CDR Tickets

Issue Number 3845
Summary Encrypt traffic from external CDR clients
Created 2014-12-29 16:44:52
Issue Type Improvement
Submitted By Kline, Bob (NIH/NCI) [C]
Assigned To Kline, Bob (NIH/NCI) [C]
Status Closed
Resolved 2015-05-01 15:23:09
Resolution Fixed
Path /home/bkline/backups/jira/ocecdr/issue.144227
Description

We have been asked by CBIIT to encrypt connections from XMetaL and the CDR Loader to the CDR Service. A proof of concept for implementing this request was performed as part of ticket OCECDR-3748. This ticket will track the work to deploy this solution on the CDR server across all tiers. When the deployment of this solution is complete, CBIIT will be able to turn off access to ports 2019 and 2020 (the custom ports used currently for the CDR client/server protocol) for all machines except the CDR Server itself ("localhost"). The solution uses HTTPS tunneling over port 443, which encrypts all traffic using SSL. Deployment of this change (together with the upgrade of XMetaL to 9.0 and NIH Active Directory integration) is a prerequisite for allowing users to connect to the CDR from their own desktops instead of being required to connect through an intermediate "bastion" host.

Comment entered 2014-12-29 16:52:38 by Kline, Bob (NIH/NCI) [C]

My plan is to:

  • convert client software deployed from DEV to tunnel CDR requests through HTTPS

  • install the tunneling mechanism on the CDR DEV server

  • modify the cdr Python module to detect whether it is running on the CDR server, and if it is not, use the new tunneling mechanism

  • ask CBIIT to block traffic from ports 2019 and 2020 coming from outside the CDR server

  • test to verify that clients can still connect to the CDR server

  • deploy up the tiers, one at a time

Any suggestions?
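The plan above (local clients keep using the custom ports, everything else tunnels over HTTPS, then verify that 2019/2020 are closed from outside) is sketched below as an added example. It is not the code checked into the cdr Python module for this ticket; the host names, the tunnel URL path, the command-document framing on the direct socket, and the sample command body are assumptions made up for illustration.

```python
import socket
import ssl
import urllib.request

# Ports named in the ticket: custom CDR client/server ports and the HTTPS tunnel port.
CDR_DIRECT_PORTS = (2019, 2020)
CDR_TUNNEL_PORT = 443
TUNNEL_PATH = "/cdr-tunnel"          # hypothetical; the ticket does not name the real path
SAMPLE_COMMAND = "<Command><!-- constructed sample body --></Command>"  # constructed


def running_on_cdr_server(server_host, local_host=None):
    """True when this process runs on the CDR server itself.

    Unqualified names are compared so 'cdr-dev' matches 'cdr-dev.example.org';
    'localhost' always counts as local.
    """
    if server_host.lower() in ("localhost", "127.0.0.1", "::1"):
        return True
    local_host = local_host or socket.gethostname()
    return local_host.split(".")[0].lower() == server_host.split(".")[0].lower()


def choose_transport(server_host, local_host=None):
    """Direct custom-port connection on the server, HTTPS tunnel anywhere else."""
    if running_on_cdr_server(server_host, local_host):
        return ("direct", ("localhost", CDR_DIRECT_PORTS[0]))
    return ("https", "https://%s:%d%s" % (server_host, CDR_TUNNEL_PORT, TUNNEL_PATH))


def tls_context():
    """Client TLS context that verifies the server certificate and host name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_tunnel_request(url, command_xml):
    """Wrap one CDR command document in an HTTPS POST for the tunnel."""
    body = command_xml.encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/xml; charset=utf-8",
                 "Content-Length": str(len(body))})


def send_command(server_host, command_xml, local_host=None, timeout=30):
    """Send a command over whichever transport applies (does real network I/O)."""
    kind, target = choose_transport(server_host, local_host)
    if kind == "https":
        req = build_tunnel_request(target, command_xml)
        with urllib.request.urlopen(req, timeout=timeout, context=tls_context()) as resp:
            return resp.read()
    # Direct path: framing assumed as "send document, half-close, read to EOF".
    with socket.create_connection(target, timeout=timeout) as sock:
        sock.sendall(command_xml.encode("utf-8"))
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


def port_reachable(host, port, timeout=2.0):
    """TCP connect test; False covers refused, filtered and timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def firewall_check(server_host):
    """Run from a workstation after CBIIT closes the custom ports: expect
    2019 and 2020 unreachable and 443 reachable."""
    status = {p: port_reachable(server_host, p)
              for p in CDR_DIRECT_PORTS + (CDR_TUNNEL_PORT,)}
    ok = not any(status[p] for p in CDR_DIRECT_PORTS) and status[CDR_TUNNEL_PORT]
    return ok, status


def demo_port_probe():
    """Offline check of port_reachable against an ephemeral local listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_reachable("127.0.0.1", port)
    listener.close()
    after_close = port_reachable("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(choose_transport("cdr-dev.example.org", local_host="workstation"))
    print(demo_port_probe())
```

The transport decision keys on the host name rather than on a config flag so the same module works unchanged on the server and on a desktop; `firewall_check` is the test for the "verify that clients can still connect" step once the port closure is in place.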

Comment entered 2014-12-29 18:44:07 by Kline, Bob (NIH/NCI) [C]

So far:
✔ convert client software deployed from DEV to tunnel CDR requests through HTTPS
✔ install the tunneling mechanism on the CDR DEV server

Next I'll tackle the modifications to the cdr Python module.

Comment entered 2014-12-30 09:45:26 by Kline, Bob (NIH/NCI) [C]

I have checked in the changes to the Python module in the branch for the security remediations:

  • R13057 /branches/cdr-security-remediation/lib/Python/cdr.py

I have also filed the ticket to have the CBIIT security team close the custom ports for outside hosts:

https://tracker.nci.nih.gov/browse/SECURITYTEAM-437

I hope this ticket does what it's supposed to. Unfortunately, that JIRA project doesn't have any forms which make any sense for closing ports. There are only forms for opening firewall exceptions and for requesting appscans.

Comment entered 2015-05-01 15:23:09 by Kline, Bob (NIH/NCI) [C]

QA has completed and the ticket has been submitted to CBIIT for deployment to stage, after which an appscan will be requested.
