Changes between Version 21 and Version 22 of InstallDiscoveryBrowse
Timestamp:
11/10/07 10:00:24 (12 years ago)
Author:
pjkersha
Comment:

--

  • InstallDiscoveryBrowse

    v21 v22  
    178178}}} 
    179179 
    180 === Security Settings === 
    181 Security settings are made under the `[NDG_SECURITY]` section of the config file.  Set-up includes the following steps:   
     180=== Security Configuration === 
     181Security settings are organised under the `[NDG_SECURITY]` section of the config file.  Set-up includes the following steps:   
    182182 * certificates are created to secure communication with security web services (WS-Security) 
    183183 * the Discovery service is set up to run over http and https Virtual Hosts and  
    184184 * parameters are configured to enable the Gatekeeper to make access control decisions for secure data requests. 
    185185 
    186 For help with these settings contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
     186For help contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
    187187 
    188188==== WS-Security Settings ==== 
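Review bot: the heading rename at line 180 to "Security Configuration" leaves the two subsections ("WS-Security Settings", "Gatekeeper Settings") and the opening sentence ("Security settings are organised under...") still using "Settings", so the section now mixes two terms for the same thing; either keep "Security Settings" or rename the subsections as well. The wording changes to lines 181 and 186 are otherwise fine, but the three bullets at 182-184 describe steps without saying which of the subsections below covers the http/https Virtual Host set-up; a short pointer would help readers following the steps in order.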
     
    309309 
    310310==== Gatekeeper Settings ==== 
     311When a request is made for secured data an Attribute Certificate is submitted on behalf of the user.  This contains a list of roles or attributes that they are entitled to.  It is digitally signed by the Attribute Authority service that issued it. 
     312 
     313The `acIssuer` and `acCACertFilePathList` fields enable the Gatekeeper to verify that your organisation's Attribute Authority signed the Attribute Certificate submitted to it. 
     314 
     315Set the `acIssuer` field to the Distinguished Name of the Attribute Authority's X.509 Certificate.  The Attribute Authority holds an X.509 certificate on its host machine.  This is normally in `/etc/ndg/security/conf/certs`.  To check the Distinguished Name: 
     316 
     317{{{ 
     318openssl x509 -in aa.pem -subject 
     319}}} 
     320 
     321The `acCACertFilePathList` should be set to the CA certificate that issued the Attribute Authority's X.509 Certificate.  This would be expected to be the one previously obtained in `/etc/ndg/ows_server/conf/cacert.crt`.   
     322 
     323{{{ 
     324# Gatekeeper Attribute Certificate check 
     325# Issuer - should match with the issuer element of the users Attribute 
     326# Certificate submitted in order to gain access 
     327acIssuer: /CN=AttributeAuthority/O=NDG/OU=YourOrganisationName 
     328 
     329# verification of X.509 cert back to CA 
     330acCACertFilePathList: /etc/ndg/ows_server/conf/cacert.crt 
     331}}} 
    311332 
    312333== Step 11: Start the services ==
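Review bot: the command at line 318, `openssl x509 -in aa.pem -subject`, prints the whole PEM certificate after the subject line unless `-noout` is added; suggest `openssl x509 -in aa.pem -subject -noout` so the reader sees only the Distinguished Name they need to copy into `acIssuer`. Two documentation points on lines 321 and 330: the field is named `acCACertFilePathList`, which implies several paths may be given, but the text only ever assigns a single certificate and does not say how to list more than one (or what separator to use) when the Attribute Authority's certificate was issued by a different CA from the one behind `/etc/ndg/ows_server/conf/cacert.crt`; and the sentence at 321 states that assumption ("would be expected to be") rather than telling the reader how to confirm it, e.g. by checking the issuer of `aa.pem` against the subject of `cacert.crt`. Finally, line 325 reads "the users Attribute Certificate"; "user's" is intended.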