Difference between revisions of "SOA3 HowTo"
(→Installation steps) |
(→Security) |
||
(18 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | [[Category:Administrator's Guide]] | ||
==Introduction== | ==Introduction== | ||
SOA3 (Service Oriented Authentication, Authorization and Accounting) is composed of four REST web services: | SOA3 (Service Oriented Authentication, Authorization and Accounting) is composed of four REST web services: | ||
Line 10: | Line 11: | ||
==Installation steps== | ==Installation steps== | ||
− | The four services are packaged in four wars running on | + | The four services are packaged in four wars running on [http://tomcat.apache.org/download-70.cgi Apache Tomcat 7], in particular: |
* ''authService.war'' (org.gcube.vo-management.soa3.authentication.rest) is the Authentication Service | * ''authService.war'' (org.gcube.vo-management.soa3.authentication.rest) is the Authentication Service | ||
− | * | + | * ''policyService.war'' (org.gcube.vo-management.soa3.authorization.policymanagementservice) is the Authorization and Policy Management Service |
* ''userService.war'' (org.gcube.vo-management.soa3.usermanagement.rest) is the User Management Service | * ''userService.war'' (org.gcube.vo-management.soa3.usermanagement.rest) is the User Management Service | ||
* ''soa3Service'' (org.gcube.vo-management.soa3.connector.service) is the Connector Service | * ''soa3Service'' (org.gcube.vo-management.soa3.connector.service) is the Connector Service | ||
− | In addition to Tomcat 7, in order to use Authentication and User Management Services, an LDAP Directory is needed. There are no particular requirements on the LDAP Directory: the tests have been performed on | + | In addition to Tomcat 7, in order to use Authentication and User Management Services, an LDAP Directory is needed. There are no particular requirements on the LDAP Directory: the tests have been performed on [http://opends.java.net OpenDS 2.2]. |
+ | For the Authorization and Policy Management Service, [http://repository.egi.eu/2012/10/09/argus-1-5-0/ Argus Authorization Framework] 1.5.0 or above is needed. | ||
===Configuration=== | ===Configuration=== | ||
− | ==== Authentication and UserManagement==== | + | ==== Authentication, Authorization and UserManagement==== |
− | Authentication and User Management Services | + | There is a single, common configuration file for Authentication and User Management Services to be installed under: |
$CATALINA_HOME/conf/soa3/soa3.properties. | $CATALINA_HOME/conf/soa3/soa3.properties. | ||
Line 27: | Line 29: | ||
The file contains the following properties: | The file contains the following properties: | ||
− | * '''LDAP_URL''' the url of the LDAP | + | * '''LDAP_URL''' the url of the LDAP with the user list (default "ldap://127.0.0.1:1389") |
* '''LDAP_BASE''' the LDAP search base (default "o=mojo") | * '''LDAP_BASE''' the LDAP search base (default "o=mojo") | ||
* '''LDAP_USER_DN''' the administrator DN (default "cn=Directory Manager") | * '''LDAP_USER_DN''' the administrator DN (default "cn=Directory Manager") | ||
* '''LDAP_PASSWORD''' the administrator account password (default "secret") | * '''LDAP_PASSWORD''' the administrator account password (default "secret") | ||
− | |||
− | The following properties are | + | The following properties are used only by Authentication Service. They concern federated authentication and the connection with Shibboleth Service Provider (look at [http://shibboleth.net/ Shibboleth site] and [[Shibboleth and gCube|Shibboleth installation in gCube guide]]): |
* '''CA_CERT''' = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates) | * '''CA_CERT''' = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates) | ||
Line 40: | Line 41: | ||
* '''ASSERTION_TIME_VALIDATION''' Assertion time validation enabled (default true) | * '''ASSERTION_TIME_VALIDATION''' Assertion time validation enabled (default true) | ||
* '''SAML_ASSERTION_SOURCE_URL''' SAML Source host (default http://localhost/Shibboleth.sso/GetAssertion) | * '''SAML_ASSERTION_SOURCE_URL''' SAML Source host (default http://localhost/Shibboleth.sso/GetAssertion) | ||
+ | |||
Further information on Shibboleth deployment and configuration can be found in [[Shibboleth and gCube]] | Further information on Shibboleth deployment and configuration can be found in [[Shibboleth and gCube]] | ||
