The Credential Manager is a Taverna utility that manages your credentials and certificates of services you wish to invoke. It can store your username and password pairs and private key certificates securely and remembers which credentials you want to use for which services. This is convenient, as you do not have to enter them every time you wish to invoke a secure service from a workflow. In this respect, the Credential Manager is similar to Password Manager in Firefox or Internet Explorer, or Keychain (Apple’s password management system in Mac OS X).
The Credential Manager also keeps certificates from trusted services and trusted CAs (that issue certificates to services). This is so that Taverna can open HTTPS connections to secure services and addresses when executing a workflow, similar to Web browser padlocks.
Security in Java depends on the type of Cryptography Policy you have installed on your computer (which is installed when you install Java).
Java Cryptography Policy
The use of cryptography to implement security features in Java is regulated by the JCE Jurisdiction Policy (which is installed when you install Java on your computer). It comes in two flavours: weak (limited - you are allowed to use a limited set of crypto algorithms and short keys) and strong (unlimited). Taverna requires strong policy to be in place for its security features to operate correctly.
As of version 2.5, Taverna ships with an embedded OpenJDK 7, which includes the strong cryptography policy by default so you do not need to do anything.
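To confirm which policy a particular Java installation enforces, you can ask the JCE directly. The following is an added example, not part of Taverna; the class name `JcePolicyCheck` is hypothetical. It uses only the standard `javax.crypto` API, and should be run with the same Java that launches Taverna:

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): reports which JCE policy this JVM enforces.
public class JcePolicyCheck {

    // Maximum key length, in bits, that the installed policy allows per algorithm.
    // Integer.MAX_VALUE means the policy places no restriction (strong policy).
    static Map<String, Integer> maxKeyLengths(String... algorithms) {
        Map<String, Integer> limits = new LinkedHashMap<String, Integer>();
        for (String alg : algorithms) {
            try {
                limits.put(alg, Cipher.getMaxAllowedKeyLength(alg));
            } catch (NoSuchAlgorithmException e) {
                limits.put(alg, -1); // not a valid transformation string
            }
        }
        return limits;
    }

    // Confirms the reported limit by initialising AES with a 256-bit key.
    // The all-zero key is a constructed test value; nothing is encrypted with it.
    static boolean canUseAes256() throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false; // the weak policy rejects the key as an illegal key size
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + System.getProperty("java.version")
                + " at " + System.getProperty("java.home"));
        for (Map.Entry<String, Integer> e
                : maxKeyLengths("AES", "DESede", "Blowfish", "RC4").entrySet()) {
            String limit = e.getValue() == Integer.MAX_VALUE
                    ? "unrestricted" : e.getValue() + " bits";
            System.out.println("  " + e.getKey() + ": " + limit);
        }
        boolean strong = canUseAes256();
        System.out.println(strong ? "Strong (unlimited) policy in effect"
                                  : "Weak (limited) policy in effect");
        System.exit(strong ? 0 : 1); // non-zero exit lets a launch script detect the weak policy
    }
}
```

Under the weak policy the AES limit is reported as 128 bits and the 256-bit initialisation is refused; under the strong policy every limit is unrestricted.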
If, for some reason, you run Taverna using Oracle's Java 7, which by default comes with a weak policy, then you are advised to replace it with the strong one. Otherwise, you may get a warning similar to the one below the first time Taverna attempts to do some 'secure' operation, e.g. call a secure service.
Master Password for the Credential Manager
Every time Taverna tries to access a secure service (e.g. one that requires HTTPS or requires you to authenticate), it will contact the Credential Manager to see if it can provide the necessary information (e.g. a trusted certificate of the service provider or your username and password to authenticate to the service).
Credential Manager requires a master password to unlock the content stored in it. As of version 2.5, Taverna comes with a default master password so it will not prompt you for it. You can set your own master password for Credential Manager from the Credential Manager dialog. If you do, Taverna will prompt you for it each time it needs something from Credential Manager.
If you are using a non-default master password - try and remember it. It is used to protect all your other credentials. If you forget then you will have to delete the
If you get these errors:
Even if you believe you are using the correct master password, then first:
If you are running with Oracle's Java and did not install the strong cryptography policy (see above), then Java will not allow a master password that is longer than 7 characters. A workaround, which is obviously not particularly secure, is to use a short master password. This might be useful if Taverna needs the Credential Manager to manage HTTPS connections, but you are not storing any username/passwords or private keys. If you still set a master password that is too long, the Credential Manager will fail to open. To start again (losing any stored entries), delete the
If you persist in using the weak policy, it is very possible that some other security aspect of Taverna will fail to function properly.
Credentials and Certificates in the Credential Manager
To store something or to see what is stored inside the Credential Manager:
The Credential Manager contains your:
- username and passwords
- user certificates
- trusted CAs' and servers' certificates
Initially, the Credential Manager does not contain any credentials - usernames and passwords or user certificates - since you have not added any yet. However, it does initially contain a certain number of trusted certificates (found under the Trusted Certificates tab). These are standard default trusted Certification Authorities' (CAs') certificates that have been imported from Java. They enable many HTTPS-protected services that have certificates signed by one of the trusted CAs to be marked as trusted as well, so Taverna will not prompt you to confirm your trust in such a service. However, if you try to access an HTTPS-protected service that has not been marked as trusted, the Credential Manager will recognize that it is a new certificate and will ask if you want to accept or reject it.
If you reject it then the workflow will still attempt to run but will fail.
Authenticating to Services
Telling Taverna that a service requires authentication
In some cases, e.g. when you are simply trying to fetch a page which requires HTTP Basic Authentication, Taverna will detect that the service requires authentication and prompt you for a username and password. You do not have to configure anything for this service and it will all work automatically.
Username and password for the service
If the password for a secure service is not currently stored in the Credential Manager and you try to run the workflow with such a service, Taverna will prompt you for username and password. It is up to you whether you also want to store them in the Credential Manager so you do not get prompted for them next time you run the workflow.