Connectivity and Certificates

This document provides an overview of the network ports and certificates used by services operating on DataONE Coordinating Nodes.

Services and Ports

In summary:

Service Ports Secured By Using
LDAP 389 TLS Server FQDN Certificate (ENV_FQDN)
PostgreSQL 5432 SSL Server Wild Card Certificate (WILDCARD) (copy or link)
Hazelcast 5701, 5702, 5703 Firewall  
HTTP 80 No  
HTTPS 443 TLS Server Wild Card Certificate (WILDCARD)
Solr (v2) 8983 Uses apache TBD
Zookeeper (v2) 9983 SSL TBD
DataONE Services 443 TLS Client NodeID Certificate (ENV_CLIENT)
Portal-CILogon 443 TLS Public key for CILogon (CILOGON_KEY)

LDAP TLS

Port:389
Firewall:Open to CNs only

OpenLDAP is used primarily to synchronize information about Member and Coordinating nodes across the Coordianting Nodes. See the dataone-os-core buildout under /user/share/dataone-cn-os-core/debian/ldap for details. The slapd configuration file is /etc/ldap/slapd.conf and contains the following references to certificates and keys:

TLSCACertificateFile  /etc/ssl/certs/{ENV_CHAIN}.crt
TLSCertificateFile    /etc/dataone/client/certs/{ENV_FQDN}.pem
TLSCertificateKeyFile /etc/dataone/client/private/{ENV_FQDN}.key

For eache of the syncRepl entries:

tls_cacert=/etc/ssl/certs/{ENV_CHAIN}.crt
tls_cert=/etc/dataone/client/certs/{ENV_FQDN}.pem
tls_key=/etc/dataone/client/private/{ENV_FQDN}.key

PostgreSQL

Port:5432
Firewall:Open to CNs only

PostgreSQL is used by the Metacat and Portal applications. The Portal application relies on Postgres mirroring of session state information to ensure user experience consistency across the Coordinating Nodes. See the PostgreSQL documentation for more information.

/var/lib/postgresql/9.1/main/server.crt
/var/lib/postgresql/9.1/main/server.key

The server.crt is a copy of the Server Wild Card Certificate (WILDCARD), similarly for the key.

Note

Can we just symlink these to the actual certificate files?

Hazelcast

Port:5701 Storage cluster, group “DataONE”
Port:5702 Processing cluster, instance “hzProcessInstance”, group “hzProcess”
Port:5703 Portal cluster, group “DataONE”
Firewall:Open to CNs only

The storage cluster runs on port 5701 and is configured in:

/etc/dataone/storage/hazelcast.xml

The processing cluster runs on port 5702 and is configured in:

/etc/dataone/process/hazelcast.xml

which gleans values for many of the properties from:

/etc/dataone/process/dataoneHazelcast.properties

The portal cluster runs on port 5703 and is configured in:

/etc/dataone/portal/hazelcast.xml

Apache HTTPS

Port:80, 443
Firewall:Open to anywhere, additional restrictions by apache config.

The Apache HTTP server provides the HTTP(S) service for Coordinating Nodes and services all DataONE client interactions. This service is Internet facing, and provides a layer of isolation between the Internet and applications running under Tomcat or other containers. All DataONE services operate through HTTPS which on the Coordinating Nodes, is configured to use the Server Wild Card Certificate (WILDCARD) certificate to establish secure communications. The service is configured primarily through two files:

/etc/apache2/mods-enabled/ssl.conf

and:

/etc/apache2/sites-enabled/cn-ssl

which contains the following certificate references:

SSLCertificateFile      /etc/ssl/certs/{WILDCARD}.crt
SSLCertificateKeyFile   /etc/ssl/private/{WILDCARD}.key
SSLCertificateChainFile /etc/ssl/certs/{WILDCARD_CHAIN}.crt
SSLCACertificateFile    /etc/ssl/certs/{ENV_CHAIN}.crt

The SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile entries are all used to establish TLS. The SSLCACertificateFile is used to verify the client certificate provided by clients when establishing authenticated connections.

Solr and Zookeeper (v2)

Note

These services are for Version 2.x infrastructure

Port:8983 (perhaps not, likely to be over apache 443)
Port:9983
Certs and locations TBD

DataONE Services

Port:443
Firewall:Open to anywhere. Additional restrictions by apache config.

