source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/openid_ssl/securityservices.ini @ 7824

Revision 7824, 20.6 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • Completed all templates
  • Tested OpenID Provider setup from template. TODO: test remaining configurations as created by respective templates
  • ALL UNIT TESTS pass for ndg.security.*
  • fix from rel to abs file path for authorisation-service.ini, tidied unit test directory.
  • Property svn:keywords set to Id
#
# NERC DataGrid Security
#
# Paste configuration for combined Session Manager, Attribute Authority,
# OpenID Relying Party and Provider services
#
# Read by Paste Deploy through Python's ConfigParser: a value may reference
# another key as %(name)s, keys under [DEFAULT] are visible to every section
# and %(here)s is replaced with the parent directory of this file.
#
# Author: P J Kershaw
# date: 26/02/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

# Shared values from which the service endpoint URIs below are built
[DEFAULT]
# TCP port the Paste HTTP server listens on - see [server:main]
portNum = 5443
hostname = localhost
# NOTE(review): scheme is http although this lives in the openid_ssl
# integration test directory - confirm whether the stack is meant to be
# reached over TLS before relying on baseURI outside local testing
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
# Path prefix for OpenID Provider identifiers and Yadis discovery
openIDProviderIDBase = /openid
# Provider-only URI a user can enter at the Relying Party (idselect mode)
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Root of the shared test configuration tree (PKI and Attribute Authority
# fixtures are read from below it)
testConfigDir = %(here)s/../../config
24
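#______________________________________________________________________________
# Attribute Authority settings - picked up by [filter:AttributeAuthorityFilter]
# below through the 'attributeAuthority' prefix.  Delimiters are written as
# 'key = value' throughout; ConfigParser accepts ':' as well, but the file
# previously mixed the two.
#
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = Site A

# Attribute Certificate lifetime, in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime = 28800

# Offset applied to allow for clock skew between servers running security
# services.  Measured in seconds - use a minus sign for a time in the past
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this directory
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler:
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16

# Separator between Distinguished Name components (inferred from the key name)
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFilePath = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Custom AttributeInterface derived class used to get the roles for a given
# user ID: module directory, module name and class name
attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = siteAUserRoles
attributeAuthority.attributeInterface.className = TestUserRoles

# XML signature of issued Attribute Certificates: signing key and certificate
# pair, plus the CA certificate(s) trusted when verifying.  All are test
# fixtures under testConfigDir.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0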
61
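#______________________________________________________________________________
# Session Manager settings - picked up by [filter:SessionManagerFilter] below
# through the 'sessionManager' prefix.  Commented out settings take their
# defaults; to override a default, uncomment it and set as required.  See the
# ndg.security.server.sessionmanager module for details.  Delimiters are
# written as 'key = value' throughout (the file previously mixed '=' and ':').

# Credential Wallet settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts = True
sessionManager.credentialWallet.rtnExtAttCertList = True

# Refresh an Attribute Certificate if the one in the wallet has only this
# many seconds left before it expires.
# NOTE(review): every other wallet setting here carries the
# 'sessionManager.credentialWallet.' prefix and this key does not, so the
# Session Manager may ignore it and use its default instead - confirm against
# the wallet's property parsing before relying on the value.
credentialWallet.attCertRefreshElapse = 7200

# WS-Security settings used by the credential wallets held in user sessions
# hosted by the Session Manager.  They let individual wallets query Attribute
# Authorities for user Attribute Certificates.  NB, these are distinct from
# the WS-Security filters that handle requests made to the Session Manager.
#
# The settings are identified by a prefix...
sessionManager.credentialWallet.wssCfgPrefix = sessionManager.credentialWallet.wssecurity

# ...a section name could be used instead.
#sessionManager.credentialWallet.wssCfgSection =

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites go here.  NB, multiple
# values are delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0

# Signature of an outbound message
#
# Certificate associated with the private key used to sign a message.  The
# sign method adds it to the BinarySecurityToken element of the WSSE header;
# binSecTokValType must then be set to the 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below.
#
# PEM encoded cert ...
sessionManager.credentialWallet.wssecurity.signingCertFilePath = %(testConfigDir)s/sessionmanager/sm.crt

# ... and the matching PEM encoded private key file (test fixture)
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath = %(testConfigDir)s/sessionmanager/sm.key

# ValueType for the BinarySecurityToken added to the WSSE header of a signed
# message.  See the __setReqBinSecTokValType method and binSecTokValType
# class variable for options - one of X509, X509v3, X509PKIPathv1, or give
# the full namespace of an alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
sessionManager.credentialWallet.wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation = True

# Authentication service plugin: module directory (left blank here -
# presumably the module is then found on the Python path), module name and
# class name
sessionManager.authNService.moduleFilePath =
sessionManager.authNService.moduleName = ndg.security.test.config.sessionmanager.userx509certauthn
sessionManager.authNService.className = UserX509CertAuthN

# Specific settings for the UserX509CertAuthN Session Manager authentication
# plugin: PKI credentials for a single test account.  The passphrase is the
# one set on the test key fixture under testConfigDir/pki.
sessionManager.authNService.userX509CertFilePath = %(testConfigDir)s/pki/user.crt
sessionManager.authNService.userPriKeyFilePath = %(testConfigDir)s/pki/user.key
sessionManager.authNService.userPriKeyPwd = testpassword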
145
#______________________________________________________________________________
# Paste HTTP server.  host 0.0.0.0 binds every network interface of the
# machine, not just loopback; hostname in [DEFAULT] only affects the URIs the
# services hand out.
[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = %(portNum)s
150
# Wraps the cascade in Paste's HTTP exception handling.  Not referenced from
# [pipeline:main] in this file, so it appears to be kept for an alternative
# way of serving the OpenID Provider.
[filter-app:OpenIDProviderFilterApp]
use = egg:Paste#httpexceptions
next = cascade
154
# Composite for the OpenID Provider: serve static content first and fall
# through to the provider application when that answers 404
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderApp
catch = 404
162
# Static files for the OpenID Provider pages (e.g. the /layout/ images its
# rendering settings refer to)
[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider
166
# Main WSGI stack.  A request passes through the filters in the order listed;
# the final entry is the application that handles it.  Continuation lines are
# indented uniformly - ConfigParser strips the leading whitespace.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
    AttributeAuthorityFilter
    SessionManagerFilter
    wsseSignatureFilter
    SessionMiddlewareFilter
    OpenIDRelyingPartyFilter
    OpenIDProviderApp
175
#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware

# Session cookie name - left at Beaker's default
#beaker.session.key = sso

# Placeholder value for this test deployment.  Beaker uses it to sign the
# session cookie, so a deployment sets its own value.
beaker.session.secret = somesecret

# Locations of the cache data and of the saved sessions (both set explicitly
# here, below this file's directory)
beaker.cache.data_dir = %(here)s/beaker/cache
beaker.session.data_dir = %(here)s/beaker/sessions
188
#______________________________________________________________________________
# OpenID Relying Party WSGI settings
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
    ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# environ key under which [filter:SessionMiddlewareFilter] stores the session
openid.relyingparty.sessionKey = beaker.session
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Sign-in interface: the combined sign-in/login interface from the test
# package is kept here as an alternative to the Buffet template in use
#openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
#openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
# OpenID pre-filled in the sign-in form: the local provider's idselect URI
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s

# Layout of the sign-in page
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit set-up.  The two secrets below are placeholders for this test
# deployment; each deployment sets its own values.
authkit.setup.method = openid, cookie
authkit.cookie.secret = secret encryption string
authkit.cookie.signoutpath = /logout
authkit.openid.path.signedin = /
# OpenID association/nonce store: files under this directory
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/data/openid
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =
230
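#______________________________________________________________________________
# OpenID Provider WSGI Settings.  Delimiters are written as 'key = value'
# throughout; ConfigParser accepts ':' as well, but the section previously
# mixed the two.
[app:OpenIDProviderApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URL paths served by the provider
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class.  ${userIdentifier} is filled in by the
# provider, not by ConfigParser (which only expands %(name)s).
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

# environ key under which [filter:SessionMiddlewareFilter] stores the session
openid.provider.session_middleware = beaker.session
openid.provider.base_url = %(baseURI)s
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
# Alternative rendering class:
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Template engine settings for the Buffet rendering class
openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding = utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Optional SReg / AX response handlers - not enabled in this test set-up
#openid.provider.sregResponse = ndg.security.server.pylons.container.lib.openid_provider_util:esgSregResponse
#openid.provider.axResponseHandler = ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities - an alternative
# to the Session Manager interface enabled below
#openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
#openid.provider.authN.userCreds = pjk:test
#openid.provider.authN.username2UserIdentifiers = pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.
#openid.provider.authN.sessionManagerURI =

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
openid.provider.authN.environKeyName = filter:SessionManagerFilter

# Database connection used to check the link between username and OpenID
# identifier.  The connection string carries the test database password in
# clear.  $username and $userIdentifier in the queries are placeholders the
# authN interface fills in at logon.
# NOTE(review): the username presumably originates from the login form -
# confirm the interface escapes or parameterises the values it substitutes
# into these query strings.
openid.provider.authN.connectionString = postgres://postgres:testpassword@%(hostname)s/testUserDb
openid.provider.authN.logonSQLQuery = select username from openid where username = '$username' and ident = '$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery = select distinct ident from openid where username = '$username'

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test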
307
#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# Container for a binding to the SOAP based interface of the Attribute
# Authority
paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware

# ZSI generated SOAP service interface class handling i/o for this filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# Keywords specific to the SOAP binding class are picked out of this section
# by this prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class itself takes its settings from the [DEFAULT]
# section of this same file, identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Filter IDs this filter references
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for the Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with the setting
# used to invoke this service, set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# Attribute Authority clients in this WSGI stack use it to tell whether a
# request is for the local service or for another Attribute Authority running
# elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable the ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Identifier for this filter so that the Session Manager filter in this stack
# can call the Attribute Authority directly.  %(__name__)s expands to this
# section's name, filter:AttributeAuthorityFilter - the value referenced by
# SessionManager.attributeAuthorityFilterID below.
filterID = %(__name__)s
352
#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# Container for a binding to the SOAP based interface of the Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware

# ZSI generated SOAP service interface class handling i/o for this filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# Keywords specific to the SOAP binding class are picked out of this section
# by this prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class itself takes its settings from the [DEFAULT]
# section of this same file, identified by this prefix:
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = %(here)s/securityservices.ini

# Filters this one relies on: a local Attribute Authority (optional) and a
# WS-Security signature verification filter (required if a signature is used
# to authenticate the user making a request)
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class also needs to know about these
# filters
referencedFilters = filter:wsseSignatureVerificationFilter
    filter:AttributeAuthorityFilter

# Path from URI for the Session Manager in this Paste deployment
path = /SessionManager

# External endpoint for this Session Manager - must agree with the setting
# used to invoke this service, set in:
# * securityservicesapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# Session Manager clients in this WSGI stack use it to tell whether a request
# is for the local service or for another Session Manager running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable the ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Identifier for this filter so that the main WSGI app can call the Session
# Manager directly.  %(__name__)s expands to this section's name,
# filter:SessionManagerFilter - the value the OpenID Provider's
# authN.environKeyName setting expects.
filterID = %(__name__)s
405
#______________________________________________________________________________
# WS-Security Signature Verification - first entry in [pipeline:main], so it
# runs ahead of the Attribute Authority and Session Manager filters
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# %(__name__)s expands to this section's name, which the other SOAP filters
# reference as wsseSignatureVerificationFilterID
filterID = %(__name__)s

# Prefix of the settings for the WS-Security SignatureHandler class used by
# this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - a space separated list of file paths
wssecurity.caCertFilePathList = %(testConfigDir)s/pki/ca/d573507a.0
417
#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter so that signature confirmation can be
# applied
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in the chain of SOAP handlers writes the response
writeResponse = True

# Prefix of the settings for the WS-Security SignatureHandler class used by
# this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with the private key used to sign a message.  The
# sign method adds it to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath = %(testConfigDir)s/pki/wsse-server.crt

# Matching PEM encoded private key file (test fixture under testConfigDir)
wssecurity.signingPriKeyFilePath = %(testConfigDir)s/pki/wsse-server.key

# ValueType for the BinarySecurityToken added to the WSSE header of a signed
# message.  See the __setReqBinSecTokValType method and binSecTokValType
# class variable for options - one of X509, X509v3, X509PKIPathv1, or give
# the full namespace of an alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation = True
457
# Logging configuration - the sections from here on follow the
# logging.config.fileConfig layout
[loggers]
keys = root, ndg
461
# Single handler, defined in [handler_console]
[handlers]
keys = console
464
# Single formatter, defined in [formatter_generic]
[formatters]
keys = generic
467
# Catch-all logger: INFO and above to the console
[logger_root]
level = INFO
handlers = console
471
# ndg.* packages log at DEBUG for test runs.  No handler of its own, so
# records propagate up to the root logger's console handler.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg
476
# Console handler on stderr.  'args' is evaluated by logging.config.fileConfig
# as a Python expression, hence the tuple syntax.
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic
482
# The %(...)s fields here belong to the logging formatter; fileConfig reads
# this section raw, so ConfigParser interpolation does not apply to them.
[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
486