UFTP AUTHENTICATION SERVICE

Similar documents
UNICORE UFTPD server UNICORE UFTPD SERVER. UNICORE Team

How To - Implement Single Sign On Authentication with Active Directory

LICENSE4J LICENSE ACTIVATION AND VALIDATION PROXY SERVER USER GUIDE

Using LDAP Authentication in a PowerCenter Domain

Secure Messaging Server Console... 2

AklaBox. The Ultimate Document Platform for your Cloud Infrastructure. Installation Guideline

Hadoop Data Warehouse Manual

UFTP High-performance data transfer for UNICORE

McAfee One Time Password

ZeroTurnaround License Server User Manual 1.4.0

Magento Search Extension TECHNICAL DOCUMENTATION

Volume SYSLOG JUNCTION. User s Guide. User s Guide

NSi Mobile Installation Guide. Version 6.2

WWPass External Authentication Solution for IBM Security Access Manager 8.0

OpenLDAP Oracle Enterprise Gateway Integration Guide

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

JobScheduler Web Services Executing JobScheduler commands

TMS Phone Books Troubleshoot Guide

IUCLID 5 Guidance and Support

PHP Integration Kit. Version User Guide

Configuring. Moodle. Chapter 82

UNICORE REGISTRY MANUAL

SOA Software API Gateway Appliance 7.1.x Administration Guide

Axway API Gateway. Version 7.4.1

IBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, Integration Guide IBM

Elluminate Live! Access Guide. Page 1 of 7

How To - Implement Clientless Single Sign On Authentication in Single Active Directory Domain Controller Environment

LICENSE4J AUTO LICENSE GENERATION AND ACTIVATION SERVER USER GUIDE

IBM WebSphere Application Server V8.5 lab Basic Liberty profile administration using the job manager

JOINUS AG. PowerPay Checkout. Magento Module User Manual. Support:

RHEV 2.2: REST API INSTALLATION

Introduction Installing the download utility Installing Java(TM) 2 Runtime Environment, Standard Edition

User-ID Features. PAN-OS New Features Guide Version 6.0. Copyright Palo Alto Networks

1 Reflection ZFE 5. 2 Security Considerations Troubleshooting the Installation 19. Contents 1

Crawl Proxy Installation and Configuration Guide

Monitoring Oracle Enterprise Performance Management System Release Deployments from Oracle Enterprise Manager 12c

IBM Unica emessage Version 8 Release 6 February 13, Startup and Administrator's Guide

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

GS1 Trade Sync Connectivity guide

IMPLEMENTING DIRECTORY SERVICES INTEGRATION WITH HELIX MEDIA LIBRARY Revision Date: September 2014

Fairsail REST API: Guide for Developers

JMETER - MONITOR TEST PLAN

AmbrosiaMQ-MuleSource ESB Integration

Novell Access Manager

Application Security Policy

Elluminate Live! Access Guide. Page 1 of 7

FireEye App for Splunk Enterprise

Oracle Fusion Middleware 11gR2: Forms, and Reports ( ) Certification with SUSE Linux Enterprise Server 11 SP2 (GM) x86_64

Configuration Guide. BES12 Cloud

USER GUIDE. Snow Inventory Client for Unix Version Release date Document date

SafeNet KMIP and Google Cloud Storage Integration Guide

OneLogin Integration User Guide

Establishing two-factor authentication with Barracuda NG Firewall and HOTPin authentication server from Celestix Networks

Microsoft Active Directory Oracle Enterprise Gateway Integration Guide

Tableau Server Trusted Authentication

How to Configure Captive Portal

Remote Access API 2.0

Tableau Server Trusted Authentication

Ellucian Recruiter Installation and Integration. Release 4.1 December 2015

Published. Technical Bulletin: Use and Configuration of Quanterix Database Backup Scripts 1. PURPOSE 2. REFERENCES 3.

