In Silico Biology 3, 0033 (2003); ©2003, Bioinformation Systems e.V.  


secureBLAST

Arnim Wiezer and Rainer Merkl




Göttingen Genomics Laboratory, Institut für Mikrobiologie und Genetik,
Grisebachstrasse 8, 37077-Göttingen, Germany
Phone: ++49(0)551-39-3823,    Fax: ++49(0)551-39-3805
Email: rmerkl@gwdg.de





Edited by H. Michael; received May 05, 2003; accepted June 02, 2003; published June 21, 2003



Abstract

secureBLAST supplements NCBI wwwblast with the features needed to control, in an easily manageable way, the usage of BLAST data sets and their updates. The concept we implemented makes it possible to offer several data sets with individually configurable access rights on a single BLAST server. Security is provided by user authentication and by encryption of the HTTP traffic via SSL. With secureBLAST, users and databases can be administered via a web interface. Therefore, secureBLAST is valuable for institutions that have to restrict access to their datasets or just want to administer BLAST servers via a web interface.

Key words: wwwblast, user authentication, BLAST database management



Motivation

BLAST [Altschul et al., 1990] is, due to its sensitivity and speed, very popular and widely used for DNA and protein sequence searches against databases. A second reason for its prominence is the large number of servers offering the "BLASTing" of a query against comprehensive sets of freely available databases. There are, however, institutions such as sequencing centres that are often obliged to restrict access to specific databases to a limited group of users. These institutions are usually forced to configure both firewalls and BLAST or web servers for every new project in order to give clients and users online access to their projects and to maintain a security concept.

Controlled access to BLAST datasets enables researchers who may be scattered around the globe to hunt for gene sequences of special interest from the very early stages of a sequencing project until the last gap is closed and the annotation comes to a preliminary end. Such an entrance from the "evil outer world" has to be configured so that it is open to authorized users only. As datasets grow continually during the sequencing phase, it is desirable to make their update easier.


Implementation

The impetus for the development of secureBLAST was our effort to simplify the complex configuration described above. It is now possible to deposit several databases on one server within a single wwwblast environment and to define access conditions precisely and individually. The security concept relies on three types of users: The secureBLAST administrator has the right to create databases and users and to define their roles. Database curators are authorized to update a distinct set of databases. Ordinary users are allowed to query sequences against databases, which are accessible in a user-specific manner.

To preserve consistency and to make secureBLAST as user-friendly as possible, we followed existing mechanisms and web page layouts (Fig. 1). The secureBLAST interface is an adapted version of the popular wwwblast page of the NCBI. Thus, we retain the familiar "look-and-feel" for authentication and BLASTing, while preserving all the advanced options and parameters for sequence search.

To support database maintenance, we added a specific page (Fig. 2) accessible to curators only. To update a database, a curator only has to upload a FASTA file or paste the sequence into a text-window. After the sequence has been deposited on the BLAST-server, it is formatted automatically without user interaction by invoking the formatdb tool.



Figure 1: Screenshot of the secureBLAST main page, which largely corresponds to the layout of the familiar wwwblast page.



Figure 2: Screenshot of the secureBLAST update page. New sequences can be uploaded by selecting a filename or by pasting the sequence (in FASTA format) into the text-window.


The secureBLAST administrator can add or delete users and databases by means of the html-based configuration page (Fig. 3). A prerequisite for our concept is the installation and use of the widely used Apache web-server with an activated PHP-module. For user management, we rely on the htpasswd tool of the web-server. This is why passwords are stored encrypted on the machine running the BLAST-server. As the configuration is completely html-based, it is no longer necessary, once secureBLAST has been installed, to log in to the server via ssh or similar terminal emulators.



Figure 3: Screenshot of the secureBLAST administration page. Users and databases can be added or deleted easily.


The procedure required for user authentication is based on PHP - Hypertext Preprocessor (http://www.php.net) and Apache's webserver (http://httpd.apache.org) functionality, which prohibits access to secureBLAST without a valid user account. More specifically, we implemented three levels of security:

  1. The web-server presents output only if a valid PHP-session is active. Such a session is created exclusively after a successful login. If no session exists, the login page is presented. Therefore, only valid users can access the server.
  2. Web pages are generated dynamically, depending on the rights of the authenticated user.
  3. Access rights (the right to read a database is needed for a BLAST-search and write-access is necessary for updates) are checked each time a corresponding command is used.
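
The three levels above can be sketched in PHP as follows. This is an added example and not secureBLAST's own code; the `ACL` table, the function names and the user and database names are assumptions constructed for illustration.

```php
<?php
// Added illustration, not secureBLAST source code. The ACL layout, function
// names, user names and database names are assumptions (constructed data).
const ACL = [
    'alice' => ['genomeA' => ['read', 'write']],                // a curator
    'bob'   => ['genomeA' => ['read'], 'genomeB' => ['read']],  // ordinary user
];

// Level 1: a request is authenticated only if the session carries a known
// user. In a web request $session would be $_SESSION after session_start().
function current_user(array $session): ?string
{
    $user = $session['user'] ?? null;
    return is_string($user) && array_key_exists($user, ACL) ? $user : null;
}

// Level 2: build the page from the user's rights (what the form offers).
function visible_databases(string $user, string $right): array
{
    $dbs = [];
    foreach (ACL[$user] as $db => $rights) {
        if (in_array($right, $rights, true)) {
            $dbs[] = $db;
        }
    }
    return $dbs;
}

// Level 3: check the right again for every command, because a request can
// name any database regardless of what the generated form listed.
function authorize(array $session, string $db, string $right): bool
{
    $user = current_user($session);
    return $user !== null && in_array($right, ACL[$user][$db] ?? [], true);
}

// Constructed requests: [session, database, right needed by the command].
$requests = [
    [['user' => 'alice'], 'genomeA', 'write'], // curator updating a database
    [['user' => 'bob'],   'genomeA', 'write'], // ordinary user attempting an update
    [['user' => 'bob'],   'genomeB', 'read'],  // ordinary user running a search
    [[],                  'genomeA', 'read'],  // request without a login session
];
foreach ($requests as [$session, $db, $right]) {
    printf("%-6s %-8s %-5s %s\n", $session['user'] ?? '-', $db, $right,
        authorize($session, $db, $right) ? 'allow' : 'deny');
}
echo 'bob may search: ', implode(', ', visible_databases('bob', 'read')), "\n";
```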

In addition, it is highly recommended to use SSL (Secure Sockets Layer; http://www.openssl.org) to ensure the encryption of the HTTP traffic whenever communicating with the BLAST-server. All current Linux distributions support SSL; secureBLAST contains an easy-to-use installation script for creating self-signed SSL certificates.

The software combination we selected is widely used and accepted as a standard for "state-of-the-art" web-page security. The user should keep in mind that it would be counterproductive to log on to the server running secureBLAST over an insecure connection (i.e. via rsh or telnet). These protocols make it easy to sniff passwords. Using SSL as recommended above eliminates this security hole. secureBLAST is available for download at http://www.g2l.bio.uni-gottingen.de/software/



Acknowledgements

This work was supported by a grant from the "Niedersächsisches Ministerium für Wissenschaft und Kultur" for the Göttingen Genomics Laboratory and by grants from the "Bundesministerium für Bildung und Forschung" financing the competence network "Genome research on bacteria for the analysis of biodiversity and its further use for the development of new production processes".




References

  1. Altschul, S. F., Gish, W., Miller, W., Myers, E. W. and Lipman, D. J. (1990). Basic local alignment search tool. J. Mol. Biol. 215, 403-410.