Yes, for GT 4.0.x you will need to set it on the stub. When you add two protection levels, it implies either is acceptable. That is, the client can either just sign the message or encrypt it. Rachana
_____ From: Wilson Jr. [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 23, 2008 5:04 PM To: Rachana Ananthakrishnan Cc: Globus User List Subject: Re: [gt-user] How setup GSI Transport in the Client Hi Rachana, well, I'm using GT 4.0.x, I am setting the security on the stub in the code of the client, in fact I'd like to know if I can put it in the client-security-descriptor.xml, I was putting when I was using GSISecureConversation, but using GSITransport, putting in the security descriptor of the client didn't work. And I have another doubt: If I define this security-descriptor for my Grid-Service: <?xml version="1.0" encoding="UTF-8"?> <securityConfig xmlns="http://www.globus.org";> <auth-method> <GSITransport> <protection-level> <integrity/> <privacy/> </protection-level> </GSITransport> </auth-method> <authz value="none"/> </securityConfig> This define that my client needs to Set: GSITransport with Integrity ?AND? Privacy ???? or GSITransport with Integrity ?OR? Privacy ???? In relation to run-as, for now I 'm not needing to use Delegation anymore. thanks. On Wed, Apr 23, 2008 at 9:31 AM, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote: If you are using GT 4.1.x or code from trunk, use GSISecureTransport as the element name: http://www.globus.org/toolkit/docs/development/4.2-drafts/security/wsaajava/ wsaajava-secdesc.html#wsaajava-secdesc-clientSide In GT 4.0.x, you need to set it on the stub if encryption is required. If GSI Transport with signature is needed, it will be used based on the URL starting with "https". http://www.globus.org/toolkit/docs/4.0/security/message/WS_AA_Message_Level_ Public_Interfaces.html#s-message-public-domain BTW, run-as caller identity requires that the caller delegate credentials to the service as part of the authentication step. So it will work only with GSI Secure Conversation with delegation. Rachana _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilson Jr. Sent: Tuesday, April 22, 2008 9:34 PM To: Globus User List Subject: [gt-user] How setup GSI Transport in the Client Hi folks, I was running the Globus Container with: -nosec, and then using GSISecureConversation at my GridService, and it works fine. I'd like to change to GSITransport, then I took out the -nosec, and I'm running Globus in 8443. The security-descriptor from my service is this: <securityConfig xmlns="http://www.globus.org";> <auth-method> <GSITransport> <protection-level> <privacy/> </protection-level> </GSITransport> </auth-method> <authz value="none"/> <run-as> <caller-identity/> </run-as> </securityConfig> My client has a client-security-descriptor.xml to choose the level of security, before using GsiSecureConversation, it was ok, but putting: <GSITransport> <privacy/> </GSITransport> it doesn't work, says the attribute GSITrasnport cannot be used in the descriptor, then I took out and let my client-security-descriptor.xml practically empty: <?xml version="1.0" encoding="UTF-8"?> <securityConfig xmlns="http://www.globus.org";> </securityConfig> and it throws this exception: ERROR: GSI Transport (encryption only) authentication required for "{http://topgrid.dcc.ufba.br/namespace/grid/apps/AfisDCC/AfisDCC}sendFinger <http://topgrid.dcc.ufba.br/namespace/grid/apps/AfisDCC/AfisDCC%7dsendFinger > " operation. AxisFault My question is, How do I set GSI Transport in the client? -- "É este um mundo no qual devemos esconder nossas virtudes?" Willian Shakespeare **************** Wilson Júnior **************** -- "É este um mundo no qual devemos esconder nossas virtudes?" Willian Shakespeare **************** Wilson Júnior ****************
