Version 19 (modified by terryk, 8 years ago)
Adding ESGF-Security to TDS
Before publishing test datasets, it is necessary to install some security components and filters to support ESGF-Security.
Keystore and Truststore
To enable SSL we need a certificate issued by a Certificate Authority such as Verisign or Geotrust. We can also create a self-signed certificate, but browsers will not recognize it as trusted. Two files are needed: a keystore and a truststore. A keystore is a file that contains private keys and their certificates; the certificate is presented to the remote party during an SSL connection. A truststore contains the CA certificates you are willing to trust when a remote party presents its certificate.
You have two options to get these files:
1. Download the original esg-truststore and prepare your own certificates, or download our esg-truststore esg-truststore.ts and keystore .keystore, which are prepared for localhost.
2. Create your own key pair following this process:
Keystore creation
Create a keystore file to store the server's private key and self-signed certificate by executing the following:
Important: set your hostname as CN. (See the error "Target is not trusted" at http://esgf.org/wiki/Security/FAQ.) For example, if you are deploying Tomcat for testing on your own machine, use CN=localhost and alias localhost.
keytool -genkey -alias localhost -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  MACC
What is the name of your organization?
  [Unknown]:  UNICAN
What is the name of your City or Locality?
  [Unknown]:  Santander
What is the name of your State or Province?
  [Unknown]:  Cantabria
What is the two-letter country code for this unit?
  [Unknown]:  ES
Is CN=localhost, OU=MACC, O=UNICAN, L=SANTANDER, ST=CANTABRIA, C=ES correct?
  [no]:  yes
Enter key password for <certificatekey>
        (RETURN if same as keystore password):
Re-enter new password:
This command creates a file named ".keystore" in your user home directory. This keystore contains the server certificate under the alias localhost. Find the .keystore file in your user folder and check that it is correct with the following command:
keytool -list -v -keystore .keystore
The result should look something like this:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: localhost
Creation date: 13-mar-2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=MACC, O=UNICAN, L=SANTANDER, ST=CANTABRIA, C=ES
Emisor: CN=localhost, OU=MACC, O=UNICAN, L=SANTANDER, ST=CANTABRIA, C=ES
Serial number: 355b667a
Valid from: Wed Mar 13 10:21:02 CET 2013 until: Tue Jun 11 11:21:02 CEST 2013
Certificate fingerprints:
         MD5:  51:FE:89:BA:40:9D:AB:92:DD:22:58:11:60:E3:E6:F7
         SHA1: 1E:11:8D:31:2F:43:6D:69:5C:F8:29:51:13:50:C5:37:FB:DF:61:E2
         SHA256: 33:34:97:34:21:81:8A:AE:36:9C:A5:C6:24:90:55:45:89:61:1F:C6:14:
         Signature algorithm name: SHA256withRSA
         Version: 3
...
Truststore creation
Download the original ESGF truststore from https://rainbow.llnl.gov/dist/certs/esg-truststore.ts and add your host certificate to it. To do this, export the localhost certificate from .keystore and import it into esg-truststore.ts:
keytool -export -alias localhost -keystore .keystore -rfc -file localhost.cer
keytool -import -alias localhost -file localhost.cer -keystore esg-truststore.ts
Check if esg-truststore.ts contains the localhost certificate:
keytool -list -v -keystore esg-truststore.ts -alias localhost
Configure SSL support on Tomcat 6
- Uncomment the SSL HTTP/1.1 Connector entry in $CATALINA_HOME/conf/server.xml and add the following:
<!-- ${catalina.home} is expanded by Tomcat when it parses server.xml; a shell-style
     $CATALINA_HOME is not. Tomcat 6 reads the keystore password from the keystorePass
     attribute (an attribute named keystorePassword is ignored and the default "changeit"
     is used instead). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="want"
           keystoreFile="${catalina.home}/config_files/esg-orp/.keystore"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/config_files/esg-orp/esg-truststore.ts"
           truststorePass="changeit"
           sslProtocol="TLS" />
Note: It is good practice to create a config folder inside $CATALINA_HOME that holds these certificates; the deployed applications can then read them from there.
- Make the truststore available to the JVM (the ESG libraries read it through the javax.net.ssl system properties):
Windows: edit %CATALINA_HOME%/bin/setclasspath.bat
set "JAVA_OPTS=-Xmx2560m -Xms2560m -Ddebug=true -Djavax.net.ssl.trustStore=%CATALINA_HOME%/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"
echo %JAVA_OPTS%
Linux: edit $CATALINA_HOME/bin/setclasspath.sh
export JAVA_OPTS="-Xmx2560m -Xms2560m -Ddebug=true -Djavax.net.ssl.trustStore=$CATALINA_HOME/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"
echo $JAVA_OPTS
Configuration of ESG-ORP and deployment
- Start the Tomcat server: run $CATALINA_HOME/bin/startup.bat on Windows or $CATALINA_HOME/bin/startup.sh on Linux.
- Download esg-orp.war and move it to $CATALINA_HOME/webapps. Tomcat will create a new directory called 'esg-orp'.
