VOMS Java API
From EUAGwiki
Lectured by
Giuseppe LA ROCCA
Italian National Institute of Nuclear Physics
Italy
mailto:giuseppe.larocca@ct.infn.it
About this page
The goal of this wiki page is to provide some hints and examples about how to interact with the Virtual Organization Membership Service (VOMS) using the dedicated Java API exposed by the server. VOMS is a system for managing authorization data within multi-institutional collaborations.
VOMS provides a database of user roles and capabilities and a set of tools for accessing and manipulating the database and using the database contents to generate Grid credentials for users when needed. The VOMS database contains authorization data that defines specific capabilities and general roles for specific users. A suite of administrative tools allows administrators to assign roles to users and manipulate capability information.
A command-line tool (voms-proxy-init) allows users to generate a local proxy credential based on the contents of the VOMS database. This credential includes the basic authentication information that standard Grid proxy credentials contain, but it also includes role and capability information from the VOMS server. Standard Grid applications can use the credential without using the VOMS data, whereas VOMS-aware applications can use the VOMS data to make authentication decisions regarding user requests. VOMS allows distributed collaborations to centrally manage user roles and capabilities. The VOMS user credentials provide additional role and capability data to application service providers, who can then use it to make more fully informed authorization decisions.
Basic Requirements
Before we begin with the proxy generation, we need to specify the following System properties:
Setting these variables is optional; if omitted, the default values are used. For PKCS12 certificates to be used, the X509 certificates should not be present. Once the parameters are set up, proxy generation begins with the creation of an org.glite.security.voms.contact.VOMSProxyInit object, providing the password used to open the user certificate. We call:
public static VOMSProxyInit instance(String privateKeyPassword)
After creating the VOMSProxyInit object, we need to specify additional parameters for the proxy generation. The following table presents the available parameters and how to set them.
The method getVomsProxy generates the proxy file as specified in the parameters.
The needed libraries for the VOMSProxyInit are:
- glite-security-voms.jar;
- bcprov.jar;
- log4j.jar;
- cog-jglobus.jar;
- commons-lang.jar;
- commons-cli.jar.
glite-security-utils.jar conflicts with glite-security-voms.jar, so it should be located after glite-security-voms.jar in the classpath. The conflicting classes are the ones in the package glite.security.voms inside glite-security-utils.jar, which are of an older version.
The needed archives can be downloaded from here [1]
The grid settings of the VOMS Server can be specified using the Java class org.glite.security.voms.contact.VOMSServerInfo.
We call:
org.glite.security.voms.contact.VOMSServerInfo vomsServerInfo = null;
vomsServerInfo = new org.glite.security.voms.contact.VOMSServerInfo();
vomsServerInfo.setVoName(VOMS_VONAME);
vomsServerInfo.setHostName(VOMS_HOSTNAME);
vomsServerInfo.setPort(VOMS_PORT);
vomsServerInfo.setHostDn(VOMS_HOSTDN);
Material and instructions for use
Attached you can find a tarball with the Java source files implementing what is described above.
If you have a shell on a Linux machine, download the tarball with the examples by typing:
wget http://grid.ct.infn.it/api-java/Api-Java-VOMS.tar.gz
Uncompress the tar in your working directory using the command:
tar zxvf Api-Java-VOMS.tar.gz
These are the files you should find in the working directory:
$ cd Api-Java-VOMS
$ ls -al
drwxr-xr-x 5 larocca users 8192 Feb 23 2009 cog-jglobus-1.7.0-bin.tar.gz
drwxr-xr-x 2 larocca users 8192 Feb 23 2009 help
drwxr-xr-x 2 larocca users 8192 Feb 24 2009 jars
drwxr-xr-x 2 larocca users 8192 Feb 23 2009 java-voms-init
-rw-r--r-- 1 larocca users 523 Feb 23 2009 log4j.properties
drwxr-xr-x 2 larocca users 8192 Feb 23 2009 META-INF
drwxr-xr-x 3 larocca users 8192 Feb 23 2009 org
-rw-r--r-- 1 larocca users 8520 Feb 24 2009 PasswordField.java
-rw-r--r-- 1 larocca users 8520 Feb 24 2009 VOMSProxyInitCreation.java
-rw-r--r-- 1 larocca users 967 Feb 24 2009 VOMSProxyInitCreation.sh
To compile all the Java classes, first uncompress the CoG jGlobus tar in the working directory and then use the VOMSProxyInitCreation.sh bash script:
$ tar zxvf cog-jglobus-1.7.0-bin.tar.gz
cog-jglobus-1.7.0-bin/
cog-jglobus-1.7.0-bin/API.html
cog-jglobus-1.7.0-bin/bin/
cog-jglobus-1.7.0-bin/bin/globus-gass-server
cog-jglobus-1.7.0-bin/bin/globus-gass-server-shutdown
cog-jglobus-1.7.0-bin/bin/globus-gass-server-shutdown.bat
cog-jglobus-1.7.0-bin/bin/globus-gass-server.bat
cog-jglobus-1.7.0-bin/bin/globus-personal-gatekeeper
cog-jglobus-1.7.0-bin/bin/globus-personal-gatekeeper.bat
cog-jglobus-1.7.0-bin/bin/globus-url-copy
[cut ..]
$ cat VOMSProxyInitCreation.sh
#!/bin/sh
#
# @author Giuseppe LA ROCCA
# @mail giuseppe.larocca@ct.infn.it
# @copyright 2009-02-24
#
# Export the CLASSPATH environment variable before compiling
# and running the class.
#
unset CLASSPATH
export CLASSPATH=.:./cog-jglobus-1.4/lib/log4j-1.2.13.jar:./java-voms-init/bcprov.jar:./java-voms-init/cog-jglobus.jar:./java-voms-init/commons-cli-1.0.jar:./java-voms-init/commons-lang-2.3.jar:./java-voms-init/glite-security-voms.jar:./java-voms-init/log4j-1.2.14.jar:./jars/glite-security-util-java.jar:./jars/commons-logging-api.jar:./jars/puretls.jar:./jars/cryptix.jar:./jars/cryptix-asn1.jar:./jars/cryptix32.jar
# Compile the Java class
/usr/java/jdk1.5.0_14/bin/javac -classpath ${CLASSPATH} VOMSProxyInitCreation.java PasswordField.java
# Run the class
# Create a proxy for the EUASIA VO.
umask 066; ${JAVA_HOME}/bin/java -cp ${CLASSPATH}:. VOMSProxyInitCreation \
voms.grid.sinica.edu.tw \
euasia \
15015 \
/C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw \
${X509_USER_PROXY}
Example of API usage
$ source VOMSProxyInitCreation.sh
Note: VOMSProxyInitCreation.java uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
[main] INFO VOMSProxyInitCreation - -----------------------------------------------------------------------------
[main] INFO VOMSProxyInitCreation - +++ Configure System Setting(s) before to start user's proxy generation +++
Enter GRID pass phrase:*********
[main] INFO VOMSProxyInitCreation - USER NAME : larocca
[main] INFO VOMSProxyInitCreation - USER HOME : /home/larocca
[main] INFO VOMSProxyInitCreation - X509_USER_CERT : /home/larocca/.globus/usercert.pem
[main] INFO VOMSProxyInitCreation - X509_USER_KEY : /home/larocca/.globus/userkey.pem
[main] INFO VOMSProxyInitCreation - GLITE_LOCATION : /opt/glite
[main] INFO VOMSProxyInitCreation - VOMSES_LOCATION : /opt/glite/etc/vomses
[main] INFO VOMSProxyInitCreation - VOMSDIR : /etc/grid-security/vomsdir
[main] INFO VOMSProxyInitCreation - X509_CERT_DIR : /etc/grid-security/certificates
[main] INFO VOMSProxyInitCreation - -----------------------------------------------------------------------------
[main] INFO VOMSProxyInitCreation - -----------------------------------------------------------------------------
[main] INFO VOMSProxyInitCreation - +++ Configure VOMS Server setting(s) +++
[main] INFO VOMSProxyInitCreation - VOMS Server HOST : voms.grid.sinica.edu.tw
[main] INFO VOMSProxyInitCreation - VOMS VO Name : euasia
[main] INFO VOMSProxyInitCreation - VOMS Port Number : 15015
[main] INFO VOMSProxyInitCreation - VOMS Host DN : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
[main] INFO VOMSProxyInitCreation - VOMS Proxy File Path : /tmp/x509up_u502
[main] INFO VOMSProxyInitCreation - VOMS Proxy Type : GT2
[main] INFO VOMSProxyInitCreation - -----------------------------------------------------------------------------
[main] INFO VOMSProxyInitCreation - >>> Proxy successfully generated and valid for 86399 sec. <<<
[main] INFO VOMSProxyInitCreation - -----------------------------------------------------------------------------
Once you have created your proxy file, you can check it as follows:
$ voms-proxy-info --all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
type : proxy
strength : 512 bits
path : /tmp/x509up_u502
timeleft : 23:59:56
=== VO euasia extension information ===
VO : euasia
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 23:57:08
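The check above can be scripted. The following Python sketch is an added example, not part of the original tutorial or of the VOMS tools: it parses the `voms-proxy-info --all` output shown above and reports a proxy key below a policy floor, an attribute certificate issued by a DN other than the expected VOMS host DN, and FQANs that fall outside the VO. The names parse, audit and MIN_KEY_BITS and the 2048-bit floor are assumptions made for the example.

```python
import re
# Sample input: the `voms-proxy-info --all` output shown on this page.
SAMPLE = """\
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
type : proxy
strength : 512 bits
path : /tmp/x509up_u502
timeleft : 23:59:56
=== VO euasia extension information ===
VO : euasia
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Giuseppe La Rocca
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 23:57:08
"""
MIN_KEY_BITS = 2048  # assumed local policy floor, not a VOMS default
FQAN = re.compile(r"^/([^/=]+)((?:/[^/=]+)*)(?:/Role=([^/]+))?(?:/Capability=([^/]+))?$")

def parse(text):
    """Return (proxy fields, list of per-VO extension fields); values are lists."""
    sections = [{}]
    for line in text.splitlines():
        if line.startswith("==="):      # a "=== VO ... ===" header opens a new section
            sections.append({})
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            sections[-1].setdefault(key.strip(), []).append(value.strip())
    return sections[0], sections[1:]

def audit(text, expected_ac_issuer):
    """List policy findings for one proxy; an empty list means nothing to report."""
    proxy, vos = parse(text)
    findings = []
    bits = int(proxy["strength"][0].split()[0])
    if bits < MIN_KEY_BITS:
        findings.append(f"weak proxy key: {bits} bits")
    if not vos:
        findings.append("no VOMS attribute certificate in proxy")
    for vo in vos:
        if vo["issuer"][0] != expected_ac_issuer:
            findings.append(f"unexpected AC issuer: {vo['issuer'][0]}")
        for fqan in vo.get("attribute", []):
            m = FQAN.match(fqan)
            if not m or m.group(1) != vo["VO"][0]:   # FQAN must be rooted at the VO
                findings.append(f"FQAN outside VO {vo['VO'][0]}: {fqan}")
    return findings
```

Run against the output above with the host DN passed to VOMSProxyInitCreation.sh as the expected issuer, the only finding is the 512-bit proxy key.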
Acknowledgements
This tutorial is based on Andrea Ceccanti's (mailto:andrea.ceccanti@cnaf.infn.it) implementation of the voms-proxy-init Java client.
References
http://wiki.egee-see.org/index.php/SG_Generating_VOMS_Proxy_Using_Java_API

