This tutorial demonstrates how security works in a secure Grimoires deployment, using a secure GShell client. It is assumed that you have read the security guide, and the security relevant sections of the installation guides for Grimoires and GShell. You should also have attempted the GShell Client tutorial.
[java] Enter the directory where you want the OMII client to be installed (default is home/myhome):enter home/myhome/client1. Next, if prompted to generate a new keystore, accept. Then for the user details, enter the following:
[echo] Please enter your details [input] Fully qualified machine name (default: ) client1 [java] Organisation: UK [java] Organisational Unit: UK [java] Location: UK [java] State: UK [java] Country: UK [java] Email Address: client1@hotmail.comand go through the requisite testing. Then repeat the installation process, but this time installing to home/myhome/client2. Then, for the user details, enter the following:
[echo] Please enter your details [input] Fully qualified machine name (default: ) client2 [java] Organisation: US [java] Organisational Unit: US [java] Location: US [java] State: US [java] Country: US [java] Email Address: client2@hotmail.comand finally, repeat this process for client3.
<authlist>
<groupIdentity groupName = "admin"
identityList = "EMAILADDRESS=client1@hotmail.com, CN=client1, OU=UK, O=UK, L=none, ST=UK, C=UK //
EMAILADDRESS=client2@hotmail.com, CN=client2, OU=UK, O=UK, L=none, ST=UK, C=UK"/>
<groupIdentity groupName = "staff"
identityList = "EMAILADDRESS=client3@hotmail.com, CN=client3, OU=UK, O=UK, L=none, ST=UK, C=UK "/>
<groupOperation groupName = "save" operationList = " save_business // save_service // save_binding // save_service // save_tModel "/>
<groupOperation groupName = "find" operationList = " find_binding // find_business // find_service "/>
<groupOperation groupName = "get" operationList = " get_bindingDetail // get_serviceDetail // get_bindingDetail "/>
<permission identity= "admin" operationList = " save // find // get " mode = "allow"/>
<permission identity = "staff" operationList = "save " mode="restrict"/>
</authlist>
Note that the L parameter for the X509DN is set to none, as this value is not taken into account when distinguishing between different X509DNs. Ensure the other configuration parameters are correct:
1. Set "container = omii-sec" and "securitype = acl" in init.properties
2. Ensure that the authfile parameter in grimoires.properties reflects the correct location of your OMII container installation.
Deploy Grimoires.
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: SecurityContextInitHandler: Request does not contain required Security header
faultActor:
faultNode:
This error message indicates that a signature was expected with the SOAP message at the OMII container where Grimoires is deployed in, but none was received. We now setup GShell to run securely. Change crypto.properties so that org.apache.ws.security.crypto.merlin.file hold the value /home/myhome/client1/OMIICLIENT/omii.ks and then re-install GShell securely by doing:
1. ant clean
2. ant
3. ant secure
Now, any outgoing messages from GShell will be signed and associated with the X509DN = "EMAILADDRESS=client1@hotmail.com, CN=client1, OU=UK, O=UK, L=none, ST=UK, C=UK", which corresponds to the client certificate created in the keystore in /home/myhome/client1/OMIICLIENT/. As we saw from the ACL that we had created earlier, this identity is within the group "admin", and hence permitted to perform the various operations from the three groups "save", "find" and "get". Start GShell, and try to perform some commands like PublishService and InquireService (which correspond to the operations save_service, find_service and get_serviceDetail). This should all work fine. Now attempt a command like PublishWSDL (which invokes the addMetadataToEntity operation). As this is not authorized for client1, a trace of error messages will be received back
only permitted two operations: save_service and get_serviceDetail (corresponding to the PublishService and InquireService operations available in GShell). Start GShell, and attempt to do an operation like PublishBusiness. You should receive back a trace of error messages, which commences in this manner:
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
faultSubcode:
faultString: Entity name : EMAILADDRESS=client1@hotmail.com, CN=client1, OU=UK, O=UK, L=none, ST=UK, C=UK recognized,
however operation addMetadataToEntity unauthorized !
faultActor:
faultNode:
This indicates the X509DN is valid (i.e. existing in the Grimoires ACL), but it pertains to an unauthorized operation. Now exit GShell, and change crypto.properties to refer to client2's location instead and then repeat the example above. You should obtain the same set of results as client1 and client2 are both in the same group in the ACL. Finally, exit Gshell again and restart again after having changed crypto.properties to refer to client3. As seen from the ACL, client3 is allowed to perform all actions except save-type operations. Verify this is the case, for example, by trying to issue a PublishService or InquireService command.
Modify the access control list again to include the use of wildcard references "#AllUsers#" and "#AllOperations#" and repeat the example to note the effect of their use. Note that the wildcard references must be in permission statements that precede all other statements in the access control list in order for them to have the desired effect.