[AG-DEV] Some issues with secure/non-secure

Thomas D. Uram turam at mcs.anl.gov
Mon Apr 24 17:15:39 CDT 2006


Hi Rhys:

Comments inline...

On 4/20/06 6:36 PM, Rhys Hawkins wrote:
> I have some issues when trying to run my own VenueServer with AG
> from CVS and I'd like to know if other people have these problems
> or whether it's a problem with my Gentoo ebuilds.
> 
> 1. VenueServer.py requires a certificate, and I can't run a VenueServer
> insecurely. The old -i switch is gone and --secure=0 still asks for
> a certificate. With --secure=0 it does run on http rather than https,
> but I am unable to connect to it with either VenueClient or
> VenueManagement when supplied with the --secure=0 argument.

We were trying to carry the insecure code all the way through, but
it became less of a priority.  Is insecure support important for you?
I would like to have it work insecurely, but wonder about use cases.
How should VenueManagement then be secured?

> 
> 2. When running a secure VenueServer I get 2 prompts for a passwd (
> I don't have to enter it twice, I just get 2 prompts). They are:
>   Verify passphrase:
>   Certmgr passphrase:

You should use a service certificate for running the venue server.
Here you must be using an identity certificate, since it apparently
has an encrypted private key.

> 
> 3. When running VenueManagement and connecting to the server, I have
> to enter my passphrase repeatedly in the shell from which I started
> the UI. E.g., for the initial connection to the VenueServer, I get
> six of the following prompts:
>   Enter PEM pass phrase:
> After entering the pass phrase each time, the connection succeeds. I'm
> using my certificate issued for AG24.

Same as above.  In this case, it is prompting you for the passphrase for
each SOAP call, because it wants to decrypt the private key for each call.
Since we're not supporting the use of client-side certificates yet,
no effort is made to cache the password.

> 
> 4. Can you still run the VenueClient with a certificate? I tried
> using VenueClient3.py --secure=1 --personalNode=1, but it doesn't 
> ask for the pass phrase and fails to start the audio and video 
> services as it looks like the command line arguments passed to them
> are incorrect, i.e. it's giving --secure rather than --secure=1.
> BTW, is there a reason why the personalNode option has changed from
> a switch to an int option?

The VenueClient cannot be made to use a certificate right now.  You may see
some scattered bits of secure-ness there, but it's not enabled.  The plan is
to bring that possibility back in the next release, when we have support
for proxy certificates from OpenSSL.

Tom
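
The identity-versus-service certificate distinction in the reply above comes down to whether the private key file is passphrase-encrypted. As an added example (not part of the original message and not AccessGrid code), this Python sketch reports that for each private key in a PEM file; `private_key_status` and the sample keys are constructed for illustration.

```python
import re

# One PEM block: label, then headers/base64 body, then the matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Constructed samples: the bodies are placeholder base64, not real key material.
IDENTITY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END RSA PRIVATE KEY-----
"""
SERVICE_KEY = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END RSA PRIVATE KEY-----
"""
PKCS8_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END ENCRYPTED PRIVATE KEY-----
"""


def _headers(body):
    """Parse the optional 'Name: value' lines that precede the base64 data."""
    headers = {}
    for line in body.splitlines():
        if not line.strip():
            break  # a blank line ends the header section
        if ":" not in line:
            return {}  # base64 starts immediately, so there are no headers
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def private_key_status(pem_text):
    """Return [(label, encrypted)] for every private key block in pem_text."""
    results = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificate blocks carry no passphrase
        if label == "ENCRYPTED PRIVATE KEY":
            encrypted = True  # PKCS#8 encrypted container
        else:
            # The traditional OpenSSL format marks encryption in a header line.
            proc_type = _headers(body).get("Proc-Type", "")
            encrypted = proc_type.replace(" ", "") == "4,ENCRYPTED"
        results.append((label, encrypted))
    return results
```

A key reported as encrypted will trigger a passphrase prompt whenever it is loaded, which matches the repeated prompts described in the thread.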
