How to install SASL CA
From GEANT2-JRA1 Wiki
Installing the SASL CA
SASL CA requires Java and Ant, which must be installed beforehand.
- Download the custom version of SASL CA prepared for eduGAIN from the following URL:
http://wiki.perfsonar.net/jra1-wiki/images/1/10/Saslca-edugain-1.0.tar.gz
- Extract the downloaded file:
tar xzvf saslca-edugain-1.0.tar.gz
- Go to the created folder:
cd saslca
The next step is generating the key material needed by SASL CA. The asymmetric key pair and its certificate are created now; the symmetric keys are generated later with ant gensecret, once the server has been configured. To do this:
- Generate the private key in a new keystore. keytool prompts for a keystore password and a key password; both are needed later in sasl-ca.properties (saslca.KeyStore.Password and saslca.KeyStore.PrivateKeyPassword). The -validity given here only applies to the temporary self-signed certificate, which is replaced by the one issued by the eduGAIN CA:
keytool -genkey -alias SASL-CA -keyalg RSA -keysize 2048 -validity 365 -keystore apps/server/handle.jks -storetype JCEKS
- Generate a certificate signing request, which has to be signed by the eduGAIN CA:
keytool -certreq -alias SASL-CA -file cert.csr -keystore apps/server/handle.jks -storetype JCEKS
The file cert.csr has to be sent to the administrators of the eduGAIN CA for signing. When they return the signed certificate, it has to be imported into the keystore. Before that, the certificate of the CA that issued it, available at https://oca.edugain.org/cacert/cacert.pem, must be imported as a trusted entry. keytool prints the fingerprint of a CA certificate and asks for confirmation before trusting it: compare that fingerprint with the one published by the eduGAIN CA administrators (obtained out of band, not from the same download) before answering yes. The downloaded file is named cacert.pem, so that is the name given to keytool; replace signed.cert.file with the name of the file returned by the eduGAIN CA:
wget https://oca.edugain.org/cacert/cacert.pem
keytool -import -file cacert.pem -alias ca -keystore apps/server/handle.jks -storetype JCEKS
keytool -import -trustcacerts -file signed.cert.file -alias SASL-CA -keystore apps/server/handle.jks -storetype JCEKS
Importing the signed certificate under the same alias as the private key (SASL-CA) replaces the self-signed certificate with the issued one; keytool reports “Certificate reply was installed in keystore” once the chain verifies against the CA entry imported just before. If it complains that it cannot establish the chain, the CA certificate import did not succeed or the eduGAIN CA signed with a different issuer.
Configuring the SASL CA
There are three files that define the behaviour of SASL CA. They are located in the directory saslca/apps/server/.
jaas_server.conf
This file defines how users are authenticated against an LDAP directory:
SASL-CA {
edu.psu.sasl_ca.mechanisms.VoidLoginModule required;
};
PLAIN {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="my.ldap.org:389"
base="dc=directory,dc=org"
userField="uid";
};
Where,
- host: the LDAP server, as host:port.
- base: the base DN for searches.
- userField: the attribute holding the user name or identifier; it has to be the same attribute used in the search filter of resolver.xml, since the principal authenticated here is the one whose attributes are looked up there.
sasl-ca.properties
This file configures the SASL CA:
saslca.ServerName = localhost
saslca.ServerPort = 4088
saslca.MaxThreads = 20
saslca.SaslMechanisms = PLAIN
saslca.PrincipalMapper.PLAIN = edu.psu.sasl_ca.mapper.EchoPrincipalMapper
saslca.OpaqueCertLifetime = 28800
saslca.IdentityCertLifetime = 28800
saslca.PeerServerCertLifetime = 31536000
saslca.KeyStore.File = apps/server/handle.jks
saslca.KeyStore.Type = jceks
saslca.KeyStore.Password = 12345678
saslca.KeyStore.Alias = SASL-CA
saslca.KeyStore.PrivateKeyPassword = 12345678
saslca.authz = edu.psu.sasl_ca.authz.PeerServer edu.psu.sasl_ca.authz.BannedUsers
PeerServer.File = apps/server/peerserver.authz
BannedUsers.File = apps/server/bannedusers.authz
saslca.CryptoHandleAlg = DESede/CBC/PKCS5Padding
saslca.KeyStore.EncryptionKeyAlias = handleKey
saslca.KeyStore.EncryptionKeyPassword = shibhs
saslca.CryptoHandleMAC = HmacSHA1
saslca.KeyStore.MACKeyAlias = handleKey
saslca.KeyStore.MACKeyPassword = shibhs
saslca.C = string
saslca.ST = string
saslca.L = attribute
saslca.O = string
saslca.OU = attribute
saslca.CN = attribute
saslca.mail = attribute
saslca.URL = attribute
saslca.Principal = attribute
saslca.C.value = US
saslca.ST.value = Pennsylvania
saslca.L.value = urn:mace:dir:attribute-def:psCampus
saslca.O.value = Pennsylvania State University
saslca.OU.value = urn:mace:dir:attribute-def:psDepartment
saslca.CN.value = urn:mace:dir:attribute-def:displayName
saslca.mail.value = urn:mace:dir:attribute-def:mail
saslca.URL.value = urn:mace:dir:attribute-def:labeledURI
saslca.Principal.value = urn:mace:dir:attribute-def:eduPersonPrincipalName
saslca.ResolverFile = apps/server/resolver.xml
saslca.CertSigningAlgorithm = SHA1withRSA
saslca.CertSkewSeconds = 300
saslca.CertDB = edu.psu.sasl_ca.certdb.provider.RawCertDB
saslca.CertDB.RawCertDB.LoggingPath = /tmp
saslca.SerialNumberGenerator = edu.psu.sasl_ca.serial.HashedTimeSerialNumberGenerator
saslca.crlurls = https://www.personal.psu.edu/~dvm105/crl_bogus
saslca.EduGAIN.CertLifetime = 28800
saslca.EduGAIN.ComponentPrefix = urn:geant:edugain:component:be
saslca.EduGAIN.Federation = gidp
saslca.EduGAIN.SubjectPrefix = O=saslca,OU=gidp
saslca.PolicyOID = 1.3.6.1.4.1.7547.2.0.2
saslca.CPS = https://www.personal.psu.edu/~dvm105/cps_bogus
Where,
- saslca.ServerName: the host name on which the SASL CA will run.
- saslca.KeyStore.Password: the keystore password entered when the keystore was generated.
- saslca.KeyStore.PrivateKeyPassword: the private key password entered when the key was generated.
- saslca.KeyStore.Alias: the alias given to keytool when the key was generated (SASL-CA above); the signed certificate must have been imported under the same alias.
- saslca.EduGAIN.Federation: the name of the federation. For example, if the name of the federation is “gidp”, the URNs urn:geant:edugain:component:be:gidp and urn:geant:edugain:component:be:gidp:user have to be registered in the eduGAIN registry service, http://registry.edugain.org, in order to get full interoperability with eduGAIN.
- saslca.EduGAIN.SubjectPrefix: the prefix for the subject DNs of certificates issued by the SASL CA. Although it can be modified, it is strongly recommended to use “O=saslca,OU=%name_of_the_federation%”.
- saslca.L, saslca.OU, saslca.CN, saslca.mail, saslca.URL and saslca.Principal: declared as attribute, so the corresponding .value is the URN of an attribute that resolver.xml has to define; the fields declared as string (C, ST, O) take their .value literally. The sample values (Pennsylvania, Pennsylvania State University, the psCampus and psDepartment attributes) belong to the original deployment and have to be replaced with your own.
- saslca.crlurls and saslca.CPS: the sample points at placeholder URLs (crl_bogus, cps_bogus); replace them with the CRL location and the certification practice statement of your federation before issuing certificates.
- saslca.KeyStore.Password, saslca.KeyStore.PrivateKeyPassword, saslca.KeyStore.EncryptionKeyPassword and saslca.KeyStore.MACKeyPassword: 12345678 and shibhs are the sample values; change them, and restrict the file permissions of sasl-ca.properties to the user running the server, since it stores the keystore and key passwords in clear text.
- saslca.CertSigningAlgorithm, saslca.CryptoHandleAlg and saslca.CryptoHandleMAC: SHA1withRSA, DESede and HmacSHA1 are the values shipped in the sample; they are legacy algorithms, so check with the eduGAIN CA administrators which algorithms the federation accepts before changing them.
resolver.xml
This file defines how the user’s attributes are obtained from the LDAP directory:
<AttributeResolver
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="urn:mace:shibboleth:resolver:1.0"
xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonAffiliation">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
smartScope="psu.edu">
<AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
smartScope="psu.edu">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:psCampus">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:labeledURI">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:mail">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:displayName">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<SimpleAttributeDefinition
id="urn:mace:dir:attribute-def:psDepartment">
<DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>
<JNDIDirectoryDataConnector id="directory">
<Search filter="uid=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
</Search>
<Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<Property name="java.naming.provider.url" value="ldap://my.ldap.org:389/dc=directory,dc=org" />
</JNDIDirectoryDataConnector>
</AttributeResolver>
Where,
- java.naming.provider.url: the URI of the LDAP server, including the base DN to search under.
- Search filter: %PRINCIPAL% is replaced with the authenticated user name, so the attribute used in the filter (uid above) has to be the same as the userField of jaas_server.conf.
- smartScope: the scope appended to scoped attributes such as eduPersonPrincipalName and eduPersonScopedAffiliation when the directory value carries none; psu.edu is the sample value and has to be replaced with the scope of your institution.
- The attribute definitions have to cover every URN named in the .value properties of sasl-ca.properties (psCampus, psDepartment, displayName, mail, labeledURI and eduPersonPrincipalName in the sample); an attribute missing here cannot be resolved and therefore cannot be placed in the issued certificates.
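The consistency between sasl-ca.properties, jaas_server.conf and resolver.xml is easy to get wrong, and the server only shows it at the first certificate request. The following pre-flight check is an added example written for this page; it is not part of the SASL CA distribution or of eduGAIN. It cross-checks the three files: every DN field declared as attribute must name an attribute id that resolver.xml defines, the userField of the JAAS module must be the attribute used in the resolver’s Search filter, and the sample passwords, the crl_bogus/cps_bogus placeholder URLs, the psu.edu scope and the legacy algorithms (SHA1withRSA, DESede, HmacSHA1) shipped in the sample are flagged. The inputs embedded below are constructed from the page’s own samples; the assumption that the attribute before the = in the Search filter is the login attribute, and the finding codes, are the example’s own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, taken from the page's examples (subset of each file).
SAMPLE_PROPERTIES = """
saslca.KeyStore.Password = 12345678
saslca.KeyStore.PrivateKeyPassword = 12345678
saslca.KeyStore.EncryptionKeyPassword = shibhs
saslca.KeyStore.MACKeyPassword = shibhs
saslca.CryptoHandleAlg = DESede/CBC/PKCS5Padding
saslca.CryptoHandleMAC = HmacSHA1
saslca.CertSigningAlgorithm = SHA1withRSA
saslca.O = string
saslca.O.value = Pennsylvania State University
saslca.L = attribute
saslca.L.value = urn:mace:dir:attribute-def:psCampus
saslca.CN = attribute
saslca.CN.value = urn:mace:dir:attribute-def:displayName
saslca.Principal = attribute
saslca.Principal.value = urn:mace:dir:attribute-def:eduPersonPrincipalName
saslca.crlurls = https://www.personal.psu.edu/~dvm105/crl_bogus
saslca.CPS = https://www.personal.psu.edu/~dvm105/cps_bogus
"""
SAMPLE_JAAS = """
PLAIN {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    host="my.ldap.org:389" base="dc=directory,dc=org" userField="uid";
};
"""
SAMPLE_RESOLVER = """<AttributeResolver xmlns="urn:mace:shibboleth:resolver:1.0">
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      smartScope="psu.edu"><DataConnectorDependency requires="directory"/></SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:psCampus">
    <DataConnectorDependency requires="directory"/></SimpleAttributeDefinition>
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:displayName">
    <DataConnectorDependency requires="directory"/></SimpleAttributeDefinition>
  <JNDIDirectoryDataConnector id="directory">
    <Search filter="uid=%PRINCIPAL%">
      <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/></Search>
  </JNDIDirectoryDataConnector>
</AttributeResolver>
"""
SAMPLE_PASSWORDS = {"12345678", "shibhs"}   # values shipped in the sample properties file
LEGACY = {                                   # algorithm prefixes that deserve a warning
    "CertSigningAlgorithm": ("SHA1", "MD5"),
    "CryptoHandleAlg": ("DESede", "DES/"),
    "CryptoHandleMAC": ("HmacSHA1", "HmacMD5"),
}

def parse_properties(text):
    """Parse 'key = value' lines of a Java properties file; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")   # first '=' only: values may contain '='
            props[key.strip()] = value.strip()
    return props

def jaas_user_field(text):
    """The userField the LdapLoginModule authenticates with, or None if absent."""
    m = re.search(r'userField\s*=\s*"([^"]*)"', text)
    return m.group(1) if m else None

def resolver_info(text):
    """Return (attribute ids defined, attribute used in the Search filter, smartScopes used)."""
    ids, scopes, filter_attr = set(), set(), None
    for el in ET.fromstring(text).iter():
        tag = el.tag.split("}")[-1]               # drop the resolver namespace
        if tag == "SimpleAttributeDefinition":
            ids.add(el.get("id"))
            if el.get("smartScope"):
                scopes.add(el.get("smartScope"))
        elif tag == "Search":                     # assumption: 'attr=%PRINCIPAL%' form
            filter_attr = el.get("filter", "").split("=", 1)[0]
    return ids, filter_attr, scopes

def check_config(props_text, jaas_text, resolver_text):
    """Cross-check the three files; returns a list of (code, message), empty when consistent."""
    props = parse_properties(props_text)
    ids, filter_attr, scopes = resolver_info(resolver_text)
    findings = []
    # Every DN field declared 'attribute' must name an attribute that resolver.xml defines.
    for key, kind in props.items():
        if re.fullmatch(r"saslca\.[A-Za-z]+", key) and kind in ("attribute", "string"):
            value = props.get(key + ".value")
            if value is None:
                findings.append(("MISSING_VALUE", f"{key} has no {key}.value"))
            elif kind == "attribute" and value not in ids:
                findings.append(("UNRESOLVED_ATTR", f"{key}.value = {value} is not defined in resolver.xml"))
    # The JAAS login and the attribute lookup must key on the same LDAP attribute.
    user_field = jaas_user_field(jaas_text)
    if user_field != filter_attr:
        findings.append(("FILTER_MISMATCH", f"userField={user_field!r} but the Search filter uses {filter_attr!r}"))
    for key, value in props.items():
        if key.endswith("Password") and value in SAMPLE_PASSWORDS:
            findings.append(("SAMPLE_PASSWORD", f"{key} still has the sample value"))
    for key in ("saslca.crlurls", "saslca.CPS"):
        if "bogus" in props.get(key, ""):
            findings.append(("PLACEHOLDER_URL", f"{key} = {props[key]}"))
    for suffix, prefixes in LEGACY.items():
        value = props.get("saslca." + suffix, "")
        if value.startswith(prefixes):
            findings.append(("LEGACY_ALGORITHM", f"saslca.{suffix} = {value}"))
    if "psu.edu" in scopes:
        findings.append(("SAMPLE_SCOPE", "resolver.xml still scopes attributes to psu.edu"))
    return findings

if __name__ == "__main__":
    for code, message in check_config(SAMPLE_PROPERTIES, SAMPLE_JAAS, SAMPLE_RESOLVER):
        print(f"{code:18} {message}")
```

Run against the page’s samples the check reports the four sample passwords, the two placeholder URLs, the three legacy algorithms and the psu.edu scope, and nothing about attributes or the filter, because the sample files are consistent with each other; dropping psCampus from resolver.xml or changing userField produces UNRESOLVED_ATTR and FILTER_MISMATCH findings. To check a deployment, read the three files from apps/server/ and pass their contents to check_config.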
Finishing the installation
To finish the installation of the SASL CA, once it has been configured, the symmetric keys have to be generated:
ant gensecret
The server can then be started:
sh runserver.sh
