1 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
---|
2 | <HTML> |
---|
3 | <HEAD> |
---|
4 | <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8"> |
---|
5 | <TITLE>NDG Security Installation Guide</TITLE> |
---|
6 | <META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0 (Linux)"> |
---|
7 | <META NAME="AUTHOR" CONTENT="P J Kershaw"> |
---|
8 | <META NAME="CREATED" CONTENT="20071010;9350000"> |
---|
9 | <META NAME="CHANGED" CONTENT="20071221;14112900"> |
---|
10 | <STYLE TYPE="text/css"> |
---|
11 | <!-- |
---|
12 | @page { size: 21cm 29.7cm; margin-left: 2.54cm; margin-right: 2.29cm; margin-top: 1.27cm; margin-bottom: 1.27cm } |
---|
13 | @page:first { margin-top: 1.27cm; margin-bottom: 2.54cm } |
---|
14 | P { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 } |
---|
15 | P.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB } |
---|
16 | P.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt } |
---|
17 | P.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA } |
---|
18 | H1 { margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2; page-break-before: always } |
---|
19 | H1.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB } |
---|
20 | H1.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt } |
---|
21 | H1.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } |
---|
22 | H2 { margin-left: 0.1cm; margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: left; widows: 2; orphans: 2 } |
---|
23 | H2.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB } |
---|
24 | H2.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt } |
---|
25 | H2.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } |
---|
26 | H3 { margin-top: 0cm; margin-bottom: 0.42cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } |
---|
27 | H3.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic } |
---|
28 | H3.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic } |
---|
29 | H3.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } |
---|
30 | H4 { margin-top: 0cm; margin-bottom: 0cm; direction: ltr; color: #000000; text-align: justify; widows: 2; orphans: 2 } |
---|
31 | H4.western { font-family: "Helvetica", sans-serif; font-size: 10pt; so-language: en-GB; font-style: italic; font-weight: medium } |
---|
32 | H4.cjk { font-family: "Times New Roman", "Times", serif; font-size: 10pt; font-style: italic; font-weight: medium } |
---|
33 | H4.ctl { font-family: "Times New Roman", "Times", serif; font-size: 10pt; so-language: ar-SA; font-weight: medium } |
---|
34 | A:link { color: #0000ff } |
---|
35 | A:visited { color: #800080 } |
---|
36 | --> |
---|
37 | </STYLE> |
---|
38 | </HEAD> |
---|
39 | <BODY LANG="en-GB" TEXT="#000000" LINK="#0000ff" VLINK="#800080" DIR="LTR"> |
---|
40 | <DIV TYPE=HEADER> |
---|
41 | <P ALIGN=JUSTIFY STYLE="margin-bottom: 1.17cm"><BR><BR> |
---|
42 | </P> |
---|
43 | </DIV> |
---|
44 | <P ALIGN=LEFT><BR><BR> |
---|
45 | </P> |
---|
46 | <P ALIGN=LEFT><A NAME="_Ref179772410"></A><BR><BR> |
---|
47 | </P> |
---|
48 | <P ALIGN=LEFT><SPAN ID="Frame1" DIR="LTR" STYLE="float: left; width: 12.96cm; height: 4.77cm; border: none; padding: 0cm; background: #ffffff"> |
---|
49 | <P ALIGN=RIGHT><FONT SIZE=6 STYLE="font-size: 28pt"><B>NERC Data |
---|
50 | Grid Security</B></FONT></P> |
---|
51 | <P ALIGN=RIGHT><FONT SIZE=6><B>Installation Guide</B></FONT></P> |
---|
52 | <P ALIGN=RIGHT><FONT SIZE=3><B>Version 0.9</B></FONT></P> |
---|
53 | </SPAN><BR><BR> |
---|
54 | </P> |
---|
55 | <P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Document |
---|
56 | Log</B></FONT></P> |
---|
57 | <TABLE WIDTH=627 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
58 | <COL WIDTH=194> |
---|
59 | <COL WIDTH=195> |
---|
60 | <COL WIDTH=195> |
---|
61 | <TR VALIGN=TOP> |
---|
62 | <TD WIDTH=194 BGCOLOR="#d9d9d9"> |
---|
63 | <P ALIGN=JUSTIFY><B>Version Number</B></P> |
---|
64 | </TD> |
---|
65 | <TD WIDTH=195 BGCOLOR="#d9d9d9"> |
---|
66 | <P CLASS="western" ALIGN=JUSTIFY><B>Date</B></P> |
---|
67 | </TD> |
---|
68 | <TD WIDTH=195 BGCOLOR="#d9d9d9"> |
---|
69 | <P CLASS="western" ALIGN=JUSTIFY><B>Comment</B></P> |
---|
70 | </TD> |
---|
71 | </TR> |
---|
72 | <TR VALIGN=TOP> |
---|
73 | <TD WIDTH=194> |
---|
74 | <P ALIGN=JUSTIFY>0.1</P> |
---|
75 | </TD> |
---|
76 | <TD WIDTH=195> |
---|
77 | <P CLASS="western" ALIGN=JUSTIFY>04/11/05</P> |
---|
78 | </TD> |
---|
79 | <TD WIDTH=195> |
---|
80 | <P CLASS="western" ALIGN=JUSTIFY>First Draft</P> |
---|
81 | </TD> |
---|
82 | </TR> |
---|
83 | <TR VALIGN=TOP> |
---|
84 | <TD WIDTH=194> |
---|
85 | <P ALIGN=JUSTIFY>0.2</P> |
---|
86 | </TD> |
---|
87 | <TD WIDTH=195> |
---|
88 | <P CLASS="western" ALIGN=JUSTIFY>21/02/06</P> |
---|
89 | </TD> |
---|
90 | <TD WIDTH=195> |
---|
91 | <P CLASS="western" ALIGN=JUSTIFY>Draft for installation at NOCS</P> |
---|
92 | </TD> |
---|
93 | </TR> |
---|
94 | <TR VALIGN=TOP> |
---|
95 | <TD WIDTH=194> |
---|
96 | <P ALIGN=JUSTIFY>0.3</P> |
---|
97 | </TD> |
---|
98 | <TD WIDTH=195> |
---|
99 | <P CLASS="western" ALIGN=JUSTIFY>07/04/06</P> |
---|
100 | </TD> |
---|
101 | <TD WIDTH=195> |
---|
102 | <P CLASS="western" ALIGN=JUSTIFY>Updates following installation at |
---|
103 | NOCS</P> |
---|
104 | </TD> |
---|
105 | </TR> |
---|
106 | <TR VALIGN=TOP> |
---|
107 | <TD WIDTH=194> |
---|
108 | <P ALIGN=JUSTIFY>0.4</P> |
---|
109 | </TD> |
---|
110 | <TD WIDTH=195> |
---|
111 | <P CLASS="western" ALIGN=JUSTIFY>25/07/06</P> |
---|
112 | </TD> |
---|
113 | <TD WIDTH=195> |
---|
114 | <P CLASS="western" ALIGN=JUSTIFY>Include deployment model and |
---|
115 | details about SysV style init scripts for web services.</P> |
---|
116 | </TD> |
---|
117 | </TR> |
---|
118 | <TR VALIGN=TOP> |
---|
119 | <TD WIDTH=194> |
---|
120 | <P ALIGN=JUSTIFY>0.5</P> |
---|
121 | </TD> |
---|
122 | <TD WIDTH=195> |
---|
123 | <P CLASS="western" ALIGN=JUSTIFY>16/01/07</P> |
---|
124 | </TD> |
---|
125 | <TD WIDTH=195> |
---|
126 | <P CLASS="western" ALIGN=JUSTIFY>Instructions for installation of |
---|
127 | python packages and associated C library dependencies from source |
---|
128 | and corrections for MyProxy installation.</P> |
---|
129 | <P CLASS="western" ALIGN=JUSTIFY>Installation instructions apply |
---|
130 | to NDG-Security Post Alpha release 0.72.</P> |
---|
131 | </TD> |
---|
132 | </TR> |
---|
133 | <TR VALIGN=TOP> |
---|
134 | <TD WIDTH=194> |
---|
135 | <P ALIGN=JUSTIFY>0.6</P> |
---|
136 | </TD> |
---|
137 | <TD WIDTH=195> |
---|
138 | <P CLASS="western" ALIGN=JUSTIFY>17/08/07</P> |
---|
139 | </TD> |
---|
140 | <TD WIDTH=195> |
---|
141 | <P CLASS="western" ALIGN=JUSTIFY>Updated for NDG Beta release. |
---|
142 | </P> |
---|
143 | <UL> |
---|
144 | <LI><P CLASS="western" ALIGN=JUSTIFY>Installation of python |
---|
145 | packages is now via distutils eggs. |
---|
146 | </P> |
---|
147 | <LI><P CLASS="western" ALIGN=JUSTIFY>Python services use Twisted.</P> |
---|
148 | </UL> |
---|
149 | </TD> |
---|
150 | </TR> |
---|
151 | <TR VALIGN=TOP> |
---|
152 | <TD WIDTH=194> |
---|
153 | <P ALIGN=JUSTIFY>0.7</P> |
---|
154 | </TD> |
---|
155 | <TD WIDTH=195> |
---|
156 | <P CLASS="western" ALIGN=JUSTIFY>03/10/07</P> |
---|
157 | </TD> |
---|
158 | <TD WIDTH=195> |
---|
159 | <P CLASS="western" ALIGN=JUSTIFY>Tidied headers for creation of |
---|
160 | HTML version</P> |
---|
161 | </TD> |
---|
162 | </TR> |
---|
163 | <TR VALIGN=TOP> |
---|
164 | <TD WIDTH=194> |
---|
165 | <P ALIGN=JUSTIFY>0.8</P> |
---|
166 | </TD> |
---|
167 | <TD WIDTH=195> |
---|
168 | <P CLASS="western" ALIGN=JUSTIFY>09/10/07</P> |
---|
169 | </TD> |
---|
170 | <TD WIDTH=195> |
---|
171 | <UL> |
---|
172 | <LI><P CLASS="western" ALIGN=LEFT>Updates for mapConfig.xml, |
---|
173 | sessionMgrProperties.xml and attAuthorityProperties.xml config |
---|
174 | files</P> |
---|
175 | <LI><P CLASS="western" ALIGN=LEFT>Configuration for logging</P> |
---|
176 | </UL> |
---|
177 | </TD> |
---|
178 | </TR> |
---|
179 | <TR VALIGN=TOP> |
---|
180 | <TD WIDTH=194> |
---|
181 | <P ALIGN=JUSTIFY>0.9</P> |
---|
182 | </TD> |
---|
183 | <TD WIDTH=195> |
---|
184 | <P CLASS="western" ALIGN=JUSTIFY>11/10/07</P> |
---|
185 | </TD> |
---|
186 | <TD WIDTH=195> |
---|
187 | <UL> |
---|
188 | <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Use of MyProxy with a |
---|
189 | SimpleCA and PAM callout for authentication</P> |
---|
190 | <LI><P CLASS="western" ALIGN=LEFT>Details for certificate |
---|
191 | requests for Session Manager and Attribute Authority</P> |
---|
192 | </UL> |
---|
193 | </TD> |
---|
194 | </TR> |
---|
195 | </TABLE> |
---|
196 | <P ALIGN=LEFT STYLE="page-break-before: always"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></P> |
---|
197 | <DIV ID="Table of Contents1" DIR="LTR"> |
---|
198 | <P ALIGN=JUSTIFY><A HREF="#1. References|outline">1. References 6</A></P> |
---|
199 | <P ALIGN=JUSTIFY><A HREF="#2.Introduction|outline">2. Introduction 7</A></P> |
---|
200 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.1.Pre-requisites |outline">2.1 |
---|
201 | Pre-requisites 7</A></P> |
---|
202 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#2.2.Deployment Model|outline">2.2 |
---|
203 | Deployment Model 7</A></P> |
---|
204 | <P ALIGN=JUSTIFY><A HREF="#3.Software Installation Components|outline">3. |
---|
205 | Software Installation Components 9</A></P> |
---|
206 | <P ALIGN=JUSTIFY><A HREF="#4.Installation|outline">4. |
---|
207 | Installation 10</A></P> |
---|
208 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.1.Dependencies|outline">4.1 |
---|
209 | Dependencies 10</A></P> |
---|
210 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.1.OpenSSL|outline">4.1.1 |
---|
211 | OpenSSL 10</A></P> |
---|
212 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.1.2.SWIG|outline">4.1.2 |
---|
213 | SWIG 10</A></P> |
---|
214 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.2.Python Packages|outline">4.2 |
---|
215 | Python Packages 10</A></P> |
---|
216 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.1.setuptools|outline">4.2.1 |
---|
217 | setuptools 10</A></P> |
---|
218 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.2.2.NDG Security Packages|outline">4.2.2 |
---|
219 | NDG Security Packages 11</A></P> |
---|
220 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.3.NDG Web Services Configuration|outline">4.3 |
---|
221 | NDG Web Services Configuration 11</A></P> |
---|
222 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.1.NDG Security System Configuration Files|outline">4.3.1 |
---|
223 | NDG Security System Configuration Files 11</A></P> |
---|
224 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.3.2. Certificate Generation|outline">4.3.2 |
---|
225 | Certificate Generation 12</A></P> |
---|
226 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.4.Session Manager Configuration|outline">4.4 |
---|
227 | Session Manager Configuration 14</A></P> |
---|
228 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.1.Session Manager Credential Repository|outline">4.4.1 |
---|
229 | Session Manager Credential Repository 14</A></P> |
---|
230 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.2.Session Manager Properties File Settings|outline">4.4.2 |
---|
231 | Session Manager Properties File Settings 14</A></P> |
---|
232 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.4.3.SysV-style Boot Script|outline">4.4.3 |
---|
233 | SysV-style Boot Script 18</A></P> |
---|
234 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.5.Attribute Authority Configuration|outline">4.5 |
---|
235 | Attribute Authority Configuration 18</A></P> |
---|
236 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.1.Attribute Authority Properties File Settings|outline">4.5.1 |
---|
237 | Attribute Authority Properties File Settings 18</A></P> |
---|
238 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.2.User Roles Interface|outline">4.5.2 |
---|
239 | User Roles Interface 20</A></P> |
---|
240 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.3.Role Mapping|outline">4.5.3 |
---|
241 | Role Mapping 20</A></P> |
---|
242 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.4.Twisted Python server .tac file|outline">4.5.4 |
---|
243 | Twisted Python server .tac file 21</A></P> |
---|
244 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.5.5.SysV-style Boot Script|outline">4.5.5 |
---|
245 | SysV-style Boot Script 22</A></P> |
---|
246 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.6.Python Unit Tests|outline">4.6 |
---|
247 | Python Unit Tests 22</A></P> |
---|
248 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#4.7. MyProxy|outline">4.7 |
---|
249 | MyProxy 22</A></P> |
---|
250 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.1. MyProxy and NDG Security Background|outline">4.7.1 |
---|
251 | MyProxy and NDG Security Background 22</A></P> |
---|
252 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.2. MyProxy user account and the repository location considerations|outline">4.7.2 |
---|
253 | MyProxy user account and the repository location considerations 23</A></P> |
---|
254 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.3. Installation|outline">4.7.3 |
---|
255 | Installation 23</A></P> |
---|
256 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.4. SimpleCA Installation|outline">4.7.4 |
---|
257 | SimpleCA Installation 24</A></P> |
---|
258 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.5. Host Certificate Creation|outline">4.7.5 |
---|
259 | Host Certificate Creation 27</A></P> |
---|
260 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.6. MyProxy Configuration File|outline">4.7.6 |
---|
261 | MyProxy Configuration File 27</A></P> |
---|
262 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.7. MyProxy SimpleCA Configuration|outline">4.7.7 |
---|
263 | MyProxy SimpleCA Configuration 28</A></P> |
---|
264 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.8. MyProxy PAM Configuration|outline">4.7.8 |
---|
265 | MyProxy PAM Configuration 29</A></P> |
---|
266 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.9. Testing MyProxy|outline">4.7.9 |
---|
267 | Testing MyProxy 30</A></P> |
---|
268 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#4.7.10. Adding MyProxy Server to the system start up|outline">4.7.10 |
---|
269 | Adding MyProxy Server to the system start up 33</A></P> |
---|
270 | <P ALIGN=JUSTIFY><A HREF="#5.Appendices|outline">5. Appendices 35</A></P> |
---|
271 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.1. Postgres PAM for MyProxy|outline">5.1 |
---|
272 | Postgres PAM for MyProxy 35</A></P> |
---|
273 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.1.1. Configuration|outline">5.1.1 |
---|
274 | Configuration 35</A></P> |
---|
275 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.2. MySQL Installation|outline">5.2 |
---|
276 | MySQL Installation 36</A></P> |
---|
277 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.1.Version|outline">5.2.1 |
---|
278 | Version 36</A></P> |
---|
279 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.2. Getting the Binaries|outline">5.2.2 |
---|
280 | Getting the Binaries 36</A></P> |
---|
281 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.3. New mysql User Account|outline">5.2.3 |
---|
282 | New mysql User Account 36</A></P> |
---|
283 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.4. Unpacking the tarball|outline">5.2.4 |
---|
284 | Unpacking the tarball 36</A></P> |
---|
285 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.5. Configuration File|outline">5.2.5 |
---|
286 | Configuration File 37</A></P> |
---|
287 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.6. Create the Grant Tables|outline">5.2.6 |
---|
288 | Create the Grant Tables 37</A></P> |
---|
289 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.7. File and Directory Permissions|outline">5.2.7 |
---|
290 | File and Directory Permissions 38</A></P> |
---|
291 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.8. Starting the Server|outline">5.2.8 |
---|
292 | Starting the Server 38</A></P> |
---|
293 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.9. Securing MySQL Accounts|outline">5.2.9 |
---|
294 | Securing MySQL Accounts 38</A></P> |
---|
295 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.2.10. Server Automated Start up|outline">5.2.10 |
---|
296 | Server Automated Start up 39</A></P> |
---|
297 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.3. HTTPS set-up with Apache Web Server|outline">5.3 |
---|
298 | HTTPS set-up with Apache Web Server 39</A></P> |
---|
299 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.1. Web Server Host Certificate Generation|outline">5.3.1 |
---|
300 | Web Server Host Certificate Generation 39</A></P> |
---|
301 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.3.2.Apache Configuration File Settings|outline">5.3.2 |
---|
302 | Apache Configuration File Settings 40</A></P> |
---|
303 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline">5.4 |
---|
304 | Apache Web Server Proxy Settings Configuration for Web Services 40</A></P> |
---|
305 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.5.An Example Attribute Authority AAUserRoles interface class|outline">5.5 |
---|
306 | An Example Attribute Authority AAUserRoles interface class 41</A></P> |
---|
307 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.35cm"><A HREF="#5.6.Troubleshooting|outline">5.6 |
---|
308 | Troubleshooting 44</A></P> |
---|
309 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.1.M2Crypto |outline">5.6.1 |
---|
310 | M2Crypto 44</A></P> |
---|
311 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.2. PyXML|outline">5.6.2 |
---|
312 | PyXML 45</A></P> |
---|
313 | <P ALIGN=JUSTIFY STYLE="margin-left: 0.71cm"><A HREF="#5.6.3. 4Suite-XML Build error|outline">5.6.3 |
---|
314 | 4Suite-XML Build error 45</A></P> |
---|
315 | </DIV> |
---|
316 | <H1 CLASS="western"><A NAME="1. References|outline"></A>1. References</H1> |
---|
317 | <OL> |
---|
318 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://grid.ncsa.uiuc.edu/myproxy/"><SPAN LANG="fi-FI">http://grid.ncsa.uiuc.edu/myproxy/</SPAN></A></U></FONT><SPAN LANG="fi-FI"> |
---|
319 | - NCSA MyProxy site</SPAN></P> |
---|
320 | <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/ca/">http://grid.ncsa.uiuc.edu/myproxy/ca/</A> |
---|
321 | - MyProxy Certificate Authority</P> |
---|
322 | <LI><P LANG="fr-FR" CLASS="western" ALIGN=JUSTIFY><A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A> |
---|
323 | – MyProxy PAM Support</P> |
---|
324 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT COLOR="#0000ff"><U><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/">http://www-unix.globus.org/toolkit/docs/4.0/security/</A></U></FONT> |
---|
325 | - Globus 4.0 and Security</P> |
---|
326 | <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://peak.telecommunity.com/DevCenter/setuptools">http://peak.telecommunity.com/DevCenter/setuptools</A></U></FONT> |
---|
327 | - Python Eggs and Easy Install</P> |
---|
328 | <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://pywebsvcs.sourceforge.net/">http://pywebsvcs.sourceforge.net/</A></U></FONT> |
---|
329 | - Python ZSI SOAP Web Services package</P> |
---|
330 | <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://chandlerproject.org/bin/view/Projects/MeTooCrypto">http://chandlerproject.org/bin/view/Projects/MeTooCrypto</A></U></FONT> |
---|
331 | - Python M2Crypto OpenSSL wrapper</P> |
---|
332 | <LI><P CLASS="western" ALIGN=LEFT><FONT COLOR="#0000ff"><U><A HREF="http://twistedmatrix.com/trac/">http://twistedmatrix.com/trac/</A></U></FONT> |
---|
333 | - Python Twisted Application Server</P> |
---|
334 | <LI><P CLASS="western" ALIGN=LEFT><A NAME="_Ref132180158"></A>NDG |
---|
335 | Security - Security Measures for Installation [v0.2, 7 September |
---|
336 | 2005], |
---|
337 | <FONT COLOR="#0000ff"><U><A HREF="http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation">http://bscw.badc.rl.ac.uk/bscw/bscw.cgi/d77103/NDG%20Security%20-%20Security%20Measures%20for%20Installation</A></U></FONT></P> |
---|
338 | </OL> |
---|
339 | <H1 CLASS="western"><A NAME="2.Introduction|outline"></A>2. Introduction</H1> |
---|
340 | <P CLASS="western" ALIGN=JUSTIFY>This is a guide for system |
---|
341 | administrators and developers deploying NDG security at a data |
---|
342 | centre.</P> |
---|
343 | <H2 CLASS="western"><A NAME="2.1.Pre-requisites |outline"></A>2.1 Pre-requisites |
---|
344 | </H2> |
---|
345 | <UL> |
---|
346 | <LI><P CLASS="western" ALIGN=JUSTIFY>For NDG Security Web Services: |
---|
347 | a host running RedHat Enterprise AS4 or later is recommended. Other |
---|
348 | Linux distributions may also be suitable.</P> |
---|
349 | <LI><P CLASS="western" ALIGN=JUSTIFY>For MyProxy: a separate host |
---|
350 | machine (see the MyProxy documentation for details of the operating systems supported). |
---|
351 | The host must be secure: if possible a dedicated machine with |
---|
352 | minimal other services running on it. It should be kept up to date |
---|
353 | with patches and system logs monitored regularly.</P> |
---|
354 | <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy and Security web |
---|
355 | services hosts must be configured to link with an NTP server to |
---|
356 | enable clocks to be synchronised with security services running at |
---|
357 | other NDG sites.</P> |
---|
358 | <LI><P CLASS="western" ALIGN=JUSTIFY>Access to a web server if |
---|
359 | security for web based applications is required. The web server |
---|
360 | must be able to be configured to support HTTPS.</P> |
---|
361 | <LI><P CLASS="western" ALIGN=JUSTIFY>[MySQL 3.23 or greater or |
---|
362 | Postgres – these are optional and are required for the NDG |
---|
363 | CredentialRepository only]</P> |
---|
364 | <LI><P CLASS="western" ALIGN=JUSTIFY>Python 2.4 or later</P> |
---|
365 | <LI><P CLASS="western" ALIGN=JUSTIFY>Python setuptools utility</P> |
---|
366 | <LI><P CLASS="western" ALIGN=JUSTIFY>OpenSSL is required at version |
---|
367 | 0.9.8 or greater</P> |
---|
368 | <LI><P CLASS="western" ALIGN=JUSTIFY>SWIG 1.3.24 or later (for |
---|
369 | M2Crypto Python OpenSSL wrapper)</P> |
---|
370 | </UL> |
---|
371 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">Also |
---|
372 | note document NDG <I>Security - Security Measures for Installation</I> |
---|
373 | (see Ref 9 above).</P> |
---|
374 | <H2 CLASS="western"><A NAME="2.2.Deployment Model|outline"></A>2.2 Deployment |
---|
375 | Model</H2> |
---|
376 | <P CLASS="western" ALIGN=JUSTIFY>The following diagram gives an |
---|
377 | example deployment configuration for NDG security services.</P> |
---|
378 | <P CLASS="western" ALIGN=JUSTIFY><IMG SRC="NDGSecurityInstallationGuide_html_m1b1d83c.png" NAME="graphics1" ALIGN=BOTTOM WIDTH=611 HEIGHT=614 BORDER=0></P> |
---|
379 | <P CLASS="western" ALIGN=JUSTIFY>All services are positioned behind |
---|
380 | the firewall. MyProxy is installed on a dedicated machine in order |
---|
381 | to make its repository as secure as possible. Connections to MyProxy |
---|
382 | may be made from the Session Manager web service only from within the |
---|
383 | internal network.</P> |
---|
384 | <P CLASS="western" ALIGN=JUSTIFY>In the above, security web services |
---|
385 | are run together on the same host but this does not have to be the |
---|
386 | case. They can be run on separate servers. Similarly, the web |
---|
387 | server is on a separate host but could be run on the same machine as |
---|
388 | the web services if it was felt to be appropriate.</P> |
---|
389 | <P CLASS="western" ALIGN=JUSTIFY>In the above diagram Attribute |
---|
390 | Authority accesses a user database. It is assumed that the target |
---|
391 | site has a database to store user and user role/access right |
---|
392 | information. This information needn’t be stored by means of a |
---|
393 | database and could be represented in some other way. It is for the |
---|
394 | data provider to decide. Similarly, the Session Manager web service |
---|
395 | interfaces with a Credential Repository. This is a database in the |
---|
396 | above but could be some other kind of permanent store.</P> |
---|
397 | <P CLASS="western" ALIGN=JUSTIFY>Databases are on a separate server |
---|
398 | to the web services host. Web services access the databases over the |
---|
399 | internal network. Finally, the web services have ports exposed in |
---|
400 | some way through the firewall to enable communication with other NDG |
---|
401 | security web services at other sites.</P> |
---|
402 | <H1 CLASS="western"><A NAME="3.Software Installation Components|outline"></A> |
---|
403 | 3. Software Installation Components</H1> |
---|
404 | <P CLASS="western" ALIGN=JUSTIFY>Python software is packaged using |
---|
405 | distutils eggs. These are divided into separate components to suit |
---|
406 | the particular installation required:</P> |
---|
407 | <UL> |
---|
408 | <LI VALUE=1><P CLASS="western" ALIGN=LEFT>ndg_security_server – |
---|
409 | components required to run services</P> |
---|
410 | <LI><P CLASS="western" ALIGN=LEFT>ndg_security_common – components |
---|
411 | required by both server and client eggs</P> |
---|
412 | <LI><P CLASS="western" ALIGN=LEFT>ndg_security_client – components |
---|
413 | for building clients to NDG security services. For example, a data |
---|
414 | provider’s web application server would need these to enable the |
---|
415 | securing of access to resources or an organisation’s Identity |
---|
416 | provider would need these to authenticate and allocate authorisation |
---|
417 | attributes to users.</P> |
---|
418 | <LI><P CLASS="western" ALIGN=LEFT>ndg_security_test – unit tests |
---|
419 | for all components</P> |
---|
420 | <LI><P CLASS="western" ALIGN=LEFT>ndg_security – install all: |
---|
421 | client, server and common components</P> |
---|
422 | </UL> |
---|
423 | <P CLASS="western" ALIGN=JUSTIFY>Eggs rely on the distutils |
---|
424 | easy_install command to manage installation but NDG security uses an |
---|
425 | additional script ndg_security_install.py to install eggs and carry |
---|
426 | out the additional installation tasks to correctly configure the |
---|
427 | software.</P> |
---|
428 | <P CLASS="western" ALIGN=JUSTIFY>The following additional packages |
---|
429 | are required:</P> |
---|
430 | <UL> |
---|
431 | <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY>Globus MyProxy 4.0.5 |
---|
432 | (or later) – source installer tarball may be downloaded from the |
---|
433 | Globus site (<FONT COLOR="#0000ff"><U><A HREF="http://www.globus.org/toolkit/downloads/4.0.1/">http://www.globus.org/toolkit/downloads/4.0.1/</A></U></FONT>)</P> |
---|
434 | <LI><P CLASS="western" ALIGN=JUSTIFY>Globus SimpleCA to enable the |
---|
435 | MyProxy Certificate Authority.</P> |
---|
436 | </UL> |
---|
437 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm">These |
---|
438 | two packages should be installed on the target host for MyProxy.</P> |
---|
439 | <H1 CLASS="western"><A NAME="4.Installation|outline"></A>4. Installation</H1> |
---|
440 | <P CLASS="western" ALIGN=JUSTIFY>This section is divided into the |
---|
441 | Python installation and MyProxy. Note that you will almost certainly |
---|
442 | wish to install MyProxy on a separate secure server to the other |
---|
443 | Python based security services.</P> |
---|
444 | <H2 CLASS="western"><A NAME="4.1.Dependencies|outline"></A>4.1 Dependencies</H2> |
---|
445 | <H3 CLASS="western"><A NAME="4.1.1.OpenSSL|outline"></A>4.1.1 OpenSSL</H3> |
---|
446 | <P CLASS="western" ALIGN=JUSTIFY>Before proceeding with the |
---|
447 | installation check that an up to date version of OpenSSL is |
---|
448 | installed:</P> |
---|
449 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
450 | <COL WIDTH=596> |
---|
451 | <TR> |
---|
452 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
453 | <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> |
---|
454 | </P> |
---|
455 | <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
456 | openssl version</FONT></P> |
---|
457 | </TD> |
---|
458 | </TR> |
---|
459 | </TABLE> |
---|
460 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
461 | </P> |
---|
462 | <P CLASS="western" ALIGN=JUSTIFY>0.9.8 or greater is required. |
---|
463 | Should you need to upgrade, OpenSSL is available from |
---|
464 | <A HREF="http://www.openssl.org/source/">http://www.openssl.org/source/</A>. |
---|
465 | Once downloaded, unpack the tarball and follow the installation |
---|
466 | instructions.</P> |
---|
467 | <H3 CLASS="western"><A NAME="4.1.2.SWIG|outline"></A>4.1.2 SWIG</H3> |
---|
468 | <P CLASS="western">SWIG is a tool to help with bindings from C/C++ to |
---|
469 | interpreted languages such as Python. The Python OpenSSL wrapper |
---|
470 | M2Crypto uses it and version 1.3.24 or later is required. Downloads |
---|
471 | are available from <A HREF="http://www.swig.org/">http://www.swig.org</A>.</P> |
---|
472 | <H2 CLASS="western"><A NAME="4.2.Python Packages|outline"></A>4.2 |
---|
473 | Python Packages</H2> |
---|
474 | <P CLASS="western" ALIGN=JUSTIFY>Log in to the target host as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>. |
---|
475 | Change to a suitable directory to hold temporary installation files. |
---|
476 | |
---|
477 | </P> |
---|
478 | <H3 CLASS="western"><A NAME="4.2.1.setuptools|outline"></A>4.2.1 |
---|
479 | setuptools</H3> |
---|
480 | <P CLASS="western" ALIGN=JUSTIFY>The first step is to install Python |
---|
481 | setuptools, the package that enables the use of Python eggs. |
---|
482 | Download the setuptools bootstrap script:</P> |
---|
483 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
484 | <COL WIDTH=596> |
---|
485 | <TR> |
---|
