Changes between Version 11 and Version 12 of ESGF-Security


Timestamp:
Mar 13, 2013 1:16:33 PM (9 years ago)
Author:
vegasm
Comment:

--

  • ESGF-Security

    v11 v12  
    55== Enable Tomcat SSL security ==
    66
    7 To enable ssl we need a valid certificate from a Certificate Authority such as Verisign but we can create one although the browser will not recognize as trusted. We will need two files: keystore and truststore.
     7To enable ssl we need a valid certificate from a Certificate Authority such as Verisign. We can create one although the browser will not recognize as trusted. We will need two files: keystore and truststore.
    88A keystore is a file which contains private keys and certificates. The certificates are sent to the remote server in a SSLConnection. A truststore contains the CA certificates you are willing to trust when a remote party presents its certificate.
    99
     
    1212Create a keystore file to store the server's private key and self-signed certificate by executing the following:
    1313
    14 '''Important: set your hostname as CN.''' For example, if you are deploying tomcat with localhost url's, set CN=localhost.
     14'''Important: set your hostname as CN.''' (See error "Target is not trusted" [[http://esgf.org/wiki/Security/FAQ]]. For example, if you are deploying tomcat for testing in your own machine use CN=localhost.
    1515
    1616{{{
     
    1818password: changeit
    1919}}}
    20 This command will create a file in your user home directory named ".keystore". This keystore contains the server certificate whose alias is ''tomcat''.
     20This command will create a file in your user home directory named ".keystore". This keystore contains the server certificate whose alias is ''localhost''.
    2121
    22 Download the ESGF Truststore which contains the trusted CA's and add your tomcat certificate:
     22Download the ESGF Truststore which contains the trusted CA's and add your localhost certificate:
    2323
    24241. You can download the ESGF truststore from here https://rainbow.llnl.gov/dist/certs/esg-truststore.ts and add your tomcat certificate by yourself or download the [[attachment:esg-truststore.ts]] which contains the tomcat pem. You can also download the [[attachment:.keystore]]
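Review bot: the new line 14 has an unbalanced parenthesis: the sentence that opens with '(See error "Target is not trusted" [[http://esgf.org/wiki/Security/FAQ]].' never closes, so either drop the opening parenthesis or close it after the wiki link. Lines 20 and 22 now say the certificate alias is ''localhost'' where v11 said ''tomcat'', but the keytool command at line 17 is not part of this change, so please confirm that its -alias argument was updated to match; otherwise the prose and the command disagree. On line 24, offering a ready-made [[attachment:.keystore]] for download means every node that installs it holds the same private key (line 8 says a keystore contains private keys) and anyone who downloads it can present that certificate, so that shortcut should be marked as local-testing only. The keystore password ''changeit'' on line 18 is the JDK default; the text should say to change it for anything beyond a test deployment.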
     
    7171== TDS Configuration ==
    7272
    73 Firstable, copy the following jars onto the TDS WEB-INF/lib directory
     73Firstable, copy the following jars onto the TDS WEB-INF/lib directory [[attachment:thredds_esg_security_libraries.zip​]].
     74
     75Then edit the file $CATALINA_HOME/webapps/thredds/WEB-INF/web.xml and
     76
     77Then edit the file $CATALINA_HOME/webapps/thredds/WEB-INF/web.xml and insert the XML snippet that configures the ESG access control filters to intercepts all requests sent to the TDS (see example below). You must configure the filter parameters to values that are specific to your system, specifically:
     78
     79{{{
     80  <!-- web.xml entry for the esg node  access Control Filter chain -->
     81
     82  <filter>
     83    <filter-name>authenticationFilter</filter-name>
     84    <filter-class>esg.orp.app.AuthenticationFilter</filter-class>
     85    <init-param>
     86      <param-name>policyServiceClass</param-name>
     87      <param-value>esg.orp.app.CompositePolicyService</param-value>
     88    </init-param>
     89        <init-param>
     90      <param-name>policyServiceClasses</param-name>
     91      <param-value>esg.orp.app.RegexPolicyService, esg.orp.app.LocalXmlPolicyService</param-value>
     92    </init-param>
     93        <init-param>
     94      <param-name>authenticationNotRequiredPatterns</param-name>
     95      <param-value>"[^?]*(/|(/admin/)(.*)|(/remoteCatalogService\?.*)|(?&lt;=\.(html|xml|css|gif|pdf))(\?.*)?)"</param-value>
     96    </init-param>
     97         <init-param>
     98      <param-name>policyFiles</param-name>
     99      <param-value>thredds/config/esgf_policies_local.xml, thredds/config/esgf_policies_common.xml</param-value>
     100    </init-param>
     101    <init-param>
     102      <param-name>openidRelyingPartyUrl</param-name>
     103      <param-value>https://localhost:8443/esg-orp/home.htm</param-value>
     104    </init-param>
     105    <init-param>
     106      <param-name>trustoreFile</param-name>
     107      <param-value>C:/apache-tomcat-6.0.36/config_files/esg-orp/esg-truststore.ts</param-value>
     108    </init-param>
     109        <init-param>
     110      <param-name>trimURIRegEx</param-name>
     111      <param-value>\.ascii.*,\.dods.*,\.dds.*,\.das.*</param-value>
     112    </init-param>
     113    <init-param>
     114      <param-name>trustorePassword</param-name>
     115      <param-value>changeit</param-value>
     116    </init-param>
     117  </filter>
     118  <filter-mapping>
     119    <filter-name>authenticationFilter</filter-name>
     120    <url-pattern>/*</url-pattern>
     121  </filter-mapping>
     122}}}
     123{{{
     124  <!-- web.xml entry for the esg node authorization Control Filter chain -->
     125
     126  <filter>
     127    <filter-name>authorizationFilter</filter-name>
     128    <filter-class>esg.orp.app.AuthorizationFilter</filter-class>
     129    <init-param>
     130      <param-name>authorizationServiceClass</param-name>
     131      <param-value>esg.orp.app.SAMLAuthorizationServiceFilterCollaborator</param-value>
     132    </init-param>
     133    <init-param>
     134      <param-name>urlTransformer</param-name>
     135      <param-value>esg.orp.app.RegexReplaceAuthorizationFilterUrlTransformer</param-value>
     136    </init-param>
     137    <init-param>
     138      <param-name>urlTransformerReplacements</param-name>
     139      <param-value>"\?.*":"", "/dodsC/":"/fileServer/", "\.(asc|ascii|das|dds|dods|html)\Z":""</param-value>
     140    </init-param>
     141    <init-param>
     142      <param-name>authorizationServiceUrl</param-name>
     143      <param-value>
     144        https://localhost:8443/esg-orp/saml/soap/secure/authorizationService.htm
     145      </param-value>
     146    </init-param>
     147  </filter>
     148  <filter-mapping>
     149    <filter-name>authorizationFilter</filter-name>
     150    <url-pattern>/*</url-pattern>
     151  </filter-mapping>
     152}}}
     153
     154
    74155
    75156=== References ===
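Review bot: lines 75-77 contain a truncated duplicate of one sentence: line 75 ('Then edit the file $CATALINA_HOME/webapps/thredds/WEB-INF/web.xml and') stops mid-sentence and is repeated in full at line 77, so lines 75-76 should be dropped. Line 77 ends with 'specifically:' but no list of system-specific parameters follows; judging by the snippet those are at least openidRelyingPartyUrl, trustoreFile, trustorePassword, policyFiles and authorizationServiceUrl, so either list them or end the sentence differently. 'Firstable' on line 73 should read 'First', and 'intercepts' on line 77 should be 'intercept'. In the second snippet, the authorizationServiceUrl value at lines 143-145 is split over three lines with indentation inside <param-value>; unless the container or the filter trims it, the URL will carry that whitespace, so put it on a single line like the other URLs in the block. The truststore password 'changeit' at line 115 is stored in clear text in web.xml and is the JDK default; the page should tell readers to replace it and to keep web.xml readable only by the Tomcat user. Indentation of the <init-param> elements at lines 89, 93, 97 and 109 is also inconsistent with the rest of the block.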