1 | # |
---|
2 | # NERC DataGrid Security |
---|
3 | # |
---|
4 | # Paste configuration for combined security web services deployment: |
---|
5 | # * Session Manager |
---|
6 | # * Attribute Authority |
---|
7 | # * OpenID Provider |
---|
8 | # |
---|
9 | # The %(here)s variable will be replaced with the parent directory of this file |
---|
10 | # |
---|
11 | # Author: P J Kershaw |
---|
12 | # date: 30/11/05 |
---|
13 | # Copyright: (C) 2008 STFC |
---|
14 | # license: BSD - see LICENSE file in top-level directory |
---|
15 | # Contact: Philip.Kershaw@stfc.ac.uk |
---|
16 | # Revision: $$Id$$ |
---|
17 | |
---|
18 | [DEFAULT] |
---|
19 | #______________________________________________________________________________ |
---|
20 | # Attribute Authority settings |
---|
21 | # 'name' setting MUST agree with map config file 'thisHost' name attribute |
---|
22 | attributeAuthority.name: ${attributeAuthorityID} |
---|
23 | |
---|
24 | # Lifetime is measured in seconds |
---|
25 | attributeAuthority.attCertLifetime: 28800 |
---|
26 | |
---|
27 | # Allow an offset for clock skew between servers running |
---|
28 | # security services. NB, measured in seconds - use a minus sign for time in the |
---|
29 | # past |
---|
30 | attributeAuthority.attCertNotBeforeOff: 0 |
---|
31 | |
---|
32 | # All Attribute Certificates issued are recorded in this dir |
---|
33 | attributeAuthority.attCertDir: %(here)s/attributeauthority/attCertLog |
---|
34 | |
---|
35 | # Files in attCertDir are stored using a rotating file handler |
---|
36 | # attCertFileLogCnt sets the max number of files created before the first is |
---|
37 | # overwritten |
---|
38 | attributeAuthority.attCertFileName: ac.xml |
---|
39 | attributeAuthority.attCertFileLogCnt: 16 |
---|
40 | attributeAuthority.dnSeparator:/ |
---|
41 | |
---|
42 | # Location of role mapping file |
---|
43 | attributeAuthority.mapConfigFile: %(here)s/attributeauthority/mapConfig.xml |
---|
44 | |
---|
45 | # Settings for custom AttributeInterface derived class to get user roles for given |
---|
46 | # user ID |
---|
47 | attributeAuthority.userRolesModFilePath: %(here)s/attributeauthority |
---|
48 | attributeAuthority.userRolesModName: attributeinterface |
---|
49 | attributeAuthority.userRolesClassName: TestAttributeInterface |
---|
50 | |
---|
51 | # Config for XML signature of Attribute Certificate |
---|
52 | attributeAuthority.signingPriKeyFilePath: %(here)s/attributeauthority/aa.key |
---|
53 | attributeAuthority.signingCertFilePath: %(here)s/attributeauthority/aa.crt |
---|
54 | attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt |
---|
55 | |
---|
56 | #______________________________________________________________________________ |
---|
57 | # Session Manager specific settings - commented out settings will take their |
---|
58 | # default settings. To override the defaults uncomment and set as required. |
---|
59 | # See ndg.security.server.sessionmanager module for details |
---|
60 | |
---|
61 | # Credential Wallet Settings - global to all user sessions |
---|
62 | # |
---|
63 | # CA certificates for Attribute Certificate signature validation |
---|
64 | sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt |
---|
65 | |
---|
66 | # CA certificates for SSL connection peer cert. validation - required if |
---|
67 | # connecting to an Attribute Authority over SSL |
---|
68 | sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt |
---|
69 | |
---|
70 | # Allow Get Attribute Certificate calls to try to get a mapped certificate |
---|
71 | # from another organisation trusted by the target Attribute Authority |
---|
72 | sessionManager.credentialWallet.mapFromTrustedHosts=True |
---|
73 | sessionManager.credentialWallet.rtnExtAttCertList=True |
---|
74 | |
---|
75 | # Refresh an Attribute Certificate, if an existing one in the wallet has only |
---|
76 | # this length of time left before it expires |
---|
77 | credentialWallet.attCertRefreshElapse=7200 |
---|
78 | |
---|
79 | # Pointer to WS-Security settings. These WS-Security settings are for use |