486 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
487 | <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> |
---|
488 | </P> |
---|
489 | <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
490 | wget http://peak.telecommunity.com/dist/ez_setup.py</FONT></P> |
---|
491 | </TD> |
---|
492 | </TR> |
---|
493 | </TABLE> |
---|
494 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
495 | </P> |
---|
496 | <P CLASS="western" ALIGN=JUSTIFY>You may need to set the environment |
---|
497 | for a http proxy at your site. For example,</P> |
---|
498 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
499 | <COL WIDTH=596> |
---|
500 | <TR> |
---|
501 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
502 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
503 | </P> |
---|
504 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
505 | export http_proxy=http://yourproxyurl.com:8080</FONT></P> |
---|
506 | </TD> |
---|
507 | </TR> |
---|
508 | </TABLE> |
---|
509 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
510 | </P> |
---|
511 | <P CLASS="western" ALIGN=JUSTIFY>Run the bootstrap script. Make sure |
---|
512 | to use the correct version of python in your system path. Some |
---|
513 | systems may have multiple python versions installed:</P> |
---|
514 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
515 | <COL WIDTH=596> |
---|
516 | <TR> |
---|
517 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
518 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
519 | </P> |
---|
520 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
521 | python ez_setup.py</FONT></P> |
---|
522 | </TD> |
---|
523 | </TR> |
---|
524 | </TABLE> |
---|
525 | <P CLASS="western"><BR><BR> |
---|
526 | </P> |
---|
527 | <P CLASS="western">Once completed, you can delete <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ez_setup.py</SPAN></FONT>.</P> |
---|
528 | <H3 CLASS="western"><A NAME="4.2.2.NDG Security Packages|outline"></A> |
---|
529 | 4.2.2 NDG Security Packages</H3> |
---|
530 | <P CLASS="western" ALIGN=JUSTIFY>NDG security uses a wrapper to |
---|
531 | distutils <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">easy_install</SPAN></FONT> |
---|
532 | to enable custom installation steps to be correctly carried out. |
---|
533 | Download the script from the NDG distribution site. As with ez_setup.py, it is fetched over plain http and run as root, so verify its integrity before executing it:</P> |
---|
534 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
535 | <COL WIDTH=596> |
---|
536 | <TR> |
---|
537 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
538 | <P LANG="da-DK" STYLE="margin-bottom: 0cm"><BR> |
---|
539 | </P> |
---|
540 | <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
541 | wget http://ndg.nerc.ac.uk/dist/ndg-security-install.py</FONT></P> |
---|
542 | </TD> |
---|
543 | </TR> |
---|
544 | </TABLE> |
---|
545 | <P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
546 | </P> |
---|
547 | <P CLASS="western" ALIGN=JUSTIFY>Now carry out the installation of |
---|
548 | the NDG security python packages:</P> |
---|
549 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
550 | <COL WIDTH=596> |
---|
551 | <TR> |
---|
552 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
553 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
554 | </P> |
---|
555 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
556 | python ./ndg-security-install.py -a</FONT></P> |
---|
557 | </TD> |
---|
558 | </TR> |
---|
559 | </TABLE> |
---|
560 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
561 | </P> |
---|
562 | <P CLASS="western" ALIGN=JUSTIFY>The script options can be checked |
---|
563 | using the -h option. -a selects all packages for installation. |
---|
564 | If there are problems with the installation, see the Troubleshooting |
---|
565 | Guide in the Appendices section 5.6.</P> |
---|
566 | <H2 CLASS="western"><A NAME="4.3.NDG Web Services Configuration|outline"></A> |
---|
567 | 4.3 NDG Web Services Configuration</H2> |
---|
568 | <H3 CLASS="western"><A NAME="4.3.1.NDG Security System Configuration Files|outline"></A> |
---|
569 | 4.3.1 NDG Security System Configuration Files</H3> |
---|
570 | <P CLASS="western" ALIGN=JUSTIFY>Properties files set the |
---|
571 | configuration settings for NDG security <I>server side</I> settings. |
---|
572 | Templates for these are contained within the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> |
---|
573 | installed in your python distribution's site-packages directory. |
---|
574 | A future version of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-security-install.py</SPAN></FONT> |
---|
575 | script will extract these and install at a suitable location on the |
---|
576 | file system. For the moment though, this is a manual process.</P> |
---|
577 | <P CLASS="western" ALIGN=JUSTIFY>Create a configuration area under |
---|
578 | your servers <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc</SPAN></FONT> |
---|
579 | directory:</P> |
---|
580 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
581 | <COL WIDTH=596> |
---|
582 | <TR> |
---|
583 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
584 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
585 | </P> |
---|
586 | <P LANG="da-DK"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
587 | mkdir /etc/ndg<BR>$ mkdir /etc/ndg/security</FONT></P> |
---|
588 | </TD> |
---|
589 | </TR> |
---|
590 | </TABLE> |
---|
591 | <P LANG="da-DK" CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
592 | </P> |
---|
593 | <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/ndg/security</SPAN></FONT> |
---|
594 | is recognised by the Python security software by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR |
---|
595 | </SPAN></FONT>environment variable. This variable can be set in the |
---|
596 | environment of the user account used to run the security services or |
---|
597 | can be set in the init scripts used to automatically start up the |
---|
598 | services from server boot up (See sections 4.4.2, 4.4.3 and 4.5.5).</P> |
---|
599 | <P CLASS="western" ALIGN=JUSTIFY>Locate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg_security_server</SPAN></FONT> |
---|
600 | egg and copy its <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> |
---|
601 | directory into the configuration area. For example if you are using |
---|
602 | python installed in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local</SPAN></FONT> |
---|
603 | then the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> |
---|
604 | directory will be in:</P> |
---|
605 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
606 | <COL WIDTH=596> |
---|
607 | <TR> |
---|
608 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
609 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
610 | </P> |
---|
611 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/lib/python<python |
---|
612 | version num>/site-packages/ndg_security_server-<version |
---|
613 | info>.egg/ndg/security/server/conf</FONT></P> |
---|
614 | </TD> |
---|
615 | </TR> |
---|
616 | </TABLE> |
---|
617 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
618 | </P> |
---|
619 | <P CLASS="western" ALIGN=JUSTIFY>Copy as follows:</P> |
---|
620 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
621 | <COL WIDTH=596> |
---|
622 | <TR> |
---|
623 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
624 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
625 | </P> |
---|
626 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ cp |
---|
627 | /usr/local/lib/python<python version |
---|
628 | num>/site-packages/ndg_security_server-<version |
---|
629 | info>.egg/ndg/security/server/conf /etc/ndg/security</FONT></P> |
---|
630 | </TD> |
---|
631 | </TR> |
---|
632 | </TABLE> |
---|
633 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
634 | </P> |
---|
635 | <P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> |
---|
636 | directory will contain these important files:</P> |
---|
637 | <UL> |
---|
638 | <LI><P CLASS="western" ALIGN=JUSTIFY>Session Manager and Attribute |
---|
639 | Authority properties XML files</P> |
---|
640 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf</SPAN></FONT> |
---|
641 | – used by the Session Manager to configure client connections to |
---|
642 | MyProxy</P> |
---|
643 | <LI><P CLASS="western" ALIGN=JUSTIFY>Special <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT> |
---|
644 | configuration files loaded by the <I>Twisted</I> application server |
---|
645 | used to run Session Manager and Attribute Authority services</P> |
---|
646 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">certs/</SPAN></FONT> |
---|
647 | directory for storing X.509 certificates</P> |
---|
648 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT> |
---|
649 | for role mapping and other trust configuration parameters to enable |
---|
650 | the Attribute Authority to operate with other trusted organisations |
---|
651 | within NDG</P> |
---|
652 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attCertLog/</SPAN></FONT> |
---|
653 | directory for storing Attribute Certificates issued by the Attribute |
---|
654 | Authority.</P> |
---|
655 | <LI><P CLASS="western" ALIGN=JUSTIFY>Logging configuration files: |
---|
656 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg |
---|
657 | </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT></P> |
---|
658 | </UL> |
---|
659 | <P CLASS="western" ALIGN=JUSTIFY>The default location for log files |
---|
660 | set in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrLog.cfg</SPAN></FONT> |
---|
661 | and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityLog.cfg</SPAN></FONT> |
---|
662 | is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/log</SPAN></FONT>. |
---|
663 | Create this directory as follows:</P> |
---|
664 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
665 | <COL WIDTH=596> |
---|
666 | <TR> |
---|
667 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
668 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
669 | </P> |
---|
670 | <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
671 | mkdir /etc/ndg/security/log</FONT></P> |
---|
672 | </TD> |
---|
673 | </TR> |
---|
674 | </TABLE> |
---|
675 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
676 | </P> |
---|
677 | <P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to run |
---|
678 | security web services under any specified system account and group; use a dedicated unprivileged account rather than root. |
---|
679 | Ensure that this user owns <SPAN LANG="es-ES"><FONT FACE="Lucida Console">/etc/ndg/security</FONT> and that no other unprivileged account can read it, since this tree holds the services' private keys (the service itself only needs to write to the log and attCertLog directories), |
---|
680 | e.g.</SPAN></P> |
---|
681 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
682 | <COL WIDTH=596> |
---|
683 | <TR> |
---|
684 | <TD WIDTH=596 HEIGHT=46 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
685 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
686 | </P> |
---|
687 | <P LANG="es-ES"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
688 | chown -R ndg:ndggroup /etc/ndg/security<BR>$ chmod -R go-rwx /etc/ndg/security</FONT></P> |
---|
689 | </TD> |
---|
690 | </TR> |
---|
691 | </TABLE> |
---|
692 | <P LANG="es-ES" CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
693 | </P> |
---|
694 | <H3 CLASS="western"><A NAME="4.3.2. Certificate Generation|outline"></A> |
---|
695 | 4.3.2 Certificate Generation</H3> |
---|
696 | <P CLASS="western" ALIGN=JUSTIFY>The Session Manager and Attribute |
---|
697 | Authority web services require individual X.509 certificates as a |
---|
698 | means to identify them in the various interactions required for user |
---|
699 | registration, authentication and authorisation. These may be created |
---|
700 | by similar means to the host certificate creation.</P> |
---|
701 | <P CLASS="western" ALIGN=JUSTIFY>Change directory to |
---|
702 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs</SPAN></FONT>. |
---|
703 | The certificates will be stored here. Make a new private key and |
---|
704 | certificate request for the Session Manager:</P> |
---|
705 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
706 | <COL WIDTH=610> |
---|
707 | <TR> |
---|
708 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
709 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
710 | </P> |
---|
711 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
712 | openssl genrsa -out sm-key.pem 2048</FONT></P> |
---|
713 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
714 | chmod 400 sm-key.pem</FONT></P> |
---|
715 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
716 | openssl req -new -key sm-key.pem -out sm.csr</FONT></P> |
---|
717 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
718 | </P> |
---|
719 | </TD> |
---|
720 | </TR> |
---|
721 | </TABLE> |
---|
722 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
723 | </P> |
---|
724 | <P CLASS="western" ALIGN=JUSTIFY>The private key may be password |
---|
725 | protected if required by adding the -des3 option (or -aes256, which is preferable where your OpenSSL build supports it) to the genrsa |
---|
726 | command. Type in a password when prompted; the service will then need that password at start-up (see the keyPwd setting in the properties file). All command-line options use a plain ASCII hyphen. The req command will |
---|
727 | prompt you for the components of the Distinguished Name for the new |
---|
728 | certificate. When prompted for the Common Name, enter |
---|
729 | "SessionManager". The other fields can be set as required but by |
---|
730 | convention for NDG, the Organisation field has been set to NDG and |
---|
731 | the Organisation Unit to the individual data provider name e.g. BADC. |
---|
732 | All other fields have been omitted. You can skip individual fields |
---|
733 | by entering "." when prompted.</P> |
---|
734 | <P CLASS="western" ALIGN=JUSTIFY>Forward the request file to the |
---|
735 | appropriate CA. This could be your SimpleCA created for use with |
---|
736 | MyProxy – see MyProxy installation. The CA will issue a |
---|
737 | certificate file. Copy this file as |
---|
738 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs/sm-cert.pem</SPAN></FONT>.<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> |
---|
739 | </SPAN></FONT> The request<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"> |
---|
740 | </FONT>file can be deleted once a certificate has been obtained from |
---|
741 | the CA.</P> |
---|
742 | <P CLASS="western" ALIGN=JUSTIFY>Repeat this process for the |
---|
743 | Attribute Authority, selecting "AttributeAuthority" for the |
---|
744 | Common Name<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.</SPAN></FONT></P> |
---|
745 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
746 | <COL WIDTH=610> |
---|
747 | <TR> |
---|
748 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
749 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
750 | </P> |
---|
751 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
752 | openssl genrsa -out aa-key.pem 2048</FONT></P> |
---|
753 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
754 | chmod 400 aa-key.pem</FONT></P> |
---|
755 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
756 | openssl req -new -key aa-key.pem -out aa.csr</FONT></P> |
---|
757 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
758 | </P> |
---|
759 | </TD> |
---|
760 | </TR> |
---|
761 | </TABLE> |
---|
762 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
763 | </P> |
---|
764 | <P CLASS="western" ALIGN=JUSTIFY>It is recommended that the Session |
---|
765 | Manager is run over https to keep user login credentials secured. A |
---|
766 | server certificate and key will be required in addition to enable |
---|
767 | this. |
---|
768 | </P> |
---|
769 | <P CLASS="western" ALIGN=JUSTIFY>If required, a certificate could be |
---|
770 | issued from your SimpleCA. Follow the same procedure as used for the |
---|
771 | Session Manager and Attribute Authority above creating a private key |
---|
772 | and certificate request. The private key should be generated without |
---|
773 | a password so that the service can start unattended; protect it with file permissions instead (chmod 400, owned by the service account). When generating the certificate request ensure that the |
---|
774 | Common Name is set to the fully qualified name of the server host.</P> |
---|
775 | <P CLASS="western" ALIGN=JUSTIFY>Once available the certificate and |
---|
776 | private key can be added to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs |
---|
777 | <FONT FACE="Helvetica, sans-serif">directory and can be </FONT><FONT FACE="Helvetica, sans-serif">referenced |
---|
778 | by the Session Manager's properties file with the </FONT><FONT FACE="Lucida Console">sslCertFile</FONT><FONT FACE="Helvetica, sans-serif"> |
---|
779 | and </FONT><FONT FACE="Lucida Console">sslKeyFile</FONT><FONT FACE="Helvetica, sans-serif"> |
---|
780 | elements respectively.</FONT></SPAN></FONT></P> |
---|
781 | <P CLASS="western" ALIGN=JUSTIFY>A copy of the NDG Certificate |
---|
782 | Authority's X.509 certificate is also required. Obtain this from |
---|
783 | the NDG CA administrator and copy it into the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf/certs |
---|
784 | </SPAN></FONT>directory. Confirm its fingerprint with the administrator over an independent channel before installing it: this certificate is the trust anchor against which peer certificates, SSL connections and Attribute Certificates are verified, so a substituted CA certificate would let an attacker impersonate any partner service.</P> |
---|
785 | <P CLASS="western" STYLE="background: #cccccc">Note that all other |
---|
786 | trusted NDG partner organisations MUST have copies of your CA |
---|
787 | certificate. If they don't, partner organisations NDG Security |
---|
788 | infrastructures will reject requests from your security services. |
---|
789 | CA certificates are referenced in the Attribute Authority and Session |
---|
790 | Manager properties file settings <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2>sslCACertDir</FONT><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
791 | </FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif">and |
---|
792 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">caCertFileList</FONT></FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt">.</FONT></FONT><FONT SIZE=2><FONT FACE="Helvetica, sans-serif"> |
---|
793 | Configuration for Gatekeepers may also need to reference your CA |
---|
794 | certificate.</FONT></FONT></P> |
---|
795 | <H2 CLASS="western"><A NAME="4.4.Session Manager Configuration|outline"></A> |
---|
796 | 4.4 Session Manager Configuration</H2> |
---|
797 | <P CLASS="western" ALIGN=JUSTIFY>Configuration parameters may be set |
---|
798 | via a properties file. In addition, the Session Manager can |
---|
799 | optionally make use of a Credential Repository database. This |
---|
800 | enables the credentials that users acquire during a session to be |
---|
801 | stored so that they may be retrieved. When installed, the default |
---|
802 | configuration set in the Session Manager Properties file is to <I>not</I> |
---|
803 | use a Credential Repository. If this is the case, skip this |
---|
804 | section.</P> |
---|
805 | <H3 CLASS="western"><A NAME="_Ref156702859"></A><A NAME="4.4.1.Session Manager Credential Repository|outline"></A> |
---|
806 | 4.4.1 Session Manager Credential Repository</H3> |
---|
807 | <P CLASS="western" ALIGN=JUSTIFY>Create the Credential Repository |
---|
808 | database. In the example below a MySQL database is assumed. Notes |
---|
809 | on installing MySQL are given in the Appendices section 5.2. |
---|
810 | </P> |
---|
811 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
812 | <COL WIDTH=610> |
---|
813 | <TR> |
---|
814 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
815 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
816 | </P> |
---|
817 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
818 | mysql -u root -p</FONT></P> |
---|
819 | <P CLASS="western" ALIGN=JUSTIFY>mysql> create database |
---|
820 | ndgCredRepos;</P> |
---|
821 | <P><BR> |
---|
822 | </P> |
---|
823 | </TD> |
---|
824 | </TR> |
---|
825 | </TABLE> |
---|
826 | <P CLASS="western" ALIGN=JUSTIFY><BR>Use the script |
---|
827 | init-credrepos-db to create the tables. As the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> |
---|
828 | user, run the script. Enter the password for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT> |
---|
829 | account (or whichever database account you pass with the -u option; the example below uses root) when prompted and type <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">yes</SPAN></FONT> |
---|
830 | to confirm creation of the tables:</P> |
---|
831 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
832 | <COL WIDTH=610> |
---|
833 | <TR> |
---|
834 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
835 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
836 | </P> |
---|
837 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
838 | init-credrepos-db -u root</FONT></P> |
---|
839 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Database |
---|
840 | password:</FONT></P> |
---|
841 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Are |
---|
842 | you sure you want to initialise the database tables? (yes/no) yes</FONT></P> |
---|
843 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Tables |
---|
844 | created</FONT></P> |
---|
845 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
846 | </P> |
---|
847 | <P><BR> |
---|
848 | </P> |
---|
849 | </TD> |
---|
850 | </TR> |
---|
851 | </TABLE> |
---|
852 | <P CLASS="western" ALIGN=JUSTIFY><BR>To check that the tables have |
---|
853 | been created, restart the database client:</P> |
---|
854 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
855 | <COL WIDTH=610> |
---|
856 | <TR> |
---|
857 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
858 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
859 | </P> |
---|
860 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">$ |
---|
861 | mysql -u root -p -D ndgCredRepos</P> |
---|
862 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">mysql> |
---|
863 | show tables;</P> |
---|
864 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> |
---|
865 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| |
---|
866 | Tables_in_ndgCredRepos |</FONT></FONT></P> |
---|
867 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> |
---|
868 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| |
---|
869 | UserCredential |</FONT></FONT></P> |
---|
870 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">| |
---|
871 | UserID |</FONT></FONT></P> |
---|
872 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">+------------------------+</FONT></FONT></P> |
---|
873 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">2 |
---|
874 | rows in set (0.00 sec)</FONT></FONT></P> |
---|
875 | <P><BR> |
---|
876 | </P> |
---|
877 | </TD> |
---|
878 | </TR> |
---|
879 | </TABLE> |
---|
880 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
881 | </P> |
---|
882 | <P CLASS="western" ALIGN=JUSTIFY>A separate account should be created |
---|
883 | for the Session Manager to access the database. It should have |
---|
884 | sufficient permissions to be able to read and write records. For |
---|
885 | details of how to create an account in MySQL see the Appendices |
---|
886 | section 5.2.9.</P> |
---|
887 | <H3 CLASS="western"><A NAME="4.4.2.Session Manager Properties File Settings|outline"></A> |
---|
888 | 4.4.2 Session Manager Properties File Settings</H3> |
---|
889 | <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgrProperties.xml</SPAN></FONT> |
---|
890 | in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> |
---|
891 | and modify the default settings. Because this file can carry secrets (e.g. a private key password in keyPwd), keep it owned by the service account with no read access for other users:</P> |
---|
892 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
893 | <COL WIDTH=610> |
---|
894 | <TR> |
---|
895 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
896 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><?xml |
---|
897 | version="1.0" encoding="utf-8"?></FONT></FONT></P> |
---|
898 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrProp></FONT></FONT></P> |
---|
899 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><portNum></portNum></FONT></FONT></P> |
---|
900 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSSL>Yes</useSSL> |
---|
901 | <!-- leave blank to use http --></FONT></FONT></P> |
---|
902 | <P STYLE="margin-bottom: 0cm"> |
---|
903 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslCertFile>$NDGSEC_DIR/conf/certs/server-cert.pem</sslCertFile></FONT></FONT></P> |
---|
904 | <P STYLE="margin-bottom: 0cm"> |
---|
905 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile>$NDGSEC_DIR/conf/certs/server-key.pem |
---|
906 | </sslKeyFile></FONT></FONT></P> |
---|
907 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><!-- |
---|
908 | <BR> Directory containing CA cert.s to verify SSL peer cert |
---|
909 | against - ignored if useSSL is blank --><BR> |
---|
910 | <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir><BR> |
---|
911 | </FONT><!--</FONT></FONT></P> |
---|
912 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI |
---|
913 | settings for signature of outbound SOAP messages</FONT></FONT></P> |
---|
914 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
915 | <P STYLE="margin-bottom: 0cm"> |
---|
916 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler> |
---|
917 | <!-- leave blank for no signature --></FONT></FONT></P> |
---|
918 | <P STYLE="margin-bottom: 0cm"> |
---|
919 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><certFile>$NDGSEC_DIR/conf/certs/sm-cert.pem</certFile></FONT></FONT></P> |
---|
920 | <P STYLE="margin-bottom: 0cm"> |
---|
921 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyFile>$NDGSEC_DIR/conf/certs/sm-key.pem</keyFile></FONT></FONT></P> |
---|
922 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd></FONT></FONT></P> |
---|
923 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
924 | </FONT></FONT> |
---|
925 | </P> |
---|
926 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA |
---|
927 | Certificates used to verify X.509 certs used in peer SOAP |
---|
928 | messages,<BR> SSL connections and Attribute Certificates<BR> |
---|
929 | --><BR> <caCertFileList><BR> |
---|
930 | <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile><BR> |
---|
931 | </caCertFileList><BR></FONT> <!-- </FONT></FONT> |
---|
932 | </P> |
---|
933 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set |
---|
934 | the certificate used to verify the signature of messages from the </FONT></FONT> |
---|
935 | </P> |
---|
936 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client. |
---|
937 | This can usually be left blank since the client is expected to </FONT></FONT> |
---|
938 | </P> |
---|
939 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include |
---|
940 | the cert with the signature in the inbound SOAP message</FONT></FONT></P> |
---|
941 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
942 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><clntCertFile></clntCertFile> |
---|
943 | </FONT></FONT> |
---|
944 | </P> |
---|
945 | <P STYLE="margin-bottom: 0cm"> |
---|
946 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrEncrKey></sessMgrEncrKey></FONT></FONT></P> |
---|
947 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sessMgrURI></sessMgrURI></FONT></FONT></P> |
---|
948 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><cookieDomain></cookieDomain></FONT></FONT></P> |
---|
949 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><myProxyProp></FONT></FONT></P> |
---|
950 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
951 | </FONT></FONT> |
---|
952 | </P> |
---|
953 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete |
---|
954 | this element and take setting from MYPROXY_SERVER environment </FONT></FONT> |
---|
955 | </P> |
---|
956 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">variable |
---|
957 | if required</FONT></FONT></P> |
---|
958 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
959 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><hostname>ENTER |
---|
960 | THE FULLY QUALIFIED HOSTNAME OF THE SERVER</hostname></FONT></FONT></P> |
---|
961 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
962 | </FONT></FONT> |
---|
963 | </P> |
---|
964 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Delete |
---|
965 | this element to take default setting 7512 or read </FONT></FONT> |
---|
966 | </P> |
---|
967 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR">MYPROXY_SERVER_PORT |
---|
968 | setting</SPAN></FONT></FONT></P> |
---|
969 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
970 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> |
---|
971 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><port>7512</port></FONT></FONT></P> |
---|
972 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> |
---|
973 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Useful |
---|
974 | if hostname and certificate CN don't match correctly. Globus </FONT></FONT> |
---|
975 | </P> |
---|
976 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">host |
---|
