UNICORE/X Service Reference Card

Functional description

The UNICORE/X server is the central component in UNICORE, hosting the web services and interfacing to the target resource (batch system, file system) through the XNJS/TSI components. At a typical execution site, the services provided are:

  • job submission and management
  • file system access (on the target resource, e.g. cluster)
  • file transfer services

Daemons running

The UNICORE/X server is a single process.

Init scripts and options (start|stop|restart|...)

The service can be started with /etc/init.d/unicore-unicorex {start|stop|restart}

Configuration files location with example or template

The config files are located in /etc/unicore/unicorex. Example files are provided.

  • wsrflite.xml : keystore/truststore locations and passwords, gateway location, host/port, deployed web services, service persistence configuration
  • uas.properties : some service container configuration (registries, startup code, etc.), AuthZ attribute source configuration
  • xnjs_legacy.xml : target system access configuration, TSI host/port, config options
  • simpleidb : installed applications, target system configuration (resources)
  • xacml2Policies/*.xml : XACML security policy files
  • logging.properties : log4j logging configuration

Logfile locations (and management) and other useful audit information

Log files are written to /var/log/unicore/unicorex/. By default the log files are rolled over daily. Details can be controlled in the logging.properties file.

Open ports

  • the web server port, configured in the wsrflite.xml file (default: 7777).
  • the TSI listener port, configured in the xnjs_legacy.xml file (default: 7654).

Possible unit test of the service

Unit tests are part of the build procedure and executed automatically. To test the installed server, the UNICORE command line client can be used.

Where is service state held (and can it be rebuilt)

Service state is held in a configurable database. By default, the data is kept on the file system (using an embedded database engine) in /var/lib/unicore/unicorex. Other options can be configured, for example a MySQL database.

Cron jobs

N/A

Security information

Access control Mechanism description (authentication & authorization)

Users are authenticated by the UNICORE gateway. Authorization is performed by UNICORE/X in the following way:
  • based on the user's identity, authz attributes are fetched from the configured sources
  • based on these attributes, an XACML callout is made to check that the current operation (web service call) is allowed
  • if not allowed, an "Access denied" fault is thrown

How to block/ban a user

Revoke the certificate. It is also possible to ban a user by removing his/her attributes from the configured attribute sources (e.g. XUUDB).

Network Usage

UNICORE/X will connect to
  • UNICORE gateway(s)
  • AuthZ attribute services (UVOS, XUUDB, SAML-VOMS) depending on configuration
  • the Perl TSI daemon (depending on configuration)
  • For file transfers, UNICORE/X needs to connect to gateways at other sites, and thus needs to be able to make outbound connections

Firewall configuration

  • see above for outbound connections

Security recommendations

Do not run as root.
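
A check that follows from this card, given as an added example (not part of the UNICORE distribution): it flags wsrflite.xml if other users can read it, since it stores the keystore passwords, flags world-writable files under the configuration directory (which includes the XACML policies), and flags a UNICORE/X process owned by root. The root-prefix argument, the saved process listing and matching the server by the string "unicorex" in its command line are assumptions.

```shell
#!/bin/sh
# Added example, not UNICORE code. Paths are the ones listed on this card.
CONF_DIR=etc/unicore/unicorex   # taken relative to a root prefix (assumption)

# other_can_read PATH: succeeds if the "other" read bit is set on PATH.
other_can_read() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ]
}

# root_owned_server: reads "USER ARGS..." lines (ps -eo user=,args=) on stdin;
# succeeds if a root-owned line mentions unicorex (assumed process marker).
root_owned_server() {
    awk '$1 == "root" && /unicorex/ { found = 1 } END { exit !found }'
}

# audit_unicorex ROOT PS_FILE: prints one FINDING line per problem,
# succeeds only when there are none.
audit_unicorex() {
    root=${1%/}; ps_file=$2; findings=0
    # wsrflite.xml stores keystore/truststore passwords.
    if other_can_read "$root/$CONF_DIR/wsrflite.xml"; then
        echo "FINDING: wsrflite.xml is readable by other users"
        findings=$((findings + 1))
    fi
    # World-writable config (including xacml2Policies/*.xml) lets any local
    # user change the authorization policy.
    ww=$(find "$root/$CONF_DIR" -type f -perm -0002 2>/dev/null || true)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/FINDING: world-writable: /'
        findings=$((findings + 1))
    fi
    # "Do not run as root."
    if root_owned_server < "$ps_file"; then
        echo "FINDING: a UNICORE/X process is running as root"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Live use on the server:
#   ps -eo user=,args= > /tmp/ps.txt; audit_unicorex / /tmp/ps.txt
```

Passing a staged directory as the first argument runs the same checks against a copy of the configuration instead of the live system.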

Security incompatibilities

None known.

Other security relevant comments

n/a

Utility scripts

n/a
Topic revision: r4 - 2011-07-21 - BerndThomasSchullerExCern
 