WebSSO 1.4 Administrators Guide

[ WebSSO: Administrators Guide | Developers Guide | Users Guide | caGrid: Documentation Guides ]


	Contents 1 Install and Configure a Web Single Sign On (WebSSO) Server 1.1 Step 1: Install Prerequisite Software 1.2 Step 2: Set Up Environment Variables 1.3 Step 3: Obtain a Host Credential 1.4 Step 4: Configure Globus to Trust the CA 1.5 Step 5: Configure the WebSSO Server 1.5.1 WebSSO Properties 1.6 Step 6: Copy the Sync Description File 1.7 Step 7: Build the WebSSO Server 1.8 Step 8: Configure Tomcat 1.9 Step 9: Deploy WebSSO into Tomcat 1.10 Step 10: Verify the Installation

Install and Configure a Web Single Sign On (WebSSO) Server

The Web Single Sign On (WebSSO) is distributed both as a standalone project and as a component of other projects (such as caGrid). This guide details the steps involved in deploying a WebSSO server. To learn how to install a WebSSO client to use the server, refer to the WebSSO Client Developers Guide. Each distribution contains a websso directory, herein referred to as WEBSSO_LOCATION. To install and configure the WebSSO, follow the steps below.

Step 1: Install Prerequisite Software

WEBSSO requires the same prerequisite software as caGrid. You can perform either of the following actions to install the prerequisites:

Option 1:
Follow the instructions for the installation of caGrid using the caGrid Installer .

Option 2:
Install caGrid manually

Step 2: Set Up Environment Variables

Create the following environment variables.

Create a GLOBUS_LOCATION environment variable and point it at the directory in which you installed Globus.
Create a CATALINA_HOME environment variable and point it at the directory in which you installed Tomcat.
Create a ANT_HOME environment variable and point it at the directory in which you installed Ant.

Step 3: Obtain a Host Credential

The WebSSO must run a securely, so the hosting container must run with a host credential. A host credential consist of an X.509 certificate and private key. Dorian provides the ability to issue and manage host credentials.

Request a credential using the GAARDS UI.

Step 4: Configure Globus to Trust the CA

Note
If you opt to start syncGTS programatically, see Step 5 and Step 6 for the detailed procedures.

For SyncGTS to 'sync' up the CA certificates on the WebSSO Server, the master GTS Certificate Authority .0 file must be copied from GTS to WebSSO.

Copy the MASTER GTS CA.0 file from the GTS server that is at the $HOME/.globus/certificates to the $HOME/.globus/certificates folder on the WebSSO server.

Note
If you don't opt to start syncGTS programatically, see Step 5 and Step 6 for the detailed procedures.

We MUST configure Globus to trust the CA that issued the host credentials obtained in the previous step. To do this, place a copy of the certificate for the CA that issued the host credentials in the Globus trusted certificates directory. Unless otherwise specified during installation, this is usually USER_HOME/.globus/certificates. Globus requires all CA certificates in its trusted certificates directory to be in PEM format and to have a digit extension (0-9). For example, if a CA certificate is stored in the file cacert.pem, it should be copied to the directory USER_HOME/.globus/certificates (create directory if needed) with the file name "cacert.0"

Step 5: Configure the WebSSO Server

Configuring cas.properties and websso-properties-template.xml requires host certificate,host key obtained from Step 3, websso server host name, websso server https port, and start auto sync gts [yes]/[no].

Type the commands below at the command prompt and provide details when prompted as shown in the sample output:

%> cd WEBSSO_LOCATION
%> ant configure-websso

Following is sample output:

Buildfile: build.xml

configure-websso:
    [input] Enter the location of the host certificate (PEM format):
C:/Documents and Settings/user_account/host-cert.pem
    [input] Enter the location of the host key (PEM format):
C:/Documents and Settings/user_account/host-key.pem
    [input] Enter websso server host name:
localhost
    [input] Enter websso server https port (int value):
8443
    [input] Enter start auto sync gts (yes or no) : [no]
yes

defineAntTask:

-resolve-template-tokens:

