Difference between revisions of "Argus Configuration"
(Created page with 'In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/t…') |
(2 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
− | In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework</ref>. | + | [[Category: TO BE REMOVED]] |
+ | In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework</ref>. In this section some further configuration steps are provided. | ||
+ | |||
+ | ==Policy Administration Point== | ||
+ | |||
+ | In order to enable the '''Role Based Access Control''': the first two sections of file ''attribute-mappings.ini'' in PAP configuration folder: | ||
<source lang="text"> | <source lang="text"> | ||
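Review bot: The added sentence introducing attribute-mappings.ini ("In order to enable the Role Based Access Control: the first two sections of file ...") has no verb, so it does not say whether the listed sections replace the defaults or are added to them; suggest "... the first two sections of attribute-mappings.ini in the PAP configuration folder must read:". The same hunk tags the page [[Category: TO BE REMOVED]] while extending it, without saying what supersedes it, and the rewritten first line still carries the "Infratructure" typo.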
Line 17: | Line 22: | ||
The other sections of the file are the default ones. | The other sections of the file are the default ones. | ||
+ | ==Policy Decision Point== | ||
+ | The PDP configuration is the one described in Argus Site <ref name="Argus_Site"/>: the only difference is that https should be enabled to secure the communication. | ||
+ | |||
+ | In the file conf/pdp.ini add the following row: | ||
+ | |||
+ | <source lang="text"> | ||
+ | enableSSL = true | ||
+ | </source> | ||
+ | |||
+ | and check if the properties | ||
+ | |||
+ | <source lang="text"> | ||
+ | serviceCertificate | ||
+ | servicePrivateKey | ||
+ | trustInfoDir | ||
+ | </source> | ||
+ | |||
+ | point to the correct ''certificate'', ''private key'' and ''trust store folder''. | ||
+ | |||
+ | An example could be: | ||
+ | |||
+ | <source lang="text"> | ||
+ | serviceCertificate = /etc/grid-security/hostcert.pem | ||
+ | servicePrivateKey = /etc/grid-security/hostkey.pem | ||
+ | trustInfoDir = /etc/grid-security/certificates | ||
+ | </source> | ||
+ | |||
+ | If the non-glite version of the PAP has been downloaded, it could be a good idea to check if the ''paps'' property points to the correct url: | ||
+ | |||
+ | <source lang="text"> | ||
+ | https:<pap_address>/pap/services/ProvisioningService | ||
+ | </source> | ||
+ | |||
+ | sometimes in the default configuration provided the ''paps'' property points to: | ||
+ | |||
+ | <source lang="text"> | ||
+ | https:<pap_address>/glite-authz-pap/services/ProvisioningService | ||
+ | </source> | ||
+ | |||
+ | which could not work correctly. | ||
==References== | ==References== | ||
<references/> | <references/> | ||
+ | |||
+ | [[Category:Security]] |
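Review bot: Both paps examples at the end of the Policy Decision Point section are written as https:<pap_address>/... with no // after the scheme; if <pap_address> stands for host and port, write https://<pap_address>/pap/services/ProvisioningService so the value can be copied as is. The enableSSL instruction also does not name the section of conf/pdp.ini the line belongs in, and "which could not work correctly" should state the failure a reader would actually see.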
Latest revision as of 17:18, 6 July 2016
In the gCube Secure Infrastructure, only the PAP and PDP elements of Argus are needed. The configuration steps are described on the Argus Site[1]. This section provides some further configuration steps.
Policy Administration Point
To enable Role Based Access Control, the first two sections of the file attribute-mappings.ini in the PAP configuration folder should be set as follows:

id = subject
subject.xacml-id = urn:oasis:names:tc:xacml:2.0:subject:role
subject.xacml-datatype = http://www.w3.org/2001/XMLSchema#anyURI
subject.xacml-target-element = subject
subject.xacml-match-function = urn:oasis:names:tc:xacml:1.0:function:anyURI-equal

id = subject-issuer
subject-issuer.xacml-id = http://authz-interop.org/xacml/subject/subject-x509-issuer
subject-issuer.xacml-datatype = http://www.w3.org/2001/XMLSchema#string
subject-issuer.xacml-target-element = subject
subject-issuer.xacml-match-function = urn:oasis:names:tc:xacml:1.0:function:string-equal

The other sections of the file are the default ones.
Policy Decision Point
The PDP configuration is the one described on the Argus Site[1]; the only difference is that HTTPS should be enabled to secure the communication.
In the file conf/pdp.ini add the following row:
enableSSL = true
and check if the properties

serviceCertificate
servicePrivateKey
trustInfoDir

point to the correct certificate, private key and trust store folder.
An example could be:
serviceCertificate = /etc/grid-security/hostcert.pem
servicePrivateKey = /etc/grid-security/hostkey.pem
trustInfoDir = /etc/grid-security/certificates

If the non-glite version of the PAP has been downloaded, it is a good idea to check that the paps property points to the correct URL:
https:<pap_address>/pap/services/ProvisioningService
Sometimes, in the default configuration provided, the paps property points to:
https:<pap_address>/glite-authz-pap/services/ProvisioningService
which may not work correctly.
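
A check for the pdp.ini settings listed above, as an added example that is not part of the original page or of Argus. It assumes the non-glite PAP, reads the keys from whichever section they appear in, and additionally flags a private key readable by group or others; the section names and host names in the sample are constructed.

```python
import configparser
import os
import stat
from urllib.parse import urlparse

REQUIRED_PATHS = ("serviceCertificate", "servicePrivateKey", "trustInfoDir")
# Constructed sample; section names and host names are assumptions, not from the page.
SAMPLE_BAD = """[SERVICE]
hostname = pdp.example.org
[PAP]
paps = https://pap.example.org:8150/glite-authz-pap/services/ProvisioningService
[SECURITY]
serviceCertificate = /etc/grid-security/hostcert.pem
servicePrivateKey = /etc/grid-security/hostkey.pem
"""

def audit_pdp_ini(text, check_files=True):
    """Return a list of findings for the pdp.ini content given as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (enableSSL, trustInfoDir)
    cp.read_string(text)
    # The page does not name the sections, so merge the keys of all of them.
    opts = {k: v.strip() for s in cp.sections() for k, v in cp.items(s)}
    findings = []
    if opts.get("enableSSL", "").lower() != "true":
        findings.append("enableSSL is not set to true")
    for key in REQUIRED_PATHS:
        path = opts.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif check_files and not os.path.exists(path):
            findings.append(f"{key} points to a missing path: {path}")
    key_path = opts.get("servicePrivateKey")
    if check_files and key_path and os.path.isfile(key_path):
        if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
            findings.append(f"private key is readable by group/others: {key_path}")
    for url in opts.get("paps", "").split():
        u = urlparse(url)
        if u.scheme != "https" or not u.netloc:
            findings.append(f"paps entry is not a well-formed https URL: {url}")
        elif u.path != "/pap/services/ProvisioningService":
            findings.append(f"paps entry has an unexpected path: {u.path}")
    return findings

if __name__ == "__main__":
    for finding in audit_pdp_ini(SAMPLE_BAD, check_files=False):
        print(finding)
```

Run it with check_files=True on the PDP host itself so that the certificate, key and trust store paths are also tested for existence.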