Upload
harvey-pope
View
223
Download
3
Embed Size (px)
Citation preview
Client Authentication & Authorization for GENI XMPP Messaging Service
Anirban Mandal, Shu Huang, Ilia Baldine (RENCI)Rudra Dutta (NSCU)
GEC14 I&M SessionBoston, MA, July 2012
Client Authentication and Credential Verification for GENI Messaging Service
GENI Messaging Service using XMPP
Server
Authentication using GENI certs
Verification of GENI XMLSEC credentials
PubSub entities inside slice
PubSub entities outside slice
(eg. CF entities)Clients Users
Clients
Credentials are generated usingGPO OMNI/gcf tool entrusting
specific rights to client certs
Eg. pub_measurements/polatis,sub_measurements
Client Authentication
• Client certificates issued by OMNI/gcf tool• Use SASL External authentication on XMPP
server• Mostly one-time configuration of XMPP server
– CH certificate needs to be inserted in server’s client truststore
• JID of the client must match the CN in certificate– Client accounts are created on the server by XMPP
pub/sub clients on-the-fly
“Can a client authenticate with the XMPP server using authentication mechanisms advertised by the XMPP server using GENI certificates ?”
Authentication using GENI certs
OMNI/gcf(gen_certs)
XMPP Server
$ python26 gen-certs.py -u anirban
Y/N
Client Authorization (credential verification) [1/2]
• Two issues– How client credentials are generated ?– How client credentials are verified on the XMPP server during pub/sub actions ?
• Credential generation– Extended OMNI/gcf tool to generate GENI XMLSEC credentials for pub/sub actions
“ Does an already authenticated client have credentials (rights) to publish and subscribe to a pubsub node ? ”
OMNI/gcf(xmppcred)
Client cert
CH cert
XMPP servercert-keypair
rights namespace
Client XMLSEC credentials
$ python26 xmppcred.py xmpp-key.pem xmpp-cert.pem anirban-cert.pem \ ch-cert.pem measurements/polatis measurements/infinera
Client Authorization (credential verification) [2/2]
• Credential verification– Extended Openfire XMPP server pubsub code to enable credential verification– Existing pubsub policy code ( canPublish / canSubscribe ) in Openfire is augmented
with GENI credential verification– On a pubsub action, client credentials are pulled from a location configurable on the
XMPP server based on clients JID– Rights are extracted from the pubsub node that the client is trying to pubsub to and
are passed to the verification code – pubsub action goes through only if credential is verified on the server
“ Does an already authenticated client have credentials (rights) to publish and/or subscribe to a pubsub node ? ”
Client XMLSEC credentials
For eg. Publishing to “measurements/polatis/renci” pubsub node will succeed if client has “pub_measurements/polatis” rights in the client credential
Verification of GENI XMLSEC credentials
XMPP Serverauthenticated clients / users
pubsub
Y/N
XMPP Messaging Service Use Case: Publishing and Subscribing ORCA Slice Manifests
XMPP Server
Authentication using GENI certs
Verification of pubsub creds
Manifest Subscriber client subscribes to
relevant slice manifests (can be
used for monitoring)
ORCA Service Manager publishes slice manifests as each slice evolves
Select relevant slice
Manifest appears here
Manifest Subscriber Client ORCA Federation
XMPP Messaging Service Use Case: OMF EC and RC
• Shown OMF components (EC and RC) communicating through an XMPP messaging Service [GENI IMF demos at GEC13-14]
• EC and RC can run on distinct VMs on the same slice or on different slices
• EC and RC authenticate against an XMPP server using GENI certs
• EC-RC communication messages are published by RC to a Repository topic – a pubsub node [uses auth/auth]
• Repository service subscribes to this topic & stores messages in a MySQL database [uses auth/auth]
* Work done by Ahmet Babaoglu, Ashutosh Grewal, Rudra Dutta @ NCSU as part of GENI IMF