User authentication is a crucial security component for most computing systems. Yet different systems rely on different authentication mechanisms based on their particular security needs. Specifically, systems such as independently managed Grids vary with regard to the type of credential or security token used to prove the user's identity (username/password, X.509 certificates and Kerberos tickets are a few examples). Requiring a user to acquire credentials for all systems upfront and then hand-manage and choose which of these credentials to present on a per-service basis is tedious, unreliable and potentially insecure. As an alternative, we present CredEx, an open-source, standards-based Web Service that facilitates the secure storage of credentials (à la MyProxy) and allows a user to dynamically exchange one type of credential for another using the WS-Trust token exchange protocol specification. CredEx makes use of an open-source, Java-based WS-Trust implementation developed for this effort, in addition to Java and .NET clients. With CredEx, a user can achieve single sign-on by acquiring a single, default credential and then exchanging that credential as needed for services requiring a different form of authentication. Although other credential exchangers exist, to our knowledge this is the first credential manager that supports the general many-to-many credential exchange pattern, thus creating new flexibility for users as required by the Open Grid Services Architecture (OGSA) Security Roadmap. In this paper, we describe the design and implementation of CredEx by focusing on its use in bridging password-based Web Services and PKI-based Grid services. As an important consequence, we illustrate how interoperability between Web and Grid Services can be based upon the WS-Security and WS-Trust specifications.
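As an added illustration (not code from the CredEx project), the following Python sketch shows the shape of the WS-Trust exchange the abstract describes: a client presents a WS-Security UsernameToken inside a RequestSecurityToken asking for an X.509 token, an STS-side helper reads what was presented, and a client-side helper validates the RequestSecurityTokenResponse instead of trusting whatever comes back. The namespace URIs (WS-Trust 2005/02, OASIS WSS 1.0) and the sample response are assumptions and constructed data; the paper does not state which draft revision CredEx implemented.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Namespace URIs assumed here (WS-Trust 2005/02 and the OASIS WSS 1.0 drafts);
# the CredEx paper does not state which draft revision it implemented.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
X509_TOKEN = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

def build_rst(username: str, password: str, token_type: str = X509_TOKEN) -> bytes:
    """Client side: prove identity with a UsernameToken in the WS-Security header
    and ask the token service to issue a credential of a different type."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    ET.SubElement(ut, f"{{{WSSE}}}Password").text = password  # PasswordText: TLS must protect it in transit
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    rst = ET.SubElement(body, f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    return ET.tostring(env)

def rst_summary(xml_bytes: bytes) -> Dict[str, str]:
    """Service side: the fields an STS reads out of an incoming RST before deciding to issue."""
    root = ET.fromstring(xml_bytes)
    return {k: (root.findtext(f".//{{{ns}}}{tag}") or "").strip()
            for k, ns, tag in (("username", WSSE, "Username"), ("token_type", WST, "TokenType"),
                               ("request_type", WST, "RequestType"))}

def parse_rstr(xml_bytes: bytes) -> Tuple[str, str]:
    """Client side: extract (token_type, token_text) from a RequestSecurityTokenResponse,
    rejecting responses that carry no issued token rather than guessing."""
    root = ET.fromstring(xml_bytes)
    rstr = root.find(f".//{{{WST}}}RequestSecurityTokenResponse")
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in body")
    ttype = rstr.findtext(f"{{{WST}}}TokenType")
    token = rstr.find(f"{{{WST}}}RequestedSecurityToken/{{{WSSE}}}BinarySecurityToken")
    if ttype is None or token is None or not (token.text or "").strip():
        raise ValueError("response carries no issued token")
    return ttype, token.text.strip()

# Constructed sample response (not captured from a real STS): a real answer would
# carry the base64-encoded DER of the issued X.509 token where the placeholder sits.
SAMPLE_RSTR = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wst="{WST}" xmlns:wsse="{WSSE}">
 <S:Body><wst:RequestSecurityTokenResponse><wst:TokenType>{X509_TOKEN}</wst:TokenType>
 <wst:RequestedSecurityToken><wsse:BinarySecurityToken ValueType="{X509_TOKEN}">PLACEHOLDER-BASE64-DER</wsse:BinarySecurityToken>
 </wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>""".encode()
```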