airavata-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From chath...@apache.org
Subject [2/5] airavata git commit: credential store related changes, BES changes
Date Thu, 03 Dec 2015 19:26:38 GMT
http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/MyProxyLogon.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/MyProxyLogon.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/MyProxyLogon.java
new file mode 100644
index 0000000..ae68a5d
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/MyProxyLogon.java
@@ -0,0 +1,465 @@
+/*
+*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*   http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied.  See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*
+*/
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+import eu.emi.security.authn.x509.CommonX509TrustManager;
+import eu.emi.security.authn.x509.X509CertChainValidator;
+import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.util.PrivateKeyFactory;
+import org.bouncycastle.crypto.util.PublicKeyFactory;
+import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.encoders.Base64;
+
+import javax.net.ssl.*;
+import javax.security.auth.login.FailedLoginException;
+import java.io.*;
+import java.net.ProtocolException;
+import java.security.*;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+
+/**
+ * The MyProxyLogon class provides an interface for retrieving credentials from
+ * a MyProxy server.
+ * <p/>
+ * First, use <code>setHost</code>, <code>setPort</code>,
+ * <code>setUsername</code>, <code>setPassphrase</code>,
+ * <code>setCredentialName</code>, <code>setLifetime</code> and
+ * <code>requestTrustRoots</code> to configure. Then call <code>connect</code>,
+ * <code>logon</code>, <code>getCredentials</code>, then
+ * <code>disconnect</code>. Use <code>getCertificates</code> and
+ * <code>getPrivateKey</code> to access the retrieved credentials, or
+ * <code>writeProxyFile</code> or <code>saveCredentialsToFile</code> to
+ * write them to a file. Use <code>writeTrustRoots</code>,
+ * <code>getTrustedCAs</code>, <code>getCRLs</code>,
+ * <code>getTrustRootData</code>, and <code>getTrustRootFilenames</code>
+ * for trust root information.
+ *
+ * (modified for use with UNICORE)
+ *
+ * @version 1.1
+ * @see <a href="http://myproxy.ncsa.uiuc.edu/">MyProxy Project Home Page</a>
+ * 
+ */
+public class MyProxyLogon {
+    
+	public final static String version = "1.1";
+
+    private enum State {
+        READY, CONNECTED, LOGGEDON, DONE
+    }
+
+    public final static String VERSION = "VERSION=MYPROXYv2";
+    private final static String GETCOMMAND = "COMMAND=0";
+    private final static String TRUSTROOTS = "TRUSTED_CERTS=";
+    private final static String USERNAME = "USERNAME=";
+    private final static String PASSPHRASE = "PASSPHRASE=";
+    private final static String LIFETIME = "LIFETIME=";
+    private final static String CREDNAME = "CRED_NAME=";
+    public final static String RESPONSE = "RESPONSE=";
+    private final static String ERROR = "ERROR=";
+    private final static String DN = "CN=ignore";
+
+    public final int DEFAULT_KEY_SIZE = 2048;
+    private int keySize = DEFAULT_KEY_SIZE;
+    private final static String keyAlg = "RSA";
+    private State state = State.READY;
+    private String host = "localhost";
+    private String username;
+    private String credname;
+    private char[] passphrase;
+    private int port = 7512;
+    private int lifetime = 43200;
+    private SSLSocket socket;
+    private BufferedInputStream socketIn;
+    private BufferedOutputStream socketOut;
+    private KeyPair keypair;
+    private Collection<X509Certificate> certificateChain;
+    private String[] trustrootFilenames;
+    private String[] trustrootData;
+    private KeyManagerFactory keyManagerFactory;
+    private TrustManager trustManager;
+    
+    /**
+     * Constructs a MyProxyLogon object.
+     */
+    public MyProxyLogon() {
+        super();
+        host = System.getenv("MYPROXY_SERVER");
+        if (host == null) {
+            host = "myproxy.teragrid.org";
+        }
+        String portString = System.getenv("MYPROXY_SERVER_PORT");
+        if (portString != null) {
+            port = Integer.parseInt(portString);
+        }
+        username = System.getProperty("user.name");
+    }
+
+    
+    /**
+     * sets the internal trust manager using the supplied validator
+     */
+    public void setValidator(X509CertChainValidator validator){
+    	 CommonX509TrustManager mtm = new CommonX509TrustManager(validator);
+    	 setTrustManager(mtm);
+    }
+
+    /**
+     * Sets the hostname of the MyProxy server. Defaults to localhost.
+     *
+     * @param host MyProxy server hostname
+     */
+    public void setHost(String host) {
+        this.host = host;
+    }
+
+    /**
+     * Sets the port of the MyProxy server. Defaults to 7512.
+     *
+     * @param port MyProxy server port
+     */
+    public void setPort(int port) {
+        this.port = port;
+    }
+
+    /**
+     * Sets the key size.
+     *
+     * @param keySize
+     */
+    public void setKeySize(int keySize) {
+        this.keySize = keySize;
+    }
+
+    /**
+     * Gets the MyProxy username.
+     *
+     * @return MyProxy server port
+     */
+    public String getUsername() {
+        return username;
+    }
+
+    /**
+     * Sets the MyProxy username. Defaults to user.name.
+     *
+     * @param username MyProxy username
+     */
+    public void setUsername(String username) {
+    	this.username = username;
+    }
+
+    /**
+     * Sets the optional MyProxy credential name.
+     *
+     * @param credname credential name
+     */
+    public void setCredentialName(String credname) {
+       this.credname = credname;
+    }
+
+    /**
+     * Sets the MyProxy passphrase.
+     *
+     * @param passphrase MyProxy passphrase
+     */
+    public void setPassphrase(char[] passphrase) {
+       this.passphrase = passphrase;
+    }
+
+    /**
+     * Sets the requested credential lifetime. Defaults to 43200 seconds (12
+     * hours).
+     *
+     * @param seconds Credential lifetime
+     */
+    public void setLifetime(int seconds) {
+        lifetime = seconds;
+    }
+
+    /**
+     * Gets the certificates returned from the MyProxy server by
+     * getCredentials().
+     *
+     * @return Collection of java.security.cert.Certificate objects
+     */
+    public Collection<X509Certificate> getCertificates() {
+        return certificateChain;
+    }
+
+    
+    // for unit testing
+    static PrivateKey testingPrivateKey;
+    
+    /**
+     * Gets the private key generated by getCredentials().
+     *
+     * @return PrivateKey
+     */
+    public PrivateKey getPrivateKey() {
+    	if(testingPrivateKey!=null){
+			//for unit testing
+			return testingPrivateKey;	
+		}
+		return keypair.getPrivate();
+    }
+
+    /**
+     * Connects to the MyProxy server at the desired host and port. Requires
+     * host authentication via SSL. The host's certificate subject must
+     * match the requested hostname. If CA certificates are found in the
+     * standard GSI locations, they will be used to verify the server's
+     * certificate. If trust roots are requested and no CA certificates are
+     * found, the server's certificate will still be accepted.
+     */
+    public void connect() throws IOException, GeneralSecurityException {
+        SSLContext sc = SSLContext.getInstance("SSL");
+        if(trustManager==null){
+        	throw new IllegalStateException("No trust manager has been set!");
+        }
+        TrustManager[] trustAllCerts = new TrustManager[]{trustManager};
+        sc.init(getKeyManagers(), trustAllCerts, new java.security.SecureRandom());
+        SSLSocketFactory sf = sc.getSocketFactory();
+        socket = (SSLSocket) sf.createSocket(host, port);
+        socket.startHandshake();
+        socketIn = new BufferedInputStream(socket.getInputStream());
+        socketOut = new BufferedOutputStream(socket.getOutputStream());
+        state = State.CONNECTED;
+    }
+
+    /**
+     * Set the key manager factory for use in client-side SSLSocket
+     * certificate-based authentication to the MyProxy server.
+     * Call this before connect().
+     *
+     * @param keyManagerFactory Key manager factory to use
+     */
+    public void setKeyManagerFactory(KeyManagerFactory keyManagerFactory) {
+        this.keyManagerFactory = keyManagerFactory;
+    }
+
+
+	public void setTrustManager(TrustManager trustManager) {
+		this.trustManager = trustManager;
+	}
+
+	/**
+     * Disconnects from the MyProxy server.
+     */
+    public void disconnect() throws IOException {
+        socket.close();
+        socket = null;
+        socketIn = null;
+        socketOut = null;
+        state = State.READY;
+    }
+
+    /**
+     * Logs on to the MyProxy server by issuing the MyProxy GET command.
