airavata-dev mailing list archives

From Hasini Gunasinghe <hasi7...@gmail.com>
Subject Re: Informing about security related configuration applied on master
Date Fri, 10 Jul 2015 10:10:34 GMT
Hi Shameera,

Thank you for the reply. Please find my answers inline.

On Wed, Jul 8, 2015 at 1:40 PM, Shameera Rathnayaka <shameerainfo@gmail.com>
wrote:

> Hi Hasini,
>
> I think it is good to have both properties "false" by default. The reason
> being that, if the user needs to enable those features, the user may need to do a few
> other configuration changes like pointing to the correct authorization server URL,
> credentials etc. IMO it is OK to ask an advanced user to edit those
> properties instead of a simple user who won't use these features.
>
I set those to 'true' assuming that the Airavata API is secured by default.
Actually, a user can set up the default deployment with security-enabled
Airavata without changing other configurations because the 'authorization
server url' and 'admin credentials' also take the default values (i.e. WSO2
IS running on the local machine takes the same URL as in the default
configuration).

If the plan is to ship the default distribution without the API secured,
then we can set them to false.

> I saw you have added a new property called "TLS.api.server.port". Is there any
> reason you can't use the apiserver.port property for this?
>

Yes, we can use the same port. The reason for having different ports is
that earlier I planned to host the server with TLS enabled and not enabled
at the same time.

Thanks,
Hasini.

>
> Thanks,
> Shameera.
>
> On Wed, Jul 8, 2015 at 12:13 PM Hasini Gunasinghe <hasi7786@gmail.com>
> wrote:
>
>> Hi all,
>>
>> I just wanted to notify about some of the security related configuration
>> changes merged with Airavata master. Please let me know if you have any
>> objections.
>>
>> 1). The following two properties in airavata-server.properties control whether
>> OAuth token validation is performed upon method invocation and whether
>> the Airavata server is exposed over TLS, respectively.
>>
>>    - api.secured
>>    - TLS.enabled
>>
>> The default value for both parameters in the
>> airavata-server.properties shipped in the distribution is 'true' (i.e.
>> token validation is performed upon method invocation and the Airavata
>> server is hosted only over TLS).
>>
>> When you write unit tests or integration tests without security, you can
>> set the parameter values to 'false' and proceed as usual.
>>
>> 2). A default key store (airavata.jks) and trust store
>> (client_truststore.jks) are shipped with the distribution, located
>> in the airavata_home/bin directory. The password for both is 'airavata', and
>> client_truststore.jks contains the public certificates of Airavata and
>> WSO2 IS. These are used in the SSL handshakes.
>> Production deployments should replace them with the organizational keystore
>> and trust store.
>> I will add this information to the documentation as well.
>>
>> Thanks,
>> Hasini.
>>
> --
> Shameera Rathnayaka
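A pre-start check a deployer could run against the configuration described in this thread, as an added example (not Airavata's own code): it reads api.secured and TLS.enabled from airavata-server.properties and, if either is true, refuses to start while airavata.jks or client_truststore.jks still unlocks with the shipped password 'airavata', printing the SHA-256 fingerprint of every certificate in the offending store so the operator can see exactly which Airavata and WSO2 IS certificates are still trusted. The JKS store format, the placement of airavata-server.properties beside the stores in airavata_home/bin, and the class name DefaultStoreCheck are assumptions not stated in the thread.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Properties;

/**
 * Pre-start guard: when api.secured or TLS.enabled is true, refuse to start if
 * either shipped store still opens with the default password, and print the
 * fingerprints of what it contains.
 * Assumptions (not stated in the thread): both stores are JKS, and
 * airavata-server.properties sits next to them in airavata_home/bin.
 */
public final class DefaultStoreCheck {

    private static final char[] SHIPPED_PASSWORD = "airavata".toCharArray(); // from the thread

    /** True if the JKS file unlocks with the shipped default password. */
    static boolean opensWithShippedPassword(Path store)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, SHIPPED_PASSWORD);
            return true;
        } catch (IOException e) {
            // JKS reports a wrong password as an IOException caused by
            // UnrecoverableKeyException; a missing or corrupt file is a different
            // failure and must surface, so only the password case is swallowed.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return false;
            }
            throw e;
        }
    }

    /** Prints "file  alias  SHA-256" for every certificate entry in the store. */
    static void printFingerprints(Path store, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias); // null for secret-key entries
            if (cert == null) {
                continue;
            }
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) {
                hex.append(String.format("%02X:", b));
            }
            hex.setLength(hex.length() - 1); // drop the trailing ':'
            System.out.printf("%s  %s  %s%n", store.getFileName(), alias, hex);
        }
    }

    public static void main(String[] args) throws Exception {
        // First argument is airavata_home; defaults to the current directory.
        Path bin = Paths.get(args.length > 0 ? args[0] : ".", "bin");
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(bin.resolve("airavata-server.properties"))) {
            props.load(in);
        }
        boolean securityOn = Boolean.parseBoolean(props.getProperty("api.secured", "false").trim())
                || Boolean.parseBoolean(props.getProperty("TLS.enabled", "false").trim());
        if (!securityOn) {
            System.out.println("api.secured and TLS.enabled are both false; stores are not used");
            return;
        }
        Path[] stores = { bin.resolve("airavata.jks"), bin.resolve("client_truststore.jks") };
        boolean shippedDefaults = false;
        for (Path store : stores) {
            if (opensWithShippedPassword(store)) {
                shippedDefaults = true;
                System.err.println("Shipped default store still in use: " + store);
                printFingerprints(store, SHIPPED_PASSWORD);
            }
        }
        if (shippedDefaults) {
            System.err.println("Refusing to start: replace the stores and their password before production");
            System.exit(1);
        }
        System.out.println("OK: neither store opens with the shipped password");
    }
}
```

Run it as `java DefaultStoreCheck /path/to/airavata_home` before starting the server. The check keys on the password only, so a store whose password was changed but which still carries the shipped Airavata and WSO2 IS certificates will pass; for that case compare the fingerprints printed here (or by `keytool -list -v -keystore client_truststore.jks`) against the organizational CA before trusting the deployment.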
