Difference between revisions of "SOA3 HowTo"
(→Installation steps) |
(→Authentication and UserManagement) |
||
| Line 21: | Line 21: | ||
===Configuration=== | ===Configuration=== | ||
==== Authentication and UserManagement==== | ==== Authentication and UserManagement==== | ||
| − | Authentication and User Management Services | + | There is a single, common configuration file for Authentication and User Management Services: |
$CATALINA_HOME/conf/soa3/soa3.properties. | $CATALINA_HOME/conf/soa3/soa3.properties. | ||
| Line 27: | Line 27: | ||
The file contains the following properties: | The file contains the following properties: | ||
| − | * '''LDAP_URL''' the url of the LDAP | + | * '''LDAP_URL''' the url of the LDAP with the user list (default "ldap://127.0.0.1:1389") |
* '''LDAP_BASE''' the LDAP search base (default "o=mojo") | * '''LDAP_BASE''' the LDAP search base (default "o=mojo") | ||
* '''LDAP_USER_DN''' the administrator DN (default "cn=Directory Manager") | * '''LDAP_USER_DN''' the administrator DN (default "cn=Directory Manager") | ||
* '''LDAP_PASSWORD''' the administrator account password (default "secret") | * '''LDAP_PASSWORD''' the administrator account password (default "secret") | ||
| − | |||
| − | The following properties are | + | The following properties are used only by Authentication Service They are concerns federated authentication and the connection with Shibboleth Service Provider (look at [http://shibboleth.net/ Shibboleth site] and [[Shibboleth and gCube|Shibboleth installation giude in gCube]]): |
* '''CA_CERT''' = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates) | * '''CA_CERT''' = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates) | ||
| Line 42: | Line 41: | ||
Further information on Shibboleth deployment and configuration can be found in [[Shibboleth and gCube]] | Further information on Shibboleth deployment and configuration can be found in [[Shibboleth and gCube]] | ||
| − | |||
====Connector==== | ====Connector==== | ||
Revision as of 17:42, 11 March 2013
Contents
Introduction
SOA3 (Service Oriented Authentication, Authorization and Accounting) is composed of four REST web services:
- Authentication Service
- Authorization Service
- User Management Service
- Connector Service
A detailed section about SOA3 Architecture is provided in Data e-Infrastructure Policy-oriented Security Facilities: this page aims at providing a quick guide on the installation and configuration processes.
Installation steps
The four services are packaged in four wars running on Apache Tomcat 7, in particular:
- authService.war (org.gcube.vo-management.soa3.authentication.rest) is the Authentication Service
- The Authorization Service has not been completed yet
- userService.war (org.gcube.vo-management.soa3.usermanagement.rest) is the User Management Service
- soa3Service (org.gcube.vo-management.soa3.connector.service) is the Connector Service
In addition to Tomcat 7, in order to use Authentication and User Management Services, an LDAP Directory is needed. There are no particular requirements on the LDAP Directory: the tests have been performed on OpenDS 2.2.
Configuration
Authentication and UserManagement
There is a single, common configuration file for Authentication and User Management Services:
$CATALINA_HOME/conf/soa3/soa3.properties.
The file contains the following properties:
- LDAP_URL the url of the LDAP with the user list (default "ldap://127.0.0.1:1389")
- LDAP_BASE the LDAP search base (default "o=mojo")
- LDAP_USER_DN the administrator DN (default "cn=Directory Manager")
- LDAP_PASSWORD the administrator account password (default "secret")
The following properties are used only by Authentication Service They are concerns federated authentication and the connection with Shibboleth Service Provider (look at Shibboleth site and Shibboleth installation giude in gCube):
- CA_CERT = CA Key or keystore folder for assertion validation (default /etc/grid-security/certificates)
- ASSERTION_SIGNATURE_VALIDATION Assertion signature validation enabled (default true)
- ASSERTION_TIME_VALIDATION Assertion time validation enabled (default true)
- SAML_ASSERTION_SOURCE_URL SAML Source host (default http://localhost/Shibboleth.sso/GetAssertion)
Further information on Shibboleth deployment and configuration can be found in Shibboleth and gCube
Connector
The connector uses two configuration files:
- $CATALINA_HOME/conf/soa3/connector.properties (mandatory)
- $CATALINA_HOME/conf/soa3/services.properties (optional)
The properties of connector.properties are:
- SOA3_ENDPOINT the endpoint of the other services of soa3 (default http://localhost:8080)
- SERVICE_NAME the name of the current instance (default soa3)
- AUTHENTICATION_SESSION the lifetime of a security session in minutes (defautl 5 min)
- CERT_FILE x509 certificate in pem format (default /etc/grid-security/hostcert.pem)
- KEY_FILE x509 key in pem format (default /etc/grid-security/hostkey.pem)
- TRUST_DIR x509 truststore (default /etc/grid-security/certificates)
- TRUST_FILE_EXTENSION extension of the ca files in the truststore default .0)
services.properties, if exists, contains a list of key=value representing the names and the endpoints of other soa3 instance in our ecosystem.
Security
For security reason, it is recommended to run the container in HTTPS mode. It is strongly suggested to use tomcat combined with Apache HTTPD and mod_jk, setting a certificate trusted by the GHNs.