SOA Software: Troubleshooting Guide for Agents

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

Introduction. Before you begin. Installing efax from our CD-ROM. Installing efax after downloading from the internet

EMC XDS Repository Connector for ViPR

AdRadionet to IBM Bluemix Connectivity Quickstart User Guide

Active Directory Service. Integration Parameters and Implementation

24x7 Scheduler Multi-platform Edition 5.2

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

escan SBS 2008 Installation Guide

Sample copy. Introduction To WebLogic Server Property of Web 10.3 Age Solutions Inc.

docs.hortonworks.com

Oracle Exam 1z0-102 Oracle Weblogic Server 11g: System Administration I Version: 9.0 [ Total Questions: 111 ]

Configuring User Identification via Active Directory

i2b2: Security Baseline

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

[1]Oracle Communications Billing and Revenue Management Web Services Manager Release 7.5 E

Experian Secure Transport Service

This presentation will discuss how to troubleshoot different types of project creation issues with Information Server DataStage version 8.

GravityLab Multimedia Inc. Windows Media Authentication Administration Guide

Onset Computer Corporation

Cyber-Ark Software. Version 4.5

Stealth OpenVPN and SSH Tunneling Over HTTPS

Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2

StreamServe Persuasion SP4

IBM Cloud Manager with OpenStack. REST API Reference, version 4.1

ADFS 2.0 Application Director Blueprint Deployment Guide

Pronestor Room & Catering

a) Install the SDK into a directory of your choice (/opt/java/jdk1.5.0_11, /opt/java/jdk1.6.0_02, or YOUR_JAVA_HOME_DIR)

OnCommand Performance Manager 1.1

RSA SecurID Token User Guide February 12, 2015

Umbraco Courier 2.0. Installation guide. Per Ploug Hansen 5/24/2011

Using sftp in Informatica PowerCenter

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

EMC Clinical Archiving

imhosted Web Hosting Knowledge Base

TECHNICAL NOTE SETTING UP A STRM UPDATE SERVER. Configuring your Update Server

Process Integrator Deployment on IBM Webspher Application Server Cluster

AdWhirl Open Source Server Setup Instructions

LAE 5.1. Windows Server Installation Guide. Version 1.0

SECURE FTP CONFIGURATION SETUP GUIDE

Transcription:

UFTP Authentication Service UFTP AUTHENTICATION SERVICE UNICORE Team Document Version: 1.1.0 Component Version: 1.1.1 Date: 17 11 2014

UFTP Authentication Service Contents 1 Installation 1 1.1 Prerequisites.................................... 1 1.2 Basic configuration (memory etc)........................ 2 1.3 Starting and stopping the service......................... 2 2 Configuration 2 2.1 User authentication................................ 2 2.2 Configure the UFTPD server(s) to be accessed.................. 4 2.3 Attribute mapping................................. 5 3 Checking the installation 7 4 Installing the Auth server in an existing UNICORE/X server 7

UFTP Authentication Service 1 The UFTP authentication service ("Auth server") is a simple HTTP-based service for authenticating users and initiating UFTP transfers. It is indended to be used with a standalone UFTP client. the Auth server checks the credentials provided by the user, and (if successful) maps the user to a distinguished name (DN). this DN is then assigned further attributes such as the user/group ID used by UFTPD, using the configured UNICORE attribute sources The Auth server is based on the UNICORE Services Environment, and all usual UNICORE features and security configuration options are available as well. For example, the Auth server can be deployed behind a UNICORE Gateway, or it can be configured to use Unity for authenticating users. One Auth server can be used to authenticate transfers for multiple UFTPD servers. This manual focuses on the configuration items specific to the Auth server. If you need more in-depth information on general configuration issues, please refer to the UNICORE/X manual, available via unicore.eu 1 Installation 1.1 Prerequisites The Auth server should be run as a non-root user (e.g. unicore). It requires Java 1.7 UFTPD 2.0 or later The Auth server needs an X.509 certificate and truststore for communicating with UFTPD. Users must be able to access the Auth server s https port. It is possible to deploy the Auth server behind a UNICORE Gateway (7.1 or later). The UFTP Auth service comes with all required scripts and config files to be run standalone. To install, unzip the downloaded package into a directory of your choice. Note You can run the service in an existing UNICORE/X server (version 7.1 or later is required). Please see Section 4 below for details.

