[Go-essp-tech] Gateway Security Telecon

Rachana Ananthakrishnan ranantha at mcs.anl.gov
Mon Jul 19 11:52:19 MDT 2010


Notes and action items from today's call.

Rachana

1.  OpenID whitelisting

- configurable in Gateway s/w 1.1.
- PKI trust root and OpenID trust root (endpoints and CAs)
- Trust root provisioning: HTTP download from central server, MyProxy get trust roots operations
- Format: PEM certificate files, Java keystore
- All sites should have this version installed by next week.

Action Items:
- Rachana to document trust roots accepted across the federation
- Rachana to initiate discussion on automating trust root provisioning from central store

2. wget scripts with SSL

- On target for 1.2 release in August.
- NCAR working on the script
- BADC has sorted out versions and parameters questions
- Mutual authentication is required
- Token-less security will be released as part of 1.2, but tokens will also be supported for some time. Currently to be discontinued by 1.4.
- curl might be an interesting option to support, in addition to wget.

Action Items:
- Eric to work with BADC on standardized wget script to link off Gateway
- Eric to develop a deprecation plan for token based security
- Eric to determine user requirements to see if curl should be supported.

3. MyProxy Java Webstart

- Required for 1.2 release
- Code and s/w available
- Need to sort out certificate for signing the executable. Should be a widely trusted CA
- Gateway integration is outstanding
- Need to agree on provisioning directory and advertise across ESG

Action Items:
- Rachana to ensure the webstart is signed
- Rachana to document provisioning directory location, and advertise for other tools to leverage.
- Eric to integrate with Gateway

4. PCMDI Gateway to be updated to recent s/w version (Resolved)

5. ORP Whitelisting

- Has been implemented, and needs to be configured manually
- Code is in PCMDI repository, and OpenID has been added to Request Scope to aid in metrics gathering
- With 1.2 release, update ORP release version to 1.2.

Action Items:
- Gavin to move code to git repository
- Luca to create distribution, and provide latest release for use
- ? to create compatibility matrix of Gateway s/w and ORP s/w.

6. Attribute and Authorization Services:
- These services have been implemented and are part of the distribution
- Need to add whitelist to prevent open access to these services
- Policy should allow other Gateways, Attribute and AuthZ services, Data Node Manager to query attribute service
- Attribute registration system in place, needs further testing

Action Items:
- Eric to augment these services with ability to authorize requests to determine if user is in whitelist
- Stephen to test the attribute registration system as an end user from BADC
- Rachana and Stephen to document use case scenarios for these services, to feed into acceptance tests

7. PCMDI Gateway certificate

Action Items:
- Bob will have a valid certificate installed for the Gateway

8. Publisher client
- Does not validate server's certificate

Action Items:
- Bob and Gavin to fix the issue

On Jul 16, 2010, at 10:58 AM, Rachana Ananthakrishnan wrote:

> Hi,
>
> We plan to discuss open issues on the Gateway Security aspects on
> Monday July 19th at 9am CDT. Please see coordinates and agenda below:
>
> Dial-in: 1 (925) 424-8105
> Access code 305757#
>
> Agenda:
>
> 1. OpenID Whitelisting at Gateways
> 2. wget scripts
> 3. Consistent CA trust roots across the federation
> 4. MyProxy Java Web Start from Gateways
> 5. Authorization and attribute service security
> 6. Attribute service at PCMDI
>
> We'll have a separate call to discuss the data node security aspects.
>
> Given we have postponed this many times, it was decided we would hold
> a separate meeting on this. I'll send notes and summary to this list,
> and we can follow-up as needed.
>
> Rachana
>
> Rachana Ananthakrishnan
> Argonne National Lab | University of Chicago
>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago


