Changes between Version 4 and Version 5 of ESGF-Security


Timestamp:
Mar 6, 2013 11:03:13 AM (9 years ago)
Author:
vegasm
Comment:

--

  • ESGF-Security

    v4 v5  
    33== Enable Tomcat SSL security ==
    44
    5 To enable ssl we need a valid certificate from a Certificate Authority such as Verisign. We can create one but the browser will not recognize as trusted.
     5To enable ssl we need a valid certificate from a Certificate Authority such as Verisign but we can create one although the browser will not recognize as trusted. We will need two files: keystore and truststore.
     6A keystore is a file which contains private keys and certificates. The certificates are sent to the remote server in a SSLConnection. A truststore contains the CA certificates you are willing to trust when a remote party presents its certificate.
    67
    7 To install and configure SSL support on Tomcat 6, you need to follow these simple steps:
     8=== Install and configure SSL support on Tomcat 6 ===
    89
    910Create a keystore file to store the server's private key and self-signed certificate by executing the following:
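Review bot: the keystore description added at new line 6 has the direction backwards for a server install: the certificate in Tomcat's keystore is presented to connecting clients (browsers), not "sent to the remote server"; that wording only applies when the JVM itself is the SSL client. Suggest: "The server presents its keystore certificate to each client that connects over SSL; the truststore holds the CA certificates this JVM will accept when a remote party presents its certificate." New line 5 also fuses two sentences ("...such as Verisign but we can create one although the browser will not recognize..."); keep the two v4 sentences and append the two-file note to them. The new heading "=== Install and configure SSL support on Tomcat 6 ===" is a good change, but it now sits under a "== Enable Tomcat SSL security ==" section with no introductory step list, so the orphaned "3." in the following step needs matching "1." and "2." on the keystore and truststore steps.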
     
    1213password: changeit
    1314}}}
    14 This command will create a file in your user home directory named ".keystore". This keystore contains a certificate whose alias is ''tomcat''
     15This command will create a file in your user home directory named ".keystore". This keystore contains the server certificate whose alias is ''tomcat''.
    1516
    1617Download the ESGF Truststore which contains the trusted CA's and add your tomcat certificate:
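Review bot: "password: changeit" (line 12/13) is the well-known Java default keystore password and nothing here tells the reader to change it, even though this keystore holds the server's private key; add a sentence requiring a site-specific password and noting that the same value must then be set on the Tomcat SSL connector. Line 9/10 says the keystore holds a self-signed certificate, so new line 15 should read "the self-signed server certificate whose alias is tomcat" to stay consistent with it. The download step that follows gives no way to verify the ESGF truststore before the reader adds their own certificate to it and starts trusting its contents; state where it is obtained from and publish a checksum or fingerprint to compare against.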
     
    2526}}}
    2627
    27 Deploy esg-orp.war into tomcat 6
     283. Add the truststore to the classpath (it will be required by Java)
     29Edit $CATALINA_HOME/bin/setclasspath.bat (windows) or $CATALINA_HOME/bin/setclasspath.sh (Linux) and add the following:
     30{{{
     31 rem Windows
     32 set "JAVA_OPTS=-Xmx2560m -Xms2560m -Ddebug=true -Djavax.net.ssl.trustStore=C:/apache-tomcat-6.0.36/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"
     33 echo %JAVA_OPTS%
     34}}}
     35
     36=== Deploy and configure ESG-ORP===
    2837
    2938 1. Start tomcat server. Run '''$CATALINA_HOME/bin/startup.bat on windows''' or '''$CATALINA_HOME/bin/startup.sh''' on Linux
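Review bot: the v4 instruction "Deploy esg-orp.war into tomcat 6" (old line 27) is removed, but the new "=== Deploy and configure ESG-ORP===" section starts directly at "1. Start tomcat server", so the page no longer says to copy the war into Tomcat at all; re-add the deploy step before step 1. New step 3 sets JVM system properties, not the classpath, so "Add the truststore to the classpath" is misleading; call it "Point the JVM at the truststore". Editing setclasspath.bat/setclasspath.sh is also the wrong hook: Tomcat 6's catalina.sh and catalina.bat already read $CATALINA_HOME/bin/setenv.sh and setenv.bat for exactly this purpose, and those files survive an upgrade of the distribution scripts. The block shows only the "rem Windows" line while the text promises a Linux variant; add the setenv.sh equivalent, and drop `-Xmx2560m -Xms2560m -Ddebug=true`, which have nothing to do with SSL. Finally, `-Djavax.net.ssl.trustStorePassword=changeit` puts the password on the command line where any local user can read it from the process list, and `echo %JAVA_OPTS%` prints it at every startup; use a non-default value, keep it in setenv with restricted file permissions, and remove the echo.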
     
    3140
    3241
     42ESG-ORP manages a whitelist. This list is used by the app to allow the idp's. The idp's are entities which provide an openid login and return a valid cookie. We will need two lists and you can download them from here
     43To work properly, ESG-ORP needs some configuration changes.
     44
     45Edit line 84 of /WEB-INF/classes/esg/orp/orp/config/security-context-auth.xml
     46{{{
     47<property name="idpWhiteListFile" value="esg/config/esgf_idp.xml, esg/config/esgf_idp_static.xml" />
     48}}}
     49
     50
     51
     52
     53 
     54
     55Configure ORP to sign the cookies with our keystore
     56
     57Edit the file WEB-INF/classes/esg/orp/orp/config/appli
     58
    3359For further information visit: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Configuration
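Review bot: new line 57 "Edit the file WEB-INF/classes/esg/orp/orp/config/appli" is cut off, and the step it belongs to ("Configure ORP to sign the cookies with our keystore", line 55) has no body, so the page ends on an incomplete instruction; complete the file name and the property to edit before publishing. Line 42 says the two whitelist files "can download them from here" with no link; add the URL. "Edit line 84 of ...security-context-auth.xml" (line 45) will break on the next release of the file; refer to the bean property instead, e.g. "set the idpWhiteListFile property in security-context-auth.xml to the two files", and state where esgf_idp.xml and esgf_idp_static.xml must be placed for those relative paths to resolve. Because this list decides which IdPs' OpenID logins the ORP accepts, also say who maintains the downloaded esgf_idp.xml and how often it should be refreshed. The five empty lines added at 50-54 are noise, and "idp's" should be "IdPs".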