---|
80 | # by user credential wallets held in user sessions hosted by the Session |
---|
81 | # Manager. They enable individual wallets to query Attribute Authorities for |
---|
82 | # user Attribute Certificates. Nb. the difference between these settings and |
---|
83 | # the WS-Security section for handling requests to the Session Manager. |
---|
84 | # |
---|
85 | # Settings are identified by a prefix. |
---|
86 | sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity |
---|
87 | |
---|
88 | # ...A section name could also be used. |
---|
89 | #sessionManager.credentialWallet.wssCfgSection= |
---|
90 | |
---|
91 | # SOAP Signature Handler settings for the Credential Wallet's Attribute |
---|
92 | # Authority interface |
---|
93 | # |
---|
94 | # CA Certificates used to verify X.509 certs used in Attribute Certificates. |
---|
95 | # The CA certificates of other NDG trusted sites should go here. NB, multiple |
---|
96 | # values should be delimited by a space |
---|
97 | sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt |
---|
98 | |
---|
99 | # Signature of an outbound message |
---|
100 | # |
---|
101 | # Certificate associated with private key used to sign a message. The sign |
---|
102 | # method will add this to the BinarySecurityToken element of the WSSE header. |
---|
103 | # binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. |
---|
104 | # As an alternative, use signingCertChain - see below... |
---|
105 | |
---|
106 | # PEM encoded cert |
---|
107 | sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt |
---|
108 | |
---|
109 | # ... or provide file path to PEM encoded private key file |
---|
110 | sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key |
---|
111 | |
---|
112 | # Set the ValueType for the BinarySecurityToken added to the WSSE header for a |
---|
113 | # signed message. See __setReqBinSecTokValType method and binSecTokValType |
---|
114 | # class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or |
---|
115 | # give full namespace to alternative - see |
---|
116 | # ZSI.wstools.Namespaces.OASIS.X509TOKEN |
---|
117 | # |
---|
118 | # binSecTokValType determines whether signingCert or signingCertChain |
---|
119 | # attributes will be used. |
---|
120 | sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3 |
---|
121 | |
---|
122 | # Add a timestamp element to an outbound message |
---|
123 | sessionManager.credentialWallet.wssecurity.addTimestamp: True |
---|
124 | |
---|
125 | # For WSSE 1.1 - service returns signature confirmation containing signature |
---|
126 | # value sent by client |
---|
127 | sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True |
---|
128 | |
---|
129 | # Authentication service properties |
---|
130 | sessionManager.authNService.moduleFilePath: |
---|
131 | sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn |
---|
132 | sessionManager.authNService.className: UserX509CertAuthN |
---|
133 | |
---|
134 | # Specific settings for UserCertAuthN Session Manager authentication plugin |
---|
135 | # This sets up PKI credentials for a single test account |
---|
136 | sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt |
---|
137 | sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key |
---|
138 | sessionManager.authNService.userPriKeyPwd: testpassword |
---|
139 | |
---|
140 | [server:main] |
---|
141 | use = egg:Paste#http |
---|
142 | host = 0.0.0.0 |
---|
143 | port = 8000 |
---|
144 | |
---|
145 | [filter-app:mainApp] |
---|
146 | use = egg:Paste#httpexceptions |
---|
147 | next = cascade |
---|
148 | |
---|
149 | # Put OpenID Provider and Static URL parser together in a cascade |
---|
150 | [composit:cascade] |
---|
151 | use = egg:Paste#cascade |
---|
152 | app1 = StaticOpenIDProviderContent |
---|
153 | app2 = OpenIDProviderApp |
---|
154 | catch = 404 |
---|
155 | |
---|
156 | [app:StaticOpenIDProviderContent] |
---|
157 | # Static URL Parser to serve OpenID Provider static page content such as CSS |
---|
158 | # and graphics |
