Revision 19b58bab
Added by Remy Menard almost 13 years ago
INSTALL

Use the provided script to start the application.

### Servlet Container and SSL/TLS

A servlet container needs to be installed.

For now, the IoTa-Installer knows only about Apache Tomcat (versions 6 or 7).
The IoTa-Installer can help you install and configure one.

In order to use SSL/TLS as a mutual authentication means for the IoTa web
applications and their clients, an SSL/TLS connector must be configured.

For Apache Tomcat 7, if you don't use the IoTa-Installer, you need to add a
connector element similar to the following snippet in the file
`${CATALINA_HOME}/conf/server.xml`:

    <Connector protocol="HTTP/1.1"
               port="8443"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="${catalina.home}/conf/ssl/keystore.jks"
               keystorePass="changeit"
               keyAlias="if_more_than_one_key_in_keystore"
               keyPass="changeit"
               truststoreFile="${catalina.home}/conf/ssl/truststore.jks"
               truststorePass="changeit"
               crlFile="${catalina.home}/conf/ssl/revocations_list.pem"
               clientAuth="true"
               sslProtocol="TLS"/>

Or, if the Apache Portable Runtime library (APR) is installed and used on the
target system:

    <Connector protocol="HTTP/1.1"
               port="8443"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               SSLCertificateFile="${catalina.home}/conf/ssl/server.crt"
               SSLCertificateKeyFile="${catalina.home}/conf/ssl/server.pem"
               SSLCACertificatePath="${catalina.home}/conf/ssl/clients/"
               SSLCARevocationPath="${catalina.home}/conf/ssl/revocations/"
               SSLVerifyClient="require"
               SSLProtocol="TLSv1"/>

Add the clients' certificates to Tomcat's truststore, with a command like:

    keytool -importcert -storetype "jks" -keystore "truststore.jks" -alias "key" -file "client.cert"

The ETa, OMeGa and EpcisPHi applications need roles in `$CATALINA_HOME/conf/tomcat-users.xml`
to manage identity with TLS:

* for ETa: `<role rolename="eta_user"/>`
* for OMeGa: `<role rolename="omega_user"/>`
* for EpcisPHi: `<role rolename="ephi_user"/>`

The names can be different depending on the configuration of
`<webapp-dir>/WEB-INF/web.xml`.

Each user who wants to request the services of ETa, OMeGa or the web interface
of EpcisPHi must be identified in `$CATALINA_HOME/conf/tomcat-users.xml`
and one or more roles must be attributed.
Each application using these services must be known.
The user (or application) is recognized by the Distinguished Name (DN) of
the certificate used to connect to the service.
The user roles (ETa and/or OMeGa and/or EpcisPHi) are determined by the
"roles" attribute and correspond to the "rolename" values above.

To add the ETa, OMeGa and EpcisPHi services to the user whose certificate DN is
"CN=foo", add to the `$CATALINA_HOME/conf/tomcat-users.xml` file:

    <user username="CN=foo" password="" roles="eta_user,omega_user"/>

To log in to the web interface of Epcis-PHi as "superadmin", who manages the user
accounts, you must use a certificate (generated by IoTa-Installer or keytool).
The DN of this certificate ("UID=superadmin" by default) needs to match the
entry in the LDAP directory.
This user must be added to the same file:

    <user username="UID=superadmin" password="" roles="ephi_user"/>
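As an added check (example code written for this page, not part of IoTa or Tomcat), the following Python parses a `tomcat-users.xml` and a `server.xml` connector like the ones above and flags settings that break or weaken the certificate-based identity scheme: usernames that are not certificate DNs, users with a password set, roles that are never declared, SSL connectors that do not require a client certificate, and store passwords left at the Java default `changeit`. The XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not IoTa files): the mappings described above plus one broken <user>.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="eta_user"/>
  <role rolename="omega_user"/>
  <role rolename="ephi_user"/>
  <user username="CN=foo" password="" roles="eta_user,omega_user"/>
  <user username="UID=superadmin" password="" roles="ephi_user"/>
  <user username="bob" password="secret" roles="eta_user,sigma_user"/>
</tomcat-users>"""
SERVER_XML = """<Server><Service>
  <Connector protocol="HTTP/1.1" port="8443" scheme="https" secure="true"
             SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
             keystoreFile="${catalina.home}/conf/ssl/keystore.jks" keystorePass="changeit"
             truststoreFile="${catalina.home}/conf/ssl/truststore.jks" truststorePass="changeit"/>
</Service></Server>"""

def audit_tomcat_users(xml_text):
    """Return findings for the certificate-DN -> role mapping in tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.iter("role")}
    findings = []
    for user in root.iter("user"):
        name = user.get("username", "")
        # With clientAuth="true" the username must be the certificate's DN.
        if "=" not in name:
            findings.append(f"{name}: username is not a certificate DN")
        # Certificate users are authenticated by the TLS handshake, not a password.
        if user.get("password"):
            findings.append(f'{name}: password set; expected password=""')
        for role in user.get("roles", "").split(","):
            if role.strip() and role.strip() not in declared:
                findings.append(f"{name}: role {role.strip()} is not declared")
    return findings

def audit_connector(xml_text):
    """Return findings for every SSL-enabled Connector in server.xml."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled") != "true":
            continue  # plain HTTP connector, out of scope
        port = c.get("port")
        # JSSE connectors use clientAuth="true"; APR connectors use SSLVerifyClient="require".
        if c.get("clientAuth") != "true" and c.get("SSLVerifyClient") != "require":
            findings.append(f"port {port}: client certificates are not required")
        for attr in ("keystorePass", "keyPass", "truststorePass"):
            if c.get(attr) == "changeit":
                findings.append(f"port {port}: {attr} still uses the default 'changeit'")
    return findings
```

Run against the real files after installation; an empty list from both functions means every TLS-identified user maps to a declared role and the connector actually enforces mutual authentication.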

### Web Applications

Get the `<application>-<version>.war` war file for the web application.

...

    recursion no;

### DNSSEC

Enable DNSSEC in bind9 with these options (in the `options` statement of
`named.conf.options`):

    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;

You can generate keys and sign your zone files with, for example, the program
`zonesigner` from `dnssec-tools`.

### LDAP

Some applications (ETa) need an LDAP server.
Some applications (User) need an LDAP server.

From a fonctionnal LDAP server, the script `ETa/ldap.sh` or the LDAP module of
From a fonctionnal LDAP server, the script `User/ldap.sh` or the LDAP module of
the IoTa-Installer adds a schema, a group and the two users superadmin and
anonymous.
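Review bot: the LDAP paragraph should say which DN the script gives the superadmin entry, because the Servlet Container section requires the certificate DN ("UID=superadmin" by default) to match the LDAP directory and a reader of this section alone cannot check that; both variants of the changed lines ("Some applications (ETa) ..." / "Some applications (User) ..." and the two `ldap.sh` paths) also misspell "fonctionnal", which should read "functional".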
Version 1.9
- use TLS for secured links
- SigMa is now fully functional
- completed documentation
- a lot of bugs fixed!
- signature creation from the canonical form of the event
- signature creation using ECDSA algorithm
- signature is correctly verified
- manage the extension identifying the owner of the event
- if no identity is provided, the identity of the certificate is used
- access to the web interface of policy management is made by certificate
- if no identity is provided, the identity of the certificate is used
- create and use certificates for TLS
- configure Apache Tomcat for TLS
- show SigMa library (SigMa-Commons)