Changes between Version 31 and Version 32 of InstallDiscoveryBrowse

04/06/08 14:13:30 (12 years ago)



  • InstallDiscoveryBrowse

    v31 v32  
    140140=== Security Configuration === 
    141 If Browse is run, then security needs to be configured. 
    143 Security settings are organised under the `[NDG_SECURITY.*]` sections of the `ndgDiscovery.config` file.  Set-up includes the following steps:   
     141If Browse is run, then security needs to be configured.  There are two components that need to be configured: 
     142 1. Single Sign On Service - this enables uses from other trusted sites to login at your Browse site with their home ID. 
     143 2. Gatekeeper - MOLES and CSML records available from the Browse interface can be secured with role based access control using the Gatekeeper. 
     145Security settings are organised under the `[NDG_SECURITY.*]` sections of the `ndgDiscovery.config` file. 
     147==== 1. Single Sign On Service ==== 
     148Settings are organised under the section `[NDG_SECURITY.ssoService]`.  Only the most important settings are described here.  The rest should be left as their default values. 
     150 * Server Address settings - the single sign on service relies on the ability to serve the Browse interface over http and https.  This can be configured with Apache - see later.  The `sslServer` setting should be the same as the `server` setting in the with the exception that the protocol is `https` e.g. 
     160 * Security web service addresses.  - Put in here the addresses for the local Session Manager and Attribute Authority services e.g. 
     167 * SSL Connections - the Browse interface includes a login facility as part of the Single Sign On service.  If another site requests the user to login, the Single Sign On Service can check that site's SSL certificate.  This is an anti-phishing measure.  Include in this parameter a space separated list of all the CA certificates required to enable this site to verify trusted site login requests.  For help getting these files contact [ Phil]. 
     170sslCACertFilePathList: certs/badc-ca.crt certs/bodc-ca.crt certs/nocs-ca.crt certs/neodaas-ca.crt 
     173  Set-up includes the following steps:   
    144174 * certificates are created to secure communication with security web services (WS-Security and SSL Settings) 
    145175 * the Discovery/Browse service is set up to run over http and https Virtual Hosts and  
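Review bot: the new `sslCACertFilePathList: certs/badc-ca.crt certs/bodc-ca.crt ...` example lists relative paths without saying which directory they are resolved against, while the example block removed further down in this change used an absolute path (`/etc/ndg/ows_server/conf/certs/cacert.crt`). Either state the base directory for `ndgDiscovery.config` paths or use absolute paths here, since the file list is what decides which sites' login requests this service will accept as trusted. The added text also says the SSO service "can check that site's SSL certificate" but, unlike the Session Manager paragraph below, does not say what happens when the certificate does not verify against the list; a sentence matching the "connection is rejected" wording there would make the two cases consistent. Minor wording in the added lines: "uses from other trusted sites" should read "users", "should be the same as the `server` setting in the with the exception" has a stray "in the", and "[ Phil]" is an empty link target.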
    203233Finally, the field `sslCACertFilePathList` can be used to authenticate peers for SSL connections to ''security web services''.  In the current implementation this applies to the Session Manager web service.  This runs over https.  On a request to the Session Manager, the Discovery service can verify the Session Manager's X.509 certificate against a list of acceptable CA certificates.  If the Session Manager's X.509 certificate is not issued by any of the CA certificates in the list the connection is rejected. 
    205 {{{ 
    206 # SSL Connections 
    207 # 
    208 # Space separated list of CA cert. files.  The peer cert. 
    209 # must verify against at least one of these otherwise the connection is 
    210 # dropped. 
    211 sslCACertFilePathList: /etc/ndg/ows_server/conf/certs/cacert.crt 
    212 }}} 
    214236==== Virtual Hosting of the Discovery Service over http and https ====
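Review bot: with the `{{{ ... }}}` block removed, the only remaining example of `sslCACertFilePathList` is the one added under `[NDG_SECURITY.ssoService]`, yet the surviving paragraph here describes the same field name as authenticating the Session Manager web service. Say whether this is one key that serves both purposes or the same key name under two different `[NDG_SECURITY.*]` sections, and consider keeping a one-line example with an absolute path at this point, e.g. `sslCACertFilePathList: /etc/ndg/ows_server/conf/certs/cacert.crt`, so a reader configuring only the Session Manager check is not left to infer the format from the SSO section.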