+ | The following properties are used for Authorization and Policy Management services: | ||
+ | |||
+ | * '''POLICY_REPOSITORY_URL''' the url of the Policy Administration Point (default https://localhost:8150/pap/services) | ||
+ | * '''AUTHZ_QUERY_ENDPOINT''' the url of the Authorization query endpoint (default https://localhost:8154/authz) | ||
+ | * '''POLICY_LOADER_URL''' the url of the endpoint used to refresh the policies after an update (default http://localhost:8153) | ||
+ | |||
+ | A step by step guide to install Argus Authorization Framework is provided [[Argus Installation|here]] | ||
====Connector==== | ====Connector==== | ||
Line 50: | Line 59: | ||
* $CATALINA_HOME/conf/soa3/services.properties (optional) | * $CATALINA_HOME/conf/soa3/services.properties (optional) | ||
− | The | + | The file <code>connector.properties</code> contains the following properties: |
− | * '''SOA3_ENDPOINT''' the endpoint of the other services of soa3 (default http://localhost:8080) | + | * '''SOA3_ENDPOINT''' the endpoint of the other services of soa3 (default <code>http://localhost:8080</code>) |
* '''SERVICE_NAME''' the name of the current instance (default soa3) | * '''SERVICE_NAME''' the name of the current instance (default soa3) | ||
* '''AUTHENTICATION_SESSION''' the lifetime of a security session in minutes (defautl 5 min) | * '''AUTHENTICATION_SESSION''' the lifetime of a security session in minutes (defautl 5 min) | ||
− | * '''CERT_FILE''' x509 certificate in pem format (default /etc/grid-security/hostcert.pem) | + | * '''CERT_FILE''' x509 certificate in pem format (default <code>/etc/grid-security/hostcert.pem</code>) |
− | * '''KEY_FILE''' x509 key in pem format (default /etc/grid-security/hostkey.pem) | + | * '''KEY_FILE''' x509 key in pem format (default <code>/etc/grid-security/hostkey.pem</code>) |
− | * '''TRUST_DIR''' x509 truststore (default /etc/grid-security/certificates) | + | * '''TRUST_DIR''' x509 truststore (default <code>/etc/grid-security/certificates</code>) |
− | * '''TRUST_FILE_EXTENSION''' extension of the ca files in the truststore default .0) | + | * '''TRUST_FILE_EXTENSION''' extension of the ca files in the truststore (default <code>.0</code>) |
+ | * '''AUTHORIZATION_ENABLED''' default true | ||
+ | * '''GCUBE_SCOPE''' the scope for IS queries (default /gcube) | ||
− | services.properties, if exists, contains a list of key=value representing the names and the endpoints of other soa3 instance in | + | If in the entire infrastructure a single SOA3 instance exists, using the certificate and keys in the standard folders (or not using certificates and keys because they are managed by Apache HTTP Server), the default configuration works well. |
+ | |||
+ | The file <code>services.properties</code>, if exists, contains a list of key=value representing the names and the endpoints of other soa3 instance in the infrastructure. This configuration is needed if a security ticket must be propagated and validated in the infrastructure across multiple SOA3 instances (more details in [[SOA3 Connector]]). | ||
===Security=== | ===Security=== | ||
− | For security | + | For security reasons, it is recommended to run the container in HTTPS mode. It is strongly suggested to use Tomcat 7 combined with Apache HTTP Server and mod_jk, setting a certificate trusted by the GHNs. |
+ | |||
+ | The following guides provide information on the configuration of the components: | ||
+ | |||
+ | * a guide to configure Tomcat 7 is available [http://tomcat.apache.org/tomcat-7.0-doc/index.html here] | ||
+ | * a guide to configure Apache HTTP Server is available [http://httpd.apache.org here] | ||
+ | * information on mod_jk is available [http://tomcat.apache.org/connectors-doc here] |
Latest revision as of 17:55, 27 January 2014
Contents
Introduction
SOA3 (Service Oriented Authentication, Authorization and Accounting) is composed of four REST web services:
- Authentication Service
- Authorization Service
- User Management Service
- Connector Service
A detailed section about SOA3 Architecture is provided in Data e-Infrastructure Policy-oriented Security Facilities: this page aims at providing a quick guide on the installation and configuration processes.
