Clarens is a framework for writing grid-enabled web service applications - both
clients and servers. The terms "web service" and "grid" might need some
clarification:
- Web Services are generally understood to be remote procedure calls
encoded in XML and transported using the http protocol. This name is
rather unfortunate, since the transport protocol is in fact an implementation
choice. Also, web services have nothing to do with web pages as rendered by web
browsers!
- The term Grid refers to a software and hardware infrastructure that
provides dependable, consistent, pervasive, and inexpensive access to high-end
computational capabilities, according to Foster & Kesselman (1999) [4].
Though vague, the latter definition provides some clues as to the intent of grid
computing: namely the ubiquitous provision of, and access to, computational
facilities. The dependability of these resources as well as the cost of access,
and the power of the computational machinery that is made available are in fact
determined post-facto by physical, economic and implementation factors.
Web services deployed over a wide area network such as the internet provide the
ideal vehicle for implementing and deploying computational grids because of the
ubiquity of access to the internet and its well-standardized infrastructure.
From the above, grid computing is part of the continuing trend of commoditization
of communications protocols at a higher functional level than the internet
protocol (IP), hypertext transfer protocol (HTTP), or information representation
in e.g. extensible markup language (XML).
The original Clarens server described in this document implements web services
using a combination of the Apache [1] web server and the Python [10]
language. The choice of programming language was prompted by
its wide use in the CMS experiment at CERN. Since the goal of grid computing is
to provide ubiquitous access, it should be strongly emphasized that these are
merely implementation details, and there is in fact an effort to produce an
equivalent server implementation using the Java [5] language.
The cornerstone of ubiquitous resource access is a universal identification space.
Users and providers of Clarens services are mutually identified through the use
of cryptographically signed certificates that follow the X.509 directory standard
and embed so-called public keys. Through the wonders of public/private key
encryption [14], these certificates are used both for identification
and to establish secure communication channels.
Certificates are signed by Certification Authorities (CAs) that vouch for the
identity of a certificate holder through some physical verification mechanism.
Security of the system depends on the accuracy of this certification, the secrecy
of the private key used in communications, and dealing with breakdowns in this
trust relationship by quick propagation of certificate revocation information.
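The three dependencies named above (CA vetting, private-key secrecy, revocation) map onto a mutually authenticated TLS server configuration. The following is an added example using the standard `ssl` module of current Python, not code from Clarens; the function names, file parameters and sample certificate fields are hypothetical.

```python
import ssl

# Short attribute names used when rendering a distinguished name (DN).
_SHORT = {"countryName": "C", "organizationName": "O",
          "organizationalUnitName": "OU", "commonName": "CN",
          "domainComponent": "DC"}


def mutual_tls_server_context(ca_file=None, crl_file=None,
                              cert_file=None, key_file=None):
    """Server context that only accepts clients holding a CA-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Mutual identification: the handshake fails without a valid client cert.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        # Trust anchor: only the CAs whose vetting we rely on.
        ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        # Revocation: load the CA's PEM CRL and reject revoked client certs.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cert_file:
        # The server's own identity; key_file must stay private.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def subject_dn(peercert):
    """Render the subject of an SSLSocket.getpeercert() dict as a DN string."""
    parts = []
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            parts.append(f"{_SHORT.get(name, name)}={value}")
    return "/" + "/".join(parts) if parts else ""


# Constructed sample in the shape getpeercert() returns after a handshake.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Grid"),),
                (("organizationalUnitName", "People"),),
                (("commonName", "Jane Doe 12345"),)),
    "issuer": ((("organizationName", "Example Grid"),),
               (("commonName", "Example Grid CA"),)),
}

if __name__ == "__main__":
    ctx = mutual_tls_server_context()
    print(ctx.verify_mode, subject_dn(SAMPLE_PEERCERT))
```

Because a CRL is only a snapshot, the file passed as `crl_file` has to be refreshed and the context rebuilt on a schedule for revocations to propagate quickly.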
In the context of web services, Clarens servers support the widely used
Secure Sockets Layer (SSL) standard for establishing secure communications, but
additionally use either so-called Cookies or HTTP Basic authentication
to exchange credentials securely. For a complete description of this exchange
mechanism, see section 7. Work is also underway to add support
for the Globus Security Infrastructure (GSI) version of GSSAPI
by the Globus project [3].
Conrad Steenberg
2005-07-11