt" timestamp="true"/>
  </Context>
- Each /ogsi/webapps/<username> top-level web application context folder needs to be created and its permissions changed:
  # mkdir -p -m 755 /ogsi/webapps/goyenea/schema
  # mkdir -p -m 755 /ogsi/webapps/goyenea/WEB-INF
  # mkdir -p -m 755 /ogsi/webapps/goyenea/WEB-INF/lib
  # mkdir -p -m 755 /ogsi/webapps/goyenea/WEB-INF/classes
  # chown -R goyenea /ogsi/webapps/goyenea
Configuring user web application contexts in Tomcat for GT3
- Each web application context needs to be populated with the GT3 jar and configuration files:
  cd $GLOBUS_LOCATION/schema
  find . | cpio -pdv /ogsi/webapps/goyenea/schema
  cp <tomcat_root>/webapps/ogsa/WEB-INF/lib/*.jar /ogsi/webapps/goyenea/WEB-INF/lib
  cp <tomcat_root>/webapps/ogsa/WEB-INF/*.wsdd /ogsi/webapps/goyenea/WEB-INF
  cp <tomcat_root>/webapps/ogsa/WEB-INF/etc/*.conf /ogsi/webapps/goyenea/WEB-INF/etc
  cp <tomcat_root>/webapps/ogsa/WEB-INF/etc/*.xml /ogsi/webapps/goyenea/WEB-INF/etc
  (a stripped-down version is also possible)
- Once a user's web application context has been populated, it is then possible to configure the local /ogsi/webapps/goyenea/WEB-INF/web.xml and /ogsi/webapps/delaitt/WEB-INF/server-config.wsdd files in order to adjust the location of the web application context directory as well as to enable the required and necessary services.
Configuring user web application contexts in Tomcat for GT3
- List of application contexts:
  http://node40.cluster.cpc.wmin.ac.uk:8080/ogsa (default context)
  http://node40.cluster.cpc.wmin.ac.uk:8080/goyenea
  http://node40.cluster.cpc.wmin.ac.uk:8080/delaitt
  http://node40.cluster.cpc.wmin.ac.uk:8080/noam
Deploying a Grid Service into a web application context
- Stop the user (only!) application context.
- Copy the two generated jar files to /ogsi/webapps/goyenea/WEB-INF/lib and make sure the files can be read by the Tomcat server:
  cp build/lib/gt3tutorial.core.factory.Math.jar /ogsi/webapps/goyenea/WEB-INF/lib
  cp build/lib/gt3tutorial.core.factory.Math-stub.jar /ogsi/webapps/goyenea/WEB-INF/lib
  chmod 644 /ogsi/webapps/delaitt/WEB-INF/lib/*.jar
- Publish the WSDL files (not through UDDI):
  mkdir -p -m 755 /ogsi/webapps/goyenea/schema/gt3tutorial.core.factory/Math
  cp build/schema/gt3tutorial.core.factory/Math/MathService.wsdl \
     /ogsi/webapps/goyenea/schema/gt3tutorial.core.factory/Math
  chmod 644 /ogsi/webapps/goyenea/schema/gt3tutorial.core.factory/Math/MathService.wsdl
- Edit the grid service deployment descriptor called server-config.wsdd to add an entry for the MathFactory service (it depends on the service requirements: security, etc.).
- Start the user application context.
Session Part 2: outline
- Grid Services introduction.
- Grid Services administration.
- Grid Services security:
  - Definition,
  - GSI,
  - Certificates,
  - Administration and use.
- Grid Service study case.
Grid Services Security
- Terminology review:
  - Authentication: establishing identity.
  - Authorization: establishing rights.
  - Message protection:
    - Message integrity,
    - Message confidentiality (content).
  - Delegation: act on behalf of the Grid Service caller.
Grid Services Security
- Challenges:
  - Dynamic formation and management of virtual organizations (unpredictable behavior).
  - Virtual Organization (VO) sharing resources with different security mechanisms.
  - Service to service interaction and delegation.
  - Different formats.
  - ...
Grid Security Infrastructure (GSI)
- Description:
  - Based on standard Public Key Infrastructure (PKI) technologies. The public key is given to the world encapsulated in an X.509 certificate.
- Implements:
  - X.509 certificates for "users", "hosts" and "services".
  - Proxy Certificate: GSI extension to X.509 certificates that allows timed single sign-on and delegation.
  - Trust at user/resource level.
  - Within the resource, apply the local policy.
GSI: obtain certificates (diagram: Grid User, Registration Authority (RA) and Certificate Authority (CA), steps 1 to 5)
1) Grid user applies for a certificate, selecting an RA.
2) CA informs the RA.
3) RA confirms the user's identity (photo ID).
4) RA approves the certificate request.
5) User receives the certificate (download).
GSI: Distinguished name
- Certificates are issued with names of the following form (Distinguished Name):
  /C=UK/O=eScience/OU=Westminster/L=ComputerScience/CN=Ariel Goyeneche
  C  = Country
  O  = Organization
  OU = Organizational Unit(s)
  L  = Location
  CN = Common Name (user, or server, or service/server)
  (The diagram also labels the Certificate Authority (CA) and Registration Authority (RA).)
GSI: Administration and use
Grid User:
- Request Certificate: organizations use different approaches
  - grid-cert-request (usercert_request.pem/userkey.pem)
  - web-interface
- Store: ~/.globus/usercert.pem
- Proxy Creation: placed in /tmp and valid for a number of hrs.
  - grid-proxy-init
  - GUI
GSI: Administration and use
Grid Client Programmer:
- Soap Message:
  - Signature *
  - Encryption * (includes signature)
  - Mode: No Delegation*, Limited Delegation*, Full Delegation*.
    (Delegation: a new key pair is generated remotely on the server and sent to the client, which signs the proxy certificate and returns it to the server, which puts the new proxy in /tmp.)
  * If the Grid Service is expecting it.
GSI: Administration and use
Grid Service Programmer:
- Requires Soap Message Signature or Encryption.
- Requires Delegation Mode.
- server-config.wsdd (tomcat/webapps/user/WEB-INF)
  - Grid Service element
    - securityConfig -> pointer to xml file (i.e. security_config.xml)
    - instance-securityConfig -> pointer to xml file (i.e. security_config.xml)
- security_config.xml
  - Run_as *: Caller-identity / System-identity / Service-identity
  - Auth-method *: None / Gsi: Integrity, privacy
  (* it could be set per Grid Service or per method in each Grid Service)
GSI: Administration and use
Grid Service Administrator:
- Grid Users:
  - Grid-mapfile (/etc/grid-security):
    # Distinguished name                                                    Local user
    "/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=Ariel Goyeneche"  goyenea
  - Options: 1 DN to 1 LU, # DN to 1 LU, # DN to # LU
- Grid Servers:
  - Grid Server certificates (hostcert.pem/hostkey.pem in /etc/grid-security)
  - /etc/grid-security
    - globus-host-ssl.conf
- Grid Services:
  - Request.
GSI: Administration and use
Note:
- GSI handles authentication, but authorization is a separate issue.
- The grid-mapfile doesn't scale well, and works only at the resource level, not the collective level.
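The grid-mapfile shown above is where GSI authentication hands over to resource-level authorization: a quoted Distinguished Name on each line is mapped to one or more local accounts. The following Java class is an added example (not code from the slides or from the Globus Toolkit) that parses that format, answers the "may this DN run as this account" question, and covers the three layouts the slide lists (1 DN to 1 LU, several DNs to 1 LU, 1 DN to several LUs). The sample file content is constructed here; only the first DN is the deck's own, the other DNs and the accounts project1 and admin are made up.

```java
// Added example, not from the slides or the Globus Toolkit: a reader for the
// grid-mapfile format ("/DN" account[,account...]) with resource-level lookups.
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class GridMapFile {

    // Constructed sample grid-mapfile; the first DN is the deck's own example, the
    // other DNs and the accounts project1/admin are made up for illustration.
    static final String SAMPLE =
        "# Distinguished name                                                    Local user\n"
      + "\"/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=Ariel Goyeneche\"  goyenea\n"
      + "\"/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=Example User One\" project1\n"
      + "\"/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=Example User Two\" project1\n"
      + "\n"
      + "\"/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=Example Admin\"    admin,project1\n";

    private final Map<String, List<String>> entries = new LinkedHashMap<String, List<String>>();

    // Parse grid-mapfile text. Blank lines and '#' comments are skipped; every other
    // line is a double-quoted DN, whitespace, then a comma-separated list of accounts.
    // Malformed lines are rejected outright rather than guessed at.
    static GridMapFile parse(String text) {
        GridMapFile map = new GridMapFile();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.length() == 0 || line.startsWith("#")) continue;
            int close = line.indexOf('"', 1);
            if (line.charAt(0) != '"' || close < 0)
                throw new IllegalArgumentException("DN must be double-quoted: " + line);
            String dn = line.substring(1, close);
            List<String> accounts = new ArrayList<String>();
            for (String u : line.substring(close + 1).trim().split("\\s*,\\s*"))
                if (u.length() > 0) accounts.add(u);
            if (accounts.isEmpty())
                throw new IllegalArgumentException("no local user for " + dn);
            map.entries.put(dn, accounts);
        }
        return map;
    }

    // Accounts this DN may be mapped to (the first is the default); empty if unknown.
    List<String> localUsers(String dn) {
        List<String> l = entries.get(dn);
        return l == null ? Collections.<String>emptyList() : l;
    }

    // Resource-level authorization decision: may the holder of `dn` run as `account`?
    boolean mayRunAs(String dn, String account) {
        return localUsers(dn).contains(account);
    }

    // Reverse view: every DN that shares one account ("# DN to 1 LU" on the slide).
    List<String> dnsMappedTo(String account) {
        List<String> dns = new ArrayList<String>();
        for (Map.Entry<String, List<String>> e : entries.entrySet())
            if (e.getValue().contains(account)) dns.add(e.getKey());
        return dns;
    }

    // Pull one attribute (C, O, OU, L, CN) out of a "/C=UK/O=..." style DN; the
    // last occurrence wins, which for CN is the leaf name of the subject.
    static String attribute(String dn, String name) {
        String value = null;
        for (String rdn : dn.split("/")) {
            int eq = rdn.indexOf('=');
            if (eq > 0 && rdn.substring(0, eq).equals(name)) value = rdn.substring(eq + 1);
        }
        return value;
    }

    public static void main(String[] args) {
        GridMapFile map = parse(SAMPLE);
        String dn = "/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=Ariel Goyeneche";
        System.out.println(attribute(dn, "CN") + " -> " + map.localUsers(dn));          // [goyenea]
        System.out.println("may run as root? " + map.mayRunAs(dn, "root"));              // false
        System.out.println("project1 is shared by " + map.dnsMappedTo("project1").size() + " DNs"); // 3
    }
}
```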
Session Part 2: outline
- Grid Services introduction.
- Grid Services administration.
- Grid Services security.
- Grid Service study case:
  - GEMLCA presentation,
  - GEMLCA infrastructure,
  - Security: Authentication and Authorization,
  - Configuration scenarios.
Grid Service study case
GEMLCA - Grid Execution Management for Legacy Code Architecture
http://www.cpc.wmin.ac.uk/ogsitestbed/GEMLCA/
Motivation
• To deploy legacy code applications as Grid services without reengineering the original code and with minimal user effort.
• To create complex Grid workflows where components are legacy code applications.
• To make these functions available from a Grid Portal.
GEMLCA (diagram: GEMLCA and PGPortal integration)
GEMLCA Concept (diagram)
- Client side: Grid Service Client.
- GEMLCA Resource: Legacy Code Factory, Legacy Code Process, Legacy Code Job.
- Grid Host Environment (GT3): OGSA Container, MMJFS, Job Manager (Condor/Fork), Compute Servers.
Administration scenario
- Grid Clients:
  - User Grid Certificate (Distinguished Name (DN))
  - Account on the Grid portal
  - Access to GEMLCA Resources (Authentication)
  - Access to Legacy Codes (Authorization)
- Grid Servers:
  - Server Grid Certificate
  - GT3 Web application context
  - Authorization
- GEMLCA Resource:
  - Service Grid Certificate
  - GEMLCA Web application context
  - List of resources (Legacy Code), authentication
Grid Client
- User Grid Certificate (Distinguished Name):
  - Approach the CA and get a certificate.
- Account on the Grid portal (it could be used from a Grid client):
  - Fill in a web form or contact the portal administration and get an account in the portal.
- Access to GEMLCA Resources (Authentication):
  - Restricted by Grid Server administration (next slide).
- Access to Legacy Codes (Authorization):
  - Restricted by Grid Server administration (next slide).
Grid Servers
- Server Grid Certificate:
  - Approach the CA and get a Server Certificate.
  - Install GT3 and the server certificate.
- GT3 Web application context:
  - The administrator has to install GT3 and the ogsa web application context.
Grid Servers
- Authorization:
  - Grid-mapfile:
    - Each DN mapped to a different local user:
      - More difficult to administer.
      - Administratively more complicated for the grid user.
      - Fine grain control.
    - Several DNs mapped to 1 local user:
      - Local user per project.
      - Difficult to administer resource use.
GEMLCA Resources
- GEMLCA Service Certificate:
  - Get certificate: "/C=UK/O=eScience/O=Westminster/OU=ComputerScience/CN=gemlca/holly.dsg.port.ac.uk"
- GEMLCA Web Application Context:
  - User application context deployed with GEMLCA Grid services. These Grid Services use the Grid Services deployed in the ogsa application context.
    - One GEMLCA application context per server:
      - Easy to administer.
    - Several GEMLCA application contexts per server:
      - Flexibility (Stop/Start/Deploy).
      - Fine grain authentication (next slide).
      - Provide a GEMLCA resource per department, etc.
GEMLCA Resources
- GSI handles authentication but authorization is a separate issue.
- The grid-mapfile doesn't scale well, and works only at the resource level, not the collective level.
- Ad-hoc authorization:
  - General list of resources (Legacy Codes): each GEMLCA resource has a pointer to a list of Legacy Codes that anyone with access to that GEMLCA Resource can use.
  - Local list of resources (Legacy Codes): each mapped user has access to a list of resources that is published in the $HOME/.gemlca/ folder of the mapped user.
The end!
Recommended articles
- IBM.com/developerworks:
  - Secure Web services: Encryption
    - WAS/WSAD and VB.NET interoperability using the XML Encryption standard from W3C.
  - Secure Web services: Interoperability
    - WAS/WSAD and VB.NET using the XML Digital Signature standard from W3C.
  - By Hedley Proctor - tinyurl.com/4tw7x
  - http://www106.ibm.com/developerworks/edu/ws-dw-wsencrypt-i.html?ca=drs-ws2104
Recommended Websites
- http://ws.apache.org/axis
- http://www.cs.fsu.edu/~engelen/soap.html
- http://dietrich.ganx4.com/nusoap/index.php
- http://www.devshed.com/
- http://ws.apache.org/ws-fx/wss4j/
- http://xmethods.com/
- http://www.globus.org/wsrf/
Recommended books
- ESB: http://www.oreilly.com/catalog/esb/
- Java security: http://www.j2ee-security.net/
- PayPal Hacks: http://www.oreilly.com/catalog/payhks/
- Web Services with Perl: http://www.oreilly.com/catalog/webserperl
Recommended online books
- http://www.j2eeolympus.com/freebooks/FreeWebServicesBooks.jsp
- By Sun Microsystems:
  - Designing Web Services with the J2EE 1.4 Platform - Early Access.
  - The Java Web Services Tutorial.
- By IBM Redbooks:
  - WebSphere Version 5 Web Services Handbook.
  - Self-Study Guide: WebSphere Studio Application Developer and Web Services.
Thanks!
- National e-Science Centre, Edinburgh: Mike Mineter, etc.
- The UK OGSA Testbed: Rob Allan, Mark Baker, Stephen Pickles, Peter Kacsuk, etc.
Contact us...
Hong Ong
[email protected]
http://dsg.port.ac.uk/~hong/
Ariel Goyeneche
[email protected]
http://www.cscs.wmin.ac.uk/~goyenea/