Client certificate is used by various apps for communicating to CN services. The client cert and key:

/etc/dataone/client/certs/{ENV_FQDN}.pem
/etc/dataone/client/private/{ENV_CLIENT}.pem

Portal and CILogon

The portal application retrieves a user’s client certificate from CILogon after authentication. A public key is generated using the Server Wild Card Certificate (WILDCARD) certificate during the dataone-cn-portal installation process. See CILogon Portal Support.

Certificates

Several channels of communication must be secured on CNs to enable normal operations and interactions between local and remove systems. Different certificates, keys, and signing authorities are used.

Document Location Used By Description
ENV_CHAIN.crt /etc/ssl/certs/ LDAP, DataONE Services The certificate authority chain for the respective DataONE environment used to sign the Server FQDN Certificate (ENV_FQDN) and the Client NodeID Certificate (ENV_CLIENT).
ENV_FQDN.pem /etc/dataone/client/certs/ LDAP A certificate signed by the DataONE Certificate Authority of the respective environment. The subject of the certificate is the fully qualified domain name for the server.
ENV_FQDN.key /etc/dataone/client/private/ LDAP The key for the Server FQDN Certificate (ENV_FQDN).
WILDCARD.crt /etc/ssl/certs/ HTTPS, PostgreSQL, Portal-CILogon The wild card certificate is a commercially provided certificate with a subject that represents the wild card domain for the respective DataONE environment. For production this will be *.dataone.org and for test environments, this will be *.test.dataone.org.
WILDCARD.key /etc/ssl/private/ HTTPS, PostgreSQL The key for the Server Wild Card Certificate (WILDCARD).
WILDCARD_CHAIN.crt /etc/ssl/certs/ HTTPS, PostgreSQL, Portal-CILogon The certificate authority chain issued by the commercial provider of the WILDCARD certificate. Note that this may be different between production and test environments depending on the certificate provider and the timing of acquisition.
ENV_CLIENT.pem /etc/dataone/client/private/ DataONE Services The client certificate used to identify the node. The certificate subject is the nodeId, and the certificate is signed by the DataONE Certificate Authority (ENV_CHAIN) for the respective environment.
CILOGON_KEY.publickey /etc/ssl/certs/ Portal A public key used by the Portal application to retrieve the client certificate from the CILogon service once a user has authenticated.
CILOGON_KEY.pk8 /etc/ssl/private/ Portal The private portion of the public key used by the Portal application to retrieve the client certificate from the CILogon service once a user has authenticated.

Server Wild Card Certificate (WILDCARD)

The wild card certificate is a commercially provided certificate with a subject that represents the wild card domain for the respective DataONE environment. For production this will be *.dataone.org and for test environments, this will be *.test.dataone.org.

Test Environments

CA:Commercial provider
Chain:/etc/ssl/certs/geotrust_intermediate.crt
Certificate:/etc/ssl/certs/_.test.dataone.org.crt
Key:/etc/ssl/private/_.test.dataone.org.key

Production Environment

CA:Commercial provider
Chain:/etc/ssl/certs/geotrust_intermediate.crt
Certificate:/etc/ssl/certs/_.dataone.org.crt
Key:/etc/ssl/private/_.dataone.org.key

Checking the server certificate. You can save this script locally as “check_cn_certs” and execute it using the command:

ssh some.cn.address "bash -s"  -- < ./check_cn_certs

The following script will examine the known locations for certificates on the CN and check their status.

DataONE Certificate Authority (ENV_CHAIN)

The certificate authority chain for the respective DataONE environment used to sign the Server FQDN Certificate (ENV_FQDN) and the Client NodeID Certificate (ENV_CLIENT) certificates.

Test Environments

Chain:/etc/ssl/certs/DataONETestCAChain.crt

Production Environment

Chain:/etc/ssl/certs/DataONECAChain.crt

See the DataONE Certificate Authority project for more details.

Server FQDN Certificate (ENV_FQDN)

A certificate signed by the DataONE Certificate Authority (ENV_CHAIN) of the respective environment with the certificate subject being the fully qualified domain name for the server. This certificate is used by the LDAP service, which apparently does not accept a wild card certificate.

