The first step toward a secure deployment is to secure the application containers (i.e., Tomcat) hosting the naming authority web application and the grid service. This document does not cover how to install certificates and configure Tomcat to use SSL; that information is already available in the Apache Tomcat documentation and elsewhere on the web. The caGrid installer is also capable of installing and configuring a secure container by requesting host certificates from Dorian.
Optionally, to force the naming authority web application container to accept only SSL connections, un-comment the following block in <PROJECT_HOME>/WebContent/WEB-INF/web.xml and re-deploy the application to Tomcat.
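The following is an added illustration of the kind of security-constraint that forces SSL for a servlet application; it is not the block from the project's own web.xml, and the web-resource-name and url-pattern are assumed values. The CONFIDENTIAL transport guarantee makes Tomcat refuse to serve matching requests over plain HTTP, redirecting them to the SSL connector configured as the HTTP connector's redirectPort instead.

```xml
<!-- Example only: restricts every URL of the web application to SSL.
     Narrow the url-pattern if only part of the application needs it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Naming Authority (assumed name)</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL = data must be encrypted in transit (SSL/TLS);
         INTEGRAL would only require tamper protection -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

One check worth making after deploying: request the application over the plain HTTP port and confirm you receive a redirect to the https:// URL rather than the page itself. If the plain port returns the page, the constraint is not active (wrong web.xml, stale deployment, or the block is still commented out).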
The certificate from the naming authority must be added to the key-store used by the JVM running the client. For example, the following command imports the naming authority certificate that was used to secure its web application container:
The JVM that runs the client program using the resolution toolkit (identifiers-client) must be told which key-store to use as its trust store (e.g. -Djavax.net.ssl.trustStore=/home/client/keystore); otherwise the JVM falls back to its default trust store, which does not contain the naming authority certificate.
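The two client-side steps above (importing the naming authority certificate into the trust store, then pointing the JVM at that store) can also be done and verified from Java. The program below is an added example, not part of identifiers-client or any other caGrid code; the trust store path /home/client/keystore, the password "changeit", the alias "naming-authority" and the main-class name are all assumptions. It does the same job as keytool -importcert, then fails fast if the certificate is missing or outside its validity period before the client would otherwise fail with an opaque SSL handshake error.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example (hypothetical class name): manage the trust store used by a resolution client. */
public class NamingAuthorityTrust {

    /** Alias under which the naming authority certificate is stored (assumed value). */
    static final String ALIAS = "naming-authority";

    /** Load the trust store from disk, or start an empty one if the file does not exist yet. */
    static KeyStore loadTrustStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        File f = new File(path);
        if (f.exists()) {
            try (FileInputStream in = new FileInputStream(f)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** Equivalent of "keytool -importcert": add the naming authority certificate as a trusted entry. */
    static void importCertificate(String storePath, char[] password, String certPath)
            throws IOException, GeneralSecurityException {
        KeyStore ks = loadTrustStore(storePath, password);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        // Refuse to trust a certificate that is already expired or not yet valid.
        cert.checkValidity();
        ks.setCertificateEntry(ALIAS, cert);
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, password);
        }
    }

    /** Return the naming authority certificate from the trust store, or fail with a clear message. */
    static X509Certificate requireTrusted(String storePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = loadTrustStore(storePath, password);
        Certificate c = ks.getCertificate(ALIAS);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException(
                "Trust store " + storePath + " has no certificate under alias '" + ALIAS + "'");
        }
        X509Certificate cert = (X509Certificate) c;
        cert.checkValidity();
        return cert;
    }

    public static void main(String[] args) throws Exception {
        String storePath = "/home/client/keystore";   // assumed path
        char[] password = "changeit".toCharArray();   // assumed password

        // Usage: java NamingAuthorityTrust [path-to-naming-authority-cert.pem]
        if (args.length == 1) {
            importCertificate(storePath, password, args[0]);
        }

        X509Certificate cert = requireTrusted(storePath, password);
        System.out.println("Trusting naming authority: " + cert.getSubjectX500Principal()
                + " (valid until " + cert.getNotAfter() + ")");

        // Same effect as -Djavax.net.ssl.trustStore=... on the command line.
        // These properties are read when the first SSLContext is initialised, so set them
        // before any code in the client opens an HTTPS connection.
        System.setProperty("javax.net.ssl.trustStore", storePath);
        System.setProperty("javax.net.ssl.trustStorePassword", new String(password));
    }
}
```

Setting the property from inside the program is convenient for a single client, but it affects the whole JVM; when the resolution toolkit is embedded in a larger application, prefer passing -Djavax.net.ssl.trustStore on the command line as the text describes so the trust configuration is visible to whoever operates the service.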
This step is only needed if the identifiers security framework is used. By default, anyone is allowed to create and modify identifiers; the security framework allows control over who can create, modify, and read identifiers in the system.
The identifiers-namingauthority project provides an Ant target, addAdmin, that bootstraps the framework's security by adding an initial administrator identity.
The grid identity added this way can then be used to perform further administration through the grid service API, such as:
- Turning off public creation of identifiers.
- Specifying identities authorized to create identifiers.
- Specifying additional administrators.