UFTP Authentication Service 2 1.2 Basic configuration (memory etc) The startup.properties configuration file contains basic settings such as the Java command, JVM memory etc. Please review it. The Auth server host and port are configured in the wsrflite.xml configuration file: <!-- example host and port --> <property name="container.host" value="uftp.yoursite.com"/> <property name="container.port" value="9000"/> Also in the wsrflite.xml configuration file, the server s X.509 private key and the truststore settings need to be configured. 1.3 Starting and stopping the service Use the shell scripts in the bin folder to start or stop the service. 2 Configuration The following items need to be configured: user authentication: configure the Auth server to authenticate users using username/password, ssh key or via Unity UFTPD server(s) to be accessed 2.1 User authentication The enabled authentication options and their order are configured in wsrflite.xml (or uas.config), here we use the XML syntax of wsrflite.xml. <property name="container.security.rest.authentication.order" value="file SSHKEY UNITY"/> The available options can be combined! 2.1.1 Username-password file To use a file containing username, password and the DN,

UFTP Authentication Service 3 <property name="container.security.rest.authentication.order" value="file"/> <property name="container.security.rest.authentication.file.class" value="eu.unicore.services.rest.security. FilebasedAuthenticator"/> <property name="container.security.rest.authentication.file.file" value="conf/rest-users.txt"/> This configures to use the file conf/rest-users.txt. The file format is # # on each line: # username:hash:salt:dn # demouser:<...>:<...>:cn=demo User, O=UNICORE, C=EU i.e. each line gives the username, the hashed password, the salt and the user s DN, separated by colons. To generate entries, i.e. to hash the password correctly, the md5sum utility can be used. For example, if your intended password is test123, you could do $> SALT=$(tr -dc A-Za-z0-9_ < /dev/urandom head -c 16 xargs) $> echo "Salt is ${SALT}" $> echo -n "${SALT}test123" md5sum which will output the salted and hashed password. Here we generate a random string as the salt. Enter these together with the username, and the DN of the user into the password file. 2.1.2 Unity authentication You can also hook up with Unity, passing on the username/password and retrieving an authentication assertion. <property name="container.security.rest.authentication.order" value="unity"/> <!-- Unity settings --> <property name="container.security.rest.authentication.unity.class" value="eu.unicore.services.rest.security. UnitySAMLAuthenticator"/> <property name="container.security.rest.authentication.unity. address" value="https://localhost:2443/unicore-soapidp/ saml2unicoreidp-soap/authenticationservice"/> <!-- validate the received assertions? --> <property name="container.security.rest.authentication.unity. validate" value="true"/>

UFTP Authentication Service 4 2.1.3 SSH Key validation This authentication option is based on the validation of a token using the user s public SSH key. The token will be checked, and if successful, the user will be assigned a distinguished name for later authorisation. To use this option, you need to configure the REST authentication accordingly: <!-- authn --> <property name="container.security.rest.authentication.order" value="sshkey"/> <!-- SSH key settings --> <property name="container.security.rest.authentication.sshkey.class " value="eu.unicore.uftp.authserver.authenticate. SSHKeyAuthenticator"/> <property name="container.security.rest.authentication.sshkey.file" value="conf/ssh-users.txt"/> A file is required (in the example above we use conf/ssh-users.txt) which contains the mappings and the ssh public keys in a simple format: # Example SSH users file used with the SSHKEY authentication method # #format: username:sshkey:dn # demouser:ssh-rsa keydata_was_omitted testkey:cn=demo User, O= UNICORE, C=EU The SSH key is in the same one-line format used in the.ssh/authorized_keys file. You can enter multiple lines per username, to accommodate the case that a user has different SSH keys available. For example # Example SSH users file with multiple keys per user demouser:ssh-rsa <...omitted keydata...>:cn=demo User, O=UNICORE, C =EU demouser:ssh-dss <...omitted keydata...>:cn=demo User, O=UNICORE, C =EU otheruser:ssh-rsa <...omitted keydata...>:cn=other User, O=UNICORE, C=DE 2.2 Configure the UFTPD server(s) to be accessed For each UFTPD server you wish to authenticate users for, you ll need to configure the relevant properties in your container config file

UFTP Authentication Service 5 The authservice.servers property is a list of server names. These should be meaningful, since users will need to use them, too. The other properties are used to configure the UFTPD command address and the UFTPD listen address. Please refer to the UFTPD configuration and manual for details. For example, we want to configure two UFTPD servers named "CLUSTER" and "TEST": <!-- configured UFTPD server(s) --> <property name="authservice.servers" value="cluster TEST"/> <property name="authservice.server.cluster.host" value="cluster. your.org"/> <property name="authservice.server.cluster.port" value="64433"/> <property name="authservice.server.cluster.commandhost" value=" cluster.your.org"/> <property name="authservice.server.cluster.commandport" value ="64434"/> <property name="authservice.server.cluster.ssl" value="true"/> <property name="authservice.server.cluster.description" value=" Production UFTPD server on CLUSTER"/> <property name="authservice.server.test.host" value="localhost"/> <property name="authservice.server.test.port" value="64433"/> <property name="authservice.server.test.commandhost" value=" localhost"/> <property name="authservice.server.test.commandport" value ="64434"/> <property name="authservice.server.test.ssl" value="false"/> <property name="authservice.server.test.description" value="test UFTPD server"/> To allow the Auth server access to the command port of UFTPD, you need to add an entry to UFTPD s ACL file. This is explained in the UFTPD manual. 2.3 Attribute mapping After successful authentication, the user is assigned attributes such as the Unix account and group which is used for file access. The Unix account and group are taken from the configured attribute sources (e.g. XUUDB). Since it is possible to access multiple UFTPD servers using a single Auth server, it may be required to configure different attributes for different UFTPD servers. This is easily possible using the file attribute source (map file). It is also possible to control which directories and files that a user can access. This is done by configuring the allowed and/or the forbidden file path patterns. The following map file entry gives a full example. <entry key="cn=demo User,O=UNICORE,C=EU"> <attribute name="role">

UFTP Authentication Service 6 <value>user</value> <!-- default Unix account and group --> <attribute name="xlogin"> <value>somebody</value> <attribute name="group"> <value>users</value> <!-- UFTP specific attributes --> <attribute name="uftp.cluster.xlogin"> <value>user1</value> <attribute name="uftp.cluster.group"> <value>hpc</value> <!-- optional rate limit (bytes per second) --> <attribute name="uftp.cluster.ratelimit"> <value>10m</value> <!-- optional includes --> <attribute name="uftp.cluster.includes"> <value>/tmp/*:/work/*</value> <!-- optional excludes --> <attribute name="uftp.cluster.excludes"> <value>/home/*:/etc/*</value> </entry> Here, the "CLUSTER" must match a configured UFTPD server, see also Section 2.2. Available attributes are role: the UNICORE role, usually this will be user xlogin, group: Unix account and group to be used for this user ratelimit: the number of bytes per second (per transfer) can be limited. You can use the units "K", "M", and "G" for kilo, mega or gigabytes, respectively. includes: file path patterns (separated by ":") that are allowed. If not given, all the user s files can be accessed. excludes: file path patterns (separated by ":") that are forbidden. If not given, no files are explicitely excluded.

UFTP Authentication Service 7 3 Checking the installation You can check that the server works using a simple HTTP client such as curl to access the Auth server s base URL, provided you have configured username/password authentication. The command $> curl -k https://<host:port>/rest/auth \ -H "Accept: application/json" \ -u username:password should produce a JSON document containing information about the configured UFTPD servers, such as {"TEST": { "description": "Default UFTPD server for testing", "gid": "users", "href": "https://localhost:9000/rest/auth/test", "uid": "somebody" }} Note If you do not get any output, try adding the "-i" option to the curl command, most probably the username/password is incorrect. 4 Installing the Auth server in an existing UNICORE/X server This option is interesting if you are already running a UNICORE installation and want to allow your users a simpler way of transferring files using the standalone UFTP client. This requires UNICORE/X version 7.1 or later! copy the jar files to the lib directory of UNICORE/X copy the XACML policy file 30uftpAuthService.xml to the conf/xacml2policies directory edit wsrflite.xml (or uas.config) and setup user authentication and UFTPD details as described above if you want to place the Auth server behind a UNICORE gateway for easy firewall transversal, you need to configure an entry in the Gateway connections config file, and set the container base URL property in the Auth servers wsrflite.xml

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information