New ndg.security.server.wsgi.utils package to hold Session Manager and Attribute Authority client wrappers. These check environ for a local SM/AA instance or call a remote service if a URI is given.

  • Added a test for Combined Services unit test to try out a Session Manager connect using the new wrapper.
#
# NERC DataGrid Security
#
# Paste Deploy configuration for the combined security web services
# deployment used by the combined services unit tests:
# * Session Manager
# * Attribute Authority
# * OpenID Provider (listed here but it has no section in this revision)
#
# The %(here)s variable is replaced with the parent directory of this file
# (ConfigParser interpolation).  Paths beginning
# $NDGSEC_COMBINED_SRVS_UNITTEST_DIR are NOT expanded by ConfigParser; they are
# expected to be expanded from the environment by the services that read these
# settings, so the variable must be set before the services start.
#
# Author: P J Kershaw
# date: 30/11/05
# Copyright: (C) 2008 STFC & NERC
# license: This software may be distributed under the terms of the Q Public
# License, version 1.0 or later.
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

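[DEFAULT]
# Keys in [DEFAULT] are visible from every other section of this file
# (ConfigParser semantics).  The SOAP binding filters pick their settings out
# of this pool by prefix: see AttributeAuthority.propPrefix and
# SessionManager.propPrefix in the filter sections below.  A key that does not
# carry the right prefix is silently ignored and the code default applies.
#
# WS-Security settings for the signature filters live in THIS file, in the
# [WS-Security] section
wsseCfgFilePath = %(here)s/services.ini
wsseCfgFileSection = WS-Security

#
# Attribute Authority settings
#
# 'name' MUST agree with the map config file's 'thisHost' name attribute
attributeAuthority.name = Site A

# Attribute Certificate lifetime, in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime = 28800

# Offset, in seconds, applied to the certificate NotBefore time to allow for
# clock skew between the hosts running security services.  Use a negative value
# to back-date the NotBefore time.
attributeAuthority.attCertNotBeforeOff = 0

# Every Attribute Certificate issued is recorded in this directory.  The log
# holds issued credentials, so the directory should be readable only by the
# service account.
attributeAuthority.attCertDir = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/attCertLog

# Files in attCertDir are written by a rotating file handler:
# attCertFileLogCnt is the maximum number of files kept before the oldest is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of the role mapping file
attributeAuthority.mapConfigFile = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteAMapConfig.xml

# Custom AAUserRoles derived class used to look up the roles for a given
# user ID.  For this deployment it is a test stub (TestUserRoles).
attributeAuthority.userRolesModFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority
attributeAuthority.userRolesModName = siteAUserRoles
attributeAuthority.userRolesClassName = TestUserRoles

# XML signature of issued Attribute Certificates.  The key pair is unit-test
# material; note that the same pair is also used for SOAP message signing in
# the [WS-Security] section.  caCertFilePathList is a space-delimited list of
# CA certificates; only the test CA is trusted here.
attributeAuthority.signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
attributeAuthority.signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
attributeAuthority.caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt


#
# Session Manager specific settings - commented out settings take their code
# defaults.  To override a default uncomment the key and set it as required.
# See ndg.security.server.sessionMgr.SessionMgr class for details
#

# Credential Wallet Settings - global to all user sessions
#
# CA certificates used to validate the signature on Attribute Certificates
# received by a wallet.  This is the trust anchor set for credentials: keep it
# to the CAs of issuers you actually trust.
sessionManager.credentialWallet.caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to obtain a mapped certificate
# from another organisation trusted by the target Attribute Authority.  This
# widens the set of issuers whose certificates end up in the wallet to every
# host the target Attribute Authority's map config trusts; leave False unless
# cross-site role mapping is wanted.
sessionManager.credentialWallet.mapFromTrustedHosts = True
sessionManager.credentialWallet.rtnExtAttCertList = True

# Refresh an Attribute Certificate when the copy in the wallet has only this
# many seconds left before it expires.
# NB: this key previously lacked the sessionManager. prefix and so was not
# picked up through SessionManager.propPrefix - the code default applied.
sessionManager.credentialWallet.attCertRefreshElapse = 7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  NB, these differ from the [WS-Security]
# section, which governs requests made TO the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix = sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify the X.509 certs that sign Attribute
# Authority responses.  The CA certificates of other NDG trusted sites go
# here.  NB, multiple values are delimited by a space.
sessionManager.credentialWallet.wssecurity.caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with the private key used to sign a message.  The
# sign method adds this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType must be set to the 'X509' or 'X509v3' ValueType for this
# to be used; as an alternative, use signingCertChain - see below.

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.crt

# ... and file path to the PEM encoded private key file.  Protect this file:
# anyone who can read it can sign requests as the Session Manager.
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.key

# ValueType for the BinarySecurityToken added to the WSSE header of a signed
# message.  See __setReqBinSecTokValType method and binSecTokValType class
# variable for options - one of X509, X509v3, X509PKIPathv1 or a full
# namespace for an alternative - see ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes are used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message (replay mitigation when the
# peer checks it)
sessionManager.credentialWallet.wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing the
# signature value sent by the client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation = True

# Authentication service properties.  moduleFilePath is left empty so the
# module is located via the normal import path given by moduleName.
sessionManager.authNService.moduleFilePath =
sessionManager.authNService.moduleName = ndg.security.test.combinedservices.sessionmanager.usercertauthn
sessionManager.authNService.className = UserCertAuthN

# Specific settings for the UserCertAuthN Session Manager authentication
# plugin.  This sets up PKI credentials for a single test account.
#
# SECURITY: userPriKeyPwd is a clear-text passphrase.  It is acceptable only
# because this is throw-away unit test material; never reuse this key pair or
# passphrase outside the test suite, and do not copy this pattern into a
# production configuration (keep the passphrase out of the ini file there).
sessionManager.authNService.userX509CertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.key
sessionManager.authNService.userPriKeyPwd = testpassword

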
[server:main]
# HTTP server for the unit tests.  egg:Paste#http is plain HTTP and no SSL
# settings are given here: only the WS-Security filters protect the SOAP
# messages, nothing encrypts the transport.  host = 0.0.0.0 binds every
# interface on the test machine; prefer 127.0.0.1 unless remote test clients
# genuinely need to reach these services.
use = egg:Paste#http
host = 0.0.0.0
port = 5000

[app:mainApp]
# Final application in [pipeline:main].  The SOAP services are served by the
# filters ahead of it; presumably only requests the filters do not consume
# reach this app.
paste.app_factory = ndg.security.test.combinedservices.serverapp:app_factory

# Chain of SOAP Middleware filters.  Order is security relevant: the
# WS-Security signature verification filter is first so that signatures are
# checked before the Attribute Authority and Session Manager filters handle a
# request, and the signature filter is placed after them so that it can sign
# their responses (and apply signature confirmation, see
# [filter:wsseSignatureFilter]).  Moving the verification filter later in the
# chain would let unverified requests reach the service filters.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter AttributeAuthorityFilter SessionManagerFilter wsseSignatureFilter mainApp


[filter:AttributeAuthorityFilter]
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS
ServiceSOAPBindingPropPrefix = AttributeAuthority
# Attribute Authority settings are the attributeAuthority.* keys in [DEFAULT].
# propFilePath addresses this same file through the environment variable,
# whereas [DEFAULT] uses %(here)s; both must resolve to the same file.
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini
# ID of the signature verification filter this service depends on
referencedFilters = wsseSignatureVerificationFilter01
path = /AttributeAuthority
# Publishes the service WSDL.  Harmless for a unit test; consider disabling in
# a production deployment to reduce what is advertised to unauthenticated
# clients.
enableWSDLQuery = True
charset = utf-8
# Referenced by SessionManager.attributeAuthorityFilterID so the Session
# Manager can find the local Attribute Authority instance in environ
filterID = attributeAuthorityFilter

[filter:SessionManagerFilter]
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
ServiceSOAPBindingPropPrefix = SessionManager
# Session Manager settings are the sessionManager.* keys in [DEFAULT]; keys
# without that prefix are not seen by this service.
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini
# filterID of the local Attribute Authority filter above, so the Session
# Manager uses the in-process instance from environ rather than a remote
# service
SessionManager.attributeAuthorityFilterID = attributeAuthorityFilter
referencedFilters = wsseSignatureVerificationFilter01 attributeAuthorityFilter
path = /SessionManager
# Publishes the service WSDL - see the note on the Attribute Authority filter
enableWSDLQuery = True
charset = utf-8
# NB, this ID uses a dotted module-style name while the Attribute Authority
# filter uses a short name (attributeAuthorityFilter); either works but the
# two conventions are inconsistent.
filterID = ndg.security.server.sessionmanager.SessionManager

[filter:wsseSignatureVerificationFilter]
# Verifies the WS-Security signature on inbound SOAP requests.  No settings
# are given here; presumably the filter reads wsseCfgFilePath and
# wsseCfgFileSection from [DEFAULT], i.e. the INBOUND MESSAGE CONFIG of the
# [WS-Security] section, whose caCertFilePathList is the trust anchor set.
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# Referenced by the service filters and by the signature filter below
filterID = wsseSignatureVerificationFilter01

[filter:wsseSignatureFilter]
# Signs outbound SOAP responses using the OUTBOUND MESSAGE CONFIG of the
# [WS-Security] section (located via wsseCfgFilePath/wsseCfgFileSection in
# [DEFAULT]).
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation (echoing the request's signature value back in the response)
referencedFilters = wsseSignatureVerificationFilter01

# This is the last SOAP handler in the chain, so it writes the response
writeResponse = True


[WS-Security]
# WS-Security settings for the signature filters in [pipeline:main].  Located
# through wsseCfgFilePath / wsseCfgFileSection in [DEFAULT].  Values are
# identical to the previous revision; only layout and commentary changed.

#
# OUTBOUND MESSAGE CONFIG
#

# Signature of an outbound message.
#
# Certificate associated with the private key used to sign a message.  The
# sign method adds it to the BinarySecurityToken element of the WSSE header.
# NB, this is the same key pair that signs Attribute Certificates
# (attributeAuthority.signingPriKeyFilePath in [DEFAULT]); acceptable for a
# unit test, but separate keys per purpose are preferable elsewhere.
signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt

# PEM encoded private key file.  Restrict read access to the service account.
signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key

# Alternative Java CA issued test identity, kept commented out for reference
# when testing interoperability; swap both lines together.
#signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.crt
#signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.key

# ValueType for the BinarySecurityToken added to the WSSE header of a signed
# message.  See __setReqBinSecTokValType method and binSecTokValType class
# variable for options - one of X509, X509v3, X509PKIPathv1 or a full
# namespace for an alternative - see ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes are used.
reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing the
# signature value sent by the client
applySignatureConfirmation = True

#
# INBOUND MESSAGE CONFIG
#

# CA certificates used to verify the signing certificate of inbound messages:
# a space separated list of file paths.  Any request signed with a certificate
# chaining to one of these CAs will verify, so keep the list minimal.  Only
# the test CA is trusted here.
caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Variant additionally trusting the Java test CA, kept for interoperability
# testing.
#caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt


# Logging configuration (Python logging fileConfig layout).  The format string
# below uses %(...)s placeholders that look like ConfigParser interpolation;
# fileConfig reads it raw, so they are passed through to the formatter.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG for the security packages is appropriate for the unit tests only;
# debug output from these services may include message contents, so lower it
# to INFO in any shared deployment.
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
