Security TID (Now superceded)
Original NDG2 Key Integration Milestones
- Initiation Stage (Sept-Dec 2005): Completed. NDG 1 Security is a working prototype installed at BADC and BODC.
- Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]
- Alpha Development and Testing Stage (Jan-July 2006) :
- H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006]
- Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]
- Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]
- Integration with Data Extractor [1 May 2006]
- Role Mappings finalised for all data centres [30 June 2006]
- Security Integration: installation of version 1.0 at all sites [31 July 2006]
- Beta Development and Testing Stage (Aug-Jan 2007)
- Production System Implementation Stage (Feb-June 2007)
- Reporting and Futures Planning (July-Sept 2007)
Integration Dependencies
- BADC User database and user roles <-> Attribute Authority
- PML User database and user roles <-> Attribute Authority
- NOSC User database and user roles <-> Attribute Authority
- PERMIS – authorisation system
- THREDDS system (external)
- NCAR (external)
- World Data Centre for Climate (external)
Internal Development Stages
- Initiation Stage [Sept-Dec 2006]:
- NDG 1 Security working prototype installed at BADC and BODC [Completed Nov 2005]
- Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]
- Prototype Enhancements 1 [20 Dec 2005]:
- [DEFINITE] XML Encryption – allow encryption of NDG security message content between web services where required [3 days].
- [DEFINITE] Session Manager request forwarding – allow local Session Manager to forward browser client requests to the Session Manager where the user’s session resides [3 days].
- Alpha Development and Testing Stage [Jan-July 2006]:
- Prototype Enhancements 2 [30 June 2006]:
- [DEFINITE] Cross domain cookies – Problem: NDG must work across the domains of the different participating data centres. However, a given cookie is only visible to the domain in which it was set. Look into solutions and following analysis, implement the best. [2 weeks].
- [DEFINITE] Attribute Authority WS has method getTrustedHosts to allow user to see which hosts a data centre trusts to help when they are trying to get authorisation for a given data set [2 days].
- [DEFINITE] Session Manager SimpleCA Web Services - functionality for certificate revocation [1 week].
- H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security[20 Jan 2006]
- Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]:
- [DEFINITE] Liaise with data centres (NOCS and PML) to establish user roles (BADC and BODC have roles set up).
- [MAYBE] Meeting with data centres to discuss roles [1 day]
- [DEFINITE] Data Centres (NOCS and PML) create list of user roles for their data [1 week each]
- Write NOCS and PML roles<–>Attribute Authority interface python plug-ins. [1 week]
- Pre-installation preparation [31 January 2006]:
- [MAYBE] Installation script – builds Python libraries from C source code. This may not be necessary if binary install will work [1 week]
- [DEFINITE] Installation Guide Complete [1 week]
- Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]:
- [DEFINITE] Upgrade BADC system from NDG prototype to latest version [1 week]
- [DEFINITE] Upgrade BODC system from NDG prototype to latest version [1 week]
- [DEFINITE] Install system at NOCS [1 week]
- [DEFINITE] Install system at PML [1 week]
- DataDeliveryService – component for matching user authorisation roles with those of data and handling of data download [30 Apr 2006].
- [DEFINITE] Design and analysis - sequence diagrams and use cases to aid analysis as required [1 week]
- [DEFINITE] Implementation [2 weeks]
- [DEFINITE] Integration testing with BADC system [1 week]
- Logging Web Service (database or file based, with web service interface) [15 Apr 2006 – in time for DX integration].
- [DEFINITE] Requirements Document – gather requirements from whom? – data centres? [1 week]
- [DEFINITE] Analysis and design [1 week]
- [DEFINITE] Implementation [2 weeks]
- Integration with Data Extractor [1 May 2006]:
- [DEFINITE] Help Ag with integration [3 days]
- Role Mappings finalised for all data centres [30 June 2006]:
- [MAYBE] Meet with Data Centres to discuss roles and role mappings [1 day]
- [DEFINITE] Data Centres establish bilateral role maps between them [2 weeks]
- Security Integration: installation of version 1.0 at all sites [31 July 2006]:
- [DEFINITE] BADC [1 week]
- [DEFINITE] BODC [1 week]
- [DEFINITE] NOCS [1 week]
- [DEFINITE] PML [1 week]
- Beta Development and Testing Stage(Aug-Jan 2007):
- [DEFINITE] Updates to web front ends to include security infrastructure Administrators at each data centre 31 August 2006, 4 weeks each?
- [DEFINITE] system testing [31 August 2006, 4 weeks]
- [DEFINITE] bug fixes, changes and updates as required [4 weeks]
- Production System Implementation Stage (Feb-June 2007):
- Reporting and Futures Planning (July-Sept 2007): [The following activities organised under this milestone more by relevance to topic than suiting time constraint. These tasks could be shifted to earlier in the schedule as required]
- Using certificates from other CAs in NDG security:
- [MAYBE] Analysis – look into changes that would be needed – MyProxy behaviour etc.
- [MAYBE] Implement
- Java clients to Web Service Interfaces:
- [MAYBE] Write Java stub code for NDG Security Web Services [3 weeks]
- [MAYBE] In light of the above, review the WS interfaces and change as necessary – radical change to Document Literal rather than RPC style needed? [1 week]
- [MAYBE ] Aug - updates to BODC, NOCS and PML NDG Security s/w following possible changes to WS interfaces [2 weeks]
- PERMIS:
- [MAYBE] Investigate replacement of NDG authorisation system with PERMIS. [1 week]
- [MAYBE] Implement as of outcome of the above [7 weeks]
- Shibboleth:
- [MAYBE] Investigate Shibboleth <-> NDG interoperation [1 week]
- [MAYBE] Implement as of outcome of the above [5 weeks]
- THREDDS:
- [MAYBE] engineer a suitable interface to integrate with THREDDS authorisation [4 weeks]
- Look into Java implementation of NDG Security components:
- [MAYBE] Attribute Authority – update Neil Bennett’s existing version [3 weeks]
- [MAYBE] Session Manager – [4 weeks]
- [MAYBE] SimpleCA – [4 weeks]
- [MAYBE] ftpService – [4 weeks]
Issues
trusting external certificates (KNOWN CA’s)
- can we generate certificates for a session only?
- How to enable NDG security needs to be an early deliverable