Access Keys:
Skip to content (Access Key - 0)

Identifiers

Security

Naming Authority Installation Administrators Guide 
Contents

Securing the Naming Authority Containers

The first step to execute in order to have a secure deployment is to secure the application containers (i.e., Tomcat) hosting the naming authority web application and the grid service. This document will not cover how to install certificates and configure Tomcat to use SSL. This information is already available in the Apache documentation and on the web. The caGrid installer is also capable of installing and [configuring] a secure container by requesting host certificates from [Dorian].

Optionally, in order to force the naming authority web application container to use SSL, un-comment the following block in <PROJECT_HOME>/WebContent/WEB-INF/web.xml and re-deploy to Tomcat.

<!-- Un-comment this to force the container to SSL
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPS Only Naming Authority</web-resource-name>
<url-pattern>/NamingAuthorityService/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
-->

Client Configuration

The client toolkit (identifiers-client) uses Apache HttpClient, which fully leverages the Java Secure Socket Extension (JSSE). Hence, the only requirement to enable SSL is to configure JSSE properly.

The certificate from the naming authority must be added to the key-store used by the JVM running the client. For example, the following command imports the naming authority certificate that was used to secure its web application container:

$ keytool -keystore /home/client/keystore -import -alias tomcat -file identifiers-na.nci.nih.gov-cert.pem

The JVM that runs the client program using the resolution toolkit (identifiers-client) must be passed by the key-store being used (e.g. -Djavax.net.ssl.trustStore=/home/client/keystore)

Creating the Naming Authority Administrator

This step is only needed if the identifiers security framework is used. By default, anyone is allowed to create and modify identifiers. The security framework allows control over who can create, modify, and read identifiers in the system.

The identifiers-namingauthority project provides an ant target addAdmin to bootstrap the framework's security by adding an initial administrator identity.

The above grid identity can now be used to perform further administration using the grid service API, such as:

  • Turning off public creation of identifiers.
  • Specifying identities authorized to create identifiers.
  • Specifying additional administrators.
    Naming Authority Installation Administrators Guide 
Last edited by
Joe George (402 days ago) , ...
Adaptavist Theme Builder Powered by Atlassian Confluence