
# iptables --list -n --line-numbers
# iptables -I RH-Firewall-1-INPUT 36 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 37 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 3306 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 38 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9510 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 39 -m state --state NEW -m tcp -p tcp -s 18.x.y.z --dport 9530 -j ACCEPT

Installing the CAMS application

We will run the CAMS application in the same Tomcat container as the Shibboleth IdP. Copy the CAMS application war file, cams.war, into /usr/local/tomcat/webapps.

Create a Java keystore containing the application client certificate

The CAMS application uses an application client certificate to authenticate to the Roles web service. The subject CN of the certificate for the production server should be touchstone-cams.app.mit.edu (for the staging server, use touchstone-cams-staging.app.mit.edu). When creating the certificate, make sure that it is an Application Client Certificate, not a standard web server certificate; it should be issued by the MIT Client CA, and must be enabled for client usage.

Once you have the application client certificate, you must convert it to PKCS12 format for importing into a Java keystore. Begin by downloading the MIT Client CA certificate:

# wget 'http://mv.ezproxy.com.ezproxyberklee.flo.org/mitClient.crt'

To convert to PKCS12 format (assuming the certificate and private key PEM files are in cams-app-cert.pem and cams-app-key.pem, respectively):

# openssl pkcs12 -in cams-app-cert.pem -inkey cams-app-key.pem -export -out cams-app-cert.p12 -nodes -CAfile mitClient.crt

(Supply the export password as prompted; remember the password for use with the keystore.)

cams-app-cert.p12 now contains the certificate in PKCS12 format. To import it into a keystore, obtain a copy of the ISDA PKCS12Import.jar utility, and invoke it as follows (adjust the JAVA_HOME environment setting as needed):

# setenv JAVA_HOME /usr/java/jdk1.5.0_13
# $JAVA_HOME/bin/java -jar PKCS12Import.jar cams-app-cert.p12 cams-app.jks PASSWORD

where PASSWORD is replaced by the actual password you supplied above. Install the resulting keystore file into /usr/local/cams/conf. Ensure that it is owned and only readable by the tomcat user.

Next, we need to create a server trust store containing the MIT CA certificates. Begin by copying the standard Java CA certificate store from the Java distribution, e.g.:

# cp /usr/java/jdk1.5.0_13/jre/lib/security/cacerts /usr/local/cams/conf/serverTrustStore.jks

Download the MIT CA and, if necessary, MIT Client CA certificates (you should already have downloaded the Client CA above), and import them into the trust store:

# wget 'http://mv.ezproxy.com.ezproxyberklee.flo.org/mitca.crt'
# wget 'http://mv.ezproxy.com.ezproxyberklee.flo.org/mitClient.crt'
# $JAVA_HOME/bin/keytool -import -keystore /usr/local/cams/conf/serverTrustStore.jks -alias mitca -file mitca.crt
# $JAVA_HOME/bin/keytool -import -keystore /usr/local/cams/conf/serverTrustStore.jks -alias mitClient -file mitClient.crt

The password for the server trust store is "changeit". Answer "yes" to the "Trust this certificate?" prompt.

Finally, we set system (global) properties so that the CAMS and IdP applications use these keystores, by adding the following settings to /usr/local/tomcat/conf/catalina.properties:

javax.net.ssl.keyStore=/usr/local/cams/conf/cams-app.jks
javax.net.ssl.keyStorePassword=PASSWORD
javax.net.ssl.trustStore=/usr/local/cams/conf/serverTrustStore.jks
javax.net.ssl.trustStorePassword=changeit

(Replace PASSWORD with the password you used for the application certificate key store above). Make sure that the catalina.properties file is owned and only readable by the tomcat user.

CAMS application configuration properties

The CAMS configuration.properties file should be installed in /usr/local/cams/conf/configuration.properties. It should be readable only by the tomcat user, as it contains a key for the ReCaptcha service used in account registration. Most of the settings in this file should not need to be changed, but two settings may need to be changed to address operational issues: one disables the creation of new accounts (except by admins), and the other disables the ReCaptcha service (in case of a problem with that service). Normally, these settings should be:

enable.create = 1
enable.recaptcha = 1

Change the relevant setting to 0 and restart tomcat to disable that function. (If ReCaptcha needs to be disabled, it is likely you will also want to disable account creation, to prevent spammer attacks.)

Other settings in this file include:

  • moira.server and authz.server are the servers to use for the Moira and AuthZ web services, respectively:
    moira.server=ws.mit.edu
    authz.server=authz.mapws.mit.edu
    
  • The ReCaptcha keys and domain:
    recaptcha.publicKey=XXX
    recaptcha.privateKey=XXX
    recaptcha.domain=idp.touchstonenetwork.net
    
  • uploadDir is the directory used for bulk account uploads (used by admins when migrating accounts from old systems):
    uploadDir=/usr/local/cams/uploads
    
    Create this directory, if necessary, and ensure it is writable by the tomcat user.
  • touchstoneSupportMailAddress is the email address to use for Touchstone Support links in the CAMS application:
    touchstoneSupportMailAddress=touchstone-support@mit.edu
    

You must restart tomcat in order for any changes to this properties file to take effect.
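As an added post-install check (example code written for this page, not part of the CAMS distribution), the following Python script verifies the ownership and permission requirements stated above for cams-app.jks, catalina.properties and configuration.properties, and reads configuration.properties to flag the enable.create / enable.recaptcha combination the text warns about. The file paths and the tomcat user name come from the page; the function names are this example's own.

```python
import os
import pwd
import stat

# Files the page says must be owned and readable only by the tomcat user.
SENSITIVE_FILES = [
    "/usr/local/cams/conf/cams-app.jks",
    "/usr/local/tomcat/conf/catalina.properties",
    "/usr/local/cams/conf/configuration.properties",
]

def check_private_file(path, owner="tomcat"):
    """Return problems found; empty means owned by `owner` with no group/other bits."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    actual = pwd.getpwuid(st.st_uid).pw_name
    if actual != owner:
        problems.append(f"{path}: owned by {actual}, expected {owner}")
    # Any group/other bit exposes the keystore password or the ReCaptcha private key.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    return problems

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines; '#' and '!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_cams_settings(text):
    """Flag risky states of the two operational switches (page: disable creation when ReCaptcha is off)."""
    props = parse_properties(text)
    create = props.get("enable.create", "1")
    findings = []
    if create == "0":
        findings.append("account creation disabled (enable.create=0)")
    elif props.get("enable.recaptcha", "1") == "0":
        findings.append("ReCaptcha disabled but account creation still enabled")
    if props.get("recaptcha.privateKey", "XXX") == "XXX":
        findings.append("recaptcha.privateKey is still the XXX placeholder")
    return findings
```

Run it as root on the IdP host after installation; any non-empty result is a deviation from the requirements in this section.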