source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/full_deployment/services.ini_tmpl @ 7077

#
# NERC DataGrid Security
#
# Paste configuration for combined security web services deployment:
# * Session Manager
# * Attribute Authority
# * OpenID Provider
# * NDG Single Sign On Service
#
# This file is read by Paste Deploy through Python's ConfigParser: the
# %(here)s variable is replaced with the parent directory of this file, and a
# literal percent sign in any value must be written as %%.  Keys placed in
# [DEFAULT] are inherited by every other section.
#
# NB. The template ships with test credentials and placeholder secrets.  They
# are suitable for a local test install only and must be replaced before the
# services are exposed on a network.
#
# Author: P J Kershaw
# date: 30/11/05
# Copyright: (C) 2008 STFC
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $$Id$$

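[DEFAULT]
# NOTE(review): under ConfigParser every key in [DEFAULT] is inherited by
# *every* other section in this file - including the key passphrase at the
# end of this section.  Any filter or app that logs or dumps its local
# settings will expose them; bear this in mind before enabling debug-level
# logging or tracing.
#
#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = ${attributeAuthorityID}

# Lifetime of issued Attribute Certificates, measured in seconds (28800 = 8h)
attributeAuthority.attCertLifetime = 28800

# Allow an offset for clock skew between servers running security services.
# Measured in seconds - use a minus sign for time in the past.  Keep the
# magnitude as small as the deployment's clock synchronisation allows: a large
# negative offset widens the window in which a certificate is accepted before
# it was meant to be valid.
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this dir.  It is the audit
# record of every issuance - restrict its permissions to the service account.
attributeAuthority.attCertDir = %(here)s/attributeauthority/attCertLog

# Files in attCertDir are stored using a rotating file handler.
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten, i.e. how much issuance history is retained.
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFile = %(here)s/attributeauthority/mapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for a
# given user ID.  Judging by its name, TestAttributeInterface is a test stub -
# replace it with the site's real attribute interface before deployment.
attributeAuthority.userRolesModFilePath = %(here)s/attributeauthority
attributeAuthority.userRolesModName = attributeinterface
attributeAuthority.userRolesClassName = TestAttributeInterface

# Config for XML signature of Attribute Certificate.  The signing key must be
# readable only by the service account.  ndg-test-ca.crt is, as its name says,
# a test CA - replace it with the CAs this deployment actually trusts.
attributeAuthority.signingPriKeyFilePath = %(here)s/attributeauthority/aa.key
attributeAuthority.signingCertFilePath = %(here)s/attributeauthority/aa.crt
attributeAuthority.caCertFilePathList = %(here)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionmanager module for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList = %(here)s/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList = %(here)s/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts = True
sessionManager.credentialWallet.rtnExtAttCertList = True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time (seconds) left before it expires.
# NOTE(review): unlike its neighbours this key carries no 'sessionManager.'
# prefix, yet the Session Manager filter reads its settings under the
# 'sessionManager' prefix (SessionManager.propPrefix).  Confirm the key is
# actually picked up rather than silently ignored.
credentialWallet.attCertRefreshElapse = 7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  Nb. the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix = sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection =

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space.  Keep this list to the sites actually
# trusted - every CA listed can vouch for a signer.
sessionManager.credentialWallet.wssecurity.caCertFilePathList = %(here)s/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath = %(here)s/sessionmanager/sm.crt

# ... and the file path to the matching PEM encoded private key.  Protect the
# key file: it is what makes this Session Manager's requests authentic.
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath = %(here)s/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message.  Leave this enabled: the
# timestamp is presumably what allows the receiving service to reject
# replayed requests - confirm against the SignatureHandler implementation.
sessionManager.credentialWallet.wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation = True

# Authentication service properties
sessionManager.authNService.moduleFilePath =
sessionManager.authNService.moduleName = ndg.security.test.config.sessionmanager.userx509certauthn
sessionManager.authNService.className = UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin.
# This sets up PKI credentials for a single *test* account - the module lives
# under ndg.security.test and is not a production authentication backend.
# Replace it before deploying.  Never put a real key passphrase here: the
# value is stored in clear and, being a [DEFAULT] key, is inherited by every
# section of this file.
sessionManager.authNService.userX509CertFilePath = %(here)s/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath = %(here)s/sessionmanager/user.key
sessionManager.authNService.userPriKeyPwd = testpassword
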
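[server:main]
use = egg:Paste#http
# NOTE(review): this is a plain HTTP listener bound on every interface.  The
# stack behind it carries Beaker/AuthKit session cookies, the OpenID login
# form and the SOAP services' WS-Security messages; the WS-Security filters
# configured below only sign and verify, they do not encrypt.  For any
# deployment beyond local testing either terminate TLS in front of this port
# or bind to 127.0.0.1 and put the service behind a TLS-terminating proxy.
host = 0.0.0.0
port = 8000
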
[filter-app:mainApp]
# Turn Paste HTTPException objects raised by the wrapped application into HTTP
# responses, then hand each request on to the cascade below.
use = egg:Paste#httpexceptions
next = cascade

# Put Single Sign On and Static URL parser together in a cascade to shoe horn
# static URL content serving for OpenID Provider
[composit:cascade]
use = egg:Paste#cascade
# Every request is offered to the static file app first; only a 404 from it
# falls through to the Single Sign On application.
app1 = StaticOpenIDProviderContentApp
app2 = SingleSignOnServiceApp
catch = 404

[app:StaticOpenIDProviderContentApp]
# Static URL Parser to serve OpenID Provider static page content such as CSS
# and graphics
use = egg:Paste#static
# Because the cascade tries this app for every URL, anything under this
# directory is served verbatim to anyone who asks for it.  Keep only public
# assets here - never configuration, keys or certificates.
document_root = %(here)s/openidprovider

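[app:SingleSignOnServiceApp]
# Single Sign On Service is the main application
paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
cache_dir = %(here)s/data
beaker.session.key = sso

# SECURITY: Beaker uses this secret to protect the session cookie - anyone who
# knows it can forge sessions.  The value below is a placeholder.  Replace it
# with a long random string (e.g. 32+ bytes from os.urandom, hex encoded)
# before deployment and keep the rendered file out of version control.
beaker.session.secret = somesecret

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
#beaker.cache.data_dir = %(here)s/data/cache
#beaker.session.data_dir = %(here)s/data/sessions

# WARNING: *debug MUST remain set to false in a production environment*
# Debug mode enables the interactive debugging tool, allowing ANYONE who can
# trigger an exception to execute arbitrary code on the server.
set debug = false

configfile = %(here)s/sso/sso.cfg

# AuthKit Set-up
authkit.setup.method = openid, cookie

# SECURITY: placeholder secrets - replace both before deployment, as for
# beaker.session.secret above.  The cookie secret protects the AuthKit
# sign-in cookie; the OpenID session secret protects the state AuthKit keeps
# during the OpenID exchange.
authkit.cookie.secret = secret encryption string
authkit.cookie.signoutpath = /logout
authkit.openid.path.signedin = /
authkit.openid.store.type = file
# On-disk OpenID store (associations and nonces) - must be writable by the
# service account only.
authkit.openid.store.config = %(here)s/data/openid
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

# NOTE(review): presumably the base from which AuthKit builds the OpenID
# return URL (confirm against the AuthKit docs).  'http://localhost' only
# works for local testing; a real deployment needs the externally visible
# HTTPS URL of this service.
authkit.openid.baseurl = http://localhost

# Template for signin
authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template

# Handler for parsing OpenID and creating a session from it
authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
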
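# Chain of SOAP Middleware filters.  Order matters: the WS-Security
# verification filter is listed first so that it wraps the Attribute Authority
# and Session Manager filters that reference it by ID, and the signing filter
# follows them so that their responses are signed.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           SessionManagerFilter
           wsseSignatureFilter
           SessionMiddlewareFilter
           OpenIDProviderFilter
           mainApp

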
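#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix.  NB, the file path names the *rendered* file
# (services.ini), not this template.
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/services.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Other filters this one depends on: the SOAP interface class needs access to
# the WS-Security signature verification filter.
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# Enable ?wsdl query argument to list the WSDL content.  This is interface
# disclosure rather than a security control; set it to False in production
# unless clients genuinely need to fetch the WSDL from the live service.
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that the main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute
# Authority directly
filterID = %(__name__)s
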
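#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix.  NB, the file path names the *rendered* file (services.ini),
# not this template.
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = %(here)s/services.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using a
# signature to authenticate the user making a request).
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class needs to know about these other
# filters
referencedFilters = filter:wsseSignatureVerificationFilter
                    filter:AttributeAuthorityFilter

# Path from URL for Session Manager in this Paste deployment
path = /SessionManager

# Enable ?wsdl query argument to list the WSDL content.  This is interface
# disclosure rather than a security control; set it to False in production
# unless clients genuinely need to fetch the WSDL from the live service.
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly
filterID = %(__name__)s
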
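#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths.
# This list is the trust anchor for signed SOAP requests reaching the
# Attribute Authority and Session Manager: presumably any signer whose
# certificate chains to a CA listed here is accepted.  ndg-test-ca.crt is a
# test CA - replace it with the CAs this deployment actually trusts and keep
# the list minimal.
wssecurity.caCertFilePathList = %(here)s/ca/ndg-test-ca.crt
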
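#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath = %(here)s/pki/wsse-server.crt

# PEM encoded private key file.  This key authenticates every SOAP response
# the services send: restrict it to the service account (e.g. mode 0600) and
# keep it outside any directory served as static content.
wssecurity.signingPriKeyFilePath = %(here)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation = True
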
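#______________________________________________________________________________
# OpenID Provider WSGI Settings
[filter:OpenIDProviderFilter]
paste.filter_app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
openid.provider.path.openidserver = /openid/endpoint
openid.provider.path.login = /openid/login
openid.provider.path.loginsubmit = /openid/loginsubmit

# Comment out next two lines and uncomment the third to disable URL based
# discovery and allow only Yadis based instead
openid.provider.path.id = /openid/id
openid.provider.path.yadis = /openid/yadis
#openid.provider.path.yadis = /id/

openid.provider.path.serveryadis = /openid/serveryadis
openid.provider.path.allow = /openid/allow
openid.provider.path.decide = /openid/decide
openid.provider.path.mainpage = /openid/
openid.provider.session_middleware = beaker.session

# NOTE(review): the base URL advertised to relying parties and used to build
# the layout URLs below.  'http://localhost:8000' is for local testing only;
# a real deployment needs the externally visible HTTPS URL, otherwise the
# login form and OpenID exchange travel in clear.
openid.provider.base_url = http://localhost:8000

# Leave tracing off outside development - it presumably logs detail of the
# OpenID exchange that should not reach shared logs.
openid.provider.trace = False
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding = utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png


#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities.  Demonstration
# only: the credentials would be held in clear in this file.
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
#openid.provider.authN.userCreds=pjk:test
#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.  If a remote URI is given it should be an HTTPS URI whose
# server certificate the client validates (see the sslCACertFilePathList
# settings in [DEFAULT]).
openid.provider.authN.sessionManagerURI =

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
#openid.provider.authN.environKey = filter:SessionManagerFilter

# Database connection to enable check between username and OpenID identifier.
# SECURITY: this connects as the 'postgres' superuser with a password held in
# clear text.  The two queries below only SELECT from the 'openid' table, so
# use a dedicated role limited to that, and supply its password from outside
# this file (e.g. the service account's ~/.pgpass) rather than committing it.
openid.provider.authN.connectionString = postgres://postgres:testpassword@localhost/testUserDb

# NOTE(review): $username / $userIdentifier (written with $$ because this is
# a paster template) look like string-template placeholders.  If the
# authentication interface substitutes the values typed at the login form
# into these strings textually instead of binding them as query parameters,
# the queries are open to SQL injection - confirm how
# SessionManagerOpenIDAuthNInterface executes them before relying on this.
openid.provider.authN.logonSQLQuery = select username from openid where username = '$$username' and ident = '$$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery = select distinct ident from openid where username = '$$username'

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs.  Testing only - never enable with real
# credentials, which would sit in clear in this file.
#openid.provider.usercreds=pjk:test
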
#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
# NOTE(review): no beaker.session.* options are given in this section, so
# this middleware runs with Beaker's defaults.  The beaker.session.key/secret
# settings in [app:SingleSignOnServiceApp] belong to that application's own
# session handling, not to this filter.  Confirm that the OpenID Provider's
# session cookie is protected with a deployment-specific secret and stored
# where intended; if not, set e.g. beaker.session.secret and
# beaker.session.data_dir here.
paste.filter_app_factory=beaker.middleware:SessionMiddleware

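# Logging configuration - presumably handed to logging.config.fileConfig by
# paster serve
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# NOTE(review): DEBUG output from the ndg security stack may include request
# detail and credential material that must not reach shared log collectors.
# Raise this to INFO (or higher) in production.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
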