
Hi Derek,

When it comes to xrootd you can run everything on one port, doesn't matter
as it sorts things out. So, yes GSI and TLS are considered independent.
Well, to the extent you configure it that way. GSI can run over TLS but
that's overkill and just introduces latency. So, you have the option to
tell the server I need to use TLS but after authentication. That way, GSI
runs its own TLS session to authenticate and then the server switches to
general TLS afterwards. Look at the xrootd.tls directive:

https://xrootd.slac.stanford.edu/doc/dev50/xrd_config.htm#_Toc38663875

Andy


On Tue, 28 Apr 2020, Derek Weitzel wrote:

> Hi Andy,
>
> Thank you for the clarification.  The part I missed was the "if a server requires TLS, the client will switch to TLS".  That's what I wanted.
>
> My goal is to transition a GSI XCache infrastructure to a scitokens + TLS infrastructure.  The easiest path would be for all caches and origins to understand all protocols on the same port.  Can XRootD support GSI and TLS on the same 1094 port?
>
> Thanks very much for your help.
>
> - Derek
>
>
>
>> On Apr 28, 2020, at 2:27 PM, Andrew Hanushevsky <[log in to unmask]> wrote:
>>
>> Hi Derek,
>>
>> Frankly, if you don't apply security for the redirector (which most places do not) there is no reason to use TLS. If you do apply security, think what harm might occur in a MIM attack or somebody snooping on the connection. Likely, it's a very low risk. If you are comfortable with that risk, then there is no reason to enable TLS for a redirector. Otherwise, yes, you would use xroots but at the moment there is no fallback so if the redirector doesn't talk TLS you will fail which, frankly, in the https world is common practice. Please note that if the redirector sends you off to a server that needs TLS then you will automatically get TLS no matter what. Same for the redirector if it requires TLS you will get it. That allows you to keep the config file as is and get TLS when it is required.
>>
>> Andy
>>
>>
>> On Tue, 28 Apr 2020, Derek Weitzel wrote:
>>
>>> Just some TLS deployment questions:
>>>
>>> - Do the redirectors also need to be TLS enabled?  I presume yes.  For caching, the pss.origin should list the redirector like:
>>> pss.origin xroots://redirector.example.com
>>>
>>> - When the origin is a redirector, does the cache then connect to the data server with TLS?
>>>
>>> - Can the redirector run both non-TLS and TLS at the same time?  Is that on the same port?
>>>
>>> - Derek
>>>
>>> ########################################################################
>>> Use REPLY-ALL to reply to list
>>>
>>> To unsubscribe from the XROOTD-L list, click the following link:
>>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
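The server and cache arrangement Andy describes, written out as a pair of configuration fragments. This is an added example, not part of the thread and not taken from the XRootD documentation: the data server keeps GSI as an ordinary sec.protocol entry, advertises TLS on the same 1094 port, and requires TLS only for what follows the login phase, so GSI completes its own handshake first and the session then switches to general TLS; the cache points pss.origin at the redirector with xroots://. Hostnames and certificate paths are placeholders, and the xrootd.tls keywords (all, login, session, data) are given as I recall them from the 5.x reference and must be checked against the xrootd.tls section linked above before use.

```text
# --- origin / data server (xrootd.cf) ------------------------------------
# One port for everything; the server sorts out GSI-only, TLS-after-login
# and fully TLS'd clients itself.
xrd.port 1094

# Certificate and key presented for TLS, plus the CA directory.
# Paths are placeholders (assumption: typical grid-security layout).
xrd.tls /etc/grid-security/xrd/xrdcert.pem /etc/grid-security/xrd/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates

# GSI stays a normal security protocol. It runs its own TLS handshake
# to authenticate, in the login phase, on the same port.
sec.protocol /usr/lib64 gsi -certdir:/etc/grid-security/certificates

# Overkill variant: require TLS for the login phase as well, so the GSI
# handshake ends up nested inside an outer TLS session (extra latency).
#xrootd.tls all

# Variant matching the advice in the thread: require TLS for the session
# and data path but not for the login itself (keywords are an assumption
# from memory of the xrootd.tls reference; verify against the linked doc).
# A client that connects without TLS is told to switch once it is required.
xrootd.tls session data

# --- cache (xcache) ------------------------------------------------------
# Reach the redirector over xroots:// so the redirector hop is protected.
# Note: there is no fallback; if the redirector does not speak TLS this
# fails. Servers the redirector points us to that require TLS get TLS
# automatically regardless of the scheme used here.
pss.origin xroots://redirector.example.com:1094
```

The two xrootd.tls lines are the choice the thread turns on: with `all`, GSI is carried inside TLS that was already negotiated at login; with `session data`, the login phase stays as it is today for existing GSI clients, and only the traffic after authentication is wrapped. A redirector that applies no security can be left without xrd.tls entirely, and clients will still get TLS from any data server that requires it.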