---|
159 | use = egg:Paste#static |
---|
160 | document_root = %(here)s/openidprovider |
---|
161 | |
---|
162 | [app:OpenIDProviderApp] |
---|
163 | # OpenID Provider set as the main application |
---|
164 | paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.main_app |
---|
165 | openid.provider.path.openidserver=/openid/endpoint |
---|
166 | openid.provider.path.login=/openid/login |
---|
167 | openid.provider.path.loginsubmit=/openid/loginsubmit |
---|
168 | |
---|
169 | # Comment out next two lines and uncomment the third to disable URL based |
---|
170 | # discovery and allow only Yadis based instead |
---|
171 | openid.provider.path.id=/openid/id |
---|
172 | openid.provider.path.yadis=/openid/yadis |
---|
173 | #openid.provider.path.yadis=/id/ |
---|
174 | |
---|
175 | openid.provider.path.serveryadis=/openid/serveryadis |
---|
176 | openid.provider.path.allow=/openid/allow |
---|
177 | openid.provider.path.decide=/openid/decide |
---|
178 | openid.provider.path.mainpage=/openid/ |
---|
179 | openid.provider.session_middleware=beaker.session |
---|
180 | openid.provider.base_url=http://localhost:8000 |
---|
181 | openid.provider.trace=False |
---|
182 | openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering |
---|
183 | #openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface |
---|
184 | |
---|
185 | openid.provider.rendering.templateType = kid |
---|
186 | openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates |
---|
187 | openid.provider.rendering.kid.assume_encoding= utf-8 |
---|
188 | openid.provider.rendering.kid.encoding = utf-8 |
---|
189 | |
---|
190 | # Layout |
---|
191 | openid.provider.rendering.baseURL = %(openid.provider.base_url)s |
---|
192 | openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif |
---|
193 | openid.provider.rendering.leftAlt = Natural Environment Research Council |
---|
194 | openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/ |
---|
195 | openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif |
---|
196 | openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development. |
---|
197 | openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/ |
---|
198 | openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif |
---|
199 | openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png |
---|
200 | |
---|
201 | |
---|
202 | #openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler |
---|
203 | #openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler |
---|
204 | |
---|
205 | # Basic Authentication interface to demonstrate capabilities |
---|
206 | #openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface |
---|
207 | #openid.provider.authN.userCreds=pjk:test |
---|
208 | #openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw |
---|
209 | |
---|
210 | # Link Authentication to a Session Manager instance running in the same WSGI |
---|
211 | # stack or on a remote service |
---|
212 | openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface |
---|
213 | |
---|
214 | # Omit or leave as blank if the Session Manager is accessible locally in the |
---|
215 | # same WSGI stack. |
---|
216 | openid.provider.authN.sessionManagerURI= |
---|
217 | |
---|
218 | # environ dictionary key to Session Manager WSGI instance held locally. The |
---|
219 | # setting below is the default and can be omitted if it matches the filterID |
---|
220 | # set for the Session Manager |
---|
221 | #openid.provider.authN.environKey=filter:SessionManagerFilter |
---|
222 | |
---|
223 | # Database connection to enable check between username and OpenID identifier |
---|
224 | openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb |
---|
225 | openid.provider.authN.logonSQLQuery: select username from openid where username = '$$username' and ident = '$$userIdentifier' |
---|
226 | openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$$username' |
---|
227 | |
---|
228 | # Basic authentication for testing/admin - comma delimited list of |
---|
229 | # <username>:<password> pairs |
---|
230 | #openid.provider.usercreds=pjk:test |
---|
231 | |
---|
232 | #______________________________________________________________________________ |
---|
233 | # Beaker Session Middleware (used by OpenID Provider Filter) |
---|
234 | [filter:SessionMiddlewareFilter] |
---|
235 | paste.filter_app_factory=beaker.middleware:SessionMiddleware |
---|
236 | |
---|
237 | # Chain of SOAP Middleware filters |
---|
238 | [pipeline:main] |
---|
239 | pipeline = wsseSignatureVerificationFilter |
---|
240 | AttributeAuthorityFilter |
---|
241 | SessionManagerFilter |
---|
242 | wsseSignatureFilter |
---|
243 | SessionMiddlewareFilter |
---|
244 | mainApp |
---|
245 | |
---|
246 | |
---|
247 | #______________________________________________________________________________ |
---|
248 | # Attribute Authority WSGI settings |
---|
249 | # |
---|
250 | [filter:AttributeAuthorityFilter] |
---|
251 | # This filter is a container for a binding to a SOAP based interface to the |
---|
252 | # Attribute Authority |
---|
253 | paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware |
---|
254 | |
---|
255 | # Use this ZSI generated SOAP service interface class to handle i/o for this |
---|
256 | # filter |
---|
257 | ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS |
---|
258 | |
---|
259 | # SOAP Binding Class specific keywords are in this section identified by this |
---|
260 | # prefix: |
---|
261 | ServiceSOAPBindingPropPrefix = AttributeAuthority |
---|
262 | |
---|
263 | # The AttributeAuthority class has settings in the default section above |
---|
264 | # identified by this prefix: |
---|
265 | AttributeAuthority.propPrefix = attributeAuthority |
---|
266 | AttributeAuthority.propFilePath = %(here)s/services.ini |
---|
267 | AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter |
---|
268 | |
---|
269 | # Provide an identifier for this filter so that main WSGI app |
---|
270 | # CombinedServicesWSGI Session Manager filter can call this Attribute Authority |
---|
271 | # directly |
---|
272 | referencedFilters = filter:wsseSignatureVerificationFilter |
---|
273 | |
---|
274 | # Path from URL for Attribute Authority in this Paste deployment |
---|
275 | path = /AttributeAuthority |
---|
276 | |
---|
277 | # Enable ?wsdl query argument to list the WSDL content |
---|
278 | enableWSDLQuery = True |
---|
279 | charset = utf-8 |
---|
280 | filterID = %(__name__)s |
---|
281 | |
---|
282 | #______________________________________________________________________________ |
---|
283 | # Session Manager WSGI settings |
---|
284 | # |
---|
285 | [filter:SessionManagerFilter] |
---|
286 | # This filter is a container for a binding to a SOAP based interface to the |
---|
287 | # Session Manager |
---|
288 | paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware |
---|
289 | |
---|
290 | # Use this ZSI generated SOAP service interface class to handle i/o for this |
---|
291 | # filter |
---|
292 | ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS |
---|
293 | |
---|
294 | # SOAP Binding Class specific keywords are in this section identified by this |
---|
295 | # prefix: |
---|
296 | ServiceSOAPBindingPropPrefix = SessionManager |
---|
297 | |
---|
298 | # The SessionManager class has settings in the default section above identified |
---|
299 | # by this prefix: |
---|
300 | SessionManager.propPrefix = sessionManager |
---|
301 | SessionManager.propFilePath = %(here)s/services.ini |
---|
302 | |
---|
303 | # This filter references other filters - a local Attribute Authority (optional) |
---|
304 | # and a WS-Security signature verification filter (required if using signature |
---|
305 | # to authenticate user in requests |
---|
306 | SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter |
---|
307 | SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter |
---|
308 | |
---|
309 | # The SessionManagerWS SOAP interface class needs to know about these other |
---|
310 | # filters |
---|
311 | referencedFilters = filter:wsseSignatureVerificationFilter |
