View Issue Details

IDProjectCategoryView StatusLast Update
000791610000-007: ProfilesSpecpublic2022-07-25 13:12
ReporterAlexander Allmendinger Assigned ToKarl Deiretsbacher  
PrioritynormalSeverityminorReproducibilityhave not tried
Status assignedResolutionopen 
Product Version1.04 
Target Version1.05.03 RC1 
Summary0007916: Description of CU "Discovery Client Configure Endpoint" misleading
Description

Current description is:
Allow specification of an Endpoint without going through the Discovery Service Set.

This could be misinterpreted to connect to the server without doing any discovery service (FindServers, GetEndpoints) though in many cases a GetEndpoints is required to get the servers application instance certificate. To my knowledge the intend of this CU is to allow to directly specify an Endpoint without the need to go through the discovery mechanisms of a client. So I would propose to change the description to:
Allow specification of an Endpoint without going through an interactive discovery process and calling FindServers.

TagsNo tags attached.
Commit Version
Fix Due Date

Relationships

related to 0008129 closedMatthias Damm 10000-004: Services Remove requirement to allow Administrators to disable the DiscoveryEndpoint 

Activities

Karl Deiretsbacher

2022-06-23 14:35

developer   ~0017041

Discussed in UA meeting on May 03, 2022.

This has not changed since Version 1.02. People on the call think that the meaning is the manual configuration of an endpoint (including URL, certificate, user token, security mode, ...).
Of course this configuration can be wrong in which case the connect request will fail. But this can also happen after GetEndpoints in particular if the endpoint desciption is saved and re-used multiple times.

The discussion turned out into the question whether clients - if connect fails - should automatically try to find a proper alternative, replace the stored endpoint, and try to connect with that alternative.
We should at least prevent an automatic use of a lass secure alternative.

Possible conclusion: "When using a persisted endpoint - whether it was entered manually or received from GetEndpoints - this persisted information shall not be renewed without user intervention even if the connect fails."
This may also be a separate CU.

Jim Luth

2022-07-05 16:00

administrator   ~0017088

Last edited: 2022-07-05 16:10

Suggest breaking this into 2 CUs:

One for manual configuration of endpoint URLs. (still need to call GetEndpoints).

One for use Client persisted endpoints to connect to a Server without using any Services in the Discovery Service Set. (make mandatory in 1.05, optional in 1.04).

Matthias Damm

2022-07-25 13:03

developer   ~0017182

It makes no sense to disable GetEndpoints. This requirement must be removed from Part 4.

In the automatic certificate update szenario with GDS, the client MUST call GetEndpoints to get the new certificate from the server. There is a special status code that indicates that the client is using the wrong certificate and GetEndpoints is the only way to get the new certificate. This new certificate will be used by the client if it is trusted (which will be the case for a GDS managed trust list).

If Clients are configured to use a certain endpoint setting, they should not change the used parameters by calling GetEndpoints but a updated certificate must be fetched with GetEndpoints.

If a Client has a "use best security" option, the client MUST verify the GetEndpoints results with the endpoints returned from CreateSession. It is much more important that clients do this check and this must be tested.

See also related Mantis Issue for Part 4

Issue History

Date Modified Username Field Change
2022-04-04 21:24 Alexander Allmendinger New Issue
2022-06-23 14:35 Karl Deiretsbacher Note Added: 0017041
2022-07-05 16:00 Jim Luth Note Added: 0017088
2022-07-05 16:01 Jim Luth Note Edited: 0017088
2022-07-05 16:07 Jim Luth Note Edited: 0017088
2022-07-05 16:09 Jim Luth Assigned To => Karl Deiretsbacher
2022-07-05 16:09 Jim Luth Status new => assigned
2022-07-05 16:09 Jim Luth Target Version => 1.05.03 RC1
2022-07-05 16:10 Jim Luth Note Edited: 0017088
2022-07-25 13:03 Matthias Damm Note Added: 0017182
2022-07-25 13:10 Matthias Damm Relationship added related to 0008129