Changes between Version 36 and Version 37 of InstallDiscoveryBrowse


Timestamp:
04/06/08 17:16:24 (11 years ago)
Author:
pjkersha
Comment:

--

  • InstallDiscoveryBrowse

    v36 v37  
    196196}}} 
    197197 
    198 The Gatekeeper needs information in order to checks Attribute Certificates received from the Attribute Authority: a copy of the CA certificate used by the Attribute Authority and the Distinguished Name of the Attribute Authority's X.509 certificate: 
     198When a request is made for secured data an Attribute Certificate is submitted on behalf of the user. This contains a list of roles or attributes that they are entitled to. It is digitally signed by the Attribute Authority service that issued it. 
     199 
     200The `acIssuer` and `acCACertFilePathList` fields enable the Gatekeeper to verify that your organisation's Attribute Authority signed the Attribute Certificate submitted to it. 
     201 
     202Set the `acIssuer` field to the Distinguished Name of the Attribute Authority's X.509 Certificate. The Attribute Authority holds an X.509 certificate on its host machine. This is normally in `/etc/ndg/security/conf/certs` on the security web services host machine. To check the Distinguished Name: 
     203 
     204{{{ 
     205openssl x509 -in aa.crt -subject 
     206}}} 
     207 
     208The acCACertFilePathList should be set to the CA certificate that issued the Attribute Authority's X.509 Certificate. This would be expected to be the one previously obtained in /etc/ndg/ows_server/conf/cacert.crt. 
     209 
     210{{{ 
     211acIssuer: /CN=AttributeAuthority/O=NDG/OU=YourOrganisationName 
     212}}} 
     213 
    199214{{{ 
    200215acCACertFilePathList: certs/badc-ca.crt 
    201216}}} 
    202217 
    203 {{{ 
    204 acIssuer: /CN=AttributeAuthority/O=NDG Security Test/OU=Site A 
    205 }}} 
    206  
    207   Set-up includes the following steps:   
    208  * certificates are created to secure communication with security web services (WS-Security and SSL Settings) 
    209  * the Discovery/Browse service is set up to run over http and https Virtual Hosts and  
    210  * parameters are configured to enable access control decisions for secure data requests. 
    211  
    212 For help contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
     218For help with set-up contact [mailto:P.J.Kershaw@rl.ac.uk Phil]. 
    213219 
    214220==== 3. WS-Security Settings ==== 
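Review bot: the retained example at new line 215, `acCACertFilePathList: certs/badc-ca.crt`, no longer agrees with the new prose at line 208, which tells the reader to point the field at `/etc/ndg/ows_server/conf/cacert.crt`; the Gatekeeper block removed further down used that absolute path, so update line 215 to match, since the prose and the example should name the same CA file or an installer may end up trusting a different CA than intended. Two smaller points in the same hunk: `openssl x509 -in aa.crt -subject` at line 205 prints the whole PEM body as well unless `-noout` is added, and the file name changed from `aa.pem` in the removed text to `aa.crt` here, so confirm which name the install actually creates. Also put `acCACertFilePathList` at line 208 in backticks like the other field names.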
     
    338344. 
    339345. 
    340 [NDG_SECURITY] 
     346[NDG_SECURITY.ssoService] 
    341347sslServer: https://<your-site-discovery-url> 
    342 }}} 
    343  
    344 ==== Gatekeeper Settings ==== 
    345 When a request is made for secured data an Attribute Certificate is submitted on behalf of the user.  This contains a list of roles or attributes that they are entitled to.  It is digitally signed by the Attribute Authority service that issued it. 
    346  
    347 The `acIssuer` and `acCACertFilePathList` fields enable the Gatekeeper to verify that your organisation's Attribute Authority signed the Attribute Certificate submitted to it. 
    348  
    349 Set the `acIssuer` field to the Distinguished Name of the Attribute Authority's X.509 Certificate.  The Attribute Authority holds an X.509 certificate on its host machine.  This is normally in `/etc/ndg/security/conf/certs`.  To check the Distinguished Name: 
    350  
    351 {{{ 
    352 openssl x509 -in aa.pem -subject 
    353 }}} 
    354  
    355 The `acCACertFilePathList` should be set to the CA certificate that issued the Attribute Authority's X.509 Certificate.  This would be expected to be the one previously obtained in `/etc/ndg/ows_server/conf/cacert.crt`.   
    356  
    357 {{{ 
    358 # Gatekeeper Attribute Certificate check 
    359 # Issuer - should match with the issuer element of the users Attribute 
    360 # Certificate submitted in order to gain access 
    361 acIssuer: /CN=AttributeAuthority/O=NDG/OU=YourOrganisationName 
    362  
    363 # verification of X.509 cert back to CA 
    364 acCACertFilePathList: /etc/ndg/ows_server/conf/cacert.crt 
    365 }}} 
     348server: http://<your-site-discovery-url> 
     349}}} 
     350 
    366351 
    367352== Step 11: Start the services == 
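Review bot: the removed Gatekeeper block (old lines 357-365) carried comments stating that `acIssuer` must match the issuer element of the user's Attribute Certificate and that `acCACertFilePathList` verifies the signing certificate back to the CA; the copy kept in the earlier section has lost those comments, so carry them over into the example there. The new `server: http://<your-site-discovery-url>` entry at new line 348 now sits beside `sslServer: https://<your-site-discovery-url>` with no text saying which requests use which address; add a sentence so an installer knows which one the secured requests go through. Finally, renaming the section header from `[NDG_SECURITY]` to `[NDG_SECURITY.ssoService]` (old line 340 / new line 346) breaks existing v36-style config files; the page should say the section must be renamed.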
     
    477462Please note any problems encountered or issues here - along with the solution if you know it. 
    478463 
    479 == Issue 1. Numeric Install ==  
    480 The Numeric install doesn't always go smoothly, see step 6 for possible solution. 
    481  
    482464== Issue 2. Routes not working properly. == 
    483465If you try a URL such as this:
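Review bot: deleting "Issue 1. Numeric Install" (old lines 479-481) leaves the next heading as "Issue 2. Routes not working properly", so the issues list now starts at 2; either renumber or keep a one-line note that the issue was resolved. The removed text pointed readers at step 6 for the fix, so check that step 6 still carries that solution before relying on the deletion.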