Test services on heater.cs.man.ac.uk
A VM has been configured and pre-installed with some test secure services and deployed at heater.cs.man.ac.uk.
Use port 7222 if you need to ssh to heater.cs.man.ac.uk:
You should also switch to user
Inside the VM, there is a single Tomcat installation at
/home/taverna/apache-tomcat-6.0.29/. It has been configured to start at boot time, so you do not have to start the server yourself - just power up the VM.
There are three types of secure resources/services that require authentication configured on the server:
- resources protected by HTTP Basic Authentication
- resources protected by HTTP Digest Authentication
- Web Services protected by WS-Security
Each one can be additionally combined with the use of HTTPS to make the communication confidential.
The Tomcat server on heater is configured to operate on 3 ports: 7070 (HTTP), 7443 and 7444 (HTTPS). In addition, any resource you try to get on port 7444 will require you to authenticate with a client certificate (more on this later). Connecting on port 7443 will not require user certificate authentication.
The server's public key certificate is available from here (in PEM encoding).
Resources protected with Basic Authentication
Resources protected by HTTP Basic Authentication are located in
/home/taverna/apache-tomcat-6.0.29/webapps/examples-basic-authentication/. If you want to see how it is configured, look for <security-constraint> and <login-config> elements in
If you go to page http://heater.cs.man.ac.uk:7070/examples-basic-authentication/ in your Web browser, you will find a link "Secure BASIC HTTP Authentication test page for Taverna" to a resource protected by the Basic Authentication scheme.
Username and password to use: testuser/testpasswd
Resources protected with HTTP Digest Authentication
Resources protected by HTTP Digest Authentication are located in
/home/taverna/apache-tomcat-6.0.29/webapps/examples-digest-authentication/. If you want to see how it is configured, look for <security-constraint> and <login-config> elements in
If you go to page http://heater.cs.man.ac.uk:7070/examples-digest-authentication/ in your Web browser, you will find a link "Secure DIGEST HTTP Authentication test page for Taverna" to a resource protected by the Digest Authentication scheme.
Username and password to use: testuser/testpasswd
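The difference between the two schemes on the plain-HTTP port 7070, as an added example that is not part of the original page or of the server's code: a Basic header can be decoded back to testuser/testpasswd by anyone who sees the request, while Digest sends only an MD5 response bound to the server's nonce. The function names are hypothetical, and the realm, nonces and cnonce are constructed placeholders, not values from heater.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: the header is base64(user:password), an encoding, not encryption."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_basic_credentials(header):
    """What any observer of a plain-HTTP request can read from a Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest (RFC 2617, MD5, qop=auth): only this hash crosses the wire."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # secret half, never sent
    ha2 = md5_hex(f"{method}:{uri}")              # binds the request line
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    # Constructed values: the realm, nonces and cnonce below are placeholders,
    # not taken from the heater server.
    uri = "/examples-digest-authentication/"
    print(recover_basic_credentials(basic_header("testuser", "testpasswd")))
    for nonce in ("constructed-nonce-1", "constructed-nonce-2"):
        print(digest_response("testuser", "testpasswd", "constructed-realm",
                              "GET", uri, nonce, "00000001", "0a4f113b"))
```

Digest keeps the password off the wire but leaves the page content readable, which is what the HTTPS ports add.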
Web Services protected with WS-Security
There are a few Web services (implemented using Axis 1) deployed in
/home/taverna/apache-tomcat-6.0.29/webapps/axis/. You can see all Web services installed by pointing your browser to
There are 4 different WS-Security protections that services are using and that can be tested from workflows:
- WS-Security plaintext username and password, example service is http://heater.cs.man.ac.uk:7070/axis/services/HelloService-PlaintextPassword?wsdl
- WS-Security timestamp + plaintext username and password (order of WS-Security elements is important), example service is http://heater.cs.man.ac.uk:7070/axis/services/HelloService-PlaintextPassword-Timestamp?wsdl
- WS-Security digest username and password, example service is http://heater.cs.man.ac.uk:7070/axis/services/HelloService-DigestPassword?wsdl
- WS-Security timestamp + digest username and password (order of WS-Security elements is important), example service is http://heater.cs.man.ac.uk:7070/axis/services/HelloService-DigestPassword-Timestamp?wsdl
Username and password to use for all services: testuser/testpasswd
You can see SOAP messages sent to/received from the above services by using the SOAP Monitor at http://heater.cs.man.ac.uk:7070/axis/SOAPMonitor. (SOAP Monitor works on port 5001.)
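What the digest form of the WS-Security UsernameToken carries, and why a receiver checks Created and Nonce, as an added example that is not the Axis services' own code: PasswordDigest is Base64(SHA-1(nonce + created + password)) per the OASIS UsernameToken Profile. The function and class names are hypothetical, and the five-minute freshness window is an assumption, not the server's setting.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp format used for <wsu:Created>


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode("ascii")


def make_token(user: str, password: str, now: datetime) -> dict:
    """Client side: the fields carried in <wsse:UsernameToken> (digest form)."""
    nonce, created = os.urandom(16), now.strftime(FMT)
    return {
        "Username": user,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce, created, password),
    }


class TokenVerifier:
    """Receiver side: recompute the digest, enforce freshness, refuse replays."""

    def __init__(self, users: dict, max_age: timedelta = timedelta(minutes=5)):
        self.users, self.max_age, self.seen = users, max_age, set()

    def verify(self, token: dict, now: datetime) -> str:
        password = self.users.get(token["Username"])
        if password is None:
            return "unknown user"
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_age:
            return "stale"
        if token["Nonce"] in self.seen:
            return "replayed"
        nonce = base64.b64decode(token["Nonce"])
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return "bad digest"
        self.seen.add(token["Nonce"])  # remember only nonces from valid tokens
        return "ok"
```

In the plaintext variants the Password field holds testpasswd itself, so on port 7070 those tokens are as readable as a Basic header.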
Resources protected with X.509 Client Authentication
As mentioned earlier, accessing any resource on
heater.cs.man.ac.uk on port 7444 will require you to authenticate with a client X.509 certificate. You must also use HTTPS; otherwise things will not work on this port.
You can use the following client certificate for testing purposes to authenticate yourself when accessing resources behind
- .p12 file containing the private and public key (password to unlock it: testcert)
You can load the .p12 file into your Web browser or into Taverna's Credential Manager when running secure workflows (see example workflows below) that access this type of resource.
Example resources on the server can be found in
/home/taverna/apache-tomcat-6.0.29/webapps/examples-client-cert-authentication/. Unlike with BASIC and DIGEST authentication, you will find the <security-constraint> and <login-config> elements in
WEB-INF/web.xml commented out. This is because the authentication bits are configured on the <Connector> element level in
If you go to page https://heater.cs.man.ac.uk:7444/examples-client-cert-authentication/ in your Web browser, you may first be asked if you want to trust the server - if the server's certificate is not already marked as trusted in your Web browser. Next, you will be asked to select your client certificate (make sure you upload the one above in your Web browser beforehand).
- A workflow that tests HTTP Basic Authentication: without and with HTTPS (username and password to use: testuser/testpasswd)
- A workflow that tests HTTP Digest Authentication: without and with HTTPS (username and password to use: testuser/testpasswd)
- A workflow that tests WS-Security: without and with HTTPS (username and password to use: testuser/testpasswd)
- A workflow that tests client X.509 authentication (client certificate to use .p12 and password to unlock it: testcert)
The versions of the workflows without HTTPS are provided because it is easier to test the authentication protections first without the overhead of HTTPS, which can make a workflow fail before even giving you a chance to authenticate. Once the version without HTTPS works, test the one with HTTPS.
The backup of the Tomcat server hosting the secure services on
heater.cs.man.ac.uk (on the VM taverna-secure-services-test-server running on port 7222) as of 2011-06-23 can be found in
/Users/alex/My/Projects/myGrid/Security on Alex's laptop.