UNICORE Gateway Service Reference Card

Functional description

The UNICORE gateway is an authenticating web proxy service for web service requests (SOAP messages) and normal HTTP traffic.

Typically it is the only UNICORE service that must be accessible from outside the site firewall.

It consists of a web server that receives client requests, authenticates the client, adds client X509 information to the SOAP message in the form of a SAML assertion, and forwards the message to the target service. The reply from the target service is sent back to the client.

For example, if the gateway is running on myhost:8080, a request to https://myhost:8080/CLUSTER/test will be processed as follows

• the gateway checks that the client is trusted, i.e. has a certificate issued by a trusted CA
• the gateway checks its connections table for a host named "CLUSTER"
• if found (say CLUSTER is configured to be https://cluster:7700 the request will be forwarded to https://cluster:7700/test
• if it is a SOAP message, the gateway will create and insert a SAML assertion containing the X509 certificate chain of the client

Daemons running

The gateway is a single web server.

Init scripts and options (start|stop|restart|...)

The service is started and stopped using shell scripts in the bin/ folder of the installation.

If installed via a Linux distribution package, e.g. RPM or .deb, then the service can be started with /etc/init.d/unicore-gateway {start|stop|restart}.

Configuration files location with example or template

Configuration files are in the conf/ folder of the installation.

• security.properties : contains keystore/truststore locations and passwords
• gateway.properties : contains basic information such as network interface and port, and basic configuration options
• logging.properties : log4j config file for controlling the logging
• connection.properties : contains the names, hosts and ports of the target services

If installed via a Linux distribution package, e.g. RPM or .deb, then the configuration files are located in /etc/unicore/gateway.

Logfile locations (and management) and other useful audit information

Logfiles are by default placed in the logs/ directory in the installation, and rolled over daily. Details can be controlled in the logging.properties file.

If installed via a Linux distribution package, e.g. RPM or .deb, then the log files will be located in /var/log/unicore/gateway, which is writable by the unicore user created when installing the package.

Open ports

One single open port, configured in the gateway.properties file (default: 8080)

Possible unit test of the service

Unit tests are part of the build procedure and executed automatically.

Where is service state held (and can it be rebuilt)

The service is stateless.

Cron jobs

N/A

Security information

Access control Mechanism description (authentication & authorization)

Standard SSL. Optionally the gateway can be configured to accept Globus proxies. CRLs are supported.

How to block/ban a user

Revoke the certificate. CRL checking must be enabled to enforce this. As the Gateway merely authenticates users and lets anyone providing a valid certificate through, blocking users is not required at this level.

Network Usage

The gateway will connect to its configured target sites. Also target sites will connect to the gateway.

Firewall configuration

The gateway port has to be accessible from outside the firewall, i.e. the firewall must allow connections to the gateway. Also, it has to be accessible from inside the firewall.

Security recommendations

Do not run as root.

Security incompatibilities

None known.

List of externals (packages are NOT maintained by Red Hat)

n/a

Other security relevant comments

n/a

Utility scripts

n/a