[Nsi-wg] Setting up SSL/TLS

Henrik Thostrup Jensen htj at nordu.net
Thu Nov 24 06:13:07 CST 2011


Hi

As promised just a short introduction to this.

Some terminology:

SSL: Secure Socket Layer
TLS: Transport Layer Security (mostly a new name for SSL)
HTTPS: HTTP over SSL/TLS

Versions:
SSLv2 is deprecated.
SSLv3 and TLS 1.0 are quite similar, but not quite the same.
TLS 1.1 and 1.2 still have very sporadic support.
SSLv3 and TLS 1.0 are the common thing used today. Don't worry too much 
about the SSL/TLS name; it is protocol-negotiable along with ciphers, etc., 
and will most likely take care of itself.

To authenticate, a certificate must be used. The typical setup on the www is 
that only the service has a certificate, so the client can authenticate 
the service, but not the other way around (this has to be done via some 
other means then). For NSI, the client should also have a certificate such 
that both parties can be identified.

Getting a "real" certificate, i.e., one signed by a proper certificate 
authority (CA) can be a bit tricky. There are commercial providers (costs 
money), but often research institutions and NRENs can get them through 
Terena or through a grid CA (which would be part of IGTF - The 
International Grid Trust Federation). If this turns out to be difficult, 
one can make a self-signed certificate, but this is probably not what you 
want for production.

Regarding authorization, it is usually possible to make a setup where no 
checking is done on the CA or the identity of the certificate. This can be 
a good way to start, but again, not something suited for production. 
Usually one will have a set of trusted CAs, and a list of identities which 
are authorized (possibly with some policy on the side). In the Java world 
the CAs are traditionally kept in what's called a keystore, but in many 
other systems it is just a directory with the CA files.

How to set up and implement this will vary greatly depending on your 
system, so I can't provide any details on this, but most HTTP servers 
support it. Otherwise a proxy such as NginX can be used in front of 
the service. Similarly you will also have to support https on your client. 
In fact, this can be a good place to start, as your client will then be 
able to make requests to https services. For now, I strongly suggest using 
a client which can do both http and https, in order to ease the 
transition.
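As an added illustration (not code from Henrik's mail or from the NSI project), the following Python snippet shows the two-sided setup described above in terms of the standard ssl module: a server context that requires a client certificate chaining to a CA in a trust directory, a client context that presents its own certificate, and a separate authorization step that checks the verified peer identity against an allow list. All paths, identity names and the sample certificate dicts are constructed placeholders; the dicts mimic the shape returned by SSLSocket.getpeercert() after a successful handshake.

```python
import ssl
from typing import Optional, Tuple

# Constructed allow list: subject DNs of the peers (in NSI terms, the NSAs)
# that may talk to this service, written in OpenSSL "oneline" style.
AUTHORIZED_IDENTITIES = {
    "/C=DK/O=Example NREN/CN=nsa.example.net",
    "/C=NL/O=Example NREN 2/CN=aggregator.example.org",
}

# Constructed list of CAs whose certificates this service accepts. The CA
# files themselves would sit in the directory handed to trust_ca_directory().
TRUSTED_ISSUERS = {
    "/C=DK/O=Example NREN/CN=Example NREN CA",
}

# Placeholder paths (assumptions, not real files on any system).
SERVER_CERT, SERVER_KEY = "/etc/nsi/server.pem", "/etc/nsi/server.key"
CLIENT_CERT, CLIENT_KEY = "/etc/nsi/client.pem", "/etc/nsi/client.key"
CA_DIR = "/etc/nsi/ca-certificates"  # PEM files named by hash (openssl rehash)


def make_server_context() -> ssl.SSLContext:
    """Server policy: the client must present a certificate that chains to a
    trusted CA. With the default CERT_NONE the handshake completes without any
    client identity at all, which is the 'no checking' setup that is fine to
    start with but not for production."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Protocol version and ciphers are left to negotiation, as the mail suggests.
    return ctx


def requires_client_certificate(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects peers that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def trust_ca_directory(ctx: ssl.SSLContext, ca_dir: str) -> None:
    """Point the context at a directory of CA certificates, the non-Java
    equivalent of a keystore."""
    ctx.load_verify_locations(capath=ca_dir)


def make_client_context(ca_dir: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Client side of the same setup: verify the service against the trusted
    CAs and present our own certificate so the service can identify us."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, capath=ca_dir)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def dn_string(name: Tuple) -> str:
    """Flatten the nested RDN tuples getpeercert() uses for 'subject' and
    'issuer' into /C=.../O=.../CN=... form."""
    short = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
             "organizationName": "O", "organizationalUnitName": "OU",
             "commonName": "CN"}
    parts = [f"{short.get(attr, attr)}={value}" for rdn in name for attr, value in rdn]
    return "/" + "/".join(parts)


def authorize(peer_cert: Optional[dict]) -> Tuple[bool, str]:
    """Authorization on top of a verified handshake: is this identity allowed?
    The issuer check is a second line of defence for trust directories that
    hold more CAs (e.g. a whole federation bundle) than this service should
    accept; chain validation itself already happened in the handshake."""
    if not peer_cert:
        return False, "no client certificate presented"
    issuer = dn_string(peer_cert.get("issuer", ()))
    if issuer not in TRUSTED_ISSUERS:
        return False, f"issuer not in trusted CA list: {issuer}"
    subject = dn_string(peer_cert.get("subject", ()))
    if subject not in AUTHORIZED_IDENTITIES:
        return False, f"identity not authorized: {subject}"
    return True, subject


# Constructed sample peers in the shape SSLSocket.getpeercert() returns.
_ISSUER = ((("countryName", "DK"),), (("organizationName", "Example NREN"),),
           (("commonName", "Example NREN CA"),))
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "DK"),), (("organizationName", "Example NREN"),),
                (("commonName", "nsa.example.net"),)),
    "issuer": _ISSUER,
}
UNKNOWN_PEER_CERT = {
    "subject": ((("countryName", "DK"),), (("organizationName", "Example NREN"),),
                (("commonName", "other.example.net"),)),
    "issuer": _ISSUER,
}

if __name__ == "__main__":
    # Real deployments build the contexts with the real paths:
    #   srv = make_server_context(); trust_ca_directory(srv, CA_DIR)
    #   srv.load_cert_chain(SERVER_CERT, SERVER_KEY)
    #   cli = make_client_context(CA_DIR, CLIENT_CERT, CLIENT_KEY)
    for cert in (SAMPLE_PEER_CERT, UNKNOWN_PEER_CERT, {}):
        print(authorize(cert))
```

The split matters: the ssl context answers "is this certificate genuine and issued by someone I trust?", while authorize() answers "is this particular identity allowed to use the service?". Relaxing the first (CERT_NONE) is the quick-start mode the mail mentions; skipping the second means every holder of a certificate from any trusted CA is let in.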

Once you have acquired a certificate, please update this page 
http://code.google.com/p/ogf-nsi-project/wiki/Certificates.

Furthermore send the new endpoint of your service to master of the 
topology file (Jerry), so he can update the topology with the new 
endpoint.

I hope this gives some overview and pointers on how to start. It should 
not be that difficult.


     Best regards, Henrik

  Henrik Thostrup Jensen <htj at ndgf.org>
  NORDUnet / Nordic Data Grid Facility.

