Dorian Configuration



This guide provides technical details on the configuration options for Dorian. Dorian leverages the Spring Framework for configuration, which gives Dorian a lot of flexibility in replacing components with alternative implementations. The Dorian configuration file is DORIAN_HOME/etc/dorian-configuration.xml; it contains the Spring beans for the configurable components of Dorian. In most cases users will not need to change the Dorian configuration file; the more common changes are highlighted in the section Configuration Beans. The second configuration file Dorian uses is the Dorian properties file, DORIAN_HOME/etc/dorian.properties, which contains the commonly edited properties for configuring Dorian. Each property is documented in the Properties section.

Properties

This section documents the configuration properties specified in the Dorian properties file (DORIAN_HOME/etc/dorian.properties). The database connection settings in Core Properties must be set for every deployment; the remaining properties have defaults that operators should review against their own security requirements.

Core Properties

Property Name | Value(s) | Description
gaards.dorian.name | String | Name of the Dorian; must be unique per host.
gaards.dorian.db.host | String | The host name of the MySQL server.
gaards.dorian.db.port | Integer | The port the MySQL server binds to.
gaards.dorian.db.user | String | The user id of the MySQL user.
gaards.dorian.db.password | String | The password of the MySQL user.

Identity Provider Properties

Property Name | Value(s) | Description
gaards.dorian.idp.name | String | The name of the Dorian IdP.
gaards.dorian.idp.renew.asserting.credentials | true or false | Whether or not to renew the credentials used to sign SAML assertions.
gaards.dorian.idp.asserting.credentials.password | String | The password protecting the private key used to sign SAML assertions.
gaards.dorian.idp.min.uid | Integer | The minimum user id length for accounts issued by the Dorian IdP.
gaards.dorian.idp.max.uid | Integer | The maximum user id length for accounts issued by the Dorian IdP.
gaards.dorian.idp.password.min.length | Integer | The minimum password length for accounts issued by the Dorian IdP.
gaards.dorian.idp.password.max.length | Integer | The maximum password length for accounts issued by the Dorian IdP.
gaards.dorian.idp.password.lock.hours | Integer | Number of hours to lock an account for when the number of consecutive invalid logins is exceeded.
gaards.dorian.idp.password.lock.minutes | Integer | Number of minutes to lock an account for when the number of consecutive invalid logins is exceeded.
gaards.dorian.idp.password.lock.seconds | Integer | Number of seconds to lock an account for when the number of consecutive invalid logins is exceeded.
gaards.dorian.idp.password.cons.invalid.login | Integer | Number of consecutive invalid logins that can occur before locking an account for the configured time frame.
gaards.dorian.idp.password.max.invalid.login | Integer | Number of total invalid logins that can occur before the account is locked until the password is reset.
gaards.dorian.idp.account.modification.policy | String | Policy used for determining whether users can modify their own profile. Set to "User" to allow a user to modify their profile, or to "Admin" to make profile editing an administrator-only task.

The lock.hours, lock.minutes and lock.seconds values together define a single temporary lock duration. Two limits apply to invalid logins: exceeding the consecutive limit locks the account for that duration, while exceeding the total limit locks it until an administrator resets the password, so the second limit still bites even when an attacker spaces guesses out across lock windows.
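The following is an added example, not Dorian's own code, that models how the lockout properties in the table above interact. The page does not spell out the exact semantics, so the model makes these assumptions, each marked in the code: the three lock.* values are summed into one duration; a lock is applied when a counter is exceeded (as the table says) rather than reached; attempts rejected while locked are not counted; a successful login resets the consecutive counter but never the total; and a lock caused by the total limit is cleared only by a password reset.

```python
"""Model of the Dorian IdP account-lockout properties (added example, not Dorian code)."""
from dataclasses import dataclass

PREFIX = "gaards.dorian.idp.password."

# Constructed dorian.properties excerpt for the example.
SAMPLE_PROPERTIES = {
    PREFIX + "cons.invalid.login": "3",
    PREFIX + "max.invalid.login": "5",
    PREFIX + "lock.hours": "0",
    PREFIX + "lock.minutes": "5",
    PREFIX + "lock.seconds": "0",
}


@dataclass
class LockoutPolicy:
    cons_invalid_login: int
    max_invalid_login: int
    lock_seconds: int  # ASSUMPTION: hours, minutes and seconds are summed

    @classmethod
    def from_properties(cls, props):
        def get(key, default="0"):
            return int(props.get(PREFIX + key, default))
        return cls(
            cons_invalid_login=get("cons.invalid.login"),
            max_invalid_login=get("max.invalid.login"),
            lock_seconds=get("lock.hours") * 3600 + get("lock.minutes") * 60 + get("lock.seconds"),
        )


@dataclass
class Account:
    consecutive_failures: int = 0
    total_failures: int = 0
    locked_until: float = 0.0     # epoch seconds at which a temporary lock expires
    requires_reset: bool = False  # locked until an administrator resets the password


def attempt_login(policy, acct, password_ok, now):
    """Apply one login attempt at epoch time `now` and return the outcome."""
    if acct.requires_reset:
        return "LOCKED_UNTIL_RESET"
    if now < acct.locked_until:
        return "LOCKED_TEMPORARILY"          # ASSUMPTION: rejected attempts are not counted
    if password_ok:
        acct.consecutive_failures = 0        # ASSUMPTION: success resets only the consecutive count
        return "SUCCESS"
    acct.consecutive_failures += 1
    acct.total_failures += 1
    if acct.total_failures > policy.max_invalid_login:
        acct.requires_reset = True           # only a password reset clears this
        return "LOCKED_UNTIL_RESET"
    if acct.consecutive_failures > policy.cons_invalid_login:
        acct.consecutive_failures = 0        # ASSUMPTION: counter restarts after a lock
        acct.locked_until = now + policy.lock_seconds
        return "LOCKED_TEMPORARILY"
    return "INVALID"


def replay(policy, events):
    """Replay (epoch_seconds, password_ok) events against a fresh account."""
    acct = Account()
    return [attempt_login(policy, acct, ok, t) for t, ok in events]


def demo():
    """Four bad passwords, a good one inside the lock window, a good one after it,
    then three more bad ones that push the *total* over max.invalid.login."""
    policy = LockoutPolicy.from_properties(SAMPLE_PROPERTIES)
    events = [(0, False), (1, False), (2, False), (3, False), (4, True),
              (310, True), (311, False), (312, False), (313, False)]
    return policy.lock_seconds, replay(policy, events)


if __name__ == "__main__":
    lock, outcomes = demo()
    print(f"lock duration: {lock}s")
    for step, outcome in enumerate(outcomes):
        print(step, outcome)
```

The run shows the two limits operating independently: the fourth consecutive failure triggers a 300-second lock, the correct password is refused while that lock is active, and later the sixth failure overall triggers the reset-only lock even though only two of those failures were consecutive.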

Federation Properties

Property Name | Value(s) | Description
gaards.dorian.federation.identity.policy | name or id | Policy used for assigning the IdP portion of user grid identities.
gaards.dorian.federation.min.idp.name.length | Integer | The minimum length of a trusted identity provider's name.
gaards.dorian.federation.max.idp.name.length | Integer | The maximum length of a trusted identity provider's name.
gaards.dorian.federation.certificate.lifetime.years | Integer | The number of years to issue host certificates for.
gaards.dorian.federation.certificate.lifetime.months | Integer | The number of months to issue host certificates for.
gaards.dorian.federation.certificate.lifetime.days | Integer | The number of days to issue host certificates for.
gaards.dorian.federation.certificate.lifetime.hours | Integer | The number of hours to issue host certificates for.
gaards.dorian.federation.certificate.lifetime.minutes | Integer | The number of minutes to issue host certificates for.
gaards.dorian.federation.certificate.lifetime.seconds | Integer | The number of seconds to issue host certificates for.
gaards.dorian.federation.auto.host.certificate.approval | true or false | Whether or not to automatically approve host certificate requests.
gaards.dorian.federation.user.certificate.lifetime.hours | Integer | The number of hours to issue user certificates for.
gaards.dorian.federation.user.certificate.lifetime.minutes | Integer | The number of minutes to issue user certificates for.
gaards.dorian.federation.user.certificate.lifetime.seconds | Integer | The number of seconds to issue user certificates for.
gaards.dorian.federation.user.search.policy | Admin, Authenticated or Public | Policy used to determine who can perform a user search.
gaards.dorian.federation.host.search.policy | Admin, Authenticated or Public | Policy used to determine who can perform a host search.
gaards.dorian.federation.crl.publish | Comma-separated list of URLs | The list of Grid Trust Services to publish the Dorian CRL to.

The years, months, days, hours, minutes and seconds values of a lifetime are combined into a single validity period. With auto.host.certificate.approval set to true, every host certificate request is signed without an administrator looking at it, so the CA's trust is only as good as the controls on who can submit a request; leave it false unless that is acceptable. Setting a search policy to Public exposes the user or host directory to unauthenticated callers.

Certificate Authority Properties

Property Name | Value(s) | Description
gaards.dorian.ca.password | String | The password Dorian uses to access its Certificate Authority.
gaards.dorian.ca.policy.oid | OID | The Certificate Authority policy OID.
gaards.dorian.ca.auto.create | true or false | Whether or not to automatically generate a Certificate Authority for Dorian.
gaards.dorian.ca.auto.create.subject | String | The Distinguished Name to use when creating the Dorian Certificate Authority.
gaards.dorian.ca.auto.create.key.size | 512, 1024, 2048 | The size, in bits, of the RSA private key for the Dorian Certificate Authority.
gaards.dorian.ca.auto.create.lifetime.years | Integer | The number of years to make the Dorian Certificate Authority valid for.
gaards.dorian.ca.auto.create.lifetime.months | Integer | The number of months to make the Dorian Certificate Authority valid for.
gaards.dorian.ca.auto.create.lifetime.days | Integer | The number of days to make the Dorian Certificate Authority valid for.
gaards.dorian.ca.auto.create.lifetime.hours | Integer | The number of hours to make the Dorian Certificate Authority valid for.
gaards.dorian.ca.auto.create.lifetime.minutes | Integer | The number of minutes to make the Dorian Certificate Authority valid for.
gaards.dorian.ca.auto.create.lifetime.seconds | Integer | The number of seconds to make the Dorian Certificate Authority valid for.
gaards.dorian.ca.auto.renew | true or false | Whether or not to renew the Dorian CA when it expires.
gaards.dorian.ca.auto.renew.lifetime.years | Integer | The number of years to renew the Dorian Certificate Authority for.
gaards.dorian.ca.auto.renew.lifetime.months | Integer | The number of months to renew the Dorian Certificate Authority for.
gaards.dorian.ca.auto.renew.lifetime.days | Integer | The number of days to renew the Dorian Certificate Authority for.
gaards.dorian.ca.auto.renew.lifetime.hours | Integer | The number of hours to renew the Dorian Certificate Authority for.
gaards.dorian.ca.auto.renew.lifetime.minutes | Integer | The number of minutes to renew the Dorian Certificate Authority for.
gaards.dorian.ca.auto.renew.lifetime.seconds | Integer | The number of seconds to renew the Dorian Certificate Authority for.
gaards.dorian.ca.eracom.slot | Integer | The slot number on the SafeNet ProtectServer Gold containing the Dorian CA. (Required if using the Eracom Certificate Authority.)

Of the three accepted key sizes, only 2048 should be used for a new CA: 512-bit RSA keys can be factored cheaply and 1024-bit keys have been deprecated for signing for years, and a CA key that is compromised can sign certificates for any user or host in the grid. The gaards.dorian.ca.password and gaards.dorian.db.password values sit in plain text in dorian.properties, so restrict that file's permissions to the account running Dorian.
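The following is an added example, not part of Dorian, that reads a dorian.properties file and flags the settings from the tables above that most often weaken a deployment. The thresholds it applies (a 2048-bit CA key, no automatic host-certificate approval, a working lockout, no Public search policy, user certificates no longer than a day, a non-default database password) are this editor's recommendations, not values the Dorian documentation mandates; the properties excerpt is constructed for the example.

```python
"""Security audit of a dorian.properties file (added example, not Dorian code)."""
import re

# Constructed dorian.properties excerpt with several weak settings.
SAMPLE_PROPERTIES = """\
# constructed for the example
gaards.dorian.name=dorian
gaards.dorian.db.host=localhost
gaards.dorian.db.port=3306
gaards.dorian.db.user=dorian
gaards.dorian.db.password=changeme
gaards.dorian.idp.password.cons.invalid.login=3
gaards.dorian.idp.password.max.invalid.login=10
gaards.dorian.idp.password.lock.hours=0
gaards.dorian.idp.password.lock.minutes=5
gaards.dorian.idp.password.lock.seconds=0
gaards.dorian.federation.auto.host.certificate.approval=true
gaards.dorian.federation.user.search.policy=Public
gaards.dorian.federation.host.search.policy=Authenticated
gaards.dorian.federation.user.certificate.lifetime.hours=12
gaards.dorian.federation.user.certificate.lifetime.minutes=0
gaards.dorian.federation.user.certificate.lifetime.seconds=0
gaards.dorian.ca.auto.create=true
gaards.dorian.ca.auto.create.key.size=1024
gaards.dorian.ca.auto.create.lifetime.years=10
"""

# Values that clear every finding in the sample above.
HARDENED_OVERRIDES = {
    "gaards.dorian.ca.auto.create.key.size": "2048",
    "gaards.dorian.federation.auto.host.certificate.approval": "false",
    "gaards.dorian.federation.user.search.policy": "Authenticated",
    "gaards.dorian.db.password": "q7Rt!vLp2#mZ9x",
}

WEAK_PASSWORDS = {"", "changeme", "password", "dorian"}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _int(props, key):
    return int(props.get(key, "0") or 0)


def _seconds(props, prefix):
    """Combine <prefix>.hours/.minutes/.seconds into one duration in seconds."""
    return (_int(props, prefix + ".hours") * 3600
            + _int(props, prefix + ".minutes") * 60
            + _int(props, prefix + ".seconds"))


def _true(props, key):
    return props.get(key, "false").strip().lower() == "true"


def audit(props):
    """Return (severity, property, message) findings for the weak settings found."""
    findings = []
    key_size = _int(props, "gaards.dorian.ca.auto.create.key.size")
    if _true(props, "gaards.dorian.ca.auto.create") and key_size < 2048:
        findings.append(("HIGH", "gaards.dorian.ca.auto.create.key.size",
                         f"{key_size}-bit CA key; use 2048"))
    if _true(props, "gaards.dorian.federation.auto.host.certificate.approval"):
        findings.append(("HIGH", "gaards.dorian.federation.auto.host.certificate.approval",
                         "host certificate requests are signed without review"))
    for kind in ("user", "host"):
        key = f"gaards.dorian.federation.{kind}.search.policy"
        if props.get(key, "") == "Public":
            findings.append(("MEDIUM", key, "search is open to unauthenticated callers"))
    lock = _seconds(props, "gaards.dorian.idp.password.lock")
    if _int(props, "gaards.dorian.idp.password.cons.invalid.login") <= 0 or lock <= 0:
        findings.append(("MEDIUM", "gaards.dorian.idp.password.cons.invalid.login",
                         "no effective lockout against online password guessing"))
    user_cert = _seconds(props, "gaards.dorian.federation.user.certificate.lifetime")
    if user_cert > 24 * 3600:
        findings.append(("LOW", "gaards.dorian.federation.user.certificate.lifetime.hours",
                         f"user certificates live {user_cert // 3600}h; keep them short-lived"))
    if props.get("gaards.dorian.db.password", "") in WEAK_PASSWORDS:
        findings.append(("HIGH", "gaards.dorian.db.password", "default or empty database password"))
    return findings


if __name__ == "__main__":
    for severity, prop, msg in audit(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {prop}: {msg}")
```

Run against the sample it reports the 1024-bit CA key, the automatic host approval, the Public user search and the default database password; applying HARDENED_OVERRIDES on top of the same file clears every finding.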

Configuration Beans

This section documents the common edits that operators of Dorian might make to the beans in the Dorian configuration file.

Identity Provider Registration Policy

The Identity Provider Registration Policy specifies what Dorian does when a user registers for an account with the Dorian Identity Provider. This policy is represented and enforced by a Java class that implements the interface org.cagrid.gaards.dorian.idp.IdPRegistrationPolicy, which allows custom policies to be plugged in for handling user registrations. In the Dorian configuration, the Identity Provider Registration Policy is represented by the registrationPolicy bean:

<bean id="registrationPolicy" class="org.cagrid.gaards.dorian.idp.ManualRegistrationPolicy" />

Out of the box Dorian supports two registration policies: (1) Automatic Registration, which issues an account to every user that registers, represented by the org.cagrid.gaards.dorian.idp.AutomaticRegistrationPolicy class, and (2) Manual Registration, which requires an administrator to approve each user that registers, represented by the org.cagrid.gaards.dorian.idp.ManualRegistrationPolicy class. Because accounts from the Dorian IdP map to grid identities, Automatic Registration means anyone who can reach the registration interface gets a grid identity; Manual Registration is the safer default for anything but a test deployment.

Certificate Authority

Dorian supports multiple Certificate Authority implementations. A Certificate Authority is implemented by extending the org.cagrid.gaards.dorian.ca.CertificateAuthority abstract class, and the implementation in use is configured in the Dorian configuration file with the certificateAuthority bean. Out of the box Dorian supports two Certificate Authority implementations: (1) a Database Certificate Authority (org.cagrid.gaards.dorian.ca.DBCertificateAuthority), which persists CA information, including the CA private key, in Dorian's MySQL database, and (2) a Hardware Security Module Certificate Authority (org.cagrid.gaards.dorian.ca.EracomCertificateAuthority), which generates and stores the CA keys in a SafeNet ProtectServer Gold Hardware Security Module (HSM) and persists the remaining certificate authority information in Dorian's MySQL database. With the database CA, anyone who can read the database (or a backup of it) holds the CA key, so the HSM-backed CA is the one to use where the CA signs for a production grid. Below we show the valid configurations for each of these certificate authorities.

Database Certificate Authority

    <bean id="certificateAuthority" class="org.cagrid.gaards.dorian.ca.DBCertificateAuthority">
        <constructor-arg index="0" ref="database" />
        <constructor-arg index="1" ref="caProperties" />
    </bean>
    <bean id="caProperties" class="org.cagrid.gaards.dorian.ca.CertificateAuthorityProperties">
        <constructor-arg index="0" value="${gaards.dorian.ca.password}" />
        <constructor-arg index="1" value="${gaards.dorian.ca.policy.oid}" />
        <constructor-arg index="2" value="${gaards.dorian.ca.issued.cert.key.size}" />
        <constructor-arg index="3" value="${gaards.dorian.ca.auto.create}" />
        <constructor-arg index="4" ref="caCreationPolicy" />
        <constructor-arg index="5" value="${gaards.dorian.ca.auto.renew}" />
        <constructor-arg index="6" ref="caRenewalLifetime" />
    </bean>
SafeNet ProtectServer Gold Certificate Authority

If using the SafeNet ProtectServer Gold Certificate Authority you must specify gaards.dorian.ca.eracom.slot in the Dorian properties file. You must also install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (Java 5: http://java.sun.com/javase/downloads/index_jdk5.jsp, Java 6: http://java.sun.com/javase/downloads/index.jsp) in your JVM.

    <bean id="certificateAuthority" class="org.cagrid.gaards.dorian.ca.EracomCertificateAuthority">
        <constructor-arg index="0" ref="eracomCAProperties" />
    </bean>
    <bean id="eracomCAProperties" class="org.cagrid.gaards.dorian.ca.EracomCertificateAuthorityProperties">
        <constructor-arg index="0" value="${gaards.dorian.ca.password}" />
        <constructor-arg index="1" value="${gaards.dorian.ca.policy.oid}" />
        <constructor-arg index="2" value="${gaards.dorian.ca.issued.cert.key.size}" />
        <constructor-arg index="3" value="${gaards.dorian.ca.auto.create}" />
        <constructor-arg index="4" ref="caCreationPolicy" />
        <constructor-arg index="5" value="${gaards.dorian.ca.auto.renew}" />
        <constructor-arg index="6" ref="caRenewalLifetime" />
        <constructor-arg index="7" value="${gaards.dorian.ca.eracom.slot}" />
    </bean>

Both configurations reference the database, caCreationPolicy and caRenewalLifetime beans, which are not reproduced on this page, and both read gaards.dorian.ca.issued.cert.key.size, a property that is not listed in the Certificate Authority Properties table above; check that it is set in dorian.properties, since an unresolved ${...} placeholder is passed to the constructor as the literal text.
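The following is an added example, not Dorian's own code, for checking a deployment's dorian-configuration.xml against its dorian.properties before starting the service: it reports which class backs the registrationPolicy and certificateAuthority beans discussed in this section, finds ${...} placeholders that have no value in the properties file, and finds ref="..." targets that no bean in the file defines. The XML is the Database Certificate Authority excerpt from this page wrapped in the Spring beans namespace; the properties excerpt is constructed and deliberately omits gaards.dorian.ca.issued.cert.key.size, which the XML references but the properties tables on this page do not list. A real file will also define the database, caCreationPolicy and caRenewalLifetime beans, so the dangling-reference output below is an artefact of the excerpt, not of Dorian.

```python
"""Cross-check dorian-configuration.xml against dorian.properties (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed from the Database CA configuration shown on this page.
SAMPLE_CONFIG_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="registrationPolicy" class="org.cagrid.gaards.dorian.idp.ManualRegistrationPolicy" />
  <bean id="certificateAuthority" class="org.cagrid.gaards.dorian.ca.DBCertificateAuthority">
    <constructor-arg index="0" ref="database" />
    <constructor-arg index="1" ref="caProperties" />
  </bean>
  <bean id="caProperties" class="org.cagrid.gaards.dorian.ca.CertificateAuthorityProperties">
    <constructor-arg index="0" value="${gaards.dorian.ca.password}" />
    <constructor-arg index="1" value="${gaards.dorian.ca.policy.oid}" />
    <constructor-arg index="2" value="${gaards.dorian.ca.issued.cert.key.size}" />
    <constructor-arg index="3" value="${gaards.dorian.ca.auto.create}" />
    <constructor-arg index="4" ref="caCreationPolicy" />
    <constructor-arg index="5" value="${gaards.dorian.ca.auto.renew}" />
    <constructor-arg index="6" ref="caRenewalLifetime" />
  </bean>
</beans>
"""

# Constructed properties excerpt; issued.cert.key.size is intentionally missing.
SAMPLE_PROPERTIES = """\
gaards.dorian.ca.password=do-not-commit-this
gaards.dorian.ca.policy.oid=1.2.3.4.5
gaards.dorian.ca.auto.create=true
gaards.dorian.ca.auto.renew=true
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}bean' -> 'bean')."""
    return tag.rsplit("}", 1)[-1]


def property_keys(text):
    """Keys of a simple key=value properties file, skipping blanks and comments."""
    return {line.split("=", 1)[0].strip() for line in text.splitlines()
            if "=" in line and not line.lstrip().startswith(("#", "!"))}


def bean_classes(xml_text):
    """Map bean id -> implementing class for every <bean> with an id."""
    root = ET.fromstring(xml_text)
    return {el.get("id"): el.get("class")
            for el in root.iter() if _local(el.tag) == "bean" and el.get("id")}


def unresolved_placeholders(xml_text, props_text):
    """${key} references in any attribute that the properties file does not define."""
    root = ET.fromstring(xml_text)
    referenced = set()
    for el in root.iter():
        for value in el.attrib.values():
            referenced.update(PLACEHOLDER.findall(value))
    return referenced - property_keys(props_text)


def dangling_refs(xml_text):
    """ref="..." targets with no bean of that id in this file."""
    root = ET.fromstring(xml_text)
    return {el.get("ref") for el in root.iter() if el.get("ref")} - set(bean_classes(xml_text))


def review(xml_text, props_text):
    """Summarise what an operator should confirm before starting Dorian."""
    classes = bean_classes(xml_text)
    reg = classes.get("registrationPolicy") or ""
    return {
        "registration_policy": reg,
        "auto_registration": reg.endswith("AutomaticRegistrationPolicy"),
        "certificate_authority": classes.get("certificateAuthority"),
        "unresolved_placeholders": sorted(unresolved_placeholders(xml_text, props_text)),
        "dangling_refs": sorted(dangling_refs(xml_text)),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_CONFIG_XML, SAMPLE_PROPERTIES).items():
        print(f"{key}: {value}")
```

The namespace handling matters because Dorian's real configuration declares the Spring beans namespace, which makes ElementTree report every tag as "{uri}bean"; without stripping it, a naive root.iter("bean") finds nothing and the check silently passes.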

Last edited by Joe George