Introduction to GSI

If you're familiar with Grid Computing (which you should be, if you've come this far in the tutorial! :-) you probably know that security is one of the most important parts of a grid application. Since a grid, by definition, crosses organizational boundaries, its resources are going to be accessed by users and services from many different organizations. This poses a number of challenges:

The Globus Toolkit 3 allows us to overcome these security challenges through the Grid Security Infrastructure (or GSI), which offers programmers the following three features:

GSI is composed of a set of command-line tools to manage certificates and a set of Java classes to integrate security into our grid services with little effort. It is based on standard technologies, such as TLS (the successor of SSL) and the secure Web Services specifications (XML-Signature, XML-Encryption, etc.).

Let's take a closer look at the three main features of GSI:

Complete public-key system

The GSI is based on public-key cryptography, and can therefore be configured to provide privacy (confidentiality), integrity, and authentication (strong authentication is obtained in conjunction with X.509 certificates, as explained next). However, not every communication needs all three features at once. A GSI secure conversation must, at a minimum, be authenticated. Integrity protection is normally desirable and should only be disabled deliberately, since without it a third party can alter messages in transit undetected. Encryption is optional and is activated when privacy is required.

As soon as we start programming secure grid services, we'll see that using these features is as easy as adding a few lines to the client indicating, for example, that we want integrity but not encryption for the communication.

Mutual authentication through digital certificates

The GSI uses X.509 certificates (as seen in the previous chapter) to provide strong authentication. Mutual authentication simply means that in GSI both parties of a secure conversation must be authenticated. In other words, when A wants to communicate with B, A must trust B and B must trust A. Remember that 'trust' (in this context) means that A must have installed, as a trusted CA, the certificate of the CA that signed B's certificate, and that B's certificate must chain validly to it (the CA's signature verifies and the certificate is within its validity period), and vice versa. Otherwise, A won't trust B (and vice versa), and the conversation is refused.

One of the first practical things we will do in the tutorial (in the next section, "Setting up GSI") is to set up a very simple CA and obtain a digital certificate for ourselves.
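The trust relationship described above, as an added example that is not part of the tutorial and does not use GSI's own tools: a POSIX shell script that drives the openssl command line to create two toy CAs, issue certificates to three parties, and then check who trusts whom. The CA names (grid_ca, other_ca) and the party names (alice, bob, carol) are made up for the demonstration; the only assumption is that the openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the tutorial): a toy CA built with the openssl CLI,
# showing what "A trusts B" means for GSI-style mutual authentication.
# Assumes: the openssl command is installed. All names below are hypothetical.

# Working directory for keys and certificates (a fresh temp dir by default).
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : create a self-signed CA certificate and private key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Grid Tutorial/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME : generate a key and CSR for NAME, then have CA sign it.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Grid Tutorial/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verify_peer TRUSTED_CA CERT : would a party whose trust store holds only
# TRUSTED_CA's certificate accept CERT? openssl verify checks that CERT chains
# to the CA (signature valid, not expired). Prints "trusted" or "untrusted".
verify_peer() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# run_demo : alice and bob both hold certificates from grid_ca and both have
# grid_ca installed, so each side accepts the other (mutual authentication).
# carol's certificate was signed by other_ca, which alice and bob do not have,
# so they reject her; symmetrically, a party trusting only other_ca rejects alice.
run_demo() {
  make_ca grid_ca
  make_ca other_ca
  issue_cert grid_ca alice
  issue_cert grid_ca bob
  issue_cert other_ca carol
  echo "alice checks bob   (trusts grid_ca):  $(verify_peer grid_ca bob)"
  echo "bob checks alice   (trusts grid_ca):  $(verify_peer grid_ca alice)"
  echo "alice checks carol (trusts grid_ca):  $(verify_peer grid_ca carol)"
  echo "carol checks alice (trusts other_ca): $(verify_peer other_ca alice)"
}

run_demo
```

The last two lines of output are the point: a certificate is not "good" or "bad" on its own, it is accepted or rejected relative to the set of CA certificates the verifying party has installed. For a GSI conversation to be established, that check has to succeed in both directions, which is why every host and user in the tutorial will end up with the same CA certificate in their trusted-certificates directory.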

Credential delegation and single sign-on

This feature is explained in detail in the next page.