1.11. JobServer and TaskServer Security



1.11.1. Introduction

The JobServer is designed to facilitate data exchange between the user interface and the TaskServer; it also allows you to get quick access to monitor the progress of your computations, even if you are away from the originating machine. You can equally share results and models with your coworkers.

The JobServer offers both insecure (http) and secure (https) communication. The latter requires that you install a proper security certificate on the JobServer and/or TaskServer. MedeA provides a placeholder certificate, which works to demonstrate functionality but does not offer any security at all.

In addition to securing the communication, the JobServer can require usernames and passwords, and restrict each user to seeing and controlling only his or her own jobs.

If results must be kept confidential for security reasons, consider the following when installing MedeA: limit access to the compute servers involved in generating and executing your calculations, secure the communication between those compute nodes, and require usernames.

Please keep in mind that if you forget the password used to access and administer the JobServer, you will not be able to access the JobServer, your results, or your calculations at all unless an admin user resets your password. An admin user can also delete the users.dat file in MD/JobServer to wipe out the saved usernames and passwords.

1.11.2. Securing the JobServer and TaskServer with HTTPS

The following section is for IT administrators and persons with a solid understanding of securing web servers.

Before securing the JobServer, make sure that the installation works for more than one user and that the queuing system integration is completed, which means each user needs at least one separate TaskServer. You can use the MDMaintenance program to set up multiple TaskServers from a shared directory and run them as different user instances. Once this setup is sufficiently tested, you can continue to secure the MedeA Environment with the following steps:

  1. Obtain a valid SSL certificate and save it on the

    • JobServer as the file JobServer.pem in the directory JobServer/certificates of the JobServer installation directory
    • TaskServer as the file TaskServer.pem in the directory TaskServer/certificates of the TaskServer installation directory

    Each .pem file must contain a private key and an SSL certificate.

  2. Add usernames to the JobServer

  3. Add usernames to the TaskServers

  4. Turn on username/password authentication on JobServer

  5. Restart JobServer

  6. Turn on username/password authentication on TaskServer

  7. Restart TaskServer

  8. Edit the list of TaskServers and switch the address from http to https.

  9. In the MedeA GUI, change the address of the JobServer from http to https. The list of JobServers is found at File >> Preferences… in the JobServer tab.
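
A pre-flight check for the combined .pem files from step 1, as an added example that is not part of the MedeA documentation or tooling: it confirms that a file contains both a private key block and a certificate block, that only its owner can access it, and (using the openssl command line) that the key belongs to the certificate. The function names and return codes are this example's own, and the owner-only permission check is an added hardening assumption, not a documented MedeA requirement.

```shell
#!/bin/sh
# Added example: pre-flight check for JobServer.pem / TaskServer.pem (step 1).
# Return codes of check_pem_bundle are this example's own convention:
#   0 ok | 1 not a regular file | 2 no private key block
#   3 no certificate block | 4 accessible by group or others

count_blocks() {   # count_blocks FILE LABEL_REGEX -> number of PEM BEGIN lines
    grep -c -E -- "^-----BEGIN $2-----[[:space:]]*\$" "$1"
}

check_pem_bundle() {
    pem=$1
    [ -f "$pem" ] || return 1
    # Matches PKCS#8 ("PRIVATE KEY") and legacy "RSA/EC PRIVATE KEY" headers.
    [ "$(count_blocks "$pem" '([A-Z]+ )?PRIVATE KEY')" -ge 1 ] || return 2
    [ "$(count_blocks "$pem" 'CERTIFICATE')" -ge 1 ] || return 3
    # The file holds a private key, so only its owner should have access
    # (assumption of this example: mode 600 or stricter).
    [ "$(ls -ld -- "$pem" | cut -c5-10)" = "------" ] || return 4
    return 0
}

key_matches_cert() {
    # Compare the public key in the first certificate with the one derived
    # from the private key; a mismatch means the wrong key/cert were combined.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_pem.sh JobServer/certificates/JobServer.pem ...
for f in "$@"; do
    rc=0
    check_pem_bundle "$f" || rc=$?
    if [ "$rc" -eq 0 ] && key_matches_cert "$f"; then
        echo "OK    $f"
    else
        echo "FAIL  $f (structure code $rc; if 0, key and certificate do not match)"
    fi
done
```

Run it against both files before restarting the servers in steps 5 and 7.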

Note

MedeA JobServer (JS) and TaskServer (TS) only support OpenSSL 1.0.X. Install the OpenSSL 1.0.X package (also the development package) and create the following symbolic links in the system directory where the two files libssl.so.1.0.0 and libcrypto.so.1.0.0 are located:

ln -s libssl.so.1.0.0 libssl.so.10
ln -s libcrypto.so.1.0.0 libcrypto.so.10

If you have a newer OpenSSL version (e.g. 1.1.X) installed, it is not recommended to downgrade to 1.0.X, as that could negatively impact the security of the operating system. In this case, please either also install the OpenSSL 1.0.X package or recompile an older version of OpenSSL (or get the files from another source), deploy the two files libssl.so.1.0.0 and libcrypto.so.1.0.0 in /lib64, and create the relevant symbolic links.

1.11.2.1. JobServer: TaskServers to Change the Address from HTTP to HTTPS

Navigate to the TaskServers page of the JobServer (http://localhost:32000/ServerAdmin/taskserver.tml).

Replace the existing TaskServer by clicking on the Change button and changing the address, e.g. from http://localhost:23000 to https://localhost:23000.

If you prefer to keep a reference to the old, non-secure JobServer, add an additional entry (and don’t forget to assign a MedeA queue if needed).

Note

Deactivate inaccessible TaskServers to avoid waiting for timeouts each time the JobServer starts or updates the status of known TaskServers.

1.11.3. Securing the JobServer and TaskServer with Username/Password Authentication

1.11.3.1. JobServer: Users Administration to Define Authorized Users

Navigate to the Users page of the JobServer (http://localhost:32000/ServerAdmin/users.tml).

In the first section, Global Parameters, define whether and how to require usernames and passwords. You can choose between the authentication methods md5crypt, apachecrypt, or LDAP. With the first two methods, you set the credentials of users in the Users pages of the JobServer administration. If the authentication method is set to LDAP, the credentials of users are defined by your system-wide directory of user credentials.

Note

Currently, JobServer and TaskServer only support OpenLDAP and not Microsoft Active Directory.

When requiring usernames, you must provide a shared identity for communication between the JobServer and TaskServers in the central section, JobServer “user” and password; this is the “JobServer” “user”.

In the section Users at the bottom, you can add the users allowed to work on this JobServer; if not provided by LDAP, the usernames and passwords must be entered here.

1.11.3.2. TaskServer: Users Administration to Define Authorized Users

Continue with defining users for the TaskServer. Navigate to the User page of the TaskServer (http://localhost:23000/ServerAdmin/users.tml).

In the first section, Global Parameters, define whether and how to require usernames and passwords. You can choose between the authentication methods md5crypt, apachecrypt, or LDAP. With the first two methods, you set the credentials of users in the Users pages of the TaskServer administration. If the authentication method is set to LDAP, the credentials of users are defined by your system-wide directory of user credentials.

Note

Currently, JobServer and TaskServer only support OpenLDAP and not Microsoft Active Directory.

When requiring usernames, you must provide a shared identity for communication between the JobServer and TaskServers in the central section, TaskServer “user” and password; this is the “TaskServer” “user”.

In the section Users at the bottom, you can add the users allowed to work on this TaskServer; if not provided by LDAP, the usernames and passwords must be entered here.

1.11.3.3. JobServer: TaskServers Administration to Enable Secure Communication

Navigate to the TaskServers page of the JobServer (http://localhost:32000/ServerAdmin/TaskServers.tml). This page sets the “username” and “password” the JobServer uses to communicate with the TaskServer.


1.11.3.4. TaskServer: JobServers to Enable Secure Communication

Navigate to the JobServers page of the TaskServer (http://localhost:23000/ServerAdmin/JobServers.tml). This page sets the “username” and “password” the TaskServer uses to communicate with the JobServer.
