I'm loving the documentation that is being written! We're setting up a virtual machine in the UC Berkeley data center so that we can test our local resources, and one of the first questions they asked was which ports need to be open to the public through our data center firewall. I don't see this explicitly stated on the quick start guide http://wiki.collectionspace.org/display/collectionspace/Quick+Start+Guide so it might be a good thing to add. And uh while we're at it, which ports do need to be open to the public? Thanks, Chris

Hi Chris, Thank your for this feedback. I am copying James, our technical writer with your suggestion so he can put it in our queue. Marlita Kahn Project Manager Information Services & Technology Data Services 2195 Hearst Avenue Berkeley, CA 94720-4876 510-250-2488 marlita@berkeley.edu On Jul 30, 2010, at 9:29 AM, Chris Hoffman wrote: > I'm loving the documentation that is being written! We're setting up a virtual machine in the UC Berkeley data center so that we can test our local resources, and one of the first questions they asked was which ports need to be open to the public through our data center firewall. I don't see this explicitly stated on the quick start guide > http://wiki.collectionspace.org/display/collectionspace/Quick+Start+Guide > so it might be a good thing to add. > > And uh while we're at it, which ports do need to be open to the public? > > Thanks, > Chris > _______________________________________________ > Talk mailing list > Talk@lists.collectionspace.org > http://lists.collectionspace.org/mailman/listinfo/talk_lists.collectionspace.org

Hi Chris, On Jul 30, 2010, at 9:29 AM, Chris Hoffman wrote: >> We're setting up a virtual machine in the UC Berkeley data center so that we can test our local resources, and one of the first questions they asked was which ports need to be open to the public through our data center firewall. You - and Jim, when preparing documentation - might start here: "Document network port use, configuration for the Services layer" http://issues.collectionspace.org/browse/CSPACE-2184 You can find a brief discussion of what ports are used by the CollectionSpace services layer, and how you can configure which ports are used, if necessary, in the description and comments on this issue. Aron

Thanks, Aron. It looks like 8180 is the port that is most needed and possibly 8080 (if you want access to the JBoss console). Because our data center closes down all ports when it sets up a VM or a collocated machine, we'll also need to specify access for things like SSH and maybe SVN. Not sure what else, but when Glen comes in later today, we'll get this sorted out. Chris On Jul 30, 2010, at 9:46 AM, Aron Roberts wrote: > Hi Chris, > > On Jul 30, 2010, at 9:29 AM, Chris Hoffman wrote: >>> We're setting up a virtual machine in the UC Berkeley data center so that we can test our local resources, and one of the first questions they asked was which ports need to be open to the public through our data center firewall. > > You - and Jim, when preparing documentation - might start here: > > "Document network port use, configuration for the Services layer" > http://issues.collectionspace.org/browse/CSPACE-2184 > > You can find a brief discussion of what ports are used by the > CollectionSpace services layer, and how you can configure which ports > are used, if necessary, in the description and comments on this issue. > > Aron

On Fri, Jul 30, 2010 at 10:00 AM, Chris Hoffman <chris.hoffman@berkeley.edu> wrote: > Thanks, Aron.  It looks like 8180 is the port that is most needed Correct. > and possibly 8080 (if you want access to the JBoss console). Also correct, *if* that's needed ... and in stating that, also stressing the security considerations detailed here: http://issues.collectionspace.org/browse/CSPACE-1892 and here (with some background): http://issues.collectionspace.org/browse/CSPACE-344 An unsecured JBoss console is a huge vulnerability; as you may recall, one our slices had that exploited some time back. Aron -- >  Because our data center closes down all ports when it sets up a VM or a collocated machine, we'll also need to specify access for things like SSH and maybe SVN.  Not sure what else, but when Glen comes in later today, we'll get this sorted out. > Chris > > On Jul 30, 2010, at 9:46 AM, Aron Roberts wrote: > >> Hi Chris, >> >> On Jul 30, 2010, at 9:29 AM, Chris Hoffman wrote: >>>> We're setting up a virtual machine in the UC Berkeley data center so that we can test our local resources, and one of the first questions they asked was which ports need to be open to the public through our data center firewall. >> >>  You - and Jim, when preparing documentation - might start here: >> >>  "Document network port use, configuration for the Services layer" >>  http://issues.collectionspace.org/browse/CSPACE-2184 >> >>  You can find a brief discussion of what ports are used by the >> CollectionSpace services layer, and how you can configure which ports >> are used, if necessary, in the description and comments on this issue. >> >> Aron > >

Regarding >> An unsecured JBoss console is a huge vulnerability; as you may >> recall, one our slices had that exploited some time back. that is absolutely correct, and fortunately Glen is very familiar with this. I think it might be worth having some security-related text in the documentation as well, something along the lines of: "JBoss and Apache (required for CollectionSpace) have their own security requirements and best practices. We recommend you work with your service provider or system administrator to ensure your infrastructure is secure. For example, when JBoss is installed, the JBoss console needs to be disabled or the default password changed. See [URL] for more information." We could provide some links or just point people to the Apache and JBoss project sites. Chris On Jul 30, 2010, at 10:05 AM, Aron Roberts wrote: > On Fri, Jul 30, 2010 at 10:00 AM, Chris Hoffman > <chris.hoffman@berkeley.edu> wrote: >> Thanks, Aron. It looks like 8180 is the port that is most needed > > Correct. > >> and possibly 8080 (if you want access to the JBoss console). > > Also correct, *if* that's needed ... and in stating that, also > stressing the security considerations detailed here: > > http://issues.collectionspace.org/browse/CSPACE-1892 > > and here (with some background): > > http://issues.collectionspace.org/browse/CSPACE-344 > > An unsecured JBoss console is a huge vulnerability; as you may > recall, one our slices had that exploited some time back. > > Aron > > -- > >> Because our data center closes down all ports when it sets up a VM or a collocated machine, we'll also need to specify access for things like SSH and maybe SVN. Not sure what else, but when Glen comes in later today, we'll get this sorted out. >> Chris >> >> On Jul 30, 2010, at 9:46 AM, Aron Roberts wrote: >> >>> Hi Chris, >>> >>> On Jul 30, 2010, at 9:29 AM, Chris Hoffman wrote: >>>>> We're setting up a virtual machine in the UC Berkeley data center so that we can test our local resources, and one of the first questions they asked was which ports need to be open to the public through our data center firewall. >>> >>> You - and Jim, when preparing documentation - might start here: >>> >>> "Document network port use, configuration for the Services layer" >>> http://issues.collectionspace.org/browse/CSPACE-2184 >>> >>> You can find a brief discussion of what ports are used by the >>> CollectionSpace services layer, and how you can configure which ports >>> are used, if necessary, in the description and comments on this issue. >>> >>> Aron >> >>