> All sites typically configure their servers to require some kind of authentication irrespective of what is being sent on the wire (e.g. TPC). If that is the case, then clearly, server to server communications need to authenticate as well.

Understood - is there a way to specify within the xrootd configuration, that only for TPC being on the wire, a different sec.protocol is being applied? I don't find that in the documentation.
If there is no way yet, would this be a useful new feature?

Otherwise, I don't see how Grid use cases can be covered securely as things are now. The straightforward solution would be to enable "unix", which is not safe - a secure way would be to give all servers robot certificates in addition to their hostcerts. Of course, the final path to use is not a problem of xrootd, but rather something DDM should figure out and solve.