---|
312 | filter:AttributeAuthorityFilter |
---|
313 | |
---|
314 | # Path from URL for Session Manager in this Paste deployment |
---|
315 | path = /SessionManager |
---|
316 | |
---|
317 | # Enable ?wsdl query argument to list the WSDL content |
---|
318 | enableWSDLQuery = True |
---|
319 | charset = utf-8 |
---|
320 | |
---|
321 | # Provide an identifier for this filter so that main WSGI app |
---|
322 | # CombinedServicesWSGI can call this Session Manager directly |
---|
323 | filterID = %(__name__)s |
---|
324 | |
---|
325 | #______________________________________________________________________________ |
---|
326 | # WS-Security Signature Verification |
---|
327 | [filter:wsseSignatureVerificationFilter] |
---|
328 | paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter |
---|
329 | filterID = %(__name__)s |
---|
330 | |
---|
331 | # Settings for WS-Security SignatureHandler class used by this filter |
---|
332 | wsseCfgFilePrefix = wssecurity |
---|
333 | |
---|
334 | # Verify against known CAs - Provide a space separated list of file paths |
---|
335 | wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt |
---|
336 | |
---|
337 | #______________________________________________________________________________ |
---|
338 | # Apply WS-Security Signature |
---|
339 | [filter:wsseSignatureFilter] |
---|
340 | paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter |
---|
341 | |
---|
342 | # Reference the verification filter in order to be able to apply signature |
---|
343 | # confirmation |
---|
344 | referencedFilters = filter:wsseSignatureVerificationFilter |
---|
345 | wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter |
---|
346 | |
---|
347 | # Last filter in chain of SOAP handlers writes the response |
---|
348 | writeResponse = True |
---|
349 | |
---|
350 | # Settings for WS-Security SignatureHandler class used by this filter |
---|
351 | wsseCfgFilePrefix = wssecurity |
---|
352 | |
---|
353 | # Certificate associated with private key used to sign a message. The sign |
---|
354 | # method will add this to the BinarySecurityToken element of the WSSE header. |
---|
355 | wssecurity.signingCertFilePath=%(here)s/pki/wsse-server.crt |
---|
356 | |
---|
357 | # PEM encoded private key file |
---|
358 | wssecurity.signingPriKeyFilePath=%(here)s/pki/wsse-server.key |
---|
359 | |
---|
360 | # Set the ValueType for the BinarySecurityToken added to the WSSE header for a |
---|
361 | # signed message. See __setReqBinSecTokValType method and binSecTokValType |
---|
362 | # class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or |
---|
363 | # give full namespace to alternative - see |
---|
364 | # ZSI.wstools.Namespaces.OASIS.X509TOKEN |
---|
365 | # |
---|
366 | # binSecTokValType determines whether signingCert or signingCertChain |
---|
367 | # attributes will be used. |
---|
368 | wssecurity.reqBinSecTokValType=X509v3 |
---|
369 | |
---|
370 | # Add a timestamp element to an outbound message |
---|
371 | wssecurity.addTimestamp=True |
---|
372 | |
---|
373 | # For WSSE 1.1 - service returns signature confirmation containing signature |
---|
374 | # value sent by client |
---|
375 | wssecurity.applySignatureConfirmation=True |
---|
376 | |
---|
377 | |
---|
378 | # Logging configuration |
---|
379 | [loggers] |
---|
380 | keys = root, ndg |
---|
381 | |
---|
382 | [handlers] |
---|
383 | keys = console |
---|
384 | |
---|
385 | [formatters] |
---|
386 | keys = generic |
---|
387 | |
---|
388 | [logger_root] |
---|
389 | level = INFO |
---|
390 | handlers = console |
---|
391 | |
---|
392 | [logger_ndg] |
---|
393 | level = DEBUG |
---|
394 | handlers = |
---|
395 | qualname = ndg |
---|
396 | |
---|
397 | [handler_console] |
---|
398 | class = StreamHandler |
---|
399 | args = (sys.stderr,) |
---|
400 | level = NOTSET |
---|
401 | formatter = generic |
---|
402 | |
---|
403 | [formatter_generic] |
---|
404 | format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s |
---|
405 | datefmt = %H:%M:%S |
---|
406 | |
---|