Service Reference Card
Ophidia Server daemon location:
Init scripts and options (start|stop|restart|…)
Ophidia Server daemon can be started by using the following command:
/usr/local/ophidia/oph-server/bin/oph_server > /dev/null 2>&1 &
Service can be started even in debug mode using the option “-d” as follows:
/usr/local/ophidia/oph-server/bin/oph_server -d > /dev/null 2>&1 &
In debug mode, verbosity of the messages written in log file is higher.
Configuration files location with example or template
See http://ophidia.cmcc.it/documentation/admin/configure/ophserver.html for further information
Ophidia Analytics Framework
- /usr/local/ophidia/oph-cluster/oph-analytics -framework/etc/oph_script_configuration
See http://ophidia.cmcc.it/documentation/admin/configure/ophframework.html for further information
See http://ophidia.cmcc.it/documentation/admin/configure/ophterminal.html for further information
Logfile locations (and management) and other useful audit information
Ophidia Analytics Framework
See also the operators enabling online access to log files:
Ophidia Server daemon: the port 11732 has to allow incoming TCP connections from clients, usually from any site. Thirty-party services: the ports 80 and 443 for Apache web server have to allow incoming HTTP Requests from clients, usually from any site.
Possible unit test of the service
Ophidia Service sources includes a routine for unit tests. It can be executed by typing “make check” after installing the package as reported at http://ophidia.cmcc.it/documentation/admin/install/install_from_source.html#ophidia-server-installation.
Where is service state held (and can it be rebuilt)
INDIGO Continuous Integration system
The Ophidia framework does not need a cron job
1 - Access control Mechanism description (authentication & authorization)
The basic authentication mechanism of Ophidia Server is based on credentials: username and password. Any request incoming from Ophidia Terminal have to include the credentials (as HTTP parameters) so that Ophidia Server is able to authorize each user. TCP connections between Ophidia Terminal and Ophidia Server are encrypted by TLS protocol. Secure connections can be setup by exploiting a digital certificate to be configured at Server side as reported at http://ophidia.cmcc.it/documentation/admin/configure/ophserver.html#server-configuration. In this way credential transmission from client to server is protected. The credentials of authorized users are stored in the configuration file /usr/local/ophidia/oph-server/authz/users.dat and can be modified manually (by editing the file) or by exploiting the command-line tool /usr/local/ophidia/oph-server/bin/oph_manager_user (http://ophidia.cmcc.it/documentation/admin/configure/usermanagement.html#command-line-tool). Hence, user registration can be done only by the system administrator. Web access to Ophidia session objects (see http://ophidia.cmcc.it/documentation/users/session/index.html) is admitted provided that the user logs in using the same credentials adopted for Ophidia Terminal. A PHP script checks the credentials by scanning the configuration file /usr/local/ophidia/oph-server/authz/users.dat. Also in this case confidentiality is based on TLS protocol (see http://ophidia.cmcc.it/documentation/admin/configure/ophserver.html#ophidia-web-server for further information). Each user is enabled to create new sessions and grant access privileges to other Ophidia users, provided they are already registered. He can finely tune the access of other user to session objects exploiting the operator OPH_MANAGE_SESSION as reported in http://ophidia.cmcc.it/documentation/users/session/index.html.
From release 1.1.0 Ophidia Server supports an additional authentication & authorization schema based on OpenId Connect. In this case the service has to be registered on a Identity Provider and exploits access tokens released by the provider to grant access to users. Before accessing Ophidia, the user has to authorize the Server to access some data of the profile, in particular “email” and “organization”, and send a token request. A PHP script is provided to help the user during this phase. Then, the token has to be included in any request incoming from Ophidia Terminal (on behalf of the credentials) so that the Server is able to authenticate the user, request the profile data to the Identity Provider and, finally, perform the authorization procedure. Authorization is based on a white list of admitted organizations and a black list of users (based on the related email addresses).
2 - How to block/ban a user
By using the authentication based on credentials, a user can be disabled to access Ophidia service by removing its credentials from the configuration file /usr/local/ophidia/oph-server/authz/users.dat. The session owner can revoke the access of other users to session objects exploiting the operator OPH_MANAGE_SESSION (http://ophidia.cmcc.it/documentation/users/operators/OPH_MANAGE_SESSION.html).
Concerning the schema based on OpenId Connect, Ophidia Server handles a white list of the admitted organizations and a black list of single users (based on email addresses). By exploiting these access lists, the administrator can finely select the users to be authorized to access Ophidia.
3 - Network Usage
Ophidia relies on a server-side paradigm for data analysis, so not large data movement is expected using this framework.
4 - Firewall configuration
Firewall rules of the node where Ophidia Server is running should allow incoming TCP connections to 11732 to be accepted. Firewall rules of the node where Apache web server is running should allow incoming TCP connections to 80 and 443 to be accepted.
5 - Security recommendations
By default three Ophidia users are registered in /usr/local/ophidia/oph-server/authz/users.dat: admin, framework and oph-test. Remove this accounts if they are not necessary or, at least, change the related passwords. Change the default value “abcd” assigned to any password in the following configuration files:
See http://ophidia.cmcc.it/documentation/admin/configure/index.html for further information.