Context Navigation

Changes between Version 12 and Version 13 of Aaa

Timestamp:: Oct 12, 2010, 4:45:54 PM (14 years ago)
Author:: tim.bauge
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

Aaa

-                      v12
+                      v13
 ||keystore.filepath||File path of keystore, as an absolute path||
 ||keystore.password||Keystore password, defined during the keystore deployement||
 ||key.alias||Key alias, obtained from ''__???__''||
 ||key.password||Key password, obtained from ''__???__''||
 ||partner.aaaservice.filepath||File path of AAA Service metadata. ''__how do you include multiple AAA services ???__''  This metadata is generated by ''__???__''||
 ||partner.sts1.filepath||File path of trusted STS metadata. This metadata is generated by ''__???__''||
 ||partner.sts2.filepath||File path of trusted STS metadata. This metadata is generated by ''__???__''||
+Note that more partner STS can be added, with incremental numbers. This allows peering between STS, and can be removed for a stand alone STS.
+||key.alias||Key alias, defined during the keystore deployement||
+||key.password||Key password, defined during the keystore deployement||
+||partner.aaaservice.filepath ^^1||File path of AAA Service metadata. This metadata file is available from the AAA service provider (file name hostedAaaMetadata.xml found in aaa.war/WEB-INF/classes/trustedEntities/)||
+||partner.sts1.filepath ^^1||File path of a trusted STS metadata if needed (one with which a federation agreement is in place). This metadata file is available from the remote STS provider (file name hostedStsMetadata.xml found in sts.war/WEB-INF/classes/trustedEntities/)||
+||partner.sts2.filepath ^^1||File path of another trusted STS metadata if needed (one with which a federation agreement is in place). This metadata file is available from the remote STS provider (file name hostedStsMetadata.xml found in sts.war/WEB-INF/classes/trustedEntities/)||
+^^1 For simplicity of configuration, the STS is by default set to have one AAA service which it trusts, and up to two federated STS (i.e. a federation of three in all). If more AAA services of STSs are required to be used in the deployment, further configuration changes are required which are beyond the scope of this cookbook. Please contact TRT (UK) directly for further instructions.
 * sts.war/WEB-INF/classes/trustedEntities/hostedStsMetadata.xml
 Configuration fields:
 …
 * sts.war/WEB-INF/classes/metadata.properties
 Configuration fields:
-'''COPY THESE FROM ABOVE'''
 ||= '''Field''' =||= '''Expected content''' =||
 ||keystore.file||File path of keystore||
 ||keystore.pass||Keystore password||
 ||key.pass||Key password||
 ||key.alias||Key alias||
 ||partner.aaaservice.file||File path of AAA Service metadata||
 ||partner.sts1.file||File path of trusted STS metadata||
 ||partner.sts2.file||File path of trusted STS metadata||
+||keystore.file||File path of keystore, as an absolute path||
+||keystore.pass||Keystore password, defined during the keystore deployement||
+||key.pass||Key password, defined during the keystore deployement||
+||key.alias||Key alias, defined during the keystore deployement||
+||partner.aaaservice.file||File path of AAA Service metadata, as described in pom.xml above||
+||partner.sts1.file||File path of a trusted STS metadata, as described in pom.xml above||
+||partner.sts2.file||File path of another trusted STS metadata, as described in pom.xml above||
+-----------------------------
+----------------------------------
+==== Configure ====
+ located in ???/WEB-INF.
+===== Setting up a keystore =====
+=== User administration ===
+The User Register contains user account data relating to users and their roles. It is configured in applicationContext-security.xml.
+The default configuration is an in-memory list that is populated using a properties file, “users.properties”. To add a user add the following to the file:
+==== User administration ====
+The STS holds user accounts. These are configured in sts.war/WEB-INF/classes/users.properties, and require entries of the following type:
 {{{
 username=password,role[,role][,enabled|disabled]
 e.g.    user1=password,USER,ADMIN,enabled
+e.g.    joe.blogs=zsd*7d],USER,ADMIN,enabled
 }}}
+The implementation of the user register can easily be changed, for example, to a database by changing the configuration of the userRegister bean.