Example for cn-dev-unm-1.test.dataone.org

CA:DataONE Certificate Authority (ENV_CHAIN)
Chain:/etc/ssl/certs/DataONETestCAChain.crt
Certificate:/etc/dataone/client/certs/cn-dev-unm-1.test.dataone.org.pem
Key:/etc/dataone/client/private/cn-dev-unm-1.test.dataone.org.key

To generate the certificate:

# mount the encrypted volume
open ~/Projects/DataONE/data/Security/DataONE_certs_keys.sparseimage
cd ~/Projects/DataONE/Operations/ca

# Generate the certificate
FQDN="the.targetnode.fqdn"
./ca -c Test ${FQDN}


# Package and upload cert package
./publish_cert vieglais DataONETestIntCA/certs/cn-dev-unm-1.test.dataone.org-4.pem

# log on to cn-dev-unm-1.test.dataone.org, then
CERTNAME="cn-dev-unm-1.test.dataone.org-4"
FQDN=$(hostname -f)
TSTAMP=$(date +%Y%m%dT%H%M%S)
mkdir -p ~/private && chmod 0700 ~/private
cd private
scp project.dataone.org:/var/www/users/${USER}/${CERTNAME}.zip .
unzip ${CERTNAME}.zip
sudo mv /etc/dataone/client/certs/${FQDN}.pem /etc/dataone/client/certs/${TSTAMP}_${FQDN}.pem.bak
sudo mv /etc/dataone/client/private/${FQDN}.key /etc/dataone/client/private/${TSTAMP}_${FQDN}.key.bak

# Note that the .crt is renamed .pem
sudo cp ${CERTNAME}/${CERTNAME}.crt /etc/dataone/client/certs/${FQDN}.pem
sudo cp ${CERTNAME}/private/${CERTNAME}.key /etc/dataone/client/private/${FQDN}.key

Example for cn-ucsb-1.dataone.org

CA:DataONE Certificate Authority (ENV_CHAIN)
Chain:/etc/ssl/certs/DataONECAChain.crt
Certificate:/etc/dataone/client/certs/cn-ucsb-1.dataone.org.pem
Key:/etc/dataone/client/private/cn-dev-ucsb-1.dataone.org.key

Client NodeID Certificate (ENV_CLIENT)

Example for cn-dev-unm-1.test.dataone.org

CA:

DataONE CA

Chain:

/etc/ssl/certs/DataONETestCAChain.crt

Certificate:
/etc/dataone/client/private/urn:node:cnDevUNM1.pem
/etc/dataone/client/private/urn_node_cnDevUNM1.pem
Key:
/etc/dataone/client/private/urn:node:cnDevUNM1.pem
/etc/dataone/client/private/urn_node_cnDevUNM1.pem

Example for cn-ucsb-1.dataone.org

CA:

DataONE CA

Chain:

/etc/ssl/certs/DataONECAChain.crt

Certificate:
/etc/dataone/client/private/urn:node:CNUCSB1.pem
/etc/dataone/client/private/urn_node_CNUCSB1.pem
Key:
/etc/dataone/client/private/urn:node:CNUCSB1.pem
/etc/dataone/client/private/urn_node_CNUCSB1.pem

Public key for CILogon (CILOGON_KEY)

Generated by dataone-cn-portal buildout postinst script from the Wildcard Server Certificate.

Public Key:/etc/ssl/certs/_.test.dataone.org.crt.publickey
Key:/etc/ssl/private/_.test.dataone.org.key.pk8

See CILogon Portal Support.

Keystores

Keystores are secure areas that are well known to applications that need access to secure information. Keystores contain sensitive information and so must be afforded the appropriate protection through file system access permissions and other mechanisms where appropriate.

Two types of keystore are used by Coordinating Nodes: the file system and the Java keystore. It is necessary to store some security documents in both, and hence it is also necessary during maintenance procedures to ensure that the entries in both are consistent.

File System Keystore

Certificates and keys are stored on the file system in several places on coordinating nodes:

/etc/ssl/certs                 # Default location in Ubuntu
        /private

/etc/dataone/client/certs      # DataONE managed keys and certs
                   /private

/var/lib/postgresql/9.1/main/  # For postgres

Folders where keys are stored MUST be protected be appropriate permissions. For example, the default Ubuntu folder for keys (/etc/ssl/private) is:

chown root:ssl-cert
chmod 640

Java Keystore

Java applications use the Java keystore to store certificates an credentials in a well known location that can be accessed by Java applications running on the Coordinating Nodes. The Java keystore is located at:

/etc/ssl/certs/java/cacerts

#Note: following used in dataone-cn-os-core postinst, it is a symlink to above
/usr/lib/jvm/java-1.7.0-openjdk-amd64/jre/lib/security/cacerts

The Java keystore is modified using keytool by the dataone-cn-os-core postinst script to add the DataONE Certificate Authority (ENV_CHAIN) and the Server wild card certificate chain file.