
Client Authentication & Authorization for GENI XMPP Messaging Service

Client Authentication & Authorization for GENI XMPP Messaging Service. Anirban Mandal, Shu Huang, Ilia Baldine (RENCI) Rudra Dutta (NSCU). Client Authentication and Credential Verification for GENI Messaging Service. GENI Messaging Service using XMPP Server.


Presentation Transcript


  1. Client Authentication & Authorization for GENI XMPP Messaging Service
     Anirban Mandal, Shu Huang, Ilia Baldine (RENCI), Rudra Dutta (NSCU)

  2. Client Authentication and Credential Verification for GENI Messaging Service
     • GENI Messaging Service using XMPP server
     • Credentials are generated using the GPO OMNI/gcf tool, entrusting specific rights to client certs, e.g. pub_measurements/polatis, sub_measurements
     [Diagram labels: Verification of GENI XMLSEC credentials; Client authentication using GENI certs; PubSub entities outside slice (e.g. CF entities); Clients; Users; PubSub entities inside slice]

  3. Client Authentication
     “Can a client authenticate with the XMPP server, using the authentication mechanisms advertised by the XMPP server, with GENI certificates?”
     • Client certificates are issued by the OMNI/gcf tool
     • Use SASL External authentication on the XMPP server
     • Mostly one-time configuration of the XMPP server
     • The CH certificate needs to be inserted in the server’s client truststore
     • The JID of the client must match the CN in the certificate
     • Client accounts are created on the server by XMPP pub/sub clients on the fly
     [Diagram labels: OMNI/gcf (gen_certs); Authentication using GENI certs; XMPP Server; Y/N]
     $ python26 gen-certs.py -u anirban

  4. Client Authorization (credential verification) [1/2]
     “Does an already authenticated client have credentials (rights) to publish and subscribe to a pubsub node?”
     • Two issues
       • How are client credentials generated?
       • How are client credentials verified on the XMPP server during pub/sub actions?
     • Credential generation
       • Extended the OMNI/gcf tool to generate GENI XMLSEC credentials for pub/sub actions
     [Diagram labels: Client cert; CH cert; XMPP server cert-keypair; rights namespace; OMNI/gcf (xmppcred); Client XMLSEC credentials]
     $ python26 xmppcred.py xmpp-key.pem xmpp-cert.pem anirban-cert.pem \
         ch-cert.pem measurements/polatis measurements/infinera

  5. Client Authorization (credential verification) [2/2]
     “Does an already authenticated client have credentials (rights) to publish and/or subscribe to a pubsub node?”
     • Credential verification
       • Extended the Openfire XMPP server pubsub code to enable credential verification
       • Existing pubsub policy code (canPublish / canSubscribe) in Openfire is augmented with GENI credential verification
       • On a pubsub action, client credentials are pulled from a location configurable on the XMPP server, based on the client's JID
       • Rights are extracted from the pubsub node that the client is trying to publish or subscribe to and are passed to the verification code
       • The pubsub action goes through only if the credential is verified on the server
     [Diagram labels: Verification of GENI XMLSEC credentials; Y/N; Client XMLSEC credentials; pubsub; XMPP Server; authenticated clients / users]
     For example, publishing to the “measurements/polatis/renci” pubsub node will succeed if the client has the “pub_measurements/polatis” right in the client credential.
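
The rights check from slide 5, sketched as an added example; it is not the Openfire extension or any GENI code. It assumes a right has the form pub_<namespace> or sub_<namespace>, that a namespace covers the node itself and every node beneath it, and that the rights list comes from a credential whose XMLSEC signature has already been verified; is_authorized, split_path and SAMPLE_RIGHTS are hypothetical names.

```python
"""Added example: rights check for a pubsub action (not the Openfire/GENI code)."""

# Assumption: a right is "<pub_|sub_><namespace>", as in the slides'
# "pub_measurements/polatis" and "sub_measurements".
ACTION_PREFIX = {"publish": "pub_", "subscribe": "sub_"}


def split_path(path):
    """Split a node name or namespace into segments; reject odd paths."""
    segments = path.strip("/").split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError("malformed path: %r" % path)
    return segments


def is_authorized(action, node, rights):
    """Return True if any right covers `action` on pubsub node `node`.

    A right covers a node when its namespace is the node itself or an
    ancestor of it, compared segment by segment (assumed semantics).
    """
    prefix = ACTION_PREFIX.get(action)
    if prefix is None:
        return False  # unknown action: deny
    try:
        node_segs = split_path(node)
    except ValueError:
        return False  # malformed node name: deny
    for right in rights:
        if not right.startswith(prefix):
            continue  # right is for the other action
        try:
            ns_segs = split_path(right[len(prefix):])
        except ValueError:
            continue  # malformed right (e.g. bare "pub_"): ignore it
        if node_segs[:len(ns_segs)] == ns_segs:
            return True
    return False


# Constructed sample: rights as they might be read from a verified credential.
SAMPLE_RIGHTS = ["pub_measurements/polatis", "sub_measurements"]

if __name__ == "__main__":
    for action, node in [("publish", "measurements/polatis/renci"),
                         ("publish", "measurements/polatis2/renci"),
                         ("subscribe", "measurements/infinera")]:
        print(action, node, is_authorized(action, node, SAMPLE_RIGHTS))
```

Comparing whole path segments rather than raw string prefixes keeps a right on measurements/polatis from also covering a sibling node such as measurements/polatis2.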
