
INAF-OATs Technical Report 233

Administrator Guide 1.0

Installation, configuration, deployment and run guide for the Access Control module.

Sara Bertocco

Giuliano Taffoni

Edition 1

Authors: Sara Bertocco [email protected], Giuliano Taffoni [email protected]

This guide explains how to install, configure, deploy and run the Access Control module of the Opensoftware library of the Canadian Astronomy Data Center.

Contents

1. Introduction
   1.1. Requirements and recommendations

2. Tomcat Web Server Installation
   2.1. Tomcat Download and Install
   2.2. Run tomcat web server
   2.3. Run tomcat web server as tomcat user on port 80 or 443 using JSVC

3. Tomcat Web Server Configuration
   3.1. Introduction to SSL/TLS
   3.2. Server Certificate
   3.3. Certificates bundle
   3.4. SSL tomcat configuration
   3.5. Enable SSL debug
   3.6. Enable proxy usage in tomcat
   3.7. Enable login-password authentication (cadc software specific)

4. 389 Directory Server Install and Configure
   4.1. Performance and security setup
   4.2. Installation steps
   4.3. Ldap server configuration
   4.4. Start/Stop 389-ds services
   4.5. Use and test the system

5. 389 Directory server configuration
   5.1. Enable SSL support step by step
   5.2. Enable SSL troubleshooting
   5.3. Modify 389 Directory Server Schema
   5.4. 389-console log-in
   5.5. Enable MemberOf Plug-in
   5.6. Initializing and synchronizing memberOf attributes with fixup-memberof.pl script
   5.7. Create LDAP tree
   5.8. Create your own (admin) user
   5.9. Initialize LDAP Tree Access Control Instructions (ACI)
   5.10. Graphical representation of the LDAP tree

6. The CADC Access Control Software
   6.1. Access Control software description
   6.2. Build Access Control software module
   6.3. Access Control configuration
   6.4. Access Control deployment

A. Revision History

Index

Chapter 1. Introduction

Access Control is a client and server authentication and authorization implementation for user and group management.

It has LDAP as the default, built-in persistence layer and it provides a RESTful interface to authentication, authorization and user and group management.

1.1. Requirements and recommendations

Prerequisites and recommendations to run the Access Control Service are:

• the CentOS 7 operating system is recommended,

• a Tomcat 7 installation with SSL/TLS support enabled is required,

• an LDAP installation supporting the memberOf feature and secure connections is required. 389 Directory Server is recommended.

Chapter 2. Tomcat Web Server Installation

This chapter explains how to install Tomcat 7 and the packages needed to support SSL/TLS, and how to run it on privileged ports. The guide refers to the CentOS 7 distribution.

2.1. Tomcat Download and Install

Install the EPEL repository:

yum install epel-release

Install tomcat server:

yum install tomcat -y

Install APR native support to add SSL/TLS support:

yum install openssl-devel -y
yum install tomcat-native -y

Install the tomcat-jsvc package. It allows the tomcat process to bind to ports 80 and 443 while running as a non-privileged user.

yum install tomcat-jsvc -y

The server, as installed until now, does not serve any content. Some content can be placed into the server by installing optional packages:

yum install tomcat-admin-webapps.noarch
yum install tomcat-docs-webapp.noarch
yum install tomcat-javadoc.noarch
yum install tomcat-systemv.noarch
yum install tomcat-webapps.noarch

2.2. Run tomcat web server

Enable tomcat to start at boot time:

systemctl enable tomcat

Start tomcat:

systemctl start tomcat

2.3. Run tomcat web server as tomcat user on port 80 or 443 using JSVC

Using jsvc, the tomcat web server can be run as the tomcat user on port 80 or 443.

Enable tomcat-jsvc to start at boot time:

systemctl enable tomcat-jsvc

Start tomcat-jsvc:

systemctl start tomcat-jsvc

Chapter 3. Tomcat Web Server Configuration

This chapter explains how to configure the tomcat web server to support

• SSL/TLS using APR (Apache Portable Runtime) native support

• proxies

• opencadc name-password login.

Reference guide for tomcat SSL/TLS configuration is:

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

3.1. Introduction to SSL/TLS

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols which allow web browsers and web servers to communicate in a secure way. This means that the data being sent is encrypted by one side, transmitted and then decrypted by the other side before processing. This is a two-way process, meaning that both the server and the browser encrypt all traffic before sending out data.

The SSL/TLS protocol requires authentication. During the initial attempt to communicate with a web server over an SSL/TLS connection, the server presents the web browser with a set of credentials, in the form of a "Certificate", proving that the site is who and what it claims to be. "Client Authentication" can also be required, i.e. the server may also request a certificate from the web browser, as proof that it is who it claims to be.

3.2. Server Certificate

In order to implement SSL/TLS, a web server must have an associated certificate for each external interface (IP address) that accepts secure connections. The certificate is like a "digital passport": it states that its owner is who it should be.

For the certificate to work in visitors' browsers without warnings, it needs to be cryptographically signed by a trusted third party. These third parties are called Certificate Authorities (CAs).

A signed certificate can be obtained by asking a Certification Authority, following the instructions provided by the CA itself. A range of CAs is available and some CAs offer certificates free of charge.

We need a server certificate to implement the server side SSL/TLS configuration. For this reason, we will request a certificate from a certification authority, which releases three files:

SERVER-CERT.pem
SERVER-KEY.pem
CA_CERT_CHAIN.pem

Sometimes the certificate is provided as a single .p12 file. In this case the two files, .crt (.pem) and .key, can be obtained using openssl commands:

openssl pkcs12 -nocerts -in cert.p12 -out certkey.pem
openssl pkcs12 -clcerts -nokeys -in cert.p12 -out certcrt.pem

The Certification Authority certificate chain is a single file in the case of a root CA. It can be a concatenation of more files in the case of subordinate CAs. A subordinate CA is a CA that has been issued a certificate by another CA (root CA). There can be more levels of subordinate CAs. In the case of a root CA with two layers of subordinate CAs and a server certificate released by the second level subordinate CA, e.g.

Root Certificate (root-cacert.pem)
  Sub CA 1 (subCA1-cacert.pem)
    Sub CA 2 (subCA2-cacert.pem)
      Server Certificate (my_server_cert.p12)

the CA certificate chain file is obtained by concatenating the files in the order below:

cat subCA2-cacert.pem subCA1-cacert.pem root-cacert.pem >> CA_CERT_CHAIN.pem

Be careful: the order matters. The right order is the inverse of the hierarchy, starting from the CA that signed the server certificate and ending with the root:

Intermediate 3, Intermediate 2, Intermediate 1, Root Certificate.

After combining the ASCII data into one file, the validity of the certificate chain for sslserver usage can be verified by issuing:

openssl verify -verbose -purpose sslserver -CAfile MY_CA_CERT_CHAIN.pem MY-SERVER-CERT.pem
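Building the chain file and checking it before it reaches Tomcat, as an added example (this script is not part of the report or of the CADC software; it reuses the report's example file names, and the two helpers that need openssl report "not checked" rather than passing when openssl is absent):

```shell
#!/bin/sh
# Added example, not part of the INAF-OATs report: assemble the CA chain file
# in the order the guide requires (CA closest to the server certificate first,
# root CA last) and check it before handing it to Tomcat. The file names are
# the report's own example names; the functions are this example's.

# build_chain OUTFILE CERT... : concatenate the CERT files into OUTFILE in the
# order given. Every input must hold exactly one PEM certificate block; a file
# with zero or several blocks (a whole bundle pasted in by mistake) is rejected.
build_chain() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
        if [ "$n" != 1 ]; then
            echo "build_chain: $f holds '$n' certificate blocks, expected exactly 1" >&2
            return 1
        fi
        cat "$f" >> "$out"
    done
}

# chain_depth FILE : number of certificates in a chain file
chain_depth() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_order_ok CHAIN : with openssl installed, check that each certificate in
# CHAIN is issued by the one that follows it (issuer of i == subject of i+1),
# which is exactly the "inverse order" the guide insists on. Returns 2 when
# openssl is not available, so callers can tell "not checked" from "wrong".
chain_order_ok() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    # split the chain into 1.pem, 2.pem, ... in file order
    awk -v dir="$dir" '/^-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/" n ".pem") }' "$1"
    i=1
    rc=0
    while [ -f "$dir/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$dir/$i.pem")
        subject=$(openssl x509 -noout -subject -in "$dir/$((i + 1)).pem")
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain_order_ok: certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# verify_chain CHAIN SERVERCERT : the guide's own openssl check, wrapped so a
# missing openssl is reported as "not checked" (2) instead of as a pass.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -verbose -purpose sslserver -CAfile "$1" "$2"
}

# Typical use on the CentOS 7 host (needs openssl for the last two steps):
#   build_chain CA_CERT_CHAIN.pem subCA2-cacert.pem subCA1-cacert.pem root-cacert.pem
#   chain_order_ok CA_CERT_CHAIN.pem && verify_chain CA_CERT_CHAIN.pem MY-SERVER-CERT.pem
```

The one-block-per-file rule in build_chain catches the most common mistake, which is passing an already concatenated bundle (or the system tls-ca-bundle.pem) as one of the intermediates; chain_order_ok then catches the other one, a chain written root-first.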

3.3. Certificates bundle

In order to support client authentication, tomcat must know the certificates of the Certification Authorities (CAs) that issued the client certificates it will accept. This is done by configuring a certificate bundle. The best way is to configure tomcat to use the system certificate bundle, adding to it all the needed CA certificates. The default system certificate bundle is:

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

The instructions to modify the system ca-bundle provided by the CentOS 7 distribution are below:

cat /etc/pki/ca-trust/extracted/pem/README

This directory /etc/pki/ca-trust/extracted/pem/ contains
CA certificate bundle files which are automatically created
based on the information found in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.

All files are in the BEGIN/END CERTIFICATE file format,
as described in the x509(1) manual page.

Distrust information cannot be represented in this file format,
and distrusted certificates are missing from these files.

If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
then you can use these files in your application to load a list of global
root CA certificates.

Please never manually edit the files stored in this directory,
because your changes will be lost and the files automatically overwritten,
each time the update-ca-trust command gets executed.

Please refer to the update-ca-trust(8) manual page for additional information.

The steps to perform are slightly different: the target directory where to copy the certificate files is /etc/pki/ca-trust/source/anchors/. Using our example:

cp subCA2-cacert.pem /etc/pki/ca-trust/source/anchors/
cp subCA1-cacert.pem /etc/pki/ca-trust/source/anchors/
cp root-cacert.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

A wide set of Certification Authorities can be supported. The CA certificates can be added using rpm distributions. Two useful reference links with instructions on how to install Certification Authorities are:

• EGI IGTF Release [1]

• Open Science Grid: Installing Certificate Authorities Certificates and related RPMs [2]

Here is a quick reference to install the EGI IGTF distribution and to populate the system ca-bundle with the newly installed certificates:

wget -O /etc/yum.repos.d/EGI-trustanchors.repo http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo
yum install ca-policy-egi-core
cd /etc/grid-security/certificates/
for i in *.pem; do ln -s /etc/grid-security/certificates/$i /etc/pki/ca-trust/source/anchors/$i; done
update-ca-trust extract

3.4. SSL tomcat configuration

Tomcat can use two different implementations of SSL:

• the JSSE implementation provided as part of the Java runtime (since 1.4)

• the APR implementation, which uses the OpenSSL engine by default.

This guide explains how to configure the APR implementation.

The APR connector can be configured in $TOMCAT_HOME/conf/server.xml, as below:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" />

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  SSLCertificateFile="/opt/tomcat/conf/tls/MY-SERVER-CERT.pem"
  SSLCertificateKeyFile="/opt/tomcat/conf/tls/MY-SERVER-KEY.key"
  SSLCertificateChainFile="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
  SSLCACertificateFile="/etc/pki/tls/certs/ca-bundle.crt"
  SSLVerifyClient="require" SSLVerifyDepth="10" SSLProtocol="ALL" />

[1] https://wiki.egi.eu/wiki/EGI_IGTF_Release
[2] https://twiki.grid.iu.edu/bin/view/Documentation/Release3/InstallCertAuth

Where

• MY-SERVER-CERT.pem and MY-SERVER-KEY.key are the server certificate and its private key

• MY_CA_CERT_CHAIN.pem is the CA certificate chain file as explained above.

• ca-bundle.crt is the system default ca-bundle enriched with the installed certificates, as explained above.

The default OpenSSL engine can be used by configuring it in ${TOMCAT_HOME}/conf/server.xml:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

The APR library must be available (see the tomcat installation guide for instructions).

To check the SSL/TLS configuration and verify the set of supported CA, use:

openssl s_client -showcerts -connect <YOUR_SERVER_HOST_FQDN>:443 -debug
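A static pre-flight check of the APR connector, added here as an example (it is not the report's or the CADC project's code): it assumes the Tomcat 7 APR connector attribute names used in the listing above and checks, for every APR connector with SSLEnabled="true", that the SSLEngine="on" listener is present, that the certificate and key files are readable, that the private key is not group- or world-readable, and that SSLProtocol names TLS versions explicitly instead of ALL:

```shell
#!/bin/sh
# Added example, not part of the INAF-OATs report: static checks on the APR
# SSL connector in server.xml before tomcat is (re)started. Attribute names
# are Tomcat 7's; the helper functions are this example's.

# elements FILE : print one XML tag per line (server.xml attributes usually
# span several lines, which defeats a plain grep).
elements() {
    awk 'BEGIN { RS = ">" } { gsub(/\n/, " "); print $0 ">" }' "$1"
}

# attr NAME TAG : value of NAME="..." in TAG, empty when absent
attr() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\"\([^\"]*\)\".*/\1/p"
}

# check_apr_ssl SERVER_XML : returns 0 when every check passes, 1 otherwise,
# printing one line per finding on stderr.
check_apr_ssl() {
    xml=$1
    rc=0
    tags=$(mktemp) || return 1
    elements "$xml" > "$tags"

    # The APR connector only does TLS when the APR listener has SSLEngine="on"
    # (the <Listener> line the guide adds to server.xml).
    if grep -q 'Http11AprProtocol' "$tags" &&
       ! grep 'AprLifecycleListener' "$tags" | grep -q 'SSLEngine="on"'; then
        echo "no AprLifecycleListener with SSLEngine=\"on\" for the APR connector" >&2
        rc=1
    fi

    while IFS= read -r tag; do
        case $tag in *Http11AprProtocol*) ;; *) continue ;; esac
        case $tag in *'SSLEnabled="true"'*) ;; *) continue ;; esac
        port=$(attr port "$tag")

        # Certificate and key files must exist and be readable by the tomcat user.
        for a in SSLCertificateFile SSLCertificateKeyFile; do
            f=$(attr "$a" "$tag")
            if [ -z "$f" ]; then
                echo "port $port: $a is not set" >&2; rc=1
            elif [ ! -r "$f" ]; then
                echo "port $port: $a=$f is missing or unreadable" >&2; rc=1
            fi
        done

        # The private key must not be readable by group or others.
        key=$(attr SSLCertificateKeyFile "$tag")
        if [ -n "$key" ] && [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
            echo "port $port: private key $key is readable by group or others" >&2; rc=1
        fi

        # SSLProtocol="ALL" (or unset) leaves the SSLv2/SSLv3 decision to the
        # tomcat-native build in use; list the TLS versions explicitly instead.
        case $(attr SSLProtocol "$tag") in
            ""|*[Aa][Ll][Ll]*|*SSLv2*|*SSLv3*)
                echo "port $port: SSLProtocol should name TLS versions only, e.g. TLSv1+TLSv1.1+TLSv1.2" >&2
                rc=1 ;;
        esac
    done < "$tags"
    rm -f "$tags"
    return $rc
}

# Typical use: check_apr_ssl ${TOMCAT_HOME}/conf/server.xml && systemctl restart tomcat
```

Run it before the restart; a non-zero exit with the findings on stderr tells you what to fix first. The permission check is the one most often missed after copying MY-SERVER-KEY.key into /opt/tomcat/conf/tls/: the key should be owned by the tomcat user and mode 0600, since any local account that can read it can impersonate the server.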

3.5. Enable SSL debug

To enable the SSL debug output in catalina.out, set

JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl -Djava.net.debug=record,keygen,handshake"

in ${TOMCAT_HOME}/bin/catalina.sh

3.6. Enable proxy usage in tomcat

To enable proxy certificate support in Tomcat, the environment variable OPENSSL_ALLOW_PROXY_CERTS must be defined and set to 1. This can be achieved by adding

export OPENSSL_ALLOW_PROXY_CERTS=1

at the beginning of ${TOMCAT_HOME}/bin/catalina.sh, or in the systemd service script, or in a file ${TOMCAT_HOME}/bin/setenv.sh.

3.7. Enable login-password authentication (cadc software specific)

The login-password authentication in the cadc software is provided through a plugin for Tomcat 7. The authentication mechanism will call the access control web service (in module cadc-access-control-server) to see if the credentials are correct.

This plugin is obtained by compiling the ac/cadc-tomcat module. It must be installed into the tomcat installation:

cp cadc-tomcat-<version>.jar ${TOMCAT_HOME}/lib

and configured adding to the file ${TOMCAT_HOME}/conf/server.xml a Realm element as below:

<Realm className="ca.nrc.cadc.tomcat.CadcBasicAuthenticator" loginURL="http://YOUR_AC_SERVER_HOST/ac/login" />

Chapter 4. 389 Directory Server Install and Configure

389-DS (389 Directory Server) is an open source enterprise class LDAP server for Linux.

The installation of the 389 Directory LDAP Server is a prerequisite for the opencadc deployment and usage. The operating systems natively supported by 389-ds are RHEL/CentOS/EPEL (RHEL 6, RHEL 7, CentOS 6, CentOS 7). This guide refers to a CentOS 7 installation.

This chapter is based mainly on the information resources below:

Directory Server Install And Configure LDAP Server In CentOS 7 [1]

389 Directory Server fedoraproject documentation [2]

389 Directory Server redhat documentation [3]

4.1. Performance and security setup

As a prerequisite, set the performance and security parameters for the LDAP server. To display the maximum number of file descriptors:

sysctl fs.file-max

If the setting is lower than 64000, edit the file /etc/sysctl.conf and add the following lines at the end:

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Edit file /etc/security/limits.conf adding the following lines at the bottom:

* soft nofile 8192
* hard nofile 8192

Edit file /etc/profile adding the following line at the end:

ulimit -n 8192

For the change to take effect, enter:

# sysctl --system

[1] http://www.unixmen.com/install-and-configure-ldap-server-in-centos-7
[2] http://directory.fedoraproject.org/
[3] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/

4.2. Installation steps

Install the EPEL repository

yum install epel-release

and check it is enabled.

Create a LDAP user account

useradd ldapadmin
passwd ldapadmin

Install 389 directory:

389-ds-base : 389 Directory Server (base)
389-ds : 389 Directory, Administration, and Console Suite
389-admin : 389 Administration Server (admin)
389-adminutil : Utility library for 389 administration
389-adminutil-devel : Development and header files for 389-adminutil
389-console.noarch : 389 Management Console
389-dsgw : 389 Directory Server Gateway (dsgw)

yum install openldap-clients
yum install 389-ds-base 389-ds 389-admin 389-adminutil 389-adminutil-devel 389-dsgw
yum install 389-console

4.3. Ldap server configuration

Be sure that 389-ds is stopped:

systemctl stop dirsrv.target
systemctl stop dirsrv-admin

Configure LDAP server running the following command:

setup-ds-admin.pl

Following is an example output with the setup answers. Where an answer is not shown, the default is taken. If the field is a password, it is not displayed but has to be filled in.

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: y

==============================================================================

Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.10.0-229.20.1.el7.x86_64 (1 processor).

Would you like to continue? [yes]: y

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS serverscan not be reached or if DNS is not configured correctly. Ifyou would rather not wait, hit Ctrl-C and run this program againwith the following command line option to specify the hostname:

General.FullMachineName=your.hostname.domain.name

Computer name [marmolada.oats.inaf.it]:

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: ldapadmin
System Group [nobody]: ldapadmin

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: root
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [oats.inaf.it]:

==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [marmolada]: gms-ds

==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=oats, dc=inaf, dc=it]:

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==============================================================================
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'gms-ds' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.29: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.29: No such file or directory
/sbin/load_policy: Can't load policy: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
ValueError: Could not commit semanage transaction
Starting admin server . . .
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupWOnBnE.log'

After the configuration, reboot the system:

reboot
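The same installation driven from an answer file instead of the interactive prompts, as an added example (not the report's or the 389-ds project's code). It assumes the silent-install file format of setup-ds-admin.pl (-s -f FILE) with [General]/[slapd]/[admin] sections as documented for Red Hat Directory Server; the key names should be checked against the setup-ds-admin.pl of the installed version, and the function names and example values are this example's:

```shell
#!/bin/sh
# Added example, not part of the INAF-OATs report: drive setup-ds-admin.pl
# non-interactively from a .inf answer file holding the same answers as the
# transcript above. The section/key names follow the Red Hat Directory Server
# silent-install format (an assumption to verify against the installed
# version); the function names and the example values are this example's.

# write_ds_inf OUT HOST USER DOMAIN SUFFIX ID
#   The two passwords are taken from the shell variables CONFIG_ADMIN_PWD and
#   ROOT_DN_PWD rather than from arguments, so they never show up in `ps`
#   output or in the shell history. The file is created with mode 0600.
write_ds_inf() {
    out=$1 host=$2 user=$3 domain=$4 suffix=$5 ident=$6
    : "${CONFIG_ADMIN_ID:=admin}"
    if [ -z "$CONFIG_ADMIN_PWD" ] || [ -z "$ROOT_DN_PWD" ]; then
        echo "write_ds_inf: set CONFIG_ADMIN_PWD and ROOT_DN_PWD first" >&2
        return 1
    fi
    (
        umask 077
        cat > "$out" <<EOF
[General]
FullMachineName = $host
SuiteSpotUserID = $user
SuiteSpotGroup = $user
AdminDomain = $domain
ConfigDirectoryAdminID = $CONFIG_ADMIN_ID
ConfigDirectoryAdminPwd = $CONFIG_ADMIN_PWD

[slapd]
ServerPort = 389
ServerIdentifier = $ident
Suffix = $suffix
RootDN = cn=Directory Manager
RootDNPwd = $ROOT_DN_PWD

[admin]
Port = 9830
ServerAdminID = $CONFIG_ADMIN_ID
ServerAdminPwd = $CONFIG_ADMIN_PWD
EOF
    )
}

# run_ds_setup INF : run the silent install, then delete the answer file,
# which holds both passwords in clear text. Returns 2 when the 389-ds
# tools are not installed.
run_ds_setup() {
    if ! command -v setup-ds-admin.pl >/dev/null 2>&1; then
        echo "run_ds_setup: setup-ds-admin.pl not found (yum install 389-ds-base 389-admin)" >&2
        return 2
    fi
    rc=0
    setup-ds-admin.pl -s -f "$1" || rc=$?
    rm -f "$1"
    return $rc
}

# Typical use, matching the interactive answers in the transcript above:
#   CONFIG_ADMIN_ID=root CONFIG_ADMIN_PWD='...' ROOT_DN_PWD='...'
#   write_ds_inf /root/setup.inf marmolada.oats.inaf.it ldapadmin oats.inaf.it "dc=oats,dc=inaf,dc=it" gms-ds
#   run_ds_setup /root/setup.inf
```

The answer file is the only place both the configuration administrator and the Directory Manager passwords exist outside the server, which is why it is written mode 0600 and removed as soon as setup-ds-admin.pl returns; the log file the setup prints at the end (/tmp/setup....log in the transcript) should be reviewed and removed for the same reason.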

Note

If something goes wrong, the configuration should be removed before retrying:

remove-ds-admin.pl -y

4.4. Start/Stop 389-ds services

Make the LDAP server services start automatically on every reboot:

systemctl enable dirsrv.target
systemctl enable dirsrv-admin

1. To start directory server, run

systemctl start dirsrv.target or start-dirsrv

2. To stop directory server, run

systemctl stop dirsrv.target or stop-dirsrv

3. To start directory server admin, run

systemctl start dirsrv-admin or start-ds-admin

4. To stop directory server admin, run

systemctl stop dirsrv-admin or stop-ds-admin

5. Commands to check the status of the both services:

systemctl status dirsrv.target
systemctl status dirsrv-admin

6. Commands to restart the services:

systemctl restart dirsrv.target
systemctl restart dirsrv-admin

Configuration files are in /etc/dirsrv/ directory.

Log files are in /var/log/dirsrv/ directory.

It is suggested to disable SELinux by setting SELINUX=disabled in the file /etc/selinux/config. Bear in mind that this removes mandatory access control for every process on the host, not only for 389-ds. A less drastic option while troubleshooting is SELINUX=permissive, which still records the denials in /var/log/audit/audit.log without enforcing them, so that the rules 389-ds actually needs can be identified and the policy fixed; the setup errors shown above come from a policy file that could not be found and loaded, not from a denial.

4.5. Use and test the system

To test the system you can try from the command line. An anonymous simple bind (-x) reads whatever the ACIs grant to "ldap:///anyone":

ldapsearch -x -b "dc=oats,dc=inaf,dc=it"

An authenticated simple bind as the directory superuser: its DN is "cn=Directory Manager" (a root DN, not an entry under the suffix), and -W prompts for the password instead of taking it on the command line:

ldapsearch -x -b "dc=oats,dc=inaf,dc=it" -D "cn=Directory Manager" -W

To open the graphical console:

389-console

Chapter 5. 389 Directory server configuration

The directory server must be configured to support SSL connections through X.509 certificates and must be suitably initialized.

Reference documentation:

Product Documentation for Red Hat Directory Server [1]

Configuring TLS/SSL Enabled 389 Directory Server [2]

and specifically

Importing an Existing Self Sign Key/Cert or 3rd Party Ca/Cert [3]

and

Preparing PIN/password files for the certificate databases [4].

5.1. Enable SSL support step by step

1. Stop 389 ds.

2. Request an X.509 certificate for your server from a Certification Authority.

3. Create a .p12 version of your server certificate with an empty password (press <enter> when the password is asked):

openssl pkcs12 -export -inkey PRIVATE-KEY -in CERTIFICATE -out /path/crt.p12 -nodes -name 'Server-Cert'

An empty export password means that anybody able to read /path/crt.p12 obtains the server's private key, so create the file with restrictive permissions (umask 077 or chmod 600) and delete it once it has been imported in both certificate databases.

4. Import your .p12 cert in admin-serv:

cd /etc/dirsrv/admin-serv
pk12util -i /path/crt.p12 -d .

5. Import the CA chain in admin-serv. If there are a root cert and intermediate certs, the process must be repeated once for each cert:

certutil -d /etc/dirsrv/admin-serv -A -n "My Local CA Intermediate" -t CT,, -a -i /path/CAIntermediateCert.pem
certutil -d /etc/dirsrv/admin-serv -A -n "My Trusted Root CA Cert" -t CT,, -a -i /path/CATrustedRootCert.pem

6. Start 389 ds

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html
[2] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
[3] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#importing-an-existing-self-sign-keycert-or-3rd-party-cacert
[4] http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html#preparing-pinpassword-files-for-the-certificate-databases


7. Open 389-console, open Directory Server and click on "Manage certificates". The console asks you to choose a password for the certificate database; choose one (<your_cert_db_password>). Exit and stop 389 ds.

8. Import the .p12 server cert and the CA certs in your local ds instance:

cd /etc/dirsrv/slapd-<your_local_instance>
pk12util -i /path/crt.p12 -d .
Enter Password or Pin for "NSS Certificate DB": <your_cert_db_password>
Enter password for PKCS12 file: <empty>
pk12util: PKCS12 IMPORT SUCCESSFUL
certutil -d /etc/dirsrv/slapd-<your_local_instance> -A -n "My Local CA Intermediate" -t CT,, -a -i /path/CAIntermediateCert.pem
certutil -d /etc/dirsrv/slapd-<your_local_instance> -A -n "My Trusted Root CA Cert" -t CT,, -a -i /path/CATrustedRootCert.pem

9. Edit /etc/dirsrv/admin-serv/nss.conf and change NSSPassPhraseDialog:

NSSPassPhraseDialog file://///etc/dirsrv/admin-serv/password.conf

10. Create /etc/dirsrv/admin-serv/password.conf:

touch /etc/dirsrv/admin-serv/password.conf
chmod 600 /etc/dirsrv/admin-serv/password.conf
chown ldapadmin /etc/dirsrv/admin-serv/password.conf

11. Edit /etc/dirsrv/admin-serv/password.conf and place this single line in there:

internal:<your_cert_db_password>

12. For your local Directory Server instance create /etc/dirsrv/slapd-<your_local_instance>/pin.txt (substitute slapd-<your_local_instance> with the actual server instance's directory name):

touch /etc/dirsrv/slapd-<your_local_instance>/pin.txt
chmod 600 /etc/dirsrv/slapd-<your_local_instance>/pin.txt
chown ldapadmin /etc/dirsrv/slapd-<your_local_instance>/pin.txt

13. Edit the pin.txt file and place a single line in it (notice the difference in internal token name between this and the Admin Server's):

Internal (Software) Token:dirserv_cert_password

where dirserv_cert_password is the password of this instance's certificate database (the one entered at step 8). Both password.conf and pin.txt hold, in clear text, the password that unlocks the server's private key; the 600 mode and the ownership set above are what keep it from other local users, so check them again after any restore or copy of the configuration directories.

Restart the server and check that it no longer asks for the PIN and starts up properly with TLS/SSL.

Verify that certificates are correctly installed both in Directory Server and in Administration Server:

Open 389-console, open Directory Server, in the "Tasks" tab choose "Manage certificates". The server cert should already be installed, and so should the CA certs; if not, choose the "CA certs" tab and install your CA certificates (root and intermediates), providing the file path using the browse option. Then open Administration Server and repeat the same steps done for Directory Server. In both cases, check that the CA certificates are trusted for each operation, opening the "Edit trust" option and checking all the options available.

Enable SSL and configure encryption both in Directory Server and in Administration Server:

In the Directory Server window select the "Configuration" tab and then the "Encryption" tab. Select "Enable SSL for this server" and check "Use this cipher family: RSA". Leave the "Allow client authentication" checkbox checked. In the Admin Server window choose "Configure Admin Server", enter the "Encryption" tab, select "Enable SSL for this server" and check "Use this cipher family: RSA". Leave the "disable client authentication" checkbox checked.

Restart the server and check that SSL is correctly enabled, for example trying:

ldapsearch -x -b "dc=oats,dc=inaf,dc=it" -D "cn=Directory Manager" -ZZ -W

Use -ZZ rather than -Z for this check: -Z only attempts StartTLS and, if the negotiation fails, ldapsearch goes on and sends the bind, Directory Manager password included, in clear text; -ZZ aborts instead.

5.2. Enable SSL troubleshooting

If, after the 389-ds SSL support configuration, running

ldapsearch -x -b "dc=oats,dc=inaf,dc=it" -D "cn=Directory Manager" -Z -W

produces the error:

ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

more information about the error can be obtained with:

ldapsearch -x -b "dc=oats,dc=inaf,dc=it" -D "cn=Directory Manager" -Z -W -d 9

Note that with -Z the command still proceeds with a clear-text bind after this error, so do not repeat it with a production password over an untrusted network (-ZZ makes the failure fatal). The problem is usually that the Certification Authority issuing the server certificate is not correctly configured or recognized, on the client or on the server side.

• Client side: the OpenLDAP client library used by ldapsearch does not trust the CA. It looks for trusted CA certificates in the directory configured in the /etc/openldap/ldap.conf file:

# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

The directory /etc/openldap/certs must be a directory (not a certificate file bundle or a keystore) and contain a working certificate store including the certificate of the CA issuing the server certificate. To add the CA cert to /etc/openldap/certs, copy your CA cert in there and then create a symlink to it named after the c_hash of the cert. The c_hash of the cert can be calculated issuing:

/etc/pki/tls/misc/c_hash /etc/openldap/certs/ca.crt

This returns an 8 digit hex number. A symlink called <that 8 digit number>.0 pointing to the ca.crt file must be created in the same directory named by TLS_CACERTDIR (a link anywhere else is never consulted):

ln -s /etc/openldap/certs/ca.crt /etc/openldap/certs/<CA_cert_c_hash>.0

The c_rehash tool shipped with OpenSSL creates the same links for every certificate in a directory (c_rehash /etc/openldap/certs). The hash is the one printed by openssl x509 -hash; if two CA certificates hash to the same value, the second link takes the suffix .1.

• Server side: the CA issuing the server certificate may not be correctly configured (e.g. an intermediate CA cert is missing). Trusted certs must be present in both /etc/dirsrv/admin-serv and /etc/dirsrv/slapd-<your_local_instance>, so check them listing the contents of the two databases:

certutil -L -d /etc/dirsrv/admin-serv
certutil -L -d /etc/dirsrv/slapd-<your_local_instance>

Be careful: -L does not work on a lone cert8.db; the database also consists of key3.db and secmod.db, and the three files must be together in the directory passed to -d. This is why -d takes a directory path and not the cert8.db file. If a cert needs to be added:

certutil -d <directory_where_add> -A -n "alias_name" -t CT,, -a -i /path/CATrustedRootCert.pem

Where:

• "-A" adds a certificate to the certificate database.

• "-d <directory>" specifies the directory where the database, cert8.db, is located.

• "-i /path/CACert.pem" specifies the input root CA certificate file ("-a" says that it is in PEM/ASCII format).

• "-n alias_name" specifies a nickname for this certificate.

• "-t CT,," specifies the trust arguments, one comma-separated field per category (SSL, e-mail, object signing): for SSL, C marks a trusted CA for issuing server certificates and T a trusted CA for issuing client certificates (both imply c, valid CA); the empty fields give no trust for the e-mail and object signing categories. Grant only the trust actually needed: a CA marked CT,, is trusted to vouch for any client certificate presented to this server.

Useful links: CentOS openLDAP cert trust issues [5], NSS Tools certutil [6], NSS-OpenSSL Command Howto: The complete list [7].

[5] http://serverfault.com/questions/437546/centos-openldap-cert-trust-issues


To list all certificates in a keystore file:

keytool -v -list -storepass changeit -keystore /etc/pki/java/cacerts |grep Issuer

To list all certificates in a ca-bundle file:

keytool -printcert -v -file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

5.3. Modify 389 Directory Server Schema

The first step is to modify the LDAP schema to define a custom user account, whose main feature is a numericid attribute used by the software as the unique user identification key. To perform this modification create the file below with the content shown (substituting <YOUR_SERVER_NAME.FQDN> and <YOUR_INSTANCE_NAME> suitably). The files in the instance schema directory are read when the directory server starts, so restart it afterwards.

cat /etc/dirsrv/slapd-<your_local_instance>/schema/90canfar.ldif

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-YOUR_INSTANCE_NAME,cn=389 Directory Server,cn=Server Group,cn=YOUR_SERVER_NAME.FQDN,ou=FQDN,o=NetscapeRoot";)
modifiersName: cn=directory manager
objectClasses: ( cadcaccount-oid NAME 'cadcaccount' DESC '' SUP top STRUCTURAL MAY ( cn $ givenName $ sn $ address $ city $ country $ distinguishedName $ email $ institute $ numericid ) X-ORIGIN 'user defined' )
attributeTypes: ( numericid-oid NAME 'numericid' DESC 'Internal CADC ID (numeric)' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( email-oid NAME 'email' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreOrderingMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( address-oid NAME 'address' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( city-oid NAME 'city' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreOrderingMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( country-oid NAME 'country' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( cadcid-oid NAME 'cadcid' DESC 'Internal CADC ID (numeric)' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( institute-oid NAME 'institute' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
nsSchemaCSN: 56057cfd000000000000

[6] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
[7] http://firstyear.id.au/blog/html/2014/07/10/NSS-OpenSSL_Command_How_to:_The_complete_list..html

5.4. 389-console log-in

Log in to the directory console as 'Directory Manager'. Parameters:

User ID: cn=Directory Manager
Password: ********
Administration URL: https://<YOUR_SERVER_NAME.FQDN>:9830

5.5. Enable MemberOf Plug-in

Useful links:

MemberOf Plugin - Auto Add Objectclass [8]

Using the memberOf Attribute to Manage Group Membership Information [9]

The MemberOf Plug-in provides a way to view the groups to which a user belongs simply by looking at the entry, including nested group membership.

The most common people object classes, such as inetOrgPerson and person, do not allow the memberOf attribute. To allow the MemberOf Plug-in to add the memberOf attribute to a user entry, make sure that the entry belongs to the inetUser object class, which does allow the memberOf attribute.

1. Select the Configuration tab of the "Directory Server" window, and expand to the Plugins folder.

[8] http://directory.fedoraproject.org/docs/389ds/design/memberof-auto-add-oc.html
[9] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Advanced_Entry_Management.html#groups-cmd-memberof


2. Scroll to the MemberOf Plugin entry.

3. Enable the plug-in, which is disabled by default.


4. Click the Advanced button to open the Advanced Properties Editor.

5. The memberofgroupattr attribute sets the attribute in the group entry which the server uses toidentify member entries. The memberofattr attribute sets the attribute which the plug-in createsand manages on user entries.

Set:

memberofgroupattr = uniquemember
memberofattr = memberOf

6. Save the changes.

7. Restart the server to update the plug-in. For example, open the Tasks tab and click the Restartserver task.


5.6. Initializing and synchronizing memberOf attributes with the fixup-memberof.pl script

In case of inconsistencies between the memberOf values managed by the server plug-in and the actual memberships defined for an entry, the fixup-memberof.pl script can be used. This script launches a special clean-up task to regenerate all of the memberOf attributes. It synchronizes the membership defined in group entries with the corresponding user entries and overwrites any accidental or improper edits on the user entries.

Usage:

cd /var/lib/dirsrv/slapd-<your_local_instance>
fixup-memberof.pl -D "cn=Directory Manager" -w password

The -w option exposes the Directory Manager password to every local user through the process list and leaves it in the shell history; recent 389-ds versions accept -w - (prompt) or -j <file> (read it from a mode-600 file) instead.
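The following Python script, added here as an illustration and not part of 389-ds or of the CADC software, recomputes the memberOf values for a small constructed set of entries in the testcanfar tree using the plug-in settings above (uniquemember as the group attribute), resolves nested groups, and reports the drift that fixup-memberof.pl repairs, rendering it as the LDIF modify operations that would correct it. The group cn=inaf-admins and the stale value cn=old-group are assumptions made for the sample; only the user IDs and the cn=inaf-ops group appear in this guide.

```python
"""Recompute memberOf as the MemberOf plug-in would (added example; not
389-ds or CADC code).  memberofgroupattr = uniquemember, memberofattr =
memberOf.  Nested groups are resolved; stored values that differ are the
drift fixup-memberof.pl overwrites.  All entries are constructed sample
data; cn=inaf-admins and cn=old-group are assumed names."""
from collections import deque

GROUP_ATTR = "uniquemember"   # memberofgroupattr: attribute listing the members
MEMBEROF_ATTR = "memberof"    # memberofattr: attribute written on member entries


def norm(dn):
    """DNs compare case-insensitively; blanks after the commas are ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def compute_memberof(entries):
    """Return {dn: set of normalised group DNs} for every entry.

    entries maps DN -> {attribute (lower case): [values]}.  Any entry carrying
    GROUP_ATTR is a group.  A group that is itself a member of another group
    passes that membership on (nested groups); the visited set makes the walk
    terminate even if two groups list each other."""
    parents = {}
    for dn, attrs in entries.items():
        for member in attrs.get(GROUP_ATTR, []):
            parents.setdefault(norm(member), set()).add(norm(dn))
    result = {}
    for dn in entries:
        seen, queue = set(), deque(parents.get(norm(dn), ()))
        while queue:
            group = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            queue.extend(parents.get(group, ()))
        result[dn] = seen
    return result


def memberof_drift(entries):
    """Compare stored memberOf values with the computed ones.

    Returns {dn: (missing, stale)} for entries whose stored attribute is wrong,
    e.g. after a manual edit or a group change made while the plug-in was off."""
    wanted = compute_memberof(entries)
    drift = {}
    for dn, attrs in entries.items():
        stored = {norm(v) for v in attrs.get(MEMBEROF_ATTR, [])}
        missing, stale = wanted[dn] - stored, stored - wanted[dn]
        if missing or stale:
            drift[dn] = (missing, stale)
    return drift


def fixup_ldif(entries):
    """Render the drift as LDIF modify operations replacing memberOf with the
    computed values (a replace with no values deletes a stale attribute)."""
    wanted = compute_memberof(entries)
    original = {norm(dn): dn for dn in entries}   # keep the stored spelling
    chunks = []
    for dn in memberof_drift(entries):
        values = "".join(f"memberOf: {original.get(g, g)}\n" for g in sorted(wanted[dn]))
        chunks.append(f"dn: {dn}\nchangetype: modify\nreplace: memberOf\n{values}-\n")
    return "\n".join(chunks)


SAMPLE_ENTRIES = {   # constructed; attribute names are lower case
    "cn=inaf-ops,ou=Groups,ou=ds,dc=testcanfar": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["cn=inaf-admins,ou=AdminGroups,ou=ds,dc=testcanfar",
                         "uid=1234567890,ou=Users,ou=ds,dc=testcanfar"],
    },
    "cn=inaf-admins,ou=AdminGroups,ou=ds,dc=testcanfar": {   # assumed nested group
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["uid=984024276,ou=Users,ou=ds,dc=testcanfar"],
    },
    "uid=1234567890,ou=Users,ou=ds,dc=testcanfar": {
        "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                        "cadcaccount", "inetUser"],
        "memberof": ["cn=inaf-ops,ou=Groups,ou=ds,dc=testcanfar"],   # consistent
    },
    "uid=984024276,ou=Users,ou=ds,dc=testcanfar": {
        "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                        "cadcaccount", "inetUser"],
        # stale value left by a manual edit; the nested membership is missing
        "memberof": ["cn=old-group,ou=Groups,ou=ds,dc=testcanfar"],
    },
}

if __name__ == "__main__":
    for dn, (missing, stale) in memberof_drift(SAMPLE_ENTRIES).items():
        print(dn, "missing:", sorted(missing), "stale:", sorted(stale))
    print(fixup_ldif(SAMPLE_ENTRIES))
```

Running the script reports two entries out of sync: the nested group, which lacks its own memberOf, and uid=984024276, whose stale value is dropped and whose two real memberships are added. The plug-in only writes memberOf on entries whose object classes allow it, which is why section 5.5 requires inetUser on users.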

5.7. Create LDAP tree

Create your directory server root:

• Go through the tree on the left side panel to reach "Directory Server" and open it clicking on "open".

• Click on the "Configuration" tab.

• On the left side tree right click "Data" and choose "New Root Suffix". Input "dc=testcanfar" in the 'Name' field, check "Create associated database automatically" and choose a database name (e.g. testcanfar).

• Go to the "Directory" tab.

• In the tree on the left side, right click on your root, choose "New Root Object", select the newly created "dc=testcanfar" and choose to create it as "domain".

Create the tree included in the newly created testcanfar root. Content to be created:

• Organizational Units "SpecialUsers" and "ds".

• In the "SpecialUsers" OU create a new user with "User ID" testproxy.

• In the "ds" OU create four other OUs:

"Groups"
"AdminGroups"
"UserRequests"
"Users"

The procedure to create a new leaf on a tree is: right click on the node where you want to add it, choose "new", choose the type of the leaf (OU, USER, ...), fill in the name of the unit to be created and any other mandatory fields.

In the "Groups" OU add a group to manage operations, e.g. with name "cadc-ops". Whatever name you choose, it must be the one referenced by the "Admin access" ACI of section 5.9 (the listings there use cn=inaf-ops); otherwise nobody is granted the administrative rights.

Create the production root (dc=oats,dc=inaf,dc=it in this guide) the same way the "testcanfar" tree has been created: an Organizational Unit "SpecialUsers" and a "ds" subtree equal to the "ds" subtree created in the "testcanfar" root must exist. The only difference is that in "SpecialUsers" a user with User ID webproxy must be created (in place of the "testproxy" present in testcanfar-SpecialUsers).


5.8. Create your own (admin) user

In your tree, create in Users a user with a numeric ID and add to it your distinguished name as below. Create the user, then with the right mouse button open "Advanced properties", click on "objectclass" and push "Add value". Choose "cadcaccount". Then click on a row in the left table, push "Add attribute", choose "distinguishedname" and add your distinguished name as value.

To know your distinguished name, you can do:

openssl x509 -subject -noout -in your_personal_cert.pem

An object class "inetuser" must be added to the newly created user the same way the "cadcaccount"object class has been added.

At the end, the objectclass must be:

• top

• person

• organizationalPerson

• inetorgperson

• cadcaccount

• inetuser
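As an added check, not part of the guide's procedure or of the CADC software, the Python script below parses the custom schema definitions of section 5.3 and validates a candidate user entry against them and against the object-class list above before it is loaded: numericid must be a single numeric-string value, the custom attributes must be allowed by the entry's object classes, and inetUser must be present or the MemberOf plug-in will not be able to write memberOf (section 5.5). The two entries at the end are constructed sample data; their distinguishedName values are placeholders, and the numeric IDs are the ones that appear in the listings of section 5.9.

```python
"""Validate a user entry against the custom 90canfar.ldif schema (added
example; not 389-ds or CADC code).  The schema lines are copied from section
5.3 of the guide; the two entries at the bottom are constructed sample data."""
import re

CANFAR_SCHEMA = """\
objectClasses: ( cadcaccount-oid NAME 'cadcaccount' DESC '' SUP top STRUCTURAL MAY ( cn $ givenName $ sn $ address $ city $ country $ distinguishedName $ email $ institute $ numericid ) X-ORIGIN 'user defined' )
attributeTypes: ( numericid-oid NAME 'numericid' DESC 'Internal CADC ID (numeric)' EQUALITY numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( email-oid NAME 'email' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreOrderingMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( institute-oid NAME 'institute' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringMatch-default SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
"""

DEFINITION = re.compile(r"^(objectClasses|attributeTypes):\s*\(\s*(\S+)\s+NAME\s+'([^']+)'(.*)\)\s*$")
NUMERIC_STRING = "1.3.6.1.4.1.1466.115.121.1.36"          # RFC 4517: digits and spaces only
SYNTAX_CHECKS = {NUMERIC_STRING: re.compile(r"[0-9 ]+").fullmatch}
# Object classes every Access Control user must carry (section 5.8); inetUser is
# what lets the MemberOf plug-in write memberOf on the entry (section 5.5).
REQUIRED_CLASSES = ("top", "person", "organizationalperson", "inetorgperson",
                    "cadcaccount", "inetuser")


def _attr_list(body, keyword):
    """Extract 'MAY ( a $ b )' or 'MUST cn' style lists from a definition."""
    m = re.search(keyword + r"\s+(?:\(([^)]*)\)|(\S+))", body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip().lower() for a in raw.split("$") if a.strip()]


def parse_schema(text):
    """Return (attribute_types, object_classes) keyed by lower-case NAME."""
    attrs, classes = {}, {}
    for line in text.splitlines():
        m = DEFINITION.match(line)
        if not m:
            continue
        kind, oid, name, body = m.groups()
        if kind == "attributeTypes":
            syntax = re.search(r"SYNTAX\s+(\S+)", body)
            attrs[name.lower()] = {"oid": oid,
                                   "syntax": syntax.group(1) if syntax else None,
                                   "single_value": "SINGLE-VALUE" in body}
        else:
            classes[name.lower()] = {"oid": oid,
                                     "must": _attr_list(body, "MUST"),
                                     "may": _attr_list(body, "MAY")}
    return attrs, classes


def validate_account(entry, attrs, classes):
    """Return a list of problems; an empty list means the entry is acceptable.

    entry maps lower-case attribute name -> [values].  Only attributes defined
    in the custom schema are syntax-checked here; standard ones (uid, cn, sn)
    are left to the server's own schema checking."""
    problems = []
    present = {v.lower() for v in entry.get("objectclass", [])}
    for oc in REQUIRED_CLASSES:
        if oc not in present:
            problems.append(f"missing objectClass {oc}")
    allowed = set()
    for oc in present:
        if oc in classes:
            allowed.update(classes[oc]["must"], classes[oc]["may"])
    for name, values in entry.items():
        spec = attrs.get(name)
        if spec is None:
            continue
        if name not in allowed:
            problems.append(f"{name} is not allowed by the entry's object classes")
        if spec["single_value"] and len(values) > 1:
            problems.append(f"{name} is SINGLE-VALUE but has {len(values)} values")
        check = SYNTAX_CHECKS.get(spec["syntax"])
        for v in values:
            if check and not check(v):
                problems.append(f"{name} value {v!r} is not a numeric string")
    # The Access Control software keys users on numericid and matches X.509
    # clients on distinguishedName, so an admin user needs both.
    for required in ("numericid", "distinguishedname"):
        if not entry.get(required):
            problems.append(f"{required} missing")
    return problems


GOOD_ENTRY = {   # constructed admin user as in section 5.8
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "cadcaccount", "inetUser"],
    "uid": ["984024276"], "cn": ["Jane Example"], "sn": ["Example"],
    "numericid": ["984024276"],
    "distinguishedname": ["CN=Jane Example,O=INAF,C=IT"],   # placeholder DN
    "institute": ["INAF-OATs"],
}
BAD_ENTRY = {    # three defects: no inetUser, non-numeric and double numericid
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson", "cadcaccount"],
    "uid": ["jane"], "cn": ["Jane Example"], "sn": ["Example"],
    "numericid": ["98402427a", "1"],
    "distinguishedname": ["CN=Jane Example,O=INAF,C=IT"],
}

if __name__ == "__main__":
    schema = parse_schema(CANFAR_SCHEMA)
    for label, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(label, validate_account(entry, *schema) or "OK")
```

The parser accepts the 389-ds convention of placeholder OIDs of the form name-oid used in the guide's schema file. Note that the server itself enforces SINGLE-VALUE and the numeric-string syntax only on the numericid attribute; uniqueness of the ID across users is not a schema property and must be guaranteed by whatever allocates it.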

5.9. Initialize LDAP Tree Access Control Instructions (ACI)

The configuration can be quickly edited using ldapvi.

An example of the ACI configuration is below.

ldapvi -D "cn=directory manager" -b dc=testcanfar "objectclass=*" aci

# -*- coding: utf-8 -*-
# http://www.lichteblau.com/ldapvi/manual#syntax

0 dc=testcanfar
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (write)userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///dc=testcanfar";)

1 ou=SpecialUsers,dc=testcanfar

2 ou=ds,dc=testcanfaraci: (targetattr = "*") (version 3.0;acl "Admin access";allow (all,moddn)(groupdn = "ldap:///cn=inaf-ops,ou=Groups,ou=ds,dc=testcanfar");)

3 ou=Groups,ou=ds,dc=testcanfar


aci: (targetattr = "*") (version 3.0;acl "Allow testproxy full access";allow (read,compare,search,write,delete,add,moddn)(userdn = "ldap:///uid=testproxy,ou=SpecialUsers,dc=testcanfar");)

4 ou=AdminGroups,ou=ds,dc=testcanfaraci: (targetattr = "*")(version 3.0;acl "Allow testproxy full access";allow (read,compare,search,write,delete,add,moddn)(userdn = "ldap:///uid=testproxy,ou=SpecialUsers,dc=testcanfar");)

5 ou=UserRequests,ou=ds,dc=testcanfaraci: (targetattr = "*") (version 3.0;acl "Add new user requests";allow (add)(userdn = "ldap:///uid=testproxy,ou=SpecialUsers,dc=testcanfar");)

6 ou=Users,ou=ds,dc=testcanfaraci: (targetattr = "*") (version 3.0;acl "Allow testproxy full access to attribute of existing users";allow (read,compare,search,write,delete)(userdn = "ldap:///uid=testproxy,ou=SpecialUsers,dc=testcanfar");)

7 cn=inaf-ops,ou=Groups,ou=ds,dc=testcanfaraci: (targetattr = "*")(version 3.0; acl "Admin access"; allow (all,moddn) groupdn=" ldap:///cn=inaf-ops,ou=groups,ou=ds,dc=canfar,dc=net";)

8 uid=testproxy,ou=SpecialUsers,dc=testcanfaraci: (targetattr = "*") (version 3.0;acl "grant full access to testproxy";allow (all,proxy,moddn)(userdn = "ldap:///uid=testproxy,ou=SpecialUsers,dc=testcanfar");)

ldapvi -D "cn=directory manager" -b dc=oats,dc=inaf,dc=it "objectclass=*" aci

# -*- coding: utf-8 -*-
# http://www.lichteblau.com/ldapvi/manual#syntax

0 dc=oats,dc=inaf,dc=it
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=oats,dc=inaf,dc=it");)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-gms,cn=389 Directory Server,cn=Server Group,cn=vospace-gms.oats.inaf.it,ou=oats.inaf.it,o=NetscapeRoot";)

1 cn=Directory Administrators,dc=oats,dc=inaf,dc=it

2 ou=Groups,dc=oats,dc=inaf,dc=it

3 ou=People,dc=oats,dc=inaf,dc=it
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=oats,dc=inaf,dc=it");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=oats,dc=inaf,dc=it");)

aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=oats,dc=inaf,dc=it");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=oats,dc=inaf,dc=it");)

4 ou=SpecialUsers,dc=oats,dc=inaf,dc=it

5 cn=Accounting Managers,ou=Groups,dc=oats,dc=inaf,dc=it

6 cn=HR Managers,ou=Groups,dc=oats,dc=inaf,dc=it

7 cn=QA Managers,ou=Groups,dc=oats,dc=inaf,dc=it

8 cn=PD Managers,ou=Groups,dc=oats,dc=inaf,dc=it

9 ou=ds,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "Admin access";allow (all)(groupdn = "ldap:///cn=inaf-ops,ou=Groups,ou=ds,dc=oats,dc=inaf,dc=it");)

10 ou=Groups,ou=ds,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "Allow webproxy full access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=webproxy,ou=SpecialUsers,dc=oats,dc=inaf,dc=it");)

11 ou=AdminGroups,ou=ds,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "Allow webproxy full access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=webproxy,ou=SpecialUsers,dc=oats,dc=inaf,dc=it");)

12 ou=UserRequests,ou=ds,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "Add new user requests";allow (add)(userdn = "ldap:///uid=webproxy,ou=SpecialUsers,dc=oats,dc=inaf,dc=it");)

13 ou=Users,ou=ds,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "Allow webproxy full access to attribute of existing users";allow (read,compare,search,write,delete)(userdn = "ldap:///uid=webproxy,ou=SpecialUsers,dc=oats,dc=inaf,dc=it");)

14 uid=webproxy,ou=SpecialUsers,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "webproxyACI";allow (all)(userdn = "ldap:///uid=webproxy,ou=SpecialUsers,dc=oats,dc=inaf,dc=it");)

15 uid=1234567890,ou=Users,ou=ds,dc=oats,dc=inaf,dc=it

16 cn=inaf-ops,ou=Groups,ou=ds,dc=oats,dc=inaf,dc=itaci: (targetattr = "*") (version 3.0;acl "admin rights";allow (all,moddn)(userdn = "ldap:///anyone");)

17 uid=984024276,ou=Users,ou=ds,dc=oats,dc=inaf,dc=it
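Two things in the listings above deserve attention before they are copied into a production suffix. In the dc=oats,dc=inaf,dc=it tree the ACI on cn=inaf-ops,ou=Groups,ou=ds grants (all,moddn) to userdn = "ldap:///anyone", so any client, unauthenticated ones included, can rewrite the membership of the very group to which the ou=ds ACI grants "Admin access", i.e. can hand administrative rights over the whole ou=ds subtree to any account. In the dc=testcanfar tree, the groupdn of the "Admin access" ACI on cn=inaf-ops points to ou=groups,ou=ds,dc=canfar,dc=net, a suffix that does not exist on this server, so that rule grants nothing. The Python script below, added as an example and not part of 389-ds or of the CADC software, parses the aci values in ldapvi output and reports these two classes of problem plus every grant of the proxy right; the two dumps it carries are constructed excerpts of the listings above.

```python
"""Audit the 'aci:' values of an ldapvi dump (added example; not 389-ds or
CADC code).  Flags: write-class rights granted to anonymous binds, bind DNs
outside the audited suffix (the rule can never match), and the proxy right.
The two dumps at the bottom are constructed excerpts of this guide's listings."""
import re

WRITE_RIGHTS = {"write", "add", "delete", "all", "moddn", "proxy", "selfwrite"}
ANY_BIND = {"ldap:///anyone", "ldap:///all"}
PSEUDO = {"anyone", "all", "self", "parent"}   # bind targets that are not DNs

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
EFFECT = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
BIND = re.compile(r'\b(userdn|groupdn|roledn)\s*=\s*"\s*(ldap:///[^"]*?)\s*"')


def norm_dn(dn):
    """DNs compare case-insensitively and ignore blanks after the commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def in_suffix(dn, suffix):
    dn, suffix = norm_dn(dn), norm_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def parse_ldapvi(text):
    """ldapvi prints 'N dn' lines followed by 'attr: value' lines; return
    [(dn, [aci value, ...])] keeping only the aci attribute."""
    entries = []
    for line in text.splitlines():
        head = re.match(r"^\d+\s+(\S.*)$", line)
        if head:
            entries.append((head.group(1).strip(), []))
        elif line.startswith("aci:") and entries:
            entries[-1][1].append(line[4:].strip())
    return entries


def parse_aci(aci):
    """Extract acl name, allow/deny, the rights set and the bind rules."""
    name = ACL_NAME.search(aci)
    effect = EFFECT.search(aci)
    rights = {r.strip().lower() for r in effect.group(2).split(",")} if effect else set()
    return {"name": name.group(1) if name else "?",
            "effect": effect.group(1) if effect else "?",
            "rights": rights,
            "binds": BIND.findall(aci)}


def audit(entries, suffix):
    """Return (entry dn, acl name, finding) triples for one suffix."""
    findings = []
    for dn, acis in entries:
        for raw in acis:
            aci = parse_aci(raw)
            if aci["effect"] != "allow":
                continue
            strong = aci["rights"] & WRITE_RIGHTS
            for kind, url in aci["binds"]:
                target = url[len("ldap:///"):]
                if url.lower() in ANY_BIND and strong:
                    findings.append((dn, aci["name"],
                                     "anonymous bind gets " + ",".join(sorted(strong))))
                elif target.lower() not in PSEUDO and not in_suffix(target, suffix):
                    findings.append((dn, aci["name"],
                                     f"{kind} {target} is outside suffix {suffix}"))
            if "proxy" in aci["rights"]:
                findings.append((dn, aci["name"],
                                 "proxy right: the bind identity may act as other users"))
    return findings


SAMPLES = {   # constructed excerpts of the two listings in section 5.9
    "dc=testcanfar": """\
0 dc=testcanfar
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
2 ou=ds,dc=testcanfar
aci: (targetattr = "*") (version 3.0;acl "Admin access";allow (all,moddn)(groupdn = "ldap:///cn=inaf-ops,ou=Groups,ou=ds,dc=testcanfar");)
7 cn=inaf-ops,ou=Groups,ou=ds,dc=testcanfar
aci: (targetattr = "*")(version 3.0; acl "Admin access"; allow (all,moddn) groupdn=" ldap:///cn=inaf-ops,ou=groups,ou=ds,dc=canfar,dc=net";)
8 uid=testproxy,ou=SpecialUsers,dc=testcanfar
aci: (targetattr = "*") (version 3.0;acl "grant full access to testproxy";allow (all,proxy,moddn)(userdn = "ldap:///uid=testproxy,ou=SpecialUsers,dc=testcanfar");)
""",
    "dc=oats,dc=inaf,dc=it": """\
9 ou=ds,dc=oats,dc=inaf,dc=it
aci: (targetattr = "*") (version 3.0;acl "Admin access";allow (all)(groupdn = "ldap:///cn=inaf-ops,ou=Groups,ou=ds,dc=oats,dc=inaf,dc=it");)
16 cn=inaf-ops,ou=Groups,ou=ds,dc=oats,dc=inaf,dc=it
aci: (targetattr = "*") (version 3.0;acl "admin rights";allow (all,moddn)(userdn = "ldap:///anyone");)
""",
}

if __name__ == "__main__":
    for suffix, dump in SAMPLES.items():
        for dn, name, finding in audit(parse_ldapvi(dump), suffix):
            print(f"{suffix}: {dn} [{name}]: {finding}")
```

The anonymous read rule on the root entries is not reported, because read, search and compare are not write-class rights; it is nevertheless worth remembering that it exposes every attribute except userPassword, numericid and group membership included, to unauthenticated clients. To dump the real ACIs for auditing, run the ldapvi command shown above (or an ldapsearch for the aci attribute) and feed its output to parse_ldapvi.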

5.10. Graphical representation of the LDAP tree

(Figure: graphical representation of the LDAP tree; the image is not reproduced in this text version.)

Chapter 6. The CADC Access Control Software

The CADC (Canadian Astronomy Data Center) open source software is available on a github repository:

https://github.com/opencadc

6.1. Access Control software description

The Access Control is a client and server authentication and authorization implementation for user and group management.

It contains five modules:

1. cadc-access-control : Access control clients and common model objects and exceptions.

This module contains the shared model classes and exceptions used by the access control clientsand server. It also contains the UserClient and GMSClient (group management service client).

2. cadc-access-control-admin : Administrative tool for managing users.

This module provides a command line tool for managing users. It uses the persistence layer code(rather than the web service) for the various functions.

3. cadc-access-control-server : Access control web service implementation.

It provides a RESTful interface to authentication, authorization and user and group management.There are three software layers:

• The action classes - these coordinate the functions of the REST API

• The persistence layer - Authorization and connection management

• The DAO layer - interface to persistent storage

cadc-access-control-server has a default LDAP persistence layer built-in. However, by implementing the Persistence and DAO interfaces, one can easily configure this service to communicate with a different storage mechanism (such as a relational database).

4. cadc-access-control-identity : Access control web service client implementation to discover allthe identities of a user.

When the cadc-access-control-identity jar file is in the classpath of any of the web services offered in opencadc, it will, upon entry into the web service, make a call to the cadc-access-control-server service to discover all the identities of the user making the initial web service call. We call this subject augmentation. These identities are available for use by downstream code for purposes such as authentication decisions and logging.

Without the cadc-access-control-identity jar file, web services only know about the identity whichthe user used to connect to the web service (a cookie value for example). With the jar file, webservice will know about the other identities for the user, such as username, X.509 distinguishedname, and potentially various external identity provider information. Additionally, this informationallows services to call other opencadc services as the user by making use of the credentialdelegation service.

5. cadc-tomcat : Tomcat 7 authentication realm implementation that uses the AC web service.


This module contains two plugins for Tomcat 7:

• An authentication realm plug-in

• An SSL plugin to enable x509 Client Certificates to work directly with tomcat

This guide explains how to use the realm plugin to perform login-password access, but does nottake into account the SSL plugin because it refers to tomcat native SSL support.

6.2. Build Access Control software moduleA copy of the Access Control can be obtained by:

git clone https://github.com/opencadc/ac

This is the main reference repository, but it is often updated and no tags are available, so, a tagged/versioned repo (forked by the main) can be reached at

https://www.ict.inaf.it/gitlab/OATS-CADC/gitlab/ac

This guide refers to the version tagged as v0.2.1.

To work with it, issue:

git clone https://www.ict.inaf.it/gitlab/OATS-CADC/ac.git
cd ac
git checkout tags/v0.2.1

or to work on a new local branch:

git clone https://www.ict.inaf.it/gitlab/OATS-CADC/ac.git
cd ac
git checkout tags/v0.2.1 -b <branch-name>

Each software module can be easily built using gradle (a build.gradle file is included in each module).

To build with the newer library version published in the maven central repository, the build.gradle file must contain cadc dependencies written as:

compile 'org.opencadc:cadc-log:1.+'

To build using a local build of cadc libraries, the file must contain cadc dependencies written as:

compile files('/<local-path>/core/cadc-log/build/libs/cadc-log.jar')

The right order to build opencadc libraries locally is:

core/cadc-util
core/cadc-log
ac/cadc-tomcat
reg/cadc-registry
reg/cadc-vosi
uws/cadc-uws
uws/cadc-uws-server
cdp/cadc-cdp
cdp/cadc-cdp-server
ac/cadc-access-control
ac/cadc-access-control-server
ac/cadc-access-control-admin
ac/cadc-access-control-identity

6.3. Access Control configuration

The Access Control Service must be configured by filling in some configuration files and putting them in the expected location. Some of these files are distributed in the software repository with the .template extension. The involved files and their respective locations are described below.

1. ~<user-launching-tomcat>/.ssl/cadcproxy.pem

Server-side applications typically have to have valid credentials for the current user in order to call other services on the user's behalf. The standard pattern to perform this task is:

• check the user's Subject for a valid proxy certificate
• discard a stored but invalid certificate
• load the certificate for the operational user from ${user.home}/.ssl/cadcproxy.pem
• use the credential client as the operational user to retrieve a new proxy certificate for the current user
• store the user certificate in the Subject

This is the reason why a proxy certificate for an operational user is needed in ${user.home}/.ssl/cadcproxy.pem.

To create the cadcproxy.pem file, an X.509 user certificate issued by a trusted Certification Authority for authentication is needed: mycert.crt, mykey.key

The proxy can be created using a script provided in the core module:

core/cadc-util/scripts/createProxyCert /path/mykey_and_cert.pem <days of validity number> cadcproxy

Where

cat mykey.key mycert.pem > mykey_and_cert.pem

Certificate and key must not contain bag attributes and the key must not be password protected. If needed, the password can be removed by doing:

openssl rsa -in mykey.pem -out mykey.pem.new
Enter pass phrase for mykey.pem: ****************
writing RSA key
$> mv mykey.pem.new mykey.pem
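The two constraints above (no bag attributes, no pass phrase on the key) are easy to get wrong when the key and certificate come out of a PKCS#12 export, and createProxyCert fails late when they are. The following pre-flight check is an added example written for this guide; it is not part of the opencadc code base or of the createProxyCert script. It inspects the concatenated mykey_and_cert.pem text with pure Python, reports what would have to be fixed, and can strip the bag-attribute preamble itself (removing a pass phrase still needs the openssl command shown above). The PEM samples are constructed, with placeholder base64 bodies rather than real key material.

```python
"""Pre-flight check for the key-and-certificate bundle fed to createProxyCert.

Added example, not code from the guide or from opencadc. It verifies the
two constraints the guide states for mykey_and_cert.pem: no bag attributes
and no password-protected key. The PEM samples below are constructed;
their base64 bodies are placeholders, not real keys or certificates.
"""
import re
from typing import List

# Lines that 'openssl pkcs12' exports put in front of PEM blocks.
BAG_ATTRIBUTE_MARKERS = ("Bag Attributes", "localKeyID:", "friendlyName:")
# Legacy (PEM-level) and PKCS#8 markers of an encrypted private key.
ENCRYPTED_KEY_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def check_key_and_cert_bundle(pem_text: str) -> List[str]:
    """Return the list of problems found; an empty list means the bundle
    satisfies the guide's requirements (one cert, one unencrypted key)."""
    problems = []
    found = [m for m in BAG_ATTRIBUTE_MARKERS if m in pem_text]
    if found:
        problems.append(f"bag attributes present ({', '.join(found)}); strip them before use")
    if any(m in pem_text for m in ENCRYPTED_KEY_MARKERS):
        problems.append("private key is password protected; remove the pass phrase first")
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    certs = [label for label in labels if label == "CERTIFICATE"]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(certs) != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected exactly one PRIVATE KEY block, found {len(keys)}")
    return problems


def strip_to_pem_blocks(pem_text: str) -> str:
    """Keep only the PEM blocks, dropping bag attributes and the subject/issuer
    lines that pkcs12 exports place before them."""
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK.finditer(pem_text))


# Constructed sample: an acceptable bundle (placeholder bodies).
GOOD_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIplaceholderplaceholderplaceholder
-----END CERTIFICATE-----
"""

# Constructed sample: bag attributes present and an encrypted key.
BAD_BUNDLE = """\
Bag Attributes
    friendlyName: user cert
    localKeyID: 01 02 03
subject=/C=IT/O=Example/CN=Example User
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIplaceholderplaceholderplaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

placeholderplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(name, check_key_and_cert_bundle(bundle) or "ok")
    print("after stripping:", check_key_and_cert_bundle(strip_to_pem_blocks(BAD_BUNDLE)))
```

Run the check on the real file before calling createProxyCert; the only problem it cannot fix by itself is the pass phrase, which is exactly the case the openssl rsa command above handles.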

It is suggested to link this file also in

~<user-launching-tomcat>/.pub/proxy.pem

because some test utilities use this one.

2. ~/.dbrc file

The bind to LDAP is done as user 'webproxy'. The webproxy credentials are stored in the file named .dbrc that must exist in the home directory of the user running the web service. A template file can be found in:

ac/cadc-access-control-server/.dbrc_example

An example of this file is the following:

#server proxyuser proxyUserDN password driver serverURL
#<server hostname> <proxyUser in LdapConfig.properties> <proxyUserLdapDN> <password> N/A N/A

More than one user can be configured in this file as shown in the subsequent example:

devLdap uid=webproxy,ou=SpecialUsers,cd=inaf,dc=oats,dc=it uid=webproxy,ou=SpecialUsers,cd=inaf,dc=oats,dc=it peperone N/A N/A
devLdap uid=testproxy,ou=SpecialUsers,dc=testcanfar uid=testproxy,ou=SpecialUsers,dc=testcanfar peperone N/A N/A

3. ~/config/LdapConfig.properties

There are three different connection pools to LDAP per web server: one for read operations, one for write operations, and one for binding as the calling user (for login and password change). All connections are made over TLS on port 636. Pool and connection information is configured in the LdapConfig.properties file. It must exist in the directory ~/config/ of the user running the web service. A template of this file can be found in:

ac/cadc-access-control-server/LdapConfig.properties

Warning

Care must be taken to configure the same server host and proxyuser in both ~/.dbrc and ~/config/LdapConfig.properties.

Note

Other copies of similar files are present in the github repository. Not all these files have to be configured. The files:

ac/cadc-access-control-server/src/test/config/testConfig1.properties
ac/cadc-access-control-server/src/test/config/testConfig2.properties

must not be modified because they are used by the test system as they are.
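The warning above about keeping the server host and proxyuser identical in ~/.dbrc and ~/config/LdapConfig.properties is the kind of mismatch that only shows up as a failed LDAP bind at runtime. The following checker is an added example written for this guide, not code shipped with opencadc: it parses both files and confirms that LdapConfig.properties names a bind user for which .dbrc actually holds credentials. The .dbrc columns follow the header shown in the guide; the LdapConfig.properties key names 'server' and 'proxyUser' are assumptions made for this example and should be compared with the template in ac/cadc-access-control-server. The file contents below are constructed samples with a placeholder password.

```python
"""Consistency check between ~/.dbrc and ~/config/LdapConfig.properties.

Added example, not code from the guide or from opencadc. The .dbrc columns
follow the header shown in the guide (server proxyuser proxyUserDN password
driver serverURL). The LdapConfig.properties key names 'server' and
'proxyUser' are assumptions for this example; check them against the
template shipped with cadc-access-control-server.
"""
from typing import Dict, List, Tuple

DBRC_FIELDS = ("server", "proxyuser", "proxyUserDN", "password", "driver", "serverURL")
LDAP_SERVER_KEY = "server"        # assumed key name in LdapConfig.properties
LDAP_PROXY_USER_KEY = "proxyUser"  # assumed key name in LdapConfig.properties


def parse_dbrc(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated .dbrc lines, skipping comments and blanks.
    The file holds a clear-text bind password, so it must stay private to
    the user running the web service."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(DBRC_FIELDS):
            raise ValueError(f".dbrc line {lineno}: expected {len(DBRC_FIELDS)} fields, got {len(parts)}")
        entries.append(dict(zip(DBRC_FIELDS, parts)))
    return entries


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties parser: key=value, '#'/'!' comments.
    Splits on the first '=' only, so a DN value such as uid=x,ou=y survives."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_dbrc_matches_ldap_config(dbrc_text: str, ldap_props_text: str) -> Tuple[bool, str]:
    """Return (ok, message): ok is True only when some .dbrc entry carries the
    same server and proxyuser that LdapConfig.properties names."""
    props = parse_properties(ldap_props_text)
    server = props.get(LDAP_SERVER_KEY)
    proxy_user = props.get(LDAP_PROXY_USER_KEY)
    if server is None or proxy_user is None:
        return False, f"LdapConfig.properties lacks '{LDAP_SERVER_KEY}' or '{LDAP_PROXY_USER_KEY}'"
    for entry in parse_dbrc(dbrc_text):
        if entry["server"] == server and entry["proxyuser"] == proxy_user:
            return True, f"bind user {proxy_user!r} for server {server!r} found in .dbrc"
    return False, f"no .dbrc entry for server {server!r} with proxyuser {proxy_user!r}"


# Constructed samples (placeholder DN and password).
SAMPLE_DBRC = """\
#server proxyuser proxyUserDN password driver serverURL
devLdap uid=webproxy,ou=SpecialUsers,dc=example,dc=org uid=webproxy,ou=SpecialUsers,dc=example,dc=org s3cret N/A N/A
"""
SAMPLE_LDAP_CONFIG_OK = """\
server = devLdap
proxyUser = uid=webproxy,ou=SpecialUsers,dc=example,dc=org
"""
SAMPLE_LDAP_CONFIG_MISMATCH = """\
server = prodLdap
proxyUser = uid=webproxy,ou=SpecialUsers,dc=example,dc=org
"""

if __name__ == "__main__":
    print(check_dbrc_matches_ldap_config(SAMPLE_DBRC, SAMPLE_LDAP_CONFIG_OK))
    print(check_dbrc_matches_ldap_config(SAMPLE_DBRC, SAMPLE_LDAP_CONFIG_MISMATCH))
```

Read the two real files into the two text arguments to run it against a deployment; a False result points at the exact server/proxyuser pair that has to be aligned before starting tomcat.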

4. ~/config/LocalAuthority.properties

Contains the configuration of the local authority map for the User Management Service (ums), Group Management Service (gms) and Credential Delegation Service (cred). A template of this file can be found in:

ac/cadc-access-control-server/src/test/resources/LocalAuthority.properties

5. ~/config/ac-admin-email.properties

Contains the configuration of a mail server to be used to send a confirmation e-mail to users after registration. An example of this file is:

cat ac/cadc-access-control-admin/config/ac-admin-email.properties
#####
# This file is used by the cadcAccessControl-Admin tool for sending
# account approval messages to newly approved users.
#
# If this file is not present the admin tool will continue to function
# but without sending an email.
#
# 5 fields are required:
#
# smtp.host=<host>               The SMTP host name.
# smtp.sender=<email addr>       The user who will send the email.
# smtp.replyto=<reply to addr>   The reply to email address.
# mail.subject                   The subject of the email.
# mail.body=body                 The email body. The %s character in the
#                                body will be replaced with the user's
#                                userid (if present). The # character in
#                                the body will be replaced with a
#                                carriage return.
#
# 1 field is optional:
#
# smtp.bcc=<bcc addr>            A single bcc email address
####

[email protected][email protected][email protected]=New Account
mail.body=Dear User##Your new account is %s ##Thank you

6. ~/config/CapabilitySource.config

This file maps resource identifiers to the location of capability information.

cat CapabilitySource.config
#
# This file maps resource identifiers to the location of capability
# information.
#

ivo://cadc.nrc.ca/gms = http://www.canfar.phys.uvic.ca/ac/capabilities
ivo://cadc.nrc.ca/ad = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/ad/capabilities
ivo://cadc.nrc.ca/caom2ops = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/caom2ops/capabilities
ivo://cadc.nrc.ca/caom2repo = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/caom2repo/capabilities
ivo://cadc.nrc.ca/cat = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/cat/capabilities
ivo://cadc.nrc.ca/cred = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/cred/capabilities
ivo://cadc.nrc.ca/data = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/data/capabilities
ivo://cadc.nrc.ca/proc = http://www.canfar.phys.uvic.ca/proc/capabilities
ivo://cadc.nrc.ca/sia = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/sia/capabilities
ivo://cadc.nrc.ca/tap = http://www.cadc-ccda.hia-iha.nrc-cnrc.gc.ca/tap/capabilities
ivo://cadc.nrc.ca/vospace = http://www.canfar.phys.uvic.ca/vospace/capabilities

ivo://oats.inaf.it/gms = http://vospace-gms.oats.inaf.it/ac/capabilities
ivo://oats.inaf.it/cred = https://vospace-gms.oats.inaf.it/cred/capabilities
ivo://oats.inaf.it/vospace = http://vospace-gms.oats.inaf.it/vospace/capabilities
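Both ac-admin-email.properties (item 5) and CapabilitySource.config (item 6) are plain key=value files whose mistakes surface only when the admin tool or the service first uses them: a missing required mail field, a mail.body whose %s and # placeholders are not what the administrator expected, or a capabilities entry that is not an ivo:// identifier or does not point at an HTTP(S) URL. The block below is an added example written for this guide, not part of the cadcAccessControl-Admin tool or of the service, that reads both files with Python's configparser, checks the five fields the ac-admin-email.properties header calls required, renders mail.body with the substitutions the header documents (with the carriage return rendered as a newline), and lists which capability sources are fetched over plain http. The file contents are constructed samples with example.org placeholder addresses and hosts.

```python
"""Validate ac-admin-email.properties and CapabilitySource.config.

Added example, not part of the guide, the admin tool or the service. Both
files are sectionless key=value files, so configparser is given a dummy
section. Sample contents are constructed (example.org placeholders).
"""
import configparser
from typing import Dict, List, Optional

# The five fields the ac-admin-email.properties header calls required.
REQUIRED_MAIL_FIELDS = ("smtp.host", "smtp.sender", "smtp.replyto", "mail.subject", "mail.body")


def load_key_values(text: str) -> Dict[str, str]:
    """Parse a sectionless key=value file; '#' lines are comments.
    interpolation=None keeps the literal %s in mail.body; optionxform=str
    keeps key case; duplicate keys raise (configparser strict mode)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), empty_lines_in_values=False)
    cp.optionxform = str
    cp.read_string("[root]\n" + text)
    return dict(cp["root"])


def missing_mail_fields(props: Dict[str, str]) -> List[str]:
    """Required mail fields that are absent or empty."""
    return [field for field in REQUIRED_MAIL_FIELDS if not props.get(field)]


def render_mail_body(body_template: str, userid: Optional[str] = None) -> str:
    """Apply the substitutions the header documents: '%s' becomes the userid
    (empty when none is present) and '#' becomes a line break."""
    text = body_template.replace("%s", userid if userid is not None else "")
    return text.replace("#", "\n")


def parse_capability_sources(text: str) -> Dict[str, str]:
    """Map ivo:// resource identifiers to capabilities document URLs,
    rejecting entries that are not ivo:// URIs or not HTTP(S) locations."""
    sources = load_key_values(text)
    for rid, url in sources.items():
        if not rid.startswith("ivo://"):
            raise ValueError(f"resource identifier {rid!r} is not an ivo:// URI")
        if not url.startswith(("http://", "https://")):
            raise ValueError(f"{rid}: capabilities location {url!r} is not an HTTP(S) URL")
    return sources


def plain_http_sources(sources: Dict[str, str]) -> List[str]:
    """Identifiers whose capabilities document is fetched without TLS; worth
    reviewing, because that document tells the service where to send calls."""
    return [rid for rid, url in sources.items() if url.startswith("http://")]


# Constructed samples.
SAMPLE_MAIL_PROPERTIES = """\
# constructed sample with placeholder addresses
smtp.host=smtp.example.org
smtp.sender=noreply@example.org
smtp.replyto=helpdesk@example.org
mail.subject=New Account
mail.body=Dear User##Your new account is %s ##Thank you
"""

SAMPLE_CAPABILITY_SOURCES = """\
#
# constructed sample mapping resource identifiers to capability documents
#
ivo://example.org/gms = https://ac.example.org/ac/capabilities
ivo://example.org/cred = https://ac.example.org/cred/capabilities
ivo://example.org/vospace = http://ac.example.org/vospace/capabilities
"""

if __name__ == "__main__":
    mail = load_key_values(SAMPLE_MAIL_PROPERTIES)
    print("missing mail fields:", missing_mail_fields(mail) or "none")
    print(render_mail_body(mail["mail.body"], "jdoe"))
    caps = parse_capability_sources(SAMPLE_CAPABILITY_SOURCES)
    print("plain http capability sources:", plain_http_sources(caps))
```

Point load_key_values at the contents of the real files to check a deployment; the rendered body is also a quick way to see what a newly approved user will actually receive before the admin tool sends it.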

All the .properties files, where they exist in the source code tree, have to be correctly configured there too before compiling the code, so that they are included in the classpath at build time and found in the classpath when needed.

6.4. Access Control deployment

The Access Control Service deployment package can be obtained by issuing:

git clone https://www.ict.inaf.it/gitlab/OATS-CADC/oats-ac-web.git

The repository contains some files to customize:

oats-ac-web/src/main/webapp/WEB-INF/web.xml.template
oats-ac-web/src/main/resources/RsaSignaturePub.key.template
oats-ac-web/src/main/resources/RsaSignaturePriv.key.template
oats-ac-web/build.gradle.template
oats-ac-web/src/main/webapp/capabilities.xml

Each template file contains comments/instructions on how to customize it, except build.gradle.template, which can be customized, as previously described, for maven central hosted or local libraries.

The file capabilities.xml defines the standards and capabilities (e.g., IVOA defined interfaces) provided by the service, and it must be customized according to the local service features.

The compilation produces the ac.war file. It can be deployed issuing:

systemctl stop tomcat
cp ac.war $TOMCAT_HOME/webapps
systemctl start tomcat

If some customization is done in the files contained in the deployment location, be careful: the expected behavior of Tomcat is to treat the deletion of the .war file as a request to redeploy or undeploy the application. So, if the war file is deleted while tomcat is running, the application is undeployed (removed) by tomcat.

If tomcat is stopped before deleting the WAR file and started only after that, the application will not be undeployed.

Appendix A. Revision History

Revision 1.0-0 Fri March 03 2017 Sara Bertocco

[email protected]

Initial creation by publican
