Difference between revisions of "Argus Configuration"
Line 1: | Line 1: | ||
− | In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework</ref>. | + | In gCube Secure Infratructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site<ref name="Argus_Site">https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework</ref>. In this section some further configuration steps are provided. |
+ | |||
+ | ==Policy Administration Point== | ||
+ | |||
+ | In order to enable the '''Role Based Access Control''': the first two sections of file ''attribute-mappings.ini'' in PAP configuration folder: | ||
<source lang="text"> | <source lang="text"> | ||
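Review bot: the sentence added under ==Policy Administration Point== ("In order to enable the Role Based Access Control: the first two sections of file attribute-mappings.ini in PAP configuration folder:") has no verb, so it never says what the reader should do with those two sections. Suggest wording it as an instruction, for example "To enable Role Based Access Control, set the first two sections of attribute-mappings.ini in the PAP configuration folder as follows:". The first added line also carries over the typo "Infratructure" from the previous revision.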
Line 17: | Line 21: | ||
The other sections of the file are the default ones. | The other sections of the file are the default ones. | ||
+ | ==Policy Decision Point== | ||
+ | The PDP configuration is the one described in Argus Site <ref name="Argus_Site"/>: the only difference is that https should be enabled to secure the communication. | ||
+ | |||
+ | In the file conf/pdp.ini add the following row: | ||
+ | |||
+ | <source lang="text"> | ||
+ | enableSSL = true | ||
+ | </source> | ||
+ | |||
+ | and check if the properties | ||
+ | |||
+ | <source lang="text"> | ||
+ | serviceCertificate | ||
+ | servicePrivateKey | ||
+ | trustInfoDir | ||
+ | </source> | ||
+ | |||
+ | point to the correct ''certificate'', ''private key'' and ''trust store folder''. | ||
+ | |||
+ | An example could be: | ||
+ | |||
+ | <source lang="text"> | ||
+ | serviceCertificate = /etc/grid-security/hostcert.pem | ||
+ | servicePrivateKey = /etc/grid-security/hostkey.pem | ||
+ | trustInfoDir = /etc/grid-security/certificates | ||
+ | </source> | ||
+ | |||
+ | If the non-glite version of the PAP has been downloaded, it could be a good idea to check if the ''paps'' property points to the correct url: | ||
+ | |||
+ | <source lang="text"> | ||
+ | https:<pap_address>/pap/services/ProvisioningService | ||
+ | </source> | ||
+ | |||
+ | sometimes in the default configuration provided the ''paps'' property points to: | ||
+ | |||
+ | <source lang="text"> | ||
+ | https:<pap_address>/glite-authz-pap/services/ProvisioningService | ||
+ | </source> | ||
+ | |||
+ | which could not work correctly. | ||
==References== | ==References== |
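Review bot: both example values for the paps property are written as https:<pap_address>/... with no // after the scheme, so a reader who substitutes a host name ends up with an invalid URL. Suggest https://<pap_address>/pap/services/ProvisioningService, and the same correction for the glite-authz-pap form. The closing "which could not work correctly" is also vague: since the paragraph is about the non-glite PAP, say that the glite-authz-pap path may not work with that version.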
Revision as of 14:06, 4 October 2011
In gCube Secure Infrastructure only the PAP and PDP elements of Argus are needed. The configuration steps are described in Argus Site[1]. This section provides some further configuration steps.
==Policy Administration Point==
To enable Role Based Access Control, set the first two sections of the file attribute-mappings.ini in the PAP configuration folder as follows:
<source lang="text">
id = subject
subject.xacml-id = urn:oasis:names:tc:xacml:2.0:subject:role
subject.xacml-datatype = http://www.w3.org/2001/XMLSchema#anyURI
subject.xacml-target-element = subject
subject.xacml-match-function = urn:oasis:names:tc:xacml:1.0:function:anyURI-equal

id = subject-issuer
subject-issuer.xacml-id = http://authz-interop.org/xacml/subject/subject-x509-issuer
subject-issuer.xacml-datatype = http://www.w3.org/2001/XMLSchema#string
subject-issuer.xacml-target-element = subject
subject-issuer.xacml-match-function = urn:oasis:names:tc:xacml:1.0:function:string-equal
</source>
The other sections of the file are the default ones.
==Policy Decision Point==
The PDP configuration is the one described in Argus Site[1]; the only difference is that HTTPS should be enabled to secure the communication.
In the file conf/pdp.ini add the following line:

<source lang="text">
enableSSL = true
</source>

and check that the properties

<source lang="text">
serviceCertificate
servicePrivateKey
trustInfoDir
</source>

point to the correct certificate, private key and trust store folder.

An example could be:

<source lang="text">
serviceCertificate = /etc/grid-security/hostcert.pem
servicePrivateKey = /etc/grid-security/hostkey.pem
trustInfoDir = /etc/grid-security/certificates
</source>
If the non-glite version of the PAP has been downloaded, it is a good idea to check that the paps property points to the correct URL:

<source lang="text">
https://<pap_address>/pap/services/ProvisioningService
</source>

Sometimes, in the default configuration provided, the paps property points to:

<source lang="text">
https://<pap_address>/glite-authz-pap/services/ProvisioningService
</source>

which may not work correctly.
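
The conf/pdp.ini checks described in this section can be scripted. The following is an added example, not part of the original page or of Argus. Assumptions: `parse_ini` and `check_pdp_config` are hypothetical helper names, the sample host name is constructed, the expected path is the one for the non-glite PAP, and the private-key permission check and the whitespace-separated handling of `paps` go beyond what the page states.

```python
import os
from urllib.parse import urlparse

PAP_PATH = "/pap/services/ProvisioningService"  # non-glite PAP path from this page

def parse_ini(text):
    """Flat key -> value map; section headers and comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_pdp_config(text, check_files=True):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = parse_ini(text), []
    if props.get("enableSSL", "").lower() != "true":
        findings.append("enableSSL is not set to true")
    for key in ("serviceCertificate", "servicePrivateKey", "trustInfoDir"):
        path = props.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif check_files:
            found = os.path.isdir(path) if key == "trustInfoDir" else os.path.isfile(path)
            if not found:
                findings.append(f"{key} path is missing or of the wrong type: {path}")
            elif key == "servicePrivateKey" and os.stat(path).st_mode & 0o077:
                # Added check, not from the page: key usable by group or other.
                findings.append(f"servicePrivateKey is accessible beyond its owner: {path}")
    for url in props.get("paps", "").split():  # assumed: whitespace-separated URLs
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"paps entry is not an https URL: {url}")
        elif parsed.path != PAP_PATH:
            findings.append(f"paps entry has unexpected path: {parsed.path}")
    return findings

# Constructed sample pdp.ini; the host name is a placeholder, not from the page.
SAMPLE = """\
enableSSL = true
serviceCertificate = /etc/grid-security/hostcert.pem
servicePrivateKey = /etc/grid-security/hostkey.pem
trustInfoDir = /etc/grid-security/certificates
paps = https://pap.example.org/glite-authz-pap/services/ProvisioningService
"""
if __name__ == "__main__":
    print("\n".join(check_pdp_config(SAMPLE, check_files=False)))
```

Run it with `check_files=True` on the PDP host itself so that the certificate, key and trust store paths are verified against the real file system.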