Updates for Argus release 1.7.3
enricovianello committed Feb 29, 2020
1 parent 4959f5b commit dce664b
Showing 4 changed files with 79 additions and 10 deletions.
37 changes: 28 additions & 9 deletions source/pdp/configuration.rst
Expand Up @@ -98,6 +98,18 @@ SECURITY section
- No
- false

*
- tlsProtocol
- Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1.
- No
- TLS

*
- enabledProtocols
- Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1.
- No
- None

*
- requireClientCertAuthentication
- Indicates whether the client must use a valid client certificate to authenticate to the PDP
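Review bot: The ``tlsProtocol`` description contains a typo ("whent" should be "when") and does not say what the default value ``TLS`` means in terms of negotiated versions, so a reader cannot tell whether leaving it at the default still permits TLSv1.1 or older. Suggest stating which protocol versions ``TLS`` allows, next to the list of available values.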
Expand Down Expand Up @@ -126,6 +138,7 @@ PDP configuration file.
trustInfoDir = /etc/grid-security/certificates
# HTTPS enabled
enableSSL = true
tlsProtocol = TLS

Advanced Configuration Options
------------------------------
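Review bot: The added example line ``tlsProtocol = TLS`` only restates the value the table documents as the default, so the sample configuration does not show how to restrict the protocol version, which is the purpose of the new property. Consider using ``tlsProtocol = TLSv1.2`` in the example, or dropping the line.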
Expand Down Expand Up @@ -195,15 +208,21 @@ POLICY section
SECURITY section
~~~~~~~~~~~~~~~~

+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
| Property | Description | Required? | Default Value |
+=======================+===============================================================================================================+===========+==================+
| trustInfoRefresh | The frequency, in minutes, that the trust material specified by ``trustInfoDir`` will be checked for updates. | N | 60 (1 hour) |
+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
| messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired. | N | 300s (5 minutes) |
+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
| clockSkew | The allowance, in seconds, used when computing validity periods. | N | 30s |
+-----------------------+---------------------------------------------------------------------------------------------------------------+-----------+------------------+
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
| Property | Description | Required? | Default Value |
+=======================+===================================================================================================================================================================================+===========+==================+
| trustInfoRefresh | The frequency, in minutes, that the trust material specified by ``trustInfoDir`` will be checked for updates. | N | 60 (1 hour) |
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
| messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired. | N | 300s (5 minutes) |
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
| clockSkew | The allowance, in seconds, used when computing validity periods. | N | 30s |
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
| enableSSL | Enable HTTPS on the service port (SSL/TLS). The ``serviceCertificate``, ``servicePrivateKey``, and ``trustInfoDir`` properties must also be defined in order to use this setting. | N | false |
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
| tlsProtocol | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1. | N | TLS |
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+
| enabledProtocols | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1 | N | None |
+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------+------------------+


.. _argus-pdp-conf-env-file:
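Review bot: In the rewritten Advanced SECURITY table, ``tlsProtocol`` and ``enabledProtocols`` are described a second time in the same file (the earlier SECURITY section hunk adds them too), with the "whent" typo copied over, so the two copies can drift apart. Suggest documenting them in one place and cross-referencing from the other. The ``enabledProtocols`` description is also missing its final period, and the property names in this table are not in double backticks as they are in ``pepd_configuration.rst``.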
5 changes: 5 additions & 0 deletions source/pep/pepd_configuration.rst
Expand Up @@ -109,6 +109,10 @@ SECURITY section
+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
| ``enableSSL`` | Enable HTTPS on the service port (SSL/TLS). The ``serviceCertificate``, ``servicePrivateKey``, and ``trustInfoDir`` properties must also be defined in order to use this setting. | N | false |
+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
| ``tlsProtocol`` | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1. | N | TLS |
+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
| ``enabledProtocols`` | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1 | N | None |
+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+
| ``requireClientCertAuthentication`` | The client must have a valid X.509 client certificate to authenticate to the PEP Server | N | true |
+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+---------------+

Expand Down Expand Up @@ -150,6 +154,7 @@ matches the name section configuring the PIP. Also note that the
serviceCertificate = /etc/grid-security/hostcert.pem
trustInfoDir = /etc/grid-security/certificates
enableSSL = true
tlsProtocol = TLS
requireClientCertAuthentication = true

[REQVALIDATOR_PIP]
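Review bot: Neither sample configuration in this commit shows ``enabledProtocols``, and the ``tlsProtocol = TLS`` line added to this example is the documented default. An example that pins a version, for instance ``tlsProtocol = TLSv1.2``, would show what the new settings are for.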
3 changes: 2 additions & 1 deletion source/release_notes.rst
Expand Up @@ -8,14 +8,15 @@ Latest release:
.. toctree::
:maxdepth: 1

release_notes/v_1_7_2
release_notes/v_1_7_3


Older releases:

.. toctree::
:maxdepth: 1

release_notes/v_1_7_2
release_notes/v_1_7_1
release_notes/v_1_7_0

44 changes: 44 additions & 0 deletions source/release_notes/v_1_7_3.rst
@@ -0,0 +1,44 @@
.. _v1_7_3:

Argus 1.7.3 (02-03-2020)
========================

The Argus 1.7.3 release allows TLS protocol version to be configured on pdp and pep server components.

Updated components
~~~~~~~~~~~~~~~~~~

This release provides the following updated components:

- Argus PEP service version 1.7.4
- Argus PDP service version 1.7.1

Packages
~~~~~~~~

Packages for this release can be obtained from the Argus product team package repository:

https://repo.cloud.cnaf.infn.it/service/rest/repository/browse/argus-rpm-stable/

Upgrade procedure
-----------------

To install Argus 1.7.3:

#. Update the packages.
#. Restart the Argus PEP and PDP services.

Main fixes
~~~~~~~~~~

`argus-pep-server-1.7.4`_
`argus-pdp-1.7.1`_
------------------

- TLS protocol version should be configurable [`pep-25`_].
- TLS protocol version should be configurable [`pdp-6`_].

.. _pep-25: https://github.com/argus-authz/argus-pep-server/issues/25
.. _pdp-6: https://github.com/argus-authz/argus-pdp/issues/6
.. _argus-pep-server-1.7.4: https://github.com/argus-authz/argus-pep-server/milestone/3
.. _argus-pdp-1.7.1: https://github.com/argus-authz/argus-pdp/milestone/1
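Review bot: The "Upgrade procedure" section lists only "Update the packages" and "Restart the Argus PEP and PDP services", but the configuration tables in this commit give ``tlsProtocol`` a default of ``TLS``, so the release note should point to the new ``tlsProtocol`` and ``enabledProtocols`` properties for sites that upgrade in order to restrict the TLS version. Under "Main fixes", the two milestone links are stacked on two lines above a single dashed underline, which is not a one-line section title; give each component its own heading with its own fix item beneath it. The date in the title, 02-03-2020, is ambiguous between day-month and month-day order; an ISO date would avoid that.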
