Madhusudan Singh wrote:

> Hi
> 
> I was wondering if it is possible to set up authenticated access over SSL to 
> user volumes for a cell? I would, for security reasons, run the webserver on 
> another machine (not in the cell).
> 
> Thanks.

Theoretically yes, but as I have been discovering while attempting to
set this up for a client, there are numerous issues:

(1) if you are using the AFS Kernel Module, then only one user's token
can exist in the Process Authentication Group associated with the web
server at a time.  This means you must use a web server that is not
multi-threaded but instead uses a separate child process for each request.

(2) you must be careful to manage the token in the PAG and make sure
it is cleared after the request is complete.

(3) Apache assumes that modules leak resources and therefore only allows a
small number of requests to be processed by each child before killing
them off.   Each time a child is created, a new PAG must be created.  It
would be best given the current PAG implementation to force a system
restart every 200 days.

(4) Any external programs executed by the web server while a token is
in the PAG will execute with the permissions of the client.  This may or
may not be desirable for CGIs, PHPs, etc.

(5) Servers such as ColdFusion and Tomcat will not have access to the
client token while processing their operations.  This may or may not have
the desired effect.

(6) You will want to implement some form of weblogin functionality to
reduce the number of times a password is sent across the wire.

Jeffrey Altman


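Points (1) and (3) above translate directly into the Apache process model. The
fragment below is an added illustration, not configuration from either poster:
it assumes Apache 2.2 directive names (2.4 still accepts MaxRequestsPerChild as
the old name of MaxConnectionsPerChild) and a hypothetical server where some
AFS-aware module, not shown here, obtains the PAG in each child and sets and
clears the client's token around each request.

```apache
# httpd.conf fragment (added example, hypothetical server).
#
# Point (1): one token per PAG means one client per process, so the
# server must use a process-per-request MPM.  Verify before relying on it:
#   httpd -V | grep -i mpm        # must report "prefork", not worker/event
<IfModule prefork.c>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150

    # Point (3): Apache retires a child after this many requests because it
    # assumes modules leak.  Every replacement child has to obtain a fresh
    # PAG before serving its first authenticated request, so a higher value
    # means fewer PAGs over the server's lifetime, at the cost of letting a
    # leaking module run longer.  0 would disable recycling entirely.
    MaxRequestsPerChild 1000
</IfModule>

# Points (2) and (4): nothing in the MPM configuration clears the token after
# a request or stops CGIs from inheriting it; the module that put the token
# into the PAG must remove it when the request finishes (see point 2), and
# CGI/PHP execution while a token is present runs as that client (point 4).
```

Check the MPM with `httpd -V` after every rebuild or package upgrade: a
distribution that switches the default MPM to worker or event silently breaks
the one-token-per-process assumption without any configuration error.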