977 | DN is set to "host/<fqdn>". Delete this element |
---|
978 | and set from </FONT></FONT> |
---|
979 | </P> |
---|
980 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">MYPROXY_SERVER_DN |
---|
981 | environment variable if preferred</FONT></FONT></P> |
---|
982 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><serverDN></serverDN></FONT></FONT></P> |
---|
983 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
984 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> |
---|
985 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set |
---|
986 | "host/" prefix to host cert CN as is default with globus</FONT></FONT></P> |
---|
987 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
988 | <P STYLE="margin-bottom: 0cm"> |
---|
989 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><serverCNprefix>host/</serverCNprefix> </FONT></FONT></P> |
---|
990 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> |
---|
991 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">This |
---|
992 | directory path is used to locate the OpenSSL configuration file</FONT></FONT></P> |
---|
993 | <P STYLE="margin-bottom: 0cm"> |
---|
994 | </P> |
---|
995 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">The |
---|
996 | settings are used to set up the defaults for the Distinguished |
---|
997 | Name of</FONT></FONT></P> |
---|
998 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">the |
---|
999 | new proxy cert. issued </FONT></FONT> |
---|
1000 | </P> |
---|
1001 | <P STYLE="margin-bottom: 0cm"> |
---|
1002 | </P> |
---|
1003 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">GLOBUS_LOCATION |
---|
1004 | or GRID_SECURITY_DIR environment variables may be used</FONT></FONT></P> |
---|
1005 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">but |
---|
1006 | the settings can be independent of any Globus installation</FONT></FONT></P> |
---|
1007 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><BR> |
---|
1008 | --></FONT></FONT></P> |
---|
1009 | <P STYLE="margin-bottom: 0cm"> |
---|
1010 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><openSSLConfFilePath>$NDGSEC_DIR/conf/openssl.conf</openSSLConfFilePath></FONT></FONT></P> |
---|
1011 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><tmpDir>/tmp</tmpDir></FONT></FONT></P> |
---|
1012 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1013 | </FONT></FONT> |
---|
1014 | </P> |
---|
1015 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1016 | Limit on maximum lifetime any proxy certificate can have |
---|
1017 | - </FONT></FONT> |
---|
1018 | </P> |
---|
1019 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1020 | specified when a certificate is first created by store() |
---|
1021 | method</FONT></FONT></P> |
---|
1022 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1023 | <P STYLE="margin-bottom: 0cm"> |
---|
1024 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><proxyCertMaxLifetime>24</proxyCertMaxLifetime> |
---|
1025 | <!-- in hours --></FONT></FONT></P> |
---|
1026 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1027 | </FONT></FONT> |
---|
1028 | </P> |
---|
1029 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1030 | Life time of a proxy certificate when issued from the |
---|
1031 | Proxy Server </FONT></FONT> |
---|
1032 | </P> |
---|
1033 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1034 | with getDelegation() method</FONT></FONT></P> |
---|
1035 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1036 | --></FONT></FONT></P> |
---|
1037 | <P STYLE="margin-bottom: 0cm"> |
---|
1038 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><proxyCertLifetime>8</proxyCertLifetime> |
---|
1039 | <!-- in hours --></FONT></FONT></P> |
---|
1040 | <P STYLE="margin-bottom: 0cm"> |
---|
1041 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="fr-FR"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile></SPAN></FONT></FONT></P> |
---|
1042 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </myProxyProp></FONT></FONT></P> |
---|
1043 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCACltProp> |
---|
1044 | </FONT></FONT> |
---|
1045 | </P> |
---|
1046 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1047 | <uri></uri></FONT></FONT></P> |
---|
1048 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> |
---|
1049 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigKeyFile></xmlSigKeyFile></FONT></FONT></P> |
---|
1050 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> |
---|
1051 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigCertFile></xmlSigCertFile></FONT></FONT></P> |
---|
1052 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> |
---|
1053 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><xmlSigCertPwd></xmlSigCertPwd></FONT></FONT></P> |
---|
1054 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></simpleCACltProp></FONT></FONT></P> |
---|
1055 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <!--</FONT></FONT></P> |
---|
1056 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> <simpleCASrvProp></FONT></FONT></P> |
---|
1057 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1058 | <certExpiryDate></certExpiryDate></FONT></FONT></P> |
---|
1059 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1060 | <certLifetimeDays></certLifetimeDays></FONT></FONT></P> |
---|
1061 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1062 | <certTmpDir></certTmpDir></FONT></FONT></P> |
---|
1063 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1064 | <caCertFile></caCertFile></FONT></FONT></P> |
---|
1065 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1066 | <signExe></signExe></FONT></FONT></P> |
---|
1067 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1068 | <path></path></FONT></FONT></P> |
---|
1069 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> </simpleCASrvProp></FONT></FONT></P> |
---|
1070 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> --></FONT></FONT></P> |
---|
1071 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><credReposProp></FONT></FONT></P> |
---|
1072 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1073 | <modFilePath></modFilePath></FONT></FONT></P> |
---|
1074 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1075 | <modName>ndg.security.common.CredWallet</modName></FONT></FONT></P> |
---|
1076 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1077 | <className>NullCredRepos</className></FONT></FONT></P> |
---|
1078 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"> |
---|
1079 | <propFile></propFile></FONT></FONT></P> |
---|
1080 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></credReposProp></FONT></FONT></P> |
---|
1081 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></sessMgrProp></FONT></FONT></P> |
---|
1082 | <P> |
---|
1083 | </P> |
---|
1084 | </TD> |
---|
1085 | </TR> |
---|
1086 | </TABLE> |
---|
1087 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1088 | </P> |
---|
1089 | <P CLASS="western" ALIGN=JUSTIFY><B>Notes</B></P> |
---|
1090 | <UL> |
---|
1091 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT FACE="Helvetica, sans-serif">The |
---|
1092 | property file reading software will expand any environment variables |
---|
1093 | included in the file. Because the file holds secrets such as the Session Manager encryption key and the XML signature certificate password, restrict its read permissions to the account the service runs under.</FONT></SPAN></FONT></P> |
---|
1094 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">openssl.conf<FONT FACE="Helvetica, sans-serif"> |
---|
1095 | file uses the standard OpenSSL configuration file format. It is |
---|
1096 | used by the Session Manager MyProxy client to formulate a |
---|
1097 | certificate request for a proxy certificate generated for a user's |
---|
1098 | session when they log in. An example is given below. The important |
---|
1099 | section to reference is </FONT>[ req_distinguished_name ]<FONT FACE="Helvetica, sans-serif">. Note that </FONT>default_md = md5<FONT FACE="Helvetica, sans-serif"> and </FONT>default_bits = 1024<FONT FACE="Helvetica, sans-serif"> in this example are legacy SSLeay defaults and should be raised (for example to </FONT>sha256<FONT FACE="Helvetica, sans-serif"> and 2048 bits) before the file is used in a deployment.</FONT></SPAN></FONT></P> |
---|
1100 | </UL> |
---|
1101 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1102 | </P> |
---|
1103 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1104 | <COL WIDTH=610> |
---|
1105 | <TR> |
---|
1106 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
1107 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P> |
---|
1108 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1109 | SSLeay example configuration file.</FONT></FONT></P> |
---|
1110 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1111 | This is mostly being used for generation of certificate requests.</FONT></FONT></P> |
---|
1112 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#</FONT></FONT></P> |
---|
1113 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1114 | </P> |
---|
1115 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE |
---|
1116 | = $ENV::HOME/.rnd</FONT></FONT></P> |
---|
1117 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1118 | </P> |
---|
1119 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> |
---|
1120 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1121 | ca ]</FONT></FONT></P> |
---|
1122 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_ca |
---|
1123 | = CA_default # The default ca section</FONT></FONT></P> |
---|
1124 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1125 | </P> |
---|
1126 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> |
---|
1127 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1128 | CA_default ]</FONT></FONT></P> |
---|
1129 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1130 | </P> |
---|
1131 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">dir |
---|
1132 | = ./demoCA # Where everything is kept</FONT></FONT></P> |
---|
1133 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certs |
---|
1134 | = $dir/certs # Where the issued certs are |
---|
1135 | kept</FONT></FONT></P> |
---|
1136 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl_dir |
---|
1137 | = $dir/crl # Where the issued crl are kept</FONT></FONT></P> |
---|
1138 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">database |
---|
1139 | = $dir/index.txt # database index file.</FONT></FONT></P> |
---|
1140 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">new_certs_dir |
---|
1141 | = $dir/newcerts # default place for new certs.</FONT></FONT></P> |
---|
1142 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1143 | </P> |
---|
1144 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">certificate |
---|
1145 | = $dir/cacert.pem # The CA certificate</FONT></FONT></P> |
---|
1146 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">serial |
---|
1147 | = $dir/serial # The current serial number</FONT></FONT></P> |
---|
1148 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">crl |
---|
1149 | = $dir/crl.pem # The current CRL</FONT></FONT></P> |
---|
1150 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">private_key |
---|
1151 | = $dir/private/cakey.pem# The private key</FONT></FONT></P> |
---|
1152 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">RANDFILE |
---|
1153 | = $dir/private/.rand # private random number file</FONT></FONT></P> |
---|
1154 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1155 | </P> |
---|
1156 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">x509_extensions |
---|
1157 | = x509v3_extensions # The extentions to add to the cert</FONT></FONT></P> |
---|
1158 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_days |
---|
1159 | = 365 # how long to certify for</FONT></FONT></P> |
---|
1160 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_crl_days= |
---|
1161 | 365 # DEE 30 # how long before next CRL</FONT></FONT></P> |
---|
1162 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_md |
---|
1163 | = md5 # which md to use.</FONT></FONT></P> |
---|
1164 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">preserve |
---|
1165 | = no # keep passed DN ordering</FONT></FONT></P> |
---|
1166 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1167 | </P> |
---|
1168 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1169 | A few difference way of specifying how similar the request should |
---|
1170 | look</FONT></FONT></P> |
---|
1171 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1172 | For type CA, the listed attributes must be the same, and the |
---|
1173 | optional</FONT></FONT></P> |
---|
1174 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1175 | and supplied fields are just that :-)</FONT></FONT></P> |
---|
1176 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">policy |
---|
1177 | = policy_match</FONT></FONT></P> |
---|
1178 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1179 | </P> |
---|
1180 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1181 | For the CA policy</FONT></FONT></P> |
---|
1182 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1183 | policy_match ]</FONT></FONT></P> |
---|
1184 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName |
---|
1185 | = optional</FONT></FONT></P> |
---|
1186 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName |
---|
1187 | = optional</FONT></FONT></P> |
---|
1188 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName |
---|
1189 | = match</FONT></FONT></P> |
---|
1190 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName |
---|
1191 | = optional</FONT></FONT></P> |
---|
1192 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName |
---|
1193 | = supplied</FONT></FONT></P> |
---|
1194 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress |
---|
1195 | = optional</FONT></FONT></P> |
---|
1196 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1197 | </P> |
---|
1198 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1199 | For the 'anything' policy</FONT></FONT></P> |
---|
1200 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1201 | At this point in time, you must list all acceptable 'object'</FONT></FONT></P> |
---|
1202 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1203 | types.</FONT></FONT></P> |
---|
1204 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1205 | policy_anything ]</FONT></FONT></P> |
---|
1206 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">countryName |
---|
1207 | = optional</FONT></FONT></P> |
---|
1208 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">stateOrProvinceName |
---|
1209 | = optional</FONT></FONT></P> |
---|
1210 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">localityName |
---|
1211 | = optional</FONT></FONT></P> |
---|
1212 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationName |
---|
1213 | = optional</FONT></FONT></P> |
---|
1214 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">organizationalUnitName |
---|
1215 | = optional</FONT></FONT></P> |
---|
1216 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName |
---|
1217 | = supplied</FONT></FONT></P> |
---|
1218 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">emailAddress |
---|
1219 | = optional</FONT></FONT></P> |
---|
1220 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1221 | </P> |
---|
1222 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">####################################################################</FONT></FONT></P> |
---|
1223 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1224 | req ]</FONT></FONT></P> |
---|
1225 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_bits |
---|
1226 | = 1024</FONT></FONT></P> |
---|
1227 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">default_keyfile |
---|
1228 | = privkey.pem</FONT></FONT></P> |
---|
1229 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">distinguished_name |
---|
1230 | = req_distinguished_name</FONT></FONT></P> |
---|
1231 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">req_extensions |
---|
1232 | = v3_req</FONT></FONT></P> |
---|
1233 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1234 | </P> |
---|
1235 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1236 | req_distinguished_name ]</FONT></FONT></P> |
---|
1237 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1238 | BEGIN CONFIG</FONT></FONT></P> |
---|
1239 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName |
---|
1240 | = Level 0 Organization</FONT></FONT></P> |
---|
1241 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationName_default |
---|
1242 | = NDG</FONT></FONT></P> |
---|
1243 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName |
---|
1244 | = Level 0 Organizational Unit</FONT></FONT></P> |
---|
1245 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">0.organizationalUnitName_default |
---|
1246 | = BADC</FONT></FONT></P> |
---|
1247 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName |
---|
1248 | = Level 1 Organizational Unit</FONT></FONT></P> |
---|
1249 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">#1.organizationalUnitName_default |
---|
1250 | = localdomain</FONT></FONT></P> |
---|
1251 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName |
---|
1252 | = Name (e.g., John M. Smith)</FONT></FONT></P> |
---|
1253 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">commonName_max |
---|
1254 | = 64</FONT></FONT></P> |
---|
1255 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"># |
---|
1256 | END CONFIG</FONT></FONT></P> |
---|
1257 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1258 | </P> |
---|
1259 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">[ |
---|
1260 | v3_req ]</FONT></FONT></P> |
---|
1261 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">nsCertType |
---|
1262 | = objsign,email,server,client</FONT></FONT></P> |
---|
1263 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">basicConstraints |
---|
1264 | = critical,CA:false</FONT></FONT></P> |
---|
1265 | <P><BR> |
---|
1266 | </P> |
---|
1267 | </TD> |
---|
1268 | </TR> |
---|
1269 | </TABLE> |
---|
1270 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1271 | </P> |
---|
1272 | <H3 CLASS="western"><A NAME="_Ref175134983"></A><A NAME="_Ref179772391"></A><A NAME="4.4.3.SysV-style Boot Script|outline"></A> |
---|
1273 | 4.4.3 SysV-style Boot Script</H3> |
---|
1274 | <P CLASS="western" ALIGN=JUSTIFY>The Session Manager can be |
---|
1275 | configured to start up at system boot of the host machine. A SysV |
---|
1276 | style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT> |
---|
1277 | is provided in the installation in:</P> |
---|
1278 | <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/lib/python</SPAN></FONT><python |
---|
1279 | version num><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/site-packages/ndg_security_server</SPAN></FONT>-<version |
---|
1280 | info><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.egg/ndg/security/server/share |
---|
1281 | </SPAN></FONT> |
---|
1282 | </P> |
---|
1283 | <P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P> |
---|
1284 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1285 | <COL WIDTH=602> |
---|
1286 | <TR> |
---|
1287 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
1288 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1289 | </P> |
---|
1290 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1291 | cp /usr/local/lib/python<python version |
---|
1292 | num>/site-packages/ndg_security_server-<version |
---|
1293 | info>.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> |
---|
1294 | /share/ndg-sm /etc/rc.d/init.d</SPAN></FONT></FONT></P> |
---|
1295 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ |
---|
1296 | chkconfig --add ndg-sm</SPAN></FONT></FONT></P> |
---|
1297 | <P><BR> |
---|
1298 | </P> |
---|
1299 | </TD> |
---|
1300 | </TR> |
---|
1301 | </TABLE> |
---|
1302 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1303 | </P> |
---|
1304 | <P CLASS="western" ALIGN=JUSTIFY>Edit the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-sm</SPAN></FONT> |
---|
1305 | so that it uses the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">NDGSEC_DIR</SPAN></FONT> |
---|
1306 | environment variable to point to the correct location of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">.tac</SPAN></FONT> |
---|
1307 | file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">conf/</SPAN></FONT> |
---|
1308 | directory. User and group ID settings can be made so that the service |
---|
1309 | runs under an account other than root. If this is used, ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR</SPAN></FONT> |
---|
1310 | is set with the permissions necessary to allow that account access. |
---|
1311 | </P> |
---|
1312 | <P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chkconfig</SPAN></FONT> |
---|
1313 | command may not be available on your target machine. Please refer to |
---|
1314 | instructions for your particular Linux distribution.</P> |
---|
1315 | <H2 CLASS="western"><A NAME="4.5.Attribute Authority Configuration|outline"></A> |
---|
1316 | 4.5 Attribute Authority Configuration</H2> |
---|
1317 | <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority also has a |
---|
1318 | properties file for the setting of configuration parameters.</P> |
---|
1319 | <H3 CLASS="western"><A NAME="4.5.1.Attribute Authority Properties File Settings|outline"></A> |
---|
1320 | 4.5.1 Attribute Authority Properties File Settings</H3> |
---|
1321 | <P CLASS="western" ALIGN=JUSTIFY>Edit <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> |
---|
1322 | in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> |
---|
1323 | and modify the default settings:</P> |
---|
1324 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1325 | <COL WIDTH=610> |
---|
1326 | <TR> |
---|
1327 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
1328 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1329 | </P> |
---|
1330 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><?xml |
---|
1331 | version="1.0" encoding="utf-8"?></FONT></FONT></P> |
---|
1332 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><AAprop></FONT></FONT></P> |
---|
1333 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1334 | </FONT></FONT> |
---|
1335 | </P> |
---|
1336 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">'name' |
---|
1337 | setting MUST agree with map config file 'thisHost' name attribute</FONT></FONT></P> |
---|
1338 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1339 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><name>Organisation |
---|
1340 | Identifier</name> </FONT></FONT> |
---|
1341 | </P> |
---|
1342 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><portNum>SELECT |
---|
1343 | A SUITABLE PORT NUMBER FOR RUNNING THE SERVICE</portNum></FONT></FONT></P> |
---|
1344 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!--</FONT></FONT></P> |
---|
1345 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI |
---|
1346 | settings for transport level encryption</FONT></FONT></P> |
---|
1347 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1348 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSSL></useSSL> |
---|
1349 | <!-- leave blank to use http; plain http is not recommended for deployment, since requests and the attribute certificates returned then travel unencrypted --></FONT></FONT></P> |
---|
1350 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslCertFile></sslCertFile></FONT></FONT></P> |
---|
1351 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyFile></sslKeyFile></FONT></FONT></P> |
---|
1352 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><sslKeyPwd></sslKeyPwd> <!-- held in clear text: restrict read access to this file --></FONT></FONT></P> |
---|
1353 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><!-- |
---|
1354 | <BR> Directory containing CA cert.s to verify SSL peer cert |
---|
1355 | against - ignored if useSSL is blank --><BR> |
---|
1356 | <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir><BR></FONT> |
---|
1357 | <!--</FONT></FONT></P> |
---|
1358 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">PKI |
---|
1359 | settings for signature of outbound SOAP messages</FONT></FONT></P> |
---|
1360 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1361 | <P STYLE="margin-bottom: 0cm"> |
---|
1362 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><useSignatureHandler>Yes</useSignatureHandler> |
---|
1363 | <!-- leave blank for no signature --></FONT></FONT></P> |
---|
1364 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1365 | </FONT></FONT> |
---|
1366 | </P> |
---|
1367 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><FONT FACE="Lucida Console, DejaVu Sans Mono, sans-serif">CA |
---|
1368 | Certificates used to verify X.509 certs used in peer SOAP |
---|
1369 | messages,<BR> SSL connections and Attribute Certificates<BR> |
---|
1370 | --><BR> <caCertFileList><BR> |
---|
1371 | <caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem</caCertFile><BR> |
---|
1372 | </caCertFileList><BR></FONT> |
---|
1373 | <keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem</keyFile></FONT></FONT></P> |
---|
1374 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><keyPwd></keyPwd> <!-- held in clear text: restrict read access to this file --></FONT></FONT></P> |
---|
1375 | <P STYLE="margin-bottom: 0cm"> |
---|
1376 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><caCertFile>$NDGSEC_DIR/conf/certs/cacert.pem |
---|
1377 | </caCertFile></FONT></FONT></P> |
---|
1378 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1379 | </FONT></FONT> |
---|
1380 | </P> |
---|
1381 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Set |
---|
1382 | the certificate used to verify the signature of messages from the </FONT></FONT> |
---|
1383 | </P> |
---|
1384 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">client. |
---|
1385 | This can usually be left blank since the client is expected to </FONT></FONT> |
---|
1386 | </P> |
---|
1387 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">include |
---|
1388 | the cert with the signature in the inbound SOAP message; that cert is verified against the caCertFileList above</FONT></FONT></P> |
---|
1389 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1390 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><clntCertFile></clntCertFile> |
---|
1391 | </FONT></FONT> |
---|
1392 | </P> |
---|
1393 | <P STYLE="margin-bottom: 0cm"> |
---|
1394 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertLifetime>86400</attCertLifetime> |
---|
1395 | <!-- Measured in seconds (86400 = 24 hours). A shorter lifetime limits how long a leaked certificate remains usable --></FONT></FONT></P> |
---|
1396 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1397 | </FONT></FONT> |
---|
1398 | </P> |
---|
1399 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Allow |
---|
1400 | an offset for clock skew between servers running </FONT></FONT> |
---|
1401 | </P> |
---|
1402 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">security |
---|
1403 | services. Use a negative value to set the notBefore time in the past; keep the offset to the minimum needed</FONT></FONT></P> |
---|
1404 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1405 | <P STYLE="margin-bottom: 0cm"> |
---|
1406 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertNotBeforeOff>0</attCertNotBeforeOff></FONT></FONT></P> |
---|
1407 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1408 | Location of role mapping file --></FONT></FONT></P> |
---|
1409 | <P STYLE="margin-bottom: 0cm"> |
---|
1410 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><mapConfigFile>$NDGSEC_DIR/conf/mapConfig.xml</mapConfigFile></FONT></FONT></P> |
---|
1411 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1412 | All Attribute Certificates issued are recorded in this dir --></FONT></FONT></P> |
---|
1413 | <P STYLE="margin-bottom: 0cm"> |
---|
1414 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertDir>$NDGSEC_DIR/conf/attCertLog</attCertDir></FONT></FONT></P> |
---|
1415 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1416 | </FONT></FONT> |
---|
1417 | </P> |
---|
1418 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Files |
---|
1419 | in attCertDir are stored using a rotating file handler</FONT></FONT></P> |
---|
1420 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">attCertFileLogCnt |
---|
1421 | sets the max number of files created before the first is</FONT></FONT></P> |
---|
1422 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">overwritten</FONT></FONT></P> |
---|
1423 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1424 | <P STYLE="margin-bottom: 0cm"> |
---|
1425 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFileName>ac.xml</attCertFileName></FONT></FONT></P> |
---|
1426 | <P STYLE="margin-bottom: 0cm"> |
---|
1427 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><attCertFileLogCnt>1024</attCertFileLogCnt></FONT></FONT></P> |
---|
1428 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><dnSeparator>/</dnSeparator></FONT></FONT></P> |
---|
1429 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><!-- |
---|
1430 | </FONT></FONT> |
---|
1431 | </P> |
---|
1432 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">Settings |
---|
1433 | for custom AAUserRoles derived class to get user roles for</FONT></FONT></P> |
---|
1434 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">given |
---|
1435 | user ID. This module is imported and executed by the Attribute Authority, so it and its directory must not be writable by other users</FONT></FONT></P> |
