Page Comparison - Administrators Guide (v.19 vs v.20) - WebSSO 1.3

Version 19 by Sarah Honacki
on Nov 03, 2009 15:46.

<< Changes from 18 to 19

compared with

Current by Mark Grand
on Oct 08, 2010 08:22.

Key

This line was removed.

This word was removed. This word was added.

This line was added.

Changes (23)

View Page History

...

{toc:outline=false||exclude=Administrator's Guide|style=bullets}
{cagridroundpanel}

h1. Web Single Sign On (WebSSO) Server Installation and Configuration
----

...

{info}In order for SyncGTS to 'sync' up the CA certificates on the WebSSO Server, the master GTS Certificate Authority .0 file must be copied from GTS to WebSSO.
Copy the MASTER GTS CA.0 file from the GTS server that is at the $HOME/.globus/certificates to the $HOME/.globus/certificates folder on the WebSSO server.

{info}{*}Note:* if you don't opt to start syncGTS programatically.For detailed steps refer Step 5 and Step 6.
{info}We MUST configure Globus to trust the CA that issued the host credentials obtained in the previous step. To do this, place a copy of the certificate for the CA that issued the host credentials in the Globus trusted certificates directory. Unless otherwise specified during installation, this is usually _USER_HOME/.globus/certificates_. Globus requires all CA certificates in its trusted certificates directory to be in PEM format and to have a digit extension (0-9). For example, if a CA certificate is stored in the file _cacert.pem_, it should be copied to the directory _USER_HOME/.globus/certificates_ (create directory if needed) with the file name "_cacert.0_"

h2. Step 5: Configuring the WebSSO Server

Configure cas.properties and websso-properties-template.xml requires *host certificate,host key* obtained from step 3, websso server host name, websso server https port, start auto sync gts \[yes\]/\[no\]. Type the commands given below on the command prompt and provide details when prompted as shown in the sample output:

{noformat}%> cd WEBSSO_LOCATION %> ant configure-websso

%> ant configure-websso

{noformat}Following is sample output :

{code:xml}Buildfile: build.xml

configure-websso:
[input] Enter the location of the host certificate (PEM format):
C:/Documents and Settings/user_account/host-cert.pem
[input] Enter the location of the host key (PEM format):
C:/Documents and Settings/user_account/host-key.pem
[input] Enter websso server host name:
localhost
[input] Enter websso server https port (int value):
8443
[input] Enter start auto sync gts (yes or no) : [no]
yes

defineAntTask:

-resolve-template-tokens:

-replace-token-contents:
[copy] Copying 1 file to C:\devroot\caGrid\cagrid-1-0\caGrid\projects\websso\src\resources
[copy] Copying 1 file to C:\devroot\caGrid\cagrid-1-0\caGrid\projects\websso\src\resources

{code:xml}Buildfile: build.xml configure-websso: [input] Enter the location of the host certificate (PEM format): C:/Documents and Settings/user_account/host-cert.pem [input] Enter the location of the host key (PEM format): C:/Documents and Settings/user_account/host-key.pem [input] Enter websso server host name: localhost [input] Enter websso server https port (int value): 8443 [input] Enter start auto sync gts (yes or no) : [no] yes defineAntTask: -resolve-template-tokens: -replace-token-contents: [copy] Copying 1 file to C:\devroot\caGrid\cagrid-1-0\caGrid\projects\websso\src\resources [copy] Copying 1 file to C:\devroot\caGrid\cagrid-1-0\caGrid\projects\websso\src\resources

{code}The WebSSO is configured through an file, *WEBSSO_LOCATION/src/resources/websso-properties.xml.* Below is an example of the websso property file, followed by a description of each of the properties:

{code:xml}<websso-properties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="websso-properties.xsd">

<websso-server-information> {code:xml}<websso-propertiesxmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:noNamespaceSchemaLocation="websso-properties.xsd"><websso-server-information><start-auto-syncgts>@START.AUTO.SYNC.GTS@</start-auto-syncgts><host-credential-certificate-file-path>@WEBSSO.SERVER.HOST.CERTIFICATE@</host-credential-certificate-file-path><host-credential-key-file-path>@WEBSSO.SERVER.HOST.KEY@</host-credential-key-file-path></websso-server-information><credential-delegation-service-information><service-url>https://cds.training.cagrid.org:8443/wsrf/services/cagrid/CredentialDelegationService</service-url><service-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/cds.training.cagrid.org</service-identity><delegation-lifetime-hours>8</delegation-lifetime-hours><delegation-lifetime-minutes>0</delegation-lifetime-minutes><delegation-lifetime-seconds>0</delegation-lifetime-seconds><issued-credential-path-length>0</issued-credential-path-length></credential-delegation-service-information><dorian-services-information><dorian-service-descriptor><display-name>>Training</display-name><service-url>https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian</service-url><service-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/dorian.training.cagrid.org</service-identity><proxy-lifetime-hours>12</proxy-lifetime-hours><proxy-lifetime-minutes>0</proxy-lifetime-minutes><proxy-lifetime-seconds>0</proxy-lifetime-seconds></dorian-service-descriptor></dorian-services-information><delegated-applications-group><group-name>String</group-name><delegated-application-list><delegated-application><application-name>webssoclientexample1-1.3-dev</application-name><host-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/WEBSSOCLIENT1</host-identity></delegated-application><delegated-application><application-name>webssoclientexample2-1.3-dev</application-name><host-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/WEBSSOCLIENT2</host-identity></delegated-application></delegated-application-list></delegated-applications-group></websso-properties>

<start-auto-syncgts>@START.AUTO.SYNC.GTS@</start-auto-syncgts>
<host-credential-certificate-file-path>@WEBSSO.SERVER.HOST.CERTIFICATE@</host-credential-certificate-file-path>
<host-credential-key-file-path>@WEBSSO.SERVER.HOST.KEY@</host-credential-key-file-path>
</websso-server-information>
<credential-delegation-service-information>
<service-url>https://cds.training.cagrid.org:8443/wsrf/services/cagrid/CredentialDelegationService</service-url>
<service-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/cds.training.cagrid.org</service-identity>
<delegation-lifetime-hours>8</delegation-lifetime-hours>
<delegation-lifetime-minutes>0</delegation-lifetime-minutes>
<delegation-lifetime-seconds>0</delegation-lifetime-seconds>
<issued-credential-path-length>0</issued-credential-path-length>
</credential-delegation-service-information>
<dorian-services-information>
<dorian-service-descriptor>
<display-name>>Training</display-name>
<service-url>https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian</service-url>
<service-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/dorian.training.cagrid.org</service-identity>
<proxy-lifetime-hours>12</proxy-lifetime-hours>
<proxy-lifetime-minutes>0</proxy-lifetime-minutes>
<proxy-lifetime-seconds>0</proxy-lifetime-seconds>
</dorian-service-descriptor>
</dorian-services-information>
<delegated-applications-group>
<group-name>String</group-name>
<delegated-application-list>
<delegated-application>
<application-name>webssoclientexample1-1.3-dev</application-name>
<host-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/WEBSSOCLIENT1</host-identity>
</delegated-application>
<delegated-application>
<application-name>webssoclientexample2-1.3-dev</application-name>
<host-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/WEBSSOCLIENT2</host-identity>
</delegated-application>
</delegated-application-list>
</delegated-applications-group>
</websso-properties>

{code}

h1. WebSSO Properties
----

...

# *websso-server-information* \- This section contains information about the WebSSO Server.
## *start-auto-syncgts* \- This is a configuration parameter indicating whether the WebSSO Server should start SyncGTS automatically or not. "yes" indicates WebSSO Server to start the SyncGTS daemon.
## *host-credential-certificate-file-path* \- This is the path to the WebSSO Server's Host Certificate File obtained in Step 3 above.
## *host-credential-key-file-path* \- This is the path to the WebSSO Server's Host Key File obtained in Step 3 above.
# *credential-delegation-service-information* \- This section is used to configure the Credential Delegation Service which will be used to publish the delegation policy for User's Grid Credentials
## *service-url* \- This is the URL to the Credential Delegation Service.This information is known based on the prior installation of CDS.
## *service-identity* \- This is the service Identity for Credential Delegation Service.
## *delegation-lifetime-hours* \- This is the hours for which the delegation policy remains alive.
## *delegation-lifetime-minutes* \- This is the minutes for which the delegation policy remains alive.
## *delegation-lifetime-seconds* \- This is the seconds for which the delegation policy remains alive.
## *issued-credential-path-length* \- A path length specifies the length of a credential chain. For example a credential with a length of 2 means that the credential can be delegated to a second party and the second party could in turn delegate the credential to a third party at which point the third party can no longer delegate the credential. The Issued Credential Path Length specifies the path length of the credentials issued to third parties. An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential.
# *dorian-services-information* \-
## *dorian-service-descriptor* \- This section is used to configure the Dorian Server which will be used to retrieve User's Grid Credentials.
### *display-name* \- This is the display name for the Dorian Service which is displayed on the login screen.
### *service-url* \- This is the URL to the Dorian Service.
### *service-identity* \- This is the service Identity for the Dorian Service.
### *proxy-lifetime-hours* \- This is the hours for which the proxy remains alive.
### *proxy-lifetime-minutes* \- This is the minutes for which the proxy remains alive.
### *proxy-lifetime-seconds* \- This is the seconds for which the proxy remains alive.
# *delegated-applications-group* \- These are the group of applications to which user's credentials are to be delegated. In future these will be provided as a choice to the user. As of now they are just static list.
## *group-name* \- This is the name given to the group of the applications to which a user's credentials is delegated.
## *delegated-application-list* \- These are the list of the applications to which user's credentials are to be delegated.
### *delegated-application* \- This is the entry for an application to which the user's credentials are delegated..
#### *application-name* \- This is the name of the application to which the user's credentials are delegated.
#### *host-identity* \- This is the host identity (obtained from the Host Credentials that are obtained from the Dorian) of the application to which the user's credentials are delegated.

h2. Step 6: Copy the Sync Description File

In order to sync with the Grid Trust Fabric, the WebSSO Server needs a sync-description.xml file in its classpath to start SyncGTS programatically if the *start-auto-syncgts* entry in WebSSO Configuration file is set to 'yes'. Depending upon the grid you are trying to connect to, you need to obtain the sync-description.xml file from the corresponding Grid Administrator. This file needs to be placed in *WEBSSO_LOCATION/ext/target_grid* folder.
{info}{*}NOTE:* if you have turned *start-auto-syncgts* to 'no', then the onus of syncing with the trust fabric relies on the administrator. This can be done manually by starting the syncGTS Daemon. For detailed steps refer to [GTS|gts:home]
{info}
h2. Step 7: Building WebSSO Server

Build WebSSO server. Type the following from a command prompt:

{noformat}%> cd WEBSSO_LOCATION %> ant clean all

%> ant clean all

{noformat}
h2. Step 8: Configuring Tomcat

Creating host credential keystore from host credentials requires *host certficate* and *host key* obtained from step 3. Type the commands given below on the command prompt and provide details when prompted as shown in the sample output:

{noformat}%> cd WEBSSO_LOCATION %> ant create-tomcat-https-keystore

%> ant create-tomcat-https-keystore

{noformat}Following is sample output :

{code:xml}uildfile: build.xml

create-tomcat-https-keystore:
[java] Changes to environment variables are ignored when same JVM is used.
[java] Enter a location and name for your keystore:
C:/Documents and Settings/user_account/mykeystore
[java] Enter a password for your keystore:
websso
[java] Enter the location of the certificate (PEM format):
C:/Documents and Settings/user_account/host-cert.pem
[java] Enter the location of the private key (PEM format):
C:/Documents and Settings/user_account/host-key.pem
[java] Enter the current password of the private key:
websso

{code:xml}uildfile: build.xml create-tomcat-https-keystore: [java] Changes to environment variables are ignored when same JVM is used. [java] Enter a location and name for your keystore: C:/Documents and Settings/user_account/mykeystore [java] Enter a password for your keystore: websso [java] Enter the location of the certificate (PEM format): C:/Documents and Settings/user_account/host-cert.pem [java] Enter the location of the private key (PEM format): C:/Documents and Settings/user_account/host-key.pem [java] Enter the current password of the private key: websso

{code}Since the WebSSO Server would be running using SSL we need to configure Tomcat to enable SSL. Add https connector in *CATALINA_HOME/conf/server.xml*.
# Edit the file *CATALINA_HOME/conf/server.xml* (example shown below).

...

# Add *keystoreFile* parameter containing the location of the keystore you just created.
# Add *keystorePass* parameter containing the the password of the keystore you just created.

{noformat} <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:/Documents and Settings/user_account/mykeystore" keystorePass="password" />

{noformat}

h2. Step 9: Deploying WebSSO into Tomcat

{noformat}%> cd WEBSSO_LOCATION %> ant deployTomcat

%> ant deployTomcat

{noformat}
h2. Step 10: Verifying the Installation

...

Once you have deployed WebSSO, you have completed the installation and configuration of WebSSO. Next verify that the installation was successful by starting the container that WebSSO was deployed to. To start a secure Tomcat container run the startup script (startup.sh or startup.bat) located in TOMCAT_INSTALLATION_DIRECTORY/bin. If the container starts up we are ready to verify that the WebSSO installation was successful.
\\

From browser type [http://@WEBSSO_SERVER_NAME@:@PORT_NUMBER@/webssoserver|http://@WEBSSO_SERVER_NAME@:@PORT_NUMBER@/webssoserver] https://@WEBSSO_SERVER_NAME@:@PORT_NUMBER@/webssoserver and make sure you are able to login into WebSSO by providing user name and password credentials.