Changes between Version 20 and Version 21 of InstallDiscoveryBrowse


Timestamp:
11/10/07 09:43:45 (12 years ago)
Author:
pjkersha
Comment:

--

  • InstallDiscoveryBrowse

    v20 v21  
    179179 
    180180=== Security Settings === 
     181Security settings are made under the `[NDG_SECURITY]` section of the config file.  Set-up includes the following steps:   
     182 * certificates are created to secure communication with security web services (WS-Security) 
     183 * the Discovery service is set up to run over http and https Virtual Hosts and  
     184 * parameters are configured to enable the Gatekeeper to make access control decisions for secure data requests. 
     185 
     186For help with these settings contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
     187 
     188==== WS-Security Settings ==== 
     189Create a Discovery Service certificate and private key to enable it communicate securely with security services.  First, generate a new private key: 
     190{{{ 
     191cd /etc/ndg/ows_server/conf/certs 
     192openssl genrsa -des3 -out discovery.key 2048 
     193chmod 400 discovery.key 
     194}}} 
     195 
     196You will be prompted for a password to protect the file.  If you don't want to password protect it, omit the `-des3` argument. 
     197 
     198Then, create a new certificate request: 
     199 
     200{{{ 
     201openssl req -new -key discovery.key -out discovery.csr 
     202}}} 
     203 
     204You will be prompted for the fields that will make up the Distinguished Name of the certificate when it is issued.  It is recommended that a Common Name is set to `DiscoveryService`.   Organisation can be `NDG` and Organisation Unit, the name of your organisation.  Other fields can be left blank.   
     205 
     206[mailto:P.J.Kershaw@rl.ac.uk E-mail] the request file so that it can signed and sent back to you: 
     207 
     208{{{ 
     209mail p.j.kershaw@rl.ac.uk -s 'Certificate Request' < discovery.csr 
     210}}} 
     211 
     212When you receive the signed certificate copy it into `/etc/ndg/ows_server/conf/certs/discovery.crt`. Once you have the certificate, the certificate request file `discovery.csr` can be removed.  You should also receive a copy of the CA certificate.  If not [mailto:P.J.Kershaw@rl.ac.uk request] it.  Copy the CA certificate to `/etc/ndg/ows_server/conf/certs/cacert.crt` 
     213 
     214Certificate files can be checked with `openssl` e.g. the following command will print out the Distinguished Name for the CA certificate: 
     215 
     216{{{ 
     217openssl x509 -in cacert.crt -subject 
     218}}} 
     219 
     220The new discovery certificate and private key and CA certificate files should be referenced in the discovery config `/etc/ndg/ows_server/conf/ndgDiscovery.config`) as follows: 
     221{{{ 
     222# WS-Security signature handler 
     223# This is an application certificate ... (which may be a machine certificate) 
     224# X.509 certificate sent with outbound signed messages 
     225wssCertFilePath: /etc/ndg/ows_server/conf/certs/discovery.crt 
     226 
     227# Private key used to sign messages 
     228# This is an application certificate ... (which may be a machine certificate) 
     229wssKeyFilePath: /etc/ndg/ows_server/conf/certs/discovery.key 
     230 
     231# Password for private key - comment out if the file is not password protected 
     232wssKeyPwd: password 
     233 
     234# Space separated list of CA cert. files to validate certs against when 
     235# verifying responses 
     236wssCACertFilePathList: /etc/ndg/ows_server/conf/certs/cacert.crt 
     237}}} 
     238 
     239In the above replace `password` with the password you set to protect the private key.  If no password was set leave this field blank. 
     240 
    181241==== Virtual Hosting of the Discovery Service over http and https ==== 
    182242Paste, the Discovery application server runs over http but pages for Single Sign On require https for the secure transfer of user credentials.  One way to achieve this is to run `paste` on a port hidden inside the firewall exposing it to the outside using Virtual Hosting e.g. with Apache.  The service running on a particular port is exposed outside on 80 (http) and 443 (https): 
     
    248308}}} 
    249309 
    250 ==== WS-Security Settings ==== 
    251 Create a Discovery Service certificate and private key to enable it communicate securely with security services.  First, generate a new private key: 
    252 {{{ 
    253 cd /etc/ndg/ows_server/conf/certs 
    254 openssl genrsa -des3 -out discovery.key 2048 
    255 chmod 400 discovery.key 
    256 }}} 
    257  
    258 You will be prompted for a password to protect the file.  If you don't want to password protect it, omit the `-des3` argument. 
    259  
    260 Then, create a new certificate request: 
    261  
    262 {{{ 
    263 openssl req -new -key discovery.key -out discovery.csr 
    264 }}} 
    265  
    266 You will be prompted for the fields that will make up the Distinguished Name of the certificate when it is issued.  It is recommended that a Common Name is set to `DiscoveryService`.   Organisation can be `NDG` and Organisation Unit, the name of your organisation.  Other fields can be left blank.   
    267  
    268 [mailto:P.J.Kershaw@rl.ac.uk E-mail] the request file so that it can signed and sent back to you: 
    269  
    270 {{{ 
    271 mail p.j.kershaw@rl.ac.uk -s 'Certificate Request' < discovery.csr 
    272 }}} 
    273  
    274 When you receive the signed certificate copy it into `/etc/ndg/ows_server/conf/certs/discovery.crt`. Once you have the certificate, the certificate request file `discovery.csr` can be removed.  You should also receive a copy of the CA certificate.  If not [mailto:P.J.Kershaw@rl.ac.uk request] it. 
    275  
    276 Certificate files can be checked with `openssl` e.g. the command following command will print out the Distinguished Name for the CA certificate: 
    277  
    278 {{{ 
    279 openssl x509 -in cacert.crt -subject 
    280 }}} 
    281  
    282 The new discovery certificate and private key and CA certificate files should be referenced in the discovery config `/etc/ndg/ows_server/conf/ndgDiscovery.config`) as follows: 
    283 {{{ 
    284 # WS-Security signature handler 
    285 # This is an application certificate ... (which may be a machine certificate) 
    286 # X.509 certificate sent with outbound signed messages 
    287 wssCertFilePath: /etc/ndg/ows_server/conf/certs/discovery.crt 
    288  
    289 # Private key used to sign messages 
    290 # This is an application certificate ... (which may be a machine certificate) 
    291 wssKeyFilePath: /etc/ndg/ows_server/conf/certs/discovery.key 
    292  
    293 # Password for private key - comment out if the file is not password protected 
    294 wssKeyPwd: password 
    295  
    296 # Space separated list of CA cert. files to validate certs against when 
    297 # verifying responses 
    298 wssCACertFilePathList: /etc/ndg/ows_server/conf/certs/cacert.crt 
    299 }}} 
    300  
    301 In the above replace `password` with the password you set to protect the private key.  If no password was set leave this field blank. 
    302  
    303 Contact [mailto:P.J.Kershaw@rl.ac.uk Phil] in order to get help making the other security settings under `[NDG_SECURITY]` section of the config file. 
     310==== Gatekeeper Settings ==== 
    304311 
    305312== Step 11: Start the services ==
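Review bot: the new `==== Gatekeeper Settings ====` heading is added with nothing beneath it, immediately before `== Step 11: Start the services ==`, even though the introduction added in this change lists configuring the Gatekeeper access-control parameters as one of the three set-up steps. Either fill in the settings or add a one-line placeholder saying they are still to be written, so a reader does not take the empty heading for a finished section. The removed block is the WS-Security text that now reappears under `=== Security Settings ===` (with the duplicated "the command following command" fixed and the `cacert.crt` copy instruction added), so no content is lost by this hunk.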