---|
1436 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt">--></FONT></FONT></P> |
---|
1437 | <P STYLE="margin-bottom: 0cm"> |
---|
1438 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModFilePath>$NDGSEC_DIR/conf</userRolesModFilePath></FONT></FONT></P> |
---|
1439 | <P STYLE="margin-bottom: 0cm"> |
---|
1440 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesModName>userRoles</userRolesModName></FONT></FONT></P> |
---|
1441 | <P STYLE="margin-bottom: 0cm"> |
---|
1442 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesClassName>UserRoles</userRolesClassName></FONT></FONT></P> |
---|
1443 | <P STYLE="margin-bottom: 0cm"> |
---|
1444 | <FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><userRolesPropFile>$NDGSEC_DIR/conf/userRoles.cfg</userRolesPropFile></FONT></FONT></P> |
---|
1445 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2 STYLE="font-size: 9pt"></AAprop></FONT></FONT></P> |
---|
1446 | <P> |
---|
1447 | </P> |
---|
1448 | </TD> |
---|
1449 | </TR> |
---|
1450 | </TABLE> |
---|
1451 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1452 | </P> |
---|
1453 | <H3 CLASS="western"><A NAME="4.5.2.User Roles Interface|outline"></A>4.5.2 |
---|
1454 | User Roles Interface</H3> |
---|
1455 | <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority given a |
---|
1456 | valid user proxy certificate serves an attribute certificate |
---|
1457 | containing authorisation roles for that user. It is for the data |
---|
1458 | centre to determine how these roles map to the user's identity, as |
---|
1459 | given by the Distinguished Name in the proxy certificate. |
---|
1460 | Typically, a data centre might have a user database which relates |
---|
1461 | user id to authorisation roles.</P> |
---|
1462 | <P CLASS="western" ALIGN=JUSTIFY>The Attribute Authority provides a |
---|
1463 | programmatic interface to determine the roles to user id |
---|
1464 | relationship. A custom python class may be written to perform this |
---|
1465 | task. See the Appendices section 5.5.</P> |
---|
1466 | <H3 CLASS="western"><A NAME="4.5.3.Role Mapping|outline"></A>4.5.3 |
---|
1467 | Role Mapping</H3> |
---|
1468 | <P CLASS="western" ALIGN=JUSTIFY>The role mapping file is stored in |
---|
1469 | the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$NDGSEC_DIR/conf</SPAN></FONT> |
---|
1470 | directory as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mapConfig.xml</SPAN></FONT>. |
---|
1471 | This is an XML file which relates local roles at the target data |
---|
1472 | centre to roles of other trusted data centres. These role mappings |
---|
1473 | are made by agreement between data centres.</P> |
---|
1474 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1475 | <COL WIDTH=610> |
---|
1476 | <TR> |
---|
1477 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
1478 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1479 | </P> |
---|
1480 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><?xml |
---|
1481 | version="1.0" encoding="utf-8"?></FONT></P> |
---|
1482 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><AAmap></FONT></P> |
---|
1483 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><thisHost |
---|
1484 | name="yourSiteIdentifier"></FONT></P> |
---|
1485 | <P STYLE="margin-bottom: 0cm"> |
---|
1486 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>yourSiteAttAuthorityURI</aaURI></FONT></P> |
---|
1487 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the |
---|
1488 | DN for the Attribute Authority’s X.509 Cert.</aaDN></FONT></P> |
---|
1489 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>Your |
---|
1490 | Site Login Page URI (https expected)</loginURI></FONT></P> |
---|
1491 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The |
---|
1492 | DN of loginURI’s SSL cert.</loginServerDN></FONT></P> |
---|
1493 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P> |
---|
1494 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1495 | cert. DN for SSL server making a request to loginURI</FONT></P> |
---|
1496 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P> |
---|
1497 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></thisHost></FONT></P> |
---|
1498 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted |
---|
1499 | name="BODC"></FONT></P> |
---|
1500 | <P STYLE="margin-bottom: 0cm"> |
---|
1501 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>bodcAttAuthorityURI</aaURI></FONT></P> |
---|
1502 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the |
---|
1503 | DN for the Attribute Authority’s X.509 Cert.</aaDN></FONT></P> |
---|
1504 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>BODC’s |
---|
1505 | Login Page URI</loginURI></FONT></P> |
---|
1506 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The |
---|
1507 | DN of loginURI’s SSL cert.</loginServerDN></FONT></P> |
---|
1508 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P> |
---|
1509 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1510 | cert. DN for SSL server making a request to loginURI</FONT></P> |
---|
1511 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P> |
---|
1512 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role |
---|
1513 | remote="aBODCrole" local="aLocalRole"/></FONT></P> |
---|
1514 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P> |
---|
1515 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted |
---|
1516 | name="NOCS"></FONT></P> |
---|
1517 | <P STYLE="margin-bottom: 0cm"> |
---|
1518 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>nocsAttAuthorityURI</aaURI></FONT></P> |
---|
1519 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the |
---|
1520 | DN for the Attribute Authority’s X.509 Cert.</aaDN></FONT></P> |
---|
1521 | <P STYLE="margin-bottom: 0cm"> |
---|
1522 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>nocsLoginPageURI</loginURI></FONT></P> |
---|
1523 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The |
---|
1524 | DN of loginURI’s SSL cert.</loginServerDN></FONT></P> |
---|
1525 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P> |
---|
1526 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1527 | cert. DN for SSL server making a request to loginURI</FONT></P> |
---|
1528 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P> |
---|
1529 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role |
---|
1530 | remote="aNOCSrole" local="anotherLocalRole"/></FONT></P> |
---|
1531 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P> |
---|
1532 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><trusted |
---|
1533 | name="NEODAAS"></FONT></P> |
---|
1534 | <P STYLE="margin-bottom: 0cm"> |
---|
1535 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaURI>neodaasAttAuthorityURI</aaURI></FONT></P> |
---|
1536 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><aaDN>the |
---|
1537 | DN for the Attribute Authority’s X.509 Cert.</aaDN></FONT></P> |
---|
1538 | <P STYLE="margin-bottom: 0cm"> |
---|
1539 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginURI>neodaasLoginPageURI</loginURI></FONT></P> |
---|
1540 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginServerDN>The |
---|
1541 | DN of loginURI’s SSL cert.</loginServerDN></FONT></P> |
---|
1542 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><loginRequestServerDN></FONT></P> |
---|
1543 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1544 | cert. DN for SSL server making a request to loginURI</FONT></P> |
---|
1545 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></loginRequestServerDN></FONT></P> |
---|
1546 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><role |
---|
1547 | remote="neodaasRole" local="yetAnotherLocalRole"/></FONT></P> |
---|
1548 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></trusted></FONT></P> |
---|
1549 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"></AAmap></FONT></P> |
---|
1550 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1551 | </P> |
---|
1552 | <P><BR> |
---|
1553 | </P> |
---|
1554 | </TD> |
---|
1555 | </TR> |
---|
1556 | </TABLE> |
---|
1557 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1558 | </P> |
---|
1559 | <P CLASS="western" ALIGN=JUSTIFY>The map file contains an entry for |
---|
1560 | each site that the Attribute Authority trusts. These are listed |
---|
1561 | using the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">trusted</SPAN></FONT> |
---|
1562 | element name. The Attribute Authority identifies itself with the |
---|
1563 | similar <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> |
---|
1564 | element. Each uses a name attribute to uniquely identify the |
---|
1565 | organisation. The example above shows a BADC map file which trusts |
---|
1566 | the organisations BODC, NOCS and NEODAAS.</P> |
---|
1567 | <P CLASS="western" ALIGN=JUSTIFY>Note that the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost |
---|
1568 | name </SPAN></FONT>attribute should match the name element in the |
---|
1569 | corresponding <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthorityProperties.xml</SPAN></FONT> |
---|
1570 | file. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">name</SPAN></FONT> |
---|
1571 | is copied as the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">issuerName</SPAN></FONT> |
---|
1572 | used in Attribute Certificates issued by the Attribute Authority.</P> |
---|
1573 | <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> |
---|
1574 | and trusted elements share all the same sub-elements barring role. |
---|
1575 | </P> |
---|
1576 | <UL> |
---|
1577 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaURI</SPAN></FONT> |
---|
1578 | – this is the address of the Attribute Authority</P> |
---|
1579 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">aaDN</SPAN></FONT> |
---|
1580 | – the Distinguished Name of the Attribute Authority’s X.509 |
---|
1581 | certificate (not currently used; note that peer Attribute Authority certificates are therefore validated only against the CA certificates configured in attAuthorityProperties.xml, with no per-site DN check)</P> |
---|
1582 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginURI</SPAN></FONT> |
---|
1583 | – the address of the Login Service |
---|
1584 | </P> |
---|
1585 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginServerDN</SPAN></FONT> |
---|
1586 | – the Distinguished Name of the X.509 certificate held by the |
---|
1587 | Login Service for SSL connections. It is expected that the Login |
---|
1588 | Service is run over https to protect the privacy of login |
---|
1589 | credentials. This field is not currently used.</P> |
---|
1590 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT> |
---|
1591 | – on request for secured credentials a service provider enables |
---|
1592 | the user to redirect to their chosen Login Service at another |
---|
1593 | trusted site. Then, on successful authentication, the Login Service |
---|
1594 | can return the user back to the service provider to enable them to |
---|
1595 | continue with their request. This return to address must be over |
---|
1596 | https to enable credentials to be encrypted for the transit but also |
---|
1597 | to validate service provider host making the request. The Login |
---|
1598 | Service carries this out by checking the SSL certificate of the |
---|
1599 | service provider host and checking its Distinguished Name against |
---|
1600 | the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">loginRequestServerDN</SPAN></FONT> |
---|
1601 | entries for the organisations it trusts. This check is only meaningful when the service provider's certificate is also verified against a trusted CA (see the sslCACertDir setting); a Distinguished Name alone can be placed in any self-signed certificate.</P> |
---|
1602 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">role</SPAN></FONT> |
---|
1603 | – this element is used to express an individual role mapping. The |
---|
1604 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">local</SPAN></FONT> |
---|
1605 | attribute refers to a role <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">thisHost</SPAN></FONT> |
---|
1606 | supports. The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">remote</SPAN></FONT> |
---|
1607 | attribute is assigned to the role of the trusted organisation it |
---|
1608 | maps to. It is possible to have multiple role entries. One local |
---|
1609 | role may map to many remote roles and vice versa: one remote role |
---|
1610 | may map to many local roles.</P> |
---|
1611 | </UL> |
---|
1612 | <H3 CLASS="western"><A NAME="4.5.4.Twisted Python server .tac file|outline"></A> |
---|
1613 | 4.5.4 Twisted Python server .tac file</H3> |
---|
1614 | <P CLASS="western" ALIGN=JUSTIFY>Copy this from the |
---|
1615 | ndg_security_server to the NDG security conf/ area:</P> |
---|
1616 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1617 | <COL WIDTH=602> |
---|
1618 | <TR> |
---|
1619 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
1620 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1621 | </P> |
---|
1622 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1623 | cp /usr/local/lib/python<python version |
---|
1624 | num>/site-packages/ndg_security_server-<version |
---|
1625 | info>.egg/ndg/security/server/server-config.tac<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> |
---|
1626 | $NDGSEC_DIR/conf</SPAN></FONT></FONT></P> |
---|
1627 | <P><BR> |
---|
1628 | </P> |
---|
1629 | </TD> |
---|
1630 | </TR> |
---|
1631 | </TABLE> |
---|
1632 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1633 | </P> |
---|
1634 | <H3 CLASS="western"><A NAME="_Ref179772414"></A><A NAME="4.5.5.SysV-style Boot Script|outline"></A> |
---|
1635 | 4.5.5 SysV-style Boot Script</H3> |
---|
1636 | <P CLASS="western" ALIGN=JUSTIFY>As with the Session Manager, the |
---|
1637 | Attribute Authority can be configured to start up at system boot of |
---|
1638 | the host machine. A SysV style start up script <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg-aa</SPAN></FONT> |
---|
1639 | is provided in the installation in:</P> |
---|
1640 | <P CLASS="western" ALIGN=JUSTIFY>/usr/local/lib/python<python |
---|
1641 | version num>/site-packages/ndg_security_server-<version |
---|
1642 | info>.egg/ndg/security/server/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">share</SPAN></FONT> |
---|
1643 | |
---|
1644 | </P> |
---|
1645 | <P CLASS="western" ALIGN=JUSTIFY>To configure, install this file:</P> |
---|
1646 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1647 | <COL WIDTH=602> |
---|
1648 | <TR> |
---|
1649 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
1650 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1651 | </P> |
---|
1652 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1653 | cp /usr/local/lib/python<python version |
---|
1654 | num>/site-packages/ndg_security_server-<version |
---|
1655 | info>.egg/ndg/security/server<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"> |
---|
1656 | /share/ndg-aa /etc/rc.d/init.d</SPAN></FONT></FONT></P> |
---|
1657 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ |
---|
1658 | chkconfig --add ndg-aa</SPAN></FONT></FONT></P> |
---|
1659 | <P><BR> |
---|
1660 | </P> |
---|
1661 | </TD> |
---|
1662 | </TR> |
---|
1663 | </TABLE> |
---|
1664 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1665 | </P> |
---|
1666 | <P CLASS="western" ALIGN=JUSTIFY>Edit the ndg-aa so that it uses the |
---|
1667 | NDGSEC_DIR environment variable to point to the correct location of |
---|
1668 | the .tac file in the conf/ directory. User and group ID settings can |
---|
1669 | be made to run the service under an alternative account to root, which is recommended. If used, ensure |
---|
1670 | that $NDGSEC_DIR (in particular conf/, which holds the private keys and any key passwords) is |
---|
1671 | readable by that account and not readable by other users. |
---|
1672 | </P> |
---|
1673 | <P CLASS="western" ALIGN=JUSTIFY>If required, add any additional |
---|
1674 | environment settings required to connect to a user database. Any database credentials placed in this script are held in clear text, so restrict its read permissions accordingly.</P> |
---|
1675 | <H2 CLASS="western"><A NAME="4.6.Python Unit Tests|outline"></A>4.6 |
---|
1676 | Python Unit Tests</H2> |
---|
1677 | <P CLASS="western" ALIGN=JUSTIFY>Python unit test scripts are |
---|
1678 | provided to enable the system to be checked to confirm that it is |
---|
1679 | running correctly. These are located in the ndg_security_test egg |
---|
1680 | in the site-packages/ directory of the python installation.</P> |
---|
1681 | <P CLASS="western" ALIGN=JUSTIFY><todo: ></P> |
---|
1682 | <H2 CLASS="western"><A NAME="4.7. MyProxy|outline"></A>4.7 MyProxy</H2> |
---|
1683 | <H3 CLASS="western"><A NAME="4.7.1. MyProxy and NDG Security Background|outline"></A> |
---|
1684 | 4.7.1 MyProxy and NDG Security Background</H3> |
---|
1685 | <P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy |
---|
1686 | from the Globus toolkit to enable the use of individual user X.509 |
---|
1687 | certificates to secure messages in transactions. For example, to |
---|
1688 | request an Attribute Certificate from an Attribute Authority the |
---|
1689 | request can be signed using the user's certificate to enable the |
---|
1690 | Attribute Authority to authenticate it.</P> |
---|
1691 | <P CLASS="western" ALIGN=JUSTIFY>MyProxy is flexible and can be |
---|
1692 | configured to run in a number of different modes or combination of |
---|
1693 | modes:</P> |
---|
1694 | <OL> |
---|
1695 | <LI><P CLASS="western" ALIGN=JUSTIFY>users can upload a proxy to |
---|
1696 | their personal user certificate for storage in the MyProxy |
---|
1697 | repository for later use in delegation |
---|
1698 | </P> |
---|
1699 | <LI><P CLASS="western" ALIGN=JUSTIFY>Personal user certificates |
---|
1700 | issued by a CA can be stored in the repository.</P> |
---|
1701 | <LI><P CLASS="western" ALIGN=JUSTIFY>MyProxy can be run with the |
---|
1702 | Globus SimpleCA package issuing certificates dynamically based on a |
---|
1703 | callout to some external authentication system. MyProxy has basic |
---|
1704 | support for PAM (Pluggable Authentication Module) and SASL (<SPAN STYLE="font-style: normal">Simple |
---|
1705 | Authentication and Security Layer).</SPAN></P> |
---|
1706 | </OL> |
---|
1707 | <P CLASS="western" ALIGN=JUSTIFY>Mode 3) is the preferred mode for NDG |
---|
1708 | deployments as typically NDG partners have existing user databases |
---|
1709 | against which their users authenticate. MyProxy can be configured |
---|
1710 | to query the database with username/password via PAM/SASL. |
---|
1711 | </P> |
---|
1712 | <P CLASS="western" ALIGN=JUSTIFY>MyProxy runs as a service |
---|
1713 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> |
---|
1714 | on its host machine and user credentials are held in a directory on |
---|
1715 | the file system. It is important to secure the host, and in particular to restrict access to that directory to the account running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>, to ensure the |
---|
1716 | stored credentials are not compromised. |
---|
1717 | </P> |
---|
1718 | <H3 CLASS="western"><A NAME="4.7.2. MyProxy user account and the repository location considerations|outline"></A> |
---|
1719 | 4.7.2 MyProxy user account and the repository location considerations</H3> |
---|
1720 | <P CLASS="western" ALIGN=JUSTIFY>MyProxy may be installed as root or |
---|
1721 | under a separate user account. The latter provides an extra degree |
---|
1722 | of security, but for use with PAM, MyProxy must be installed and |
---|
1723 | run as root. Note that the MyProxy repository will be in a standard |
---|
1724 | location: |
---|
1725 | </P> |
---|
1726 | <UL> |
---|
1727 | <LI><P CLASS="western" ALIGN=JUSTIFY>If MyProxy is installed as |
---|
1728 | root, this is <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/var/myproxy</SPAN></FONT>. |
---|
1729 | |
---|
1730 | </P> |
---|
1731 | <LI><P CLASS="western" ALIGN=JUSTIFY>If installed under an |
---|
1732 | alternative user account, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/var/myproxy</SPAN></FONT>. |
---|
1733 | |
---|
1734 | </P> |
---|
1735 | </UL> |
---|
1736 | <P CLASS="western" ALIGN=JUSTIFY>When run in mode 3) the repository |
---|
1737 | is not used since all credentials are generated dynamically on a |
---|
1738 | successful MyProxy logon request. It is possible to explicitly define |
---|
1739 | an alternate location but this can only be done by providing a |
---|
1740 | command line argument to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT>. |
---|
1741 | Note that command-line arguments are visible to every user of the host |
---|
1742 | machine in the output of <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT>. |
---|
1743 | This can be avoided by running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> |
---|
1744 | under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT> |
---|
1745 | (see 4.7.10.1).</P> |
---|
1746 | <P CLASS="western" ALIGN=LEFT>This guide assumes installation as |
---|
1747 | root. |
---|
1748 | </P> |
---|
1749 | <H3 CLASS="western"><A NAME="4.7.3. Installation|outline"></A>4.7.3 |
---|
1750 | Installation</H3> |
---|
1751 | <P CLASS="western">MyProxy is available with Globus. Version 4.0.5 |
---|
1752 | distribution is recommended for use with the NDG Security software. |
---|
1753 | <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">C and C++ |
---|
1754 | development packages are needed for the build.</SPAN></FONT></P> |
---|
1755 | <H4 CLASS="western">4.7.3.1 PAM Dependencies</H4> |
---|
1756 | <P CLASS="western">A binary version is available but it is |
---|
1757 | recommended to build and install from the source code to include PAM |
---|
1758 | dependencies (<A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A>). |
---|
1759 | To check, there should be a <CODE><FONT FACE="Helvetica, sans-serif">pam_appl.h |
---|
1760 | header file either in /usr/include/security or /usr/include/pam.</FONT></CODE></P> |
---|
1761 | <P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">If they |
---|
1762 | are not present, they can be installed with the PAM development |
---|
1763 | package for your Linux distribution &ndash; e.g. pam-devel (Red Hat) or |
---|
1764 | libpam*-dev (Debian based).</FONT></CODE></P> |
---|
1765 | <P CLASS="western"><CODE><FONT FACE="Helvetica, sans-serif">Due to a |
---|
1766 | limitation in PAM, MyProxy must be built and installed under the |
---|
1767 | system root account.</FONT></CODE></P> |
---|
1768 | <H4 CLASS="western">4.7.3.2<CODE><FONT FACE="Helvetica, sans-serif"> |
---|
1769 | Build</FONT></CODE></H4> |
---|
1770 | <P CLASS="western"><FONT FACE="Helvetica, sans-serif">The code |
---|
1771 | can be downloaded from <A HREF="http://www.globus.org/toolkit/downloads/4.0.5/">http://www.globus.org/toolkit/downloads/4.0.5</A>. Before building, verify the downloaded tarball against the checksum or signature published on the download page, since the build is run as root.</FONT></P> |
---|
1772 | <P CLASS="western" ALIGN=JUSTIFY>Note that it is possible to set a |
---|
1773 | target for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">make |
---|
1774 | </SPAN></FONT>so that only the MyProxy components of Globus are |
---|
1775 | built. Click on the link for the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer</FONT> |
---|
1776 | tarball. Extract the files and change to the |
---|
1777 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">gt4.0.5-all-source-installer/</FONT> |
---|
1778 | directory created.</P> |
---|
1779 | <P CLASS="western" ALIGN=JUSTIFY>Configure the build settings. The |
---|
1780 | default installation location is /usr/local/globus-4.0.5. Use the |
---|
1781 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">--prefix=&lt;dir path&gt;</FONT> command line option to specify an |
---|
1782 | alternative location for the installation.</P> |
---|
1783 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1784 | <COL WIDTH=596> |
---|
1785 | <TR> |
---|
1786 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
1787 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1788 | </P> |
---|
1789 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1790 | ./configure </FONT> |
---|
1791 | </P> |
---|
1792 | <P><BR> |
---|
1793 | </P> |
---|
1794 | </TD> |
---|
1795 | </TR> |
---|
1796 | </TABLE> |
---|
1797 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
1798 | </P> |
---|
1799 | <P CLASS="western" ALIGN=JUSTIFY>Compile and install MyProxy:</P> |
---|
1800 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1801 | <COL WIDTH=596> |
---|
1802 | <TR> |
---|
1803 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
1804 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1805 | </P> |
---|
1806 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1807 | make gsi-myproxy postinstall</FONT></P> |
---|
1808 | <P><BR> |
---|
1809 | </P> |
---|
1810 | </TD> |
---|
1811 | </TR> |
---|
1812 | </TABLE> |
---|
1813 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1814 | </P> |
---|
1815 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">When |
---|
1816 | running</SPAN></FONT> ./configure <FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">you |
---|
1817 | may see an error if the </SPAN></FONT>JAVA_HOME<FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB"> |
---|
1818 | environment variable is not set. This can be ignored because Java is |
---|
1819 | not required for the MyProxy build.</SPAN></FONT></FONT></P> |
---|
1820 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"> |
---|
1821 | </P> |
---|
1822 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If |
---|
1823 | you encounter errors with the build you can troubleshoot by checking |
---|
1824 | config.log in the BUILD/globus_core-* or source-trees/core/source |
---|
1825 | directories.</SPAN></FONT></P> |
---|
1826 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> |
---|
1827 | </P> |
---|
1828 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">Verify |
---|
1829 | myproxy has built with PAM support by running the command:</SPAN></FONT></P> |
---|
1830 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> |
---|
1831 | </P> |
---|
1832 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> |
---|
1833 | </P> |
---|
1834 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1835 | <COL WIDTH=596> |
---|
1836 | <TR> |
---|
1837 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
1838 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1839 | </P> |
---|
1840 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1841 | /usr/local/globus-4.0.5/sbin/myproxy-server -V</FONT></P> |
---|
1842 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server |
---|
1843 | version MYPROXYv2 (v3.7 12 Dec 2006 PAM)</FONT></P> |
---|
1844 | <P><BR> |
---|
1845 | </P> |
---|
1846 | </TD> |
---|
1847 | </TR> |
---|
1848 | </TABLE> |
---|
1849 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> |
---|
1850 | </P> |
---|
1851 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Helvetica, sans-serif"><SPAN LANG="en-GB">If |
---|
1852 | 'PAM' is included in the output as above then the executable has |
---|
1853 | built correctly to include PAM support.</SPAN></FONT></P> |
---|
1854 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><BR> |
---|
1855 | </P> |
---|
1856 | <H3 CLASS="western"><A NAME="4.7.4. SimpleCA Installation|outline"></A> |
---|
1857 | 4.7.4 SimpleCA Installation</H3> |
---|
1858 | <P CLASS="western" ALIGN=JUSTIFY>Reference: |
---|
1859 | </P> |
---|
1860 | <P CLASS="western" ALIGN=JUSTIFY><A HREF="http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing">http://www-unix.globus.org/toolkit/docs/4.0/security/simpleca/admin-index.html#s-simpleca-admin-installing</A></P> |
---|
1861 | <P CLASS="western" ALIGN=JUSTIFY>The SimpleCA can be set up under a |
---|
1862 | dedicated user account, but this user must have read/write permissions |
---|
1863 | to the Globus MyProxy installation location. For simplicity, this |
---|
1864 | guide assumes installation of MyProxy and the SimpleCA under root. Whichever account is used, the CA private key generated below is the root of trust for every certificate MyProxy issues, so it must be readable only by that account.</P> |
---|
1865 | <P CLASS="western" ALIGN=JUSTIFY>To install first initialise the |
---|
1866 | environment settings (These may be added to the appropriate start-up |
---|
1867 | file e.g. .bashrc):</P> |
---|
1868 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1869 | <COL WIDTH=596> |
---|
1870 | <TR> |
---|
1871 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
1872 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> |
---|
1873 | </P> |
---|
1874 | <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1875 | export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export |
---|
1876 | GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . |
---|
1877 | $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> |
---|
1878 | </TD> |
---|
1879 | </TR> |
---|
1880 | </TABLE> |
---|
1881 | <P><BR><BR> |
---|
1882 | </P> |
---|
1883 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Installation |
---|
1884 | script:</FONT></P> |
---|
1885 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1886 | <COL WIDTH=596> |
---|
1887 | <TR> |
---|
1888 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
1889 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> |
---|
1890 | </P> |
---|
