Changes between Version 34 and Version 35 of InstallDiscoveryBrowse


Timestamp:
04/06/08 17:11:01 (11 years ago)
Author:
pjkersha
Comment:

--

  • InstallDiscoveryBrowse

    v34 v35  
    154154 
    155155=== Security Configuration === 
    156 If Browse is run, then security needs to be configured.  There are two components that need to be configured: 
     156If Browse is run, then security needs to be configured.  The steps are: 
    157157 1. Single Sign On Service - this enables uses from other trusted sites to login at your Browse site with their home ID. 
    158  2. Gatekeeper - MOLES and CSML records available from the Browse interface can be secured with role based access control using the Gatekeeper. 
     158 1. Gatekeeper - MOLES and CSML records available from the Browse interface can be secured with role based access control using the Gatekeeper. 
     159 1. WS-Security Settings - secures transactions between Browse and NDG security web services. 
     160 1. Apache Virtual Hosts - enables Browse to be exposed outside the site firewall and serves Browse over http and https for the Single Sign On Service. 
    159161 
    160162Security settings are organised under the `[NDG_SECURITY.*]` sections of the `ndgDiscovery.config` file. 
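Review bot: the unchanged item at 157 still reads "enables uses from other trusted sites"; "uses" should be "users", and since the list is being renumbered in this revision it is a good moment to fix it. The opener at 156 now says "The steps are:" and all four items use Trac's " 1." auto-numbering, which is consistent. Item 160 presents the Apache virtual hosts as exposing Browse outside the site firewall over http and https "for the Single Sign On Service"; it would help to say here which of the two hosts carries the Single Sign On login traffic described in 157, so a reader knows the https host is not optional for that step.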
     
    210212For help contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
    211213 
    212 ==== Secure Communication with Security Web Services ==== 
     214==== WS-Security Settings ==== 
     215Settings are contained in the section `[NDG_SECURITY.wssecurity]`. 
     216 
    213217Create a certificate and private key for the Browse PDP (Policy Decision Point).  For the private key: 
    214218{{{ 
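Review bot: the new line 215 names the `[NDG_SECURITY.wssecurity]` section but does not say which keys it holds, and the text at 217 goes straight into generating a certificate and private key for the Browse PDP; a one-line list of what the section configures (signing certificate, private key, key password, trusted CA list) would let a reader check their config against it before starting. The renamed heading "WS-Security Settings" at 214 matches the list item added at 159 under Security Configuration, so the cross-reference is consistent.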
     
    242246}}} 
    243247 
    244 The new discovery certificate and private key and CA certificate files should be referenced in the discovery config `/etc/ndg/ows_server/conf/ndgDiscovery.config`) as follows: 
    245 {{{ 
    246 # WS-Security signature handler 
    247 # This is an application certificate ... (which may be a machine certificate) 
    248 # X.509 certificate sent with outbound signed messages 
    249 wssCertFilePath: /etc/ndg/ows_server/conf/certs/discovery.crt 
    250  
    251 # Private key used to sign messages 
    252 # This is an application certificate ... (which may be a machine certificate) 
    253 wssKeyFilePath: /etc/ndg/ows_server/conf/certs/discovery.key 
    254  
    255 # Password for private key - comment out if the file is not password protected 
    256 wssKeyPwd: password 
    257  
    258 # Space separated list of CA cert. files to validate certs against when 
    259 # verifying responses 
    260 wssCACertFilePathList: /etc/ndg/ows_server/conf/certs/cacert.crt 
    261 }}} 
    262  
    263 In the above, replace `password` with the password you set to protect the private key.  If no password was set leave this field blank. 
    264  
    265 Finally, the field `sslCACertFilePathList` can be used to authenticate peers for SSL connections to ''security web services''.  In the current implementation this applies to the Session Manager web service.  This runs over https.  On a request to the Session Manager, the Discovery service can verify the Session Manager's X.509 certificate against a list of acceptable CA certificates.  If the Session Manager's X.509 certificate is not issued by any of the CA certificates in the list the connection is rejected. 
    266  
     248The new certificate and private key and CA certificate files should be referenced in the discovery config `/etc/ndg/ows_server/conf/ndgDiscovery.config`) as follows: 
     249{{{ 
     250signingCertFilePath=certs/browse-pdp.crt 
     251}}} 
     252 
     253{{{ 
     254signingPriKeyFilePath=certs/clnt.key 
     255}}} 
     256 
     257If the private key is password protected, enter the password here: 
     258{{{ 
     259signingPriKeyPwd: opensesame 
     260}}} 
     261If no password was set leave this field blank. 
     262 
     263Nb. As a security precaution, `ndgDiscovery.config` should be set with minimal file permissions required for the Browse running user ID to read and write the file e.g.  
     264{{{ 
     265chmod 600 ndgDiscovery.config 
     266}}} 
     267 
     268Provide a list of the CA certificates used by NDG trusted sites 
     269{{{ 
     270caCertFilePathList: certs/badc-ca.crt certs/bodc-ca.crt certs/nocs-ca.crt certs/neodaas-ca.crt 
     271}}} 
    267272 
    268273==== Virtual Hosting of the Discovery Service over http and https ====
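Review bot: the private key path at 254 (`signingPriKeyFilePath=certs/clnt.key`) does not match the certificate at 250 (`signingCertFilePath=certs/browse-pdp.crt`) or the instruction at 217 to create the key for the Browse PDP; confirm whether it should be `certs/browse-pdp.key`. The new keys mix `=` (250, 254) and `:` (259, 270) as separators where the removed block used `:` throughout; pick one form. The removed paragraph at 265 documented `sslCACertFilePathList` for verifying the Session Manager's X.509 certificate on the https connection and rejecting a certificate not issued by a listed CA; the new `caCertFilePathList` at 270 is described only as "CA certificates used by NDG trusted sites", so either say that it also governs SSL peer verification or note that the SSL setting has been dropped, otherwise that verification step disappears from the documentation. The paths at 250, 254 and 270 are now relative (`certs/...`) where the old ones were absolute; say what they are relative to. The `chmod 600` advice at 263-266 covers only `ndgDiscovery.config`; the private key file referenced at 254 needs the same or tighter permissions, and since 600 grants access to the owner only, 263 should also say the file must be owned by the Browse running user ID. Line 248 carries over the unbalanced `)` after the config path from 244. The removed block's inline comments (246-260) explaining each key were dropped and the two one-line blocks at 249-255 would read better merged into a single commented block. Finally, the removed text at 255 said to comment out the password key when the file is not password protected, while 261 says to leave it blank; state which the parser expects.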