
The Credential Manager is a Taverna utility that manages your credentials and certificates of services you wish to invoke. It can store your username and password pairs and private key certificates securely and remembers which credentials you want to use for which services. This is convenient, as you do not have to enter them every time you wish to invoke a secure service from a workflow. In this respect, the Credential Manager is similar to Password Manager in Firefox or Internet Explorer, or Keychain (Apple’s password management system in Mac OS X).

The Credential Manager also keeps certificates from trusted services and trusted CAs (that issue certificates to services). This is so that Taverna can open HTTPS connections to secure services and addresses when executing a workflow, similar to Web browser padlocks.

Security in Java depends on the type of Cryptography Policy you have installed on your computer (which is installed when you install Java).

Java Cryptography Policy

The use of cryptography to implement security features in Java is regulated by the JCE Jurisdiction Policy (which is installed when you install Java on your computer). It comes in two flavours: weak (limited - you are allowed to use a limited set of crypto algorithms and short keys) and strong (unlimited). Taverna requires strong policy to be in place for its security features to operate correctly.

As of version 2.5, Taverna ships with an embedded OpenJDK 7, which includes the strong cryptography policy by default so you do not need to do anything.

If, for some reason, you run Taverna using Oracle's Java 7, which by default comes with a weak policy, then you are advised to replace it with the strong one. Otherwise, you may get a warning similar to the one below the first time Taverna attempts to do some 'secure' operation, e.g. call a secure service.

Master Password for the Credential Manager

Every time Taverna tries to access a secure service (e.g. one that requires HTTPS or you to authenticate), it will contact the Credential Manager to see if it can provide the necessary information (e.g. a trusted certificate of the service provider or your username and password to authenticate to the service).

Credential Manager requires a master password to unlock the content stored in it. As of version 2.5, Taverna comes with a default master password so it will not prompt you for it. You can set your own master password for Credential Manager from the Credential Manager dialog. If you do, Taverna will prompt you for it each time it needs something from Credential Manager.

If you are using a non-default master password, make sure you remember it. It is used to protect all your other credentials. If you forget it, you will have to delete the security directory in the Taverna home directory, which effectively wipes out the Credential Manager's content, and start over.

If you get these errors:

  • Failed to generate new empty Taverna's Truststore
  • Failed to load Taverna's Truststore. Possible reason: incorrect password or corrupted file.

Even if you believe you are using the correct master password, then first:

If you are running with Oracle's Java and did not install the strong cryptography policy (see above), then Java will not allow a master password that is longer than 7 characters. A workaround, which is obviously not particularly secure, is to use a short master password. This might be useful if Taverna needs the Credential Manager to manage HTTPS connections, but you are not storing any usernames/passwords or private keys. If you nevertheless set a master password that is too long, the Credential Manager will fail to open. To start again (losing any stored entries), delete the security folder from your Taverna home directory.

If you persist in using the weak policy, it is very possible that some other security aspect of Taverna will fail to function properly.
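
The policy check and the 7-character limit described above can be verified before starting Taverna. The following is an added example, not Taverna's own code: the class, method and constant names are hypothetical, and it relies only on the standard `Cipher.getMaxAllowedKeyLength` call, which reports 128 bits for AES under the weak policy.

```java
import java.io.Console;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added example: class, method and constant names are hypothetical, not Taverna's.
public class JcePolicyPreflight {

    // Password limit this page gives for a JRE running the weak (limited) policy.
    static final int WEAK_POLICY_MAX_PASSWORD_CHARS = 7;

    // The limited policy caps AES keys at 128 bits; the unlimited policy
    // reports Integer.MAX_VALUE.
    static boolean hasStrongPolicy() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Returns null if the password length is usable, otherwise the reason it is not.
    static String masterPasswordProblem(char[] password, boolean strongPolicy) {
        if (!strongPolicy && password.length > WEAK_POLICY_MAX_PASSWORD_CHARS) {
            return "weak policy: " + password.length + " characters exceeds the limit of "
                    + WEAK_POLICY_MAX_PASSWORD_CHARS + ", the Credential Manager will fail to open";
        }
        return null;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        boolean strong = hasStrongPolicy();
        System.out.println("Java " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ") at "
                + System.getProperty("java.home"));
        System.out.println("JCE policy: " + (strong ? "strong (unlimited)" : "weak (limited)"));

        Console console = System.console();   // null when stdin is not a terminal
        char[] pw = (console == null) ? null
                : console.readPassword("Candidate master password (checked, not stored): ");
        if (pw != null) {
            String problem = masterPasswordProblem(pw, strong);
            Arrays.fill(pw, '\0');             // wipe our copy of the password
            System.out.println(problem == null ? "Master password length: OK" : problem);
        }
        System.exit(strong ? 0 : 1);           // non-zero exit: install the strong policy
    }
}
```

Compile and run it with the same Java installation that launches Taverna, since the policy files belong to that particular runtime.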

Credentials and Certificates in the Credential Manager

To store something or to see what is stored inside the Credential Manager:

  1. In the top menu, select Advanced -> Credential Manager.

The Credential Manager contains your:

  • username and passwords
  • user certificates
  • trusted CAs' and servers' certificates

Initially, the Credential Manager does not contain any credentials (usernames and passwords or user certificates), since you have not added any yet. However, it does initially contain a certain number of trusted certificates (found under the Trusted Certificates tab). These are the standard default trusted Certification Authorities' (CAs') certificates that have been imported from Java. This enables many HTTPS-protected services that have certificates signed by one of the trusted CAs to be marked as trusted as well, so Taverna will not prompt you to confirm your trust in such a service. However, if you try to access an HTTPS-protected service that has not been marked as trusted, the Credential Manager will recognize that it is a new certificate and will ask if you want to accept or reject it.

If you reject it then the workflow will still attempt to run but will fail.

Authenticating to Services

Telling Taverna that a service requires authentication

In some cases, e.g. when you are simply trying to fetch a page which requires HTTP Basic Authentication, Taverna will detect that the service requires authentication and prompt you for a username and password. You do not have to configure anything for this service and it will all work automatically.

In other cases, most notably for WSDL services, you will have to explicitly tell Taverna what kind of authentication the service provider expects. See the Configuring a WSDL Service section for more.

Username and password for the service

If the password for a secure service is not currently stored in the Credential Manager and you try to run the workflow with such a service, Taverna will prompt you for username and password. It is up to you whether you also want to store them in the Credential Manager so you do not get prompted for them next time you run the workflow.

 