1891 | <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1892 | $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P> |
---|
1893 | </TD> |
---|
1894 | </TR> |
---|
1895 | </TABLE> |
---|
1896 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
1897 | </P> |
---|
1898 | <P CLASS="western" ALIGN=LEFT>You will be prompted for the following |
---|
1899 | information:</P> |
---|
1900 | <OL> |
---|
1901 | <LI><P CLASS="western" ALIGN=LEFT>Subject Name: When prompted, type |
---|
1902 | 'n' to override the default and set an appropriate subject name for |
---|
1903 | the CA for your organisation. O = Organisation Name, OU = |
---|
1904 | Organisational Unit (you can set more than one), CN = the Common |
---|
1905 | Name i.e. the name of the Certificate Authority. For |
---|
1906 | example,<BR><BR>/O=STFC/OU=Rutherford Appleton |
---|
1907 | Laboratory/OU=Testing/CN=CA<BR><BR>could be the Certificate |
---|
1908 | Authority's subject for a CA for the Space Science and Technology |
---|
1909 | Department at Rutherford Appleton Laboratory which is part of the |
---|
1910 | Science and Technology Facilities Council.</P> |
---|
1911 | <LI><P CLASS="western" ALIGN=LEFT>e-mail Address: the contact |
---|
1912 | address for certificate requests. If you are using the CA for |
---|
1913 | MyProxy only you will probably not need this facility. You could |
---|
1914 | enter globus@<target host> or some suitable administrative |
---|
1915 | contact</P> |
---|
1916 | <LI><P CLASS="western" ALIGN=LEFT>CA Certificate Expiry Date: Press |
---|
1917 | enter to accept the default of five years, otherwise override and |
---|
1918 | enter your required period.</P> |
---|
1919 | <LI><P CLASS="western" ALIGN=LEFT>PEM Pass phrase: this is the |
---|
1920 | password that will protect the CA's private key file. Choose a strong pass phrase. It will need |
---|
1921 | to be entered in MyProxy's configuration file to enable MyProxy to |
---|
1922 | dynamically issue certificates; because it is stored there in clear text, that configuration file must be readable only by the account running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server</FONT> (root in this guide).</P> |
---|
1923 | </OL> |
---|
1924 | <P CLASS="western" ALIGN=LEFT>A message will appear indicating that |
---|
1925 | the set-up has completed and confirming the subject chosen for your |
---|
1926 | certificate and the location of certificate and private key:</P> |
---|
1927 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
1928 | <COL WIDTH=596> |
---|
1929 | <TR> |
---|
1930 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
1931 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
1932 | $GLOBUS_LOCATION/setup/globus/setup-simple-ca</FONT></P> |
---|
1933 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1934 | </P> |
---|
1935 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">C |
---|
1936 | e r t i f i c a t e A u t h o r i t y S e t u p</FONT></P> |
---|
1937 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1938 | </P> |
---|
1939 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This |
---|
1940 | script will setup a Certificate Authority for signing Globus</FONT></P> |
---|
1941 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">users |
---|
1942 | certificates. It will also generate a simple CA package</FONT></P> |
---|
1943 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">that |
---|
1944 | can be distributed to the users of the CA.</FONT></P> |
---|
1945 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1946 | </P> |
---|
1947 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1948 | CA information about the certificates it distributes will</FONT></P> |
---|
1949 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">be |
---|
1950 | kept in:</FONT></P> |
---|
1951 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1952 | </P> |
---|
1953 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA/</FONT></P> |
---|
1954 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1955 | </P> |
---|
1956 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1957 | unique subject name for this CA is:</FONT></P> |
---|
1958 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1959 | </P> |
---|
1960 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">cn=Globus |
---|
1961 | Simple CA, ou=simpleCA-gabriel, ou=GlobusTest, o=Grid</FONT></P> |
---|
1962 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1963 | </P> |
---|
1964 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Do |
---|
1965 | you want to keep this as the CA subject (y/n) [y]:n</FONT></P> |
---|
1966 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1967 | </P> |
---|
1968 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter |
---|
1969 | a unique subject name for this CA:cn=CA, ou=BADC, ou=Gabriel, |
---|
1970 | o=NDG</FONT></P> |
---|
1971 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1972 | </P> |
---|
1973 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1974 | </P> |
---|
1975 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter |
---|
1976 | the email of the CA (this is the email where certificate</FONT></P> |
---|
1977 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">requests |
---|
1978 | will be sent to be signed by the CA):p.j.kershaw@rl.ac.uk</FONT></P> |
---|
1979 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1980 | </P> |
---|
1981 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
1982 | CA certificate has an expiration date. Keep in mind that</FONT></P> |
---|
1983 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">once |
---|
1984 | the CA certificate has expired, all the certificates</FONT></P> |
---|
1985 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">signed |
---|
1986 | by that CA become invalid. A CA should regenerate</FONT></P> |
---|
1987 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the |
---|
1988 | CA certificate and start re-issuing ca-setup packages</FONT></P> |
---|
1989 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">before |
---|
1990 | the actual CA certificate expires. This can be done</FONT></P> |
---|
1991 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">by |
---|
1992 | re-running this setup script. Enter the number of DAYS</FONT></P> |
---|
1993 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the |
---|
1994 | CA certificate should last before it expires.</FONT></P> |
---|
1995 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[default: |
---|
1996 | 5 years (1825 days)]:</FONT></P> |
---|
1997 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
1998 | </P> |
---|
1999 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Enter |
---|
2000 | PEM pass phrase:</FONT></P> |
---|
2001 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Verifying |
---|
2002 | - Enter PEM pass phrase:</FONT></P> |
---|
2003 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2004 | </P> |
---|
2005 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">creating |
---|
2006 | CA config package...done.</FONT></P> |
---|
2007 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2008 | </P> |
---|
2009 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2010 | </P> |
---|
2011 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">A |
---|
2012 | self-signed certificate has been generated</FONT></P> |
---|
2013 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">for |
---|
2014 | the Certificate Authority with the subject:</FONT></P> |
---|
2015 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2016 | </P> |
---|
2017 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/O=NDG/OU=Gabriel/OU=BADC/CN=CA</FONT></P> |
---|
2018 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2019 | </P> |
---|
2020 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If |
---|
2021 | this is invalid, rerun this script</FONT></P> |
---|
2022 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2023 | </P> |
---|
2024 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus/setup-simple-ca</FONT></P> |
---|
2025 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2026 | </P> |
---|
2027 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">and |
---|
2028 | enter the appropriate fields.</FONT></P> |
---|
2029 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2030 | </P> |
---|
2031 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P> |
---|
2032 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2033 | </P> |
---|
2034 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
2035 | private key of the CA is stored in |
---|
2036 | /root/.globus/simpleCA//private/cakey.pem</FONT></P> |
---|
2037 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
2038 | public CA certificate is stored in |
---|
2039 | /root/.globus/simpleCA//cacert.pem</FONT></P> |
---|
2040 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2041 | </P> |
---|
2042 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
2043 | distribution package built for this CA is stored in</FONT></P> |
---|
2044 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2045 | </P> |
---|
2046 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P> |
---|
2047 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2048 | </P> |
---|
2049 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This |
---|
2050 | file must be distributed to any host wishing to request</FONT></P> |
---|
2051 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificates |
---|
2052 | from this CA.</FONT></P> |
---|
2053 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2054 | </P> |
---|
2055 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">CA |
---|
2056 | setup complete.</FONT></P> |
---|
2057 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2058 | </P> |
---|
2059 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">The |
---|
2060 | following commands will now be run to setup the security</FONT></P> |
---|
2061 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">configuration |
---|
2062 | files for this CA:</FONT></P> |
---|
2063 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2064 | </P> |
---|
2065 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-build |
---|
2066 | /root/.globus/simpleCA//globus_simple_ca_2cba3376_setup-0.19.tar.gz</FONT></P> |
---|
2067 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2068 | </P> |
---|
2069 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/sbin/gpt-postinstall</FONT></P> |
---|
2070 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-------------------------------------------------------------------</FONT></P> |
---|
2071 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2072 | </P> |
---|
2073 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2074 | </P> |
---|
2075 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils: |
---|
2076 | Configuring ssl-utils package</FONT></P> |
---|
2077 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Running |
---|
2078 | setup-ssl-utils-sh-scripts...</FONT></P> |
---|
2079 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2080 | </P> |
---|
2081 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P> |
---|
2082 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2083 | </P> |
---|
2084 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">Note: |
---|
2085 | To complete setup of the GSI software you need to run the</FONT></P> |
---|
2086 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">following |
---|
2087 | script as root to configure your security configuration</FONT></P> |
---|
2088 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">directory:</FONT></P> |
---|
2089 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2090 | </P> |
---|
2091 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/gt4.0.5/setup/globus_simple_ca_2cba3376_setup/setup-gsi</FONT></P> |
---|
2092 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2093 | </P> |
---|
2094 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">For |
---|
2095 | further information on using the setup-gsi script, use the -help</FONT></P> |
---|
2096 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">option. |
---|
2097 | The -default option sets this security configuration to be</FONT></P> |
---|
2098 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">the |
---|
2099 | default, and -nonroot can be used on systems where root access is</FONT></P> |
---|
2100 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">not |
---|
2101 | available.</FONT></P> |
---|
2102 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2103 | </P> |
---|
2104 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">***************************************************************************</FONT></P> |
---|
2105 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2106 | </P> |
---|
2107 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">setup-ssl-utils: |
---|
2108 | Complete</FONT></P> |
---|
2109 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2110 | </P> |
---|
2111 | <P><BR> |
---|
2112 | </P> |
---|
2113 | </TD> |
---|
2114 | </TR> |
---|
2115 | </TABLE> |
---|
2116 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2117 | </P> |
---|
2118 | <P CLASS="western" ALIGN=LEFT>The number in the file names &ndash; |
---|
2119 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">2cba3376</SPAN></FONT> &ndash; is a unique hash |
---|
2120 | identifier for the CA. It will be different for your |
---|
2121 | installation when you run the setup. To complete the set-up, run the |
---|
2122 | setup-gsi script:</P> |
---|
2123 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2124 | <COL WIDTH=596> |
---|
2125 | <TR> |
---|
2126 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
2127 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2128 | </P> |
---|
2129 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2130 | $GLOBUS_LOCATION/setup/globus_simple_ca_2cba3376_setup/setup-gsi </FONT> |
---|
2131 | </P> |
---|
2132 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">-default |
---|
2133 | </FONT> |
---|
2134 | </P> |
---|
2135 | </TD> |
---|
2136 | </TR> |
---|
2137 | </TABLE> |
---|
2138 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2139 | </P> |
---|
2140 | <H3 CLASS="western"><A NAME="4.7.5. Host Certificate Creation|outline"></A> |
---|
2141 | 4.7.5 Host Certificate Creation</H3> |
---|
2142 | <P CLASS="western">Carry out these steps as the root user. First |
---|
2143 | check the path to the command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">grid-cert-request</SPAN></FONT>:</P> |
---|
2144 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2145 | </P> |
---|
2146 | <TABLE WIDTH=609 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2147 | <COL WIDTH=593> |
---|
2148 | <TR> |
---|
2149 | <TD WIDTH=593 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2150 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2151 | </P> |
---|
2152 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2153 | which grid-cert-request</FONT></P> |
---|
2154 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
2155 | </P> |
---|
2156 | </TD> |
---|
2157 | </TR> |
---|
2158 | </TABLE> |
---|
2159 | <P CLASS="western" ALIGN=JUSTIFY><BR>Should return something like: |
---|
2160 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">/usr/local/globus-4.0.5/bin/grid-cert-request</FONT></P> |
---|
2161 | <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">If |
---|
2162 | not check the settings as made earlier for the SimpleCA:</FONT></P> |
---|
2163 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2164 | </P> |
---|
2165 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2166 | <COL WIDTH=596> |
---|
2167 | <TR> |
---|
2168 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
2169 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> |
---|
2170 | </P> |
---|
2171 | <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2172 | export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export |
---|
2173 | GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . |
---|
2174 | $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> |
---|
2175 | </TD> |
---|
2176 | </TR> |
---|
2177 | </TABLE> |
---|
2178 | <P><BR><BR> |
---|
2179 | </P> |
---|
2180 | <P CLASS="western" ALIGN=JUSTIFY>To generate a host certificate |
---|
2181 | request:</P> |
---|
2182 | <TABLE WIDTH=608 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2183 | <COL WIDTH=592> |
---|
2184 | <TR> |
---|
2185 | <TD WIDTH=592 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2186 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2187 | </P> |
---|
2188 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2189 | grid-cert-request -host &lt;fully qualified hostname&gt; </FONT> |
---|
2190 | </P> |
---|
2191 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
2192 | </P> |
---|
2193 | </TD> |
---|
2194 | </TR> |
---|
2195 | </TABLE> |
---|
2196 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2197 | </P> |
---|
2198 | <P CLASS="western" ALIGN=LEFT>This creates the files <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT>, |
---|
2199 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT> |
---|
2200 | and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem</FONT> |
---|
2201 | in the /etc/grid-security directory. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert.pem</FONT> |
---|
2202 | is empty at this point. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostkey.pem</FONT> is the host's private key: check that it is owned by root and not readable by any other user before continuing. |
---|
2203 | </P> |
---|
2204 | <P CLASS="western" ALIGN=JUSTIFY>In order to obtain the certificate |
---|
2205 | it must be signed by the CA: |
---|
2206 | </P> |
---|
2207 | <TABLE WIDTH=612 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2208 | <COL WIDTH=596> |
---|
2209 | <TR> |
---|
2210 | <TD WIDTH=596 HEIGHT=42 VALIGN=TOP BGCOLOR="#e6e6e6"> |
---|
2211 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> |
---|
2212 | </P> |
---|
2213 | <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2214 | grid-ca-sign -in /<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">etc/grid-security/hostcert_request.pem |
---|
2215 | -out /etc/grid-security/hostcert.pem </FONT></FONT> |
---|
2216 | </P> |
---|
2217 | </TD> |
---|
2218 | </TR> |
---|
2219 | </TABLE> |
---|
2220 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2221 | </P> |
---|
2222 | <P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">hostcert_request.pem |
---|
2223 | </FONT>is no longer needed and can be deleted.</P> |
---|
2224 | <H3 CLASS="western"><A NAME="4.7.6. MyProxy Configuration File|outline"></A> |
---|
2225 | 4.7.6 MyProxy Configuration File</H3> |
---|
2226 | <P CLASS="western" ALIGN=JUSTIFY>A MyProxy configuration file is |
---|
2227 | normally kept in the Globus installation under the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">etc</SPAN></FONT> |
---|
2228 | directory. If this file is not already present, copy the sample |
---|
2229 | file:</P> |
---|
2230 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2231 | <COL WIDTH=610> |
---|
2232 | <TR> |
---|
2233 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2234 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2235 | </P> |
---|
2236 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2237 | cp $GLOBUS_LOCATION/share/myproxy/myproxy-server.config |
---|
2238 | $GLOBUS_LOCATION/etc</FONT></P> |
---|
2239 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
2240 | </P> |
---|
2241 | </TD> |
---|
2242 | </TR> |
---|
2243 | </TABLE> |
---|
2244 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2245 | </P> |
---|
2246 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm">Edit |
---|
2247 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$GLOBUS_LOCATION/etc/myproxy-server.config</FONT>, |
---|
2248 | modifying the entries under the section <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Complete |
---|
2249 | Sample Policy</SPAN></FONT> so that they are all uncommented (remove the |
---|
2250 | leading <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"># |
---|
2251 | </SPAN></FONT>character):</P> |
---|
2252 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2253 | </P> |
---|
2254 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2255 | <COL WIDTH=610> |
---|
2256 | <TR> |
---|
2257 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2258 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2259 | </P> |
---|
2260 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P> |
---|
2261 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># |
---|
2262 | Complete Sample Policy</FONT></P> |
---|
2263 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#</FONT></P> |
---|
2264 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># |
---|
2265 | The following lines define a sample policy that enables all</FONT></P> |
---|
2266 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># |
---|
2267 | myproxy-server features. See below for more examples.</FONT></P> |
---|
2268 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">accepted_credentials |
---|
2269 | "*"</FONT></P> |
---|
2270 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers |
---|
2271 | "*"</FONT></P> |
---|
2272 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_retrievers |
---|
2273 | "*"</FONT></P> |
---|
2274 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_renewers |
---|
2275 | "*"</FONT></P> |
---|
2276 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_renewers |
---|
2277 | "none"</FONT></P> |
---|
2278 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_key_retrievers |
---|
2279 | "*"</FONT></P> |
---|
2280 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_key_retrievers |
---|
2281 | "none"</FONT></P> |
---|
2282 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">trusted_retrievers |
---|
2283 | "*"</FONT></P> |
---|
2284 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">default_trusted_retrievers |
---|
2285 | "none"</FONT></P> |
---|
2286 | <P><BR> |
---|
2287 | </P> |
---|
2288 | </TD> |
---|
2289 | </TR> |
---|
2290 | </TABLE> |
---|
2291 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2292 | </P> |
---|
2293 | <P CLASS="western" ALIGN=LEFT>Note that the wildcards for these |
---|
2294 | fields may be modified such that only Distinguished Names of a given |
---|
2295 | format are accepted e.g. <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">"/O=NDG/OU=BADC/*"</SPAN></FONT>. The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">"*"</FONT> entries in the sample policy accept any DN for the corresponding field, so restrict them to your site's DN form before the server is exposed beyond initial testing.</P> |
---|
2296 | <P CLASS="western" ALIGN=JUSTIFY>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">chmod |
---|
2297 | </SPAN></FONT>command ensures that only the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">globus</SPAN></FONT> |
---|
2298 | user has read/write access to the directory. Note also that the |
---|
2299 | directory need not be called <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy</SPAN></FONT>.</P> |
---|
2300 | <H3 CLASS="western"><A NAME="4.7.7. MyProxy SimpleCA Configuration|outline"></A> |
---|
2301 | 4.7.7 MyProxy SimpleCA Configuration</H3> |
---|
2302 | <P CLASS="western" ALIGN=LEFT>NDG Security uses MyProxy to |
---|
2303 | dynamically generate user certificates on user login. For this, |
---|
2304 | MyProxy requires configuration details from the SimpleCA. Make these |
---|
2305 | settings in $GLOBUS_LOCATION/etc/myproxy-server.config. (Note the |
---|
2306 | sensitivity of this information and the need to secure this file |
---|
2307 | carefully: it holds the path to the CA private key and the key's passphrase in clear text, so it must be readable only by the account that runs myproxy-server.)</P> |
---|
2308 | <OL> |
---|
2309 | <LI><P CLASS="western" ALIGN=JUSTIFY>enable any retriever – |
---|
2310 | retrieval is based on the retriever's login credentials:</P> |
---|
2311 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2312 | <COL WIDTH=577> |
---|
2313 | <TR> |
---|
2314 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2315 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2316 | </P> |
---|
2317 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">authorized_retrievers |
---|
2318 | "*"</FONT></P> |
---|
2319 | </TD> |
---|
2320 | </TR> |
---|
2321 | </TABLE> |
---|
2322 | <P CLASS="western" ALIGN=JUSTIFY></P> |
---|
2323 | <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA |
---|
2324 | certificate. In this example the CA is installed in the root user's |
---|
2325 | home directory:</P> |
---|
2326 | </OL> |
---|
2327 | <DL> |
---|
2328 | <DD> |
---|
2329 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2330 | <COL WIDTH=577> |
---|
2331 | <TR> |
---|
2332 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2333 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2334 | </P> |
---|
2335 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_cert |
---|
2336 | /root/.globus/simpleCA/cacert.pem</FONT></P> |
---|
2337 | </TD> |
---|
2338 | </TR> |
---|
2339 | </TABLE> |
---|
2340 | </DL> |
---|
2341 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2342 | </P> |
---|
2343 | <OL START=3> |
---|
2344 | <LI><P CLASS="western" ALIGN=LEFT>Set the path to the CA private |
---|
2345 | key: |
---|
2346 | </P> |
---|
2347 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2348 | <COL WIDTH=577> |
---|
2349 | <TR> |
---|
2350 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2351 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2352 | </P> |
---|
2353 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key |
---|
2354 | /root/.globus/simpleCA/private/cakey.pem</FONT></P> |
---|
2355 | </TD> |
---|
2356 | </TR> |
---|
2357 | </TABLE> |
---|
2358 | <P CLASS="western" ALIGN=JUSTIFY></P> |
---|
2359 | <LI><P CLASS="western" ALIGN=LEFT>Provide the passphrase for the CA's |
---|
2360 | private key, replacing "password" below with the value set when you created the SimpleCA with |
---|
2361 | $GLOBUS_LOCATION/setup/globus/setup-simple-ca:</P> |
---|
2362 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2363 | <COL WIDTH=577> |
---|
2364 | <TR> |
---|
2365 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2366 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2367 | </P> |
---|
2368 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">certificate_issuer_key_passphrase |
---|
2369 | "password"</FONT></P> |
---|
2370 | </TD> |
---|
2371 | </TR> |
---|
2372 | </TABLE> |
---|
2373 | <P CLASS="western" ALIGN=JUSTIFY></P> |
---|
2374 | <LI><P CLASS="western" ALIGN=JUSTIFY>Set the path to the certificate |
---|
2375 | serial file</P> |
---|
2376 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2377 | <COL WIDTH=577> |
---|
2378 | <TR> |
---|
2379 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2380 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_serialfile |
---|
2381 | /root/.globus/simpleCA/serial </FONT> |
---|
2382 | </P> |
---|
2383 | </TD> |
---|
2384 | </TR> |
---|
2385 | </TABLE> |
---|
2386 | <P CLASS="western" ALIGN=JUSTIFY></P> |
---|
2387 | <LI><P CLASS="western" ALIGN=JUSTIFY>Configure how MyProxy maps |
---|
2388 | usernames to Distinguished Names in generated certificates. This can |
---|
2389 | be done either with a grid mapfile or a script. A script is more |
---|
2390 | flexible as you can use a wildcard match rather than requiring a map |
---|
2391 | entry for every single user. An example script is:</P> |
---|
2392 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2393 | <COL WIDTH=577> |
---|
2394 | <TR> |
---|
2395 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2396 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2397 | </P> |
---|
2398 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">#!/bin/sh<BR>username=$1<BR>if |
---|
2399 | [ X"$username" = X ]; then<BR> # no username given<BR> |
---|
2400 | exit 1<BR>fi<BR>echo |
---|
2401 | "/O=NDG/OU=Gabriel/OU=BADC/CN=${username}"</FONT></P> |
---|
2402 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">exit |
---|
2403 | 0</FONT></P> |
---|
2404 | </TD> |
---|
2405 | </TR> |
---|
2406 | </TABLE> |
---|
2407 | <P CLASS="western" ALIGN=LEFT><BR>In the example above, if a user |
---|
2408 | logs in as pjkershaw, they will be issued with a certificate with |
---|
2409 | the Distinguished Name /O=NDG/OU=Gabriel/OU=BADC/CN=pjkershaw. Copy |
---|
2410 | the script above into $GLOBUS_LOCATION/sbin/mapper.sh, replacing |
---|
2411 | "/O=NDG/OU=Gabriel/OU=BADC/CN=" with the form of the |
---|
2412 | Distinguished Name that you require for users at your site. Because the script's output is the DN the CA will sign, the file must be writable only by root. Ensure |
---|
2413 | that the file has execute permissions set e.g.<BR><BR><BR> |
---|
2414 | </P> |
---|
2415 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2416 | <COL WIDTH=577> |
---|
2417 | <TR> |
---|
2418 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2419 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
2420 | </P> |
---|
2421 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2422 | chmod 700 $GLOBUS_LOCATION/sbin/mapper.sh</FONT></P> |
---|
2423 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
2424 | </P> |
---|
2425 | </TD> |
---|
2426 | </TR> |
---|
2427 | </TABLE> |
---|
2428 | <P CLASS="western" ALIGN=LEFT><BR>Refer to the script in |
---|
2429 | $GLOBUS_LOCATION/etc/myproxy-server.config with this setting:</P> |
---|
2430 | <TABLE WIDTH=593 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2431 | <COL WIDTH=577> |