-replace-token-contents:
     [copy] Copying 1 file to C:\devroot\caGrid\cagrid-1-0\caGrid\projects\websso\src\resources
     [copy] Copying 1 file to C:\devroot\caGrid\cagrid-1-0\caGrid\projects\websso\src\resources

The WebSSO is configured through an file, WEBSSO_LOCATION/src/resources/websso-properties.xml. Below is an example of the websso property file, followed by a description of each of the properties:

<websso-properties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="websso-properties.xsd">
	<websso-server-information>
		<start-auto-syncgts>@START.AUTO.SYNC.GTS@</start-auto-syncgts>
		<host-credential-certificate-file-path>@WEBSSO.SERVER.HOST.CERTIFICATE@</host-credential-certificate-file-path>
		<host-credential-key-file-path>@WEBSSO.SERVER.HOST.KEY@</host-credential-key-file-path>
	</websso-server-information>
	<credential-delegation-service-information>
		<service-url>https://cds.training.cagrid.org:8443/wsrf/services/cagrid/CredentialDelegationService</service-url>
		<service-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/cds.training.cagrid.org</service-identity>
		<delegation-lifetime-hours>8</delegation-lifetime-hours>
		<delegation-lifetime-minutes>0</delegation-lifetime-minutes>
		<delegation-lifetime-seconds>0</delegation-lifetime-seconds>
		<issued-credential-path-length>0</issued-credential-path-length>
	</credential-delegation-service-information>
	<dorian-services-information>
		<dorian-service-descriptor>
			<display-name>>Training</display-name>
			<service-url>https://dorian.training.cagrid.org:8443/wsrf/services/cagrid/Dorian</service-url>
			<service-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/dorian.training.cagrid.org</service-identity>
			<proxy-lifetime-hours>12</proxy-lifetime-hours>
			<proxy-lifetime-minutes>0</proxy-lifetime-minutes>
			<proxy-lifetime-seconds>0</proxy-lifetime-seconds>
		</dorian-service-descriptor>
	</dorian-services-information>
	<delegated-applications-group>
		<group-name>String</group-name>
		<delegated-application-list>
			<delegated-application>
				<application-name>webssoclientexample1-1.4-dev</application-name>
				<host-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/WEBSSOCLIENT1</host-identity>
			</delegated-application>
			<delegated-application>
				<application-name>webssoclientexample2-1.4-dev</application-name>
				<host-identity>/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/WEBSSOCLIENT2</host-identity>
			</delegated-application>
		</delegated-application-list>
	</delegated-applications-group>
</websso-properties>

WebSSO Properties

Property Group	Property Name	Description
websso-server-information		This section contains information about the WebSSO Server.
	start-auto-syncgts	This is a configuration parameter indicating whether the WebSSO Server should start SyncGTS automatically or not. "yes" indicates WebSSO Server to start the SyncGTS daemon.
	host-credential-certificate-file-path	This is the path to the WebSSO Server's Host Certificate File obtained in Step 3.
	host-credential-key-file-path	This is the path to the WebSSO Server's Host Key File obtained in Step 3.
credential-delegation-service-information		This section is used to configure the Credential Delegation Service which will be used to publish the delegation policy for User's Grid Credentials
	service-url	This is the URL to the Credential Delegation Service.This information is known based on the prior installation of CDS.
	service-identity	This is the service Identity for Credential Delegation Service.
	delegation-lifetime-hours	This is the hours for which the delegation policy remains alive.
	delegation-lifetime-minutes	This is the minutes for which the delegation policy remains alive.
	delegation-lifetime-seconds	This is the seconds for which the delegation policy remains alive.
	issued-credential-path-length	A path length specifies the length of a credential chain. For example a credential with a length of 2 means that the credential can be delegated to a second party and the second party could in turn delegate the credential to a third party at which point the third party can no longer delegate the credential. The Issued Credential Path Length specifies the path length of the credentials issued to third parties. An Issued Credential Path Length of 0 indicates that the third party may not further delegate the user's credential.
dorian-services-information
	dorian-service-descriptor	This section is used to configure the Dorian Server which will be used to retrieve User's Grid Credentials.
		display-name - This is the display name for the Dorian Service which is displayed on the login screen.
		service-url - This is the URL to the Dorian Service.
		service-identity - This is the service Identity for the Dorian Service.
		proxy-lifetime-hours - This is the hours for which the proxy remains alive.
		proxy-lifetime-minutes - This is the minutes for which the proxy remains alive.
		proxy-lifetime-seconds - This is the seconds for which the proxy remains alive.
delegated-applications-group		These are the group of applications to which user's credentials are to be delegated. In the future, users will be able to choose these. As of now they are just in a static list.
	group-name	This is the name given to the group of the applications to which a user's credentials is delegated.
	delegated-application-list	These are the list of the applications to which user's credentials are to be delegated.
		delegated-application - This is the entry for an application to which the user's credentials are delegated.
		application-name - This is the name of the application to which the user's credentials are delegated.
		host-identity - This is the host identity (obtained from the Host Credentials that are obtained from the Dorian) of the application to which the user's credentials are delegated.

Step 6: Copy the Sync Description File

To sync with the Grid Trust Fabric and start SyncGTS programatically if the start-auto-syncgts entry in WebSSO Configuration file is set to 'yes', the WebSSO server needs a sync-description.xml file in its classpath. Depending on which grid you are trying to connect to, obtain the sync-description.xml file from the relevant grid administrator. Place this file in the WEBSSO_LOCATION/ext/target_grid folder.

Note
If you have turned start-auto-syncgts to 'no', the administrator must handle syncing with the trust fabric. This can be done manually by starting the syncGTS daemon. For detailed steps, refer to the GTS documentation.

Step 7: Build the WebSSO Server

Build WebSSO server. Type the following from a command prompt:

%> cd WEBSSO_LOCATION
%> ant clean all

Step 8: Configure Tomcat

Creating the host credential keystore from host credentials requires the host certificate and host key obtained from Step 3. Type the commands given below at the command prompt and provide details when prompted as shown in the sample output:

%> cd WEBSSO_LOCATION
%> ant create-tomcat-https-keystore

Following is sample output :

buildfile: build.xml

create-tomcat-https-keystore:
     [java] Changes to environment variables are ignored when same JVM is used.
     [java] Enter a location and name for your keystore:
C:/Documents and Settings/user_account/mykeystore
     [java] Enter a password for your keystore:
password
     [java] Enter the location of the certificate (PEM format):
C:/Documents and Settings/user_account/host-cert.pem
     [java] Enter the location of the private key (PEM format):
C:/Documents and Settings/user_account/host-key.pem
     [java] Enter the current password of the private key:

At the Enter the current password of the private key: prompt, enter the password for your private key. If you private key does not have a password (most cases), just press Enter.

Since the WebSSO Server would be running using SSL, we need to configure Tomcat to enable SSL.

Add the https connector in CATALINA_HOME/conf/server.xml.

Edit the file CATALINA_HOME/conf/server.xml (example shown below).
Uncomment connector element for port 8443 (SSL)
Add keystoreFile parameter containing the location of the keystore you just created.

Add keystorePass parameter containing the the password of the keystore you just created.

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:/Documents and Settings/user_account/mykeystore"
keystorePass="password" />

Step 9: Deploy WebSSO into Tomcat

%> cd WEBSSO_LOCATION
%> ant deployTomcat

Step 10: Verify the Installation

Once you have deployed WebSSO, you have completed the installation and configuration of WebSSO. Next verify that the installation was successful by starting the container to which WebSSO was deployed. To start a secure Tomcat container, run the startup script (startup.sh or startup.bat) located in TOMCAT_INSTALLATION_DIRECTORY/bin. If the container starts up, we are ready to verify that the WebSSO installation was successful.
Type the following in a browser: http://@WEBSSO_SERVER_NAME@:@PORT_NUMBER@/webssoserver and make sure you are able to log in to WebSSO by providing user name and password credentials.