The OSPool will be reconfigured to move to use the HTCSS defaults of requiring secure channels (i.e., setting authentication, integrity, and encryption to REQUIRED). One roadblock in this transition is how to query 3rd party APs. We will use SSL for most of these APs. The frontend config (/var/lib/gwms-frontend/vofrontend/frontend.condor_config) currently has:
# Allow IDTOKENS and GSI, except for AP querying where SSL is also allowed
SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, GSI
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS), SSL
SEC_DEFAULT_AUTHENTICATION = REQUIRED
FWIW, I think that SSL auth is automatically added to the list of SEC_CLIENT_AUTHENTICATION_METHODS if the HTCSS defaults are untouched, but it doesn't hurt to make this explicit.
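As an added example (not part of the original post, and not GlideinWMS or HTCSS code), this Python script resolves the settings quoted above so the effective client-side method list and channel requirements can be checked. It uses a simplified model of `$(MACRO)` expansion and of the `SEC_<context>_*` to `SEC_DEFAULT_*` fallback; the function names and the `UNSET` marker are assumptions of this example.

```python
import re

# Constructed sample: the four settings quoted in the post above.
FRONTEND_CONFIG = """\
# Allow IDTOKENS and GSI, except for AP querying where SSL is also allowed
SEC_DEFAULT_AUTHENTICATION_METHODS = IDTOKENS, GSI
SEC_CLIENT_AUTHENTICATION_METHODS = $(SEC_DEFAULT_AUTHENTICATION_METHODS), SSL
SEC_DEFAULT_AUTHENTICATION = REQUIRED
"""

MACRO = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")

def parse(text):
    """Return {NAME: raw value}; names are case-insensitive, later lines win."""
    knobs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        knobs[name.strip().upper()] = value.strip()
    return knobs

def expand(knobs, name, seen=()):
    """Expand $(NAME) references at lookup time; None if the knob is unset."""
    name = name.upper()
    if name in seen:
        raise ValueError(f"circular macro reference: {name}")
    if name not in knobs:
        return None
    sub = lambda m: expand(knobs, m.group(1), seen + (name,)) or ""
    return MACRO.sub(sub, knobs[name])

def effective(knobs, context, feature):
    """SEC_<context>_<feature>, else SEC_DEFAULT_<feature> when unset."""
    value = expand(knobs, f"SEC_{context}_{feature}")
    return value if value is not None else expand(knobs, f"SEC_DEFAULT_{feature}")

def audit(text, context="CLIENT"):
    """UNSET means 'not set in this file': the value comes from elsewhere."""
    knobs = parse(text)
    methods = effective(knobs, context, "AUTHENTICATION_METHODS") or ""
    report = {"methods": [m.strip().upper() for m in methods.split(",") if m.strip()]}
    for feature in ("AUTHENTICATION", "INTEGRITY", "ENCRYPTION"):
        value = effective(knobs, context, feature)
        report[feature.lower()] = value.upper() if value else "UNSET"
    return report

if __name__ == "__main__":
    print(audit(FRONTEND_CONFIG))
```

For the quoted file, only authentication is pinned to REQUIRED; integrity and encryption are reported as UNSET, meaning their values depend on configuration outside this file.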
We are suggesting changing this to: