WorldCat Navigator: EZproxy Configuration Guide



Contents

1. Introduction
2. Obtaining an EZproxy license
3. The EZproxy userobject
4. Configuring EZproxy to allow userobject
5a. Configuring EZproxy for Innovative Interfaces, Inc.
5b. Configuring EZproxy for LDAP
5c. Configuring EZproxy for Shibboleth
5d. Configuring EZproxy for multiple sources
6. Configuring an SSL certificate
7. Testing the EZproxy configuration
Appendix A: Custom EZproxy config.txt contents
Appendix B: userobject attributes list

1. Introduction

This document describes authentication and session management operations within WorldCat Navigator. It includes instructions for configuring your downloaded EZproxy to allow session management via OCLC's userobject API, plus detailed instructions on how to configure EZproxy to allow proxied authentication between a library's remote user authentication systems (III, LDAP, and Shibboleth) and the Master EZproxy server.

About the process

If you already have EZproxy installed and running on your system, begin with Section 4, Configuring EZproxy to allow userobject. If you do not yet have EZproxy installed on your system, follow this 4-step process:

1) Obtain an EZproxy license as described in Section 2 below.
2) Once you have obtained your license, download and install EZproxy, following the instructions at: http://www.oclc.org/us/en/support/documentation/ezproxy/setup.htm
3) When the EZproxy installation is complete, follow the instructions at http://www.oclc.org/us/en/support/documentation/ezproxy/usr/ to enable basic authentication for your existing authentication method.
4) When initial authentication is enabled, follow the instructions in Section 4, Configuring EZproxy to allow userobject, and in Section 5 (for your authentication method).

Things you should know

About firewalls

Allow the following traffic through your firewall:
- To these hosts on port 443:
  o masternavezp.idm.oclc.org
  o proxy.vdxhost.com
- From the above hosts to the port on which your EZproxy server listens.

About SSL

To ensure the integrity of the small amount of patron data sent from your institution's EZproxy server to Navigator, Navigator requires Secure Sockets Layer (SSL) encryption of this data between your institution and Navigator. To activate SSL, an SSL certificate is required. See Section 6 of this document for more information.

About IP address changes

Notify OCLC Support (support@oclc.org) if at any time you change the IP address or domain name of your EZproxy server. If you fail to notify OCLC of this change, Navigator will cease to work for your system.

Warning: If you have identified your interface via an IP address (rather than a DNS name), you must also update Interface <xxx.xxx.xxx.xxx> in config.txt.

About home library locations

To ensure proper handling of ILL requests, the patron's home library should be specified when requesting is done by more than one library within an institution. Contact your OCLC Implementation Manager for more information.

About e-mail addresses

The e-mail addresses used to send notifications to users may be stored in two separate places, depending upon how they are submitted to Navigator.

Authentication process: When submitted as part of the authentication process (patron loads, EZproxy authentication), the e-mail address becomes part of the user record in the OCLC Navigator database.

Patron request: When submitted as part of the Navigator Request form, the e-mail address becomes part of the request.

If an e-mail address is available in both the database and the request, the address from the request is used. If your institution does not implement user notification, there is no need to store the e-mail address in the user record (Navigator database).

2. Obtaining an EZproxy license

Navigator Request Engine users who do not already own a license may obtain a no-cost license by e-mailing ezproxy@oclc.org to receive an order form (.pdf format). When you complete the form:

1. Leave the PRICE QUOTE and QUOTED BY areas empty.
2. Enter "WorldCat Navigator Participant - No Charge" in the COMMENTS area at the bottom of the form.

Print the completed form and return it via:

Mail: OCLC, 6565 Kilgour Place, Dublin, OH 43017-3395
Fax: 1-888-339-3921

You will receive a welcome letter containing your license key. The licensing agreement is included in the form. This agreement indicates the valid uses of EZproxy, including under what circumstances multiple copies of EZproxy can be used and the valid use of EZproxy on multiple servers.

3. The EZproxy userobject

The EZproxy userobject is a data structure used to pass patron information among the various components of the Navigator system. Your local EZproxy must be configured to map data from your institution's authentication system into the userobject.

The EZproxy userobject consists of 42 attributes. Of these, the ten shown below provide primary data for Navigator operation. The full list of userobject attributes is given in Appendix B, EZproxy userobject.

Attribute name                Description                    Required?
uid                           Patron barcode or unique ID    Always
forename                      Patron first or given name     No (but recommended)
surname                       Patron last or family name     No (barcode will be used if not provided)
emailaddress                  Patron e-mail address          No (but recommended)
category                      Patron type                    No (but recommended)
location                      Home library location          Yes, when applicable
joindate                      Join or registration date      No
expirydate                    Expiration date                No (requesting is not allowed after this date if a date is supplied)
bannedinremotecirculation     User privileges revoked        No (but recommended)

4. Configuring EZproxy to allow userobject

Once you have installed (or upgraded to) EZproxy 5.1c or later, you must manually edit the config.txt file to allow userobject support.

Before you begin

You must contact your OCLC Implementation Manager at WorldCatLocalIM@oclc.org to obtain your pre-assigned value for MYWSKEY (used in: LocalWSKey MYWSKEY).

Configure the server for userobject

1. Open the config.txt file with a text editor.
2. Provide the DNS-resolvable name of your local EZproxy server.
   Change: Name ezproxy.hostname.edu
   To:     Name <yourfullyqualifieddomainname>
3. Provide the DNS-resolvable name or IP address of the local EZproxy server.
   Change: Interface ezproxy.hostname.edu
   To:     Interface <yourfullyqualifieddomainname>
      OR   Interface <youripaddress>
      OR   Interface ANY   [binds to all IP addresses of your local EZproxy server]
4. Provide the SSL login port to be used in production.
   Change: LoginPortSSL 443
   To:     LoginPortSSL <yourportnumber>
5. Provide your pre-assigned WSKey.
   Change: LocalWSKey MYWSKEY
   To:     LocalWSKey <from your Implementation Manager>
6. Optional (Linux and Solaris only; Windows environments skip this step). To assign a RunAs user value:
   Change: ##RunAs nobody:nobody
   To:     RunAs nobody:nobody
7. Optional. To replace the admin console login port:
   Change: LoginPort 2048
   To:     LoginPort <yourportnumber>
8. Save and close config.txt, then restart EZproxy.
9. Edit the user.txt file of your EZproxy server according to the instructions in Section 5 of this document. For example user.txt files for various authentication systems, see: http://wcn.oclc.org/index.php/ezproxy_configuration_for_use_with_navigator

5a. Configuring EZproxy for Innovative Interfaces, Inc.

Note: This requires the III Patron API Module.

Mandatory. In your EZproxy user.txt file you must set the following:

Directive: Set session:uid = login:user
Result: Sets userobject Unique ID to user ID/barcode

Directive*: Set session:location = auth:p53
Result: Sets userobject Home Library Location to the user's home library
* when applicable, otherwise Recommended

Directive: Set session:groupnumber = NNNNN
Result: Sets userobject groupnumber to your consortium's Group Number

Directive: Set session:instnumber = NNNNN
Result: Sets userobject institutionnumber to your library's WorldCat Registry ID

Recommended. In your EZproxy user.txt file you should set the following:

Directive: Set ParseName(auth:pn, "S,F,M,X", "session")
   S = surname, F = first name, M = middle name, X = prefix
   Note: Name entry is based on local practice, so the S, F, M and X tokens should be ordered (comma-separated) to match your local convention.
Result: Allows EZproxy to derive userobject name values

Directive: Set session:category = auth:p47
Result: Sets userobject Patron Category to the local patron type

Directive: Set session:emailaddress = auth:pz
Result: Sets userobject emailaddress to the user's e-mail address

Optional. In your EZproxy user.txt file you may set the following:

Directive: Set session:dateformat = MM-DD-YY
Result: Sets userobject date format

Directive: Set session:joindate = auth:p83
Result: Sets userobject Registration date to the user's registration date

Directive: Set session:expirydate = auth:p43
Result: Sets userobject Expiration date to your library's assigned expiration date (if any).
Note: If a date is provided, requesting is blocked after this date.

Local blocking. Your library may want to block based on local conditions derived from III authentication. Implementing this type of blocking requires two steps:

1. Block all circulation.
2. Unblock circulation based on the selected condition(s).

Example:

1. Block circulation:
   Set session:bannedinremotecirculation = Y
2. Unblock circulation only if there are no message blocks (p56):
   If auth:p56 eq "" {Set session:bannedinremotecirculation = N}
   Or unblock if there are no message blocks (p56) and the patron type is valid:
   If auth:p56 eq "" && auth:p47 =~ /^(2|3|4|5|6|15|16)$/ {Set session:bannedinremotecirculation = N}

5b. Configuring EZproxy for LDAP

Mandatory. In your EZproxy user.txt file you must set the following:

Directive: Set session:uid = login:user
Result: Sets userobject Unique ID to user ID/barcode

Directive: Set session:groupnumber = NNNNN
Result: Sets userobject groupnumber to your consortium's Group Number

Directive: Set session:instnumber = NNNNN
Result: Sets userobject institutionnumber to your library's WorldCat Registry ID

Recommended. In your EZproxy user.txt file you should set the following:

Directive: Set session:forename = auth:givenname
Result: Sets userobject forename to patron first/given name

Directive: Set session:surname = auth:sn
Result: Sets userobject surname to patron surname/last name

Directive: Set session:middlename = auth:initials
Result: Sets userobject middlename to patron middle initial(s)

Directive: Set session:emailaddress = auth:email
Result: Sets userobject emailaddress to the user's e-mail address

Local blocking. Your library may want to block based on local conditions derived from LDAP authentication. Implementing this type of blocking requires two steps:

1. Block all circulation.
2. Unblock circulation based on the selected condition(s).

Example:

1. Block circulation:
   Set session:bannedinremotecirculation = Y
2. Unblock circulation if the user has at least one educational affiliation [Count] and that affiliation is not alum:
   If Count(auth:edupersonaffiliation) >= 1 && !All(auth:edupersonaffiliation, "alum") {Set session:bannedinremotecirculation = N}

5c. Configuring EZproxy for Shibboleth

Mandatory. In your EZproxy shibuser.txt file you must set the following:

Directive: Set session:uid = auth:urn:mace:dir:attribute-def:uid
Result: Sets userobject Unique ID to user ID/barcode

Recommended. In your EZproxy shibuser.txt file you should set the following:

Directive: Set session:forename = auth:urn:mace:dir:attribute-def:givenname
Result: Sets userobject forename to patron first/given name

Directive: Set session:surname = auth:urn:mace:dir:attribute-def:sn
Result: Sets userobject surname to patron surname/last name

Local blocking. Your library may want to block based on local conditions derived from Shibboleth authentication. Implementing this type of blocking requires two steps:

1. Block all circulation.
2. Unblock circulation based on the selected condition(s).

Example:

1. Block circulation:
   Set session:bannedinremotecirculation = Y
2. Unblock circulation if the user has at least one educational affiliation [Count] and that affiliation is not alum:
   If Count(auth:urn:mace:dir:attribute-def:edupersonaffiliation) >= 1 && !All(auth:urn:mace:dir:attribute-def:edupersonaffiliation, "alum") {Set session:bannedinremotecirculation = N}

5d. Configuring EZproxy for multiple sources

It might be necessary to use more than one source to construct a viable userobject. You can configure the user.txt file to account for this scenario. Fields can be swapped as necessary to ensure that the userobject has session:uid set to how the user is known to both the local ILS and to Navigator; these values must match. This combination mainly works with III, LDAP and SIP, as those are the most robust sources of data.

Example: This example also requires creating a secondary file called iii.txt, which is called to perform the Innovative Interfaces API information harvesting. In user.txt:

   ::LDAP
   BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
   BindPassword verysecret
   URL ldap://ldapserv.yourlib.org/cn=users,dc=yourlib,dc=org?sAMAccountName?sub?(objectclass=person)
   IfUnauthenticated; Stop
   If auth:barcode ne "" {
       # Preserve the provided login username
       Set saveuser = login:user
       # Switch to the barcode from LDAP
       Set login:user = auth:barcode
       # Call the external file iii.txt
       If UserFile("iii.txt") {
           # Logic to perform if III authentication succeeds
       }
       # Switch back to the provided username
       Set login:user = saveuser
   }
   /LDAP

Create a file called iii.txt and enter this code:

   ::III
   Password None
   III iii.yourlib.org
   IfUnauthenticated; Stop
   Set session:uid = login:user
   Set ParseName(auth:pn, "S,FM,X", "session")
   /III
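The two-step local-blocking pattern from Sections 5a, 5b and 5c (block everyone, then unblock on a condition) modelled in Python as an added example; this is not code from the guide or from EZproxy, and the auth:* attribute values and the III-to-userobject mapping it exercises are constructed. It also shows why a missing attribute leaves the patron blocked: the deny is the default and only an explicit match flips it.

```python
import re

# Constructed sample attribute sets, standing in for what EZproxy exposes to
# user.txt as auth:* after a successful login. All values are made up.
III_AUTH_OK      = {"p47": "3", "p53": "plxc", "p56": ""}       # no message blocks
III_AUTH_BLOCKED = {"p47": "3", "p53": "plxc", "p56": "FINES"}  # a p56 message block
III_AUTH_BADTYPE = {"p47": "7", "p53": "plxc", "p56": ""}       # patron type not allowed
AFFIL_STUDENT    = ["student", "member"]
AFFIL_ALUM_ONLY  = ["alum"]

# Patron types accepted by the 5a regex /^(2|3|4|5|6|15|16)$/
ALLOWED_PATRON_TYPES = re.compile(r"^(2|3|4|5|6|15|16)$")


def iii_banned(auth):
    """Section 5a local blocking for III: start blocked and unblock only when
    auth:p56 (message blocks) is empty AND auth:p47 (patron type) matches.
    Returns the session:bannedinremotecirculation value, "Y" or "N"."""
    banned = "Y"                                    # Set session:bannedinremotecirculation = Y
    no_blocks = auth.get("p56", "") == ""           # auth:p56 eq ""
    good_type = ALLOWED_PATRON_TYPES.match(auth.get("p47", "")) is not None
    if no_blocks and good_type:                     # If ... {Set ... = N}
        banned = "N"
    return banned


def affiliation_banned(affiliations):
    """Sections 5b/5c local blocking for LDAP and Shibboleth, mirroring
    Count(attr) >= 1 && !All(attr, "alum"): at least one affiliation value
    must be present and the values must not all be 'alum'. An empty list
    (attribute not released by the IdP/directory) stays blocked."""
    banned = "Y"
    count = len(affiliations)
    all_alum = count > 0 and all(a == "alum" for a in affiliations)
    if count >= 1 and not all_alum:
        banned = "N"
    return banned


def build_iii_userobject(login_user, auth, group_number, inst_number):
    """Assemble the session:* values 5a marks Mandatory/Recommended plus the
    blocking decision, so the whole mapping can be reviewed in one place."""
    return {
        "uid": login_user,                          # Set session:uid = login:user
        "location": auth.get("p53", ""),            # Set session:location = auth:p53
        "groupnumber": group_number,                # Set session:groupnumber = NNNNN
        "instnumber": inst_number,                  # Set session:instnumber = NNNNN
        "category": auth.get("p47", ""),            # Set session:category = auth:p47
        "emailaddress": auth.get("pz", ""),         # Set session:emailaddress = auth:pz
        "bannedinremotecirculation": iii_banned(auth),
    }


if __name__ == "__main__":
    for label, auth in (("ok", III_AUTH_OK), ("blocked", III_AUTH_BLOCKED),
                        ("badtype", III_AUTH_BADTYPE)):
        print(label, build_iii_userobject("21234000000123", auth, "NNNNN", "NNNNN"))
    print("student:", affiliation_banned(AFFIL_STUDENT), "alum only:", affiliation_banned(AFFIL_ALUM_ONLY))
```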

6. Configuring an SSL certificate

Obtaining an SSL certificate is a three-step process:

1. Generate a Certificate Request in your library's EZproxy.
2. Submit the Certificate Request to the Certificate Authority of your choice.
3. Import the received SSL Certificate into your EZproxy.

Before you begin

1. You must have obtained a valid EZproxy license key and successfully installed EZproxy on your server.
2. You must have the following information available to complete the Create New SSL Certificate form:
   a) Server name:
   b) Key size: (select from drop-down)
   c) Country: (two-letter country code)
   d) *State or Province: (do not abbreviate; use Ohio, not OH)
   e) *City or Locality:
   f) Organization:
   g) *Organization Unit:
   h) Administrator e-mail:
   i) Expiration: (self-signed only; select from drop-down)
   * = optional field
3. You must choose a Certificate Authority from which to purchase a certificate, and locate the appropriate area of the Authority's Web site. You must also have a payment method that the Authority will accept.

Procedure

For the procedure to configure an SSL certificate for EZproxy, see: http://www.oclc.org/support/documentation/ezproxy/cfg/ssl/

7. Testing your EZproxy configuration

You can test your EZproxy by configuring your EZproxy server to return the results of an authentication attempt in a userobjectresponse.

1. Open the config.txt file with a text editor.
2. Add the following:
   Option UserObjectTestMode
3. Save and close the file.
4. Restart EZproxy.
5. After the restart, send a URL in this form to your server:
   https://<yourfullyqualifieddomainname>/userobject?service=gettoken
6. Enter your User Name and Password.

Result: A userobjectresponse similar to the one shown below is displayed, populated with your data.

Example: Fully populated userobjectresponse:

   <userObjectResponse>
     <serviceStatus>OK</serviceStatus>
     <userDocument>
       <lastAuthenticated>2009-01-23T17:16:13Z</lastAuthenticated>
       <groupNumber>NNNNN</groupNumber>
       <instNumber>NNNNN</instNumber>
       <uid>999999</uid>
       <location>plxc</location>
       <category>11</category>
       <forename>Jane</forename>
       <surname>Smith</surname>
       <emailAddress>jane.smith@oclc.org</emailAddress>
       <dateFormat>MM-DD-YY</dateFormat>
       <joinDate>01-21-09</joinDate>
       <expiryDate>03-03-09</expiryDate>
       <bannedInRemoteCirculation>N</bannedInRemoteCirculation>
     </userDocument>
   </userObjectResponse>
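An added example (not part of the guide and not EZproxy code) that parses the userobjectresponse returned in step 5 and lists what a reviewer would want fixed before go-live: a missing uid or recommended attribute, NNNNN placeholders left in user.txt, a banned flag, or an expirydate that has already passed. The sample response is constructed to mirror the one above; element names are matched case-insensitively so the check does not depend on how the server cases them.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample mirroring the Section 7 response (all values are made up).
SAMPLE_RESPONSE = """<userObjectResponse>
  <serviceStatus>OK</serviceStatus>
  <userDocument>
    <lastAuthenticated>2009-01-23T17:16:13Z</lastAuthenticated>
    <groupNumber>NNNNN</groupNumber>
    <instNumber>NNNNN</instNumber>
    <uid>999999</uid>
    <location>plxc</location>
    <category>11</category>
    <forename>Jane</forename>
    <surname>Smith</surname>
    <emailAddress>jane.smith@oclc.org</emailAddress>
    <dateFormat>MM-DD-YY</dateFormat>
    <joinDate>01-21-09</joinDate>
    <expiryDate>03-03-09</expiryDate>
    <bannedInRemoteCirculation>N</bannedInRemoteCirculation>
  </userDocument>
</userObjectResponse>"""

# Section 3: uid is always required; these are "No (but recommended)".
RECOMMENDED = ("forename", "surname", "emailaddress", "category", "bannedinremotecirculation")


def parse_userobject(xml_text):
    """Flatten the leaf elements into a dict keyed by lower-cased tag name."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        if len(el) == 0:                               # leaf element
            fields[el.tag.lower()] = (el.text or "").strip()
    return fields


def expiry_to_date(expiry, date_format):
    """Turn the guide's dateformat token (e.g. MM-DD-YY) into a strptime
    pattern and parse expirydate with it; None if the value does not fit."""
    pattern = (date_format.replace("YYYY", "%Y").replace("MM", "%m")
               .replace("DD", "%d").replace("YY", "%y"))
    try:
        return datetime.strptime(expiry, pattern).date()
    except ValueError:
        return None


def check_userobject(xml_text, today_iso):
    """Return the list of problems found; an empty list means the response
    is usable for requesting as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    f = parse_userobject(xml_text)
    problems = []
    if f.get("servicestatus", "").upper() != "OK":
        problems.append("serviceStatus is not OK")
    if not f.get("uid"):
        problems.append("uid missing: Navigator cannot identify the patron")
    for name in RECOMMENDED:
        if not f.get(name):
            problems.append(f"{name} missing (recommended)")
    for name in ("groupnumber", "instnumber"):
        if f.get(name, "").upper() in ("", "NNNNN"):
            problems.append(f"{name} still the NNNNN placeholder")
    if f.get("bannedinremotecirculation", "").upper() == "Y":
        problems.append("bannedinremotecirculation=Y: requesting is blocked")
    if f.get("expirydate"):
        exp = expiry_to_date(f["expirydate"], f.get("dateformat", ""))
        if exp is None:
            problems.append("expirydate does not match dateformat")
        elif exp < today:
            problems.append("expirydate is in the past: requesting is blocked")
    return problems
```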

Appendix A: Custom EZproxy config.txt

   #############################################################
   # The DNS-resolvable name of the local EZproxy server
   Name ezproxy.hostname.edu

   # Either the DNS-resolvable name or an IP address of the local EZproxy server,
   # or the value "ANY", which will bind to all IP addresses of the host server
   Interface ezproxy.hostname.edu

   # Initial login port to be able to access the /admin console
   LoginPort 2048

   # Force high encryption
   Option DisableSSL40bit

   # SSL port which should be used in production
   LoginPortSSL 443

   # ForceHTTPSLogin: enable it once SSL certificates are in place
   Option ForceHTTPSLogin

   # Start as root then drop privileges; uncomment for Unix systems
   ##RunAs nobody:nobody

   # Required to allow the use of userobjects
   Option UserObject

   # Uncomment UserObjectTestMode to be able to view the raw userobject
   # during testing by sending this URL to the EZproxy server:
   # https://ezproxy.hostname.edu/userobject?service=gettoken
   #Option UserObjectTestMode

   # Insert the pre-assigned WSKey below - must be 80 characters in length
   LocalWSKey MYWSKEY

   # Allow the Master EZproxy server
   Option RedirectSafe oclc.org
   #############################################################
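An added example (not the guide's or EZproxy's own code) that audits a config.txt against the directives from Section 4 and Appendix A: the draft fragment still carries the MYWSKEY placeholder and leaves UserObjectTestMode active, the production fragment is the hardened form of the same file. The hostnames and the 80-character key are constructed.

```python
# Constructed config.txt fragments (not the guide's file): a draft that still
# has test settings in it, and the production version of the same directives.
DRAFT_CONFIG = """
Name ezproxy.example.edu
Interface ANY
LoginPort 2048
LoginPortSSL 443
Option UserObject
Option UserObjectTestMode
LocalWSKey MYWSKEY
"""

PRODUCTION_CONFIG = """
Name ezproxy.example.edu
Interface ezproxy.example.edu
LoginPort 2048
Option DisableSSL40bit
LoginPortSSL 443
Option ForceHTTPSLogin
RunAs nobody:nobody
Option UserObject
#Option UserObjectTestMode
LocalWSKey """ + "K" * 80 + """
Option RedirectSafe oclc.org
"""


def parse_config(text):
    """Return (directives, options): directives as {name: [values]} and the
    set of 'Option X' flags, both lower-cased. Lines starting with '#' are
    comments, so a commented-out '#Option UserObjectTestMode' is ignored."""
    directives, options = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "option":
            options.add(value.lower())
        else:
            directives.setdefault(name, []).append(value)
    return directives, options


def audit_config(text):
    """Checks a reviewer would run on config.txt before the server is exposed
    to Navigator; each finding names the directive from the guide."""
    directives, options = parse_config(text)
    findings = []
    if "userobject" not in options:
        findings.append("Option UserObject missing: userobject support is off")
    if "userobjecttestmode" in options:
        findings.append("Option UserObjectTestMode active: raw userobject viewable at "
                        "/userobject?service=gettoken; comment it out after testing")
    key = directives.get("localwskey", [""])[0]
    if key in ("", "MYWSKEY"):
        findings.append("LocalWSKey still the MYWSKEY placeholder")
    elif len(key) != 80:
        findings.append(f"LocalWSKey is {len(key)} characters; the guide requires 80")
    if "forcehttpslogin" not in options:
        findings.append("Option ForceHTTPSLogin missing: logins not forced onto HTTPS")
    if "disablessl40bit" not in options:
        findings.append("Option DisableSSL40bit missing: 40-bit SSL still allowed")
    if "runas" not in directives:
        findings.append("RunAs not set (Unix only): EZproxy keeps root after start")
    return findings


if __name__ == "__main__":
    for label, cfg in (("draft", DRAFT_CONFIG), ("production", PRODUCTION_CONFIG)):
        print(label, audit_config(cfg) or "clean")
```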

Appendix B: EZproxy userobject

The EZproxy userobject contains these 42 attributes:

   session:groupnumber
   session:groupsymbol
   session:instnumber
   session:instsymbol
   session:uid
   session:location
   session:category
   session:title
   session:forename
   session:middlename
   session:surname
   session:namesuffix
   session:emailaddress
   session:dateformat
   session:joindate
   session:expirydate
   session:usergroups
   session:bannedinremotecirculation
   session:canrequestifbanned
   session:clientpresignedcopyright
   session:attributes
   session:note1
   session:note2
   session:note3
   session:note4
   session:note5
   session:note6
   session:note7
   session:note8
   session:note9
   session:note10
   session:addressee
   session:building
   session:street
   session:district
   session:city
   session:region
   session:country
   session:pobox
   session:postcode
   session:phonenumber
   session:faxnumber