 The allowed roles are:
+Modifying the users.properties file required a restart of the STS to take effect.
+The default deployment uses the following role semantics:
 * GUEST
 * USER
 …
 * ADMIN
 * SECURITY_CONTROLLER
+Other role semantics can be used, but require additional configuration. Please contact TRT (UK) directly for further instructions.
 == Access control decision making: AAA block ==
 A system provider MAY choose to deploy a AAA block. If it does not, resource and framework component providers wishing to use access control will have to provide their own.
 === Deployment ===
+The AAA Service is provided as a web app, to be deployed in a servlet container. A number of configuration options need to be set in the WAR file before it is deployed.
+==== Configure ====
+The configuration files are located in /WEB-INF within the WAR file. The Spring Security and authentication filters are configured in applicationContext-security.xml. The rest of the code is configured in applicationContext.xml. However, many of the properties set in the Spring context can configured in the properties files located in /WEB-INF/classes.
+===== Keystore =====
+The AAA Service requires a JKS keystore that contains a private key. This is the key that will be used to sign all SAML objects such as requests. A keystore can be generated using the Java Keytool. Instructions here: http://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore
+The keystoreManager bean needs to be configured to use this keystore. This can be done by changing the following properties in metadata.properties:
+||=Property=||=Description=||
+||keystore.file||Location of the keystore. Default is classpath:keystore.jks||
+||keystore.pass||Keystore password||
+||key.alias||Certificate alias to be used for signing objects||
+||key.pass||Password for the certificate alias||
+===== Metadata =====
+The exchange of SAML metadata is the first stage in enabling SAML single sign-on. Entities that wish to establish trust with the hosted AAA Service will need to exchange metadata. Therefore the STS used by the AAA Service to generate tokens must have the metadata for the AAA Service. Similarly, the AAA Service must have the metadata for the STS. The metadata follows the SAML 2.0 Metadata specification [1]. Metadata for the AAA Service should be created by hand or in the same way as for the STS above.
+In addition, the following properties must be set in metadata.properties
+||=Property=||=Description=||
+||sts.uri||Location of the STS to use to generate tokens||
+||sts.request.uri||URI on the STS to which requests for tokens should be sent||
+||aaaservice.uri||Location of the hosted AAA Service||
+===== Trusted Entity Register =====
+The Trusted Entity Register contains the metadata for all trusted Service Providers and trusted STSs. It is configured in the metadataProvider bean in applicationContext-saml.xml.
+To register a trusted entity, you will need the metadata for that entity either in a file or as a URL. The default metadata files are stored in /WEB-INF/classes/trustedEntities. Configure a bean for each trusted entity using the org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider class for metadata contained in a file or the org.opensaml.saml2.metadata.provider.HTTPMetadataProvider class for metadata as a URL.
+===== Accounting =====
+The database used for storing the accounting data may be configured by changing the following properties in application.properties.
+||=Property=||=Description=||
+||jdbc.driverClassName||The fully qualified Java classname of the JDBC driver to be used||
+||jdbc.url||The connection URL to be passed to the JDBC driver to establish a connection||
+||jdbc.username||The connection username to be passed to the JDBC driver to establish a connection||
+||jdbc.password||The connection password to be passed to the JDBC driver to establish a connection||
+||hibernate.dialect||The classname of a org.hibernate.dialect.Dialect which allows Hibernate to generate SQL optimised for a particular relational database||
+The AAA Service requires the following permissions for the database:
+* Create
+* Update
+* Delete
+* Select
+* Insert
+The AAA service is provided as a web app, to be deployed in a servlet container. A number of configuration options need to be set by editing property files in the WAR file before deployment.
+==== Getting the software components for the AAA service ====
+* Apache Tomcat servlet container or equivalent
+Instructions for setting up Apache Tomcat can be found [http://tomcat.apache.org/tomcat-6.0-doc/setup.html here].