---|
2432 | <TR> |
---|
2433 | <TD WIDTH=577 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2434 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>certificate_mapapp |
---|
2435 | /usr/local/globus-4.0.5/sbin/mapper.sh</FONT></P> |
---|
2436 | </TD> |
---|
2437 | </TR> |
---|
2438 | </TABLE> |
---|
2439 | <P CLASS="western" ALIGN=LEFT></P> |
---|
2440 | </OL> |
---|
2441 | <H3 CLASS="western"><A NAME="4.7.8. MyProxy PAM Configuration|outline"></A> |
---|
2442 | 4.7.8 MyProxy PAM Configuration</H3> |
---|
2443 | <P CLASS="western" ALIGN=JUSTIFY>Reference: |
---|
2444 | <A HREF="http://grid.ncsa.uiuc.edu/myproxy/pam.html">http://grid.ncsa.uiuc.edu/myproxy/pam.html</A></P> |
---|
2445 | <P CLASS="western" ALIGN=JUSTIFY>NDG Security makes use of MyProxy |
---|
2446 | with PAM to enable MyProxy logon requests to be authenticated against |
---|
2447 | a site's existing security infrastructure, for example a user |
---|
2448 | database or LDAP repository. Linux systems have PAMs for login, ssh |
---|
2449 | and other services. PAMs can be obtained for the major database |
---|
2450 | varieties such as MySQL, Postgres and Oracle.</P> |
---|
2451 | <P CLASS="western">To configure MyProxy for PAM, settings are made |
---|
2452 | via myproxy-server.config to two different fields:</P> |
---|
2453 | <UL> |
---|
2454 | <LI><P CLASS="western">pam: may be set to "disabled", "required" |
---|
2455 | or "sufficient". Set to "required". With this setting, |
---|
2456 | all MyProxy logon requests will be authenticated via PAM. The |
---|
2457 | "sufficient" setting may be useful in some circumstances. It |
---|
2458 | enables authentication via PAM and via credentials held in the |
---|
2459 | MyProxy repository.</P> |
---|
2460 | <LI><P CLASS="western">pam_id: name that MyProxy uses to identify |
---|
2461 | itself to PAM. This can correspond either to a file of the same |
---|
2462 | name in /etc/pam.d or entries prefixed with that name in |
---|
2463 | /etc/pam.conf. This setting determines the PAM used by MyProxy to |
---|
2464 | authenticate. |
---|
2465 | </P> |
---|
2466 | </UL> |
---|
2467 | <P CLASS="western">The most straightforward way to set up MyProxy |
---|
2468 | with PAM is to try one of the existing PAMs such as login. If the |
---|
2469 | pam_id is set to login, a myproxy-logon request will be authenticated against that |
---|
2470 | user's Linux login.</P> |
---|
2471 | <P CLASS="western">Appendices are provided at the end of this |
---|
2472 | document for some of the more common configurations.</P> |
---|
2473 | <H3 CLASS="western"><A NAME="4.7.9. Testing MyProxy|outline"></A>4.7.9 |
---|
2474 | Testing MyProxy</H3> |
---|
2475 | <P CLASS="western" ALIGN=JUSTIFY>A simple way to test the MyProxy |
---|
2476 | configuration is to run the myproxy-logon client command. For initial |
---|
2477 | testing set the pam_id in $GLOBUS_LOCATION/etc/myproxy-server.config |
---|
2478 | to "logon" so that it uses the Linux user accounts for |
---|
2479 | authentication.</P> |
---|
2480 | <P CLASS="western" ALIGN=JUSTIFY>Client error messages can be |
---|
2481 | difficult to interpret but a -v verbose option is provided to give |
---|
2482 | more information. In addition, MyProxy server can be run in debug |
---|
2483 | mode using the -d command line switch. MyProxy should be run under |
---|
2484 | the user account in which it was installed - root. Ensure that the |
---|
2485 | environment is set correctly i.e. GLOBUS_LOCATION variable set and |
---|
2486 | $GLOBUS_LOCATION/etc/globus-user-env.sh has been sourced<SPAN LANG="pt-PT"><FONT SIZE=2>:</FONT></SPAN></P> |
---|
2487 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2488 | <COL WIDTH=602> |
---|
2489 | <TR> |
---|
2490 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2491 | <P LANG="fr-FR" STYLE="margin-bottom: 0cm"><BR> |
---|
2492 | </P> |
---|
2493 | <P LANG="fr-FR"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2494 | export GLOBUS_LOCATION=/usr/local/globus-4.0.5<BR>$ export |
---|
2495 | GPT_LOCATION=$GLOBUS_LOCATION<BR>$ . |
---|
2496 | $GLOBUS_LOCATION/etc/globus-user-env.sh</FONT></P> |
---|
2497 | </TD> |
---|
2498 | </TR> |
---|
2499 | </TABLE> |
---|
2500 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2501 | </P> |
---|
2502 | <P CLASS="western" ALIGN=JUSTIFY>If you already have MyProxy running |
---|
2503 | via xinetd or as a process started from a SysV init script, it is |
---|
2504 | possible to run a separate MyProxy server process on a different port |
---|
2505 | with the -p flag.</P> |
---|
2506 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2507 | <COL WIDTH=602> |
---|
2508 | <TR> |
---|
2509 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2510 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2511 | </P> |
---|
2512 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2513 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server |
---|
2514 | -d -v -p 60000</SPAN></FONT></FONT></P> |
---|
2515 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server |
---|
2516 | v3.7 12 Dec 2006 PAM starting at Fri Dec 21 12:45:59 2007</SPAN></FONT></FONT></P> |
---|
2517 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">reading |
---|
2518 | configuration file |
---|
2519 | /usr/local/globus-4.0.5/etc/myproxy-server.config</SPAN></FONT></FONT></P> |
---|
2520 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CA |
---|
2521 | enabled</SPAN></FONT></FONT></P> |
---|
2522 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using |
---|
2523 | storage directory /var/myproxy</SPAN></FONT></FONT></P> |
---|
2524 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Starting |
---|
2525 | myproxy-server on localhost: 60000...</SPAN></FONT></FONT></P> |
---|
2526 | <P><BR> |
---|
2527 | </P> |
---|
2528 | </TD> |
---|
2529 | </TR> |
---|
2530 | </TABLE> |
---|
2531 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2532 | </P> |
---|
2533 | <P CLASS="western" ALIGN=LEFT>Note that in debug mode, myproxy-server |
---|
2534 | will exit after the first request made to it.</P> |
---|
2535 | <P CLASS="western" ALIGN=LEFT>Run myproxy-logon in a separate window |
---|
2536 | under a user account for which you know the Linux password. Provide |
---|
2537 | the port number if myproxy-server was started on a different port to |
---|
2538 | the default and give the full name of the server as set in the host |
---|
2539 | certificate (/etc/grid-security/hostcert.pem)</P> |
---|
2540 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2541 | <COL WIDTH=602> |
---|
2542 | <TR> |
---|
2543 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2544 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2545 | </P> |
---|
2546 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2547 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-logon |
---|
2548 | -v -s <fully qualified server hostname> -p 60000</SPAN></FONT></FONT></P> |
---|
2549 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">MyProxy |
---|
2550 | v3.7 12 Dec 2006 PAM</SPAN></FONT></FONT></P> |
---|
2551 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Attempting |
---|
2552 | to connect to 127.0.0.1:60000</SPAN></FONT></FONT></P> |
---|
2553 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Enter |
---|
2554 | MyProxy pass phrase:</SPAN></FONT></FONT></P> |
---|
2555 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using |
---|
2556 | trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P> |
---|
2557 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">no |
---|
2558 | valid credentials found -- performing anonymous authentication</SPAN></FONT></FONT></P> |
---|
2559 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server |
---|
2560 | name: /O=NDG/OU=Gabriel/OU=BADC/CN=gabriel<></SPAN></FONT></FONT></P> |
---|
2561 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">checking |
---|
2562 | that server name is acceptable...</SPAN></FONT></FONT></P> |
---|
2563 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server |
---|
2564 | name does not match "myproxy@gabriel<>"</SPAN></FONT></FONT></P> |
---|
2565 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server |
---|
2566 | name matches "host@gabriel<>"</SPAN></FONT></FONT></P> |
---|
2567 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">authenticated |
---|
2568 | server name is acceptable</SPAN></FONT></FONT></P> |
---|
2569 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">A |
---|
2570 | credential has been received for user pjkershaw in |
---|
2571 | /tmp/x509up_u1000.</SPAN></FONT></FONT></P> |
---|
2572 | <P><BR> |
---|
2573 | </P> |
---|
2574 | </TD> |
---|
2575 | </TR> |
---|
2576 | </TABLE> |
---|
2577 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2578 | </P> |
---|
2579 | <P CLASS="western" ALIGN=LEFT>The equivalent output from the server |
---|
2580 | will be something like:</P> |
---|
2581 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2582 | <COL WIDTH=602> |
---|
2583 | <TR> |
---|
2584 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2585 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2586 | </P> |
---|
2587 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Connection |
---|
2588 | from 127.0.0.1</SPAN></FONT></FONT></P> |
---|
2589 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using |
---|
2590 | trusted certificates directory /etc/grid-security/certificates</SPAN></FONT></FONT></P> |
---|
2591 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Authenticated |
---|
2592 | client <anonymous></SPAN></FONT></FONT></P> |
---|
2593 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying |
---|
2594 | trusted_retrievers policy</SPAN></FONT></FONT></P> |
---|
2595 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying |
---|
2596 | authorized_retrievers policy</SPAN></FONT></FONT></P> |
---|
2597 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">applying |
---|
2598 | authorized_renewers policy</SPAN></FONT></FONT></P> |
---|
2599 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P> |
---|
2600 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">resolve_via_mapapp(/usr/local/globus-4.0.5/sbin/mapper.sh, |
---|
2601 | pjkershaw)</SPAN></FONT></FONT></P> |
---|
2602 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Checking |
---|
2603 | passphrase via PAM. PAM policy: "sufficient"; PAM ID: |
---|
2604 | "logon"</SPAN></FONT></FONT></P> |
---|
2605 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PAM |
---|
2606 | authentication succeeded for pjkershaw</SPAN></FONT></FONT></P> |
---|
2607 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Received |
---|
2608 | GET request from <anonymous></SPAN></FONT></FONT></P> |
---|
2609 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending |
---|
2610 | OK response to client <anonymous></SPAN></FONT></FONT></P> |
---|
2611 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using |
---|
2612 | CA callout</SPAN></FONT></FONT></P> |
---|
2613 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Calling |
---|
2614 | CA Extensions</SPAN></FONT></FONT></P> |
---|
2615 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">handle_certificate()</SPAN></FONT></FONT></P> |
---|
2616 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Cert |
---|
2617 | request loaded.</SPAN></FONT></FONT></P> |
---|
2618 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Got |
---|
2619 | a cert request for user "pjkershaw", with pubkey hash |
---|
2620 | "282944311", and lifetime "43200"</SPAN></FONT></FONT></P> |
---|
2621 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Using |
---|
2622 | internal openssl/generate_certificate() code</SPAN></FONT></FONT></P> |
---|
2623 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Generating |
---|
2624 | certificate internally.</SPAN></FONT></FONT></P> |
---|
2625 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">user_dn_lookup()</SPAN></FONT></FONT></P> |
---|
2626 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">using |
---|
2627 | cached value</SPAN></FONT></FONT></P> |
---|
2628 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">tokenizing: |
---|
2629 | /O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw</SPAN></FONT></FONT></P> |
---|
2630 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: |
---|
2631 | O = NDG</SPAN></FONT></FONT></P> |
---|
2632 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: |
---|
2633 | OU = BADC</SPAN></FONT></FONT></P> |
---|
2634 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: |
---|
2635 | OU = Gabriel</SPAN></FONT></FONT></P> |
---|
2636 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">adding: |
---|
2637 | CN = pjkershaw</SPAN></FONT></FONT></P> |
---|
2638 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Assigning |
---|
2639 | serial number</SPAN></FONT></FONT></P> |
---|
2640 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Loaded |
---|
2641 | serial number F6 from /root/.globus/simpleCA/serial</SPAN></FONT></FONT></P> |
---|
2642 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">serial |
---|
2643 | number assigned</SPAN></FONT></FONT></P> |
---|
2644 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cert |
---|
2645 | lifetime: 43200</SPAN></FONT></FONT></P> |
---|
2646 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">CAkey: |
---|
2647 | /root/.globus/simpleCA/private/cakey.pem</SPAN></FONT></FONT></P> |
---|
2648 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Signing |
---|
2649 | internally generated certificate.</SPAN></FONT></FONT></P> |
---|
2650 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Issued |
---|
2651 | certificate for user "pjkershaw", with DN |
---|
2652 | "/O=NDG/OU=BADC/OU=Gabriel/CN=pjkershaw", lifetime |
---|
2653 | "43200", and serial number "246"</SPAN></FONT></FONT></P> |
---|
2654 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Sending |
---|
2655 | OK response to client <anonymous></SPAN></FONT></FONT></P> |
---|
2656 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Client |
---|
2657 | <anonymous> disconnected</SPAN></FONT></FONT></P> |
---|
2658 | <P><BR> |
---|
2659 | </P> |
---|
2660 | </TD> |
---|
2661 | </TR> |
---|
2662 | </TABLE> |
---|
2663 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2664 | </P> |
---|
2665 | <P CLASS="western" ALIGN=LEFT>The certificate and private key are |
---|
2666 | written to a file in /tmp by myproxy-logon. This takes the form |
---|
2667 | x509up_&lt;uid&gt;. It's possible to check the certificate |
---|
2668 | generated using openssl e.g.:</P> |
---|
2669 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2670 | <COL WIDTH=602> |
---|
2671 | <TR> |
---|
2672 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2673 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2674 | </P> |
---|
2675 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ |
---|
2676 | openssl x509 -in /tmp/x509up_1001 -text</SPAN></FONT></FONT></P> |
---|
2677 | <P><BR> |
---|
2678 | </P> |
---|
2679 | </TD> |
---|
2680 | </TR> |
---|
2681 | </TABLE> |
---|
2682 | <P CLASS="western" ALIGN=LEFT><BR>The output includes details |
---|
2683 | including the certificate's DN, issuer and expiry time. If you wish |
---|
2684 | to run the test again delete or move this file as myproxy-logon will |
---|
2685 | try to use it to authenticate to the MyProxy server.</P> |
---|
2686 | <P CLASS="western" ALIGN=LEFT>If you encounter problems check the |
---|
2687 | output from the client and server commands. The system logs may |
---|
2688 | contain useful additional information from the PAM used.</P> |
---|
2689 | <P CLASS="western" ALIGN=LEFT>The Python MyProxy client unit tests |
---|
2690 | can be used to test the server from a separate client machine where |
---|
2691 | Python NDG services are installed but not MyProxy itself. The |
---|
2692 | MyProxy unit tests are in the package ndg.security.test.myProxy.</P> |
---|
2693 | <H3 CLASS="western"><A NAME="4.7.10. Adding MyProxy Server to the system start up|outline"></A> |
---|
2694 | 4.7.10 Adding MyProxy Server to the system start up</H3> |
---|
2695 | <P CLASS="western" ALIGN=JUSTIFY>Any of the standard mechanisms may |
---|
2696 | be used such as adding a SysV style init script or using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> |
---|
2697 | or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>. |
---|
2698 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT>/<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT> |
---|
2699 | are preferred:</P> |
---|
2700 | <UL> |
---|
2701 | <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> |
---|
2702 | process will not show on <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ps</SPAN></FONT> |
---|
2703 | command listing |
---|
2704 | </P> |
---|
2705 | <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It's |
---|
2706 | more efficient since it's only invoked when a request from a |
---|
2707 | MyProxy client is received.</P> |
---|
2708 | <LI><P CLASS="western" ALIGN=JUSTIFY STYLE="margin-bottom: 0cm">It's |
---|
2709 | easy to configure so that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> |
---|
2710 | runs as an alternative user to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>.</P> |
---|
2711 | </UL> |
---|
2712 | <P CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.63cm; margin-bottom: 0cm"> |
---|
2713 | <BR> |
---|
2714 | </P> |
---|
2715 | <H4 CLASS="western"><A NAME="_Ref143089522"></A>4.7.10.1 inetd / |
---|
2716 | xinetd</H4> |
---|
2717 | <P CLASS="western" ALIGN=LEFT>To run the myproxy server using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd |
---|
2718 | </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>, |
---|
2719 | as root user: |
---|
2720 | </P> |
---|
2721 | <UL> |
---|
2722 | <LI><P CLASS="western" ALIGN=LEFT>Add the entries in |
---|
2723 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.services.modifications</SPAN></FONT> |
---|
2724 | to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/services</SPAN></FONT> |
---|
2725 | or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/services</SPAN></FONT> |
---|
2726 | file: |
---|
2727 | </P> |
---|
2728 | </UL> |
---|
2729 | <DL> |
---|
2730 | <DD> |
---|
2731 | <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2732 | <COL WIDTH=558> |
---|
2733 | <TR> |
---|
2734 | <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2735 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2736 | </P> |
---|
2737 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy-server |
---|
2738 | 7512/tcp # MyProxy server</FONT></P> |
---|
2739 | <P><BR> |
---|
2740 | </P> |
---|
2741 | </TD> |
---|
2742 | </TR> |
---|
2743 | </TABLE> |
---|
2744 | </DL> |
---|
2745 | <P CLASS="western" ALIGN=LEFT STYLE="margin-left: 0.64cm"><BR><BR> |
---|
2746 | </P> |
---|
2747 | <UL> |
---|
2748 | <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Add the entries from |
---|
2749 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.inetd.conf.modifications</SPAN></FONT></P> |
---|
2750 | <UL> |
---|
2751 | <LI><P CLASS="western" ALIGN=LEFT>For inetd add to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inetd.conf |
---|
2752 | </SPAN></FONT>or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/inet/inetd.conf</SPAN></FONT>, |
---|
2753 | or …</P> |
---|
2754 | <LI><P CLASS="western" ALIGN=LEFT>for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>, |
---|
2755 | copy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.xinetd.myproxy</SPAN></FONT> |
---|
2756 | to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/xinetd.d/myproxy</SPAN></FONT>. |
---|
2757 | Modify the paths in the file according to your installation and set |
---|
2758 | the user to the correct user name for running <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">myproxy-server</SPAN></FONT> |
---|
2759 | e.g.</P> |
---|
2760 | </UL> |
---|
2761 | </UL> |
---|
2762 | <DL> |
---|
2763 | <DD> |
---|
2764 | <TABLE WIDTH=574 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2765 | <COL WIDTH=558> |
---|
2766 | <TR> |
---|
2767 | <TD WIDTH=558 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2768 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2769 | </P> |
---|
2770 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">service |
---|
2771 | myproxy-server</FONT></FONT></P> |
---|
2772 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">{</FONT></FONT></P> |
---|
2773 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">socket_type |
---|
2774 | = stream</FONT></FONT></P> |
---|
2775 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt"><SPAN LANG="pt-PT">protocol |
---|
2776 | = tcp</SPAN></FONT></FONT></P> |
---|
2777 | <P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">wait |
---|
2778 | = no</FONT></FONT></P> |
---|
2779 | <P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">user |
---|
2780 | = globus</FONT></FONT></P> |
---|
2781 | <P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">server |
---|
2782 | = /usr/local/NDG/globus-4.0.1/sbin/myproxy-server</FONT></FONT></P> |
---|
2783 | <P LANG="pt-PT" STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">env |
---|
2784 | = GLOBUS_LOCATION=/usr/local/globus-4.0.5 |
---|
2785 | LD_LIBRARY_PATH=/usr/local/globus-4.0.5/lib</FONT></FONT></P> |
---|
2786 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">disable |
---|
2787 | = no</FONT></FONT></P> |
---|
2788 | <P STYLE="margin-bottom: 0cm"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">only_from |
---|
2789 | = localhost.localdomain &lt;hostAddress1&gt; &lt;hostAddress2&gt;</FONT></FONT></P> |
---|
2790 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2 STYLE="font-size: 9pt">}</FONT></FONT></P> |
---|
2791 | </TD> |
---|
2792 | </TR> |
---|
2793 | </TABLE> |
---|
2794 | </DL> |
---|
2795 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2796 | </P> |
---|
2797 | <UL> |
---|
2798 | <LI VALUE=1><P CLASS="western" ALIGN=LEFT>Note also, the additional |
---|
2799 | setting in this example for <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">only_from</SPAN></FONT>. |
---|
2800 | This limits the hosts from which clients may connect to the |
---|
2801 | server. In the above, clients can connect from the local |
---|
2802 | machine (note the fully qualified name including <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localdomain</SPAN></FONT>) |
---|
2803 | and from the hosts <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress1&gt; |
---|
2804 | </SPAN></FONT>and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostAddress2&gt;</SPAN></FONT>. |
---|
2805 | Care must be taken with these settings. Client requests will exit |
---|
2806 | with an SSL error if set incorrectly.</P> |
---|
2807 | <LI><P CLASS="western" ALIGN=LEFT>Reactivate the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> |
---|
2808 | / <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT>. |
---|
2809 | This is typically accomplished by sending the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">SIGHUP</SPAN></FONT> |
---|
2810 | signal to the server process. Redhat Linux machines include the GUI |
---|
2811 | tool <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT> |
---|
2812 | to allow convenient management of services. Refer to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">inetd</SPAN></FONT> |
---|
2813 | or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">xinetd</SPAN></FONT> |
---|
2814 | man page for your system.</P> |
---|
2815 | </UL> |
---|
2816 | <H4 CLASS="western">4.7.10.2 SysV-style boot script |
---|
2817 | </H4> |
---|
2818 | <P CLASS="western" ALIGN=LEFT>A sample SysV-style boot script is |
---|
2819 | available in the Globus installation at |
---|
2820 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy</SPAN></FONT>. |
---|
2821 | </P> |
---|
2822 | <P CLASS="western" ALIGN=LEFT>To install: |
---|
2823 | </P> |
---|
2824 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2825 | <COL WIDTH=602> |
---|
2826 | <TR> |
---|
2827 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2828 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2829 | </P> |
---|
2830 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
2831 | cp <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$GLOBUS_LOCATION/share/myproxy/etc.init.d.myproxy |
---|
2832 | /etc/rc.d/init.d/myproxy</SPAN></FONT></FONT></P> |
---|
2833 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ |
---|
2834 | chkconfig --add myproxy</SPAN></FONT></FONT></P> |
---|
2835 | <P><BR> |
---|
2836 | </P> |
---|
2837 | </TD> |
---|
2838 | </TR> |
---|
2839 | </TABLE> |
---|
2840 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2841 | </P> |
---|
2842 | <P CLASS="western" ALIGN=LEFT>Edit the file to set the |
---|
2843 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GLOBUS_LOCATION |
---|
2844 | </SPAN></FONT>environment variable correctly. |
---|
2845 | </P> |
---|
2846 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2847 | </P> |
---|
2848 | <H1 CLASS="western"><A NAME="5.Appendices|outline"></A>5.Appendices</H1> |
---|
2849 | <H2 CLASS="western"><A NAME="5.1. Postgres PAM for MyProxy|outline"></A> |
---|
2850 | 5.1 Postgres PAM for MyProxy</H2> |
---|
2851 | <P CLASS="western" ALIGN=JUSTIFY>This section is intended to provide |
---|
2852 | the information needed to enable MyProxy to authenticate against |
---|
2853 | tables in a Postgres database. Before making these settings, ensure |
---|
2854 | that MyProxy is fully installed following the steps outlined in the |
---|
2855 | MyProxy section. It's recommended to try out MyProxy with an |
---|
2856 | existing PAM such as "logon" first to ensure it is working. See |
---|
2857 | the section <I>Testing MyProxy</I>.</P> |
---|
2858 | <P CLASS="western" ALIGN=JUSTIFY>Obtain and install the latest |
---|
2859 | libpam_pgsql. This can be installed from Debian or RPM packages or |
---|
2860 | from source. For NDG Security, version 0.5.2-9 Debian and 0.6.3 |
---|
2861 | source distributions have been tested. Check the documentation in |
---|
2862 | the source tar ball for details of Postgres version requirements. |
---|
2863 | </P> |
---|
2864 | <H3 CLASS="western"><A NAME="5.1.1. Configuration|outline"></A>5.1.1 |
---|
2865 | Configuration</H3> |
---|
2866 | <P CLASS="western" ALIGN=JUSTIFY>Depending on your native system |
---|
2867 | create either a /etc/pam.d/myproxy file or the relevant entry in |
---|
2868 | /etc/pam.conf |
---|
2869 | </P> |
---|
2870 | <P CLASS="western" ALIGN=JUSTIFY>For /etc/pam.d/myproxy:</P> |
---|
2871 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2872 | <COL WIDTH=602> |
---|
2873 | <TR> |
---|
2874 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2875 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2876 | </P> |
---|
2877 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">auth |
---|
2878 | required pam_pgsql.so <BR>account required |
---|
2879 | pam_pgsql.so<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password |
---|
2880 | required pam_pgsql.so</SPAN></FONT></FONT></P> |
---|
2881 | </TD> |
---|
2882 | </TR> |
---|
2883 | </TABLE> |
---|
2884 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2885 | </P> |
---|
2886 | <P CLASS="western" ALIGN=JUSTIFY>or /etc/pam.conf:</P> |
---|
2887 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2888 | <COL WIDTH=602> |
---|
2889 | <TR> |
---|
2890 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2891 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2892 | </P> |
---|
2893 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">myproxy |
---|
2894 | auth required pam_pgsql.so <BR>myproxy account |
---|
2895 | required pam_pgsql.so<BR>myproxy <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password |
---|
2896 | required pam_pgsql.so</SPAN></FONT></FONT></P> |
---|
2897 | </TD> |
---|
2898 | </TR> |
---|
2899 | </TABLE> |
---|
2900 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2901 | </P> |
---|
2902 | <P CLASS="western" ALIGN=JUSTIFY>Configure the database, and table |
---|
2903 | the module should use with the configuration file |
---|
2904 | /etc/pam_pgsql.conf. e.g.</P> |
---|
2905 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2906 | <COL WIDTH=602> |
---|
2907 | <TR> |
---|
2908 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2909 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2910 | </P> |
---|
2911 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">database |
---|
2912 | = userdb<BR>user = admin<BR>password = adminpassword<BR>table = |
---|
2913 | account<BR>user_column = username<BR>pwd_column = password<BR>pw_type |
---|
2914 | = md5<BR><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">debug</SPAN></FONT></FONT></P> |
---|
2915 | </TD> |
---|
2916 | </TR> |
---|
2917 | </TABLE> |
---|
2918 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2919 | </P> |
---|
2920 | <P CLASS="western" ALIGN=JUSTIFY>In the above example, passwords in |
---|
2921 | the database table "account" are stored as MD5 hashes. This field can |
---|
2922 | also be set to crypt, or left out altogether if passwords are |
---|
2923 | stored in plain text.</P> |
---|
2924 | <P CLASS="western" ALIGN=JUSTIFY>Restart MyProxy and test it using |
---|
2925 | the myproxy-logon client command as outlined in the section <I>Testing |
---|
2926 | MyProxy.</I><SPAN STYLE="font-style: normal"> To specify a database |
---|
2927 | account name use the -l flag. If this is omitted, the Linux account |
---|
2928 | name is assumed e.g.</SPAN></P> |
---|
2929 | <TABLE WIDTH=618 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2930 | <COL WIDTH=602> |
---|
2931 | <TR> |
---|
