Comment: Migrated to Confluence 4.0

Test services on heater.cs.man.ac.uk

A VM has been configured and pre-installed with some test secure services and deployed at heater.cs.man.ac.uk.

Note

Use port 7222 if you need to ssh to heater.cs.man.ac.uk:

Code Block
ssh -p 7222 <username>@heater.cs.man.ac.uk

You should also switch to user taverna. The following works:

Code Block
sudo -i
su taverna

Inside the VM, there is a single Tomcat installation at /home/taverna/apache-tomcat-6.0.29/. It has been configured to start at boot time, so you do not have to start the server yourself - just power up the VM.

There are three types of secure resources/services that require authentication configured on the server:

  • resources protected by HTTP Basic Authentication
  • resources protected by HTTP Digest Authentication
  • Web Services protected by WS-Security

Each one can be additionally combined with the use of HTTPS to make the communication confidential.

HTTPS

The Tomcat server on heater is configured to operate on 3 ports: 7070 (HTTP), 7443 and 7444 (HTTPS). In addition, any resource you try to get on port 7444 will require you to authenticate with a client certificate (more on this later). Connecting on port 7443 will not require user certificate authentication.

Info

The server's public key certificate is available from here (in PEM encoding).

Resources protected with Basic Authentication

Resources protected by HTTP Basic Authentication are located in /home/taverna/apache-tomcat-6.0.29/webapps/examples-basic-authentication/. If you want to see how it is configured, look for <security-constraint> and <login-config> elements in WEB-INF/web.xml.

If you go to page http://heater.cs.man.ac.uk:7070/examples-basic-authentication/ in your Web browser, you will find a link "Secure BASIC HTTP Authentication test page for Taverna" to a resource protected by the Basic Authentication scheme.

Tip

Username and password to use: testuser/testpasswd

Resources protected with HTTP Digest Authentication

Resources protected by HTTP Digest Authentication are located in /home/taverna/apache-tomcat-6.0.29/webapps/examples-digest-authentication/. If you want to see how it is configured, look for <security-constraint> and <login-config> elements in WEB-INF/web.xml.

If you go to page http://heater.cs.man.ac.uk:7070/examples-digest-authentication/ in your Web browser, you will find a link "Secure DIGEST HTTP Authentication test page for Taverna" to a resource protected by the Digest Authentication scheme.

Tip

Username and password to use: testuser/testpasswd
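
What the Basic and Digest schemes above put on the wire, and why the plain-HTTP port 7070 matters differently for each, shown as an added example (not part of the original page or of the server's code). The realm, nonce, cnonce and URI values are constructed placeholders; only the testuser/testpasswd pair comes from this page.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def basic_header(user, password):
    """Authorization value for HTTP Basic: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(header):
    """What any observer of a plain-HTTP request can recover from the header."""
    scheme, token = header.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response (MD5, qop=auth): only a hash goes on the wire."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(stored_password, claimed_response, **challenge):
    """Server-side check: recompute the response from the stored secret."""
    expected = digest_response(password=stored_password, **challenge)
    return hmac.compare_digest(expected, claimed_response)

# Constructed values: realm, nonce, cnonce and URI are placeholders, not the
# ones heater.cs.man.ac.uk actually issues. Credentials are the page's test pair.
CHALLENGE = dict(user="testuser", realm="example-realm", method="GET",
                 uri="/examples-digest-authentication/", nonce="constructed-nonce-1",
                 nc="00000001", cnonce="constructed-cnonce")

if __name__ == "__main__":
    hdr = basic_header("testuser", "testpasswd")
    print(hdr, "->", decode_basic(hdr))          # Basic is reversible encoding
    resp = digest_response(password="testpasswd", **CHALLENGE)
    print("Digest response:", resp)              # Digest sends a nonce-bound hash
    print("server accepts:", server_accepts("testpasswd", resp, **CHALLENGE))
```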

Web Services protected with WS-Security

There are a few Web services (implemented using Axis 1) deployed in /home/taverna/apache-tomcat-6.0.29/webapps/axis/. You can see all Web services installed by pointing your browser to http://heater.cs.man.ac.uk:7070/axis/services.

There are 4 different WS-Security protections that services are using and that can be tested from workflows:

Tip

Username and password to use for all services: testuser/testpasswd

Note

You can see SOAP messages sent to/received from the above services by using the SOAP Monitor at http://heater.cs.man.ac.uk:7070/axis/SOAPMonitor. (SOAP Monitor works on port 5001.)

Resources protected with X.509 Client Authentication

As mentioned earlier, accessing any resource on heater.cs.man.ac.uk on port 7444 will require you to authenticate with a client X.509 certificate. You will also have to use HTTPS; otherwise things will not work on this port.

You can use the following client certificate for testing purposes to authenticate yourself when accessing resources behind https://heater.cs.man.ac.uk:7444:

  • .p12 file containing the private and public key (password to unlock it: testcert)

You can load the .p12 file into your Web browser or into Taverna's Credential Manager when running secure workflows (see example workflows below) that access these types of resources.

Example resources on the server can be found in /home/taverna/apache-tomcat-6.0.29/webapps/examples-client-cert-authentication/. Unlike with BASIC and DIGEST authentication, you will find the <security-constraint> and <login-config> elements in WEB-INF/web.xml commented out. This is because the authentication bits are configured on the <Connector> element level in conf/server.xml.

If you go to page https://heater.cs.man.ac.uk:7444/examples-client-cert-authentication/ in your Web browser, you may first be asked if you want to trust the server - if the server's certificate is not already marked as trusted in your Web browser. Next, you will be asked to select your client certificate (make sure you upload the one above in your Web browser beforehand).

Test workflows

  • A workflow that tests HTTP Basic Authentication: without and with HTTPS (username and password to use: testuser/testpasswd)
  • A workflow that tests HTTP Digest Authentication: without and with HTTPS (username and password to use: testuser/testpasswd)
  • A workflow that tests WS-Security: without and with HTTPS (username and password to use: testuser/testpasswd)
  • A workflow that tests client X.509 authentication (client certificate to use: .p12; password to unlock it: testcert)

Note

The versions of workflows without the use of HTTPS are provided as it is easier to test the authentication protections first without the overhead of HTTPS, which can make a workflow fail before even giving you a chance to authenticate. Once the version without HTTPS works, test the one with HTTPS.

Backup

The backup of the Tomcat server hosting the secure services on heater.cs.man.ac.uk (on the VM taverna-secure-services-test-server running on port 7222) as of 2011-06-23 can be found in /Users/alex/My/Projects/myGrid/Security on Alex's laptop.