Introduce a Cosign Service

Description

Complete the introduction of the Cosign/WebLogin service to replace KX509 for web authentication.

Customer

Ourselves.

Case

See: http://www.dice.inf.ed.ac.uk/groups/infrastructure/authorisation/cosignproposal.html

Deliverables

A production Cosign and web login service configured and managed via LCFG. A test client service demonstrating usage. Documentation describing how to Cosign-enable a service.

Timescale

Originally planned for the end of January 2006, this has slipped badly. No external time pressure.

Proposal

  * Provide two servers running Cosign. The servers should replicate between each other using Monster. One server is to be in the central area and one at JCMB.
  * Set up the service to distribute load between the servers using DNS round robin.
  * Allow KX509 authenticated clients to pass through.
  * Create suitable LCFG components, headers and configuration to manage the service.
  * Provide the web login service (for connections not already authenticated).
  * Provide a sample client service (that was using KX509 previously).
  * Provide documentation for using Cosign.
  * Do sufficient robustness testing to qualify as a production service.

Risks

Need to be careful with the security of the servers.

Need to ensure service is robust before wider deployment/usage.

Additional work is needed to support Cosign for all services.

Some user re-training work (and altered documentation) required.

Dependencies

This project has no dependencies. Some projects may be waiting on a production Cosign service.

Management

Infrastructure Unit manager (George Ross).

Resources

Suitable server hardware has already been purchased and deployed. It should be possible to piggy-back these on existing Infrastructure Unit UPSes.

Cosign, KX509, SSL certificate, Apache and LCFG expertise is required.

Plan

Note that most of this project is already complete, so the following is only documenting the remaining steps.

  1. Upgrade to the latest version of Cosign. Note that this may have a bearing on some of the following steps.
  2. Fix the SSL certificate redirect/alias problem - this may require patching the original Cosign source.
  3. Implement a dynamic services list (via LCFG by extending the existing spanning map).
  4. Create a documentation web page, including sample configuration for adding a Cosign service (in the profile this is achieved with a header, but Apache configuration is also required). Include links to the existing sample service.
  5. Do failover tests and check replication is working (logs suggest it is, but testing what happens when one server breaks has not been done yet).
  6. Rebrand the Login/Services web pages for Informatics.
  7. Advertise within COs and do some further robustness testing.
  8. Convert a suitable live service to Cosign and evaluate.

Time

Two full time weeks.

Priority

This was already a high priority; it should be even more so now that it has slipped so much.

Topic revision: r2 - 12 Sep 2006 - 10:53:29 - GeorgeRoss
 