NCSA CyberSecurity



Author: Kevin J. Price (kjprice@ncsa.uiuc.edu)
Last Update: December 21, 2006

Introduction

This document explains how to configure a Scientific Annotation Middleware (SAM) installation to query a MyProxy server for authentication.

This page does not cover how to configure MyProxy. Please see Using MyProxy To Create Session Passwords for more details on MyProxy server configuration with web services.

Installation Overview

These instructions assume you have an existing SAM installation running under Apache Tomcat 5.0, and installed at $CATALINA_HOME/webapps/sam.

Class Installation

  1. Download myproxy-jaas.jar from the MyProxy JAAS Interface page, and save the file in $CATALINA_HOME/common/lib/.
  2. Download SAMWrapperLoginModule.class from the Miscellaneous Security Tools Repository page, and save the file in $CATALINA_HOME/common/classes/.
  3. Install cog-jglobus: download cog-jglobus 1.4 from http://wiki.cogkit.org/index.php/Table, unzip the binary package, and copy cog-jglobus-1.4/lib/*.jar into $CATALINA_HOME/common/lib/.
  4. OPTIONAL: Download jaas-scache.jar from the Miscellaneous Security Tools Repository page, and save the file in $CATALINA_HOME/common/lib/.

JAAS Configuration

  1. Add the following lines to the end of $CATALINA_HOME/webapps/sam/WEB-INF/classes/jaas.config, replacing myproxy-server.domain.edu with your MyProxy server's domain name:
    SAM_MyProxy {
        edu.uiuc.ncsa.jaas.SessionCacheLoginModule sufficient
            cacheLocation = "/tmp/scache"
            mode = "read";
        org.scidac.sam.security.authenticate.SlideLoginModule sufficient
            namespace = "sam"
            digest = "none"
            timeout = "15";
        edu.uiuc.ncsa.myproxy.jaas.MyProxyLoginModule requisite
            host = "myproxy-server.domain.edu"
            saveSharedState = "true";
        SAMWrapperLoginModule optional
            defaultRoles = "user";
        edu.uiuc.ncsa.jaas.SessionCacheLoginModule optional
            cacheLocation = "/tmp/scache"
            mode = "write";
        };
    

    The SlideLoginModule entry (highlighted in green on the original page) allows users to authenticate using the default SAM authentication mechanism in addition to the MyProxy authentication mechanism, and is especially useful during server configuration (by authenticating as 'root'). If you do not require this functionality, you can safely omit these lines.

    The defaultRoles option of SAMWrapperLoginModule (highlighted in blue on the original page) defines a space-separated list of default roles to be assigned to users authenticated using the MyProxy mechanism. You may need to alter this list to fit your server configuration. It is not currently possible to assign roles on a user-by-user basis.

    The optional SessionCacheLoginModule entries (highlighted in red on the original page) define a session caching module that caches copies of user credentials on the local machine. This cuts down on network traffic, at the expense of some CPU time because the credentials are encrypted when stored. The cache location can be changed to any good temporary directory. This module can only be used if you installed jaas-scache.jar per the installation instructions above.

  2. Modify the file $CATALINA_HOME/webapps/sam/WEB-INF/web.xml. Find the lines under the heading
    <!-- Authentcation Filter Setup -->
    
    and replace:
            <init-param>
                <param-name>app-name</param-name>
                <param-value>SAM_Slide</param-value>
            </init-param>
    
    with:
            <init-param>
                <param-name>app-name</param-name>
                <param-value>SAM_MyProxy</param-value>
            </init-param>
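
A check script for the Class Installation and JAAS Configuration steps above, added here as an example; it is not part of the original page or of the SAM or MyProxy tooling. The function name `check_sam_myproxy` and the test on cache location permissions are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a SAM + MyProxy JAAS setup against the steps on this page.
# check_sam_myproxy is a name made up for this example.
# Usage: check_sam_myproxy "$CATALINA_HOME"  (prints findings, returns their count)
check_sam_myproxy() {
    home=$1
    problems=0
    lib="$home/common/lib"
    jaas="$home/webapps/sam/WEB-INF/classes/jaas.config"
    webxml="$home/webapps/sam/WEB-INF/web.xml"
    flag() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # Class Installation, steps 1 and 2
    [ -f "$lib/myproxy-jaas.jar" ] || flag "missing $lib/myproxy-jaas.jar"
    [ -f "$home/common/classes/SAMWrapperLoginModule.class" ] ||
        flag "missing $home/common/classes/SAMWrapperLoginModule.class"

    # JAAS Configuration, step 1
    if ! grep -q '^[[:space:]]*SAM_MyProxy[[:space:]]*{' "$jaas" 2>/dev/null; then
        flag "no SAM_MyProxy entry in $jaas"
    else
        # The sample host name must be replaced with the real MyProxy server
        grep -q 'host[[:space:]]*=[[:space:]]*"myproxy-server\.domain\.edu"' "$jaas" &&
            flag "MyProxyLoginModule host is still the placeholder"
        if grep -q 'SessionCacheLoginModule' "$jaas"; then
            # The cache module only works when jaas-scache.jar is installed
            [ -f "$lib/jaas-scache.jar" ] ||
                flag "SessionCacheLoginModule configured without $lib/jaas-scache.jar"
            # Assumption of this example: cached credentials should not be
            # reachable by other local accounts (paths without spaces only)
            caches=$(sed -n 's/.*cacheLocation[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$jaas" | sort -u)
            for c in $caches; do
                [ -e "$c" ] &&
                    [ -n "$(find "$c" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ] &&
                    flag "cache location $c is accessible to other users"
            done
        fi
    fi

    # JAAS Configuration, step 2
    grep -q '<param-value>SAM_MyProxy</param-value>' "$webxml" 2>/dev/null ||
        flag "app-name in $webxml is not SAM_MyProxy"

    return "$problems"
}
```

A return value of 0 means every check passed; each finding is printed on its own line prefixed with `PROBLEM:`.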