2932 | <TD WIDTH=602 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2933 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
2934 | </P> |
---|
2935 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">$ |
---|
2936 | myproxy-logon -v -p 60000 -l mydbaccountid</SPAN></FONT></FONT></P> |
---|
2937 | </TD> |
---|
2938 | </TR> |
---|
2939 | </TABLE> |
---|
2940 | <P CLASS="western"><BR>Consult the myproxy-logon and myproxy-server |
---|
2941 | output and the system logs to troubleshoot errors.</P> |
---|
2942 | <H2 CLASS="western"><A NAME="_Ref133718491"></A><A NAME="5.2. MySQL Installation|outline"></A> |
---|
2943 | 5.2 MySQL Installation</H2> |
---|
2944 | <P CLASS="western" ALIGN=JUSTIFY>MySQL can be used to implement a |
---|
2945 | Credential Repository for the SessionManager to store user |
---|
2946 | credentials as cached in their Credential Wallet held in their |
---|
2947 | session.</P> |
---|
2948 | <P CLASS="western" ALIGN=JUSTIFY>This section describes how to make |
---|
2949 | an installation from the MySQL binary package tarball. System |
---|
2950 | administrators may wish to use an existing installation of MySQL or |
---|
2951 | use an alternative installation method such as rpm. Installing from |
---|
2952 | the binary package has the advantage that it doesn't interfere with |
---|
2953 | any existing MySQL installation on the target machine. The |
---|
2954 | instructions are adapted from the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">INSTALL-BINARY</SPAN></FONT> |
---|
2955 | provided in the tarball.</P> |
---|
2956 | <H3 CLASS="western"><A NAME="5.2.1.Version|outline"></A>5.2.1 Version</H3> |
---|
2957 | <P CLASS="western" ALIGN=LEFT>Version 3.23 or later is recommended. |
---|
2958 | These instructions are for version 5.0.20a, the latest stable release |
---|
2959 | at time of writing.</P> |
---|
2960 | <H3 CLASS="western"><A NAME="5.2.2. Getting the Binaries|outline"></A> |
---|
2961 | 5.2.2 Getting the Binaries</H3> |
---|
2962 | <P CLASS="western" ALIGN=LEFT>The package can be obtained from the |
---|
2963 | MySQL web site (<FONT COLOR="#0000ff"><U><A HREF="http://dev.mysql.com/downloads/mysql/5.0.html">http://dev.mysql.com/downloads/mysql/5.0.html</A></U></FONT>). |
---|
2964 | Scroll to the correct version - Linux (non RPM, Intel C/C++ |
---|
2965 | compiled, glibc-X.X) downloads. The version of glibc on the target |
---|
2966 | machine (the same machine as the web server) can be checked with:</P> |
---|
2967 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2968 | <COL WIDTH=605> |
---|
2969 | <TR> |
---|
2970 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2971 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$ |
---|
2972 | ls /lib/libc-*</FONT></P> |
---|
2973 | </TD> |
---|
2974 | </TR> |
---|
2975 | </TABLE> |
---|
2976 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
2977 | </P> |
---|
2978 | <H3 CLASS="western"><A NAME="5.2.3. New mysql User Account|outline"></A> |
---|
2979 | 5.2.3 New <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><I>mysql</I></SPAN></FONT> |
---|
2980 | User Account</H3> |
---|
2981 | <P CLASS="western" ALIGN=JUSTIFY>Make a new account to run MySQL if |
---|
2982 | it doesn't already exist:</P> |
---|
2983 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2984 | <COL WIDTH=605> |
---|
2985 | <TR> |
---|
2986 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
2987 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$ |
---|
2988 | groupadd mysql<BR>$ useradd -g mysql mysql</FONT></P> |
---|
2989 | </TD> |
---|
2990 | </TR> |
---|
2991 | </TABLE> |
---|
2992 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
2993 | </P> |
---|
2994 | <H3 CLASS="western"><A NAME="5.2.4. Unpacking the tarball|outline"></A> |
---|
2995 | 5.2.4 Unpacking the tarball</H3> |
---|
2996 | <P CLASS="western" ALIGN=LEFT>As root copy the tarball to the target |
---|
2997 | directory for installation e.g. /usr/local, unpack the file:</P> |
---|
2998 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
2999 | <COL WIDTH=605> |
---|
3000 | <TR> |
---|
3001 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3002 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$ |
---|
3003 | cd /usr/local<BR>$ tar zxvf |
---|
3004 | mysql-standard-5.0.20a-linux-i686-icc-glibc23.tar.gz</FONT></P> |
---|
3005 | </TD> |
---|
3006 | </TR> |
---|
3007 | </TABLE> |
---|
3008 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3009 | </P> |
---|
3010 | <P CLASS="western" ALIGN=LEFT>Make a symbolic link to the new |
---|
3011 | directory and "<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">cd</SPAN></FONT>" |
---|
3012 | to it: |
---|
3013 | </P> |
---|
3014 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3015 | <COL WIDTH=605> |
---|
3016 | <TR> |
---|
3017 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3018 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$ |
---|
3019 | ln -s /usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23 |
---|
3020 | mysql<BR>$ cd mysql</FONT></P> |
---|
3021 | </TD> |
---|
3022 | </TR> |
---|
3023 | </TABLE> |
---|
3024 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3025 | </P> |
---|
3026 | <P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin</SPAN></FONT> |
---|
3027 | directory contains client programs and the server. You should add |
---|
3028 | the full pathname of this directory to your <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">PATH</SPAN></FONT> |
---|
3029 | environment variable so that your shell finds the MySQL programs |
---|
3030 | properly. |
---|
3031 | </P> |
---|
3032 | <H3 CLASS="western"><A NAME="5.2.5. Configuration File|outline"></A>5.2.5 |
---|
3033 | Configuration File</H3> |
---|
3034 | <P CLASS="western" ALIGN=JUSTIFY>Create a configuration file called |
---|
3035 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">my.cnf</SPAN></FONT> |
---|
3036 | in the target directory (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT> |
---|
3037 | in this example) to enable custom settings to be made for this |
---|
3038 | installation. Note that if there is an existing installation of |
---|
3039 | MySQL, there may be existing settings in the file <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/my.cnf</SPAN></FONT>. |
---|
3040 | To use the settings from this file, <I>ignore</I> this step.</P> |
---|
3041 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3042 | <COL WIDTH=605> |
---|
3043 | <TR> |
---|
3044 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3045 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
3046 | </P> |
---|
3047 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld]</FONT></P> |
---|
3048 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">datadir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23/data</FONT></P> |
---|
3049 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">socket=/tmp/mysql.sock</FONT></P> |
---|
3050 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># |
---|
3051 | Default to using old password format for compatibility with mysql |
---|
3052 | 3.x</FONT></P> |
---|
3053 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># |
---|
3054 | clients (those using the mysqlclient10 compatibility package).</FONT></P> |
---|
3055 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">old_passwords=1</FONT></P> |
---|
3056 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
3057 | </P> |
---|
3058 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysql.server]</FONT></P> |
---|
3059 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">user=mysql</FONT></P> |
---|
3060 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">basedir=/usr/local/mysql-standard-5.0.20a-linux-i686-icc-glibc23</FONT></P> |
---|
3061 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
3062 | </P> |
---|
3063 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">[mysqld_safe]</FONT></P> |
---|
3064 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">err-log=/var/log/mysqld.log</FONT></P> |
---|
3065 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">pid-file=/tmp/mysql.pid</FONT></P> |
---|
3066 | <P><BR> |
---|
3067 | </P> |
---|
3068 | </TD> |
---|
3069 | </TR> |
---|
3070 | </TABLE> |
---|
3071 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3072 | </P> |
---|
3073 | <P CLASS="western" ALIGN=JUSTIFY>The settings above will mean that |
---|
3074 | MySQL's tables and the Credential Repository database will be |
---|
3075 | stored under <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql/data</SPAN></FONT>.</P> |
---|
3076 | <H3 CLASS="western"><A NAME="5.2.6. Create the Grant Tables|outline"></A> |
---|
3077 | 5.2.6 Create the Grant Tables</H3> |
---|
3078 | <P CLASS="western" ALIGN=LEFT>The <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">scripts</SPAN></FONT> |
---|
3079 | directory contains the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql_install_db</SPAN></FONT> |
---|
3080 | script used to initialize the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT> |
---|
3081 | database containing the grant tables that store the server access |
---|
3082 | permissions. If you have not installed MySQL before, you must create |
---|
3083 | the MySQL grant tables:</P> |
---|
3084 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3085 | <COL WIDTH=605> |
---|
3086 | <TR> |
---|
3087 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3088 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$ |
---|
3089 | scripts/mysql_install_db --user=mysql</FONT></P> |
---|
3090 | </TD> |
---|
3091 | </TR> |
---|
3092 | </TABLE> |
---|
3093 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3094 | </P> |
---|
3095 | <P CLASS="western" ALIGN=LEFT>If you run the command as <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT>, |
---|
3096 | you must use the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">--user</SPAN></FONT> |
---|
3097 | option as shown. The value of the option should be the name of the |
---|
3098 | login account that you created in the first step to use for running |
---|
3099 | the server. If you run the command while logged in as that user, you |
---|
3100 | can omit the --user option. After creating or updating the grant |
---|
3101 | tables, you need to restart the server manually.</P> |
---|
3102 | <H3 CLASS="western"><A NAME="5.2.7. File and Directory Permissions|outline"></A> |
---|
3103 | 5.2.7 File and Directory Permissions</H3> |
---|
3104 | <P CLASS="western" ALIGN=LEFT>Change the ownership of program |
---|
3105 | binaries to <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT> |
---|
3106 | and ownership of the data directory <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT>. |
---|
3107 | Assuming that you are located in the installation directory |
---|
3108 | (<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/usr/local/mysql</SPAN></FONT>), |
---|
3109 | the commands look like this:</P> |
---|
3110 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3111 | <COL WIDTH=605> |
---|
3112 | <TR> |
---|
3113 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3114 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>$ |
---|
3115 | chown -R root .<BR>$ chown -R mysql data<BR>$ chgrp -R mysql .</FONT></P> |
---|
3116 | </TD> |
---|
3117 | </TR> |
---|
3118 | </TABLE> |
---|
3119 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3120 | </P> |
---|
3121 | <P CLASS="western" ALIGN=LEFT>The first command changes the owner |
---|
3122 | attribute of the files to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">root</SPAN></FONT> |
---|
3123 | user. The second changes the owner attribute of the data directory to |
---|
3124 | the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT> |
---|
3125 | user. The third changes the group attribute to the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysql</SPAN></FONT> |
---|
3126 | group.</P> |
---|
3127 | <H3 CLASS="western"><A NAME="5.2.8. Starting the Server|outline"></A>5.2.8 |
---|
3128 | Starting the Server</H3> |
---|
3129 | <P CLASS="western" ALIGN=LEFT>If you want MySQL to start |
---|
3130 | automatically when you boot your machine, you can copy |
---|
3131 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT> |
---|
3132 | to the location where your system has its startup files. More |
---|
3133 | information can be found in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">support-files/mysql.server</SPAN></FONT> |
---|
3134 | script itself.</P> |
---|
3135 | <P CLASS="western" ALIGN=LEFT>To start the MySQL server, use the |
---|
3136 | following command:</P> |
---|
3137 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3138 | <COL WIDTH=605> |
---|
3139 | <TR> |
---|
3140 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3141 | <P><BR><BR> |
---|
3142 | </P> |
---|
3143 | <P LANG="nb-NO"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3144 | bin/mysqld_safe --user=mysql &</FONT></P> |
---|
3145 | </TD> |
---|
3146 | </TR> |
---|
3147 | </TABLE> |
---|
3148 | <P LANG="nb-NO" CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3149 | </P> |
---|
3150 | <P CLASS="western" ALIGN=LEFT>If that command fails immediately and |
---|
3151 | prints <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">mysqld |
---|
3152 | ended</SPAN></FONT>, you can find some information in the |
---|
3153 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;hostname&gt;.err</SPAN></FONT> |
---|
3154 | file in the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">data</SPAN></FONT> |
---|
3155 | directory.</P> |
---|
3156 | <H3 CLASS="western"><A NAME="_Ref133893123"></A><A NAME="5.2.9. Securing MySQL Accounts|outline"></A> |
---|
3157 | 5.2.9 Securing MySQL Accounts</H3> |
---|
3158 | <P CLASS="western" ALIGN=JUSTIFY>To delete the anonymous accounts:</P> |
---|
3159 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3160 | <COL WIDTH=605> |
---|
3161 | <TR> |
---|
3162 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3163 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
3164 | </P> |
---|
3165 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3166 | mysql -u root</FONT></P> |
---|
3167 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql> |
---|
3168 | DELETE FROM mysql.user WHERE User = '';</FONT></P> |
---|
3169 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql> |
---|
3170 | FLUSH PRIVILEGES;</FONT></P> |
---|
3171 | <P><BR> |
---|
3172 | </P> |
---|
3173 | </TD> |
---|
3174 | </TR> |
---|
3175 | </TABLE> |
---|
3176 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3177 | </P> |
---|
3178 | <P CLASS="western" ALIGN=JUSTIFY>Set the password for the root |
---|
3179 | account:</P> |
---|
3180 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3181 | <COL WIDTH=605> |
---|
3182 | <TR> |
---|
3183 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3184 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
3185 | </P> |
---|
3186 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql> |
---|
3187 | SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');</FONT></P> |
---|
3188 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">mysql> |
---|
3189 | SET PASSWORD FOR 'root'@'<I>hostname</I>' = PASSWORD('newpwd');</FONT></P> |
---|
3190 | <P><BR> |
---|
3191 | </P> |
---|
3192 | </TD> |
---|
3193 | </TR> |
---|
3194 | </TABLE> |
---|
3195 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3196 | </P> |
---|
3197 | <P CLASS="western" ALIGN=JUSTIFY>The hostname can be checked using |
---|
3198 | the query:</P> |
---|
3199 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3200 | <COL WIDTH=605> |
---|
3201 | <TR> |
---|
3202 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3203 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql> |
---|
3204 | SELECT Host, User FROM mysql.user;</FONT></P> |
---|
3205 | </TD> |
---|
3206 | </TR> |
---|
3207 | </TABLE> |
---|
3208 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3209 | </P> |
---|
3210 | <P CLASS="western" ALIGN=LEFT>Add a new account for use with the |
---|
3211 | Credential Repository database e.g.</P> |
---|
3212 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3213 | <COL WIDTH=605> |
---|
3214 | <TR> |
---|
3215 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3216 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql> |
---|
3217 | GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO |
---|
3218 | 'ndgUser'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P> |
---|
3219 | </TD> |
---|
3220 | </TR> |
---|
3221 | </TABLE> |
---|
3222 | <P CLASS="western" ALIGN=LEFT><BR>The above statement grants the |
---|
3223 | user, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgUser</SPAN></FONT>, |
---|
3224 | with password, <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">password</SPAN></FONT>, the |
---|
3225 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">select</SPAN></FONT>, |
---|
3226 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">update</SPAN></FONT>, |
---|
3227 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">insert</SPAN></FONT> and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">delete</SPAN></FONT> |
---|
3228 | privileges on the tables of database <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndgCredRepos</SPAN></FONT>. |
---|
3229 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">WITH GRANT OPTION</SPAN></FONT> additionally allows the account to pass these privileges on to other accounts; check whether the Credential Repository account needs this. The user may only connect from <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">localhost</SPAN></FONT>. |
---|
3230 | Hence, in this case the Session Manager and Credential Repository |
---|
3231 | must be installed on the same machine. To allow the Credential |
---|
3232 | Repository to run on a separate machine to the Session Manager, the |
---|
3233 | account must have permission to connect remotely. This can be |
---|
3234 | achieved by altering the host part of the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">GRANT</SPAN></FONT> |
---|
3235 | statement above. The example below uses <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">'%'</SPAN></FONT>, which permits connection from any host; where the Session Manager's host is known, use its hostname or address instead:</P> |
---|
3236 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3237 | <COL WIDTH=605> |
---|
3238 | <TR> |
---|
3239 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3240 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><BR>mysql> |
---|
3241 | GRANT SELECT, UPDATE, INSERT, DELETE ON ndgCredRepos.* TO |
---|
3242 | 'ndgUser'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;</FONT></P> |
---|
3243 | </TD> |
---|
3244 | </TR> |
---|
3245 | </TABLE> |
---|
3246 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3247 | </P> |
---|
3248 | <P CLASS="western" ALIGN=LEFT>You also can set up new accounts using |
---|
3249 | the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">bin/mysql_setpermission</SPAN></FONT> |
---|
3250 | script if you install the `DBI' and `DBD::mysql' Perl modules.</P> |
---|
3251 | <P CLASS="western" ALIGN=LEFT>See section 4.4.1 for details about |
---|
3252 | creation of the Credential Repository database.</P> |
---|
3253 | <H3 CLASS="western"><A NAME="5.2.10. Server Automated Start up|outline"></A> |
---|
3254 | 5.2.10 Server Automated Start up</H3> |
---|
3255 | <P CLASS="western" ALIGN=JUSTIFY>&lt;todo: &gt;</P> |
---|
3256 | <P CLASS="western" ALIGN=LEFT><BR><BR> |
---|
3257 | </P> |
---|
3258 | <H2 CLASS="western"><A NAME="5.3. HTTPS set-up with Apache Web Server|outline"></A> |
---|
3259 | 5.3 HTTPS set-up with Apache Web Server</H2> |
---|
3260 | <P CLASS="western" ALIGN=JUSTIFY>NDG security requires HTTPS for the |
---|
3261 | transfer of user credentials across cookie domains between a data |
---|
3262 | provider web page requesting user credentials and a user's NDG home |
---|
3263 | login page.</P> |
---|
3264 | <P CLASS="western" ALIGN=JUSTIFY>&lt;todo: full explanation - incl. |
---|
3265 | mod_ssl must be installed&gt;</P> |
---|
3266 | <H3 CLASS="western"><A NAME="5.3.1. Web Server Host Certificate Generation|outline"></A> |
---|
3267 | 5.3.1 Web Server Host Certificate Generation</H3> |
---|
3268 | <P CLASS="western" ALIGN=JUSTIFY>Generate a new private key and |
---|
3269 | certificate request.</P> |
---|
3270 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3271 | <COL WIDTH=605> |
---|
3272 | <TR> |
---|
3273 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3274 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
3275 | </P> |
---|
3276 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3277 | openssl genrsa -out server.key 2048</FONT></P> |
---|
3278 | <P STYLE="margin-bottom: 0cm"><A NAME="OLE_LINK1"></A><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3279 | openssl req -new -key server.key -out server.csr</FONT></P> |
---|
3280 | <P><BR> |
---|
3281 | </P> |
---|
3282 | </TD> |
---|
3283 | </TR> |
---|
3284 | </TABLE> |
---|
3285 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3286 | </P> |
---|
3287 | <P CLASS="western" ALIGN=JUSTIFY>Send the certificate request to the |
---|
3288 | relevant CA (NDG if appropriate) for signing. Only <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server.csr</SPAN></FONT> is sent; the private key <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">server.key</SPAN></FONT> stays on the web server host and should be readable only by the account that runs the web server.</P> |
---|
3289 | <H3 CLASS="western"><A NAME="5.3.2.Apache Configuration File Settings|outline"></A> |
---|
3290 | 5.3.2 Apache Configuration File Settings</H3> |
---|
3291 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3292 | </P> |
---|
3293 | <H2 CLASS="western"><A NAME="_Ref132181551"></A><A NAME="5.4. Apache Web Server Proxy Settings Configuration for Web Services|outline"></A> |
---|
3294 | 5.4 Apache Web Server Proxy Settings Configuration for Web Services</H2> |
---|
3295 | <P CLASS="western" ALIGN=JUSTIFY>Apache provides a convenient |
---|
3296 | mechanism to re-route web service ports through port 80 and so make |
---|
3297 | them available to the outside world. This may be helpful if, when |
---|
3298 | deploying NDG Security, you do not wish to open additional ports in |
---|
3299 | your site firewall settings.</P> |
---|
3300 | <P CLASS="western" ALIGN=JUSTIFY>Edit the Apache configuration file. |
---|
3301 | This should be located at <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">/etc/httpd/conf</SPAN></FONT></P> |
---|
3302 | <P CLASS="western" ALIGN=JUSTIFY>Add <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPass</SPAN></FONT> |
---|
3303 | and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ProxyPassReverse</SPAN></FONT> |
---|
3304 | entries for the Session Manager and Attribute Authority web services. |
---|
3305 | The first argument after the directive name itself is the directory |
---|
3306 | that the service will be served from relative to the web server URL. |
---|
3307 | So below, if the URL of the web server is <FONT COLOR="#0000ff"><U><A HREF="http://www.badc.rl.ac.uk/">http://www.badc.rl.ac.uk</A></U></FONT>, |
---|
3308 | then the Session Manager would be available at |
---|
3309 | <FONT COLOR="#0000ff"><U><A HREF="https://www.badc.rl.ac.uk/sessionMgr">https://www.badc.rl.ac.uk/sessionMgr</A></U></FONT>. |
---|
3310 | The second argument is the actual location where the web service is |
---|
3311 | running locally. In the example below, the Session Manager is |
---|
3312 | running on port 5700 on the same machine as the web server. Note that the example addresses the proxied Session Manager over https; if the directives are placed only in the port-80 virtual host, clients will reach it over plain HTTP.</P> |
---|
3313 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3314 | <COL WIDTH=605> |
---|
3315 | <TR> |
---|
3316 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3317 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
3318 | </P> |
---|
3319 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"># |
---|
3320 | Session Manager and Attribute Authority settings</FONT></P> |
---|
3321 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass |
---|
3322 | /sessionMgr https://localhost:5700</FONT></P> |
---|
3323 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse |
---|
3324 | /sessionMgr https://localhost:5700</FONT></P> |
---|
3325 | <P STYLE="margin-bottom: 0cm"><BR> |
---|
3326 | </P> |
---|
3327 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPass |
---|
3328 | /attAuthority http://localhost:5000</FONT></P> |
---|
3329 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">ProxyPassReverse |
---|
3330 | /attAuthority http://localhost:5000</FONT></P> |
---|
3331 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
3332 | </P> |
---|
3333 | </TD> |
---|
3334 | </TR> |
---|
3335 | </TABLE> |
---|
3336 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3337 | </P> |
---|
3338 | <P CLASS="western" ALIGN=JUSTIFY>Restart the Apache web server. This |
---|
3339 | can be done in a variety of ways. As root user:</P> |
---|
3340 | <OL> |
---|
3341 | <LI><P CLASS="western" ALIGN=LEFT>On Redhat machines, using the |
---|
3342 | command <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">redhat-config-services</SPAN></FONT> |
---|
3343 | or <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">system-config-services</SPAN></FONT>. |
---|
3344 | In the GUI, click on httpd in the list and press the Restart button.</P> |
---|
3345 | </OL> |
---|
3346 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3347 | <COL WIDTH=605> |
---|
3348 | <TR> |
---|
3349 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3350 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
3351 | </P> |
---|
3352 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3353 | redhat-config-services</FONT></P> |
---|
3354 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
3355 | </P> |
---|
3356 | </TD> |
---|
3357 | </TR> |
---|
3358 | </TABLE> |
---|
3359 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3360 | </P> |
---|
3361 | <OL START=2> |
---|
3362 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">service |
---|
3363 | </SPAN></FONT>command</P> |
---|
3364 | </OL> |
---|
3365 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3366 | <COL WIDTH=605> |
---|
3367 | <TR> |
---|
3368 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3369 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
3370 | </P> |
---|
3371 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3372 | /sbin/service httpd restart</FONT></P> |
---|
3373 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
3374 | </P> |
---|
3375 | </TD> |
---|
3376 | </TR> |
---|
3377 | </TABLE> |
---|
3378 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3379 | </P> |
---|
3380 | <OL START=3> |
---|
3381 | <LI><P CLASS="western" ALIGN=JUSTIFY>apache command</P> |
---|
3382 | </OL> |
---|
3383 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3384 | <COL WIDTH=605> |
---|
3385 | <TR> |
---|
3386 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3387 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
3388 | </P> |
---|
3389 | <P STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3390 | apachectl restart</FONT></P> |
---|
3391 | <P CLASS="western" ALIGN=LEFT><BR> |
---|
3392 | </P> |
---|
3393 | </TD> |
---|
3394 | </TR> |
---|
3395 | </TABLE> |
---|
3396 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3397 | </P> |
---|
3398 | <OL START=4> |
---|
3399 | <LI><P CLASS="western" ALIGN=JUSTIFY>Using <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB"><FONT SIZE=2 STYLE="font-size: 9pt">kill</FONT></SPAN></FONT></P> |
---|
3400 | </OL> |
---|
3401 | <TABLE WIDTH=621 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0> |
---|
3402 | <COL WIDTH=605> |
---|
3403 | <TR> |
---|
3404 | <TD WIDTH=605 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3405 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><BR> |
---|
3406 | </P> |
---|
3407 | <P LANG="sv-SE" STYLE="margin-bottom: 0cm"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">$ |
---|
3408 | kill -HUP `cat /etc/httpd/run/httpd.pid`</FONT></P> |
---|
3409 | <P LANG="sv-SE" CLASS="western" ALIGN=LEFT><BR> |
---|
3410 | </P> |
---|
3411 | </TD> |
---|
3412 | </TR> |
---|
3413 | </TABLE> |
---|
3414 | <P LANG="sv-SE" CLASS="western" ALIGN=JUSTIFY STYLE="margin-left: 0.64cm"> |
---|
3415 | <BR><BR> |
---|
3416 | </P> |
---|
3417 | <P CLASS="western" ALIGN=JUSTIFY>Note in the last case that the |
---|
3418 | location of the pid file will depend on your installation.</P> |
---|
3419 | <P CLASS="western" ALIGN=JUSTIFY>Once the changes have been made, |
---|
3420 | ensure that <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">sessionMgr.wsdl</SPAN></FONT> |
---|
3421 | and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">attAuthority.wsdl</SPAN></FONT> |
---|
3422 | contain the new locations for the web services in the tag |
---|
3423 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">&lt;soap:address |
---|
3424 | location="…"&gt;</SPAN></FONT> |
---|
3425 | </P> |
---|
3426 | <H2 CLASS="western"><A NAME="5.5.An Example Attribute Authority AAUserRoles interface class|outline"></A> |
---|
3427 | 5.5 An Example Attribute Authority AAUserRoles interface class</H2> |
---|
3428 | <P><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace">This |
---|
3429 | interface is required in order to link the Attribute Authority to the |
---|
3430 | data centre's system for identifying registered users and managing |
---|