+     */
+    public void logon() throws IOException, GeneralSecurityException {
+        String line;
+        char response;
+
+        if (state != State.CONNECTED) {
+            connect();
+        }
+
+        socketOut.write('0');
+        socketOut.flush();
+        socketOut.write(VERSION.getBytes());
+        socketOut.write('\n');
+        socketOut.write(GETCOMMAND.getBytes());
+        socketOut.write('\n');
+        socketOut.write(USERNAME.getBytes());
+        socketOut.write(username.getBytes());
+        socketOut.write('\n');
+        socketOut.write(PASSPHRASE.getBytes());
+        socketOut.write(new String(passphrase).getBytes());
+        socketOut.write('\n');
+        socketOut.write(LIFETIME.getBytes());
+        socketOut.write(Integer.toString(lifetime).getBytes());
+        socketOut.write('\n');
+        if (credname != null) {
+            socketOut.write(CREDNAME.getBytes());
+            socketOut.write(credname.getBytes());
+            socketOut.write('\n');
+        }
+        socketOut.flush();
+
+        line = readLine(socketIn);
+        if (line == null) {
+            throw new EOFException();
+        }
+        if (!line.equals(VERSION)) {
+            throw new ProtocolException("bad MyProxy protocol VERSION string: "
+                    + line);
+        }
+        line = readLine(socketIn);
+        if (line == null) {
+            throw new EOFException();
+        }
+        if (!line.startsWith(RESPONSE)
+                || line.length() != RESPONSE.length() + 1) {
+            throw new ProtocolException(
+                    "bad MyProxy protocol RESPONSE string: " + line);
+        }
+        response = line.charAt(RESPONSE.length());
+        if (response == '1') {
+            StringBuffer errString;
+
+            errString = new StringBuffer("MyProxy logon failed");
+            while ((line = readLine(socketIn)) != null) {
+                if (line.startsWith(ERROR)) {
+                    errString.append('\n');
+                    errString.append(line.substring(ERROR.length()));
+                }
+            }
+            throw new FailedLoginException(errString.toString());
+        } else if (response == '2') {
+            throw new ProtocolException(
+                    "MyProxy authorization RESPONSE not implemented");
+        } else if (response != '0') {
+            throw new ProtocolException(
+                    "unknown MyProxy protocol RESPONSE string: " + line);
+        }
+        while ((line = readLine(socketIn)) != null) {
+            if (line.startsWith(TRUSTROOTS)) {
+                String filenameList = line.substring(TRUSTROOTS.length());
+                trustrootFilenames = filenameList.split(",");
+                trustrootData = new String[trustrootFilenames.length];
+                for (int i = 0; i < trustrootFilenames.length; i++) {
+                    String lineStart = "FILEDATA_" + trustrootFilenames[i]
+                            + "=";
+                    line = readLine(socketIn);
+                    if (line == null) {
+                        throw new EOFException();
+                    }
+                    if (!line.startsWith(lineStart)) {
+                        throw new ProtocolException(
+                                "bad MyProxy protocol RESPONSE: expecting "
+                                        + lineStart + " but received " + line);
+                    }
+                    trustrootData[i] = new String(Base64.decode(line
+                            .substring(lineStart.length())));
+                }
+            }
+        }
+        state = State.LOGGEDON;
+    }
+
+   
+    /**
+     * Retrieves credentials from the MyProxy server.
+     */
+    public void getCredentials() throws IOException, GeneralSecurityException {
+
+        KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance(keyAlg);
+        keyGenerator.initialize(keySize);
+        keypair = keyGenerator.genKeyPair();
+        Security.addProvider(new BouncyCastleProvider());
+        
+        org.bouncycastle.pkcs.PKCS10CertificationRequest pkcs10 = null;
+        try{
+        	pkcs10 = generateCertificationRequest(DN, keypair);
+        }
+        catch(Exception ex){
+        	throw new GeneralSecurityException(ex);
+        }
+        getCredentials(pkcs10.getEncoded());
+    }
+
+    
+    public X509Certificate getCertificate() {
+        if (certificateChain == null) {
+           return null;
+        }
+        Iterator<X509Certificate> iter = this.certificateChain.iterator();
+        return iter.next();
+    }
+    
+    
+    private KeyManager[] getKeyManagers() {
+        return keyManagerFactory != null? keyManagerFactory.getKeyManagers() : null ;
+    }
+
+    private void getCredentials(byte[] derEncodedCertRequest) throws IOException, GeneralSecurityException {
+        if (state != State.LOGGEDON) {
+            logon();
+        }
+        socketOut.write(derEncodedCertRequest);
+        socketOut.flush();
+        int numCertificates = socketIn.read();
+        if (numCertificates == -1) {
+            throw new IOException("Error: connection aborted");
+        } else if (numCertificates == 0 || numCertificates < 0) {
+            throw new GeneralSecurityException("Error: bad number of certificates sent by server");
+        }
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+        certificateChain = new ArrayList<X509Certificate>();
+        for(int i = 0; i<numCertificates; i++){
+        	X509Certificate c = (X509Certificate)certFactory.generateCertificate(socketIn);
+        	certificateChain.add(c);
+        }
+        state = State.DONE;
+    }
+
+    private String readLine(InputStream is) throws IOException {
+        StringBuffer sb = new StringBuffer();
+        for (int c = is.read(); c > 0 && c != '\n'; c = is.read()) {
+            sb.append((char) c);
+        }
+        if (sb.length() > 0) {
+            return new String(sb);
+        }
+        return null;
+    }
+
+	private org.bouncycastle.pkcs.PKCS10CertificationRequest generateCertificationRequest(String dn, KeyPair kp)
+			throws Exception{
+		X500Name subject=new X500Name(dn);
+		PublicKey pubKey=kp.getPublic();
+		PrivateKey privKey=kp.getPrivate();
+		AsymmetricKeyParameter pubkeyParam = PublicKeyFactory.createKey(pubKey.getEncoded());
+		SubjectPublicKeyInfo publicKeyInfo=SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(pubkeyParam);
+		PKCS10CertificationRequestBuilder builder=new PKCS10CertificationRequestBuilder(subject, publicKeyInfo);
+		AlgorithmIdentifier signatureAi = new AlgorithmIdentifier(OIWObjectIdentifiers.sha1WithRSA);
+		BcRSAContentSignerBuilder signerBuilder=new BcRSAContentSignerBuilder(
+				signatureAi, AlgorithmIdentifier.getInstance(OIWObjectIdentifiers.idSHA1));
+		AsymmetricKeyParameter pkParam = PrivateKeyFactory.createKey(privKey.getEncoded());
+		ContentSigner signer=signerBuilder.build(pkParam);
+		return builder.build(signer);
+	}
+}
+

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/OSType.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/OSType.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/OSType.java
new file mode 100644
index 0000000..19ea19d
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/OSType.java
@@ -0,0 +1,124 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+public enum OSType {
+
+	unknown("Unknown"), //$NON-NLS-1$
+	linux("LINUX"), //$NON-NLS-1$
+	mac_os("MACOS"), //$NON-NLS-1$
+	win95("WIN95"), //$NON-NLS-1$
+	win98("WIN98"), //$NON-NLS-1$
+	windows_R_Me("Windows_R_Me"), //$NON-NLS-1$
+	winNT("WINNT"), //$NON-NLS-1$
+	windows_2000("Windows_2000"), //$NON-NLS-1$
+	windows_XP("Windows_XP"), //$NON-NLS-1$
+	msdos("MSDOS"), //$NON-NLS-1$
+	solaris("Solaris"), //$NON-NLS-1$
+	sunOS("SunOS"), //$NON-NLS-1$
+	freeBSD("FreeBSD"), //$NON-NLS-1$
+	netBSD("NetBSD"), //$NON-NLS-1$
+	openBSD("OpenBSD"), //$NON-NLS-1$
+	bsdunix("BSDUNIX"), //$NON-NLS-1$
+	aix("AIX"), //$NON-NLS-1$
+	z_OS("z_OS"), //$NON-NLS-1$
+	os_2("OS_2"), //$NON-NLS-1$
+	os9("OS9"), //$NON-NLS-1$
+	netWare("NetWare"), //$NON-NLS-1$
+	tru64_unix("Tru64_UNIX"), //$NON-NLS-1$
+	irix("IRIX"), //$NON-NLS-1$
+	osf("OSF"), //$NON-NLS-1$
+
+	mvs("MVS"), //$NON-NLS-1$
+	os400("OS400"), //$NON-NLS-1$
+	javaVM("JavaVM"), //$NON-NLS-1$
+	win3x("WIN3x"), //$NON-NLS-1$
+	winCE("WINCE"), //$NON-NLS-1$
+	NCR3000("NCR3000"), //$NON-NLS-1$
+	dc_os("DC_OS"), //$NON-NLS-1$
+	reliant_unix("Reliant_UNIX"), //$NON-NLS-1$
+	sco_unixWare("SCO_UnixWare"), //$NON-NLS-1$
+	sco_openServer("SCO_OpenServer"), //$NON-NLS-1$
+	sequent("Sequent"), //$NON-NLS-1$
+	u6000("U6000"), //$NON-NLS-1$
+	aseries("ASERIES"), //$NON-NLS-1$
+	tandemNSK("TandemNSK"), //$NON-NLS-1$
+	tandemNT("TandemNT"), //$NON-NLS-1$
+	bs2000("BS2000"), //$NON-NLS-1$
+	lynx("Lynx"), //$NON-NLS-1$
+	xenix("XENIX"), //$NON-NLS-1$
+	vm("VM"), //$NON-NLS-1$
+	interactive_unix("Interactive_UNIX"), //$NON-NLS-1$
+	gnu_hurd("GNU_Hurd"), //$NON-NLS-1$
+	mach_kernel("MACH_Kernel"), //$NON-NLS-1$
+	inferno("Inferno"), //$NON-NLS-1$
+	qnx("QNX"), //$NON-NLS-1$
+	epoc("EPOC"), //$NON-NLS-1$
+	ixWorks("IxWorks"), //$NON-NLS-1$
+	vxWorks("VxWorks"), //$NON-NLS-1$
+	mint("MiNT"), //$NON-NLS-1$
+	beOS("BeOS"), //$NON-NLS-1$
+	hp_mpe("HP_MPE"), //$NON-NLS-1$
+	nextStep("NextStep"), //$NON-NLS-1$
+	palmPilot("PalmPilot"), //$NON-NLS-1$
+	rhapsody("Rhapsody"), //$NON-NLS-1$
