This wiki is obsolete, see the NorduGrid web pages for up to date information.
NOX/Tests/Security test results
ARC1 security testing
Test environment
MacOSX 10.5.8 (Leopard)
Charon
ARC Policy
INI config
profile=/Users/roczei/security/charon/CharonSecure.xml
pidfile=/tmp/arched.pid
logfile=/tmp/arched.log
debug=VERBOSE
libpath=/Users/roczei/arc1/lib/arc
port=60000
cacert=/Users/roczei/arc1/etc/certificates
host_cert=/Users/roczei/arc1/etc/cert.pem
host_key=/Users/roczei/arc1/etc/key.pem
[charon]
urlpattern=^/Charon$
policy_file=/Users/roczei/security/charon/ARC_Policy_Example.xml
XML profile
<?xml version="1.0"?>
<cfg:ArcConfig xmlns="http://www.nordugrid.org/schemas/loader/2009/08"
               xmlns:cfg="http://www.nordugrid.org/schemas/arcconfig/2009/08"
               xmlns:tcp="http://www.nordugrid.org/schemas/tcp/2009/08"
               xmlns:tls="http://www.nordugrid.org/schemas/tls/2009/08"
               xmlns:charon="http://www.nordugrid.org/schemas/charon/2009/08">
  <cfg:Server>
    <cfg:PidFile inisections="common" initag="pidfile">/tmp/arched.pid</cfg:PidFile>
    <cfg:Logger>
      <cfg:File inisections="common" initag="logfile">/var/log/arched.log</cfg:File>
      <cfg:Level inisections="common" initag="debug">ERROR</cfg:Level>
    </cfg:Logger>
  </cfg:Server>
  <ModuleManager>
    <Path inisections="common" initag="libpath">/usr/local/lib/arc/</Path>
  </ModuleManager>
  <Plugins><Name>mcctcp</Name></Plugins>
  <Plugins><Name>mcctls</Name></Plugins>
  <Plugins><Name>mcchttp</Name></Plugins>
  <Plugins><Name>mccsoap</Name></Plugins>
  <Plugins><Name>arcshc</Name></Plugins>
  <Plugins><Name>charon</Name></Plugins>
  <Chain>
    <Component name="tcp.service" id="tcp">
      <next id="tls"/>
      <tcp:Listen>
        <tcp:Interface inisections="common" initag="interface">0.0.0.0</tcp:Interface>
        <tcp:Port inisections="common" initag="port"/>
        <tcp:Version inisections="common" initag="ipversion">4</tcp:Version>
      </tcp:Listen>
    </Component>
    <Component name="tls.service" id="tls">
      <next id="http"/>
      <tls:KeyPath inisections="common" initag="host_key"/>
      <tls:CertificatePath inisections="common" initag="host_cert"/>
      <tls:CACertificatesDir inisections="common" initag="cacert"/>
    </Component>
    <Component name="http.service" id="http">
      <next id="soap">POST</next>
      <next id="plexer">GET</next>
      <next id="plexer">PUT</next>
    </Component>
    <Component name="soap.service" id="soap">
      <next id="plexer"/>
    </Component>
    <Plexer name="plexer.service" id="plexer">
      <next id="charon_service" inisections="charon" initag="urlpattern">^/Charon$</next>
    </Plexer>
    <Service name="charon" id="charon_service">
      <charon:PDPConfig>
        <charon:PolicyStore>
          <charon:Location Type="file" inisections="charon" initag="policy_file">charon_policy.xml</charon:Location>
        </charon:PolicyStore>
        <charon:Evaluator name="arc.evaluator" />
        <charon:Policy name="arc.policy" />
        <charon:Request name="arc.request" />
      </charon:PDPConfig>
    </Service>
  </Chain>
</cfg:ArcConfig>
Error:
[2009-11-05 07:22:11] [Arc.ModuleManager] [VERBOSE] [75787/8425248] Loaded /Users/roczei/arc1/lib/arc/libsaml2sp.so
[2009-11-05 07:22:11] [Arc.ModuleManager] [VERBOSE] [75787/8425248] Loaded /Users/roczei/arc1/lib/arc/libslcs.so
[2009-11-05 07:22:11] [Arc.ArcEvaluator] [ERROR] [75787/8425248] Can not parse classname for FunctionFactory from configuration
[2009-11-05 07:22:11] [Arc.Service] [INFO] [75787/8425248] Succeeded to produce Evaluator
[2009-11-05 07:22:11] [Arc.Loader] [INFO] [75787/8425248] Loaded Service charon(charon_service)
[2009-11-05 07:22:11] [Arc.Loader] [INFO] [75787/8425248] Linking MCC tcp.service(tcp) to MCC (tls) under (empty)
XACML Policy
INI config
profile=/Users/roczei/security/charon/CharonSecure.xml
pidfile=/tmp/arched.pid
logfile=/tmp/arched.log
debug=VERBOSE
libpath=/Users/roczei/arc1/lib/arc
port=60000
cacert=/Users/roczei/arc1/etc/certificates
host_cert=/Users/roczei/arc1/etc/cert.pem
host_key=/Users/roczei/arc1/etc/key.pem
[charon]
urlpattern=^/Charon$
policy_file=/Users/roczei/security/charon/XACML_Policy_Example.xml
XML profile
<?xml version="1.0"?>
<cfg:ArcConfig xmlns="http://www.nordugrid.org/schemas/loader/2009/08"
               xmlns:cfg="http://www.nordugrid.org/schemas/arcconfig/2009/08"
               xmlns:tcp="http://www.nordugrid.org/schemas/tcp/2009/08"
               xmlns:tls="http://www.nordugrid.org/schemas/tls/2009/08"
               xmlns:charon="http://www.nordugrid.org/schemas/charon/2009/08">
  <cfg:Server>
    <cfg:PidFile inisections="common" initag="pidfile">/tmp/arched.pid</cfg:PidFile>
    <cfg:Logger>
      <cfg:File inisections="common" initag="logfile">/var/log/arched.log</cfg:File>
      <cfg:Level inisections="common" initag="debug">ERROR</cfg:Level>
    </cfg:Logger>
  </cfg:Server>
  <ModuleManager>
    <Path inisections="common" initag="libpath">/usr/local/lib/arc/</Path>
  </ModuleManager>
  <Plugins><Name>mcctcp</Name></Plugins>
  <Plugins><Name>mcctls</Name></Plugins>
  <Plugins><Name>mcchttp</Name></Plugins>
  <Plugins><Name>mccsoap</Name></Plugins>
  <Plugins><Name>arcshc</Name></Plugins>
  <Plugins><Name>charon</Name></Plugins>
  <Chain>
    <Component name="tcp.service" id="tcp">
      <next id="tls"/>
      <tcp:Listen>
        <tcp:Interface inisections="common" initag="interface">0.0.0.0</tcp:Interface>
        <tcp:Port inisections="common" initag="port"/>
        <tcp:Version inisections="common" initag="ipversion">4</tcp:Version>
      </tcp:Listen>
    </Component>
    <Component name="tls.service" id="tls">
      <next id="http"/>
      <tls:KeyPath inisections="common" initag="host_key"/>
      <tls:CertificatePath inisections="common" initag="host_cert"/>
      <tls:CACertificatesDir inisections="common" initag="cacert"/>
    </Component>
    <Component name="http.service" id="http">
      <next id="soap">POST</next>
      <next id="plexer">GET</next>
      <next id="plexer">PUT</next>
    </Component>
    <Component name="soap.service" id="soap">
      <next id="plexer"/>
    </Component>
    <Plexer name="plexer.service" id="plexer">
      <next id="charon_service" inisections="charon" initag="urlpattern">^/Charon$</next>
    </Plexer>
    <Service name="charon" id="charon_service">
      <charon:PDPConfig>
        <charon:PolicyStore>
          <charon:Location Type="file" inisections="charon" initag="policy_file">charon_policy.xml</charon:Location>
        </charon:PolicyStore>
        <charon:Evaluator name="xacml.evaluator" />
        <charon:Policy name="xacml.policy" />
        <charon:Request name="xacml.request" />
      </charon:PDPConfig>
    </Service>
  </Chain>
</cfg:ArcConfig>
Error:
[2009-11-05 07:31:20] [Arc.ModuleManager] [VERBOSE] [75806/8425248] Loaded /Users/roczei/arc1/lib/arc/libslcs.so
[2009-11-05 07:31:20] [Arc.ArcEvaluator] [ERROR] [75806/8425248] Can not parse classname for FunctionFactory from configuration
[2009-11-05 07:31:20] [Arc.Service] [INFO] [75806/8425248] Succeeded to produce Evaluator
[2009-11-05 07:31:20] [Arc.Loader] [INFO] [75806/8425248] Loaded Service charon(charon_service)
[2009-11-05 07:31:20] [Arc.Loader] [INFO] [75806/8425248] Linking MCC tcp.service(tcp) to MCC (tls) under (empty)
Charon test results
- The ArcEvaluator has a bug
- The Charon config is not compatible with the new INI config system. We need to convert the Evaluator, Policy and Request attributes to XML elements
- Is it possible to add comments into INI config?!
UsernameToken
New profile and files:
http://svn.nordugrid.org/trac/nordugrid/browser/arc1/trunk/src/hed/profiles/EchoServiceUsernameToken
Results
Server side
[2009-11-05 09:03:55] [Arc.MCC] [VERBOSE] [76658/8529664] No security processing/check requested for 'incoming'
[2009-11-05 09:03:55] [Arc.MCC] [VERBOSE] [76658/8529664] No security processing/check requested for 'outgoing'
[2009-11-05 09:04:07] [Arc.MCC] [VERBOSE] [76658/8531072] No security processing/check requested for 'incoming'
[2009-11-05 09:04:07] [Arc.MCC.TCP] [DEBUG] [76658/8531072] next chain element called
[2009-11-05 09:04:07] [Arc.MCC.TLS] [DEBUG] [76658/8531072] Peer name: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gabor Roczei/emailAddress=roczei@niif.hu
[2009-11-05 09:04:07] [Arc.MCC.TLS] [DEBUG] [76658/8531072] Identity name: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gabor Roczei/emailAddress=roczei@niif.hu
[2009-11-05 09:04:07] [Arc.MCC.TLS] [DEBUG] [76658/8531072] CA name: /C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
[2009-11-05 09:04:07] [Arc.MCC] [VERBOSE] [76658/8531072] No security processing/check requested for 'incoming'
[2009-11-05 09:04:07] [Arc.MCC] [VERBOSE] [76658/8531072] No security processing/check requested for 'incoming'
[2009-11-05 09:04:07] [Arc.SecHandler] [INFO] [76658/8531072] Succeeded to authenticate UsernameToken
[2009-11-05 09:04:07] [Arc.MCC] [VERBOSE] [76658/8531072] Security processing/check passed
[2009-11-05 09:04:07] [Arc.Plexer] [DEBUG] [76658/8531072] Operation on path "/Echo"
[2009-11-05 09:04:07] [Arc.Service] [VERBOSE] [76658/8531072] No security processing/check requested for 'incoming'
[2009-11-05 09:04:07] [Arc.Echo] [DEBUG] [76658/8531072] process: request=<?xml version="1.0"?>
<soap-env:Envelope xmlns:echo="urn:echo" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap-env:Header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>oliver</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">ZWvOpD4NpaSTrQhlp5kanp8Wu3Q=</wsse:Password>
        <wsse:Nonce>0oW2quUdirb9KPZe0/jrAQ==</wsse:Nonce>
        <wsu:Created>2009-11-05T08:04:07Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap-env:Header>
  <soap-env:Body>
    <echo:echo>
      <echo:say>Hello Oliver</echo:say>
    </echo:echo>
  </soap-env:Body>
</soap-env:Envelope>
[2009-11-05 09:04:07] [Arc.Echo] [DEBUG] [76658/8531072] process: response=<?xml version="1.0"?>
<soap-env:Envelope xmlns:echo="urn:echo" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap-env:Header/>
  <soap-env:Body>
    <echo:echoResponse>
      <echo:hear>{{Hello Oliver}}</echo:hear>
    </echo:echoResponse>
  </soap-env:Body>
</soap-env:Envelope>
[2009-11-05 09:04:07] [Arc.MCC] [VERBOSE] [76658/8531072] No security processing/check requested for 'outgoing'
[2009-11-05 09:04:07] [Arc.MCC] [VERBOSE] [76658/8531072] No security processing/check requested for 'outgoing'
Client side
[roczei@zion-2:~/security/usernametoken] $arcecho -z client.conf https://localhost:60000/Echo "Hello Oliver"
{{Hello Oliver}}
[roczei@zion-2:~/security/usernametoken] $
Conclusion
The UsernameToken security handler is working perfectly.
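As an added example (not code from the page or from the ARC code base), this is the check a UsernameToken handler has to perform on the header shown in the server log above: per the WSS UsernameToken Profile 1.0 the PasswordDigest is Base64(SHA-1(nonce + created + password)), and a server must also bound the Created timestamp and refuse reused nonces, otherwise a captured token stays valid forever. The password behind the "oliver" token is not on the page, so the password lookup and the "constructed-secret" value are assumptions, and the SOAP header is a constructed copy of the logged one.

```python
import base64, hashlib, hmac, os
import datetime as dt
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIMEFMT = "%Y-%m-%dT%H:%M:%SZ"

def utc(stamp: str) -> dt.datetime:
    """Parse a wsu:Created-style UTC timestamp."""
    return dt.datetime.strptime(stamp, TIMEFMT).replace(tzinfo=dt.timezone.utc)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def make_token(username: str, password: str, now: dt.datetime) -> dict:
    """Client side: fresh random nonce, UTC Created stamp, digest of the password."""
    nonce = os.urandom(16)
    created = now.strftime(TIMEFMT)
    return {"username": username, "nonce": base64.b64encode(nonce).decode(),
            "created": created, "digest": password_digest(nonce, created, password)}

def parse_token(soap_xml: str) -> dict:
    """Pull the wsse:UsernameToken out of a SOAP header (as in the server log above)."""
    tok = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    text = lambda tag, ns=WSSE: tok.findtext(f"{{{ns}}}{tag}").strip()
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw.get("Type") != DIGEST:  # refuse PasswordText: it would carry the secret in clear
        raise ValueError("only PasswordDigest tokens are accepted")
    return {"username": text("Username"), "digest": pw.text.strip(),
            "nonce": text("Nonce"), "created": text("Created", WSU)}

def verify_token(tok: dict, password_for, seen_nonces: set, now: dt.datetime,
                 max_age_s: int = 300) -> tuple:
    """Server side: freshness window first, then nonce uniqueness, then the digest."""
    if abs((now - utc(tok["created"])).total_seconds()) > max_age_s:
        return False, "Created outside freshness window"
    if tok["nonce"] in seen_nonces:
        return False, "nonce reused (replay)"
    password = password_for(tok["username"])  # assumed lookup, e.g. dict.get
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(tok["nonce"]), tok["created"], password)
    if not hmac.compare_digest(expected, tok["digest"]):
        return False, "digest mismatch"
    seen_nonces.add(tok["nonce"])  # remember only nonces that were accepted
    return True, "ok"

# Constructed SOAP header carrying the token values from the server log above.
PAGE_TOKEN_XML = f"""<soap-env:Header xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:Security><wsse:UsernameToken>
  <wsse:Username>oliver</wsse:Username>
  <wsse:Password Type="{DIGEST}">ZWvOpD4NpaSTrQhlp5kanp8Wu3Q=</wsse:Password>
  <wsse:Nonce>0oW2quUdirb9KPZe0/jrAQ==</wsse:Nonce>
  <wsu:Created>2009-11-05T08:04:07Z</wsu:Created>
</wsse:UsernameToken></wsse:Security></soap-env:Header>"""
```

Without the real password, the logged token verifies only as far as the freshness and nonce checks and then fails on the digest, which is the expected fail-closed outcome.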
X509Token
New profile and files:
http://svn.nordugrid.org/trac/nordugrid/browser/arc1/trunk/src/hed/profiles/EchoServiceX509Token
Results
Server side
INI config
profile=/Users/roczei/security/x509token/EchoServiceX509Token.xml
pidfile=/tmp/arched.pid
logfile=/tmp/arched.log
debug=VERBOSE
port=60000
cacert=/Users/roczei/arc1/etc/certificates
host_cert=/Users/roczei/arc1/etc/cert.pem
host_key=/Users/roczei/arc1/etc/key.pem
libpath=/Users/roczei/arc1/lib/arc
x509token_ca=/Users/roczei/security/x509token/niif_ca_root_x509.pem
[echo]
prefix={{
suffix=}}
XML profile
<?xml version="1.0"?>
<cfg:ArcConfig xmlns="http://www.nordugrid.org/schemas/loader/2009/08"
               xmlns:cfg="http://www.nordugrid.org/schemas/arcconfig/2009/08"
               xmlns:tcp="http://www.nordugrid.org/schemas/tcp/2009/08"
               xmlns:tls="http://www.nordugrid.org/schemas/tls/2009/08"
               xmlns:echo="http://www.nordugrid.org/schemas/echo/2009/08">
  <cfg:Server>
    <cfg:PidFile inisections="common" initag="pidfile">/tmp/arched.pid</cfg:PidFile>
    <cfg:Logger>
      <cfg:File inisections="common" initag="logfile">/var/log/arched.log</cfg:File>
      <cfg:Level inisections="common" initag="debug">ERROR</cfg:Level>
    </cfg:Logger>
  </cfg:Server>
  <ModuleManager>
    <Path inisections="common" initag="libpath">/usr/local/lib/arc/</Path>
  </ModuleManager>
  <Plugins>
    <Name>mcctls</Name>
    <Name>mcchttp</Name>
    <Name>mccsoap</Name>
    <Name>mcctcp</Name>
    <Name>echo</Name>
    <Name>arcshc</Name>
  </Plugins>
  <Chain>
    <Component name="tcp.service" id="tcp">
      <next id="tls"/>
      <tcp:Listen>
        <tcp:Interface inisections="common" initag="interface">0.0.0.0</tcp:Interface>
        <tcp:Port inisections="common" initag="port"/>
        <tcp:Version inisections="common" initag="ipversion">4</tcp:Version>
      </tcp:Listen>
    </Component>
    <Component name="tls.service" id="tls">
      <next id="http"/>
      <tls:KeyPath inisections="common" initag="host_key"/>
      <tls:CertificatePath inisections="common" initag="host_cert"/>
      <tls:CACertificatesDir inisections="common" initag="cacert"/>
    </Component>
    <Component name="http.service" id="http">
      <next id="soap">POST</next>
      <next id="plexer">GET</next>
      <next id="plexer">PUT</next>
    </Component>
    <Component name="soap.service" id="soap">
      <next id="plexer"/>
      <SecHandler name="x509token.handler" id="x509token" event="incoming">
        <Process>extract</Process>
        <CACertificatePath inisections="common" initag="x509token_ca">./testcacert.pem</CACertificatePath>
      </SecHandler>
    </Component>
    <Plexer name="plexer.service" id="plexer">
      <next id="echo" inisections="echo" initag="urlpattern">^/Echo$</next>
    </Plexer>
    <Service name="echo" id="echo">
      <echo:prefix inisections="echo" initag="prefix">[</echo:prefix>
      <echo:suffix inisections="echo" initag="suffix">]</echo:suffix>
    </Service>
  </Chain>
</cfg:ArcConfig>
Server log
[2009-11-05 21:21:51] [Arc.Loader] [INFO] [81779/8425264] Linking MCC http.service(http) to Plexer (plexer) under GET
[2009-11-05 21:21:51] [Arc.Loader] [INFO] [81779/8425264] Linking MCC http.service(http) to MCC (soap) under POST
[2009-11-05 21:21:51] [Arc.Loader] [INFO] [81779/8425264] Linking MCC http.service(http) to Plexer (plexer) under PUT
[2009-11-05 21:21:51] [Arc.Loader] [INFO] [81779/8425264] Linking MCC soap.service(soap) to Plexer (plexer) under (empty)
[2009-11-05 21:21:51] [Arc.Loader] [INFO] [81779/8425264] Linking Plexer plexer to Service (echo) under ^/Echo$
[2009-11-05 21:21:51] [Arc] [INFO] [81779/8425264] Service side MCCs are loaded
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'incoming'
[2009-11-05 21:21:56] [Arc.MCC.TCP] [DEBUG] [81779/8484944] next chain element called
[2009-11-05 21:21:56] [Arc.MCC.TLS] [DEBUG] [81779/8484944] Peer name: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gabor Roczei/emailAddress=roczei@niif.hu
[2009-11-05 21:21:56] [Arc.MCC.TLS] [DEBUG] [81779/8484944] Identity name: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gabor Roczei/emailAddress=roczei@niif.hu
[2009-11-05 21:21:56] [Arc.MCC.TLS] [DEBUG] [81779/8484944] CA name: /C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'incoming'
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'incoming'
No Signature node in SOAP header
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=355:obj=unknown:subj=node != NULL:error=100:assertion:
Signature verification failed
[2009-11-05 21:21:56] [Arc.SecHandler] [ERROR] [81779/8484944] Failed to verify X509 Token inside the incoming SOAP
[2009-11-05 21:21:56] [Arc.MCC] [INFO] [81779/8484944] Security processing/check failed
[2009-11-05 21:21:56] [Arc.MCC.SOAP] [ERROR] [81779/8484944] Security check failed in SOAP MCC for incoming message
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'outgoing'
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'outgoing'
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'incoming'
[2009-11-05 21:21:56] [Arc.MCC.TCP] [DEBUG] [81779/8484944] next chain element called
[2009-11-05 21:21:56] [Arc.MCC.TLS] [DEBUG] [81779/8484944] Peer name: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gabor Roczei/emailAddress=roczei@niif.hu
[2009-11-05 21:21:56] [Arc.MCC.TLS] [DEBUG] [81779/8484944] Identity name: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gabor Roczei/emailAddress=roczei@niif.hu
[2009-11-05 21:21:56] [Arc.MCC.TLS] [DEBUG] [81779/8484944] CA name: /C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'incoming'
[2009-11-05 21:21:56] [Arc.MCC] [VERBOSE] [81779/8484944] No security processing/check requested for 'outgoing'
Client side
Config
client.conf:
[common]
keypath=/Users/roczei/.globus/userkey.pem
certificatepath=/Users/roczei/.globus/usercert.pem
cacertificatesdirectory=/Users/roczei/arc1/etc/certificates
overlayfile=/Users/roczei/security/x509token/x509token.xml
overlay file:
<ArcConfig>
  <Plugins overlay="add">
    <Name>arcshc</Name>
  </Plugins>
  <Chain>
    <Component name="soap.client">
      <SecHandler name='x509token.handler' id='x509token' event='outgoing' overlay="add">
        <Process>generate</Process>
        <CertificatePath>/Users/roczei/.globus/usercert.pem</CertificatePath>
        <KeyPath>/Users/roczei/.globus/userkey.pem</KeyPath>
      </SecHandler>
    </Component>
  </Chain>
</ArcConfig>
Client log
[roczei@zion-2:~/security/x509token] $arcecho -z client.conf https://localhost:60000/Echo "Hello Oliver"
func=xmlSecTransformRsaSha1GetKlass:file=app.c:line=773:obj=unknown:subj=transformRsaSha1Id:error=9:feature is not implemented:
func=xmlSecTmplSignatureCreate:file=templates.c:line=70:obj=unknown:subj=signMethodId != NULL:error=100:assertion:
There is not wsu:Id attribute in soap body, add a new one
func=xmlSecTransformSha1GetKlass:file=app.c:line=934:obj=unknown:subj=transformSha1Id:error=9:feature is not implemented:
func=xmlSecTmplSignatureAddReference:file=templates.c:line=247:obj=unknown:subj=signNode != NULL:error=100:assertion:
func=xmlSecTmplReferenceAddTransform:file=templates.c:line=448:obj=unknown:subj=referenceNode != NULL:error=100:assertion:
func=xmlSecTmplReferenceAddTransform:file=templates.c:line=448:obj=unknown:subj=referenceNode != NULL:error=100:assertion:
func=xmlSecTransformSha1GetKlass:file=app.c:line=934:obj=unknown:subj=transformSha1Id:error=9:feature is not implemented:
func=xmlSecTmplSignatureAddReference:file=templates.c:line=247:obj=unknown:subj=signNode != NULL:error=100:assertion:
func=xmlSecTmplReferenceAddTransform:file=templates.c:line=448:obj=unknown:subj=referenceNode != NULL:error=100:assertion:
func=xmlSecTmplReferenceAddTransform:file=templates.c:line=448:obj=unknown:subj=referenceNode != NULL:error=100:assertion:
func=xmlSecTmplSignatureEnsureKeyInfo:file=templates.c:line=194:obj=unknown:subj=signNode != NULL:error=100:assertion:
func=xmlSecCryptoAppKeyLoad:file=app.c:line=1259:obj=unknown:subj=cryptoAppKeyLoad:error=9:feature is not implemented:
Can not load key
[roczei@zion-2:~/security/x509token] $
Conclusion
- Maybe the X509Token security handler has a bug, or I am doing something in the wrong way
SAMLToken
Profile: http://svn.nordugrid.org/trac/nordugrid/browser/arc1/trunk/src/hed/profiles/EchoServiceSAMLToken
Conclusion
- I have not found any way to test it; I need Weizhong's help