+* Keystore
+The AAA service requires a JKS keystore that contains a private key. A keystore can be generated using the Java Keytool. Instructions [http://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore here].
+* AAA service WAR file
+The AAA service WAR file can be downloaded from here: [wiki:trt-war AAA downloads page].
+The WAR files should be first configured for the deployment setup (see below) and then deployed in the servlet container. For Tomcat, instructions are provided [http://tomcat.apache.org/tomcat-6.0-doc/deployer-howto.html here] (see in particular the "Deployment on Tomcat startup" section).
+==== AAA Service Configuration ====
+The WAR file contains 3 files which need configuring to run correctly on the target deployment platform. Each field requiring a deployment specific value has been identified with the string "REPLACE:". Other fields have been set to typical defaults which should satisfy most deployments. These can however be modified for advanced tuning of the AAA service. For more information contact TRT (UK).
+The WAR file is an archive containing object code, presentation templates and configuration files. The downloaded WAR file should therefore be opened (e.g. using [http://www.7-zip.org/ 7-zip]) to edit the following configuration files:
+* aaa.war/META-INF/maven/com.thalesresearch.sensei/sensei-sts-service/pom.xml
+Configuration fields:
+||= '''Field''' =||= '''Expected content''' =||
+||aaaservice.uri||URL of AAA. This will be the Tomcat server URL route suffixed with /AAA||
+||sts.uri||URL of the trusted STS||
+||sts.requestUri||URL of the trusted STS's request interface. By default, sts.uri/'''???'''||
+||sts.metadata.file||File path to the trusted STS metadata. This metadata file is available from the STS provider (file name hostedStsMetadata.xml found in sts.war/WEB-INF/classes/trustedEntities/)||
+||keystore.file||File path of keystore, as an absolute path||
+||keystore.password||Keystore password, defined during the keystore deployement||
+||key.alias||Key alias, defined during the keystore deployement||
+||key.password||Key password, defined during the keystore deployement||
+* aaa.war/WEB-INF/classes/trustedEntities/AaaMetadata.xml
+Configuration fields:
+||= '''Field''' =||= '''Expected content''' =||
+||entityID=||add the URL of this AAA service after the =||
+||ds:X509Certificate||encoded signing key of this AAA service (instructions on obtaining it [wiki:encoded_signing_key here]).||
+||Location=||add the URL of this AAA service between the = and the /.||
+* aaa.war/WEB-INF/classes/metadata.properties
+||= '''Field''' =||= '''Expected content''' =||
+||keystore.file||File path of keystore, as an absolute path||
+||keystore.pass||Keystore password, defined during the keystore deployement||
+||key.alias||Key alias, defined during the keystore deployement||
+||key.pass||Key password, defined during the keystore deployement||
+||sts.metadata.file||File path to the trusted STS metadata. This metadata file is available from the STS provider (file name hostedStsMetadata.xml found in sts.war/WEB-INF/classes/trustedEntities/)||
+||sts.uri||URL of trusted STS||
+||sts.request.uri||URL of the trusted STS's request interface. By default, sts.uri/'''???'''||
+||aaaservice.uri||URL of this AAA Service||
 === Management ===
 ==== Accounting interface ====
-* what it does
-The AAA Service records data about each request for an access control decision. It stores the following information:
-* The time at which the request was received
-* The username and role of the user accessing the resource
-* The identifier of the requested resource
-* The AAA decision and reason
-The Accounting interface provides access to the accounting information stored by the AAA Service.
-* how to view / reset / etc
 The Accounting data can be viewed at <aaaservice URI>/REST/Accounting
 The data can also be cleared at <aaaservice URI>/REST/Accounting/ClearAll
 Access to both of these URLs can be restricted by configuring the Spring Security Filter in applicationContext-security.xml
+Access to both of these URLs can be restricted by configuring the Spring Security Filter in applicationContext-security.xml. For more information contact TRT (UK).