wiki:TI12_Security/NDG/UseCases/DataProviderDeployment

Version 1 (modified by pjkersha, 12 years ago)


Data Provider Deployment of NDG Security

Description

The steps required for a new data provider to deploy NDG Security

Actors

  • Data Provider
  • Data Provider systems administrator responsible for deployment
  • Data Provider stakeholders
  • NDG Security support representative - helps data provider with deployment
  • [Other NDG Data Provider systems administrators to negotiate role mapping agreements]
  • Data Provider Web Server
  • Attribute Authority WS
  • Session Manager WS
  • Gatekeeper WSs
  • Logging WS
  • MyProxy
  • Credential Repository Database

Assumptions

Triggers

A new data provider wants to enable NDG security for access control to their data.

Outcome

Data provider secures datasets with NDG security

Normal Course

  1. Review System Architecture (NDG security person to liaise with data provider systems administrator and other stakeholders)
  2. Analyse data provider's requirements - which NDG Security components are needed to satisfy the proposed use? (to be agreed between the data provider systems administrator and the NDG security support person). Issues to consider:
    1. Does the data provider need to control access to resources? - YES ->
      • deploy an Attribute Authority WS
      • deploy Gatekeeper WSs to control access to each resource
      • what other NDG components are to be deployed and how will they interface with NDG Security e.g. Data Extractor, Data Delivery tool, NDG Browse.
    2. Data Provider supports a list of users? - YES ->
      • deploy MyProxy - if so use NDG CA or alternative?
      • determine interface for user registration - web based or otherwise? When users are registered how long will their certificates be set to last?
      • Deploy NDG enabled user login - supports authentication redirect request from data provider resource in another host domain
    3. Is a roles mechanism in place to control access to resources? - YES ->
      • arrange to write a custom interface to the Attribute Authority to map username to role entitlement
      • custom interface for roles interface required?
    4. Is data to be shared with other NDG providers? - YES ->
      • deploy Attribute Authority WS
      • agree role mapping by liaising with other data providers about the roles they publish and what they mean
      • Publish a roles list for this data provider so that other NDG data providers can set up mappings to allow this data provider's users to access their resources
    5. Do they wish to support session management or browser based access to resources? - YES ->
      • deploy a Session Manager WS
      • user interface to user Credential Wallet - enable user to determine which Attribute Certificate to use to access which data.
    6. Is a Session Manager needed? - YES -> deploy a Credential Repository database
    7. Deploy Credential Repository? - YES -> deploy SQLObject supported database e.g. MySQL or PostgreSQL OR write custom data provider interface to database e.g. Oracle.
    8. Is system logging required? - YES -> deploy Logging WS.
  3. Determine Hardware requirements and system configuration
    1. Check for hardware available for NDG components.
      • NDG Security currently requires Redhat Enterprise AS3 / AS4
      • Note requirements for MyProxy
      • Judge requirements based on expected traffic to data provider site and data provider security policy and any NDG wide security policies.
    2. Identify target machine(s) - considering the security implications: MyProxy holds user public/private keys, and the Credential Repository database stores the Attribute Certificates cached for user sessions
    3. Identify web server to deploy security WSDLs
    4. What budget is available for new hardware?
    5. Consider firewall configuration - run components inside or outside firewall?
      • MyProxy must be inside
      • Session Manager inside?
        • NO -> an opening in the firewall is required for the Session Manager's port
        • YES -> the connection between it and the Credential Repository must be secure
      • Likewise Attribute Authority inside?
        • YES -> connection to the data provider's user-to-roles interface must be secure e.g. connection to data provider user database?
        • NO -> an opening in the firewall is required for the Attribute Authority's port
      • Firewall and any data provider web proxy settings must enable services of other data providers to be visible e.g. the Attribute Authority of a trusted host when brokering a user mapped Attribute Certificate
  4. Purchase new hardware as required e.g. a dedicated server for MyProxy?
  5. Install NDG security components on target hardware
  6. Install security WS WSDLs and NDG enabled login CGI on web server
  7. Deploy NTP for synchronisation of certificate issue and expiry times between different NDG security enabled hosts.
  8. Education and training - for data provider users and data administrators
  9. Determine ongoing maintenance strategy - NDG security is a living system which requires monitoring and updates.