Difference between revisions of "How To Configure Security"
(New page: ciao) |
|||
| Line 1: | Line 1: | ||
| − | + | This page contains useful information about configuration of DHN and services to comply with the DILIGENT Security Model | |
| + | |||
| + | ==Configure DHN security== | ||
| + | |||
| + | This step must be performed only once when the DHN is installed. With this step CA certificates and DHN credentials are installed. At the end the container is ready to host secure services. | ||
| + | |||
| + | ===Install credentials=== | ||
| + | |||
| + | ====Install CA certificates==== | ||
| + | |||
| + | Follows [http://glite.web.cern.ch/glite/packages/R3.0/R20060502/doc/installation_guide_3.0-2.html#_Toc135537472 this] document to install trusted CA certificates in your new DHN node. | ||
| + | |||
| + | You have now to install certificates of the CA trusted in DILIGENT. You can find these certificates in rpm format [http://dlib.sns.it/bscw/bscw.cgi/0/19457 here] | ||
| + | It is always a good idea to (periodically) refresh Certificates Revocation Lists (CRL), these lists contains certificates revoked by trusted CAs. To refresh these certificate execute this command: <code>/usr/sbin/fetch-crl -o /etc/grid-security/certificates</code> | ||
| + | |||
| + | ====Install host credentials==== | ||
| + | |||
| + | copy host certificate and private key respectively in: | ||
| + | |||
| + | * <code>/etc/grid-security/hostpubliccert.pem</code> (please check that the certificate file has -rw-r--r-- permissions) | ||
| + | * <code>/etc/grid-security/hostprivatekey.pem</code> (please check that the private key file has -r-------- permissions). | ||
| + | |||
| + | You can obtain host credentials (certificate and private key from an official Certification Authority) | ||
| + | |||
| + | ====Configure container security==== | ||
| + | |||
| + | Set Global security descriptor of Java-WS-Core container contained in file <code>$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml</code>. | ||
| + | |||
| + | See [[Media:global_security_descriptor.xml]] example. | ||
| + | |||
| + | Modify the $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file adding following lines inside the <code><globalConfiguration></code> tag: | ||
| + | |||
| + | <parameter name="logicalHost" value="yourHostName.yourDomain"> | ||
| + | <parameter name="publishHostName" value="true"/> | ||
| + | |||
| + | <parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/> | ||
| + | |||
| + | (of course you have to replace yourHostName and yourDomain properties with correct values, E.g: grids15.eng.it) | ||
| + | |||
| + | ===Deploy required libraries and services=== | ||
| + | |||
| + | Following libraries must be copied in the local <code>$GLOBUS_LOCATION/lib</code> directory | ||
| + | |||
| + | * bcprov-jdk14-122.jar : bouncycastle encryption library | ||
| + | * glite-security-util-java.jar : gLite security libraries | ||
| + | * dvos.authentication-api.jar : authentication utility classes | ||
| + | * dvos.delegation-stubs.jar : delegation stubs | ||
| + | * dvos.authorization-stubs.jar : authorization stubs | ||
| + | * dvos.authorization-api.jar : authorization API | ||
| + | |||
| + | Following gar files must be deployed in your DHN | ||
| + | |||
| + | * dvos.common.gar : common DVOS classes and XML data types | ||
| + | * dvos.delegation-service.gar : delegation service | ||
| + | |||
| + | All these packages are available [http://grids17.eng.it/engrepository/ here] except for the bouncycastle one (the first one) you can find [http://www.bouncycastle.org/download/bcprov-jdk14-122.jar here] | ||
| + | |||
| + | Please install the 0_1_1 version of DVOS components (most stable versions). | ||
| + | |||
| + | Then start contianer using the <code>-nosec</code> option (This disable HTTPS transport and enbale GSISecureConversation support) | ||
| + | |||
| + | ===Configure VOMS credentials=== | ||
| + | |||
| + | VOMS credentials must be installed in the local system to verify VOMS assertions. To do this first of all copy in the <code>/etc/grid-security/vomsdir</code> directory certificates of trusted VOMS servers. You can find certificates of VOMS used in DILIGENT [http://dlib.sns.it/bscw/bscw.cgi/0/22426 here] (please check that certificate files have <code>-rw-r--r--</code> permissions). | ||
| + | |||
