source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini @ 4521

Revision 4521, 13.6 KB checked in by pjkersha, 11 years ago (diff)

Completed tests running Attribute Authority and Session Manager in the same WSGI stack:

  • ndg.security.server.wsgi.utils.attributeauthorityclient.WSGIAttributeAuthorityClient: completed this class and tested in combinedservices unit tests. This class enables WSGI apps to access an AttributeAuthority WSGI app running in the same stack or else make a callout to a remote SOAP service.
  • ndg.security.server.wsgi.wssecurity: improved config set-up
#
# NERC DataGrid Security
#
# Paste configuration for combined security web services deployment:
# * Session Manager
# * Attribute Authority
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 30/11/05
# Copyright: (C) 2008 STFC & NERC
# license: This software may be distributed under the terms of the Q Public
# License, version 1.0 or later.
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

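[DEFAULT]
# configparser semantics: every key in this section is inherited by all the
# sections below.  The filter sections rely on that - their propPrefix
# settings (attributeAuthority / sessionManager) pick their keys out of here.
#
# Settings for WS-Security signature handler.  These are set per filter
# further down; uncomment here only to provide a file-wide default
#wsseCfgFilePath = %(here)s/services.ini
#wsseCfgFileSection = WS-Security

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = Site A

# Lifetime is measured in seconds
attributeAuthority.attCertLifetime = 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this dir.
# NOTE(review): $NDGSEC_COMBINED_SRVS_UNITTEST_DIR (used throughout this file)
# is left literal by configparser; presumably the ndg services expand it when
# they read their settings - confirm
attributeAuthority.attCertDir = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/attCertLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFile = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteAMapConfig.xml

# Settings for custom AAUserRoles derived class to get user roles for given
# user ID
attributeAuthority.userRolesModFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority
attributeAuthority.userRolesModName = siteAUserRoles
attributeAuthority.userRolesClassName = TestUserRoles

# Config for XML signature of Attribute Certificate.  The same Site A key pair
# is used by the [WS-Security] section below to sign SOAP responses
attributeAuthority.signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
attributeAuthority.signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
attributeAuthority.caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionMgr.SessionMgr class for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts = True
sessionManager.credentialWallet.rtnExtAttCertList = True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time left before it expires (presumably seconds, like
# attCertLifetime - confirm).
# NOTE(review): key now carries the sessionManager. prefix like every other
# credentialWallet setting here; without it the propPrefix lookup configured
# in [filter:SessionManagerFilter] would not see it and the default would
# silently apply
sessionManager.credentialWallet.attCertRefreshElapse = 7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  Nb. the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix = sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.crt

# ... or provide file path to PEM encoded private key file
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
sessionManager.credentialWallet.wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation = True

# Authentication service properties.  moduleFilePath is deliberately empty:
# the module is found by name on the import path
sessionManager.authNService.moduleFilePath =
sessionManager.authNService.moduleName = ndg.security.test.combinedservices.sessionmanager.userx509certauthn
sessionManager.authNService.className = UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin
# This sets up PKI credentials for a single test account
sessionManager.authNService.userX509CertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.key
# Passphrase for the test user key above.  Test-fixture value only: this file
# is checked in, so a real deployment must supply the passphrase for a live
# key out of band rather than copying this pattern
sessionManager.authNService.userPriKeyPwd = testpassword

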
# Paste HTTP server for the combined services.  egg:Paste#http without an
# ssl_pem setting serves plain HTTP, so the Basic Auth credentials accepted by
# [filter:httpBasicAuthFilter] cross the wire unencrypted, and host = 0.0.0.0
# listens on every interface.  Acceptable for the unit tests on a trusted
# host only; 127.0.0.1 is the safer choice if the test client can use it
[server:main]
use = egg:Paste#http
host = 0.0.0.0
port = 5000

# Terminal WSGI application of [pipeline:main]; the SOAP filters wrap it
[app:mainApp]
paste.app_factory = ndg.security.test.combinedservices.serverapp:app_factory

# Chain of SOAP Middleware filters.  Paste Deploy applies them in list order,
# so an inbound request has its WS-Security signature verified before it
# reaches the Attribute Authority or Session Manager bindings; mainApp is the
# terminal app
[pipeline:main]
pipeline = wsseSignatureVerificationFilter AttributeAuthorityFilter SessionManagerFilter wsseSignatureFilter httpBasicAuthFilter mainApp

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# NOTE(review): presumably the AttributeAuthority class reads this file itself
# outside Paste Deploy, hence the environment variable rather than %(here)s -
# confirm
AttributeAuthority.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini

# Other filters this one needs access to, given by their filterID: the
# WS-Security signature verification filter defined in
# [filter:wsseSignatureVerificationFilter] below
referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly (see SessionManager.attributeAuthorityFilterID in
# [filter:SessionManagerFilter])
filterID = ndg.security.server.wsgi.attributeAuthorityFilter

#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix:
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests).  With the Attribute Authority filterID
# set, Attribute Certificate requests can be served in-process by the
# AttributeAuthorityFilter in the same stack instead of over SOAP
SessionManager.attributeAuthorityFilterID = ndg.security.server.wsgi.attributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# The SessionManagerWS SOAP interface class needs to know about these other
# filters (space separated list of filterIDs)
referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01 ndg.security.server.wsgi.attributeAuthorityFilter

# Path from URL for Session Manager in this Paste deployment
path = /SessionManager

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly
filterID = ndg.security.server.wsgi.sessionManagerFilter

#______________________________________________________________________________
# WS-Security Signature Verification
# First filter in [pipeline:main]: verifies the XML signature on inbound SOAP
# requests before they reach the service bindings
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# Identifier the other filters use in their referencedFilters / *FilterID
# settings
filterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Settings for WS-Security SignatureHandler class used by this filter.
# %(here)s is the directory of this file (supplied by Paste Deploy), so the
# handler reads the [WS-Security] section of this same file; the INBOUND
# settings there (caCertFilePathList) decide which signing certificates are
# accepted
wsseCfgFilePath = %(here)s/services.ini
wsseCfgFileSection = WS-Security

#______________________________________________________________________________
# Apply WS-Security Signature
# Signs outbound SOAP responses with the OUTBOUND settings of [WS-Security]
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation (the signature value seen on the inbound request is echoed in
# the response - see applySignatureConfirmation in [WS-Security])
referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Last filter in chain SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
# (%(here)s is the directory of this file, supplied by Paste Deploy)
wsseCfgFilePath = %(here)s/services.ini
wsseCfgFileSection = WS-Security

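#______________________________________________________________________________
# Apply HTTP Basic Authentication using AuthKit to enable a convenient no SOAP
# based call to Session Manager connect method
[filter:httpBasicAuthFilter]
paste.filter_app_factory = authkit.authenticate:middleware
setup_method = basic
basic_realm = NDG Security Combined Services Tests
# Project callable that checks the username/password pair.  Basic Auth only
# base64-encodes the pair and [server:main] serves plain HTTP, so the
# credentials are readable on the wire - suitable for the test deployment only
basic_authenticate_function = ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication

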
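#______________________________________________________________________________
# Common WS-Security settings for wsseSignatureFilter and
# wsseSignatureVerificationFilter.  Read through wsseCfgFilePath /
# wsseCfgFileSection in those two filter sections.
# NB, as a non-DEFAULT section this also inherits every [DEFAULT] key
# (configparser semantics); that is harmless but worth knowing when adding
# keys with clashing names
[WS-Security]
#
# OUTBOUND MESSAGE CONFIG

# Signature of an outbound message

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# This is the Site A Attribute Authority key pair (same files as
# attributeAuthority.signing* in [DEFAULT])
signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
# Alternative test credentials (Java test CA); if switched in, change the
# private key line below together with this one
#signingCertFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.crt

# PEM encoded private key file
signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
#signingPriKeyFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
applySignatureConfirmation = True

#
# INBOUND MESSAGE CONFIG

# Provide a space separated list of file paths.  Every CA listed here can
# vouch for the signer of an inbound request, so keep the list to the CAs
# actually needed
caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
# Alternative that also trusts the Java test CA
#caCertFilePathList = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt

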
# Logging configuration (logging.config.fileConfig schema, loaded by Paste
# Deploy): the three index sections list the logger, handler and formatter
# names that the logger_*, handler_* and formatter_* sections define
[loggers]
keys = root, ndg

# Handler names; each must have a matching handler_<name> section
[handlers]
keys = console

# Formatter names; each must have a matching formatter_<name> section
[formatters]
keys = generic

# Root logger: INFO and above from every package goes to the console handler
[logger_root]
level = INFO
handlers = console

# ndg.* loggers run at DEBUG.  handlers is empty on purpose: records propagate
# to the root logger and are written by its console handler, so leaving it
# empty avoids each record being emitted twice.  NB, DEBUG output from the
# security services can include request detail - keep it at this level for
# the unit tests only
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

# Console handler writing to stderr.  args is evaluated by fileConfig in the
# logging module's namespace - keep it a literal tuple
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(...)s fields here are logging format fields, not configparser
# interpolation: fileConfig reads this section raw, so no %% escaping is
# needed
[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