3431 | their roles. The installation comes with a simple test class which |
---|
3432 | illustrates this. See ndg.security.server.conf.userRoles.</FONT></P> |
---|
3433 | <P CLASS="western" ALIGN=JUSTIFY>The class must inherit from the |
---|
3434 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">AAUserRoles</SPAN></FONT> |
---|
3435 | interface class. It must override the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT> |
---|
3436 | and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT> |
---|
3437 | methods:</P> |
---|
3438 | <UL> |
---|
3439 | <LI VALUE=1><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered()</SPAN></FONT> |
---|
3440 | – returns True if the user with the given input Distinguished Name |
---|
3441 | is registered at the site. This method might contain an SQL query |
---|
3442 | to the site's user database for example. This method is <I>optional |
---|
3443 | </I><SPAN STYLE="font-style: normal">and is not part of the API to |
---|
3444 | the Attribute Authority.</SPAN></P> |
---|
3445 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles()</SPAN></FONT> |
---|
3446 | – returns a list of roles to which the user with the given input |
---|
3447 | Distinguished Name is enrolled. Again, this method could be |
---|
3448 | implemented with an SQL query to retrieve the roles for a given |
---|
3449 | user. Note that if no roles are found, the method should return |
---|
3450 | [].</P> |
---|
3451 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">__init__()</SPAN></FONT> |
---|
3452 | – optionally, the initialisation method may be overridden to |
---|
3453 | enable for example the setting up of a database connection. The |
---|
3454 | path to a properties file may be passed in. This could contain |
---|
3455 | database connection settings.</P> |
---|
3456 | </UL> |
---|
3457 | <P CLASS="western" ALIGN=JUSTIFY>The custom class used by the BODC is |
---|
3458 | a more detailed example:</P> |
---|
3459 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto"> |
---|
3460 | <COL WIDTH=610> |
---|
3461 | <TR> |
---|
3462 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3463 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>"""NDG |
---|
3464 | Attribute Authority User Roles class - acts as an interface |
---|
3465 | between</FONT></FONT></P> |
---|
3466 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>the |
---|
3467 | data centre's user roles configuration and the Attribute Authority</FONT></FONT></P> |
---|
3468 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3469 | </P> |
---|
3470 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>BODC |
---|
3471 | User Roles Interface to Oracle database</FONT></FONT></P> |
---|
3472 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3473 | </P> |
---|
3474 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@author: |
---|
3475 | P J Kershaw 09/08/07</FONT></FONT></P> |
---|
3476 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@copyright: |
---|
3477 | (C) 2007 STFC & NERC</FONT></FONT></P> |
---|
3478 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>@licence: |
---|
3479 | This software may be distributed under the terms of the Q Public</FONT></FONT></P> |
---|
3480 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>License, |
---|
3481 | version 1.0 or later.</FONT></FONT></P> |
---|
3482 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>"""</FONT></FONT></P> |
---|
3483 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000">__revision__ |
---|
3484 | = </FONT><I><FONT COLOR="#00aa00">'$Id:$'</FONT></I></FONT></FONT></P> |
---|
3485 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3486 | </P> |
---|
3487 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3488 | </P> |
---|
3489 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000"> |
---|
3490 | ConfigParser </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000"> |
---|
3491 | SafeConfigParser</FONT></FONT></FONT></P> |
---|
3492 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3493 | </P> |
---|
3494 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2># |
---|
3495 | Use a conditional import here because if the TestUserRoles class |
---|
3496 | is used,</FONT></FONT></P> |
---|
3497 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2># |
---|
3498 | cx_Oracle is not required</FONT></FONT></P> |
---|
3499 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3500 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3501 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000"> |
---|
3502 | cx_Oracle</FONT></FONT></FONT></P> |
---|
3503 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000"> |
---|
3504 | ImportError, e:</FONT></FONT></FONT></P> |
---|
3505 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3506 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000"> |
---|
3507 | warnings </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000"> |
---|
3508 | warn</FONT></FONT></FONT></P> |
---|
3509 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3510 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>warn(str(e), |
---|
3511 | RuntimeWarning)</FONT></FONT></P> |
---|
3512 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3513 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P> |
---|
3514 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3515 | </P> |
---|
3516 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000"> |
---|
3517 | ndg.security.server.AttAuthority </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000"> |
---|
3518 | AAUserRoles, AAUserRolesError</FONT></FONT></FONT></P> |
---|
3519 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">from</FONT><FONT COLOR="#000000"> |
---|
3520 | ndg.security.common.X509 </FONT><FONT COLOR="#0000ff">import</FONT><FONT COLOR="#000000"> |
---|
3521 | X500DN</FONT></FONT></FONT></P> |
---|
3522 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3523 | </P> |
---|
3524 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3525 | </P> |
---|
3526 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000"> |
---|
3527 | <B>TestUserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P> |
---|
3528 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3529 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">"""Test |
---|
3530 | User Roles class dynamic import for Attribute Authority</FONT></I></FONT></FONT></P> |
---|
3531 | <P STYLE="margin-bottom: 0cm; background: transparent"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>NOT |
---|
3532 | for use on production system"""</FONT></FONT></P> |
---|
3533 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3534 | </P> |
---|
3535 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3536 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> |
---|
3537 | <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P> |
---|
3538 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3539 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">pass</FONT></FONT></FONT></P> |
---|
3540 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3541 | </P> |
---|
3542 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3543 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> |
---|
3544 | <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P> |
---|
3545 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3546 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">"""Test |
---|
3547 | getRoles returns role attributes regardless of user Id!"""</FONT></I></FONT></FONT></P> |
---|
3548 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3549 | </P> |
---|
3550 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3551 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3552 | Parse username from DN string</FONT></FONT></FONT></P> |
---|
3553 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3554 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3555 | TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P> |
---|
3556 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3557 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3558 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3559 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn |
---|
3560 | = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P> |
---|
3561 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3562 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> |
---|
3563 | len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3564 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3565 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3566 | Proxy cert has two common names set - assume extra common </FONT></FONT></FONT> |
---|
3567 | </P> |
---|
3568 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3569 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3570 | name will be 'proxy' or a number</FONT></FONT></FONT></P> |
---|
3571 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3572 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n |
---|
3573 | </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000"> |
---|
3574 | cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> |
---|
3575 | n!=</FONT><I><FONT COLOR="#00aa00">"proxy"</FONT></I><FONT COLOR="#000000"> |
---|
3576 | </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000"> |
---|
3577 | n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> |
---|
3578 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3579 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3580 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3581 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username |
---|
3582 | = cn</FONT></FONT></P> |
---|
3583 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3584 | </P> |
---|
3585 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3586 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000"> |
---|
3587 | Exception, e:</FONT></FONT></FONT></P> |
---|
3588 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3589 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> |
---|
3590 | AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Parsing |
---|
3591 | username from DN %s: %s"</FONT></I><FONT COLOR="#000000"> % |
---|
3592 | (dn,e)</FONT></FONT></FONT></P> |
---|
3593 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3594 | </P> |
---|
3595 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3596 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000"> |
---|
3597 | [</FONT><I><FONT COLOR="#00aa00">'Public'</FONT></I><FONT COLOR="#000000">, |
---|
3598 | </FONT><I><FONT COLOR="#00aa00">'Researcher'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P> |
---|
3599 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3600 | </P> |
---|
3601 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3602 | </P> |
---|
3603 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">class</FONT><FONT COLOR="#000000"> |
---|
3604 | <B>UserRoles</B>(AAUserRoles):</FONT></FONT></FONT></P> |
---|
3605 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3606 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">"""User |
---|
3607 | Roles class dynamically imported for Attribute Authority</FONT></I></FONT></FONT></P> |
---|
3608 | <P STYLE="margin-bottom: 0cm; background: transparent"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>- |
---|
3609 | see the Attribute Authority Properties file to make the correct</FONT></FONT></P> |
---|
3610 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3611 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>settings"""</FONT></FONT></P> |
---|
3612 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3613 | </P> |
---|
3614 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3615 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> |
---|
3616 | <B>__init__</B>(<I>self</I>, propertiesFilePath=</FONT><FONT COLOR="#0000ff">None</FONT><FONT COLOR="#000000">):</FONT></FONT></FONT></P> |
---|
3617 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3618 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> |
---|
3619 | </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000"> |
---|
3620 | propertiesFilePath:</FONT></FONT></FONT></P> |
---|
3621 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3622 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> |
---|
3623 | AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"No user |
---|
3624 | roles property file set"</FONT></I></FONT></FONT></P> |
---|
3625 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3626 | </P> |
---|
3627 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000"> |
---|
3628 | </FONT><FONT COLOR="#c0c0c0"># Retrieve database connection and |
---|
3629 | query settings from config file</FONT></FONT></FONT></P> |
---|
3630 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3631 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser |
---|
3632 | = SafeConfigParser()</FONT></FONT></P> |
---|
3633 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3634 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>configParser.read(propertiesFilePath)</FONT></FONT></P> |
---|
3635 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3636 | </P> |
---|
3637 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3638 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__conxnStr |
---|
3639 | = configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">, |
---|
3640 | </FONT><I><FONT COLOR="#00aa00">'connection'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P> |
---|
3641 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3642 | </P> |
---|
3643 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3644 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3645 | The Oracle connection could be made HERE to make getRoles method</FONT></FONT></FONT></P> |
---|
3646 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3647 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3648 | more efficient but then AA would hog an Oracle connection as long |
---|
3649 | as</FONT></FONT></FONT></P> |
---|
3650 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3651 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3652 | it is running. There may be a way to avoid this using a connection</FONT></FONT></FONT></P> |
---|
3653 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#000000"> |
---|
3654 | </FONT><FONT COLOR="#c0c0c0"># pool</FONT></FONT></FONT></P> |
---|
3655 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3656 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I>self</I>.__query |
---|
3657 | = configParser.get(</FONT><I><FONT COLOR="#00aa00">'Oracle'</FONT></I><FONT COLOR="#000000">, |
---|
3658 | </FONT><I><FONT COLOR="#00aa00">'query'</FONT></I><FONT COLOR="#000000">)</FONT></FONT></FONT></P> |
---|
3659 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3660 | </P> |
---|
3661 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3662 | </P> |
---|
3663 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3664 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">def</FONT><FONT COLOR="#000000"> |
---|
3665 | <B>getRoles</B>(<I>self</I>, dn):</FONT></FONT></FONT></P> |
---|
3666 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3667 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><I><FONT COLOR="#00aa00">'''Roles |
---|
3668 | interface for BODC database'''</FONT></I></FONT></FONT></P> |
---|
3669 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3670 | </P> |
---|
3671 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3672 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3673 | Parse username from DN string</FONT></FONT></FONT></P> |
---|
3674 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3675 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3676 | TODO: this may be e-mail address for BODC?</FONT></FONT></FONT></P> |
---|
3677 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3678 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3679 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3680 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cn |
---|
3681 | = X500DN(dn)[</FONT><I><FONT COLOR="#00aa00">'CN'</FONT></I><FONT COLOR="#000000">]</FONT></FONT></FONT></P> |
---|
3682 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3683 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> |
---|
3684 | len(cn) == </FONT><FONT COLOR="#800000">2</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3685 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3686 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3687 | Proxy cert has two common names set - assume extra common </FONT></FONT></FONT> |
---|
3688 | </P> |
---|
3689 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3690 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3691 | name will be 'proxy' or a number</FONT></FONT></FONT></P> |
---|
3692 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3693 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username=[n |
---|
3694 | </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> n </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000"> |
---|
3695 | cn </FONT><FONT COLOR="#0000ff">if</FONT><FONT COLOR="#000000"> |
---|
3696 | n!=</FONT><I><FONT COLOR="#00aa00">"proxy"</FONT></I><FONT COLOR="#000000"> |
---|
3697 | </FONT><FONT COLOR="#0000ff">and</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#0000ff">not</FONT><FONT COLOR="#000000"> |
---|
3698 | n.isdigit()][</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">]</FONT></FONT></FONT></P> |
---|
3699 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3700 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">else</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3701 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3702 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>username |
---|
3703 | = cn</FONT></FONT></P> |
---|
3704 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3705 | </P> |
---|
3706 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3707 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000"> |
---|
3708 | Exception, e:</FONT></FONT></FONT></P> |
---|
3709 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3710 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> |
---|
3711 | AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Parsing |
---|
3712 | username from DN %s: %s"</FONT></I><FONT COLOR="#000000"> % |
---|
3713 | (dn,e)</FONT></FONT></FONT></P> |
---|
3714 | <P STYLE="margin-bottom: 0cm; background: transparent"><BR> |
---|
3715 | </P> |
---|
3716 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3717 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3718 | It may be possible to use a connection pool and move this</FONT></FONT></FONT></P> |
---|
3719 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3720 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3721 | connect call to __init__ see:</FONT></FONT></FONT></P> |
---|
3722 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3723 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P> |
---|
3724 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3725 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3726 | http://www.python.net/crew/atuining/cx_Oracle/html/module.html</FONT></FONT></FONT></P> |
---|
3727 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3728 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P> |
---|
3729 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3730 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3731 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3732 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>con |
---|
3733 | = cx_Oracle.connect(<I>self</I>.__conxnStr)</FONT></FONT></P> |
---|
3734 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3735 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor |
---|
3736 | = con.cursor()</FONT></FONT></P> |
---|
3737 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3738 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000"> |
---|
3739 | Exception, e:</FONT></FONT></FONT></P> |
---|
3740 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3741 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> |
---|
3742 | AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Error |
---|
3743 | connecting to Oracle database: "</FONT></I><FONT COLOR="#000000"> |
---|
3744 | +\</FONT></FONT></FONT></P> |
---|
3745 | <P STYLE="margin-bottom: 0cm; background: transparent"> <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2> |
---|
3746 | str(e)</FONT></FONT></P> |
---|
3747 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3748 | </P> |
---|
3749 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3750 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3751 | Substitute the username into the query - the query is expected to </FONT></FONT></FONT> |
---|
3752 | </P> |
---|
3753 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3754 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3755 | have a "%s" to allow this</FONT></FONT></FONT></P> |
---|
3756 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3757 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0">#</FONT></FONT></FONT></P> |
---|
3758 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3759 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3760 | Convert username to string type explicitly as the execute method </FONT></FONT></FONT> |
---|
3761 | </P> |
---|
3762 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3763 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3764 | doesn't like unicode type</FONT></FONT></FONT></P> |
---|
3765 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3766 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3767 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3768 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3769 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3770 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>query |
---|
3771 | = <I>self</I>.__query % str(username)</FONT></FONT></P> |
---|
3772 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3773 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>cursor.execute(query)</FONT></FONT></P> |
---|
3774 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3775 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>result |
---|
3776 | = cursor.fetchall()</FONT></FONT></P> |
---|
3777 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3778 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000"> |
---|
3779 | Exception, e:</FONT></FONT></FONT></P> |
---|
3780 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3781 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">raise</FONT><FONT COLOR="#000000"> |
---|
3782 | AAUserRolesError, </FONT><I><FONT COLOR="#00aa00">"Error |
---|
3783 | executing query: "</FONT></I><FONT COLOR="#000000"> + str(e)</FONT></FONT></FONT></P> |
---|
3784 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3785 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">finally</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3786 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3787 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2> cursor.close()</FONT></FONT></P> |
---|
3788 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3789 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2> con.close()</FONT></FONT></P> |
---|
3790 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3791 | </P> |
---|
3792 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3793 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3794 | Result is a list of tuples. The first element of each tuple is a</FONT></FONT></FONT></P> |
---|
3795 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3796 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3797 | role name -> Convert into a simple list of role names</FONT></FONT></FONT></P> |
---|
3798 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3799 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">try</FONT><FONT COLOR="#000000">:</FONT></FONT></FONT></P> |
---|
3800 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3801 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames |
---|
3802 | = [role[</FONT><FONT COLOR="#800000">0</FONT><FONT COLOR="#000000">] |
---|
3803 | </FONT><FONT COLOR="#0000ff">for</FONT><FONT COLOR="#000000"> role |
---|
3804 | </FONT><FONT COLOR="#0000ff">in</FONT><FONT COLOR="#000000"> |
---|
3805 | result]</FONT></FONT></FONT></P> |
---|
3806 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3807 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#0000ff">except</FONT><FONT COLOR="#000000"> |
---|
3808 | TypeError:</FONT></FONT></FONT></P> |
---|
3809 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3810 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT COLOR="#c0c0c0"># |
---|
3811 | Catch non-iterable error with result var</FONT></FONT></FONT></P> |
---|
3812 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3813 | <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2>roleNames |
---|
3814 | = []</FONT></FONT></P> |
---|
3815 | <P STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3816 | </P> |
---|
3817 | <P STYLE="margin-bottom: 0cm; background: transparent"><FONT COLOR="#000000"> |
---|
3818 | </FONT><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><FONT SIZE=2><FONT FACE="Monospace"><FONT COLOR="#0000ff">return</FONT><FONT COLOR="#000000"> |
---|
3819 | roleNames</FONT></FONT></FONT></FONT></P> |
---|
3820 | <P STYLE="background: transparent"><BR> |
---|
3821 | </P> |
---|
3822 | </TD> |
---|
3823 | </TR> |
---|
3824 | </TABLE> |
---|
3825 | <P CLASS="western" ALIGN=JUSTIFY><BR><BR> |
---|
3826 | </P> |
---|
3827 | <P CLASS="western" ALIGN=JUSTIFY>Note:</P> |
---|
3828 | <UL> |
---|
3829 | <LI><P CLASS="western" ALIGN=JUSTIFY>It uses the Python library |
---|
3830 | cx_<FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">Oracle</SPAN></FONT> |
---|
3831 | to connect to an Oracle database.</P> |
---|
3832 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ElementTree</SPAN></FONT> |
---|
3833 | Python library is used to parse an XML properties file.</P> |
---|
3834 | <LI><P CLASS="western" ALIGN=JUSTIFY><FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">ndg.security.common.X509</SPAN></FONT> |
---|
3835 | security python library is used to parse the user Distinguished Name |
---|
3836 | passed into <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT> |
---|
3837 | and <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">userIsRegistered</SPAN></FONT> |
---|
3838 | methods.</P> |
---|
3839 | <LI><P CLASS="western" ALIGN=JUSTIFY>Database connection and query |
---|
3840 | settings are taken from a config file. Note that the username parsed from the DN is inserted directly into the query text by the <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">%</SPAN></FONT> operator in <FONT FACE="Lucida Console, DejaVu Sans Mono, monospace"><SPAN LANG="en-GB">getRoles</SPAN></FONT> rather than being bound as a query parameter, and that the file holds the database credentials in clear text; treat both as security-sensitive and restrict the file's read permissions to the account the Attribute Authority runs as. An example file is shown below:</P> |
---|
3841 | </UL> |
---|
3842 | <TABLE WIDTH=626 BORDER=1 BORDERCOLOR="#000000" CELLPADDING=7 CELLSPACING=0 STYLE="page-break-before: auto"> |
---|
3843 | <COL WIDTH=610> |
---|
3844 | <TR> |
---|
3845 | <TD WIDTH=610 VALIGN=TOP BGCOLOR="#e0e0e0"> |
---|
3846 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P> |
---|
3847 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2># |
---|
3848 | BODC Attribute Authority - Oracle interface settings</FONT></FONT></FONT></P> |
---|
3849 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P> |
---|
3850 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2># |
---|
3851 | P J Kershaw 09/08/07</FONT></FONT></FONT></P> |
---|
3852 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2>#</FONT></FONT></FONT></P> |
---|
3853 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2>[Oracle]</FONT></FONT></P> |
---|
3854 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2># |
---|
3855 | Database connection string</FONT></FONT></FONT></P> |
---|
3856 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">connection |
---|
3857 | = </FONT><FONT COLOR="#2a00ff">user/password@dsn</FONT></FONT></FONT></P> |
---|
3858 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm"><FONT COLOR="#3f7f5f"><FONT FACE="Monospace"><FONT SIZE=2># |
---|
3859 | Query string - the "%%s" is replaced by the username |
---|
3860 | determined by the code</FONT></FONT></FONT></P> |
---|
3861 | <P CLASS="western" ALIGN=LEFT STYLE="margin-bottom: 0cm; background: transparent"> |
---|
3862 | <FONT FACE="Monospace"><FONT SIZE=2><FONT COLOR="#000000">query = |
---|
3863 | </FONT><FONT COLOR="#2a00ff">select</FONT><FONT COLOR="#000000"> |
---|
3864 | </FONT><FONT COLOR="#2a00ff">something</FONT><FONT COLOR="#000000"> |
---|
3865 | </FONT><FONT COLOR="#2a00ff">from</FONT><FONT COLOR="#000000"> |
---|
3866 | </FONT><FONT COLOR="#2a00ff">atable</FONT><FONT COLOR="#000000"> |
---|
3867 | </FONT><FONT COLOR="#2a00ff">where</FONT><FONT COLOR="#000000"> |
---|
3868 | </FONT><FONT COLOR="#2a00ff">username</FONT><FONT COLOR="#000000"> |
---|
3869 | </FONT><FONT COLOR="#2a00ff">=</FONT><FONT COLOR="#000000"> </FONT><FONT COLOR="#2a00ff">'%%s'</FONT></FONT></FONT></P> |
---|
3870 | <P CLASS="western" ALIGN=LEFT STYLE="background: transparent"><BR> |
---|
3871 | </P> |
---|
3872 | </TD> |
---|
3873 | </TR> |
---|
3874 | </TABLE> |
---|
3875 | <P CLASS="western" ALIGN=LEFT& |
---|