+	dedicated("Dedicated"), //$NON-NLS-1$
+	os_390("OS_390"), //$NON-NLS-1$
+	vse("VSE"), //$NON-NLS-1$
+	tpf("TPF"), //$NON-NLS-1$
+	caldera_open_unix("Caldera_Open_UNIX"), //$NON-NLS-1$
+	attunix("ATTUNIX"), //$NON-NLS-1$
+	dgux("DGUX"), //$NON-NLS-1$
+	decnt("DECNT"), //$NON-NLS-1$
+	openVMS("OpenVMS"), //$NON-NLS-1$
+	hpux("HPUX"), //$NON-NLS-1$
+	other("other"); //$NON-NLS-1$
+
+
+	private OSType(String value) { 
+		this.value = value;
+	}
+
+	private final String value;
+
+	public String getValue() { 
+		return value;
+	}
+
+	public static OSType fromString(String value)
+	{
+		for(OSType type : values())
+		{
+			if(type.value.equals(value))
+			{
+				return type;
+			}
+		}
+		return null;
+	}
+	
+	public String toString()
+	{
+		return value;
+	}
+
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ProcessorRequirement.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ProcessorRequirement.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ProcessorRequirement.java
new file mode 100644
index 0000000..ed1ab6a
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ProcessorRequirement.java
@@ -0,0 +1,61 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+*/
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+public enum ProcessorRequirement{
+	sparc("sparc"), //$NON-NLS-1$
+	powerpc("powerpc"), //$NON-NLS-1$
+	x86("x86"), //$NON-NLS-1$
+	x86_32("x86_32"), //$NON-NLS-1$
+	x86_64("x86_64"), //$NON-NLS-1$
+	parisc("parisc"), //$NON-NLS-1$
+	mips("mips"), //$NON-NLS-1$
+	ia64("ia64"), //$NON-NLS-1$
+	arm("arm"), //$NON-NLS-1$
+	other("other"); //$NON-NLS-1$
+
+	ProcessorRequirement(String value) {
+		this.value = value; 
+	}
+
+	private final String value;
+
+	public String getValue() { 
+		return value; 
+	}
+
+	public static ProcessorRequirement fromString(String value)
+	{
+		for (ProcessorRequirement type : values()) {
+			if (type.value.equals(value)) {
+				return type;
+			}
+		}
+		return other;
+	}
+	
+	public String toString()
+	{
+		return value;
+	}
+
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/RangeValueType.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/RangeValueType.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/RangeValueType.java
new file mode 100644
index 0000000..1d64025
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/RangeValueType.java
@@ -0,0 +1,271 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+
+public class RangeValueType implements ResourceRequirement {
+	
+
+    private double exact = Double.NaN;
+    private double lowerBound = Double.NEGATIVE_INFINITY;
+    private double upperBound = Double.POSITIVE_INFINITY;
+    
+    private double epsilon = Double.NaN;
+    private boolean includeLowerBound = true;
+    private boolean includeUpperBound = true;
+    
+    private boolean enabled = false;
+    
+    
+    public RangeValueType(double exact, double epsilon, double lowerBound, boolean includeLowerBound, double upperBound, boolean includeUpperBound, boolean enabled) {
+        this.exact = exact;
+    	this.epsilon = epsilon;
+    	this.lowerBound = lowerBound;
+        this.includeLowerBound = includeLowerBound;
+        this.upperBound = upperBound;
+        this.includeUpperBound = includeUpperBound;
+        this.enabled = enabled;
+    }
+   
+    
+    
+    /**
+	 * Create the range requirements
+	 * 
+	 * @param exact -
+	 *            the exact value
+	 * @param lowerBound -
+	 *            the lower bound
+	 * @param upperBound -
+	 *            the upper bound
+	 * @param includeUpperBound -
+	 *            true, if upperBound should be included in range
+	 * 
+	 */
+    public RangeValueType(double exact, double epsilon, double lowerBound, boolean includeLowerBound, double upperBound, boolean includeUpperBound) {
+    	this(exact,epsilon,lowerBound,includeLowerBound,upperBound,includeUpperBound,false);
+        
+    }
+    
+    
+    /**
+	 * Create the range requirements
+	 * 
+	 * @param exact -
+	 *            the exact value
+	 * @param lowerBound -
+	 *            the lower bound
+	 * @param upperBound -
+	 *            the upper bound
+	 */
+    public RangeValueType(double exact, double epsilon, double lowerBound, double upperBound) {
+    	this(exact,epsilon,lowerBound,true,upperBound,true);
+    }
+    
+    
+    public RangeValueType(double exact, double lowerBound, double upperBound) {
+    	this(exact,Double.NaN,lowerBound,true,upperBound,true);
+    }
+
+    /**
+	 * Create the exact requirements
+	 * 
+	 * @param exact -
+	 *            the exact value
+	 * @param epsilon -
+	 *            the epsilon arround exact
+	 * 
+	 */
+    public RangeValueType(double exact, double epsilon) {
+        this(exact,epsilon,Double.NaN,Double.NaN);
+    }
+
+    
+    /**
+	 * Create the exact requirements
+	 * 
+	 * @param exact -
+	 *            the exact value
+	 */
+    public RangeValueType(double exact) {
+        this(exact,Double.NaN);
+    }
+
+    public RangeValueType() {
+    }
+
+    /**
+	 * Get exact requirements
+	 * 
+	 * @return the exact requirements
+	 */
+    public double getExact() {
+        return exact;
+    }
+
+    /**
+	 * Set exact requirements
+	 * 
+	 * @param exact -
+	 *            the exact requirements
+	 */
+    public void setExact(double exact) {
+        this.exact = exact;
+    }
+    
+    /**
+	 * Get epsilon
+	 * 
+	 * @return the epsilon
+	 */
+    public double getEpsilon() {
+        return epsilon;
+    }
+
+    /**
+	 * Set epsilon
+	 * 
+	 * @param epsilon -
+	 *            epsilon belonging to to exact requirements
+	 */
+    public void setEpsilon(double epsilon) {
+        this.epsilon = epsilon;
+    }
+
+    /**
+	 * Get lower bound
+	 * 
+	 * @return the lower bound
+	 */
+    public double getLowerBound() {
+        return lowerBound;
+    }
+
+    /**
+	 * Set lower bound
+	 * 
+	 * @param lowerBound -
+	 *            the lower bound
+	 */
+    public void setLowerBound(double lowerBound) {
+        this.lowerBound = lowerBound;
+    }
+
+    /**
+	 * Get upper bound
+	 * 
+	 * @return the upper bound
+	 */
+    public double getUpperBound() {
+        return upperBound;
+    }
+
+    /**
+	 * Set upper bound
+	 * 
+	 * @param upperBound -
+	 *            the upper bound
+	 */
+    public void setUpperBound(double upperBound) {
+        this.upperBound = upperBound;
+    }
+
+    /**
+	 * Test if requirements are met
+	 * 
+	 * @param value -
+	 *            the tested value
+	 * @return <code>true</code> if value is in the range and not less than
+	 *         the exact value
+	 */
+    public boolean lowerThanDouble(double value) {
+        return (value >= exact && value >= lowerBound && value <= upperBound) ? true : false;
+    }
+
+    public String toString() {
+        if (lowerBound == Double.NEGATIVE_INFINITY && upperBound == Double.POSITIVE_INFINITY) {
+            return Double.toString(exact);
+        }
+        else {
+            return "(e=" + Double.toString(exact) + ",l=" + Double.toString(lowerBound) + ",u=" //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
+                    + Double.toString(upperBound) + ")"; //$NON-NLS-1$
+        }
+    }
+
+
+	public boolean isIncludeLowerBound() {
+		return includeLowerBound;
+	}
+
+
+	public void setIncludeLowerBound(boolean includeLowerBound) {
+		this.includeLowerBound = includeLowerBound;
+	}
+
+
+	public boolean isIncludeUpperBound() {
+		return includeUpperBound;
+	}
+
+
+	public void setIncludeUpperBound(boolean includeUpperBound) {
+		this.includeUpperBound = includeUpperBound;
+	}
+	
+	public RangeValueType clone(){
+		return new RangeValueType(this.exact, this.epsilon, this.lowerBound, this.includeLowerBound, this.upperBound, this.includeUpperBound,this.enabled);
+	}
+
+
+
+	public boolean isEnabled() {
+		return enabled;
+	}
+
+
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+
+	
+	public boolean equals(Object o)
+	{
+		if(! (o instanceof RangeValueType)) return false;
+		RangeValueType other = (RangeValueType) o;
+		return doublesEqual(getExact(),other.getExact())
+		&& doublesEqual(getEpsilon(), other.getEpsilon())
+		&& doublesEqual(getLowerBound(), other.getLowerBound())
+		&& doublesEqual(getUpperBound(), other.getUpperBound())
+		&& isIncludeLowerBound() == other.isIncludeLowerBound()
+		&& isIncludeUpperBound() == other.isIncludeUpperBound()
+		&& isEnabled() == other.isEnabled();
+	}
+
+	
+	private boolean doublesEqual(double a, double b)
+	{
+		Double A = new Double(a);
+		Double B = new Double(b);
+		return A.equals(B);
+	}
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceProcessor.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceProcessor.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceProcessor.java
new file mode 100644
index 0000000..a5586db
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceProcessor.java
@@ -0,0 +1,97 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+import de.fzj.unicore.wsrflite.xmlbeans.WSUtilities;
+import eu.unicore.jsdl.extensions.ResourceRequestDocument;
+import eu.unicore.jsdl.extensions.ResourceRequestType;
+import org.apache.airavata.gfac.core.context.ProcessContext;
+import org.apache.airavata.model.process.ProcessModel;
+import org.apache.airavata.model.scheduling.ComputationalResourceSchedulingModel;
+import org.ggf.schemas.jsdl.x2005.x11.jsdl.JobDefinitionType;
+import org.ggf.schemas.jsdl.x2005.x11.jsdl.ResourcesType;
