''Difference between two revisions of this page (10 intermediate revisions by 4 users not shown).''

'''Current revision'''

==Configure GHN security==

[https://wiki.gcore.research-infrastructures.eu/gCore-dev/index.php/Administrator_Guide#Configure_container_security Configure security]

'''Previous revision'''

This page contains useful information for DILIGENT administrators about configuring a DHN to comply with the [[DILIGENT Security Model]].

==Configure DHN security==

This step must be performed only once, when the DHN is installed. It installs the CA certificates and the DHN credentials; at the end the container is ready to host secure services.

===Run the ntp daemon===

It is necessary to run the ntp daemon on your machine to properly validate credentials (certificate validity periods are checked against the local clock).

This can be done with the command:

<code>/etc/init.d/ntpd start</code>

For more information about the installation and configuration of the ntp daemon see [http://grid-deployment.web.cern.ch/grid-deployment/documentation/LCG2-Manual-Install/LCG2-Manual-Install.html#SECTION00050000000000000000 here].

===Install CA certificates===

Follow [http://glite.web.cern.ch/glite/packages/R3.0/R20060502/doc/installation_guide_3.0-2.html#_Toc135537472 this] document to install trusted CA certificates on your new DHN node.

You now have to install the certificates of the CAs trusted in DILIGENT. You can find these certificates in rpm format [http://dlib.sns.it/bscw/bscw.cgi/0/19457 here].

It is always a good idea to (periodically) refresh the Certificate Revocation Lists (CRLs): these lists contain the certificates revoked by the trusted CAs. To refresh them execute this command: <code>/usr/sbin/fetch-crl -o /etc/grid-security/certificates</code>

[[Image:Info.gif]] ''You should schedule the execution of the <code>/usr/sbin/fetch-crl</code> command with cron to avoid certificate verification exceptions. The [http://it.wikipedia.org/wiki/Cron wikipedia cron] page explains how to do this in detail.''

===Install host credentials===

Copy the host certificate and the private key respectively to:

* <code>/etc/grid-security/hostpubliccert.pem</code> (please check that the certificate file has <code>-rw-r--r--</code> permissions)
* <code>/etc/grid-security/hostprivatekey.pem</code> (please check that the private key file has <code>-r--------</code> permissions).

Both certificate and private key must be owned by the user that runs the container.

You can obtain host credentials (certificate and private key) from an official Certification Authority.
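The permission and ownership requirements above are easy to get wrong after copying files as root. The following script is an added example written for this page (it is not part of the original page, nor of the Globus or gLite tooling): it converts the <code>ls</code>-style permission strings the guide uses into numeric modes and reports any file whose mode or owner differs from what the guide requires. The default paths are the guide's; the helper names and the temporary files used in <code>demo()</code> are this example's own constructions.

```python
"""Check that DHN host credentials have the permissions and owner the guide
requires. Added example for this wiki page; not part of the original page or
of the Globus/gLite tooling. The two paths and the expected modes come from
the guide; the helper names below are this example's own."""
import os
import stat
import tempfile

# Paths from the guide.
CERT_PATH = "/etc/grid-security/hostpubliccert.pem"
KEY_PATH = "/etc/grid-security/hostprivatekey.pem"


def mode_from_ls(perm: str) -> int:
    """Convert an ls-style string such as '-r--------' into a numeric mode (0o400)."""
    bits = perm[1:]  # drop the leading file-type character
    if len(bits) != 9 or any(c not in "rwx-" for c in bits):
        raise ValueError(f"bad permission string: {perm!r}")
    mode = 0
    for ch in bits:
        mode = (mode << 1) | (ch != "-")
    return mode


def check_credential(path: str, expected_perm: str, container_uid: int) -> list:
    """Return a list of problems for one file ([] when it is as the guide requires)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    actual = stat.S_IMODE(st.st_mode)
    expected = mode_from_ls(expected_perm)
    if actual != expected:
        problems.append(f"{path}: mode {actual:04o}, expected {expected:04o} ({expected_perm})")
    if st.st_uid != container_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected uid {container_uid} (container user)")
    return problems


def check_host_credentials(cert_path=CERT_PATH, key_path=KEY_PATH, container_uid=None) -> list:
    """Check both files; defaults to the guide's paths and to the current user
    as the user that runs the container."""
    if container_uid is None:
        container_uid = os.getuid()
    return (check_credential(cert_path, "-rw-r--r--", container_uid)
            + check_credential(key_path, "-r--------", container_uid))


def demo() -> dict:
    """Constructed demonstration in a temporary directory: a correct pair of files,
    then the same pair after the private key has been made world-readable."""
    d = tempfile.mkdtemp()
    cert = os.path.join(d, "hostpubliccert.pem")
    key = os.path.join(d, "hostprivatekey.pem")
    for path, mode in ((cert, 0o644), (key, 0o400)):
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real PEM file\n")
        os.chmod(path, mode)
    good = check_host_credentials(cert, key)
    os.chmod(key, 0o644)  # the misconfiguration the guide warns against
    bad = check_host_credentials(cert, key)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Run it as the user that will start the container (or pass that user's uid as <code>container_uid</code>); with no arguments it checks the two paths from the guide.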
===Configure container security===

Set the global security descriptor of the Java WS Core container in the file <code>$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml</code>.

See [[Media:global_security_descriptor.xml]] for an example.

[[Image:Alert_icon2.gif]] Please be sure to properly set the <code>&lt;context-timer-interval value="300000"/&gt;</code> property to ease the effect of the GSISecureConversation memory leak problem of the Java WS Core.

Modify the <code>$GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd</code> file adding the following lines inside the <code>&lt;globalConfiguration&gt;</code> tag:

<pre>
<parameter name="logicalHost" value="yourHostName.yourDomain"/>
<parameter name="publishHostName" value="true"/>
<parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
</pre>

(of course you have to replace yourHostName and yourDomain with the correct values, e.g. grids15.eng.it)

Then start the container using the <code>-nosec</code> option (this disables the HTTPS transport and enables GSISecureConversation support).
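Editing <code>server-config.wsdd</code> by hand risks a second <code>logicalHost</code> entry or a parameter pasted outside <code>&lt;globalConfiguration&gt;</code>. The script below is an added example for this page (not part of the original page nor of Globus): it sets the three parameters listed above inside <code>&lt;globalConfiguration&gt;</code>, updating an existing parameter of the same name instead of duplicating it, and reads them back for verification. The WSDD document in <code>SAMPLE_WSDD</code> is a constructed stand-in for the real file; the Axis WSDD namespace is the real one, and the function names are this example's own.

```python
"""Set the container-security parameters from the guide inside the
<globalConfiguration> element of a server-config.wsdd file, idempotently.
Added example for this wiki page; not part of Globus or of the original page.
SAMPLE_WSDD is a constructed stand-in for
$GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd."""
import xml.etree.ElementTree as ET

WSDD_NS = "http://xml.apache.org/axis/wsdd/"  # Apache Axis deployment descriptor namespace
ET.register_namespace("", WSDD_NS)  # keep the default namespace on output

# Constructed minimal descriptor; a real one carries many more elements.
SAMPLE_WSDD = f"""<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="{WSDD_NS}" xmlns:java="{WSDD_NS}providers/java">
  <globalConfiguration>
    <parameter name="logicalHost" value="localhost"/>
    <parameter name="disableDNS" value="true"/>
  </globalConfiguration>
</deployment>
"""


def security_parameters(host_fqdn: str) -> dict:
    """The three parameters the guide says to add, for the given host FQDN."""
    return {
        "logicalHost": host_fqdn,
        "publishHostName": "true",
        "containerSecDesc": "etc/globus_wsrf_core/global_security_descriptor.xml",
    }


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _global_configuration(root):
    return next((e for e in root.iter() if _local(e.tag) == "globalConfiguration"), None)


def apply_security_parameters(wsdd_text: str, host_fqdn: str) -> str:
    """Return the WSDD text with the parameters set inside <globalConfiguration>.
    A parameter that already exists is updated, never added a second time."""
    root = ET.fromstring(wsdd_text)
    global_conf = _global_configuration(root)
    if global_conf is None:
        raise ValueError("no <globalConfiguration> element in server-config.wsdd")
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    existing = {p.get("name"): p for p in global_conf if _local(p.tag) == "parameter"}
    for name, value in security_parameters(host_fqdn).items():
        if name in existing:
            existing[name].set("value", value)
        else:
            ET.SubElement(global_conf, f"{ns}parameter", name=name, value=value)
    return ET.tostring(root, encoding="unicode")


def read_parameters(wsdd_text: str) -> dict:
    """Read back name -> value of every <parameter> under <globalConfiguration>."""
    root = ET.fromstring(wsdd_text)
    global_conf = _global_configuration(root)
    if global_conf is None:
        return {}
    return {p.get("name"): p.get("value") for p in global_conf if _local(p.tag) == "parameter"}


if __name__ == "__main__":
    # Constructed host name in the guide's own style; replace with the real FQDN.
    print(apply_security_parameters(SAMPLE_WSDD, "grids15.eng.it"))
```

On a real node read the file with <code>open(path).read()</code>, pass the result through <code>apply_security_parameters</code> with the host's FQDN, and write it back after checking <code>read_parameters</code> on the output.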
===Configure VOMS credentials===

VOMS credentials must be installed on the local system to verify VOMS assertions. To do this, first copy the certificates of the trusted VOMS servers into the <code>/etc/grid-security/vomsdir</code> directory. You can find the certificates of the VOMS servers used in DILIGENT [http://dlib.sns.it/bscw/bscw.cgi/0/22426 here] (please check that the certificate files have <code>-rw-r--r--</code> permissions).

You also need to create vomses files in <code>/opt/glite/etc/vomses</code>. These files should follow this naming convention:

<pre>
<name of the VO>-<hostname of the VOMS service>
</pre>

(e.g. <code>diligent-grids10.eng.it</code>)

The content of each file must be as follows (on one single line):

<pre>
"<name of the VO>" "<hostname of the VOMS service>" "<port of the VOMS service>" "<Distinguished Name of the VOMS certificate>" "<local name of the VO>"
</pre>

E.g.:

<pre>
"diligent" "grids13.eng.it" "15001" "/C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids13.eng.it" "diligent"
</pre>

[[Image:Info.gif]] ''Please notice that the VO name 'diligent' should be associated with the VOMS service running on grids13.eng.it; this ensures that the assertions contained in proxy credentials are properly validated.''
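A vomses file that parses but names the wrong host silently breaks assertion validation, which is the point of the note above. The script below is an added example for this page (not part of the original page nor of the gLite VOMS client): it parses the five quoted fields of a vomses file, checks that the file name follows the <code>&lt;VO&gt;-&lt;host&gt;</code> convention and that the CN of the VOMS certificate DN matches the host field. The example line is the guide's own; the temporary directory and the function names are this example's constructions, and the CN check is a heuristic this example adds, not a rule stated by the guide.

```python
"""Parse and sanity-check vomses files in the format the guide describes.
Added example for this wiki page; not part of gLite/VOMS or of the original
page. EXAMPLE_LINE is the guide's example; the temporary files written by
demo() and the helper names are this example's own constructions."""
import os
import re
import shlex
import tempfile

FIELDS = ("vo_name", "voms_host", "voms_port", "voms_dn", "local_vo_name")

# The guide's example vomses content, reused as constructed test input.
EXAMPLE_LINE = ('"diligent" "grids13.eng.it" "15001" '
                '"/C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids13.eng.it" "diligent"')


def parse_vomses_line(line: str) -> dict:
    """Split one vomses line into its five fields, honouring the double quotes
    (the DN contains spaces), and validate the port."""
    fields = shlex.split(line, posix=True)
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} quoted fields, got {len(fields)}")
    entry = dict(zip(FIELDS, fields))
    port = entry["voms_port"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    return entry


def check_vomses_file(path: str) -> list:
    """Return a list of problems with one vomses file ([] if it looks right)."""
    with open(path) as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    if len(lines) != 1:
        return [f"{path}: expected exactly one line, found {len(lines)}"]
    try:
        entry = parse_vomses_line(lines[0])
    except ValueError as exc:
        return [f"{path}: {exc}"]
    problems = []
    expected_name = f"{entry['vo_name']}-{entry['voms_host']}"
    if os.path.basename(path) != expected_name:
        problems.append(f"{path}: file name should be {expected_name!r}")
    # Heuristic added here: the last CN of the VOMS certificate DN should be the host.
    m = re.search(r"/CN=([^/]+)$", entry["voms_dn"])
    if not m or m.group(1) != entry["voms_host"]:
        problems.append(f"{path}: certificate CN does not match host {entry['voms_host']!r}")
    return problems


def check_vomses_dir(directory: str) -> dict:
    """Check every file in a vomses directory (e.g. /opt/glite/etc/vomses)."""
    return {name: check_vomses_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def demo() -> dict:
    """Constructed demonstration: the guide's line under a matching file name and
    under a file name that points at a different host."""
    d = tempfile.mkdtemp()
    for name in ("diligent-grids13.eng.it", "diligent-grids10.eng.it"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(EXAMPLE_LINE + "\n")
    return check_vomses_dir(d)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Point <code>check_vomses_dir</code> at <code>/opt/glite/etc/vomses</code> on a configured node; every file should come back with an empty problem list.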
==Optional Configuration==

===Install voms-proxy-init command===

Download the required [http://dlib.sns.it/bscw/bscw.cgi/0/33487 rpm and configuration file] from BSCW.

Install the rpms in the order in which they appear on BSCW.

Copy the configuration file to the directory <code>/etc/glite/profile.d/</code>.

Modify the configuration file to set the right <code>JAVA_HOME</code> and <code>GLOBUS_LOCATION</code>.

[[Category:Security]]