[Go-essp-tech] Gateway Security Telecon
Rachana Ananthakrishnan
ranantha at mcs.anl.gov
Mon Jul 19 11:52:19 MDT 2010
Notes and action items from today's call.
Rachana
1. OpenID whitelisting
- Configurable in Gateway s/w 1.1.
- PKI trust root and OpenID trust root (endpoints and CAs)
- Trust root provisioning: HTTP download from central server, MyProxy get trust roots operations
- Format: PEM certificate files, Java keystore
- All sites should have this version installed by next week.
Action Items:
- Rachana to document trust roots accepted across the federation
- Rachana to initiate discussion on automating trust root provisioning from central store
2. wget scripts with SSL
- On target for 1.2 release in August.
- NCAR working on the script
- BADC has sorted out versions and parameters questions
- Mutual authentication is required
- Token-less security will be released as part of 1.2, but tokens will also be supported for some time. Currently to be discontinued by 1.4.
- curl might be an interesting option to support, in addition to wget.
Action Items:
- Eric to work with BADC on standardized wget script to link off Gateway
- Eric to develop a deprecation plan for token-based security
- Eric to determine user requirements to see if curl should be supported.
3. MyProxy Java Web Start
- Required for 1.2 release
- Code and s/w available
- Need to sort out certificate for signing the executable. Should be a widely trusted CA
- Gateway integration is outstanding
- Need to agree on provisioning directory and advertise across ESG
Action Items:
- Rachana to ensure the Web Start is signed
- Rachana to document provisioning directory location, and advertise for other tools to leverage.
- Eric to integrate with Gateway
4. PCMDI Gateway to be updated to recent s/w version (Resolved)
5. ORP Whitelisting
- Has been implemented, and needs to be configured manually
- Code is in PCMDI repository, and OpenID has been added to Request Scope to aid in metrics gathering
- With 1.2 release, update ORP release version to 1.2.
Action Items:
- Gavin to move code to git repository
- Luca to create distribution, and provide latest release for use
- ? to create compatibility matrix of Gateway s/w and ORP s/w.
6. Attribute and Authorization Services
- These services have been implemented and are part of the distribution
- Need to add whitelist to prevent open access to these services
- Policy should allow other Gateways, Attribute and AuthZ services, Data Node Manager to query attribute service
- Attribute registration system in place, needs further testing
Action Items:
- Eric to augment these services with ability to authorize requests to determine if user is in whitelist
- Stephen to test the attribute registration system as an end user from BADC
- Rachana and Stephen to document use case scenarios for these services, to feed into acceptance tests
7. PCMDI Gateway certificate
Action Items:
- Bob will have a valid certificate installed for the Gateway
8. Publisher client
- Does not validate server's certificate
Action Items:
- Bob and Gavin to fix the issue
On Jul 16, 2010, at 10:58 AM, Rachana Ananthakrishnan wrote:
> Hi,
>
> We plan to discuss open issues on the Gateway Security aspects on
> Monday July 19th at 9am CDT. Please see coordinates and agenda below:
>
> Dial-in: 1 (925) 424-8105
> Access code 305757#
>
> Agenda:
>
> 1. OpenID Whitelisting at Gateways
> 2. wget scripts
> 3. Consistent CA trust roots across the federation
> 4. MyProxy Java Web Start from Gateways
> 5. Authorization and attribute service security
> 6. Attribute service at PCMDI
>
> We'll have a separate call to discuss the data node security aspects.
>
> Given we have postponed this many times, it was decided we would hold
> a separate meeting on this. I'll send notes and summary to this list,
> and we can follow up as needed.
>
> Rachana
>
> Rachana Ananthakrishnan
> Argonne National Lab | University of Chicago
>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
Rachana Ananthakrishnan
Argonne National Lab | University of Chicago