Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2released today
On Friday 27 March 2009 11:52, you wrote:
Ok,
and that's why we have to support both in our profiles I guess - correct?!
Definitely not because of ARC. Rather vice versa. :) A.K.
Take care, Morris
------------------------------------------------------------ Morris Riedel SW - Engineer Distributed Systems and Grid Computing Division Jülich Supercomputing Centre (JSC) Forschungszentrum Juelich Wilhelm-Johnen-Str. 1 D - 52425 Juelich Germany
Email: m.riedel@fz-juelich.de Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel Phone: +49 2461 61 - 3651 Fax: +49 2461 61 - 6656
Skype: MorrisRiedel
"We work to better ourselves, and the rest of humanity"
Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender)
------Original Message----- -From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of -Aleksandr Konstantinov -Sent: Friday, March 27, 2009 10:49 AM -To: pgi-wg@ogf.org -Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite 3.2released -today - -On Monday 23 March 2009 15:04, Etienne URBAH wrote: -> To all, -> -> Concerning various implementations of TLS to handle X509 certificates -> and proxies, it seems that : -> -> - DEISA (Unicore) uses the OpenSSL implementation of TLS to process -> X509 certificates, -> -> - EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security -> Infrastructure) implementation of TLS to process X509 proxies, - -No, ARC uses OpenSSL for TLS data connections and Globus for -GSI connections (SRM and GridFTP). - - -A.K. - - -> -> - The OpenSSL and GSI implementations of TLS seem to be INCOMPATIBLE -> (see mails below of Weizhong QIANG and Duane MERRIL). -> -> This would make any interoperability very difficult. -> -> -> But the situation is perhaps NOT so desperate : -> -> - EGEE has just released gLite version 3.2 today 23 March 2009. -> -> - In slide 3 of the presentation 'Middleware update' performed at CERN -> GDB on 11 March 2009 and which is available at -> -http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&c onfId=4 -5473 -> Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which -> uses 'system OpenSSL'. -> -> -> ==> Can Andreas UNTERKIRCHER provide more precisions, and confirm that -> this permits interoperability at the X509 level ? -> -> ==> Can the PGI chairs plan an interoperability test ASAP to check if -> this really work ? -> -> -> In hope that the above informations and suggestions are useful. -> -> Best regards. -> -> ---------------------------------- -> Etienne URBAH IN2P3 - LAL -> Bat 200 91898 ORSAY France -> Tel: +33 1 64 46 84 87 -> Mob: +33 6 22 30 53 27 -> Skype: etienne.urbah -> mailto:urbah@lal.in2p3.fr -> ---------------------------------- -> -> -> On Mon, 23 Mar 200, Jens Jensen wrote: -> > 2009/3/20 weizhong qiang <weizhongqiang@gmail.com>: -> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel@fz-juelich.de> wrote: -> >> Basically the globus implementation if GSSAPI is about a specific -> >> context-initiation negotiation, and some data-padding for initiation and -> >> data-transferring. Also you can accomplish proxy-delegation via it. -> >> What is for sure is that you can not use client based on normal TLS to talk -> >> with service which is based on GSSAPI, or vice versa. -> >> AFAIK, There is some grid service (WS compliant) such as some SRM service -> >> which uses GSSAPI. (SOAP + HTTP + GSS). -> > -> > Some years since I last looked at it in detail but IIRC GSSAPI (RFC2743) is just -> > a mechanism for establishing security contexts - if you get these -> > bytes then send -> > this, etc. Presumably normal TLS can be implemented via GSSAPI as well, see -> > eg section 5.3 of the RFC -> > Someone once told me Globus had to deviate from the standard GSSAPI -> > to implement GSI. If this is true then it's worth documenting, no? -> > Again long time ago I experimented with the Globus module for GSI and -> > the lower level Globus GSSAPI. At the time they did not interoperate :-) -> > Had some discussions with Aleksandr at the time. -> > -> > Regards -> > --jens -> -> -> -> On Fri, 20 Mar 2009, Duane Merrill wrote: -> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire -> > protocol. For various reasons, different versions of GSI-OpenSSH *have* -> > changed the wire format in different ways. (Shame on them.) Out of -> > curiosity, are there any published/publicly-availabe descriptions of -> > these deltas? -> > -> > Duane -> -_______________________________________________ -Pgi-wg mailing list -Pgi-wg@ogf.org -http://www.ogf.org/mailman/listinfo/pgi-wg
Ok, but I guess there might be GSI-enabled production elements out there, e.g. an SRM interface which I see basically on the same level as BES...(as a functional interface) ------------------------------------------------------------ Morris Riedel SW - Engineer Distributed Systems and Grid Computing Division Jülich Supercomputing Centre (JSC) Forschungszentrum Juelich Wilhelm-Johnen-Str. 1 D - 52425 Juelich Germany Email: m.riedel@fz-juelich.de Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel Phone: +49 2461 61 - 3651 Fax: +49 2461 61 - 6656 Skype: MorrisRiedel "We work to better ourselves, and the rest of humanity" Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), Dr. Ulrich Krafft (stellv. Vorsitzender)
------Original Message----- -From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of -Aleksandr Konstantinov -Sent: Friday, March 27, 2009 1:35 PM -To: pgi-wg@ogf.org -Subject: Re: [Pgi-wg]TLS : OpenSSL and GSI implementations - gLite 3.2released -today - -On Friday 27 March 2009 11:52, you wrote: -> Ok, -> -> and that's why we have to support both in our profiles I guess - correct?! -> - -Definitely not because of ARC. Rather vice versa. :) - - -A.K. - - -> -> Take care, -> Morris -> -> ------------------------------------------------------------ -> Morris Riedel -> SW - Engineer -> Distributed Systems and Grid Computing Division -> Jülich Supercomputing Centre (JSC) -> Forschungszentrum Juelich -> Wilhelm-Johnen-Str. 1 -> D - 52425 Juelich -> Germany -> -> Email: m.riedel@fz-juelich.de -> Info: http://www.fz-juelich.de/jsc/JSCPeople/riedel -> Phone: +49 2461 61 - 3651 -> Fax: +49 2461 61 - 6656 -> -> Skype: MorrisRiedel -> -> "We work to better ourselves, and the rest of humanity" -> -> Sitz der Gesellschaft: Jülich -> Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 -> Vorsitzende des Aufsichtsrats: MinDirig'in Bärbel Brumme-Bothe -> Vorstand: Prof. Dr. Achim Bachem (Vorsitzender), -> Dr. Ulrich Krafft (stellv. Vorsitzender) -> -> -> >------Original Message----- -> >-From: pgi-wg-bounces@ogf.org [mailto:pgi-wg-bounces@ogf.org] On Behalf Of -> >-Aleksandr Konstantinov -> >-Sent: Friday, March 27, 2009 10:49 AM -> >-To: pgi-wg@ogf.org -> >-Subject: Re: [Pgi-wg] TLS : OpenSSL and GSI implementations - gLite -> 3.2released -> >-today -> >- -> >-On Monday 23 March 2009 15:04, Etienne URBAH wrote: -> >-> To all, -> >-> -> >-> Concerning various implementations of TLS to handle X509 certificates -> >-> and proxies, it seems that : -> >-> -> >-> - DEISA (Unicore) uses the OpenSSL implementation of TLS to process -> >-> X509 certificates, -> >-> -> >-> - EGEE (gLite) and NorduGrid (ARC) use the GSI (Globus Security -> >-> Infrastructure) implementation of TLS to process X509 proxies, -> >- -> >-No, ARC uses OpenSSL for TLS data connections