+
+public class ResourceProcessor {
+
+	
+	public static void generateResourceElements(JobDefinitionType value, ProcessContext context) throws Exception {
+        ProcessModel processModel = context.getProcessModel();
+        if (processModel != null) {
+            try {
+                ComputationalResourceSchedulingModel crs = processModel.getResourceSchedule();
+
+                if (crs.getTotalPhysicalMemory() > 0) {
+                    RangeValueType rangeType = new RangeValueType();
+                    rangeType.setLowerBound(Double.NaN);
+                    rangeType.setUpperBound(Double.NaN);
+                    rangeType.setExact(crs.getTotalPhysicalMemory());
+                    JSDLUtils.setIndividualPhysicalMemoryRequirements(value, rangeType);
+                }
+
+                if (crs.getNodeCount() > 0) {
+                    RangeValueType rangeType = new RangeValueType();
+                    rangeType.setLowerBound(Double.NaN);
+                    rangeType.setUpperBound(Double.NaN);
+                    rangeType.setExact(crs.getNodeCount());
+                    JSDLUtils.setTotalResourceCountRequirements(value, rangeType);
+                }
+
+                if (crs.getWallTimeLimit() > 0) {
+                    RangeValueType cpuTime = new RangeValueType();
+                    cpuTime.setLowerBound(Double.NaN);
+                    cpuTime.setUpperBound(Double.NaN);
+                    long wallTime = crs.getWallTimeLimit() * 60;
+                    cpuTime.setExact(wallTime);
+                    JSDLUtils.setIndividualCPUTimeRequirements(value, cpuTime);
+                }
+                // the total cpu count is total cpus per node
+                if (crs.getTotalCPUCount() > 0) {
+                    RangeValueType rangeType = new RangeValueType();
+                    rangeType.setLowerBound(Double.NaN);
+                    rangeType.setUpperBound(Double.NaN);
+                    int nodeCount = crs.getNodeCount();
+                    if (nodeCount <= 0) {
+                        nodeCount = 1;
+                    }
+                    rangeType.setExact(crs.getTotalCPUCount() / nodeCount);
+                    JSDLUtils.setIndividualCPUCountRequirements(value, rangeType);
+                }
+
+                String qName = crs.getQueueName();
+                if (!(qName == null || "".equals(qName))) {
+                    // ignore "default" queue names
+                    if (!(crs.getQueueName().trim().equalsIgnoreCase("default"))) {
+                        ResourceRequestDocument rqDoc = ResourceRequestDocument.Factory.newInstance();
+                        ResourceRequestType rq = rqDoc.addNewResourceRequest();
+                        rq.setName("Queue");
+                        rq.setValue(qName);
+                        ResourcesType res = JSDLUtils.getOrCreateResources(value);
+                        WSUtilities.insertAny(rqDoc, res);
+                    }
+                }
+
+            } catch (NullPointerException npe) {
+                throw new Exception("No value set for resource requirements.", npe);
+            }
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceRequirement.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceRequirement.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceRequirement.java
new file mode 100644
index 0000000..79d3f2c
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/ResourceRequirement.java
@@ -0,0 +1,34 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+public interface ResourceRequirement extends Cloneable {
+	
+	/**
+	 * States whether this resource requirement is active
+	 * and should be written into the job description.
+	 * @return
+	 */
+	public boolean isEnabled();
+	
+	public void setEnabled(boolean enabled);
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SPMDVariations.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SPMDVariations.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SPMDVariations.java
new file mode 100644
index 0000000..9d3cd02
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SPMDVariations.java
@@ -0,0 +1,52 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+public enum SPMDVariations {
+
+	MPI ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MPI"), 
+	GridMPI ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/GridMPI"),
+	IntelMPI ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/IntelMPI"),
+	LAMMPI ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/LAM-MPI"), 
+	MPICH1 ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MPICH1"),
+	MPICH2 ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MPICH2"),
+	MPICHGM ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MPICH-GM"),
+	MPICHMX ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MPICH-MX"),
+	MVAPICH ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MVAPICH"),
+	MVAPICH2 ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/MVAPICH2"),
+	OpenMPI ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/OpenMPI"),
+	POE ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/POE"),
+	PVM ("http://www.ogf.org/jsdl/2007/02/jsdl-spmd/PVM");
+	
+	private final String variation;
+	
+	private SPMDVariations(String variation) {
+		this.variation = variation;
+	}
+	
+	public String value(){
+		return variation;
+	}
+	
+}
+
+

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SecurityUtils.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SecurityUtils.java
new file mode 100644
index 0000000..a357e62
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/SecurityUtils.java
@@ -0,0 +1,167 @@
+/*
+*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*   http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied.  See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*
+*/
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+import eu.emi.security.authn.x509.helpers.CertificateHelpers;
+import eu.emi.security.authn.x509.helpers.proxy.X509v3CertificateBuilder;
+import eu.emi.security.authn.x509.impl.CertificateUtils;
+import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding;
+import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.credential.store.store.CredentialReader;
+import org.apache.airavata.gfac.core.GFacException;
+import org.apache.airavata.gfac.core.GFacUtils;
+import org.apache.airavata.gfac.core.RequestData;
+import org.apache.airavata.gfac.core.context.ProcessContext;
+import org.apache.airavata.model.appcatalog.computeresource.JobSubmissionProtocol;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import java.util.Random;
+
+public class SecurityUtils {
+	
+	private final static Logger logger = LoggerFactory.getLogger(SecurityUtils.class);
+	
+	
+	public static void addSecurityContext(ProcessContext processContext) throws GFacException {
+		
+	        if (!processContext.getJobSubmissionProtocol().equals(JobSubmissionProtocol.UNICORE)) {
+	            logger.error("This is a wrong method to invoke for UNICORE host types,please check your gfac-config.xml");
+	        }
+	        else
+	        {	
+	        	String credentialStoreToken = processContext.getTokenId(); // set by the framework
+	            RequestData requestData;
+				try {
+					requestData = new RequestData(ServerSettings.getDefaultUserGateway());
+				} catch (ApplicationSettingsException e1) {
+					throw new GFacException(e1);
+				} // coming from top tier
+	            requestData.setTokenId(credentialStoreToken);
+	            
+	            CredentialReader credentialReader = null;
+	            try{
+	            	credentialReader = GFacUtils.getCredentialReader();
+	            }catch (Exception e){
+	            	logger.warn("Cannot get credential reader instance");
+	            }
+	            
+            	UNICORESecurityContext secCtx = new UNICORESecurityContext(credentialReader, requestData);
+//            	processContext.setJobSubmissionRemoteCluster(X509SecurityContext.X509_SECURITY_CONTEXT, secCtx);
+	        }
+	}
+	
+	public static final KeyAndCertCredential generateShortLivedCertificate(String userDN,
+			String caCertPath, String caKeyPath, String caPwd) throws Exception {
+		final long CredentialGoodFromOffset = 1000L * 60L * 15L; // 15 minutes
+		// ago
+
+		final long startTime = System.currentTimeMillis() - CredentialGoodFromOffset;
+		final long endTime = startTime + 30 * 3600 * 1000;
+
+		final String keyLengthProp = "1024";
+		int keyLength = Integer.parseInt(keyLengthProp);
+		final String signatureAlgorithm = "SHA1withRSA";
+
+		KeyAndCertCredential caCred = getCACredential(caCertPath, caKeyPath,
+				caPwd);
+
+		KeyPairGenerator kpg = KeyPairGenerator.getInstance(caCred.getKey()
+				.getAlgorithm());
+		kpg.initialize(keyLength);
+		KeyPair pair = kpg.generateKeyPair();
+
+		X500Principal subjectDN = new X500Principal(userDN);
+		Random rand = new Random();
+
+		SubjectPublicKeyInfo publicKeyInfo;
+		try {
+			publicKeyInfo = SubjectPublicKeyInfo
+					.getInstance(new ASN1InputStream(pair.getPublic()
+							.getEncoded()).readObject());
+		} catch (IOException e) {
+			throw new InvalidKeyException("Can not parse the public key"
+					+ "being included in the short lived certificate", e);
+		}
+
+		X500Name issuerX500Name = CertificateHelpers.toX500Name(caCred
+				.getCertificate().getSubjectX500Principal());
+
