[Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today

Morris Riedel m.riedel at fz-juelich.de
Fri Mar 27 07:42:25 CDT 2009


Ok, but I guess there might be GSI-enabled production elements out there,
e.g. an SRM interface which I see basically on the same level as BES...(as a
functional interface)

------------------------------------------------------------
Morris Riedel
SW - Engineer
Distributed Systems and Grid Computing Division
Jülich Supercomputing Centre (JSC)
Forschungszentrum Juelich
Wilhelm-Johnen-Str. 1
D - 52425 Juelich
Germany

Email: m.riedel at fz-juelich.de
Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel
Phone: +49 2461 61 - 3651
Fax: +49 2461 61 - 6656

Skype: MorrisRiedel

"We work to better ourselves, and the rest of humanity"

Registered office: Jülich
Registered in the commercial register of the Düren district court, No. HR B 3498
Chair of the Supervisory Board: MinDirig'in Bärbel Brumme-Bothe
Board of Directors: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman)


>------Original Message-----
>-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>-Aleksandr Konstantinov
>-Sent: Friday, March 27, 2009 1:35 PM
>-To: pgi-wg at ogf.org
>-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>-
>-On Friday 27 March 2009 11:52, you wrote:
>-> Ok,
>->
>->   and that's why we have to support both in our profiles I guess - correct?!
>->
>-
>-Definitely not because of ARC. Rather vice versa. :)
>-
>-
>-A.K.
>-
>-
>->
>-> Take care,
>-> Morris
>->
>->
>-> >------Original Message-----
>-> >-From: pgi-wg-bounces at ogf.org [mailto:pgi-wg-bounces at ogf.org] On Behalf Of
>-> >-Aleksandr Konstantinov
>-> >-Sent: Friday, March 27, 2009 10:49 AM
>-> >-To: pgi-wg at ogf.org
>-> >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2 released today
>-> >-
>-> >-On Monday 23 March 2009 15:04, Etienne URBAH wrote:
>-> >-> To all,
>-> >->
>-> >-> Concerning various implementations of TLS to handle X509 certificates
>-> >-> and proxies, it seems that :
>-> >->
>-> >-> -  DEISA (Unicore) uses the OpenSSL implementation of TLS to process
>-> >-> X509 certificates,
>-> >->
>-> >-> -  EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security
>-> >-> Infrastructure) implementation of TLS to process X509 proxies,
>-> >-
>-> >-No, ARC uses OpenSSL for TLS data connections and Globus for
>-> >-GSI connections (SRM and GridFTP).
>-> >-
>-> >-
>-> >-A.K.
>-> >-
>-> >-
>-> >->
>-> >-> -  The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE
>-> >-> (see mails below of Weizhong QIANG and Duane MERRIL).
>-> >->
>-> >-> This would make any interoperability very difficult.
>-> >->
>-> >->
>-> >-> But the situation is perhaps NOT so desperate :
>-> >->
>-> >-> -  EGEE has just released gLite version 3.2 today 23 March 2009.
>-> >->
>-> >-> -  In slide 3 of the presentation 'Middleware update' performed at CERN
>-> >-> GDB on 11 March 2009 and which is available at
>-> >-> http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&confId=45473
>-> >->     Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which
>-> >-> uses 'system OpenSSL'.
>-> >->
>-> >->
>-> >-> ==>  Can Andreas UNTERKIRCHER provide more precisions, and confirm that
>-> >-> this permits interoperability at the X509 level ?
>-> >->
>-> >-> ==>  Can the PGI chairs plan an interoperability test ASAP to check if
>-> >-> this really works ?
>-> >->
>-> >->
>-> >-> In hope that the above information and suggestions are useful.
>-> >->
>-> >-> Best regards.
>-> >->
>-> >-> ----------------------------------
>-> >-> Etienne URBAH          IN2P3 - LAL
>-> >-> Bat 200     91898 ORSAY     France
>-> >-> Tel: +33 1 64 46 84 87
>-> >-> Mob: +33 6 22 30 53 27
>-> >-> Skype: etienne.urbah
>-> >-> mailto:urbah at lal.in2p3.fr
>-> >-> ----------------------------------
>-> >->
>-> >->
>-> >-> On Mon, 23 Mar 200, Jens Jensen wrote:
>-> >-> > 2009/3/20 weizhong qiang <weizhongqiang at gmail.com>:
>-> >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel at fz-juelich.de> wrote:
>-> >-> >> Basically the globus implementation of GSSAPI is about a specific
>-> >-> >> context-initiation negotiation, and some data-padding for initiation and
>-> >-> >> data-transferring. Also you can accomplish proxy-delegation via it.
>-> >-> >> What is for sure is that you can not use client based on normal TLS to talk
>-> >-> >> with service which is based on GSSAPI, or vice versa.
>-> >-> >> AFAIK, There is some grid service (WS compliant) such as some SRM service
>-> >-> >> which uses GSSAPI. (SOAP + HTTP + GSS).
>-> >-> >
>-> >-> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just
>-> >-> > a mechanism for establishing security contexts - if you get these
>-> >-> > bytes then send this, etc.  Presumably normal TLS can be implemented
>-> >-> > via GSSAPI as well, see eg section 5.3 of the RFC
>-> >-> > Someone once told me Globus had to deviate from the standard GSSAPI
>-> >-> > to implement GSI. If this is true then it's worth documenting, no?
>-> >-> > Again long time ago I experimented with the Globus module for GSI and
>-> >-> > the lower level Globus GSSAPI.  At the time they did not interoperate :-)
>-> >-> > Had some discussions with Aleksandr at the time.
>-> >-> >
>-> >-> > Regards
>-> >-> > --jens
>-> >->
>-> >->
>-> >->
>-> >-> On Fri, 20 Mar 2009, Duane Merrill wrote:
>-> >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire
>-> >-> > protocol. For various reasons, different versions of GSI-OpenSSH *have*
>-> >-> > changed the wire format in different ways. (Shame on them.) Out of
>-> >-> > curiosity, are there any published/publicly-available descriptions of
>-> >-> > these deltas?
>-> >-> >
>-> >-> > Duane
>-> >->
>-> >-_______________________________________________
>-> >-Pgi-wg mailing list
>-> >-Pgi-wg at ogf.org
>-> >-http://www.ogf.org/mailman/listinfo/pgi-wg
>->