source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini @ 4587

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini@4587
Revision 4587, 19.2 KB checked in by pjkersha, 12 years ago (diff)
  • Completed integration work for common WSGI/SOAP client based interfaces (ndg.security.server.wsgi.utils.sessionmanagerclient and ndg.security.server.wsgi.utils.attributeauthorityclient) with Pylons Single Sign On package (ndg.security.server.sso)
  • Integrated Single Sign On service into Combined Services Paste service as a Pylons app. This also includes Session Manager, Attribute Authority, OpenID. SSO Service will eventually be removed and replaced with OpenID based SSO.
1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined security web services deployment:
5# * Session Manager
6# * Attribute Authority
7#
8# The %(here)s variable will be replaced with the parent directory of this file
9#
10# Author: P J Kershaw
11# date: 30/11/05
12# Copyright: (C) 2008 STFC & NERC
13# license: This software may be distributed under the terms of the Q Public
14# License, version 1.0 or later.
15# Contact: Philip.Kershaw@stfc.ac.uk
16# Revision: $Id$
17
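[DEFAULT]
# Keys in this section are read by Paste Deploy and are also re-read by the
# Attribute Authority and Session Manager classes through the propPrefix /
# propFilePath settings in their filter sections, so the "attributeAuthority."
# and "sessionManager." key prefixes are significant, not decorative.
#
# Everything below is a TEST FIXTURE: private keys, certificates, the private
# key password and the CA file all live under $NDGSEC_COMBINED_SRVS_UNITTEST_DIR
# and must never be reused in a real deployment.  NB, ConfigParser does not
# expand $NDGSEC_COMBINED_SRVS_UNITTEST_DIR itself; presumably the ndg property
# loader does - confirm before using the variable in a new section.

# Settings for WS-Security signature handler
#wsseCfgFilePath = %(here)s/services.ini
#wsseCfgFileSection = WS-Security

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime of issued Attribute Certificates, measured in seconds (8 hours).
# A shorter lifetime bounds the window in which a stolen AC remains usable.
attributeAuthority.attCertLifetime: 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past.  0 means an AC is valid from the instant of issue, so a relying party
# whose clock lags this host will reject it as not yet valid.
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir.  This is the
# audit trail of every credential the authority has minted - restrict read
# access to the service account.
attributeAuthority.attCertDir: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/attCertLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file.  It decides which remote roles map onto local
# ones, so treat it as trust configuration, not mere data.
attributeAuthority.mapConfigFile: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteAMapConfig.xml

# Settings for custom AAUserRoles derived class to get user roles for given
# user ID.  The module is imported from userRolesModFilePath at run time, so
# anyone who can write to that directory can run code as the service - keep it
# owned by the service account and not group/world writable.
attributeAuthority.userRolesModFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority
attributeAuthority.userRolesModName: siteAUserRoles
attributeAuthority.userRolesClassName: TestUserRoles

# Config for XML signature of Attribute Certificate.  caCertFilePathList is the
# set of CAs trusted when the Attribute Authority verifies signatures; every CA
# listed is trusted in full.
attributeAuthority.signingPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
attributeAuthority.signingCertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
attributeAuthority.caCertFilePathList: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionMgr.SessionMgr class for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts=True
sessionManager.credentialWallet.rtnExtAttCertList=True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time left before it expires (seconds).
# NB, this key used to be written as "credentialWallet.attCertRefreshElapse",
# without the "sessionManager." prefix that every other Credential Wallet
# setting carries and that SessionManager.propPrefix selects, so it was
# presumably never read and the class default applied instead.
sessionManager.credentialWallet.attCertRefreshElapse=7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  Nb. the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.crt

# ... or provide file path to PEM encoded private key file.  This key signs
# every Attribute Authority request made on behalf of hosted sessions; it must
# be readable by the service account only.
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3

# Add a timestamp element to an outbound message.  Keep this on: without a
# signed timestamp a captured request can be replayed indefinitely.
sessionManager.credentialWallet.wssecurity.addTimestamp: True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True

# Authentication service properties.  moduleFilePath is left empty, so the
# module is presumably resolved from the normal Python import path.
sessionManager.authNService.moduleFilePath:
sessionManager.authNService.moduleName: ndg.security.test.combinedservices.sessionmanager.userx509certauthn
sessionManager.authNService.className: UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin
# This sets up PKI credentials for a single test account.  The private key
# passphrase is stored in clear text; that is tolerable only because this is a
# throwaway test key.  For anything else, supply the passphrase from an
# environment variable or a root-only file rather than a checked-in config.
sessionManager.authNService.userX509CertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.key
sessionManager.authNService.userPriKeyPwd: testpassword
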
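[server:main]
use = egg:Paste#http
# Paste#http serves plain HTTP.  WS-Security signs the SOAP bodies, but the
# Beaker/AuthKit session cookies, HTTP Basic credentials and OpenID traffic in
# this stack all cross the wire unencrypted.  Bind the test harness to the
# loopback interface - every base URL and the DB connection in this file
# already point at localhost - and put a TLS terminator in front before
# exposing the stack on a routable address.  If the site map config refers to
# this host by a non-loopback name, fall back to the commented line.
host = 127.0.0.1
#host = 0.0.0.0
port = 5000
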
[app:mainApp]
paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
# Beaker cache and session data are written beneath this directory.  Session
# files hold authenticated state, so the directory must not be readable by
# other users on the host.
cache_dir = %(here)s/data
beaker.session.key = sso
# Placeholder secret for the Pylons SSO app's Beaker session.  Anyone who knows
# it can forge session cookies for this app; generate a long random value per
# deployment and keep it out of version control.  Only acceptable here because
# this file is a unit-test fixture.
beaker.session.secret = somesecret

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
#beaker.cache.data_dir = %(here)s/data/cache
#beaker.session.data_dir = %(here)s/data/sessions

# WARNING: debug MUST stay false anywhere other than a developer's own machine.
# Debug mode enables the interactive debugging tool, allowing ANYONE who can
# trigger an exception to execute arbitrary code on the server.
set debug = false

configfile = %(here)s/singleSignOnService/sso.cfg
# Developer-local path kept for reference only; do not uncomment in a shared
# deployment.
#configfile = /home/pjkersha/workspace/security/python/ndg.security.server/ndg/security/server/sso/sso.cfg

# AuthKit Set-up
authkit.setup.method=openid, cookie
# Placeholder cookie secret.  AuthKit derives the auth cookie's protection from
# this string, so a guessable value lets anyone mint a valid signed-in cookie.
# Replace with a random per-deployment secret outside the test harness.
authkit.cookie.secret=secret encryption string
authkit.cookie.signoutpath = /logout
authkit.openid.path.signedin=/
# OpenID consumer association / nonce store, kept on local disk
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/data/openid
authkit.openid.session.key = authkit_openid
# Placeholder - same caveat as the other secrets in this section.
authkit.openid.session.secret = random string

# Presumably the base of the OpenID return_to / realm URLs.  Plain http and no
# port: the Paste server in this file listens on 5000, so this only resolves
# if a proxy on port 80 fronts it - confirm.  Use https wherever real
# identities are handled; the OpenID assertion and the resulting cookie
# otherwise travel in clear.
authkit.openid.baseurl = http://localhost

# Template for signin
authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template

# Handler for parsing OpenID and creating a session from it
authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user

# Chain of SOAP Middleware filters.  Order is security relevant: a request
# passes the filters top to bottom, so WS-Security signature verification
# runs before the Attribute Authority and Session Manager bindings act on it,
# and wsseSignatureFilter (the last SOAP handler, writeResponse = True) writes
# the response.  The HTTP Basic, Beaker session and OpenID provider layers sit
# beneath the SOAP stack and only see requests the SOAP filters did not
# answer.  Do not reorder without re-checking what each layer assumes has
# already been authenticated.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
           SessionManagerFilter
           wsseSignatureFilter
           httpBasicAuthFilter
           SessionMiddlewareFilter
           OpenIDProviderFilter
           testHarnessFilter
           mainApp

# Test-only WSGI filter supplied by the combined services test package.  It
# has no place in a production pipeline; remove it along with this file's
# other test fixtures when the layout is copied for real use.
[filter:testHarnessFilter]
paste.filter_app_factory = 
        ndg.security.test.combinedservices.serverapp:filter_app_factory


#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix.  propFilePath points back at this same file, so
# the [DEFAULT] keys are re-read from disk by the class rather than passed in
# through Paste's global_conf.
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini
# Requests reach this filter after signature verification; the verifier is
# referenced by ID so the binding can consult the verification outcome.
AttributeAuthority.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# Enable ?wsdl query argument to list the WSDL content.  This publishes the
# full service interface to unauthenticated callers; convenient for testing,
# but consider turning it off where the interface need not be discoverable.
enableWSDLQuery = True
charset = utf-8
filterID = ndg.security.server.wsgi.attributeAuthorityFilter

#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix.  propFilePath points back at this file, so the
# "sessionManager.*" keys in [DEFAULT] - including the credential wallet keys
# and private key passphrase - are read from disk by the class itself.
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests).  If the verification filter is ever
# removed from the pipeline, signature based user authentication silently has
# nothing to rely on - keep the two settings in step.
SessionManager.attributeAuthorityFilterID = ndg.security.server.wsgi.attributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# The SessionManagerWS SOAP interface class needs to know about these other
# filters
referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01 ndg.security.server.wsgi.attributeAuthorityFilter

# Path from URL for Session Manager in this Paste deployment
path = /SessionManager

# Enable ?wsdl query argument to list the WSDL content.  As for the Attribute
# Authority, this exposes the interface description to anyone who can reach
# the port.
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly
filterID = ndg.security.server.wsgi.sessionManagerFilter

#______________________________________________________________________________
# WS-Security Signature Verification.  First filter in the SOAP pipeline:
# every inbound SOAP request is checked against the CA list below before the
# service bindings see it.
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Settings for WS-Security SignatureHandler class used by this filter
#wsseCfgFilePath = %(here)s/services.ini
#wsseCfgFileSection = WS-Security
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths.
# This list is the trust root for the whole stack: any certificate chaining to
# a listed CA is accepted as a valid signer, and nothing in this file narrows
# that to particular subjects - confirm the handler or the bindings check the
# signer identity where it matters.  Clients send a signed Timestamp
# (addTimestamp = True elsewhere in this file); no freshness window is set
# here, so confirm the SignatureHandler enforces one to limit replay.
wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt
# Variant with an additional test CA, kept commented for the Java interop tests.
#wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01
wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
#
# NB, this is the same key pair that [DEFAULT] uses to sign Attribute
# Certificates (attributeAuthority.signingPriKeyFilePath), and it signs SOAP
# responses for the whole stack, Session Manager included.  Fine for a test
# fixture; in a deployment give message signing and AC issuance separate keys
# so a compromise of one does not let an attacker forge the other, and so AC
# signatures and transport-level signatures stay distinguishable.
wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt
#wssecurity.signingCertFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.crt

# PEM encoded private key file - must be readable by the service account only.
wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key
#wssecurity.signingPriKeyFilePath=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/java-ca-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message (replay protection for
# clients that check it)
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True

#______________________________________________________________________________
# Apply HTTP Basic Authentication using AuthKit to enable a convenient no SOAP
# based call to Session Manager connect method.
#
# Basic credentials are only base64-encoded, and [server:main] serves plain
# HTTP, so the username and password are readable on the wire.  This is a
# convenience for the test harness; behind TLS or not at all in a deployment.
[filter:httpBasicAuthFilter]
paste.filter_app_factory = authkit.authenticate:middleware
setup_method=basic
basic_realm=NDG Security Combined Services Tests
# Callback that validates the presented credentials - implemented in the test
# server app, so this section must not be copied into a real config as-is.
basic_authenticate_function=ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication


#______________________________________________________________________________
# OpenID Provider WSGI Settings
[filter:OpenIDProviderFilter]
paste.filter_app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
openid.provider.path.openidserver=/openid/endpoint
openid.provider.path.login=/openid/login
openid.provider.path.loginsubmit=/openid/loginsubmit

# Comment out next two lines and uncomment the third to disable URL based
# discovery and allow only Yadis based instead
openid.provider.path.id=/openid/id
openid.provider.path.yadis=/openid/yadis
#openid.provider.path.yadis=/id/

openid.provider.path.serveryadis=/openid/serveryadis
openid.provider.path.allow=/openid/allow
openid.provider.path.decide=/openid/decide
openid.provider.path.mainpage=/openid/
openid.provider.session_middleware=beaker.session
# Plain http, and port 8000 while [server:main] listens on 5000 - this only
# matches if something in front rewrites the port; confirm.  An OpenID
# provider over http lets an on-path attacker read the login form submission
# and the issued assertion; use an https base URL outside the test harness.
openid.provider.base_url=http://localhost:8000
# Keep trace off: provider tracing logs request details including identity
# parameters.
openid.provider.trace=False
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png


#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities.  Leave this
# commented out: it carries a static username:password in the config and
# exists only for demos.
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.BasicAuthNInterface
#openid.provider.authN.userCreds=pjk:test
#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.
openid.provider.authN.sessionManagerURI=

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
#openid.provider.authN.environKey=ndg.security.server.wsgi.sessionManagerFilter

# Database connection to enable check between username and OpenID identifier.
# This connects as the "postgres" superuser with a clear-text password in a
# checked-in file.  Outside the test harness use a dedicated role restricted
# to SELECT on the openid table and supply the password from outside the
# config.
openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
# The queries carry $username / $userIdentifier placeholders inside quoted SQL
# string literals, which reads as textual template substitution rather than
# driver-level parameter binding.  If SessionManagerOpenIDAuthNInterface
# substitutes the submitted values into this text, a username containing a
# single quote is a SQL injection against the user database.  Confirm the
# values are bound as parameters (or at minimum escaped) before this pattern
# is used anywhere but the test harness.
openid.provider.authN.logonSQLQuery: select username from openid where username = '$username' and ident = '$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$username'

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs.  Keep commented out; static credentials in
# config are for local testing only.
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter).  No session
# options are given here, so Beaker runs with its defaults for this filter:
# no secret / validate_key is configured and the cookie is not marked
# secure - confirm what those defaults amount to for the OpenID login state
# this session carries, and set them explicitly before deployment.
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware

# Logging configuration (Python logging.config.fileConfig layout).
# The ndg logger runs at DEBUG, which in a security stack can put request
# bodies, identifiers and other credential-adjacent material into the console
# log; keep this at INFO or above outside the test harness, and treat the log
# stream as sensitive wherever DEBUG is left on.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# ndg.* messages propagate to the root console handler; no handler of their own
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(...)s tokens below are logging format fields, read raw by fileConfig,
# not ConfigParser interpolation.
[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