+		X500Name subjectX500Name = CertificateHelpers.toX500Name(subjectDN);
+
+		X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
+				issuerX500Name, new BigInteger(20, rand), new Date(startTime),
+				new Date(endTime), subjectX500Name, publicKeyInfo);
+
+		AlgorithmIdentifier sigAlgId = X509v3CertificateBuilder
+				.extractAlgorithmId(caCred.getCertificate());
+
+		X509Certificate certificate = certBuilder.build(caCred.getKey(),
+				sigAlgId, signatureAlgorithm, null, null);
+
+		certificate.checkValidity(new Date());
+		certificate.verify(caCred.getCertificate().getPublicKey());
+		KeyAndCertCredential result = new KeyAndCertCredential(
+				pair.getPrivate(), new X509Certificate[] { certificate,
+						caCred.getCertificate() });
+
+		return result;
+	}
+	
+	public static KeyAndCertCredential getCACredential(String caCertPath,
+			String caKeyPath, String password) throws Exception {
+		InputStream isKey = new FileInputStream(caKeyPath);
+		PrivateKey pk = CertificateUtils.loadPrivateKey(isKey, Encoding.PEM,
+				password.toCharArray());
+
+		InputStream isCert = new FileInputStream(caCertPath);
+		X509Certificate caCert = CertificateUtils.loadCertificate(isCert,
+				Encoding.PEM);
+
+		if (isKey != null)
+			isKey.close();
+		if (isCert != null)
+			isCert.close();
+
+		return new KeyAndCertCredential(pk, new X509Certificate[] { caCert });
+	}
+
+	
+	
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/StorageCreator.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/StorageCreator.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/StorageCreator.java
new file mode 100644
index 0000000..65b2d14
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/StorageCreator.java
@@ -0,0 +1,207 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+import de.fzj.unicore.uas.StorageFactory;
+import de.fzj.unicore.uas.client.StorageClient;
+import de.fzj.unicore.uas.client.StorageFactoryClient;
+import de.fzj.unicore.wsrflite.xmlbeans.WSUtilities;
+import de.fzj.unicore.wsrflite.xmlbeans.client.RegistryClient;
+import de.fzj.unicore.wsrflite.xmlbeans.sg.Registry;
+import eu.unicore.util.httpclient.DefaultClientConfiguration;
+import org.oasisOpen.docs.wsrf.sg2.EntryType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.unigrids.services.atomic.types.PropertyType;
+import org.unigrids.x2006.x04.services.smf.CreateSMSDocument;
+import org.unigrids.x2006.x04.services.smf.StorageBackendParametersDocument.StorageBackendParameters;
+import org.unigrids.x2006.x04.services.smf.StorageDescriptionType;
+import org.w3.x2005.x08.addressing.EndpointReferenceType;
+
+import javax.security.auth.x500.X500Principal;
+import java.util.Calendar;
+
+public class StorageCreator {
+	 protected final Logger log = LoggerFactory.getLogger(this.getClass());
+
+	/**
+	 * the initial lifetime (in days) for newly created SMSs
+	 */
+	private int initialLifeTime;
+
+	/**
+	 * factory URL to use
+	 */
+	private String factoryUrl;
+
+	/**
+	 * site where to create the storage
+	 */
+	private String siteName;
+
+	/**
+	 * storage type to create
+	 */
+	private String storageType;
+
+	private DefaultClientConfiguration secProps;
+	
+	private String userName;
+	
+	public StorageCreator(DefaultClientConfiguration secProps, String besUrl, int initialLifetime, String storageType, String userName) {
+		this.secProps = secProps; 
+		this.factoryUrl = getStorageFactoryUrl(besUrl);
+		this.storageType = storageType;
+		this.initialLifeTime = initialLifetime;
+		this.userName = userName;
+	}
+	
+	
+	public StorageCreator(DefaultClientConfiguration secProps, String besUrl, int initialLifetime, String userName) {
+		this.secProps = secProps; 
+		this.factoryUrl = getStorageFactoryUrl(besUrl);
+		this.initialLifeTime = initialLifetime;
+		this.userName = userName;
+	}
+
+	
+	// The target site must have storage factory deployed with bes factory
+	public StorageClient createStorage() throws Exception{
+		
+		if(factoryUrl == null) {
+			throw new Exception("Cannot create Storage Factory Url");
+		}
+		
+		EndpointReferenceType sfEpr= WSUtilities.makeServiceEPR(factoryUrl, StorageFactory.SMF_PORT);
+		
+		String dn = findServerName(factoryUrl, sfEpr);
+		
+		WSUtilities.addServerIdentity(sfEpr, dn);
+		
+		secProps.getETDSettings().setReceiver(new X500Principal(dn));
+		secProps.getETDSettings().setIssuerCertificateChain(secProps.getCredential().getCertificateChain());
+		
+		// TODO: remove it afterwards
+		if(userName != null) {
+			secProps.getETDSettings().getRequestedUserAttributes2().put("xlogin", new String[]{userName});
+		}
+		
+		StorageFactoryClient sfc = new StorageFactoryClient(sfEpr, secProps);
+		
+		if (log.isDebugEnabled()){
+			log.debug("Using storage factory at <"+sfc.getUrl()+">");
+		}
+		
+		StorageClient sc = null;
+		try{
+			sc=sfc.createSMS(getCreateSMSDocument());
+			
+			String addr=sc.getEPR().getAddress().getStringValue();
+			log.info(addr);
+			
+		}catch(Exception ex){
+			log.error("Could not create storage",ex);
+			throw new Exception(ex);
+		}
+
+		return sc;
+	}
+	
+	protected String findServerName(String besUrl, EndpointReferenceType smsEpr)throws Exception{
+		
+		int besIndex = besUrl.indexOf("StorageFactory?res");
+		String ss = besUrl.substring(0, besIndex);
+		ss = ss + "Registry";
+		
+		EndpointReferenceType eprt = WSUtilities.makeServiceEPR(ss, "default_registry", Registry.REGISTRY_PORT);
+		
+		RegistryClient registry = new RegistryClient(eprt, secProps);
+		
+		//first, check if server name is already in the EPR...
+		String dn=WSUtilities.extractServerIDFromEPR(smsEpr);
+		if(dn!=null){
+			return dn;
+		}
+		//otherwise find a matching service in the registry
+		String url=smsEpr.getAddress().getStringValue();
+		if(url.contains("/services/"))url=url.substring(0,url.indexOf("/services"));
+		if(log.isDebugEnabled()) log.debug("Checking for services at "+url);
+		for(EntryType entry:registry.listEntries()){
+			if(entry.getMemberServiceEPR().getAddress().getStringValue().startsWith(url)){
+				dn=WSUtilities.extractServerIDFromEPR(entry.getMemberServiceEPR());
+				if(dn!=null){
+					return dn;
+				}
+			}
+		}
+		return null;
+	}
+
+	
+	public static String getStorageFactoryUrl(String besUrl){
+		int besIndex = besUrl.indexOf("BESFactory?res");
+		String ss = besUrl.substring(0, besIndex);
+		ss = ss + "StorageFactory?res=default_storage_factory";
+		return ss;
+	}
+	
+	/**
+	 * prepare request
+	 * */
+	protected CreateSMSDocument getCreateSMSDocument(String ...keyValueParams){
+		CreateSMSDocument in=CreateSMSDocument.Factory.newInstance();
+		in.addNewCreateSMS();
+		if(initialLifeTime>0){
+			in.getCreateSMS().addNewTerminationTime().setCalendarValue(getTermTime());
+		}
+		if(storageType!=null){
+			if(log.isDebugEnabled()) {
+				log.debug("Will create storage of type : "+storageType);
+			}
+			StorageDescriptionType desc=in.getCreateSMS().addNewStorageDescription();
+			desc.setStorageBackendType(storageType);
+			if(keyValueParams.length>1){
+				//other parameters from the cmdline as key=value
+				StorageBackendParameters params=desc.addNewStorageBackendParameters();
+				for(int i=1;i<keyValueParams.length;i++){
+					String arg=keyValueParams[i];
+					String[]sp=arg.split("=",2);
+					PropertyType prop=params.addNewProperty();
+					prop.setName(sp[0]);
+					prop.setValue(sp[1]);
+					if(log.isDebugEnabled()) {
+						log.debug("Have parameter : "+arg);
+					}
+				}
+			}
+		}
+		return in;
+	}
+
+	protected Calendar getTermTime(){
+		Calendar c = Calendar.getInstance();
+		c.add(Calendar.DATE, initialLifeTime);
+		return c;
+	}
+
+
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UASDataStagingProcessor.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UASDataStagingProcessor.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UASDataStagingProcessor.java
new file mode 100644
index 0000000..444f97d
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UASDataStagingProcessor.java
@@ -0,0 +1,182 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+import org.apache.airavata.gfac.core.context.ProcessContext;
+import org.apache.airavata.model.appcatalog.computeresource.JobSubmissionProtocol;
+import org.apache.airavata.model.application.io.DataType;
+import org.apache.airavata.model.application.io.InputDataObjectType;
+import org.apache.airavata.model.application.io.OutputDataObjectType;
+import org.ggf.schemas.jsdl.x2005.x11.jsdl.JobDefinitionType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+public class UASDataStagingProcessor {
+	
+	protected final Logger log = LoggerFactory.getLogger(this.getClass());
+
+	
+	public static void generateDataStagingElements(JobDefinitionType value, ProcessContext context, String smsUrl) throws Exception{
+		smsUrl = "BFT:"+smsUrl;
+		
+		if (context.getProcessModel().getProcessOutputs().size() > 0) {
+			buildDataStagingFromInputContext(context, value, smsUrl);
+		}
+		
+		if (context.getProcessModel().getProcessOutputs().size() > 0) {
+			buildFromOutputContext(context, value, smsUrl);
+		}
+	}
+	
+	private static void createInURISMSElement(JobDefinitionType value, String smsUrl, String uri, boolean useSMS)
+			throws Exception {
+		String fileName = new File(uri).getName();
+		
+		if (useSMS && uri.startsWith("file:")) {
+			uri = smsUrl+"#/"+fileName;
+			
+		} 
+		// no need to stage-in those files to the input
+		// directory because unicore site will fetch them for the user
