Adapting Globus and Kerberos for a Secure ASCI Grid

Porting a complex secure application from one security infrastructure to another is often difficult or impractical. Grid security associated with the Globus toolkit is supported by a Grid Security Infrastructure (GSI) based on a Public Key Infrastructure where users authenticate to the grid using X509 certificates. Kerberos security is based on a trusted third party, secret key infrastructure where users authenticate using encrypted tickets. However, both GSI and Kerberos provide a Generic Security Services Application Program Interface (GSSAPI) for source code portability. We describe the porting of our Globus system from GSI security to Kerberos V5 security, and the Kerberos modifications necessary to achieve that portability. Our case study provides details and insights that will be of value to developers and designers interested in GSSAPI portability. We conclude, based on our results, that designers of network security software should strive to accommodate the GSSAPI.