Changes between Version 31 and Version 32 of InstallDiscoveryBrowse


Timestamp:
04/06/08 14:13:30 (11 years ago)
Author:
pjkersha
Comment:

--

  • InstallDiscoveryBrowse

    v31 v32  
    139139 
    140140=== Security Configuration === 
    141 If Browse is run, then security needs to be configured. 
    142  
    143 Security settings are organised under the `[NDG_SECURITY.*]` sections of the `ndgDiscovery.config` file.  Set-up includes the following steps:   
     141If Browse is run, then security needs to be configured.  There are two components that need to be configured: 
     142 1. Single Sign On Service - this enables uses from other trusted sites to login at your Browse site with their home ID. 
     143 2. Gatekeeper - MOLES and CSML records available from the Browse interface can be secured with role based access control using the Gatekeeper. 
     144 
     145Security settings are organised under the `[NDG_SECURITY.*]` sections of the `ndgDiscovery.config` file. 
     146 
     147==== 1. Single Sign On Service ==== 
     148Settings are organised under the section `[NDG_SECURITY.ssoService]`.  Only the most important settings are described here.  The rest should be left as their default values. 
     149 
     150 * Server Address settings - the single sign on service relies on the ability to serve the Browse interface over http and https.  This can be configured with Apache - see later.  The `sslServer` setting should be the same as the `server` setting in the with the exception that the protocol is `https` e.g. 
     151  
     152{{{ 
     153sslServer: https://ndgbeta.badc.rl.ac.uk 
     154}}} 
     155 
     156{{{ 
     157server: http://ndgbeta.badc.rl.ac.uk 
     158}}} 
     159 
     160 * Security web service addresses.  - Put in here the addresses for the local Session Manager and Attribute Authority services e.g. 
     161 
     162{{{ 
     163sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager 
     164attAuthorityURI: http://ndgbeta.badc.rl.ac.uk/AttributeAuthority 
     165}}} 
     166 
     167 * SSL Connections - the Browse interface includes a login facility as part of the Single Sign On service.  If another site requests the user to login, the Single Sign On Service can check that site's SSL certificate.  This is an anti-phishing measure.  Include in this parameter a space separated list of all the CA certificates required to enable this site to verify trusted site login requests.  For help getting these files contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
     168 
     169{{{ 
     170sslCACertFilePathList: certs/badc-ca.crt certs/bodc-ca.crt certs/nocs-ca.crt certs/neodaas-ca.crt 
     171}}} 
     172 
     173  Set-up includes the following steps:   
    144174 * certificates are created to secure communication with security web services (WS-Security and SSL Settings) 
    145175 * the Discovery/Browse service is set up to run over http and https Virtual Hosts and  
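Review bot: The two security web service addresses in this hunk use different schemes: `sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager` but `attAuthorityURI: http://ndgbeta.badc.rl.ac.uk/AttributeAuthority`, so attribute requests would travel unprotected and get none of the CA verification the SSL Connections bullet describes; unless the Attribute Authority really is served only over http, the example should read `attAuthorityURI: https://ndgbeta.badc.rl.ac.uk/AttributeAuthority`. Two wording defects in the added text: the Single Sign On item should say "enables users from other trusted sites", and the Server Address bullet has "the same as the `server` setting in the with the exception", where "in the" is a leftover. The introduction promises two components but the hunk only adds a `==== 1. Single Sign On Service ====` heading; the Gatekeeper needs its own `==== 2. Gatekeeper ====` subsection, and the stranded "Set-up includes the following steps:" (now indented under the SSO bullets) should go back to section level so the certificate and virtual host steps are not read as part of the SSO list.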
     
    203233Finally, the field `sslCACertFilePathList` can be used to authenticate peers for SSL connections to ''security web services''.  In the current implementation this applies to the Session Manager web service.  This runs over https.  On a request to the Session Manager, the Discovery service can verify the Session Manager's X.509 certificate against a list of acceptable CA certificates.  If the Session Manager's X.509 certificate is not issued by any of the CA certificates in the list the connection is rejected. 
    204234 
    205 {{{ 
    206 # SSL Connections 
    207 # 
    208 # Space separated list of CA cert. files.  The peer cert. 
    209 # must verify against at least one of these otherwise the connection is 
    210 # dropped. 
    211 sslCACertFilePathList: /etc/ndg/ows_server/conf/certs/cacert.crt 
    212 }}} 
    213235 
    214236==== Virtual Hosting of the Discovery Service over http and https ====
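Review bot: Dropping the `sslCACertFilePathList` example block leaves the paragraph that describes the setting with no illustration, and that paragraph now conflicts with the SSL Connections bullet added under `[NDG_SECURITY.ssoService]` in the same revision: there the list is said to verify other sites' login requests (anti-phishing), here it verifies the Session Manager's X.509 certificate on https requests. If these are two uses of one setting, state that in one place; if they are separate settings in separate sections, qualify each by its section so an installer does not set one and assume the other is covered. The removed comment lines ("The peer cert. must verify against at least one of these otherwise the connection is dropped") were the clearest statement of the failure behaviour and are worth carrying into the new example.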