Installation steps
The four services are packaged in four wars running on Apache Tomcat 7, in particular:
- authService.war (org.gcube.vo-management.soa3.authentication.rest) is the Authentication Service
- policyService.war (org.gcube.vo-management.soa3.authorization.policymanagementservice) is the Authorization and Policy Management Service
- userService.war (org.gcube.vo-management.soa3.usermanagement.rest) is the User Management Service
- soa3Service (org.gcube.vo-management.soa3.connector.service) is the Connector Service
In addition to Tomcat 7, in order to use Authentication and User Management Services, an LDAP Directory is needed. There are no particular requirements on the LDAP Directory: the tests have been performed on OpenDS 2.2. For the Authorization and Policy Management Service, Argus Authorization Framework 1.5.0 or above is needed.
Configuration
Authentication, Authorization and UserManagement
There is a single, common configuration file for Authentication and User Management Services to be installed under:
$CATALINA_HOME/conf/soa3/soa3.properties.
The file contains the following properties:
- LDAP_URL the url of the LDAP with the user list (default "ldap://127.0.0.1:1389")
- LDAP_BASE the LDAP search base (default "o=mojo")
- LDAP_USER_DN the administrator DN (default "cn=Directory Manager")
- LDAP_PASSWORD the administrator account password (default "secret")
The following properties are used only by Authentication Service. They concern federated authentication and the connection with Shibboleth Service Provider (look at Shibboleth site and Shibboleth installation in gCube guide):
- CA_CERT = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates)
- ASSERTION_SIGNATURE_VALIDATION Assertion signature validation enabled (default true)
- ASSERTION_TIME_VALIDATION Assertion time validation enabled (default true)
- SAML_ASSERTION_SOURCE_URL SAML Source host (default http://localhost/Shibboleth.sso/GetAssertion)
Further information on Shibboleth deployment and configuration can be found in Shibboleth and gCube
The following properties are used for Authorization and Policy Management services:
- POLICY_REPOSITORY_URL the url of the Policy Administration Point (default https://localhost:8150/pap/services)
- AUTHZ_QUERY_ENDPOINT the url of the Authorization query endpoint (default https://localhost:8154/authz)
- POLICY_LOADER_URL the url of the endpoint used to refresh the policies after an update (default http://localhost:8153)
A step by step guide to install Argus Authorization Framework is provided here
Connector
The connector uses two configuration files:
- $CATALINA_HOME/conf/soa3/connector.properties (mandatory)
- $CATALINA_HOME/conf/soa3/services.properties (optional)
The file connector.properties
contains the following properties:
- SOA3_ENDPOINT the endpoint of the other services of soa3 (default
http://localhost:8080
) - SERVICE_NAME the name of the current instance (default soa3)
- AUTHENTICATION_SESSION the lifetime of a security session in minutes (defautl 5 min)
- CERT_FILE x509 certificate in pem format (default
/etc/grid-security/hostcert.pem
) - KEY_FILE x509 key in pem format (default
/etc/grid-security/hostkey.pem
) - TRUST_DIR x509 truststore (default
/etc/grid-security/certificates
) - TRUST_FILE_EXTENSION extension of the ca files in the truststore (default
.0
) - AUTHORIZATION_ENABLED default true
- GCUBE_SCOPE the scope for IS queries (default /gcube)
If in the entire infrastructure a single SOA3 instance exists, using the certificate and keys in the standard folders (or not using certificates and keys because they are managed by Apache HTTP Server), the default configuration works well.
The file services.properties
, if exists, contains a list of key=value representing the names and the endpoints of other soa3 instance in the infrastructure. This configuration is needed if a security ticket must be propagated and validated in the infrastructure across multiple SOA3 instances (more details in SOA3 Connector).
Security
For security reasons, it is recommended to run the container in HTTPS mode. It is strongly suggested to use Tomcat 7 combined with Apache HTTP Server and mod_jk, setting a certificate trusted by the GHNs.
The following guides provide information on the configuration of the components: