SOA3 HowTo

From Gcube Wiki
Revision as of 16:32, 11 March 2013 by Ciro.formisano (Talk | contribs) (Installation steps)

Jump to: navigation, search

Introduction

SOA3 (Service Oriented Authentication, Authorization and Accounting) is composed of four REST web services:

  • Authentication Service
  • Authorization Service
  • User Management Service
  • Connector Service

A detailed section about SOA3 Architecture is provided in Data e-Infrastructure Policy-oriented Security Facilities: this page aims at providing a quick guide on the installation and configuration processes.

Installation steps

The four services are packaged in four wars running on |Apache Tomcat 7, in particular:

  • authService.war (org.gcube.vo-management.soa3.authentication.rest) is the Authentication Service
  • The Authorization Service has not been completed yet
  • userService.war (org.gcube.vo-management.soa3.usermanagement.rest) is the User Management Service
  • soa3Service (org.gcube.vo-management.soa3.connector.service) is the Connector Service

In addition to Tomcat 7, in order to use Authentication and User Management Services, an LDAP Directory is needed. There are no particular requirements on the LDAP Directory: the tests have been performed on |OpenDS 2.2.

Configuration

Authentication and UserManagement

Authentication and User Management Services use a common configuration file:

$CATALINA_HOME/conf/soa3/soa3.properties.

The file contains the following properties:

  • LDAP_URL the url of the LDAP containing the users (default "ldap://127.0.0.1:1389")
  • LDAP_BASE the LDAP search base (default "o=mojo")
  • LDAP_USER_DN the administrator DN (default "cn=Directory Manager")
  • LDAP_PASSWORD the administrator account password (default "secret")

the properties above are used by both Authentication Service and User Management Service

The following properties are related to federated authentication and concerns the connection with Shibboleth

  • CA_CERT = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates)
  • ASSERTION_SIGNATURE_VALIDATION Assertion signature validation enabled (default true)
  • ASSERTION_TIME_VALIDATION Assertion time validation enabled (default true)
  • SAML_ASSERTION_SOURCE_URL SAML Source host (default http://localhost/Shibboleth.sso/GetAssertion)

Further information on Shibboleth deployment and configuration can be found in Shibboleth and gCube


Connector

The connector uses two configuration files:

  • $CATALINA_HOME/conf/soa3/connector.properties (mandatory)
  • $CATALINA_HOME/conf/soa3/services.properties (optional)

The properties of connector.properties are:

  • SOA3_ENDPOINT the endpoint of the other services of soa3 (default http://localhost:8080)
  • SERVICE_NAME the name of the current instance (default soa3)
  • AUTHENTICATION_SESSION the lifetime of a security session in minutes (defautl 5 min)
  • CERT_FILE x509 certificate in pem format (default /etc/grid-security/hostcert.pem)
  • KEY_FILE x509 key in pem format (default /etc/grid-security/hostkey.pem)
  • TRUST_DIR x509 truststore (default /etc/grid-security/certificates)
  • TRUST_FILE_EXTENSION extension of the ca files in the truststore default .0)

services.properties, if exists, contains a list of key=value representing the names and the endpoints of other soa3 instance in our ecosystem.

Security

For security reason, it is recommended to run the container in HTTPS mode. It is strongly suggested to use tomcat combined with Apache HTTPD and mod_jk, setting a certificate trusted by the GHNs.