Generating grid credentials using the Java CoG Kit
Java technology with Globus Grid Security Infrastructure)
development contractor, IBM
Grid Security Infrastructure (GSI) enables secure
authentication and communication over computer networks. It is a Globus
Toolkit component that provides a number of useful services for grids,
including mutual authentication and single sign-on. However,
manipulating grid certificates using the Globus Toolkit 3.0 (GT3) in
Windows environments is an awkward situation. It usually requires that
system administrators or users install GT3 on Linux systems in order to
use the command line scripts to generate certificates. Then they must
move those certificates to their Windows systems. This article
demonstrates an easier alternative, provided by the Java CoG Kit: using
a Java class to create and sign grid proxies and
The basics of GSI
Grid Security Infrastructure (GSI) is based on
proven standards such as public key encryption, X.509 certificates, and
the Secure Sockets Layer (SSL). Extensions to these standards have been
added for single sign-on and delegation.
One of the main concepts in GSI authentication is certificates. Every
grid service and user is identified by means of a certificate, which
contains information used to authenticate and identify that user or
A GSI certificate includes information such as:
- A subject, which identifies the person or object that the
- The public key that belongs to the subject
- The identity of a Certificate Authority (CA) that has signed the
certificate. CAs certify that the public key and the identity both
belong to the subject.
- The digital signature of the named CA
A third-party certificate authority is used to certify the link between
the public key and the subject in the certificate. For an overview of the
Globus Toolkit security infrastructure, see "Overview of the Grid Security
Infrastructure" listed in the Resources
section of this article.
Using Java classes to generate
APIs built into the Java CoG Kit 1.1 on GT3 can
generate a user certificate or certificate request, sign certificates, and
create proxies. The certificate can serve as the basis for a Java CA
implementation, if you do not want to use the UNIX based simple CA
available at the Globus Web site. Listing
1 shows you how to get started by creating a
Creating a self-signed user
certificate and private key
The first step in setting up GSI
is to create a signed user certificate and a private key. These two
arguments can later be used to generate a Globus credential, also known as
a proxy, that provides access to your grid resources.
In UNIX systems, the
$GLOBUS_LOCATION/bin/grid-cert-request.sh script will start
by creating a certificate request that must be submitted to the
Globus Certificate Authority for a signature.
The CA testifies that indeed you are the person you claim to be. In
this sample class, we will use the
COM.claymoresystems.cert.CertRequest class to make a
"self-signed" user certificate along with a private key encrypted with a
user's password. Listing
2 demonstrates this technique.
A call to the
CertRequest.generateKey("RSA", 512, Pwd, bw,
true); class should do the trick. The arguments to this call
represent the following:
- A cipher used for generation (RSA).
- The strength of the certificate keys in bits (512).
- A password used to encrypt the private key.
- A buffered writer to store the private key.
CertificateRequestclass is contained in
the puretls.jar archive distributed with the GT3 Java CoG kit.
This call will return a
KeyPair object that you can then
use in the following instruction to generate a self-signed certificate:
Both the user certificate and the private key are encoded in base 64
PEM format. For more information, see the
class and the
Creating credentials from user
With a user certificate and private key, we are
ready to create the proxy. Note that the package
org.globus.security.* has been deprecated and replaced with
org.globus.gsi.*, which uses the open source Grid Security
Services (GSS). See "Security Library Compatibility" in the Resources
section of this article for further details.
The method in Listing
3 will create a credential compatible with GT3 or GT 2.2x.
If you have a PEM encoded proxy file (downloaded from your UNIX
system), you can use the utility method in Listing
4 to build a
Creating a certificate
You may want to submit your certificate request to
be signed by another CA. The function in Listing
5 shows you how to create it.
Our certificate generator is complemented with the utility functions in
6 that are used for tasks such as:
- Encoding certificate bytes in PEM format.
- Creating X.509 names or DNs for generation purposes.
Creating a certificate generator
7 provides code that illustrates how to create a
CertificateGenerator main function.
The code in Listing 7 requires the following JAR files (all of which
are distributed with GT3) to be in your classpath:
A run of this class will produce the output in Listing
article gives you a place to start in understanding how the grid security
infrastructure works. You can modify the Java code demonstrated here to
implement your own security or certificate authority services. These APIs
are based on proven open-source standards such as PKI and X.509
certificates. For more information see the GSI page on the Globus
Vladimir Silva was born in Quito, Ecuador. He
received a Systems Analyst degree from the Polytechnic Institute of
the Army in 1994. In the same year, he came to the United States as
an exchange student pursuing a career in Computer Science at Middle
Tennessee State University. After graduation, he joined the IBM
"Web-Ahead" technology think tank. His interests include Grid
computing, neural nets, and artificial intelligence. He also holds
numerous IT certifications including OCP, MCSD, and MCP. You can
contact Vladimir at email@example.com.