Single Sign-on Authentication Modules

The GridPort demo portal includes a set of configurable grid authentication modules which allow one to perform grid authentication upon signing in to the portal. The demo portal contains modules that work with the GridPort Repository and MyProxy.

Configuration

There are a few properties that you can configure in the main project.properties file of the demo portal.

You can enable and disable the authentication modules by setting the auth.enable properties to either true or false: true turns a module on and false turns it off.

	    ###
	    # AUTHENTICATION MODULE PROPERTIES
	    # Set to 'true' to enable and 'false' to disable.
	    ###
	    gridport.auth.enable=true
	    myproxy.auth.enable=false	    

For changes to take effect in the portal you must re-deploy the modules and restart Tomcat.

Configuring GridPort Repository Authentication

The GridPort Repository allows a developer to set up grid authentication without a MyProxy server. The prerequisites for a GridPort Repository are at least one certificate and private key pair as .pem files, and at least one GridSphere portal account for each user you wish to give single sign-on grid capability through the portal.

If the GridPort authentication module is enabled then a GridPort repository will be created automatically in $HOME/.globus/GridPortRepository with the appropriate directory structure. You can also configure the GridPort repository to install in a directory other than the default by setting the gridport.repo property in project.properties.

	      ###
	      # GRIDPORT REPOSITORY CONFIGURATION
	      ###
	      gridport.repo=${user.home}/.globus/GridPortRepository

Inside the repository you will find three directories: storedCredentials/, storedProxies/, and sessions/. Copy your certificate and private key .pem files into storedCredentials/ and rename them so that your portal user’s username is the prefix, followed by _cert.pem and _key.pem respectively.

	      localhost> pwd
	      /home/ericrobe/.globus/GridPortRepository/storedCredentials
	      localhost> ls -l
	      total 12
	      -r--------  1 ericrobe users 4860 2005-08-01 18:43 ericrobe_cert.pem
	      -r--------  1 ericrobe users 1743 2005-08-01 18:43 ericrobe_key.pem	    

You should also ensure that all of the directories in the GridPort repository have read, write and execute permissions only for the user running the portal (in UNIX this would be mode 700). In the example above the user ericrobe is also running the portal.

NOTE: Use the GridPort Repository with CAUTION. It does not provide the same level of security that a MyProxy server or other authentication mechanisms do, but it does allow GridPort users to easily start using the interactive grid capabilities of the demo portal without having to install a MyProxy server.
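The following POSIX shell script is an added example and is not part of the GridPort distribution. It checks a repository against the rules in this section before you enable gridport.auth.enable: the three subdirectories exist, the directories and the .pem files are readable by their owner only, and the credentials are named with the portal username as prefix. It assumes that the account running the check is the same account that runs the portal, and the repository path and username are taken as arguments.

```shell
#!/bin/sh
# Added example; this script is not part of the GridPort demo portal.
# It checks a GridPort Repository against the layout the guide describes:
# three subdirectories, credential files named <user>_cert.pem and
# <user>_key.pem, directories and credentials private to the portal user.
# Usage: check_gridport_repo <repo_dir> <portal_username>
# Exit status 0 when everything matches, 1 otherwise (one line per problem).

# Group/other permission characters of a path, e.g. "------" for mode 700 or 400.
# Parsing ls -l keeps this portable (stat's flags differ between GNU and BSD).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Owner of a path, from the third column of ls -l.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Report when a path is not private to the user running this check
# (assumed to be the same account that runs the portal).
require_private() {
    path=$1; what=$2; ok=0
    if [ "$(group_other_bits "$path")" != "------" ]; then
        echo "$what is accessible to group/other: $path ($(ls -ld "$path" | cut -c1-10))"
        ok=1
    fi
    if [ "$(file_owner "$path")" != "$(id -un)" ]; then
        echo "$what is not owned by $(id -un): $path"
        ok=1
    fi
    return $ok
}

check_gridport_repo() {
    repo=$1; user=$2; rc=0

    if [ ! -d "$repo" ]; then
        echo "repository directory missing: $repo"
        return 1
    fi
    require_private "$repo" "repository" || rc=1

    # The module creates these three directories; all of them must be mode 700.
    for sub in storedCredentials storedProxies sessions; do
        if [ ! -d "$repo/$sub" ]; then
            echo "missing directory: $repo/$sub"; rc=1
        else
            require_private "$repo/$sub" "directory" || rc=1
        fi
    done

    # The portal looks the .pem files up by the portal username as prefix.
    for f in "$repo/storedCredentials/${user}_cert.pem" \
             "$repo/storedCredentials/${user}_key.pem"; do
        if [ ! -f "$f" ]; then
            echo "missing credential file: $f"; rc=1
        else
            require_private "$f" "credential" || rc=1
        fi
    done
    return $rc
}

# Run directly, e.g.: sh check_repo.sh "$HOME/.globus/GridPortRepository" ericrobe
if [ $# -eq 2 ]; then
    check_gridport_repo "$1" "$2"
fi
```

A clean run prints nothing and exits 0; any line of output names a directory or file that the portal user should fix with chmod, chown or a rename before the module is switched on.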

Configuring MyProxy Authentication

You can configure these authentication modules with up to two different MyProxy servers. If authentication against the first MyProxy server succeeds, the module does not try the second one; if authentication against the first server fails, the module automatically tries to authenticate against the second one.

The properties you can configure for each server are the hostname, port and lifetime. By default the port properties are set to 7512, the default port that MyProxy runs on, and the default proxy lifetime is set to 2. The hostname properties are blank by default, so you will need to set them to point to actual MyProxy servers.

NOTE: You do not have to configure both MyProxy servers at the same time.

	      # MYPROXY CONFIGURATION
	      # You can configure up to 2 MyProxy servers
	      myproxy.host.1=
	      myproxy.port.1=7512
	      myproxy.lifetime.1=2

	      myproxy.host.2=
	      myproxy.port.2=7512
	      myproxy.lifetime.2=2
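The script below is an added example, not code from the GridPort project. It reads the authentication keys out of a project.properties file and reports whether the configuration is usable before you redeploy and restart Tomcat: at least one module must be enabled, and an enabled MyProxy module needs at least one non-blank myproxy.host.N with a numeric port. It lists the configured servers in the order the module tries them (server 1, then server 2) and treats a blank host as "not configured", matching the default file. It only parses the file and does not contact any MyProxy server; the key names are the ones shown above, and the path to the properties file is an argument.

```shell
#!/bin/sh
# Added example; this script is not part of the GridPort demo portal.
# It parses the authentication properties from project.properties and reports
# whether the configuration is usable. Usage: check_auth_config <project.properties>

# prop <file> <key>: value of the last "key=value" line for that key, with
# surrounding whitespace removed; empty when the key is absent or blank.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')     # dots in the key are literal
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# myproxy_servers <file>: one "host port lifetime" line per configured server,
# in the order the module tries them (server 1 first, server 2 only if 1 fails).
# Servers whose host is blank are skipped, as they are in the default file.
myproxy_servers() {
    for n in 1 2; do
        host=$(prop "$1" "myproxy.host.$n")
        [ -n "$host" ] || continue
        echo "$host $(prop "$1" "myproxy.port.$n") $(prop "$1" "myproxy.lifetime.$n")"
    done
}

# check_auth_config <file>: exit status 0 when the configuration is usable,
# 1 otherwise, printing one line per problem found.
check_auth_config() {
    f=$1; rc=0; configured=0
    gp=$(prop "$f" gridport.auth.enable)
    mp=$(prop "$f" myproxy.auth.enable)

    if [ "$gp" != true ] && [ "$mp" != true ]; then
        echo "no authentication module is enabled (gridport.auth.enable=$gp, myproxy.auth.enable=$mp)"
        rc=1
    fi

    if [ "$mp" = true ]; then
        for n in 1 2; do
            host=$(prop "$f" "myproxy.host.$n")
            [ -n "$host" ] || continue
            configured=$((configured + 1))
            port=$(prop "$f" "myproxy.port.$n")
            case $port in
                ''|*[!0-9]*) echo "myproxy.port.$n is not numeric: '$port'"; rc=1 ;;
            esac
            if [ -z "$(prop "$f" "myproxy.lifetime.$n")" ]; then
                echo "myproxy.lifetime.$n is blank"; rc=1
            fi
        done
        if [ "$configured" -eq 0 ]; then
            echo "myproxy.auth.enable=true but every myproxy.host.N is blank"
            rc=1
        fi
    fi
    return $rc
}

# Run directly, e.g.: sh check_auth_config.sh path/to/project.properties
if [ $# -eq 1 ]; then
    check_auth_config "$1" && echo "authentication configuration looks usable"
fi
```

Running it against the default file above reports that MyProxy is disabled and GridPort is enabled, so it passes; enabling myproxy.auth.enable without filling in a hostname is the mistake it is there to catch, since that is what the blank defaults invite.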

Deploy

Once you have configured the modules, deploy them and restart Tomcat.

Grid Single Sign-on

If the portal is installed on your local system, point your browser to http://localhost:8080/gridsphere. Before you can perform single sign-on grid authentication you need to create a portal user account. The username must be the same as the username you used to delegate proxies to MyProxy, or the same as the username prefix you gave your certificate and key in the GridPort repository.

Create A New Portal User

To create a portal account, log in to the portal with the username root and no password (assuming you haven’t changed the root password for the portal). Once authenticated, click the Administration tab and then the Users subtab. Next, click the Create a New User link, fill out the form with the desired username, password and other information, and click Save user. Finally, log out of the portal.

Authenticate

To perform a single sign-on login, enter the username of the portal account you just created and a password that corresponds either to one of your proxies delegated to MyProxy or to the certificate you placed in the GridPort repository. If single sign-on grid authentication is successful you will be logged in and you should see a DN added to your list of proxies in the Proxy Manager portlet.

NOTE: You can still log in to GridSphere without grid authentication by providing the password you used when you created your portal account.