Difference between revisions of "Argus Configuration"

From Gcube Wiki
Line 1: Line 1:
In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework</ref>. The only special configuration needed enables '''Role Based Access Control''': it concerns the first two sections of file ''attribute-mappings.ini'' in PAP configuration folder:  
+
In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework</ref>. In this section some further configuration steps are provided.
 +
 
 +
==Policy Administration Point==
 +
 
 +
In order to enable the '''Role Based Access Control''': the first two sections of file ''attribute-mappings.ini'' in PAP configuration folder:  
  
 
<source lang="text">
 
<source lang="text">
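Review bot: The rewritten sentence under ==Policy Administration Point== ("In order to enable the Role Based Access Control: the first two sections of file attribute-mappings.ini in PAP configuration folder:") has no verb, so it no longer says what the reader should do with those two sections; the removed wording at least said the configuration "concerns" them. Suggest something like "To enable Role Based Access Control, set the first two sections of the file attribute-mappings.ini in the PAP configuration folder as follows:". The typo "Infratructure" is also carried over from the old first line into the new one.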
Line 17: Line 21:
 
The other sections of the file are the default ones.
 
The other sections of the file are the default ones.
  
 +
==Policy Decision Point==
 +
The PDP configuration is the one described in Argus Site <ref name="Argus_Site"/>: the only difference is that https should be enabled to secure the communication.
 +
 +
In the file conf/pdp.ini add the following row:
 +
 +
<source lang="text">
 +
enableSSL = true
 +
</source>
 +
 +
and check if the properties
 +
 +
<source lang="text">
 +
serviceCertificate
 +
servicePrivateKey
 +
trustInfoDir
 +
</source>
 +
 +
point to the correct ''certificate'', ''private key'' and ''trust store folder''.
 +
 +
An example could be:
 +
 +
<source lang="text">
 +
serviceCertificate = /etc/grid-security/hostcert.pem
 +
servicePrivateKey = /etc/grid-security/hostkey.pem
 +
trustInfoDir = /etc/grid-security/certificates
 +
</source>
 +
 +
If the non-glite version of the PAP has been downloaded, it could be a good idea to check if the ''paps'' property points to the correct url:
 +
 +
<source lang="text">
 +
https:<pap_address>/pap/services/ProvisioningService
 +
</source>
 +
 +
sometimes in the default configuration provided the ''paps'' property points to:
 +
 +
<source lang="text">
 +
https:<pap_address>/glite-authz-pap/services/ProvisioningService
 +
</source>
 +
 +
which could not work correctly.
  
 
==References==
 
==References==
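Review bot: In the added Policy Decision Point section, both paps examples are written as https:<pap_address>/... with no "//" after the scheme, so a reader who copies the value into conf/pdp.ini ends up with a URL that has no host part. Suggest https://<pap_address>/pap/services/ProvisioningService, and the same for the glite-authz-pap variant. The closing "which could not work correctly" would read more clearly as "which may not work correctly".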

Revision as of 14:06, 4 October 2011

In the gCube Secure Infrastructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site[1]. This section provides some further configuration steps.

Policy Administration Point

To enable Role Based Access Control, set the first two sections of the file attribute-mappings.ini in the PAP configuration folder as follows:

id = subject
subject.xacml-id = urn:oasis:names:tc:xacml:2.0:subject:role
subject.xacml-datatype = http://www.w3.org/2001/XMLSchema#anyURI
subject.xacml-target-element = subject
subject.xacml-match-function = urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
 
id = subject-issuer
subject-issuer.xacml-id = http://authz-interop.org/xacml/subject/subject-x509-issuer
subject-issuer.xacml-datatype = http://www.w3.org/2001/XMLSchema#string
subject-issuer.xacml-target-element = subject
subject-issuer.xacml-match-function = urn:oasis:names:tc:xacml:1.0:function:string-equal

The other sections of the file are the default ones.

Policy Decision Point

The PDP configuration is the one described in Argus Site [1]; the only difference is that HTTPS should be enabled to secure the communication.

In the file conf/pdp.ini add the following line:

enableSSL = true

and check that the properties

serviceCertificate
servicePrivateKey
trustInfoDir

point to the correct certificate, private key and trust store folder.

An example could be:

serviceCertificate = /etc/grid-security/hostcert.pem
servicePrivateKey = /etc/grid-security/hostkey.pem
trustInfoDir = /etc/grid-security/certificates

If the non-glite version of the PAP has been downloaded, it is a good idea to check that the paps property points to the correct URL:

https://<pap_address>/pap/services/ProvisioningService

Sometimes, in the default configuration provided, the paps property points to:

https://<pap_address>/glite-authz-pap/services/ProvisioningService

which may not work correctly.
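
The checks described in this section (enableSSL, the three certificate-related paths and the paps URL) can be run as a script against the text of conf/pdp.ini. The following Python script is an added example, not part of the original wiki page or of Argus; the function names, the constructed sample and the placeholder host pap.example.org are assumptions, as is treating paps as a space-separated list.

```python
import os
from urllib.parse import urlparse

PATH_KEYS = ("serviceCertificate", "servicePrivateKey", "trustInfoDir")
EXPECTED_PAP_PATH = "/pap/services/ProvisioningService"

# Constructed sample input; pap.example.org is a placeholder host.
SAMPLE_BAD = """\
serviceCertificate = /etc/grid-security/hostcert.pem
servicePrivateKey = /etc/grid-security/hostkey.pem
trustInfoDir = /etc/grid-security/certificates
paps = https://pap.example.org/glite-authz-pap/services/ProvisioningService
"""

def parse_properties(text):
    """Collect key = value pairs; [section] headers and comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_pdp_ini(text, exists=os.path.exists):
    """Return a list of problems found in the text of a pdp.ini file."""
    props = parse_properties(text)
    problems = []
    if props.get("enableSSL", "").lower() != "true":
        problems.append("enableSSL is not set to true")
    for key in PATH_KEYS:
        path = props.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not exists(path):
            problems.append(f"{key} points to a missing path: {path}")
    # Assumption: several PAP endpoints may be listed, separated by spaces.
    for url in props.get("paps", "").split():
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"paps is not a well-formed https URL: {url}")
        elif parsed.path != EXPECTED_PAP_PATH:
            problems.append(f"paps has an unexpected path: {parsed.path}")
    return problems

if __name__ == "__main__":
    for problem in check_pdp_ini(SAMPLE_BAD, exists=lambda p: True):
        print("PROBLEM:", problem)
```

On a real host, pass the contents of conf/pdp.ini and leave exists at its default so that the certificate, key and trust store paths are checked on disk.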

References

  1. https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework