1.11. JobServer and TaskServer Security



1.11.1. Introduction

The JobServer is designed to facilitate data exchange between the user interface and the TaskServer; it also allows you to get quick access to monitor the progress of your computations, even if you are away from the originating machine. You can equally share results and models with your coworkers.

The JobServer offers both insecure and secure communication (HTTP and HTTPS, respectively). The latter requires that you install a proper security certificate on JobServer and TaskServers. MedeA provides a placeholder certificate, which works to show functionality, but does not offer any security at all.

In addition to securing the communication, the JobServer can require usernames and passwords and restrict each user to seeing and controlling only his or her own jobs.

If security reasons require you to keep results confidential, consider the following when installing MedeA: limit access to the compute servers involved in generating and executing your calculations, secure the communication between those compute nodes, and require usernames.

Please keep in mind that if you forget the password used to access and administer the JobServer, you will not be able to access the JobServer, your results, or your calculations unless an admin user resets your password. An admin user can also delete the Users.dat file in MD/JobServer to wipe out the saved usernames and passwords.

1.11.2. Securing the JobServer and TaskServer with HTTPS

The following section is for IT administrators and persons with a solid understanding of securing web servers.

Before securing the JobServer, make sure that the installation works for more than one user. Once this setup is sufficiently tested, you can continue to secure the MedeA Environment with the following steps:

  1. Obtain a valid SSL certificate and save it on the

    • JobServer as the file JobServer.pem in the directory JobServer/certificates of the JobServer installation directory
    • TaskServer as the file TaskServer.pem in the directory TaskServer/certificates of the TaskServer installation directory

    Each .pem file must contain a private key and an SSL certificate.

  2. Change the communication protocol of every TaskServer from HTTP to HTTPS

  3. Edit the URL of every TaskServer that is registered at the JobServer such that the communication protocol is HTTPS

  4. Change the communication protocol of the JobServer from HTTP to HTTPS

  5. In the MedeA GUI change the communication protocol of the JobServer from HTTP to HTTPS.
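
As an added example (not part of the MedeA documentation or tooling), the following Python script checks the requirement from step 1 before the servers are restarted: each .pem file must hold both a private key and a certificate, and the two must belong together. The script name check_pem.py is an assumption; the check confirms only that the pair loads, not that clients will trust the certificate.

```python
import os
import re
import ssl
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text):
    """Labels of all PEM blocks in order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pem(path):
    """Return a list of problems with a combined key + certificate .pem file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = pem_labels(text)
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    has_cert = "CERTIFICATE" in labels
    problems = []
    if not has_key:
        problems.append("no private key block")
    if not has_cert:
        problems.append("no certificate block")
    # The file holds a private key, so only the service account should read it.
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        problems.append("file is accessible to group or other users")
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        # Loading would prompt for a passphrase, so the pair is not tested.
        problems.append("private key is encrypted; key/certificate match not checked")
    elif has_key and has_cert:
        try:
            # Raises if either block is malformed or the key does not match.
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"key/certificate pair rejected: {exc}")
    return problems


if __name__ == "__main__":
    # Usage (file names from step 1): python check_pem.py JobServer.pem TaskServer.pem
    status = 0
    for pem in sys.argv[1:]:
        for problem in check_pem(pem):
            print(f"{pem}: {problem}")
            status = 1
    sys.exit(status)
```

An empty result for a file means both blocks are present and the key matches the certificate; the placeholder certificate will also pass this check, since it is a valid pair that simply is not trusted.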

1.11.2.1. TaskServers: Change Their Address from HTTP to HTTPS

  1. In a web browser navigate to the administration section of a TaskServer, e.g., open the URL https://localhost:23000/ServerAdmin/manager.tml

  2. In the administration section add a mark to the check box of the option Use https rather than the less secure http

    ../../_images/image00612.png
  3. Confirm the modification with the Apply button. The resulting page should look as follows:

    ../../_images/image0078.png
  4. Follow the instructions and restart the TaskServer

  5. After the restart use a web browser to access the TaskServer with the URL https://localhost:23000

    Note

    If you are using the placeholder certificate, the web browser warns you about a potential security risk when opening the URL. Accept the risk and continue. On the final page, sections of the upper and lower bars are highlighted in red to indicate that the certificate in use has an issue and does not guarantee the expected security.

    ../../_images/image0087.png

1.11.2.2. JobServer: Change the Address of TaskServers from HTTP to HTTPS

  1. In a web browser navigate to the administration section of the JobServer, e.g., http://localhost:32000/ServerAdmin/manager.tml

  2. In the green bar click on the link Manage TaskServers; that opens the URL http://localhost:32010/ServerAdmin/taskserver.tml

    ../../_images/image00510.png
  3. In the table of registered TaskServers at the bottom of the page, click on the Change button. On the next page, change the communication protocol, e.g., from http://localhost:23000 to https://localhost:23000.

    ../../_images/image0098.png
  4. Confirm the modification with the Update button.

  5. In the table of registered TaskServers at the bottom of the next page, click on the Check button to see whether the modified TaskServer is up, active, and accessible. You can check the latter by clicking the link that is in the table cell of the column Name.

1.11.2.3. JobServer: Change the Address from HTTP to HTTPS

  1. In a web browser navigate to the administration section of the JobServer, e.g., open the URL http://localhost:32000/ServerAdmin/manager.tml

  2. In the administration section add a mark to the check box of the option Use https rather than the less secure http

    ../../_images/image0106.png
  3. Confirm the modification with the Apply button. The resulting page should look as follows:

    ../../_images/image0116.png
  4. Follow the instructions and restart the JobServer

  5. After the restart use a web browser to access the JobServer with the URL https://localhost:32000

    Note

    If you are using the placeholder certificate, the web browser warns you about a potential security risk when opening the URL. Accept the risk and continue. On the final page, sections of the upper and lower bars are highlighted in red to indicate that the certificate in use has an issue and does not guarantee the expected security.

    ../../_images/image0125.png

1.11.2.4. MedeA GUI: Change the Address of the JobServer from HTTP to HTTPS

In the MedeA GUI modify the address (URL) of the JobServer:

  1. File >> Preferences…
  2. Click on Add to create a new row with empty fields
  3. In the JobServer tab register the secure JobServer: add an informative name (e.g. SecureJobServer) and the URL https://localhost:32000
  4. Confirm the modification with OK

1.11.3. Securing the JobServer and TaskServer with Username/Password Authentication

The following section is for IT administrators and persons with a solid understanding of securing web servers.

Before securing the JobServer, make sure that the installation works for more than one user and the queuing system integration is completed, which means each user needs at least one separate TaskServer. You can use the MDMaintenance program to set up multiple TaskServers from a shared directory and run them as different user instances. Once this setup is sufficiently tested, you can continue to secure the MedeA Environment with the following steps:

  1. Add usernames to the JobServer
  2. Add usernames to the TaskServers
  3. Turn on username/password authentication on JobServer
  4. Turn on username/password authentication on TaskServer

Note

Using usernames and passwords does not require enabling the secure communication protocol HTTPS.

1.11.3.1. JobServer: Users Administration to Define Authorized Users

Navigate to the Users page of the JobServer (http://localhost:32000/ServerAdmin/users.tml).

../../_images/image00116.png

In the first section, Global Parameters, define whether and how to require usernames and passwords. You can choose between the authentication methods md5crypt, apachecrypt, or LDAP. With the first two methods, you can set the credentials of users in the Users pages of the JobServer administration. If the authentication method is set to LDAP, the credentials of users are defined by your system-wide directory of user credentials.

Note

Currently, JobServer and TaskServer only support OpenLDAP and not Microsoft Active Directory.

When requiring usernames, you must provide a shared entity to communicate between JobServer and TaskServers in the central section JobServer “user” and password, that is the “JobServer” “user”.

In the section Users at the bottom, you can add the users allowed to work on this JobServer; if not provided by LDAP, the usernames and passwords must be entered here.

1.11.3.2. TaskServer: Users Administration to Define Authorized Users

Continue with defining users for the TaskServer. Navigate to the User page of the TaskServer (http://localhost:23000/ServerAdmin/users.tml).

../../_images/image00215.png

In the first section, Global Parameters, define whether and how to require usernames and passwords. You can choose between the authentication methods md5crypt, apachecrypt, or LDAP. With the first two methods, you can set the credentials of users in the Users pages of the TaskServer administration. If the authentication method is set to LDAP, the credentials of users are defined by your system-wide directory of user credentials.

Note

Currently, JobServer and TaskServer only support OpenLDAP and not Microsoft Active Directory.

When requiring usernames, you must provide a shared entity to communicate between JobServer and TaskServers in the central section TaskServer “user” and password, that is the “TaskServer” “user”.

In the section Users at the bottom, you can add the users allowed to work on this TaskServer; if not provided by LDAP, the usernames and passwords must be entered here.

1.11.3.3. JobServer: TaskServers Administration to Enable Secure Communication

Navigate to the JobServer page from the web browser interface for the TaskServer (http://localhost:32000/ServerAdmin/TaskServers.tml). This page sets the “username” and “password” the JobServer uses to communicate with the TaskServer.

../../_images/image00313.png

1.11.3.4. TaskServer: JobServers to Enable Secure Communication

Navigate to the JobServers page of the TaskServer (http://localhost:23000/ServerAdmin/JobServers.tml). This page sets the “username” and “password” the TaskServer uses to communicate with the JobServer.

../../_images/image00411.png