Edit WEB-INF/classes/esg-orp.properties to configure ESG-ORP to sign the cookies:
# location of keystore used to sign the authentication cookie
keystoreFile=$CATALINA_HOME/config_files/esg-orp/.keystore
# password used to read the keystore
keystorePassword=changeit
# alias of keystore entry used to sign the authentication cookie
keystoreAlias=localhost
ESG-ORP keeps a list of allowed IdPs, called the whitelist. The IdPs are the entities that provide an OpenID login and return a valid cookie. ESG-ORP reads the IdPs from two files: esgf_idp.xml and esgf_idp_static.xml. The file esgf_idp_static.xml contains a static list of IdPs, to which we can add all the IdPs we need. The files originally contained in ESG-ORP do not include IdPs such as PCMDI9, so you can download our whitelist, which contains most of them, from here: esgf_idp.xml esgf_idp_static.xml. You can also add any other IdPs you want.
We have to tell ESG-ORP where our whitelists are located. Open the file WEB-INF/classes/esg/orp/orp/config/security-context-auth.xml, find the property idpWhiteListFile, and replace it with this line:
<property name="idpWhiteListFile" value="esg/config/orp/orp/esgf_idp.xml, esg/config/orp/orp/esgf_idp_static.xml" />
Test ESG-ORP
Open your browser and type this url: http://localhost:8080/OpenidRelyingParty . You should be redirected to an HTTPS page where you are prompted to enter your openid.
TDS Configuration
First, unzip thredds_esg_security_libraries.zip and copy the jars it contains into the TDS WEB-INF/lib directory.
After that, edit the file $CATALINA_HOME/webapps/thredds/WEB-INF/web.xml and insert the XML snippets below, which configure the ESG access control filters to intercept all requests sent to the TDS. Set the filter parameters (the paths and URLs) to values that are specific to your system:
<!-- web.xml entry for the esg node access Control Filter chain -->
<filter>
  <filter-name>authenticationFilter</filter-name>
  <filter-class>esg.orp.app.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>policyServiceClass</param-name>
    <param-value>esg.orp.app.CompositePolicyService</param-value>
  </init-param>
  <init-param>
    <param-name>policyServiceClasses</param-name>
    <param-value>esg.orp.app.RegexPolicyService, esg.orp.app.LocalXmlPolicyService</param-value>
  </init-param>
  <init-param>
    <param-name>authenticationNotRequiredPatterns</param-name>
    <!-- the "<" of the lookbehind must be written as &lt; inside XML element content -->
    <param-value>"[^?]*(/|(/admin/)(.*)|(/remoteCatalogService\?.*)|(?&lt;=\.(html|xml|css|gif|pdf))(\?.*)?)"</param-value>
  </init-param>
  <init-param>
    <param-name>policyFiles</param-name>
    <param-value>thredds/config/esgf_policies_local.xml, thredds/config/esgf_policies_common.xml</param-value>
  </init-param>
  <init-param>
    <param-name>openidRelyingPartyUrl</param-name>
    <param-value>https://localhost:8443/esg-orp/home.htm</param-value>
  </init-param>
  <init-param>
    <param-name>trustoreFile</param-name>
    <param-value>C:/apache-tomcat-6.0.36/config_files/esg-orp/esg-truststore.ts</param-value>
  </init-param>
  <init-param>
    <param-name>trimURIRegEx</param-name>
    <param-value>\.ascii.*,\.dods.*,\.dds.*,\.das.*</param-value>
  </init-param>
  <init-param>
    <param-name>trustorePassword</param-name>
    <param-value>changeit</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>authenticationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- web.xml entry for the esg node authorization Control Filter chain -->
<filter>
  <filter-name>authorizationFilter</filter-name>
  <filter-class>esg.orp.app.AuthorizationFilter</filter-class>
  <init-param>
    <param-name>authorizationServiceClass</param-name>
    <param-value>esg.orp.app.SAMLAuthorizationServiceFilterCollaborator</param-value>
  </init-param>
  <init-param>
    <param-name>urlTransformer</param-name>
    <param-value>esg.orp.app.RegexReplaceAuthorizationFilterUrlTransformer</param-value>
  </init-param>
  <init-param>
    <param-name>urlTransformerReplacements</param-name>
    <param-value>"\?.*":"", "/dodsC/":"/fileServer/", "\.(asc|ascii|das|dds|dods|html)\Z":""</param-value>
  </init-param>
  <init-param>
    <param-name>authorizationServiceUrl</param-name>
    <param-value>https://localhost:8443/esg-orp/saml/soap/secure/authorizationService.htm</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>authorizationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
References
Tomcat configuration - http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Configuration
Esg-orp configuration - https://oodt.jpl.nasa.gov/wiki/display/CLIMATE/Part+2+-+Deploy+an+ESG+Openid+Relying+Party
Idps information - http://esgf.org/wiki/ESGF_IdPs
Manage openssl command - http://www.madboa.com/geek/openssl/#verify-standard
Esg-truststore - http://esgf.org/esg-certs/#ESG_Federation_Trust_Roots
Keystore and truststore - http://www.techbrainwave.com/?p=953
keytool commands - https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
Attachments (6)
- esg-orp.war (22.4 MB), added by vegasm 9 years ago: esg-orp app
- esgf_idp.xml (112 bytes), added by vegasm 9 years ago: idp's
- esgf_idp_static.xml (2.5 KB), added by vegasm 9 years ago: static idp's
- thredds_esg_security_libraries.zip (6.6 MB), added by vegasm 9 years ago: necessary libraries to add ESG security to THREDDS
- .keystore (2.2 KB), added by vegasm 9 years ago: necessary for esg-orp; contains the localhost PEM
- esg-truststore.ts (177.8 KB), added by vegasm 9 years ago: truststore with the localhost and pcmdi9 PEMs