
Client Authentication & Authorization for GENI XMPP Mes - PowerPoint Presentation

tatiana-dople
Uploaded On 2018-01-08


Anirban Mandal, Shu Huang, Ilia Baldine (RENCI); Rudra Dutta (NCSU). GEC14 I&M Session, Boston, MA, July 2012. Client Authentication and Credential Verification for GENI Messaging Service. ID: 621562



Presentation Transcript

Slide1

Client Authentication & Authorization for GENI XMPP Messaging Service

Anirban Mandal, Shu Huang, Ilia Baldine (RENCI)

Rudra Dutta (NCSU)

GEC14 I&M Session

Boston, MA, July 2012

Slide2

Client Authentication and Credential Verification for GENI Messaging Service

Diagram labels: GENI Messaging Service using XMPP Server; Authentication using GENI certs; Verification of GENI XMLSEC credentials; PubSub entities inside slice; PubSub entities outside slice (e.g. CF entities); Clients Users; Clients

Credentials are generated using GPO OMNI/gcf tool entrusting specific rights to client certs

E.g. pub_measurements/polatis, sub_measurements

Slide3

Client Authentication

Client certificates issued by OMNI/gcf tool

Use SASL External authentication on XMPP server

Mostly one-time configuration of XMPP server

CH certificate needs to be inserted in server’s client truststore

JID of the client must match the CN in certificate

Client accounts are created on the server by XMPP pub/sub clients on-the-fly

“Can a client authenticate with the XMPP server using authentication mechanisms advertised by the XMPP server using GENI certificates?”

Diagram labels: Authentication using GENI certs; OMNI/gcf (gen_certs); XMPP Server; Y/N

$ python26 gen-certs.py -u anirban

Slide4

Client Authorization (credential verification) [1/2]

Two issues

How client credentials are generated?

How client credentials are verified on the XMPP server during pub/sub actions?

Credential generation

Extended OMNI/gcf tool to generate GENI XMLSEC credentials for pub/sub actions

“Does an already authenticated client have credentials (rights) to publish and subscribe to a pubsub node?”

Diagram labels: OMNI/gcf (xmppcred); Client cert; CH cert; XMPP server cert-keypair; rights namespace; Client XMLSEC credentials

$ python26 xmppcred.py xmpp-key.pem xmpp-cert.pem anirban-cert.pem \
    ch-cert.pem measurements/polatis measurements/infinera

Slide5

Client Authorization (credential verification) [2/2]

Credential verification

Extended Openfire XMPP server pubsub code to enable credential verification

Existing pubsub policy code (canPublish / canSubscribe) in Openfire is augmented with GENI credential verification

On a pubsub action, client credentials are pulled from a location configurable on the XMPP server based on the client's JID

Rights are extracted from the pubsub node that the client is trying to pubsub to and are passed to the verification code

The pubsub action goes through only if the credential is verified on the server

“Does an already authenticated client have credentials (rights) to publish and/or subscribe to a pubsub node?”

Client XMLSEC credentials

For example, publishing to the “measurements/polatis/renci” pubsub node will succeed if the client has “pub_measurements/polatis” rights in the client credential
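The rights-matching step described on this slide, as an added example (not code from the presentation, Openfire, or OMNI/gcf). It assumes the XMLSEC credential's signature has already been verified, that rights use the "pub_" / "sub_" prefixes seen in the slides' examples, and that a right covers its own node path and everything beneath it; the function names, the store and the sample JID are hypothetical.

```python
# Added example: rights matching for a pubsub action. Not Openfire or gcf code.
# Assumptions: rights look like "pub_<path>" / "sub_<path>" (as in the slides'
# examples) and a right covers its own node path and everything beneath it.

PREFIX = {"publish": "pub_", "subscribe": "sub_"}

# Constructed sample data: rights already extracted from each client's
# signature-verified XMLSEC credential, keyed by bare JID.
CREDENTIAL_STORE = {
    "anirban@xmpp.example.org": ["pub_measurements/polatis", "sub_measurements"],
}


def split_node(node):
    """Split a node path into segments; reject empty, '.' and '..' segments."""
    segments = node.split("/")
    if any(s in ("", ".", "..") for s in segments):
        raise ValueError("malformed pubsub node: %r" % node)
    return segments


def right_covers(right, action, node):
    """True if `right` grants `action` on `node` (whole-segment prefix match)."""
    prefix = PREFIX.get(action)
    if prefix is None or not right.startswith(prefix):
        return False
    try:
        granted = split_node(right[len(prefix):])
        wanted = split_node(node)
    except ValueError:
        return False  # malformed right or node: deny
    # Compare whole segments so "measurements/polatis" does not cover
    # "measurements/polatis2".
    return wanted[:len(granted)] == granted


def is_authorized(jid, action, node, store=CREDENTIAL_STORE):
    """Deny by default: unknown JID, unknown action or no covering right."""
    # Simplification: drop the XMPP resource part and lowercase the bare JID.
    bare_jid = jid.split("/", 1)[0].lower()
    rights = store.get(bare_jid, [])
    return any(right_covers(r, action, node) for r in rights)
```

Comparing whole path segments rather than raw string prefixes is what keeps a right on one node from leaking onto a sibling whose name merely starts with the same characters.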

Diagram labels: Verification of GENI XMLSEC credentials; XMPP Server; authenticated clients / users; pubsub; Y/N

Slide6

XMPP Messaging Service Use Case: Publishing and Subscribing ORCA Slice Manifests

Diagram labels: XMPP Server; Authentication using GENI certs; Verification of pubsub creds; Manifest Subscriber Client; ORCA Federation; Select relevant slice; Manifest appears here

Manifest Subscriber client subscribes to relevant slice manifests (can be used for monitoring)

ORCA Service Manager publishes slice manifests as each slice evolves

Slide7

XMPP Messaging Service Use Case: OMF EC and RC

Shown OMF components (EC and RC) communicating through an XMPP messaging service [GENI IMF demos at GEC13-14]

EC and RC can run on distinct VMs on the same slice or on different slices

EC and RC authenticate against an XMPP server using GENI certs

EC-RC communication messages are published by RC to a Repository topic – a pubsub node [uses auth/auth]

Repository service subscribes to this topic & stores messages in a MySQL database [uses auth/auth]

* Work done by Ahmet Babaoglu, Ashutosh Grewal, Rudra Dutta @ NCSU as part of GENI IMF