Implementing a web-based tool using speaks-for

Introduction

This documentation is aimed at websites that want to offer services using speaks-for credentials. The tutorial is a simple website that lets a user authorize the tool via speaks-for and then uses the jFed command line tool to instantiate one server on that user’s behalf.

Installation

Tarball with speaks-for example: speaksfortutorial.tar.gz

For Debian 8 (similar for Ubuntu):

apt-get install php5
cd /var/www/html
wget http://link/to/speaksfortutorial.tar.gz
tar xvzf speaksfortutorial.tar.gz
mkdir /work
mkdir /work/my_speaksfor_tool

Install jFed CLI:

cd /work
wget http://jfed.iminds.be/releases/develop/279/jar/jfed_cli.tar.gz
tar xvzf jfed_cli.tar.gz

Install Java as described here: http://jfed.iminds.be/java8_on_linux/

Workaround for a bug in jFed CLI (the CLI looks for this file under the home directory of the user it runs as; for the web server that is /var/www):

mkdir /var/www/.jFed
touch /var/www/.jFed/experimenter-ssh.properties

Files used in this tutorial

In /var/www/html:

tool.html
main page of ‘our tool’ (to be replaced by your real tool)
geni-auth.js
opens the dialog box for authorization
lib/ subdir
everything needed for in-browser signing of the speaks-for credential, plus jQuery (this set of files can probably be narrowed down)
start_pc.php
PHP that runs jFed CLI in speaks-for mode with an RSpec (an example of calling another service on the user’s behalf)
wall1_1node.rspec
single-node RSpec

In /work:

jfed_cli/
jFed CLI jars (unpacked from the tarball)
my_speaksfor_tool/my_speaksfor_tooljfed.pem
certificate and private key of the tool (PEM file)
my_speaksfor_tool/my_speaksfor_tooljfed.pass
passphrase of the private key in the PEM file
my_speaksfor_tool/context_my_speaksfor_tooljfed_wall2.properties
tool info used by jFed CLI, see below

Configuration

Your tool needs its own account to speak as. So you need a tool URN, a certificate signed by the authority, and the matching certificate + private key (PEM file).

Configure as follows:

  • myId in tool.html contains the unique URN of the tool, e.g. urn:publicid:IDN+wall2.ilabt.iminds.be+user+tengjfed
  • myCert in tool.html contains the signed certificate (not the private key) of the tool
  • you need the PEM file and passphrase as well to talk to other services (in the example we use jFed CLI to talk to a testbed, so we put the PEM file in /work/my_speaksfor_tool/my_speaksfor_tooljfed.pem and the corresponding passphrase in /work/my_speaksfor_tool/my_speaksfor_tooljfed.pass). Whoever can read these two files can act as the tool, so keep them readable by the web server user only.

Flow

The user browses to tool.html, where he sees an ‘Authorize’ button (div need-credential is shown, div have-credential is hidden).

The Authorize button calls genilib.authorize(myId, myCert, complete), where myId and myCert are the tool-specific parameters configured above and complete is the callback that is invoked once authorization succeeds.

The user is then sent to an authorization window handled by the authority (choose www.wall2.ilabt.iminds.be or paste your private key).

When all is well, the complete callback is called with a valid speaks-for credential as argument.

As an example, we now launch a single PC on the Virtual Wall 1 testbed with jFed CLI, by calling start_pc.php with the base64-encoded speaks-for credential as parameter.

In start_pc.php, this is handled as follows:

// The browser sends the credential XML base64-encoded (and URL-encoded: base64 contains '+' and '/').
$credential = isset($_GET['credential']) ? base64_decode($_GET['credential'], true) : false;
if ($credential === false || $credential === '') {
    http_response_code(400);
    exit("Missing or malformed speaks-for credential\n");
}
$filename = uniqid('jFed', true);            // per-request token, also used to name the temp files
$cred_filename = "/tmp/".$filename.".cred";
$slicename = substr($filename, -8, 8);       // last 8 characters of the token become the slice name
echo "Slice name: ".$slicename."\n";
echo "----------------------\n";
$calllog  = "/tmp/".$filename."_calls.log";  // built here: "$filename_calls.log" inside a string would be read as variable $filename_calls
$manifest = "/tmp/".$filename.".mrspec";
$rspec    = "/var/www/html/wall1_1node.rspec";
$context  = "/work/my_speaksfor_tool/context_my_speaksfor_tooljfed_wall2.properties";
$duration = "2";  // in hours
file_put_contents($cred_filename, $credential);
chmod($cred_filename, 0600);                 // the credential lets this tool act for the user: keep it private
$jfedcli = "/usr/bin/java -jar /work/jfed_cli/experimenter-cli.jar \
          createsliver --expiration-hours $duration \
          --speaks-for $cred_filename --create-slice --slice $slicename \
          --project-name CHOOSE_AUTOMATICALLY --call-log $calllog \
          --context-file $context \
          --rspec $rspec --manifest $manifest 2>&1";
exec($jfedcli, $output, $return_var);
echo implode("\n", $output)."\n";            // CLI output; the manifest RSpec comes at the end
unlink($cred_filename);                      // not needed once the call is done
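The same handler as an added Python example (not the tutorial’s own code; the tutorial uses PHP), written to show what a practitioner would want from start_pc.php: strict decoding of the credential parameter, the credential staged in a 0600 temp file, the jFed CLI invoked as an argument list rather than a shell string, and the file removed afterwards. The flags and paths are those of the page’s start_pc.php; the runner parameter is an assumption added so the flow can be exercised without Java installed.

```python
"""Added example (not the tutorial's code): the start_pc.php logic in Python.

It strictly decodes the credential parameter, stages the credential in a
private (0600) temp file, runs the jFed CLI as an argument list instead of a
shell string, and removes the credential file afterwards.
"""
import base64
import binascii
import os
import subprocess
import tempfile
import uuid

# Same paths and flags as the tutorial's start_pc.php; adjust for your deployment.
JFED_CLI = ["/usr/bin/java", "-jar", "/work/jfed_cli/experimenter-cli.jar"]
RSPEC = "/var/www/html/wall1_1node.rspec"
CONTEXT = "/work/my_speaksfor_tool/context_my_speaksfor_tooljfed_wall2.properties"
DURATION_HOURS = 2


def decode_credential(credential_b64):
    """Strictly base64-decode the credential sent by the browser; reject junk early."""
    try:
        credential = base64.b64decode(credential_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("credential parameter is not valid base64") from exc
    if b"<signed-credential" not in credential:
        raise ValueError("credential parameter is not a signed-credential document")
    return credential


def jfed_createsliver_argv(cred_path, slice_name, call_log, manifest):
    """Build the createsliver invocation as argv (no shell, so no quoting issues)."""
    return JFED_CLI + [
        "createsliver",
        "--expiration-hours", str(DURATION_HOURS),
        "--speaks-for", cred_path,
        "--create-slice", "--slice", slice_name,
        "--project-name", "CHOOSE_AUTOMATICALLY",
        "--call-log", call_log,
        "--context-file", CONTEXT,
        "--rspec", RSPEC,
        "--manifest", manifest,
    ]


def start_pc(credential_b64, workdir=None, runner=subprocess.run):
    """Create one node for the user; returns (slice_name, argv, cli_output).

    `runner` is injected (assumption) so the flow can be exercised without Java.
    """
    workdir = workdir or tempfile.gettempdir()
    credential = decode_credential(credential_b64)
    token = "jFed" + uuid.uuid4().hex      # per-request token, like uniqid() in the PHP
    slice_name = token[-8:]                # last 8 characters become the slice name
    call_log = os.path.join(workdir, token + "_calls.log")
    manifest = os.path.join(workdir, token + ".mrspec")
    # mkstemp creates the file with mode 0600: other users on the host cannot read it
    fd, cred_path = tempfile.mkstemp(prefix=token, suffix=".cred", dir=workdir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(credential)
        argv = jfed_createsliver_argv(cred_path, slice_name, call_log, manifest)
        result = runner(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        return slice_name, argv, result.stdout
    finally:
        os.unlink(cred_path)               # never leave the credential lying around


if __name__ == "__main__":
    # Constructed input standing in for what the browser sends (base64 of the XML).
    sample = base64.b64encode(b"<signed-credential>...</signed-credential>").decode()
    name, argv, out = start_pc(sample)
    print("Slice name:", name)
    print(" ".join(argv))
    print(out.decode(errors="replace"))
```

With the default runner (subprocess.run) the returned output is what start_pc.php echoes back to the browser, manifest RSpec included; a fake runner only needs to accept the argv and return an object with a stdout attribute.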

The file /work/my_speaksfor_tool/context_my_speaksfor_tooljfed_wall2.properties then points jFed CLI at the credentials for speaking as user my_speaksfor_tooljfed:

username = my_speaksfor_tooljfed
passwordFilename = /work/my_speaksfor_tool/my_speaksfor_tooljfed.pass
pemKeyAndCertFilename = /work/my_speaksfor_tool/my_speaksfor_tooljfed.pem
userAuthorityUrn = urn:publicid:IDN+wall2.ilabt.iminds.be+authority+cm

Result

In the web interface, when you click ‘create 1 raw pc’, the output (after a minute or three) ends with the manifest RSpec, so you can see which node was allocated.

If you have created a single node with the above web-based service, you will see that you can recover this experiment in the jFed GUI, just as if you had created it yourself. You can then double-click the node to log in.

Speaks-for credential details

A speaks-for credential looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><signed-credential xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.protogeni.net/resources/credential/credential.xsd" xsi:schemaLocation="http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd">
<credential xml:id="_0">

      <type>abac</type>
      <serial/>
      <owner_gid/>
      <target_gid/>
      <uuid/>
      <expires>2016-02-25T07:46:36.488Z</expires>
      <abac>
          <rt0>
              <version>1.1</version>
              <head>
                 <ABACprincipal><keyid>162ebef0fa5d553819dbf9f41255eb31a1e96fb8</keyid></ABACprincipal>
                 <role>speaks_for_162ebef0fa5d553819dbf9f41255eb31a1e96fb8</role>
              </head>
              <tail>
                 <ABACprincipal><keyid>193a45bb42745506c87ad182aee2f5017a56a1cf</keyid></ABACprincipal>
              </tail>
          </rt0>
      </abac>

</credential>
<signatures>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>WCsgAfjWsbv8bNwFKFudBT16q0Y=</DigestValue></Reference></SignedInfo><SignatureValue>gv1efk41mDVUUnelaFk1PepGT1R0xlZz3zvfGikkKNSh7WBOj5/KP6dsmfxKV8+0KKAyKIsbsNW3NKvg1SuhNpxgJ9V8DrG3q09ixl19rYgvaC20PnxCYD11LUf4PFzYZVp9BFHurOmNJ/sM91Et01rFpuSX+9NKGImI4Mv2npY=</SignatureValue><KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>AM4K6zLvGAtWYHNpcZP9zEkhzdKeOPD7P8moLFYZjBNaGmrvhgyTtTyfWsR09nMxy0CKtvkzmGHhlCH02vMQKXJFuhiW7frXxjzf5GbKJEyBHJio/NXZ7rG1K2vmkH8tWQyhyTAs6GjyBwfkptc06o/AKq3/YSmA5vt+JQ6e3fVh</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue></KeyValue>
<X509Data>
<X509Certificate>MIIEDDCCA3WgAwIBAgIDAXMqMA0GCSqGSIb3DQEBBAUAMIG1MQswCQYDVQQGEwJC
RTELMAkGA1UECBMCT1YxDjAMBgNVBAcTBUdoZW50MRgwFgYDVQQKEw9pTWluZHMg
LSBpbGFiLnQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEjMCEGA1UE
AxMaYm9zcy53YWxsMi5pbGFidC5pbWluZHMuYmUxKjAoBgkqhkiG9w0BCQEWG3Z3
YWxsLW9wc0BhdGxhbnRpcy51Z2VudC5iZTAeFw0xNTA0MjgwOTI1MzFaFw0xNjA0
MjcwOTI1MzFaMIGyMQswCQYDVQQGEwJCRTELMAkGA1UECBMCT1YxGDAWBgNVBAoT
D2lNaW5kcyAtIGlsYWIudDEeMBwGA1UECxMVaW1pbmRzLXdhbGwyLmJ2ZXJtZXVs
MS0wKwYDVQQDEyRiMzQ5YTRlZi0xNDllLTExZTMtOTY2YS0wMDE1MTdiZWNkYzEx
LTArBgkqhkiG9w0BCQEWHmJ2ZXJtZXVsQHdhbGwyLmlsYWJ0LmltaW5kcy5iZTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzgrrMu8YC1Zgc2lxk/3MSSHN0p44
8Ps/yagsVhmME1oaau+GDJO1PJ9axHT2czHLQIq2+TOYYeGUIfTa8xApckW6GJbt
+tfGPN/kZsokTIEcmKj81dnusbUra+aQfy1ZDKHJMCzoaPIHB+Sm1zTqj8Aqrf9h
KYDm+34lDp7d9WECAwEAAaOCASkwggElMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FBYuvvD6XVU4Gdv59BJV6zGh6W+4MIGQBgNVHREEgYgwgYWGNHVybjpwdWJsaWNp
ZDpJRE4rd2FsbDIuaWxhYnQuaW1pbmRzLmJlK3VzZXIrYnZlcm1ldWyBHmJ2ZXJt
ZXVsQHdhbGwyLmlsYWJ0LmltaW5kcy5iZYYtdXJuOnV1aWQ6YjM0OWE0ZWYtMTQ5
ZS0xMWUzLTk2NmEtMDAxNTE3YmVjZGMxMGMGCCsGAQUFBwEBBFcwVTBTBhRpg8yT
gKiYzKjHvbGngICqrteKG4Y7aHR0cHM6Ly93d3cud2FsbDIuaWxhYnQuaW1pbmRz
LmJlOjEyMzY5L3Byb3RvZ2VuaS94bWxycGMvc2EwDQYJKoZIhvcNAQEEBQADgYEA
EWRnLF5Xp3HnmeCRA6uPI3xCvlVV3c1pgme4ccJWxxFP3l3Aor29qk5Wzj2kN123
Jyf0Pm8+2RfEl0OD0ZOZ5fOgjEGypUV+vPIvFkOXs5Size3wPUryVPC6ilrkoSxz
GB4u22GJVK74xcdYBQKogxS/ndUYqdHQgRXvst6YGFc=
</X509Certificate>
</X509Data></KeyInfo></Signature></signatures>

Interesting to note:

  • expires is based on the number of days you chose as duration in the GENI authorization tool (click ‘show advanced’). Until then the tool can store and reuse this speaks-for credential, so a stored credential (together with the tool’s private key) should be protected like any other credential.
  • The X509Certificate in the signature’s KeyInfo is the user’s certificate, which contains the following info:

openssl x509 -text -in cert.pem
Certificate:
  Data:
      Version: 3 (0x2)
      Serial Number: 95018 (0x1732a)
  Signature Algorithm: md5WithRSAEncryption
      Issuer: C=BE, ST=OV, L=Ghent, O=iMinds - ilab.t, OU=Certificate Authority, CN=boss.wall2.ilabt.iminds.be/emailAddress=vwall-ops@atlantis.ugent.be
      Validity
          Not Before: Apr 28 09:25:31 2015 GMT
          Not After : Apr 27 09:25:31 2016 GMT
      Subject: C=BE, ST=OV, O=iMinds - ilab.t, OU=iminds-wall2.bvermeul, CN=b349a4ef-149e-11e3-966a-001517becdc1/emailAddress=bvermeul@wall2.ilabt.iminds.be
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
              Public-Key: (1024 bit)
              Modulus:
                  00:ce:0a:eb:32:ef:18:0b:56:60:73:69:71:93:fd:
                  cc:49:21:cd:d2:9e:38:f0:fb:3f:c9:a8:2c:56:19:
                  8c:13:5a:1a:6a:ef:86:0c:93:b5:3c:9f:5a:c4:74:
                  f6:73:31:cb:40:8a:b6:f9:33:98:61:e1:94:21:f4:
                  da:f3:10:29:72:45:ba:18:96:ed:fa:d7:c6:3c:df:
                  e4:66:ca:24:4c:81:1c:98:a8:fc:d5:d9:ee:b1:b5:
                  2b:6b:e6:90:7f:2d:59:0c:a1:c9:30:2c:e8:68:f2:
                  07:07:e4:a6:d7:34:ea:8f:c0:2a:ad:ff:61:29:80:
                  e6:fb:7e:25:0e:9e:dd:f5:61
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          X509v3 Basic Constraints: critical
              CA:FALSE
          X509v3 Subject Key Identifier:
              16:2E:BE:F0:FA:5D:55:38:19:DB:F9:F4:12:55:EB:31:A1:E9:6F:B8
          X509v3 Subject Alternative Name:
              URI:urn:publicid:IDN+wall2.ilabt.iminds.be+user+bvermeul, email:bvermeul@wall2.ilabt.iminds.be, URI:urn:uuid:b349a4ef-149e-11e3-966a-001517becdc1
          Authority Information Access:
              2.25.305821105408246119474742976030998643995 - URI:https://www.wall2.ilabt.iminds.be:12369/protogeni/xmlrpc/sa

So you have: the user’s URN, email address and authority (the SA URL in the Authority Information Access extension), and how long the user’s certificate is still valid. This is the same info that testbeds currently see about users. Note also that the keyid in the credential’s head (162ebef0...) is exactly this certificate’s Subject Key Identifier: the head is the user who signed the statement, the role speaks_for_<user keyid> is what is being granted, and the tail keyid (193a45bb...) identifies the tool that may speak for the user. Before acting on a credential, a verifier therefore checks that the XML signature validates against the embedded certificate, that this certificate chains to an authority it trusts, that the tail keyid matches the certificate of the client presenting the credential, and that expires has not passed. The example also shows why checking the algorithms matters: the signature uses rsa-sha1 and the user certificate is a 1024-bit key issued with md5WithRSAEncryption, both of which are deprecated.
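The structural checks described above, as an added Python example that is not part of the tutorial. It parses the credential shown earlier (embedded here as a constructed sample with the SignatureValue and certificate blobs replaced by placeholders), checks that the role matches the head keyid, that the tail keyid is the keyid of the tool presenting it, that the signature’s Reference covers the credential element and that expires has not passed, and re-wraps the signer’s certificate as PEM for openssl x509 -text. It assumes the tail keyid from the sample (193a45bb...) is the tool’s own keyid, and it deliberately does not verify the XML signature, which needs an XML-DSig library plus the authority’s CA certificates.

```python
"""Added example (not the tutorial's code): structural checks on a speaks-for
credential before a tool relies on it.  The XML signature itself is NOT
verified here; use an XML-DSig library for that."""
import re
import textwrap
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"

# Constructed sample: the tutorial's credential with the long base64 values
# (SignatureValue and the user's X509Certificate) replaced by placeholders.
SAMPLE_CREDENTIAL = """<signed-credential>
<credential xml:id="_0">
  <type>abac</type><serial/><owner_gid/><target_gid/><uuid/>
  <expires>2016-02-25T07:46:36.488Z</expires>
  <abac><rt0><version>1.1</version>
    <head><ABACprincipal><keyid>162ebef0fa5d553819dbf9f41255eb31a1e96fb8</keyid></ABACprincipal>
          <role>speaks_for_162ebef0fa5d553819dbf9f41255eb31a1e96fb8</role></head>
    <tail><ABACprincipal><keyid>193a45bb42745506c87ad182aee2f5017a56a1cf</keyid></ABACprincipal></tail>
  </rt0></abac>
</credential>
<signatures><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo><Reference URI="#_0"/></SignedInfo>
  <SignatureValue>PLACEHOLDER</SignatureValue>
  <KeyInfo><X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
</Signature></signatures>
</signed-credential>"""


def parse_expires(text):
    """UTC timestamp as written by the authorization tool, with or without millis."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable <expires>: %r" % text)


def parse_speaks_for(xml_text):
    """Pull the security-relevant fields out of a signed speaks-for credential."""
    root = ET.fromstring(xml_text)
    cred = root.find("credential")
    rt0 = cred.find("abac/rt0") if cred is not None else None
    if rt0 is None:
        raise ValueError("not a signed ABAC credential")
    sig = root.find("signatures/" + DSIG + "Signature")
    if sig is None:
        raise ValueError("credential carries no signature")
    ref = sig.find(DSIG + "SignedInfo/" + DSIG + "Reference")
    cert = sig.findtext(DSIG + "KeyInfo/" + DSIG + "X509Data/" + DSIG + "X509Certificate") or ""
    return {
        "type": cred.findtext("type"),
        "cred_id": cred.get(XML_ID),
        "expires": parse_expires(cred.findtext("expires") or ""),
        "user_keyid": (rt0.findtext("head/ABACprincipal/keyid") or "").strip().lower(),
        "role": (rt0.findtext("head/role") or "").strip(),
        "tool_keyid": (rt0.findtext("tail/ABACprincipal/keyid") or "").strip().lower(),
        "signed_ref": ref.get("URI") if ref is not None else None,
        "signer_cert_b64": re.sub(r"\s+", "", cert),
    }


def check_speaks_for(info, my_keyid, now=None):
    """Return the list of problems found (empty list = structurally acceptable)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["type"] != "abac":
        problems.append("type is %r, expected abac" % info["type"])
    if not re.fullmatch(r"[0-9a-f]{40}", info["user_keyid"]):
        problems.append("head keyid is not a SHA-1 key identifier")
    if info["role"] != "speaks_for_" + info["user_keyid"]:
        problems.append("role %r does not match the head keyid" % info["role"])
    if info["tool_keyid"] != my_keyid.lower():   # the tail must be the presenting tool
        problems.append("credential is issued to %s, not to this tool" % info["tool_keyid"])
    if info["expires"] <= now:
        problems.append("credential expired at %s" % info["expires"].isoformat())
    if info["signed_ref"] != "#" + (info["cred_id"] or ""):
        problems.append("signature does not cover the <credential> element")
    return problems


def signer_cert_pem(info):
    """Re-wrap the embedded certificate as PEM so `openssl x509 -text` can read it."""
    body = "\n".join(textwrap.wrap(info["signer_cert_b64"], 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    info = parse_speaks_for(SAMPLE_CREDENTIAL)
    # Assumption: the tail keyid of the tutorial's sample is this tool's own keyid.
    for problem in check_speaks_for(info, "193a45bb42745506c87ad182aee2f5017a56a1cf") or ["ok"]:
        print(problem)
```

Run today, the script reports the sample as expired (its expires is in February 2016), which is exactly the check a tool should make before spending a user’s testbed resources; feed signer_cert_pem(info) to openssl x509 -text -noout to get the certificate dump shown above.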

A schema to validate against: https://gitlab.flux.utah.edu/emulab/emulab-devel/raw/master/protogeni/security/credential.xsd

Speaks-for generation tools

The University of Cantabria has created a tool to generate speaks-for credentials locally: https://github.com/psotres/speaks-for

The jFed probe also supports creating speaks-for credentials for testing. Download the latest jFed probe from http://jfed.iminds.be/releases/develop/. See the screenshot below:

[Screenshot: jFed probe speaks-for credential dialog (../_images/jfed_speaksfor.PNG)]