Client Authentication and Credential Verification for GENI Messaging Service. Anirban Mandal, Shu Huang, Ilia Baldine (RENCI); Rudra Dutta (NCSU). GEC14 I&M Session, Boston, MA, July 2012.
Client Authentication & Authorization for GENI XMPP Messaging Service
Anirban Mandal, Shu Huang, Ilia Baldine (RENCI); Rudra Dutta (NCSU)
GEC14 I&M Session, Boston, MA, July 2012

Client Authentication and Credential Verification for GENI Messaging Service
(Architecture diagram.) The GENI Messaging Service is an XMPP server that authenticates clients using GENI certificates and verifies GENI XMLSEC credentials before allowing pub/sub actions.
Clients are pub/sub entities inside a slice, pub/sub entities outside the slice (e.g. control framework (CF) entities), and users.
Credentials are generated with the GPO OMNI/gcf tool, which entrusts specific rights to client certificates, e.g. "pub_measurements/polatis" or "sub_measurements".

Client Authentication
Question: can a client authenticate with the XMPP server, using the authentication mechanisms the server advertises, with GENI certificates?
- Client certificates are issued by the OMNI/gcf tool (gen-certs).
- SASL EXTERNAL authentication is used on the XMPP server, so the client certificate itself is the authentication credential.
- Mostly a one-time configuration of the XMPP server: the clearinghouse (CH) certificate must be inserted into the server's client truststore so that certificates it issued chain to a trusted root.
- The JID of the client must match the CN in the certificate.
- Client accounts are created on the server on-the-fly by the XMPP pub/sub clients.
(Diagram: OMNI/gcf (gen-certs) issues a client certificate; the client presents it to the XMPP server, which answers Y/N.)
Certificate generation:
  $ python26 gen-certs.py -u anirban

Client Authorization (credential verification) [1/2]
Question: does an already authenticated client have credentials (rights) to publish and subscribe to a pubsub node?
Two issues:
- How are client credentials generated?
- How are client credentials verified on the XMPP server during pub/sub actions?
Credential generation: the OMNI/gcf tool was extended (xmppcred) to generate GENI XMLSEC credentials for pub/sub actions.
(Diagram: OMNI/gcf (xmppcred) takes the client certificate, the CH certificate, the XMPP server certificate/key pair and a rights namespace, and produces the client's XMLSEC credentials.)
  $ python26 xmppcred.py xmpp-key.pem xmpp-cert.pem anirban-cert.pem \
      ch-cert.pem measurements/polatis measurements/infinera

Client Authorization (credential verification) [2/2]
Question: does an already authenticated client have credentials (rights) to publish and/or subscribe to a pubsub node?
Credential verification:
- The Openfire XMPP server pubsub code was extended to enable credential verification.
- The existing pubsub policy code (canPublish / canSubscribe) in Openfire is augmented with GENI credential verification.
- On a pubsub action, the client's credentials are pulled from a location configurable on the XMPP server, looked up by the client's JID.
- The right required is derived from the pubsub node the client is trying to publish or subscribe to and is passed to the verification code; the pubsub action goes through only if the credential is verified on the server.
- Example: publishing to the "measurements/polatis/renci" pubsub node succeeds if the client holds the "pub_measurements/polatis" right in its client credential.
(Diagram: authenticated clients/users perform pubsub actions against the XMPP server, which verifies the GENI XMLSEC credentials and answers Y/N.)

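The Client Authentication and Client Authorization slides describe the server-side decisions but not the matching rule in detail. The following Python is an added example, not code from the slides, from gcf or from Openfire: it models the JID-to-CN rule from the Client Authentication slide and the augmented canPublish/canSubscribe check from the Client Authorization slides. The credential is a constructed sample in the <privileges>/<privilege>/<name> layout of GENI privilege credentials (an assumption about what xmppcred.py emits), the JID localpart is assumed to be the part that must match the certificate CN and the owner URN, and a granted right is assumed to cover the node it names plus every node beneath it (path-component matching, so "pub_measurements/polatis" covers "measurements/polatis/renci" but not "measurements/polatisX"). XML signature verification against the CH certificate (the XMLSEC part) is not reproduced; these are the checks that run after a signature has been accepted.

```python
"""Added example (not from the slides, gcf or Openfire): the post-signature
checks an XMPP server would apply -- JID/CN matching at SASL EXTERNAL time and
the canPublish/canSubscribe rights check on a pubsub action."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample credential (assumed layout: GENI privilege credential with
# <privileges>/<privilege>/<name>; the XML signature element is omitted).
SAMPLE_CREDENTIAL = """<signed-credential>
  <credential>
    <type>privilege</type>
    <owner_urn>urn:publicid:IDN+geni:gpo:gcf+user+anirban</owner_urn>
    <expires>2099-01-01T00:00:00Z</expires>
    <privileges>
      <privilege><name>pub_measurements/polatis</name><can_delegate>false</can_delegate></privilege>
      <privilege><name>sub_measurements</name><can_delegate>false</can_delegate></privilege>
    </privileges>
  </credential>
</signed-credential>
"""

# Stand-in for the server-configurable credential location, keyed by bare JID.
CREDENTIAL_STORE = {"anirban@xmpp.example.org": SAMPLE_CREDENTIAL}


def bare_jid(jid):
    """Strip any /resource so lookups and comparisons use the bare JID."""
    return jid.split("/", 1)[0]


def jid_matches_cn(jid, cert_cn):
    """SASL EXTERNAL rule from the deck: the JID must match the certificate CN.
    Assumption: the JID localpart (before '@') is what must equal the CN."""
    localpart = bare_jid(jid).split("@", 1)[0]
    return localpart.lower() == cert_cn.strip().lower()


def parse_credential(credential_xml):
    """Return (owner name, expiry, granted rights) from the credential body."""
    cred = ET.fromstring(credential_xml).find("credential")
    owner_urn = cred.findtext("owner_urn", "")
    owner_name = owner_urn.rsplit("+", 1)[-1]  # ...+user+anirban -> anirban (assumed URN form)
    expires = datetime.fromisoformat(cred.findtext("expires").replace("Z", "+00:00"))
    rights = [p.findtext("name").strip() for p in cred.iter("privilege")]
    return owner_name, expires, rights


def required_right(action, node):
    """Map a pubsub action on a node to the right the credential must hold,
    e.g. publish on measurements/polatis/renci -> pub_measurements/polatis/renci."""
    prefix = {"publish": "pub_", "subscribe": "sub_"}[action]
    return prefix + node.strip("/")


def right_covers(granted, required):
    """A granted right covers the node it names and everything beneath it:
    pub_measurements/polatis covers pub_measurements/polatis/renci but not
    pub_measurements/polatisX/renci (path components, not raw string prefixes)."""
    return required == granted or required.startswith(granted + "/")


def can_perform(action, jid, node, store=CREDENTIAL_STORE, now=None):
    """The augmented policy check: fetch the credential by JID, confirm it was
    issued to this client and is unexpired, then require a covering right."""
    credential_xml = store.get(bare_jid(jid))
    if credential_xml is None:
        return False
    owner_name, expires, rights = parse_credential(credential_xml)
    if not jid_matches_cn(jid, owner_name):  # credential belongs to someone else
        return False
    if (now or datetime.now(timezone.utc)) >= expires:
        return False
    needed = required_right(action, node)
    return any(right_covers(r, needed) for r in rights)


def can_publish(jid, node, **kw):
    return can_perform("publish", jid, node, **kw)


def can_subscribe(jid, node, **kw):
    return can_perform("subscribe", jid, node, **kw)
```

With the sample credential, `can_publish("anirban@xmpp.example.org", "measurements/polatis/renci")` is allowed and `can_publish(..., "measurements/infinera")` is refused, which is the behaviour the slide's example describes; the owner and expiry checks are the two extra conditions a practitioner would want before trusting a credential pulled from a store keyed only by JID.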
XMPP Messaging Service Use Case: Publishing and Subscribing ORCA Slice Manifests
- The XMPP server authenticates clients using GENI certs and verifies their pubsub credentials.
- The ORCA Service Manager (in the ORCA federation) publishes slice manifests as each slice evolves.
- A Manifest Subscriber client subscribes to the relevant slice manifests (this can be used for monitoring).
(Screenshot of the Manifest Subscriber Client: the user selects the relevant slice and its manifest appears in the client window.)

XMPP Messaging Service Use Case: OMF EC and RC
- Shown: OMF components, the Experiment Controller (EC) and Resource Controller (RC), communicating through an XMPP messaging service [GENI IMF demos at GEC13-14].
- EC and RC can run on distinct VMs in the same slice or in different slices.
- EC and RC authenticate against an XMPP server using GENI certs.
- EC-RC communication messages are published by the RC to a Repository topic, a pubsub node [uses auth/auth, i.e. authentication and authorization].
- A Repository service subscribes to this topic and stores the messages in a MySQL database [uses auth/auth].
* Work done by Ahmet Babaoglu, Ashutosh Grewal and Rudra Dutta @ NCSU as part of GENI IMF.