| + | You also need to create vomses files in <code>/opt/glite/etc/vomses</code>. These files should follows this naming convention: | ||
| + | |||
| + | <name of the VO>-<hostname of the VOMS service> | ||
| + | |||
| + | (E.g: <code>diligent-grids10.eng.it</code>) | ||
| + | |||
| + | The content of each file must be as follows (on one single line): | ||
| + | |||
| + | "<name of the VO>" "<hostname of the VOMS service>" "<port of the VOMS service>" | ||
| + | "<Distinguished Name of the VOMS certificate>" "<local name of the VO>" | ||
| + | |||
| + | E.g: | ||
| + | |||
| + | "diligent" "grids10.eng.it" "15001" | ||
| + | "/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=grids10.eng.it" "diligent" | ||
Revision as of 20:37, 14 March 2007
This page contains useful information about configuration of DHN and services to comply with the DILIGENT Security Model
Contents
Configure DHN security
This step must be performed only once when the DHN is installed. With this step CA certificates and DHN credentials are installed. At the end the container is ready to host secure services.
Install credentials
Install CA certificates
Follows this document to install trusted CA certificates in your new DHN node.
You have now to install certificates of the CA trusted in DILIGENT. You can find these certificates in rpm format here
It is always a good idea to (periodically) refresh Certificates Revocation Lists (CRL), these lists contains certificates revoked by trusted CAs. To refresh these certificate execute this command: /usr/sbin/fetch-crl -o /etc/grid-security/certificates
Install host credentials
copy host certificate and private key respectively in:
-
/etc/grid-security/hostpubliccert.pem(please check that the certificate file has -rw-r--r-- permissions) -
/etc/grid-security/hostprivatekey.pem(please check that the private key file has -r-------- permissions).
You can obtain host credentials (certificate and private key from an official Certification Authority)
Configure container security
Set Global security descriptor of Java-WS-Core container contained in file $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml.
See Media:global_security_descriptor.xml example.
Modify the $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd file adding following lines inside the <globalConfiguration> tag:
<parameter name="logicalHost" value="yourHostName.yourDomain"> <parameter name="publishHostName" value="true"/> <parameter name="containerSecDesc" value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
(of course you have to replace yourHostName and yourDomain properties with correct values, E.g: grids15.eng.it)
Deploy required libraries and services
Following libraries must be copied in the local $GLOBUS_LOCATION/lib directory
- bcprov-jdk14-122.jar : bouncycastle encryption library
- glite-security-util-java.jar : gLite security libraries
- dvos.authentication-api.jar : authentication utility classes
- dvos.delegation-stubs.jar : delegation stubs
- dvos.authorization-stubs.jar : authorization stubs
- dvos.authorization-api.jar : authorization API
Following gar files must be deployed in your DHN
- dvos.common.gar : common DVOS classes and XML data types
- dvos.delegation-service.gar : delegation service
All these packages are available here except for the bouncycastle one (the first one) you can find here
Please install the 0_1_1 version of DVOS components (most stable versions).
Then start contianer using the -nosec option (This disable HTTPS transport and enbale GSISecureConversation support)
Configure VOMS credentials
VOMS credentials must be installed in the local system to verify VOMS assertions. To do this first of all copy in the /etc/grid-security/vomsdir directory certificates of trusted VOMS servers. You can find certificates of VOMS used in DILIGENT here (please check that certificate files have -rw-r--r-- permissions).
You also need to create vomses files in /opt/glite/etc/vomses. These files should follows this naming convention:
<name of the VO>-<hostname of the VOMS service>
(E.g: diligent-grids10.eng.it)
The content of each file must be as follows (on one single line):
"<name of the VO>" "<hostname of the VOMS service>" "<port of the VOMS service>" "<Distinguished Name of the VOMS certificate>" "<local name of the VO>"
E.g:
"diligent" "grids10.eng.it" "15001" "/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=grids10.eng.it" "diligent"
