Security

Introduction

To use the security capabilities of the CEC to the full, you will need to configure the container to use TLS/HTTPS. There are two main reasons for wanting to configure security:

  1. To be able to interact with other services requiring security via the IVOA delegation service - the most likely of these being VOSpace
  2. The CEC itself can be configured to only allow authorised users to run jobs

It is perfectly possible to run a CEC without configuring security as detailed on this page, but then it will only be able to interact with other non-secure services and will be open to all callers.

TLS

Transport layer security (TLS) is the name for the general approach of ensuring that HTTP communications are:

  1. Encrypted
  2. Authenticated - at the server, and optionally the client end

This is typically known as "enabling HTTPS" and is described in more detail in the Astrogrid security component.

Certificates

If you want to operate secured services from your CEC then it is necessary to obtain a "Server Certificate" for the machine on which you want to run the CEC. In the academic world this means obtaining a certificate from the national certificate authority; in the UK this CA is run by the National Grid Service.

Trust Anchors

It is necessary to inform the system which certificate authorities you trust. Typically in academic grid communities the national root certificate distribution is handled by the EuroPMA at the European level, with links to the rest of the world. It is possible to download root certificates (or "trust anchors") in pre-packaged groups from this web site.
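
The relationship between a server certificate (see Certificates above) and the trust anchors can be checked with OpenSSL before anything is installed in the container. The script below is an added example, not part of the CEC distribution: it generates two throwaway CAs and two server certificates, then shows that only the certificate issued by a CA in the anchor bundle is accepted. All names, hosts and file paths are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name is generated here and is
# throwaway; nothing comes from a real CA or from the CEC distribution.

# make_ca DIR NAME: create a self-signed root (a "trust anchor") at DIR/NAME.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Constructed/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA HOST: create a server certificate for HOST signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/O=Constructed/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chains_to_anchor BUNDLE CERT: succeed if CERT verifies against the PEM bundle.
# OpenSSL may also consult its default CA directory; on OpenSSL 1.1.0 and later
# add -no-CApath to restrict verification to BUNDLE alone.
chains_to_anchor() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work" trusted-ca     # stands in for a CA from the downloaded bundle
make_ca "$work" unknown-ca     # a CA that is not in the bundle
issue_cert "$work" trusted-ca cec.example.org
issue_cert "$work" unknown-ca other.example.org
cp "$work/trusted-ca.pem" "$work/anchors.pem"   # the trust-anchor bundle

for host in cec.example.org other.example.org; do
  if chains_to_anchor "$work/anchors.pem" "$work/$host.pem"; then
    echo "$host: chains to a trust anchor"
  else
    echo "$host: rejected, issuer is not a trust anchor"
  fi
done
```

The same `openssl verify` call, pointed at the real downloaded anchors and your issued server certificate, confirms the chain before the certificate goes into the container's keystore.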

Authorization

The CEC can have an authorization policy applied to the job control, specifying which users are allowed to perform various operations on the CEC. The policies need to implement org.astrogrid.applications.authorization.AuthorizationPolicy to allow or disallow operations. The authorization policy is configured in the WEB-INF/cec-spring.xml file, and the supplied file comes with a commented-out bean (id="AuthorizationPolicy") that implements a useful policy: it allows only authenticated access to the CEC and only allows the job owner to manipulate a job. There are other experimental policy implementations, such as org.astrogrid.applications.manager.agast.PolicyDecisionPoint, that use an external service to make the authentication decision.