+		// supported third party transfers include 
+		// gsiftp, http, rns, ftp
+		JSDLUtils.addDataStagingSourceElement(value, uri, null, fileName);
+
+	}
+	
+	//TODO: will be deprecated
+	private static void createStdOutURIs(JobDefinitionType value, ProcessContext context, String smsUrl, boolean isUnicore) throws Exception {
+
+		// no need to use smsUrl for output location, because output location is activity's working directory 
+		
+		if(isUnicore) {
+			String scriptExitCodeFName = "UNICORE_SCRIPT_EXIT_CODE";
+			String scriptExitCode = smsUrl+"#/output/"+scriptExitCodeFName;
+			JSDLUtils.addDataStagingTargetElement(value, null,
+					scriptExitCodeFName, null);
+		}
+		
+		if(!isUnicore) {
+		String stdout = ApplicationProcessor.getApplicationStdOut(value, context);
+		
+		String stderr = ApplicationProcessor.getApplicationStdErr(value, context);
+		
+		String stdoutFileName = (stdout == null || stdout.equals("")) ? "stdout"
+				: stdout;
+		String stdoutURI = smsUrl+"#/output/"+stdoutFileName;
+		
+		JSDLUtils.addDataStagingTargetElement(value, null, stdoutFileName,
+				null);
+
+		String stderrFileName = (stdout == null || stderr.equals("")) ? "stderr"
+				: stderr;
+		String stderrURI = smsUrl+"#/output/"+stderrFileName;
+		
+		JSDLUtils.addDataStagingTargetElement(value, null, stderrFileName,
+				null);
+		}
+
+	}
+
+	// TODO: this should be deprecated, because the outputs are fetched using activity working dir from data transferrer
+	private static void createOutStringElements(JobDefinitionType value, String smsUrl, String prmValue) throws Exception {
+		if(prmValue == null || "".equals(prmValue)) return;
+		String finalSMSPath = smsUrl + "#/output/"+prmValue;
+		JSDLUtils.addDataStagingTargetElement(value, null, prmValue, null);
+	}
+
+	
+	private static void createOutURIElement(JobDefinitionType value,
+			String prmValue) throws Exception {
+		String fileName = new File(prmValue.toString()).getName();
+		JSDLUtils.addDataStagingTargetElement(value, null, fileName, prmValue);
+	}
+
+	
+	private static JobDefinitionType buildFromOutputContext(ProcessContext context,
+			JobDefinitionType value, String smsUrl) throws Exception {
+		List<OutputDataObjectType> applicationOutputs = context.getProcessModel().getProcessOutputs();
+		 if (applicationOutputs != null && !applicationOutputs.isEmpty()){
+             for (OutputDataObjectType output : applicationOutputs){
+ 				if("".equals(output.getValue()) || output.getValue() == null) {
+					continue;
+				}
+
+            	if(output.getType().equals(DataType.URI)) {
+            		 createOutURIElement(value, output.getValue());
+            	}
+             }
+		 }
+		return value;
+	}
+
+	
+	private static void buildDataStagingFromInputContext(ProcessContext context, JobDefinitionType value, String smsUrl)
+			throws Exception {
+		  // sort the inputs first and then build the command ListR
+        Comparator<InputDataObjectType> inputOrderComparator = new Comparator<InputDataObjectType>() {
+            @Override
+            public int compare(InputDataObjectType inputDataObjectType, InputDataObjectType t1) {
+                return inputDataObjectType.getInputOrder() - t1.getInputOrder();
+            }
+        };
+        Set<InputDataObjectType> sortedInputSet = new TreeSet<InputDataObjectType>(inputOrderComparator);
+        for (InputDataObjectType input : context.getProcessModel().getProcessInputs()) {
+            sortedInputSet.add(input);
+        }
+      
+		
+		if (sortedInputSet != null && !sortedInputSet.isEmpty()){
+			for (InputDataObjectType input : sortedInputSet){
+				if("".equals(input.getValue()) || input.getValue() == null) {
+					continue;
+				}
+				if(input.getType().equals(DataType.URI)){
+					createInURISMSElement(value, smsUrl, input.getValue(), true);
+				}
+				else if(input.getType().equals(DataType.STRING) && input.isDataStaged()){
+					createInURISMSElement(value, smsUrl, input.getValue(), false);
+				}
+				else if(input.getType().equals(DataType.STRING) && !input.isDataStaged()){
+					ApplicationProcessor.addApplicationArgument(value, context, input.getValue());
+				}
+				else if (input.getType().equals(DataType.FLOAT) || input.getType().equals(DataType.INTEGER)){
+					if(! (input.getName().equals(BESConstants.NUMBER_OF_PROCESSES) || input.getName().equals(BESConstants.PROCESSES_PER_HOST))) {
+						// temp avoid environ going to app args
+						ApplicationProcessor.addApplicationArgument(value, context, String.valueOf(input.getValue()));
+					}
+				}
+			}
+		}
+	}
+	
+	public static boolean isUnicoreEndpoint(ProcessContext context) {
+		return context.getJobSubmissionProtocol().equals(JobSubmissionProtocol.UNICORE);
+	}
+
+}

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UNICORESecurityContext.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UNICORESecurityContext.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UNICORESecurityContext.java
new file mode 100644
index 0000000..a383b40
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/UNICORESecurityContext.java
@@ -0,0 +1,191 @@
+/*
+*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements.  See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership.  The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License.  You may obtain a copy of the License at
+*
+*   http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied.  See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*
+*/
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+import de.fzj.unicore.uas.security.ProxyCertOutHandler;
+import eu.emi.security.authn.x509.X509Credential;
+import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
+import eu.emi.security.authn.x509.impl.X500NameUtils;
+import eu.unicore.util.httpclient.DefaultClientConfiguration;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.credential.store.store.CredentialReader;
+import org.apache.airavata.gfac.core.GFacException;
+import org.apache.airavata.gfac.core.RequestData;
+import org.apache.airavata.registry.core.experiment.catalog.model.UserConfigurationData;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+public class UNICORESecurityContext extends X509SecurityContext {
+
+	private static final long serialVersionUID = 1L;
+	protected static final Logger log = LoggerFactory.getLogger(UNICORESecurityContext.class);
+	private DefaultClientConfiguration secProperties;
+	
+	
+	public UNICORESecurityContext(CredentialReader credentialReader, RequestData requestData) {
+		super(credentialReader, requestData);
+	}
+	
+	
+
+	public DefaultClientConfiguration getDefaultConfiguration(Boolean enableMessageLogging) throws GFacException, ApplicationSettingsException {
+		try{
+			X509Credential cred = getX509Credentials();
+			secProperties = new DefaultClientConfiguration(dcValidator, cred);
+			setExtraSettings();
+		}
+		catch (Exception e) {
+			throw new GFacException(e.getMessage(), e); 
+		} 
+		if(enableMessageLogging) secProperties.setMessageLogging(true);
+		
+		return secProperties;
+	}
+
+	public DefaultClientConfiguration getDefaultConfiguration(Boolean enableMessageLogging, UserConfigurationData userData) throws GFacException, ApplicationSettingsException {
+		X509Credential cred = null;
+		
+		try{
+			boolean genCert = userData.getGenerateCert();
+				if(genCert) {
+					String userDN = userData.getUserDn();
+					if (userDN == null || "".equals(userDN)){
+						log.warn("Cannot generate cert, falling back to GFAC configured MyProxy credentials");
+						return getDefaultConfiguration(enableMessageLogging);
+					}
+					else {
+						log.info("Generating X.509 certificate for: "+userDN);
+						try {
+							String caCertPath = ServerSettings.getSetting(BESConstants.PROP_CA_CERT_PATH, "");
+							String caKeyPath = ServerSettings.getSetting(BESConstants.PROP_CA_KEY_PATH, "");
+							String caKeyPass = ServerSettings.getSetting(BESConstants.PROP_CA_KEY_PASS, "");
+							
+							if(caCertPath.equals("") || caKeyPath.equals("")) {
+								throw new Exception("CA certificate or key file path missing in the properties file. "
+										            + "Please make sure "+BESConstants.PROP_CA_CERT_PATH+ " or "+BESConstants.PROP_CA_KEY_PATH+" are not empty.");
+							}
+							
+							if("".equals(caKeyPass)) {
+								log.warn("Caution: CA key has no password. For security reasons it is highly recommended to set a CA key password");
+							}
+							cred = generateShortLivedCredential(userDN, caCertPath, caKeyPath, caKeyPass);
+						}catch (Exception e){
+							throw new GFacException("Error occured while generating a short lived credential for user:"+userDN, e);
+						}
+						
+					}
+				}else  {
+					return getDefaultConfiguration(enableMessageLogging);
+				}
+				
+			secProperties = new DefaultClientConfiguration(dcValidator, cred);
+			setExtraSettings();
+		}
+		catch (Exception e) {
+			throw new GFacException(e.getMessage(), e); 
+		} 
+		secProperties.getETDSettings().setExtendTrustDelegation(true);
+		if(enableMessageLogging) secProperties.setMessageLogging(true);
+//		secProperties.setDoSignMessage(true);
+		secProperties.getETDSettings().setIssuerCertificateChain(secProperties.getCredential().getCertificateChain());
+		
+		return secProperties;
+	}
+
+	
+	/**
+	 * Get server signed credentials. Each time it is invoked new certificate 
+	 * is returned.
+	 * 
+	 * @param userID
+	 * @param userDN
+	 * @param caCertPath
+	 * @param caKeyPath
+	 * @param caKeyPwd
+	 * @return
+	 * @throws GFacException
+	 */
+	public DefaultClientConfiguration getServerSignedConfiguration(String userID, String userDN, String caCertPath, String caKeyPath, String caKeyPwd) throws GFacException {
+		try {
+			KeyAndCertCredential cred = SecurityUtils.generateShortLivedCertificate(userDN,caCertPath,caKeyPath,caKeyPwd);
+			secProperties = new DefaultClientConfiguration(dcValidator, cred);
+			setExtraSettings();
+		} catch (Exception e) {
+			throw new GFacException(e.getMessage(), e);
+		}
+
+		return secProperties;
+	}
+
+	
+	
+
+	
+	private void setExtraSettings(){
+		secProperties.getETDSettings().setExtendTrustDelegation(true);
+
+		secProperties.setDoSignMessage(true);
+
+		String[] outHandlers = secProperties.getOutHandlerClassNames();
+		
+		Set<String> outHandlerLst = null;
+
+		// timeout in milliseconds
+		Properties p = secProperties.getExtraSettings();
+		
+		if(p == null) {
+			p = new Properties();
+		}
+		
+		p.setProperty("http.connection.timeout", "5000");
+		p.setProperty("http.socket.timeout", "5000");
+		
+		if (outHandlers == null) {
+			outHandlerLst = new HashSet<String>();
+		} else {
+			outHandlerLst = new HashSet<String>(Arrays.asList(outHandlers));
+		}
+
+		outHandlerLst.add(ProxyCertOutHandler.class.getName());
+		
+		secProperties.setOutHandlerClassNames(outHandlerLst
+				.toArray(new String[outHandlerLst.size()]));
+		
+		secProperties.getETDSettings().setExtendTrustDelegation(true);
+
+	}
+
+
+    private String getCNFromUserDN(String userDN) {
+        return X500NameUtils.getAttributeValues(userDN, BCStyle.CN)[0];
+
+    }
+
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/URIUtils.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/URIUtils.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/URIUtils.java
new file mode 100644
index 0000000..43e9858
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/URIUtils.java
@@ -0,0 +1,121 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+
+import org.apache.commons.httpclient.URI;
+import org.apache.commons.httpclient.URIException;
+import org.apache.commons.httpclient.util.URIUtil;
+
+import java.net.URISyntaxException;
+
+public class URIUtils {
+
+	public static String encodeAll(String uri) throws URIException
+	{
+		String result = encodeAuthority(uri);
+		result = encodePath(uri);
+		result = encodeQuery(result );
+		result  = encodeFragment(result );
+		return result;
+	}
+	
+	public static String encodeAuthority(String uri) throws URIException
+	{
+		int start = uri.indexOf("//");
+		if(start == -1) return uri;
+		start++;
+		int end = uri.indexOf("/",start+1);
+		if(end == -1) end = uri.indexOf("?",start+1);
+		if(end == -1) end = uri.indexOf("#",start+1);
+		if(end == -1) end = uri.length();
+		String before = uri.substring(0, start+1);
+		String authority= uri.substring(start+1,end);
+		String after = uri.substring(end);
+		authority = URIUtil.encode(authority, URI.allowed_authority);
+	
+		return before+authority+after;
+	}
+	
+	public static String encodePath(String uri) throws URIException
+	{
+		int doubleSlashIndex = uri.indexOf("//");
+		boolean hasAuthority =  doubleSlashIndex >= 0;
+		int start = -1;
+		if(hasAuthority)
+		{
+			start = uri.indexOf("/",doubleSlashIndex+2);
+		}
+		else
+		{
+			start = uri.indexOf(":");
+		}
+		if(start == -1) return uri;
+		
+		int end = uri.indexOf("?",start+1);
+		if(end == -1) end = uri.indexOf("#",start+1);
+		if(end == -1) end = uri.length();
+		String before = uri.substring(0, start+1);
+		String path= uri.substring(start+1,end);
+		String after = uri.substring(end);
+		path = URIUtil.encode(path, URI.allowed_abs_path);
+		return before+path+after;
+	}
+	
+	
+	public static String encodeQuery(String uri) throws URIException
+	{
+		int queryStart = uri.indexOf("?");
+		if(queryStart == -1) return uri;
+		int queryEnd = uri.indexOf("#");
+		if(queryEnd == -1) queryEnd = uri.length();
+		
+		String beforeQuery = uri.substring(0, queryStart+1);
+		String query = uri.substring(queryStart+1,queryEnd);
+		String afterQuery = uri.substring(queryEnd);
+		query = URIUtil.encode(query, URI.allowed_query);
+		return beforeQuery+query+afterQuery;
+	}
+	
+	
+	public static String encodeFragment(String uri) throws URIException
+	{
+		int fragmentStart = uri.indexOf("#");
+		if(fragmentStart == -1) return uri;
+
+		String beforeFragment = uri.substring(0, fragmentStart+1);
+		String fragment = uri.substring(fragmentStart+1);
+		fragment = URIUtil.encode(fragment, URI.allowed_fragment);
+		return beforeFragment+fragment;
+	}
+    
+	public static java.net.URI createGsiftpURI(String host, String localPath) throws URISyntaxException {
+        StringBuffer buf = new StringBuffer();
+        if (!host.startsWith("gsiftp://"))
+            buf.append("gsiftp://");
+        buf.append(host);
+        if (!host.endsWith("/"))
+            buf.append("/");
+        buf.append(localPath);
+        return new java.net.URI(buf.toString());
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/airavata/blob/0d9a6126/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/X509SecurityContext.java
----------------------------------------------------------------------
diff --git a/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/X509SecurityContext.java b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/X509SecurityContext.java
new file mode 100644
index 0000000..5ed9b84
--- /dev/null
+++ b/modules/gfac/gfac-impl/src/main/java/org/apache/airavata/gfac/impl/task/utils/bes/X509SecurityContext.java
@@ -0,0 +1,339 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+*/
+package org.apache.airavata.gfac.impl.task.utils.bes;
+
+
+import eu.emi.security.authn.x509.X509Credential;
+import eu.emi.security.authn.x509.helpers.CertificateHelpers;
+import eu.emi.security.authn.x509.helpers.proxy.X509v3CertificateBuilder;
+import eu.emi.security.authn.x509.impl.CertificateUtils;
+import eu.emi.security.authn.x509.impl.CertificateUtils.Encoding;
+import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;
+import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
+import eu.emi.security.authn.x509.impl.X500NameUtils;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.credential.store.credential.Credential;
+import org.apache.airavata.credential.store.credential.impl.certificate.CertificateCredential;
+import org.apache.airavata.credential.store.store.CredentialReader;
+import org.apache.airavata.gfac.core.GFacException;
+import org.apache.airavata.gfac.core.RequestData;
+import org.apache.airavata.gfac.core.context.AbstractSecurityContext;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Random;
+
+/**
+ * Handles X509 Certificate based security.
+ */
+public class X509SecurityContext extends AbstractSecurityContext {
+
+	private static final long serialVersionUID = 1L;
+
+	protected static final Logger log = LoggerFactory.getLogger(X509SecurityContext.class);
+    
+    /*
+     * context name
+     */
+    public static final String X509_SECURITY_CONTEXT = "x509.security.context";
+    
+    public static final int CREDENTIAL_RENEWING_THRESH_HOLD = 10 * 90;
+    
+    protected static DirectoryCertChainValidator dcValidator;
+    
+    private X509Credential x509Credentials= null;
+
+    static {
+        try {
+			setUpTrustedCertificatePath();
+			// set up directory based trust validator
+			dcValidator = getTrustedCerts();
+		} catch (Exception e) {
+			log.error(e.getLocalizedMessage(), e);
+		}
+    }
+    
+
+    public static void setUpTrustedCertificatePath(String trustedCertificatePath) {
+
+        File file = new File(trustedCertificatePath);
+
+        if (!file.exists() || !file.canRead()) {
+            File f = new File(".");
+            log.info("Current directory " + f.getAbsolutePath());
+            throw new RuntimeException("Cannot read trusted certificate path " + trustedCertificatePath);
+        } else {
+            System.setProperty(Constants.TRUSTED_CERTIFICATE_SYSTEM_PROPERTY, file.getAbsolutePath());
+        }
+    }
+
+    private static void setUpTrustedCertificatePath() throws ApplicationSettingsException {
+
+        String trustedCertificatePath  = ServerSettings.getSetting(Constants.TRUSTED_CERT_LOCATION);
+
+        setUpTrustedCertificatePath(trustedCertificatePath);
+    }
+
+    /**
+     * Gets the trusted certificate path. Trusted certificate path is stored in "X509_CERT_DIR"
+     * system property.