and Globus for -> >-GSI connections (SRM and GridFTP). -> >- -> >- -> >-A.K. -> >- -> >- -> >-> -> >-> - The OpenSSL and GSI implementations of TLS seem to be -INCOMPATIBLE -> >-> (see mails below of Weizhong QIANG and Duane MERRIL). -> >-> -> >-> This would make any interoperability very difficult. -> >-> -> >-> -> >-> But the situation is perhaps NOT so desperate : -> >-> -> >-> - EGEE has just released gLite version 3.2 today 23 March 2009. -> >-> -> >-> - In slide 3 of the presentation 'Middleware update' performed at CERN -> >-> GDB on 11 March 2009 and which is available at -> >-> -> -http://indico.cern.ch/getFile.py/access?sessionId=7&resId=1&materialId=0&c -> onfId=4 -> >-5473 -> >-> Andreas UNTERKIRCHER explains that gLite 3.2 uses VDT 1.10, which -> >-> uses 'system OpenSSL'. -> >-> -> >-> -> >-> ==> Can Andreas UNTERKIRCHER provide more precisions, and confirm -that -> >-> this permits interoperability at the X509 level ? -> >-> -> >-> ==> Can the PGI chairs plan an interoperability test ASAP to check if -> >-> this really work ? -> >-> -> >-> -> >-> In hope that the above informations and suggestions are useful. -> >-> -> >-> Best regards. -> >-> -> >-> ---------------------------------- -> >-> Etienne URBAH IN2P3 - LAL -> >-> Bat 200 91898 ORSAY France -> >-> Tel: +33 1 64 46 84 87 -> >-> Mob: +33 6 22 30 53 27 -> >-> Skype: etienne.urbah -> >-> mailto:urbah@lal.in2p3.fr -> >-> ---------------------------------- -> >-> -> >-> -> >-> On Mon, 23 Mar 200, Jens Jensen wrote: -> >-> > 2009/3/20 weizhong qiang <weizhongqiang@gmail.com>: -> >-> >> On Fri, Mar 20, 2009 at 3:00 PM, <m.riedel@fz-juelich.de> wrote: -> >-> >> Basically the globus implementation if GSSAPI is about a specific -> >-> >> context-initiation negotiation, and some data-padding for initiation -> and -> >-> >> data-transferring. Also you can accomplish proxy-delegation via it. -> >-> >> What is for sure is that you can not use client based on normal TLS -> to talk -> >-> >> with service which is based on GSSAPI, or vice versa. -> >-> >> AFAIK, There is some grid service (WS compliant) such as some SRM -> service -> >-> >> which uses GSSAPI. (SOAP + HTTP + GSS). -> >-> > -> >-> > Some years since I last looked at it in detail but IIRC GSSAPI -> (RFC2743) is just -> >-> > a mechanism for establishing security contexts - if you get these -> >-> > bytes then send -> >-> > this, etc. Presumably normal TLS can be implemented via GSSAPI as -> well, see -> >-> > eg section 5.3 of the RFC -> >-> > Someone once told me Globus had to deviate from the standard GSSAPI -> >-> > to implement GSI. If this is true then it's worth documenting, no? -> >-> > Again long time ago I experimented with the Globus module for GSI and -> >-> > the lower level Globus GSSAPI. At the time they did not interoperate -> :-) -> >-> > Had some discussions with Aleksandr at the time. -> >-> > -> >-> > Regards -> >-> > --jens -> >-> -> >-> -> >-> -> >-> On Fri, 20 Mar 2009, Duane Merrill wrote: -> >-> > In theory, rfc-3820 proxy certs should not have any effect on TLS wire -> >-> > protocol. For various reasons, different versions of GSI-OpenSSH -> *have* -> >-> > changed the wire format in different ways. (Shame on them.) Out of -> >-> > curiosity, are there any published/publicly-availabe descriptions of -> >-> > these deltas? -> >-> > -> >-> > Duane -> >-> -> >-_______________________________________________ -> >-Pgi-wg mailing list -> >-Pgi-wg@ogf.org -> >-http://www.ogf.org/mailman/listinfo/pgi-wg -> -_______________________________________________ -Pgi-wg mailing list -Pgi-wg@ogf.org -http://www.ogf.org/mailman/listinfo/pgi-wg
participants (2)
-
Aleksandr Konstantinov -
Morris Riedel