Unfortunately, many sites installed LCG2_6_0 without a secure connection. Only when all sites expose a secure connection can the sites be configured to make calls to a secure connection. Finally, once all sites are using the secure connection, the insecure connections can be closed down. I hope that with the forthcoming LCG release 2_7_0 all sites *will* install securely and we can finally make the first faltering step.
Steve
> -----Original Message-----
> From: LHC Computer Grid - Rollout
> [mailto:[log in to unmask]]On Behalf Of David McBride
> Sent: 24 November 2005 19:51
> To: [log in to unmask]
> Subject: [LCG-ROLLOUT] Problem: R-GMA registry at RAL does not support
> site running in authenticated mode.
>
>
> Hello all,
>
> I have a problem:
>
> * The GridPP Vulnerabilities Group recommend that all sites operate their
> R-GMA installation in an authenticating mode. From
> https://mmm.cern.ch/public/archive-list/p/project-lcg-security-contacts/Grid%20Security%20Vulnerabilities%20that%20have%20passed%20their%20target%20date-876756341.EML?Cmd=open (long URL, may wrap):
>
> ----8<-----------------------------------------------------------------
> (8972)
> No Security in R-GMA
> Exploitable by:
> No Credentials
> Basic info:
> R-GMA on LCG deployment has no security. Any user who has access to the
> system can write information to the R-GMA system, this may include false
> information. Anyone with access to the system can read all information.
> [...]
> Proposed Solution:
> The current version of R-GMA itself in LCG 2.6 allows security to be on
> or off, and provides a mechanism for systematically turning it on.
> Ensure that it is systematically turned on in the deployment.
> ----8<-----------------------------------------------------------------
>
> * The R-GMA registry at RAL cannot interoperate with sites operating in
> a secure mode, and is presently unsupported.
>
> Given my own (limited) understanding of R-GMA, it appears clear that I
> really don't want to downgrade to unauthenticated operation.
>
> Any suggestions how to work around this issue?
>
> Cheers,
> David
>
> --
> David McBride <[log in to unmask]>
> Department of Computing, Imperial College, London