XROOTD-L Archives

Support use of xrootd by HEP experiments

XROOTD-L@LISTSERV.SLAC.STANFORD.EDU

Subject:
From: Derek Weitzel <[log in to unmask]>
Reply To: Support use of xrootd by HEP experiments <[log in to unmask]>
Date: Tue, 28 Apr 2020 19:40:11 +0000
Hi Andy,



Thank you for the clarification.  The part I missed was the “if a server requires TLS, the client will switch to TLS”.  That’s what I wanted.



My goal is to transition a GSI XCache infrastructure to a scitokens + TLS infrastructure.  The easiest path would be for all caches and origins to understand all protocols on the same port.  Can XRootD support GSI and TLS on the same 1094 port?  



Thanks very much for your help.



- Derek







> On Apr 28, 2020, at 2:27 PM, Andrew Hanushevsky <[log in to unmask]> wrote:
>
> Hi Derek,
>
> Frankly, if you don't apply security for the redirector (which most places do not) there is no reason to use TLS. If you do apply security, think what harm might occur in a MIM attack or somebody snooping on the connection. Likely, it's a very low risk. If you are comfortable with that risk, then there is no reason to enable TLS for a redirector. Otherwise, yes, you would use xroots but at the moment there is no fallback so if the redirector doesn't talk TLS you will fail which, frankly, in the https world is common practice. Please note that if the redirector sends you off to a server that needs TLS then you will automatically get TLS no matter what. Same for the redirector if it requires TLS you will get it. That allows you to keep the config file as is and get TLS when it is required.
>
> Andy
>
> On Tue, 28 Apr 2020, Derek Weitzel wrote:
>
>> Just some TLS deployment questions:
>>
>> - Do the redirectors also need to be TLS enabled?  I presume yes.  For caching, the pss.origin should list the redirector like?:
>> pss.origin xroots://redirector.example.com
>>
>> - When the origin is a redirector, does the cache then connect to the data server with TLS?
>>
>> - Can the redirector run both non-TLS and TLS at the same time?  Is that on the same port?
>>
>> - Derek






########################################################################

Use REPLY-ALL to reply to list



To unsubscribe from the XROOTD-L list, click the following link:

https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1

