Securing the HPC Basic Profile Web Service
Applies To: Windows HPC Server 2008
The HPC Basic Profile Web Service uses a secure transport layer, the Secure Hypertext Transfer Protocol (HTTPS), for all communication between the service and the client. One option that this implementation of the service supports is for the server to secure the communication by presenting an X.509 public key certificate to the client. The client validates the server certificate by using a corresponding Certification Authority (CA) certificate that it has obtained from a trusted source. For certificates that are issued by your own enterprise or by major commercial providers, these CA certificates will usually be in place; however, you can import other certificates, such as self-signed certificates, into your local certificate store.
The contents of the certificate store can be examined through the Microsoft Management Console (MMC) by loading the certificate snap-in.
The certificate that you use to secure the HPC Basic Profile Web Service can come from many sources:
You can use the head node’s Active Directory certificate. If the connecting client belongs to the same Active Directory domain, then the trust rules for the certificate are already established.
If you are not able to obtain a certificate from your enterprise’s certification authority, you can use Windows Server 2008 to generate a self-signed certificate. For information about how to import and bind a self-signed certificate, see Use a Self-Signed Certificate.
You can import a certificate issued by a third-party certificate provider. For information about how to import and bind a CA certificate, see Use a Certificate from a Certification Authority.
One element of the trust rule within Windows requires that the name used in the certificate match the fully qualified domain name of the computer that Web service clients use to connect to the Web service. Other operating systems and client-side Web service environments may have different policies. In many cases this name will be the fully qualified domain name of the head node, but if the head node is behind a firewall, then it will be the URL that you specify to expose the service.
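The name check described above, as an added example that is not part of the original page and is not Microsoft's code: it compares the host in the URL that clients will use against the names in a certificate before you bind it. It assumes general RFC 6125-style matching (DNS subjectAltName entries take precedence over the common name) rather than reproducing the exact rules Windows applies, and every host name and certificate in it is constructed.

```python
from urllib.parse import urlsplit

def cert_dns_names(cert):
    """Return the DNS names a certificate vouches for.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    Assumption: DNS subjectAltName entries take precedence, and the subject
    commonName is consulted only when no DNS SAN is present.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a short name or extra label never matches
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def endpoint_matches_cert(url, cert):
    """True when the host in the URL clients use is named by the certificate."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(n, host) for n in cert_dns_names(cert))

# Constructed sample: certificate issued for the head node's internal FQDN.
HEADNODE_CERT = {"subject": ((("commonName", "headnode.hpc.corp.example"),),)}
# Constructed sample: certificate reissued for the name exposed through a firewall.
PUBLISHED_CERT = {
    "subject": ((("commonName", "headnode.hpc.corp.example"),),),
    "subjectAltName": (("DNS", "hpc.example.com"),),
}

if __name__ == "__main__":
    urls = ("https://headnode.hpc.corp.example/",  # internal FQDN
            "https://headnode/",                   # short name
            "https://hpc.example.com/")            # name exposed at the firewall
    for url in urls:
        for label, cert in (("head-node cert", HEADNODE_CERT),
                            ("published cert", PUBLISHED_CERT)):
            print(f"{url:38} {label:15} match={endpoint_matches_cert(url, cert)}")
```

Under the stated assumption, the reissued certificate no longer matches the internal FQDN, because its common name is ignored once a DNS subjectAltName is present; a certificate meant to serve both names needs both listed as subjectAltName entries.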
Security within the HPC Basic Profile Web Service
The HPC Basic Profile Web Service uses WS-Security to identify who is submitting, monitoring, or managing jobs started on the Windows HPC Server 2008 cluster. WS-Security provides standard mechanisms to protect integrity and confidentiality, and to identify the source of a Web service message over the network. For more information, see the Web Services Security Specifications Index Page (http://go.microsoft.com/fwlink/?LinkId=127983).
The HPC Basic Profile Web Service uses the Windows Communication Foundation (WCF) framework to deliver its Web service hosting environment, and to manage message traffic and security mapping. For more information about WCF, see Windows Communication Foundation.
The installed configuration requires every user of the Web service to have an active account on the Windows HPC Server 2008 head node. WCF permits access to the HPC Basic Profile Web Service only to authenticated users who have an existing account on the head node. The implementation of the service in Windows HPC Server 2008 also provides support for file staging.