Security
Security
Sorry, nothing is here yet!
Sorry, this page hasn’t been filled in yet. This placeholder only exists so that links will work. Hopefully there will be something here soon!
Globus Web and API
All end-user access to Globus happens via the Globus web site, which is secured by 2048-bit RSA. TLS 1.1 and 1.2 are the only supported protocols. SSL Labs gives the Globus web site an A rating.
API accesses related to authentication go to auth.globus.org
, which is
secured by 2048-bit RSA. TLS 1.0 through 1.2 are supported. SSL Labs gives
the endpoint an A rating.
API accesses related to endpoints and data transfer go to
transfer.api.globus.org
, which is secured by 2048-bit RSA. TLS 1.0 through
1.2 are supported, and SSL Labs currently caps the API endpoint’s rating at
B,
due to the use of weak Diffie-Hellman key exchange parameters (also known as
the Logjam attack).
TODO: CILogon authentication for logging in
TODO: Any way client-side to require TLS 1.1+ ?
GridFTP Control
The GridFTP server running on the endpoint accepts control connections from Globus only.
The endpoint_cert
API returns a 2048-bit RSA key, along with a minimal
certificate (in that it is lacking any X.509 extended attributes). The
certificate is SHA-256-signed, and lasts for nine years. It is signed by
Globus’ “Globus Connect CA 3” CA.
The “Globus Connect CA 3” certificate is embedded in the
globus-connect-server
package, and can be viewed on GitHub.
If sharing is enabled, the “Transfer CA 2 Alpha” certificate is installed,
again using the certificate built in to the globus-connect-server
package,
and which is available on GitHub.
TODO: Certs for user identification.
GridFTP Data
legacy MyProxy
MyProxy OAuth
CILogon
When using CILogon, proxy certificates are issued by the “CILogon Basic CA 1”
or by the “CILogon Silver CA 1” certificates. Both CA certificates are built
in to the globus-connect-server
package, and are available on GitHub (for
both
basic
and
silver).
Both CAs may also be independently downloaded from CILogon
directly.
CILogon certificates are often valid for days, so when an endpoint trusts
CILogon for authentication, globus-connect-server-setup
installs two hourly
cron jobs, each of which downloads the latest CRL for one of the CAs.
More Details
GridFTP Security
Regarding the endpoint_cert
API, you can try it yourself using the
globus-sdk
package and the
following demo code:
The API is called by configure_credential
in globus.connect.server
.
The “Globus Connect CA 3” certificate is installed as part of configure_trust_roots
, which is also in globus.connect.server
.
CILogon
The two CILogon CA certificates are installed as part of configure_trust_roots
, which is also in globus.connect.server
. That is also where the CRL-download cron job is defined.