Argus GSI PEP Callout Configuration

Manual Configuration

To configure the GSI PEP Callout module, you first have to configure the Globus Authorization Callouts framework to use the GSI PEP Callout library to do the authorization and mapping. Then the GSI PEP Callout module must be configured.

Globus Authorization Callouts Configuration

This section describes the configuration file and the directives that enable the GSI PEP Callout module in the Globus Authorization Callouts framework.

Configuration File

The Globus Authorization Callouts framework searches the following locations (in order) for the callout configuration file:

  • $GSI_AUTHZ_CONF (Environment variable)
  • /etc/grid-security/gsi-authz.conf
  • $GLOBUS_LOCATION/etc/gsi-authz.conf
  • $HOME/.gsi-authz.conf

EMI-1 Configuration Directives

Content of the Globus Authorization Callouts configuration file to enable the GSI Argus PEP Callout function argus_pep_callout for EMI:

# Globus authorization and mapping callout to the ARGUS GSI PEP Callout module
# format: globus_mapping <library_path> <function_name>
globus_mapping /usr/lib64/libgsi_pep_callout.so argus_pep_callout

For EMI the Argus PEP GSI callout library is installed in the /usr/lib64 directory.

gLite 3.2 Configuration Directives

Content of the Globus Authorization Callouts configuration file to enable the GSI PEP Callout function authz_pep_callout for gLite:

# Globus authorization and mapping callout to the ARGUS GSI PEP Callout module
# format: globus_mapping <library_path> <function_name>
globus_mapping /opt/glite/lib/libgsi_pep_callout_gcc32dbg.so authz_pep_callout

For gLite 3.2 on x86_64 architectures such as SL4 and SL5, the library path is /opt/glite/lib64/libgsi_pep_callout_gcc64dbg.so

GSI PEP Callout Configuration

This section describes the configuration file and the directives for the GSI PEP Callout module itself.

Configuration File

The GSI PEP Callout module searches the following locations (in order) for its configuration file:

  • $GSI_PEP_CALLOUT_CONF (Environment variable)
  • /etc/grid-security/gsi-pep-callout.conf

Configuration Directives

The configuration directives for the GSI PEP Callout are single-line name/value pairs. Comment lines (#) are allowed.

| Directive | Description | Mandatory? | Default Value | Example | Since |
|---|---|---|---|---|---|
| pep_url | The endpoint URL of the PEP daemon. | Yes | | pep_url https://pepd.example.org:8154/authz | 1.0 |
| xacml_resourceid | XACML request resource-id value. | Yes | | xacml_resourceid x-urn:example.org:resource:ce:gridftp | 1.0 |
| xacml_actionid | XACML request action-id value. Define this parameter to overwrite the service name passed to the module by the application. | No | | xacml_actionid http://glite.org/xacml/action/access | 1.0 |
| xacml_profileid | XACML request profile-id value. Define this parameter to overwrite the default profile id. | No | http://glite.org/xacml/profile/grid-wn/1.0 | xacml_profileid http://glite.org/xacml/profile/grid-ce/1.0 | 1.2 |
| pep_timeout | Connection timeout in seconds. | No | 30 | pep_timeout 60 | 1.0 |
| pep_ssl_validation | Enable SSL validation of the PEP daemon endpoint URL (HTTPS). | No | true | pep_ssl_validation false | 1.0 |
| pep_ssl_server_capath | CA directory path for the HTTPS validation of the PEP daemon endpoint URL. | No | /etc/grid-security/certificates | pep_ssl_server_capath /etc/grid-security/certificates | 1.0 |
| pep_ssl_server_cert | Certificate file for the HTTPS validation of the PEP daemon endpoint URL. | No | | pep_ssl_server_cert /etc/grid-security/pepdcert.pem | 1.0 |
| pep_ssl_client_cert | Client certificate file for the TLS client authentication on the PEP daemon endpoint URL. | No | /etc/grid-security/hostcert.pem | pep_ssl_client_cert /etc/ssl/mycert.pem | 1.0 |
| pep_ssl_client_key | Client private key file for the TLS client authentication on the PEP daemon endpoint URL. | No | /etc/grid-security/hostkey.pem | pep_ssl_client_key /etc/ssl/mykey.pem | 1.0 |
| pep_ssl_client_keypasswd | Client private key password. | Only if pep_ssl_client_key is encrypted | | pep_ssl_client_keypasswd mykeypassword | 1.0 |

Configuration Example

Example of a valid configuration file for the GSI PEP Callout module:

#
# GSI PEP Callout configuration example
#
pep_url   https://chaos.switch.ch:8154/authz
xacml_resourceid http://ce.example.org/cream/gridftp
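
An added example (not part of Argus or of the original page): a small offline linter for gsi-pep-callout.conf that checks the directives listed in the table above for missing mandatory entries, unrecognized names, and weakened TLS settings. It assumes whitespace-separated name/value pairs and whole-line # comments; how the module itself treats unknown directives is not stated on the page, so the linter only reports them.

```python
KNOWN = {
    "pep_url", "xacml_resourceid", "xacml_actionid", "xacml_profileid",
    "pep_timeout", "pep_ssl_validation", "pep_ssl_server_capath",
    "pep_ssl_server_cert", "pep_ssl_client_cert", "pep_ssl_client_key",
    "pep_ssl_client_keypasswd",
}  # directive names from the table above
MANDATORY = ("pep_url", "xacml_resourceid")


def parse(text):
    """Split 'name value' lines; return ({directive: value}, findings)."""
    conf, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: whole-line comments only
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append(f"line {lineno}: directive '{parts[0]}' has no value")
        elif parts[0] not in KNOWN:
            findings.append(f"line {lineno}: unknown directive '{parts[0]}'")
        else:
            conf[parts[0]] = parts[1]
    return conf, findings


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf, findings = parse(text)
    for name in MANDATORY:
        if name not in conf:
            findings.append(f"missing mandatory directive '{name}'")
    if "pep_url" in conf and not conf["pep_url"].lower().startswith("https://"):
        findings.append("pep_url is not HTTPS: authorization traffic is unprotected")
    if conf.get("pep_ssl_validation", "true").lower() == "false":
        findings.append("pep_ssl_validation is false: PEP daemon certificate is not checked")
    if "pep_ssl_client_keypasswd" in conf:
        findings.append("pep_ssl_client_keypasswd: cleartext key password, restrict file access")
    return findings

# Constructed sample inputs (hosts and values are illustrative).
GOOD = ("# example\npep_url   https://pepd.example.org:8154/authz\n"
        "xacml_resourceid x-urn:example.org:resource:ce:gridftp\n")
WEAK = ("pep_url http://pepd.example.org:8154/authz\n"
        "pep_ssl_validation false\n"
        "pep_ssl_server_key /etc/ssl/mykey.pem\n")  # name not in the directive table

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, lint(sample) or "no findings")
```
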

YAIM Configuration

With yaim-core (>= 4.0.12), the function config_lcas_lcmaps_gt4 is now able to configure the Argus GSI PEP Callout module.

In your site-info.def set the following variables:

USE_ARGUS=yes
ARGUS_PEPD_ENDPOINTS="<Argus_URL> ..."
CREAM_PEPC_RESOURCEID=<CreamCE_XACML_resource_id>

where Argus_URL is the Argus PEP daemon endpoint URL, e.g. ARGUS_PEPD_ENDPOINTS=https://argus.example.org:8154/authz

and CreamCE_XACML_resource_id is the XACML resource identifier for this CREAM CE, e.g. CREAM_PEPC_RESOURCEID=http://glite.org/xacml/resource/cream-ce

Topic revision: r11 - 2016-07-05 - MaartenLitmaath
 