Most webpages at Fermilab raise few or no privacy concerns. Fermilab policy is that by default access to information should be unrestricted unless there are reasons for restriction. As of July 29, 2003, externally visible webservers require registration and some minimal level of configuration control. Access to individual pages is determined by the content manager (typically the author) for each page.
Techniques for restricting access to webpages commonly include restriction by IP address or by username/password. However, for widespread collaborations, these methods can be cumbersome to maintain: dealing with ISPs, DHCP, etc. is a challenge for IP address controls, and maintaining yet another password is a chore. With the deployment of a PKI at Fermilab, there is now another option available: KCA credentials. Using these requires some setup on both the server and the client end, but it is usually simple to maintain.
Exact recipes for configuring your client depend on the particular browser that you are using. There are two general steps: a) obtain current KCA credentials, and b) import those credentials into your browser cache. The KCA credentials are obtained by contacting a server at Fermilab using your Kerberos TGT. The software used is the kx509/kxlist clients from the UMich CITI project. How you import the credentials depends on which browser you use. Look in the browser's documentation for information about handling X.509 certificates.
Detailed instructions for some of the popular web browsers at Fermilab are listed below:
(still under construction)
This page brought to you by the Fermilab Computer Security Team. It was last updated on 2005-Jul-24 22 July 2003.