Changes between Version 17 and Version 18 of ESGF-Security


Timestamp:
Apr 16, 2013 12:44:20 PM (9 years ago)
Author:
vegasm
Comment:

Corrected changes from Barron Jr, Tom O

  • ESGF-Security

    v17 v18  
    33Before publishing test datasets, it is necessary to install some security components and filters to support ESGF-Security.
    44
    5 == Enable Tomcat SSL security ==
    6 
    7 To enable ssl we need a valid certificate from a Certificate Authority such as Verisign. We can create one although the browser will not recognize as trusted. We will need two files: keystore and truststore.
    8 A keystore is a file which contains private keys and certificates. The certificates are sent to the remote server in a SSLConnection. A truststore contains the CA certificates you are willing to trust when a remote party presents its certificate.
    9 
    10 === Install and configure SSL support on Tomcat 6 ===
     5== Keystore and Truststore ==
     6
     7To enable SSL we need a valid certificate from a Certificate Authority such as Verisign, Geotrust... although we can create one but the browser will not recognize it as trusted. We will need two files: keystore and truststore.
     8A keystore is a file which contains private keys and certificates. The certificates are sent to the remote server in a SSL connection. A Truststore contains the CA certificates you are willing to trust when a remote party presents its certificate.
     9
     10You have two options to get these files:
     11
     121.Download the original esg-truststore and prepare your own certificates or download our esg-truststore [[attachment:esg-truststore.ts]] and Keystore [[attachment:.keystore]] which are prepared for localhost.
     13
     142.Create your own keypair following this process:
     15
     16=== Keystore creation ===
    1117
    1218Create a keystore file to store the server's private key and self-signed certificate by executing the following:
    1319
    14 '''Important: set your hostname as CN.''' (See error "Target is not trusted" [[http://esgf.org/wiki/Security/FAQ]]). For example, if you are deploying tomcat for testing in your own machine use CN=localhost.
    15 
    16 {{{
    17 keytool -genkey -alias tomcat -keyalg RSA
    18 password: changeit
    19 }}}
    20 This command will create a file in your user home directory named ".keystore". This keystore contains the server certificate whose alias is ''localhost''.
    21 
    22 Download the ESGF Truststore which contains the trusted CA's and add your localhost certificate:
    23 
    24 1. You can download the ESGF truststore from here https://rainbow.llnl.gov/dist/certs/esg-truststore.ts and add your tomcat certificate by yourself or download the [[attachment:esg-truststore.ts]] which contains the tomcat pem. You can also download the [[attachment:.keystore]]
    25 
    26 2. Uncomment the ''SSL HTTP/1.1 Connector'' entry in '''$CATALINA_HOME/conf/server.xml''' and add the following:
     20'''Important: set your hostname as CN.''' (See error "Target is not trusted" [[http://esgf.org/wiki/Security/FAQ]]). For example, if you are deploying tomcat for testing in your own machine use CN=localhost and alias localhost.
     21
     22{{{
     23keytool -genkey -alias localhost -keyalg RSA
     24Enter keystore password:
     25Re-enter new password:
     26What is yout first and last name?:
     27[Unknown]: localhost
     28What is the name of your organizational unit?
     29[Unknown]: MACC
     30What is the name of your organization?
     31[Unknown]: UNICAN
     32What is the name of your City or Locality?
     33[Unknown]: Santander
     34What is the name of your State or Province?
     35[Unknown]: Cantabria
     36What is the two-letter country code for this unit?
     37[Unknown]: ES
     38Is CN=localhost, OU=MACC, O=UNICAN, L=SANTANDER, ST=CANTABRIA, C=ES correct?
     39[no]: yes
     40Enter key password for <certificatekey>
     41                (RETURN if same as keystorepassword):
     42Re-enter new password:
     43}}}
     44 
     45This command will create a file in your user home directory named ".keystore". This Keystore contains the server certificate whose alias is ''localhost''. Find the .keystore file in your user folder and check if it is ok with the following command:
     46{{{
     47keytool -list -v -keystore .keystore
     48}}}
     49The result it would be something like this:
     50{{{
     51Enter keystore password:
     52
     53Keystore type: JKS
     54Keystore provider: SUN
     55
     56Your keystore contains 1 entry
     57
     58Alias name: localhost
     59Creation date: 13-mar-2013
     60Entry type: PrivateKeyEntry
     61Certificate chain lenght: 1
     62Certificate[1]:
     63Owner: CN=localhost, OU=MACC, O=UNICAN, L=SANTANDER, ST=CANTABRIA, C=ES
     64Emisor: CN=localhost, OU=MACC, O=UNICAN, L=SANTANDER, ST=CANTABRIA, C=ES
     65Serial number: 355b667a
     66Valid from: Wed Mar 13 10:21:02 CET 2013 until: Tue Jun 11 11:21:02 CEST 2013
     67Certificate fingerprints:
     68         MD5: 51:FE:89:BA:40:9D:AB:92:DD:22:58:11:60:E3:E6:F7
     69         SHA1: 1E:11:8D:31:2F:43:6D:69:5C:F8:29:51:13:50:C5:37:FB:DF:61:E2
     70         SHA256: 33:34:97:34:21:81:8A:AE:36:9C:A5:C6:24:90:55:45:89:61:1F:C6:14:
     71         signature algorithm name: SHA256withRSA
     72         Version: 3
     73...
     74...
     75}}}
     76
     77=== Truststore creation ===
     78
     79Download the original ESGF truststore from here https://rainbow.llnl.gov/dist/certs/esg-truststore.ts and add your host certificate. For this process you have to export the localhost certificate from .keystore and import to esg-truststore.ts:
     80{{{
     81keytool -export -alias localhost -keystore .keystore -rfc -file localhost.cer
     82keytool -import -alias localhost -file localhost.cer
     83}}}
     84Check if esg-truststore.ts contains the localhost certificate:
     85{{{
     86keytool -list -v -keystore esg-truststore.ts -alias localhost
     87}}}
     88
     89== Configure SSL support on Tomcat 6 ==
     90
     911. Uncomment the ''SSL HTTP/1.1 Connector'' entry in '''$CATALINA_HOME/conf/server.xml''' and add the following:
    2792{{{
    2893<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"  SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    29    clientAuth="want" keystoreFile="C:\apache-tomcat-6.0.36\config_files\esg-orp\.keystore" keystorePassword="changeit"
    30    truststoreFile="C:\apache-tomcat-6.0.36\config_files\esg-orp\esg-truststore.ts" truststorePass="changeit" sslProtocol="TLS" />
    31 }}}
    32 
    33 3. Add the truststore to the classpath (it will be required by Java)
    34 Edit '''$CATALINA_HOME/bin/setclasspath.bat''' (windows) or '''$CATALINA_HOME/bin/setclasspath.sh''' (Linux) and add the following:
    35 {{{
    36  rem Windows
     94   clientAuth="want" keystoreFile="$CATALINA_HOME/config_files/esg-orp/.keystore" keystorePassword="changeit"
     95   truststoreFile="$CATALINA_HOME/config_files/esg-orp/esg-truststore.ts" truststorePass="changeit" sslProtocol="TLS" />
     96}}}
     97'''Note: It is a good practise creating a config folder into $CATALINA_HOME which contains our certificates. These certificates will be available to the deployed apps.'''
     98
     992. Add the truststore to the classpath (it will be required by Java):
     100
     101Windows: edit '''%CATALINA_HOME%/bin/setclasspath.bat'''
     102{{{
     103 set "JAVA_OPTS=-Xmx2560m -Xms2560m -Ddebug=true -Djavax.net.ssl.trustStore=%CATALINA_HOME%/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"
     104 echo %JAVA_OPTS%
     105}}}
     106
     107Linux: edit '''$CATALINA_HOME/bin/setclasspath.sh'''
     108{{{
    37109 set "JAVA_OPTS=-Xmx2560m -Xms2560m -Ddebug=true -Djavax.net.ssl.trustStore=$CATALINA_HOME/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"
    38  echo %JAVA_OPTS%
    39 }}}
    40 
    41 === Deploy and configure ESG-ORP===
     110 echo $JAVA_OPTS
     111}}}
     112
     113== Configuration of ESG-ORP and deployment ==
    42114
    43115 1. Start tomcat server. Run '''$CATALINA_HOME/bin/startup.bat on windows''' or '''$CATALINA_HOME/bin/startup.sh''' on Linux
    44  1. Download [[attachment:esg-orp.war]] and move it to '''$CATALINA_HOME/webapps'''. A new directory called 'esg-orp' will be created by Tomcat.
     116 2. Download [[attachment:esg-orp.war]] and move it to '''$CATALINA_HOME/webapps'''. A new directory called 'esg-orp' will be created by Tomcat.
    45117
    46118
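Review bot: the truststore import step (new line 82, `keytool -import -alias localhost -file localhost.cer`) never names the target keystore, so keytool writes the certificate into the default ~/.keystore instead of esg-truststore.ts, and the check that follows (`keytool -list -v -keystore esg-truststore.ts -alias localhost`) will report the alias as missing; add `-keystore esg-truststore.ts` to the import command. Second, the Linux snippet for setclasspath.sh (new line 109) keeps the Windows `set "JAVA_OPTS=..."` form: in a POSIX shell that assigns the string to the positional parameter $1 and leaves JAVA_OPTS untouched, so the -Djavax.net.ssl.trustStore options never reach the JVM and the `echo $JAVA_OPTS` on the next line prints nothing; it should be a plain assignment such as `JAVA_OPTS="-Xmx2560m -Xms2560m -Djavax.net.ssl.trustStore=$CATALINA_HOME/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"`, and `-Ddebug=true` is a development setting that does not belong in the documented line. Third, the new text drops the v17 `password: changeit` hint under keytool -genkey while the connector (new lines 94-95) still hardcodes keystorePassword="changeit" and truststorePass="changeit"; state explicitly that these must match the passwords entered at keytool -genkey and at the truststore import, and that the JDK default should be replaced on any host that is not a local test machine (note also that the Tomcat 6 connector attribute is documented as keystorePass, so keystorePassword only appears to work here because the default password happens to be changeit).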
     
    57129}}}
    58130
    59 ESG-ORP manages a list that is used to allow the idp's. It is called whitelist. The idp's are entities which provide an openid login and return a valid cookie. We will need two lists and you can download them from here [[attachment:esgf_idp.xml]] [[attachment:esgf_idp_static.xml]]. If your idp is not contained by ''esgf_idp_static.xml'' just add your idp to the file. It is recommended to save these files in '''WEB-INF/classes/esg/config''' to work properly in all environments because Windows paths are not considered by the momment.
    60 
    61 The whitelist files are read by '''WEB-INF/classes/esg/orp/orp/config/security-context-auth.xml'''
    62 Go to the line 84 and replace it with this line:
    63 {{{
    64 <property name="idpWhiteListFile" value="esg/config/esgf_idp.xml, esg/config/esgf_idp_static.xml" />
     131ESG-ORP manages a list that is used to allow the idp's. It is called whitelist. The idp's are entities which provide an openid login and return a valid cookie. ESG-ORP reads the idp's from two lists: esgf_idp and esgf_idp_static.xml. The file esgf_idp_static.xml contains a static list of idp's and we can add all the idps that wee need. The original files contianed in ESG-ORP does not contain idp's such as PCMDI9 so you can download our whitelist from here which contains most of them: [[attachment:esgf_idp.xml]] [[attachment:esgf_idp_static.xml]]. You can also add the idp's that you want as well.
     132
     133We have to indicate to ESG-ORP where our whitelists are placed. Go to the file '''WEB-INF/classes/esg/orp/orp/config/security-context-auth.xml''' and find the property idpWhiteListFile. Replace it with this line:
     134{{{
     135<property name="idpWhiteListFile" value="esg/config/orp/orp/esgf_idp.xml, esg/config/orp/orp/esgf_idp_static.xml" />
    65136}}}
    66137
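Review bot: the rewritten whitelist paragraph (new lines 131-135) changes the property value to `esg/config/orp/orp/esgf_idp.xml, esg/config/orp/orp/esgf_idp_static.xml` but drops the v17 sentence that told the reader where to save the downloaded files, so it is no longer stated that the two XML files must be placed under WEB-INF/classes/esg/config/orp/orp/ for that classpath-relative value to resolve; add the location back next to the attachment links. Minor wording in new line 131: "wee" should be "we", "contianed" should be "contained", and "The original files contained in ESG-ORP does not contain" should read "do not contain".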
     
    71142== TDS Configuration ==
    72143
    73 Firstable, copy the following jars onto the TDS ''WEB-INF/lib directory'' [[attachment:"thredds_esg_security_libraries.zip​"]]
    74 
    75 After that, edit the file '''$CATALINA_HOME/webapps/thredds/WEB-INF/web.xml''' and insert the XML snippet that configures the ESG access control filters to intercepts all requests sent to the TDS. You must configure the filter parameters to values that are specific to your system, specifically:
     144Firstly, copy these jars onto the TDS ''WEB-INF/lib directory'' [[attachment:"thredds_esg_security_libraries.zip​"]]
     145
     146After that, edit the file '''$CATALINA_HOME/webapps/thredds/WEB-INF/web.xml''' and insert the XML snippet that configures the ESG access control filters to intercept all requests sent to the TDS. You must configure the filter parameters to values that are specific to your system, specifically:
    76147
    77148{{{
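Review bot: the attachment link in new line 144, `[[attachment:"thredds_esg_security_libraries.zip​"]]`, carries an invisible character (it appears to be a zero-width space) between `.zip` and the closing quote, inherited unchanged from v17 line 73, so the wiki will look for an attachment whose name ends in that character and the download link will not resolve; retype the attachment name by hand.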