+     * @return The trusted certificate path as a string.
+     */
+    public static String getTrustedCertificatePath() {
+        return System.getProperty(Constants.TRUSTED_CERTIFICATE_SYSTEM_PROPERTY);
+    }
+
+
+    public X509SecurityContext(CredentialReader credentialReader, RequestData requestData) {
+        super(credentialReader, requestData);
+    }
+
+
+    /**
+     * Gets X509Credentials. The process is as follows;
+     * If credentials were queried for the first time create credentials.
+     *   1. Try creating credentials using certificates stored in the credential store
+     *   2. If 1 fails use user name and password to create credentials
+     * @return x509credentials (from CANL security API)
+     * @throws org.apache.airavata.common.exception.ApplicationSettingsException
+     */
+    public X509Credential getX509Credentials() throws GFacException, ApplicationSettingsException {
+    	
+    	if(getCredentialReader() == null) {
+    		return getDefaultCredentials();
+    	}
+    	
+        if (x509Credentials == null) {
+
+            try {
+                x509Credentials = getCredentialsFromStore();
+            } catch (Exception e) {
+                log.error("An exception occurred while retrieving credentials from the credential store. " +
+                        "Will continue with my proxy user name and password.", e);
+            }
+
+            // If store does not have credentials try to get from user name and password
+            if (x509Credentials == null) {
+                x509Credentials = getDefaultCredentials();
+            }
+
+            // if still null, throw an exception
+            if (x509Credentials == null) {
+                throw new GFacException("Unable to retrieve my proxy credentials to continue operation.");
+            }
+        } else {
+            try {
+            	
+            	final long remainingTime = x509Credentials.getCertificate().getNotAfter().getTime() - new Date().getTime();
+            	
+                if (remainingTime < CREDENTIAL_RENEWING_THRESH_HOLD) {
+                	//                    return renewCredentials();
+                	log.warn("Do not support credentials renewal");
+                }
+                
+                log.info("Fall back to get new default credentials");
+                
+                try {
+                	x509Credentials.getCertificate().checkValidity();
+                }catch(Exception e){
+                	x509Credentials = getDefaultCredentials();
+                }
+                
+            } catch (Exception e) {
+                throw new GFacException("Unable to retrieve remaining life time from credentials.", e);
+            }
+        }
+
+        return x509Credentials;
+    }
+
+        /**
+     * Reads the credentials from credential store.
+     * @return If token is found in the credential store, will return a valid credential. Else returns null.
+     * @throws Exception If an error occurred while retrieving credentials.
+     */
+    public  X509Credential getCredentialsFromStore() throws Exception {
+
+        if (getCredentialReader() == null) {
+            return null;
+        }
+
+        Credential credential = getCredentialReader().getCredential(getRequestData().getGatewayId(),
+                getRequestData().getTokenId());
+
+        if (credential != null) {
+            if (credential instanceof CertificateCredential) {
+
+                log.info("Successfully found credentials for token id - " + getRequestData().getTokenId() +
+                        " gateway id - " + getRequestData().getGatewayId());
+
+                CertificateCredential certificateCredential = (CertificateCredential) credential;
+
+                X509Certificate[] certificates = certificateCredential.getCertificates();
+
+                KeyAndCertCredential keyAndCert = new KeyAndCertCredential(certificateCredential.getPrivateKey(), certificates); 
+                
+                return keyAndCert;
+                //return new GlobusGSSCredentialImpl(newCredential,
+                //        GSSCredential.INITIATE_AND_ACCEPT);
+            } else {
+                log.info("Credential type is not CertificateCredential. Cannot create mapping globus credentials. " +
+                        "Credential type - " + credential.getClass().getName());
+            }
+        } else {
+            log.info("Could not find credentials for token - " + getRequestData().getTokenId() + " and "
+                    + "gateway id - " + getRequestData().getGatewayId());
+        }
+
+        return null;
+    }
+
+    /**
+     * Gets the default proxy certificate.
+     * @return Default my proxy credentials.
+     * @throws org.apache.airavata.common.exception.ApplicationSettingsException
+     */
+    public X509Credential getDefaultCredentials() throws GFacException, ApplicationSettingsException {
+    	MyProxyLogon logon = new MyProxyLogon();
+    	logon.setValidator(dcValidator);
+    	logon.setHost(getRequestData().getMyProxyServerUrl());
+    	logon.setPort(getRequestData().getMyProxyPort());
+    	logon.setUsername(getRequestData().getMyProxyUserName());
+    	logon.setPassphrase(getRequestData().getMyProxyPassword().toCharArray());
+    	logon.setLifetime(getRequestData().getMyProxyLifeTime());
+    	
+        	try {
+				logon.connect();
+				logon.logon();
+				logon.getCredentials();
+				logon.disconnect();
+				PrivateKey pk=logon.getPrivateKey();
+				return new KeyAndCertCredential(pk, new X509Certificate[]{logon.getCertificate()});
+			}  catch (Exception e) {
+				throw new GFacException("An error occurred while retrieving default security credentials.", e);
+			}
+    }
+
+	private static  DirectoryCertChainValidator getTrustedCerts() throws Exception{
+		String certLocation = getTrustedCertificatePath();
+		List<String> trustedCert = new ArrayList<String>();
+		trustedCert.add(certLocation + "/*.0");
+		trustedCert.add(certLocation + "/*.pem");
+		DirectoryCertChainValidator dcValidator = new DirectoryCertChainValidator(trustedCert, Encoding.PEM, -1, 60000, null);
+		return dcValidator;
+	}
+	
+	private String getCNFromUserDN(String userDN) {
+		return X500NameUtils.getAttributeValues(userDN, BCStyle.CN)[0];
+	}
+	
+	public KeyAndCertCredential generateShortLivedCredential(String userDN, String caCertPath, String caKeyPath,
+			String caPwd) throws Exception {
+		final long CredentialGoodFromOffset = 1000L * 60L * 15L; // 15 minutes
+																	// ago
+
+		final long startTime = System.currentTimeMillis() - CredentialGoodFromOffset;
+		final long endTime = startTime + 30 * 3600 * 1000;
+
+		String keyLengthProp = "1024";
+		int keyLength = Integer.parseInt(keyLengthProp);
+		String signatureAlgorithm = "SHA1withRSA";
+
+		KeyAndCertCredential caCred = getCACredential(caCertPath, caKeyPath, caPwd);
+
+		KeyPairGenerator kpg = KeyPairGenerator.getInstance(caCred.getKey().getAlgorithm());
+		kpg.initialize(keyLength);
+		KeyPair pair = kpg.generateKeyPair();
+
+		X500Principal subjectDN = new X500Principal(userDN);
+		Random rand = new Random();
+
+		SubjectPublicKeyInfo publicKeyInfo;
+		try {
+			publicKeyInfo = SubjectPublicKeyInfo.getInstance(new ASN1InputStream(pair.getPublic().getEncoded())
+					.readObject());
+		} catch (IOException e) {
+			throw new InvalidKeyException("Can not parse the public key"
+					+ "being included in the short lived certificate", e);
+		}
+
+		X500Name issuerX500Name = CertificateHelpers.toX500Name(caCred.getCertificate().getSubjectX500Principal());
+
+		X500Name subjectX500Name = CertificateHelpers.toX500Name(subjectDN);
+
+		X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuerX500Name, new BigInteger(20, rand),
+				new Date(startTime), new Date(endTime), subjectX500Name, publicKeyInfo);
+
+		AlgorithmIdentifier sigAlgId = X509v3CertificateBuilder.extractAlgorithmId(caCred.getCertificate());
+
+		X509Certificate certificate = certBuilder.build(caCred.getKey(), sigAlgId, signatureAlgorithm, null, null);
+
+		certificate.checkValidity(new Date());
+		certificate.verify(caCred.getCertificate().getPublicKey());
+		KeyAndCertCredential result = new KeyAndCertCredential(pair.getPrivate(), new X509Certificate[] { certificate,
+				caCred.getCertificate() });
+
+		return result;
+	}
+	
+	private KeyAndCertCredential getCACredential(String caCertPath, String caKeyPath, String password) throws Exception {
+		InputStream isKey, isCert;
+		isKey = isCert = null;
+		try {
+		isKey = new FileInputStream(caKeyPath);
+		PrivateKey pk = CertificateUtils.loadPrivateKey(isKey, Encoding.PEM, password.toCharArray());
+
+		isCert = new FileInputStream(caCertPath);
+		X509Certificate caCert = CertificateUtils.loadCertificate(isCert, Encoding.PEM);
+		return new KeyAndCertCredential(pk, new X509Certificate[] { caCert });
+		} finally {
+			if (isKey != null){
+				isKey.close();
+			}
+			if (isCert != null) {
+				isCert.close();
+			}
+		}
+	}
+	 
+    
+}


Mime
View raw message