perfsonar development work

[Cándido Rodríguez Montes <>]

Hi Nicolas and Nina,

in Rome, we checked that the CNM and PerfsonarUI are using those last jar files :-)

Also, Danijel and me were working on how to do that in VisualPerfsonar and I hope Danijel will send us great news soon.

Regards

El 06/02/2008, a las 7:17, Nina Jeliazkova escribió:

Hi,

If I am correct, CNM and PerfsonarUI don't use openSAML at this moment and this issue was irrelevant to us; should this change?

Regards,

Nina

Nicolas Simar wrote:

Hi,

have Nina and David confirmed that the issue is solved?

Cheers,

Nicolas

Cándido Rodríguez Montes wrote:

Hi devs,

I wrote an email the 26th November about an unsolved problem between axis1, opensaml and xml signatures. When a perfSONAR resource sends a SAML assertion or the AS receives one, Axis1 modifies the content of the XML and its signature cannot be validated. Due to this problem the client in a Web containEr (WE) profile cannot be implemented in perfSONAR. I've made a workaround to solve this situation so we can integrate the authN process into web-based visualization tools for the next upcoming release of perfSONAR. You can find *more information about this at [1] section 'Client in a Web containEr'*.

Also, another important feature is that timestamp information has to be sent in the WS-SEC header, ensuring the security of the model. Now, a ws-sec header (<wsse:Security> element) cannot be reused because it would be a potential security hole in our model. The main goal is to avoid someone copying the SOAP header and using it by getting valid credentials in the perfSONAR environment. If you're wondering why I've done it right now, the thing is I've been thinking about security considerations during this Christmas holidays for the upcoming release (the first one having the authN process). I've *updated the specification of the 3 profiles and how the timestamp SHOULD be sent at [1]*. * Information for Java Developers:

** Visualization Tools: you have to use the perfsonar-base-1.0.20080114.jar file. You don't have to modify your code!

** perfSONAR services: you have to use the perfsonar-base-1.0.20080114.jar file. You don't have to modify your code!

* Information for non-Java Developers:

** Visualization Tools: you have to modify your code (or the library you're using, as perlSONAR for example). If you've implemented the AC or the UbC profiles you only have to add the timestamp information (and its digest value). You can find the specification at [2]. If you have to implement the WE profile, read the specification at [1] section 'Client in a Web containEr' below the WARNING title. Of course, if you have problems or any question send my an email or contact me by Jabber :-) ** perfSONAR services: read [1] although if you were copying the SOAP header, you don't have to do any update of your code.

I know it makes a little bit more complex the test process for the AS, since the SOAP header cannot be copied into the soapUI. For this situation, I've created a web-based test tool which generates valid SOAP messages for the three profiles. I'm going to upload it tomorrow and contact David Schmitz about this.

Regards

[1] http://wiki.perfsonar.net/jra1-wiki/index.php/Authentication_Service_resources 

[2] http://wiki.perfsonar.net/jra1-wiki/index.php/Using_X.509_token_profile

-- 

Cándido Rodríguez Montes E-mail: <>

Middleware warrior Tel:+34 955 05 66 13

Red.ES/RedIRIS

Edificio CICA

Avenida Reina Mercedes, s/n

41012 Sevilla

SPAIN

--

Cándido Rodríguez Montes E-mail: 

Middleware warrior Tel:+34 955 05 66 13

Red.ES/RedIRIS

Edificio CICA

Avenida Reina Mercedes, s/n

41012 Sevilla

SPAIN