UNICORE XUUDB Service Reference Card

Functional description

The UNICORE XUUDB is a SOAP (over HTTP) web service service providing attributes to be used for authorization purposes in the UNICORE/X server. It has two public web service interfaces for

• querying the XUUDB by X509 certificate or just the X500 name (DN)
• administrating the XUUDB (adding, updating, removing entries)

Daemons running

The XUUDB server is a single process.

Init scripts and options (start|stop|restart|...)

The service is started and stopped using shell scripts in the bin/ folder of the installation.

If installed via a Linux distribution package, e.g. RPM or .deb, the service can be started with /etc/init.d/unicore-xuudb {start|stop|restart}.

Configuration files location with example or template

Configuration files are in the conf/ folder of the installation.

• xuudb_server.conf : XUUDB server settings (key/truststore, host/port, etc)
• xuudb.acl : list of trusted X500 names that may administrate the XUUDB
• logging.properties : XUUDB server logging settings
• xuudb_client.conf : administrative client configuration
• client_logging.properties : administrative client logging config

If installed via a Linux distribution package, e.g. RPM or .deb, the configuration files will be located in /etc/unicore/xuudb.

Logfile locations (and management) and other useful audit information

Logfiles are by default placed in the logs/ directory in the installation, and rolled over daily. Details can be controlled in the logging.properties file

If installed via a Linux distribution package, e.g. RPM or .deb, the log files will be written to /var/log/unicore/xuudb, to which the unicore user created by this package has write access.

Open ports

• the XUUDB listener port, configured in the xuudb_server.conf file (default: 34463).

Possible unit test of the service

Unit tests are part of the build procedure and executed automatically. When running, the service can be tested by executing the admin.sh script to list the XUUDB content (execute "admin.sh list" or "unicore-xuudb-admin list" if XUUDB was installed with RPM or .deb)

Where is service state held (and can it be rebuilt)

The data is kept on the file system (using an embedded database engine) in the data/ directory in the installation.

If installed via a Linux distribution package, e.g. RPM or .deb, then the service state will be held in /var/lib/unicore/xuudb.

Cron jobs

N/A

Security information

Access control Mechanism description (authentication & authorization)

The two XUUDB web services are secured in different ways.

• query : is possible for all clients (i.e. end users or UNICORE/X servers!) having a trusted certificate
• admin : requires a matching entry in the xuudb.acl file

How to block/ban a user

Revoke the certificate. For the admin interface, remove the entry from the xuudb.acl file

Network Usage

The XUUDB listens to client requests on a single port.

Firewall configuration

n/a

Security recommendations

Do not run as root.

Security incompatibilities

None known.

List of externals (packages are NOT maintained by Red Hat)

n/a

Other security relevant comments

n/a

Utility scripts

n/a