wiki:ESGF-Security

Version 8 (modified by vegasm, 9 years ago)


Before publishing test datasets, it is necessary to install some security components and filters to support ESGF-Security.

Enable Tomcat SSL security

To enable SSL we need a certificate issued by a Certificate Authority such as Verisign, but we can also create a self-signed one, although the browser will not recognize it as trusted. We will need two files: a keystore and a truststore. A keystore is a file which contains private keys and certificates; its certificate is presented to the remote party during the SSL connection. A truststore contains the CA certificates you are willing to trust when a remote party presents its certificate.

Install and configure SSL support on Tomcat 6

Create a keystore file to store the server's private key and self-signed certificate by executing the following (keytool prompts for the keystore password and for the certificate's subject fields; use the password changeit so that it matches the configuration below):

keytool -genkey -alias tomcat -keyalg RSA
password: changeit

This command will create a file in your user home directory named ".keystore". This keystore contains the server certificate whose alias is tomcat.

Download the ESGF truststore, which contains the trusted CAs, and add your tomcat certificate to it:

  1. Download the ESGF truststore from https://rainbow.llnl.gov/dist/certs/esg-truststore.ts and import your tomcat certificate into it yourself, or download the attachment:esg-truststore.ts, which already contains the tomcat PEM certificate. You can also download the attachment:.keystore.
  1. Uncomment the SSL HTTP/1.1 Connector entry in $CATALINA_HOME/conf/server.xml and add the following Connector (clientAuth="want" makes Tomcat request, but not require, a client certificate):
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
       clientAuth="want" keystoreFile="C:\apache-tomcat-6.0.36\config_files\esg-orp\.keystore" keystorePassword="changeit"
       truststoreFile="C:\apache-tomcat-6.0.36\config_files\esg-orp\esg-truststore.ts" truststorePass="changeit" sslProtocol="TLS" />

  1. Point Java at the truststore through JVM system properties (Java's SSL layer needs it to validate the certificates of remote parties)

Edit $CATALINA_HOME/bin/setclasspath.bat (windows) or $CATALINA_HOME/bin/setclasspath.sh (Linux) and add the following:

 rem Windows
 set "JAVA_OPTS=-Xmx2560m -Xms2560m -Ddebug=true -Djavax.net.ssl.trustStore=C:/apache-tomcat-6.0.36/config_files/esg-orp/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=changeit"
 echo %JAVA_OPTS%
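As an added example (not part of this wiki page or of the ESGF distribution), the following shell script performs the keystore and truststore steps above non-interactively and then checks that the truststore opens with the password and contains the tomcat entry, which is worth doing before restarting Tomcat. The working directory, the subject name and the 365-day validity are assumptions; the alias tomcat and the password changeit follow the page, and a freshly created file stands in for the downloaded ESGF truststore.

```shell
#!/bin/sh
# Added example, not from the ESGF wiki. Assumes keytool (from the JDK) is on PATH.
WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumption: scratch directory
KEYSTORE="$WORKDIR/.keystore"
TRUSTSTORE="$WORKDIR/esg-truststore.ts"     # stands in for the downloaded ESGF truststore
STOREPASS="changeit"                        # password used throughout the page
ALIAS="tomcat"                              # alias used throughout the page

# 1. Server keystore: private key + self-signed certificate under alias "tomcat".
#    -dname supplies the subject fields the page's command asks for interactively.
#    Any previous keystore is removed so the step can be repeated.
make_keystore() {
  rm -f "$KEYSTORE"
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost, OU=ESGF test, O=example" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# 2. Export the public certificate (PEM) and import it into the truststore as a
#    trusted entry: this is the "add your tomcat certificate" step of the page.
#    A stale entry with the same alias is dropped first so a regenerated cert replaces it.
add_cert_to_truststore() {
  keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -rfc -file "$WORKDIR/tomcat.pem" >/dev/null 2>&1 || return 1
  keytool -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORKDIR/tomcat.pem" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# 3. Check: the truststore opens with the configured password and lists the alias
#    as a trustedCertEntry. Returns 0 only if both hold.
cert_in_truststore() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | grep -i "^$ALIAS," | grep -q trustedCertEntry
}

main() {
  make_keystore && add_cert_to_truststore && cert_in_truststore
}

if command -v keytool >/dev/null 2>&1; then
  if main; then echo "truststore OK: $TRUSTSTORE"; else echo "truststore check FAILED" >&2; fi
else
  echo "keytool not found on PATH" >&2
fi
```

Point keystoreFile and truststoreFile in server.xml at the two files the script writes, keeping the same password, and the JAVA_OPTS line above at the truststore.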

Deploy and configure ESG-ORP

  1. Start the Tomcat server: run $CATALINA_HOME/bin/startup.bat on Windows or $CATALINA_HOME/bin/startup.sh on Linux.
  2. Move the attachment:esg-orp.war to $CATALINA_HOME/webapps. Tomcat unpacks it into a new directory called 'esg-orp'.

Edit WEB-INF/classes/esg-orp.properties to configure ESG-ORP to sign the cookies:

#location of keystore used to sign the authentication cookie
keystoreFile=C:/apache-tomcat-6.0.36/config_files/esg-orp/.keystore

#password used to read the keystore
keystorePassword=changeit

#alias of keystore entry used to sign the authentication cookie
keystoreAlias=tomcat

ESG-ORP manages a whitelist of the IdPs the app accepts. The IdPs are the entities which provide an OpenID login and return a valid cookie. We will need two lists, which you can download from here: attachment:esgf_idp.xml and attachment:esgf_idp_static.xml. If your IdP is not contained in esgf_idp_static.xml, just add it to the file. These files have to be saved in WEB-INF/classes/esg/config because of a bug in the app: it only accepts Linux paths or relative paths, and Windows paths are not handled at the moment.

The file that reads these lists is WEB-INF/classes/esg/orp/orp/config/security-context-auth.xml. Go to line 84 and replace it with this line:

<property name="idpWhiteListFile" value="esg/config/esgf_idp.xml, esg/config/esgf_idp_static.xml" />

Test ESG-ORP

Open your browser and go to http://localhost:8080/OpenidRelyingParty . You should be redirected to an HTTPS page where you are prompted to enter your OpenID.

References

Tomcat SSL configuration - http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Configuration

ESG-ORP configuration - https://oodt.jpl.nasa.gov/wiki/display/CLIMATE/Part+2+-+Deploy+an+ESG+Openid+Relying+Party

IdPs information - http://esgf.org/wiki/ESGF_IdPs

OpenSSL commands - http://www.madboa.com/geek/openssl/#verify-standard

ESG truststore - http://esgf.org/esg-certs/#ESG_Federation_Trust_Roots

Keystore and truststore - http://www.techbrainwave.com/?p=953

Keytool commands - https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
