Single sign on
From Ogce
Single Sign-on and Community Account Authentication Modules
The OGCE portal includes a set of configurable grid authentication modules that perform grid authentication when a user signs in to the portal, so the user obtains a Grid credential as part of logging in. This is also useful for setting up TeraGrid community account access: you can deliver credentials to users without revealing the account password.
The single sign-on module requires either a MyProxy server or a local GridPort-style credential repository.
Configuration
There are a few properties that you can configure in the main project.properties file of the demo portal.
You can enable or disable each authentication module by setting its auth.enable property to either true or false: true turns the module on, false turns it off.
###
# AUTHENTICATION MODULE PROPERTIES
# Set to 'true' to enable and 'false' to disable.
###
gridport.auth.enable=true
myproxy.auth.enable=false
For changes to take effect in the portal you must re-deploy the modules and restart Tomcat.
Configuring GridPort Repository Authentication
OGCE includes the GridPort Repository, a local credential store that lets a developer set up grid authentication without a MyProxy server. The prerequisites for a GridPort Repository are at least one certificate and private key pair as .pem files, and at least one GridSphere portal account for the user who should have single sign-on grid capability through the portal.
If the GridPort authentication module is enabled, a GridPort repository with the appropriate directory structure is created automatically in $HOME/.globus/GridPortRepository. You can install the repository in a directory other than the default by setting the gridport.repo property in project.properties.
###
# GRIDPORT REPOSITORY CONFIGURATION
###
gridport.repo=${user.home}/.globus/GridPortRepository
Inside the repository you will find three directories: storedCredentials/, storedProxies/ and sessions/. Copy your certificate and private key .pem files into storedCredentials/ and rename them so that your portal user's username is the prefix, followed by _cert.pem and _key.pem respectively.
localhost> pwd
/home/ericrobe/.globus/GridPortRepository/storedCredentials
localhost> ls -l
total 12
-r-------- 1 ericrobe users 4860 2005-08-01 18:43 ericrobe_cert.pem
-r-------- 1 ericrobe users 1743 2005-08-01 18:43 ericrobe_key.pem
You should also ensure that every directory in the GridPort repository is readable, writable and executable only by the user running the portal (mode 700 on UNIX). In the example above the user ericrobe is also the user running the portal, and the credential files themselves are readable by that user only.
NOTE: Use the GridPort Repository with CAUTION. It does not provide the same level of security that a MyProxy server or other authentication mechanisms do but does allow GridPort users to easily start using the interactive grid capabilities of the demo portal without having to install a MyProxy server.
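A check for the layout described above can be run on the portal host before the GridPort module is enabled. The script below is an added example, not part of OGCE or GridPort: it verifies that the three subdirectories exist and are mode 0700, that every pair in storedCredentials/ is named <user>_cert.pem and <user>_key.pem, and that each file and directory is owned by the portal user and not readable by group or other, as in the listing above. The function names, the helper that builds a throw-away sample repository, and the placeholder PEM contents are this example's own.

```python
"""Check a GridPort repository layout before enabling gridport.auth.enable.

Added example; not part of OGCE or GridPort. It verifies what the text above
asks for: the three subdirectories exist and are mode 0700, and every pair in
storedCredentials/ is named <user>_cert.pem and <user>_key.pem, owned by the
portal user and not readable by group or other (the listing shows 0400).
Function names and the dummy PEM contents are this example's own.
"""
import os
import stat
import tempfile

SUBDIRS = ("storedCredentials", "storedProxies", "sessions")


def check_repository(repo, portal_uid=None):
    """Return a list of problems; an empty list means the layout is acceptable."""
    if portal_uid is None:
        portal_uid = os.getuid()  # assume the checker runs as the portal user
    problems = []
    for name in SUBDIRS:
        path = os.path.join(repo, name)
        if not os.path.isdir(path):
            problems.append(f"missing directory {name}/")
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o700:
            problems.append(f"{name}/ is mode {mode:04o}, expected 0700")
        if st.st_uid != portal_uid:
            problems.append(f"{name}/ is not owned by the portal user")
    cred_dir = os.path.join(repo, "storedCredentials")
    if os.path.isdir(cred_dir):
        problems.extend(check_credentials(cred_dir, portal_uid))
    return problems


def check_credentials(cred_dir, portal_uid):
    """Pair up <user>_cert.pem / <user>_key.pem files and check each one."""
    problems = []
    files = set(os.listdir(cred_dir))
    users = set()
    for name in files:
        if name.endswith("_cert.pem"):
            users.add(name[: -len("_cert.pem")])
        elif name.endswith("_key.pem"):
            users.add(name[: -len("_key.pem")])
        else:
            problems.append(f"unexpected file {name} in storedCredentials/")
    for user in sorted(users):
        for suffix in ("_cert.pem", "_key.pem"):
            fname = user + suffix
            if fname not in files:
                problems.append(f"{user}: missing {fname}")
                continue
            st = os.stat(os.path.join(cred_dir, fname))
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                problems.append(f"{fname} is readable by group/other (mode {mode:04o})")
            if st.st_uid != portal_uid:
                problems.append(f"{fname} is not owned by the portal user")
    return problems


def build_demo_repository(base, username="ericrobe", file_mode=0o400, dir_mode=0o700):
    """Constructed sample repository mirroring the listing above (placeholder PEM data)."""
    repo = os.path.join(base, "GridPortRepository")
    for name in SUBDIRS:
        path = os.path.join(repo, name)
        os.makedirs(path)
        os.chmod(path, dir_mode)
    for suffix in ("_cert.pem", "_key.pem"):
        path = os.path.join(repo, "storedCredentials", username + suffix)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\nnot a real credential\n")
        os.chmod(path, file_mode)
    return repo


def demo():
    """Check a correct layout and one with loosened permissions; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_repository(build_demo_repository(os.path.join(tmp, "good")))
        loose = check_repository(
            build_demo_repository(os.path.join(tmp, "loose"), file_mode=0o644, dir_mode=0o755)
        )
    return good, loose


if __name__ == "__main__":
    good, loose = demo()
    print("correct layout:", good or "no problems")
    print("loosened layout:", *loose, sep="\n  ")
```

To check a real repository, call check_repository() with the path from gridport.repo (the default is $HOME/.globus/GridPortRepository) while logged in as the user that runs the portal; any non-empty report means the store is more exposed than the note above assumes.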
Configuring MyProxy Authentication
You can configure these authentication modules with up to two MyProxy servers. The module tries the first server and, if authentication there succeeds, never contacts the second; only if authentication against the first server fails does it automatically try the second.
The properties you can configure for each server are the hostname, port and lifetime. By default the port properties are set to 7512, the port MyProxy listens on by default, and the proxy lifetime is set to 2. The hostnames are blank by default, so you will need to set them to point at actual MyProxy servers. NOTE: you do not have to configure both MyProxy servers at the same time.
# MYPROXY CONFIGURATION
# You can configure up to 2 MyProxy servers
myproxy.host.1=myproxy.teragird.org
myproxy.port.1=7512
myproxy.lifetime.1=2
myproxy.host.2=
myproxy.port.2=7512
myproxy.lifetime.2=2
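The failover order described above, as an added example that is not OGCE code: parse_properties() reads the key=value layout of project.properties shown above, configured_servers() keeps only the slots whose host is non-blank and validates port and lifetime, and sign_on() walks the servers in order and stops at the first success, so the second server is contacted only when the first rejects the login. The authenticate callable is a stand-in for the real MyProxy exchange, and the hostnames, username and password are constructed sample values.

```python
"""Read the myproxy.* properties and model the documented failover order.

Added example; not OGCE code. parse_properties() reads the key=value format
shown above, configured_servers() keeps only slots with a non-blank host and
validates port and lifetime, and sign_on() tries the servers in order and
stops at the first success, which is the behaviour the text describes. The
authenticate callable stands in for the real MyProxy exchange; the hostnames
and password below are constructed sample values.
"""

SAMPLE_PROPERTIES = """\
# constructed sample in the layout of project.properties
myproxy.auth.enable=true
myproxy.host.1=myproxy-a.example.org
myproxy.port.1=7512
myproxy.lifetime.1=2
myproxy.host.2=
myproxy.port.2=7512
myproxy.lifetime.2=2
"""

# Same sample with the second slot filled in.
TWO_SERVER_PROPERTIES = SAMPLE_PROPERTIES.replace(
    "myproxy.host.2=\n", "myproxy.host.2=myproxy-b.example.org\n"
)


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' comments and blanks ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def configured_servers(props, max_servers=2):
    """Return the MyProxy slots that have a host, in the order they are tried."""
    servers = []
    for n in range(1, max_servers + 1):
        host = props.get(f"myproxy.host.{n}", "")
        if not host:
            continue  # blank host: slot unused, which the page allows
        port = int(props.get(f"myproxy.port.{n}", "7512"))
        lifetime = int(props.get(f"myproxy.lifetime.{n}", "2"))
        if not 0 < port < 65536:
            raise ValueError(f"myproxy.port.{n} out of range: {port}")
        if lifetime <= 0:
            raise ValueError(f"myproxy.lifetime.{n} must be positive: {lifetime}")
        servers.append({"n": n, "host": host, "port": port, "lifetime": lifetime})
    return servers


def sign_on(props, username, password, authenticate):
    """Try each configured server in turn; return (server or None, hosts attempted)."""
    if props.get("myproxy.auth.enable", "false").lower() != "true":
        return None, []  # module disabled: no MyProxy server is contacted
    attempted = []
    for server in configured_servers(props):
        attempted.append(server["host"])
        if authenticate(server, username, password):
            return server, attempted
    return None, attempted


def demo():
    """Server 1 rejects the password, server 2 accepts it: both hosts are contacted."""
    props = parse_properties(TWO_SERVER_PROPERTIES)

    def fake_authenticate(server, username, password):
        # stand-in for the MyProxy exchange: only server 2 knows this user
        return server["n"] == 2 and username == "ericrobe" and password == "sample-pw"

    chosen, attempted = sign_on(props, "ericrobe", "sample-pw", fake_authenticate)
    return (chosen["n"] if chosen else None), attempted


if __name__ == "__main__":
    print(configured_servers(parse_properties(SAMPLE_PROPERTIES)))
    print(demo())
```

The blank myproxy.host.2 in the first sample is treated as "not configured" rather than as an error, which matches the note that both servers need not be set up at once; a port outside 1-65535 or a non-positive lifetime is rejected before any server is contacted.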
Grid Single Sign-on
If the portal is installed on your local system, point your browser to http://localhost:8080/gridsphere. Before you can perform single sign-on grid authentication you need to create a portal user account. Choose the username so that it matches the username under which you delegated proxies to MyProxy, or the username you used as the prefix for your certificate and key in the GridPort repository.
Create A New Portal User
To create a portal account, log in to the portal with the username root and no password (assuming you have not changed the portal's root password). Once authenticated, click on the Administration tab and then the Users subtab. Next, click on the Create a New User link, fill out the form with the desired username, password and other information, and click Save user. Finally, log out of the portal.
Authenticate
To perform a single sign-on login, enter the username of the portal account you just created together with the password that corresponds either to a proxy you delegated to MyProxy or to the certificate and key pair you placed in the GridPort repository. If single sign-on grid authentication succeeds you will be logged in and a DN will appear in your list of proxies in the Proxy Manager portlet.
NOTE: you can still log in to GridSphere without grid authentication by providing the password you chose when you created your portal account.
