Several settings have to be set correctly for authentication to work. In EDG and most Globus systems most of them are correct by default. The settings can be given on the command line (AXIS) or in a properties object passed to the relevant method. In both cases they can be given either directly as properties or as the name of a file that contains them (sslConfigFile).
The mandatory settings are:
Attention! Some of the settings have a different name when used in Tomcat's server.xml, as indicated in the table below. When the settings are in a separate file referenced from server.xml via sslConfigFile, they use the normal (non-server.xml) names.
The credentials can be set either as a PEM-encoded private key and certificate pair, as a key store, or as a proxy certificate. To set the credentials using a proxy certificate, use the gridProxyFile setting. To set them using a private key and certificate, use the sslCertFile, sslKey and sslKeyPasswd settings. To set them using a key store, use the sslCertStore, sslCertStoreType and sslCertStorePasswd settings. The key store type can usually be deduced from the file ending (.p12 for "pkcs12" and .jks for "jks").
The trusted CA certificates can likewise be set using either PEM-encoded certificates or a key store. In Globus systems they are usually PEM-encoded certificates in the /etc/grid-security/certificates directory with the .0 ending, which is the default. To override this, use the sslCAFiles setting. To set the CA certificates from a key store, use the sslCAStore, sslCAStoreType and sslCAStorePasswd settings.
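As an added example (not part of the Trust Manager documentation itself), this is what a settings file referenced through sslConfigFile might look like when PEM credentials and the default CA directory are used. Every path and password in it is a constructed placeholder, not a value from any real deployment.

```properties
# Constructed example of a Trust Manager settings file, referenced from the
# caller's properties (or from server.xml) via sslConfigFile. Paths and
# passwords are placeholders, not values taken from a real deployment.

# Credentials: PEM private key and certificate pair (one of the three ways)
sslCertFile=/path/to/hostcert.pem
sslKey=/path/to/hostkey.pem
# Only needed if the key file is password protected
sslKeyPasswd=CHANGE_ME_placeholder
# Re-read the credentials every 12 hours ('12h' and '12 hours' are equivalent)
credentialsUpdateInterval=12h

# Trusted CAs: the default pattern, written out explicitly
sslCAFiles=/etc/grid-security/certificates/*.0

# Revocation checking
crlFiles=/etc/grid-security/certificates/*.r0
crlUpdateInterval=1h
crlEnabled=true
# The default is false, which accepts certificates from a CA whose CRL is
# missing or unusable; true rejects them until a valid CRL is present.
crlRequired=true

sslProtocol=TLS
logFile=/path/to/trustmanager.log
```

The same keys can be set directly in the properties object instead of in a file; the file form only makes them easier to share between components.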
The configuration options that the Trust Manager supports are as follows (default values are shown in [brackets]):
Setting name | Name in server.xml (if different) | Explanation
---|---|---
Credentials | |
sslCertFile, sslKey, sslKeyPasswd | | The location of the SSL/TLS credentials (PEM format). Specifies the file names of the certificate and the private key. If the private key file is password protected, sslKeyPasswd must be defined as well. [undefined]
sslCertStore, sslCertStoreType, sslCertStorePasswd | | The location of the SSL/TLS credentials (Java format). sslCertStore specifies the file name of the Java key store [undefined]; sslCertStoreType defines the key store format [JKS]; sslCertStorePasswd is the protecting password [changeit].
gridProxyFile | | The location of the SSL/TLS credentials (Grid proxy format). [the grid proxy file in /tmp]
credentialsUpdateInterval | | The period after which the credentials are reloaded from disk. The syntax is an integer value followed by the suffix 'seconds', 'minutes', 'hours' or 'days', of which only the first character matters; '12 D', '12d', '12Days' and '12 days' are all equivalent. [2h] = 2 hours
CA settings | |
sslCAFiles | caFiles | Defines the set of trusted CA certificates (PEM style). This is a file pattern in which the wildcards '*' and '?' are allowed in the file name. [/etc/grid-security/certificates/*.0]
sslCAStore, sslCAStoreType, sslCAStorePasswd | | Defines the set of trusted CA certificates (Java style). sslCAStore specifies the file name of the Java key store [undefined]; sslCAStoreType defines the key store format [JKS]; sslCAStorePasswd is the protecting password [changeit].
CRL settings | |
crlFiles | | The location of the CRL files (PEM style). This is a file pattern in which the wildcards '*' and '?' are allowed in the file name. [/etc/grid-security/certificates/*.r0]
crlUpdateInterval | | The period after which the CRL files are reloaded from disk (for performance reasons the revocation information is kept in memory). Same syntax as credentialsUpdateInterval: an integer followed by 'seconds', 'minutes', 'hours' or 'days', of which only the first character matters. [2h] = 2 hours
crlEnabled | | "true" or "false". Defines whether the Trust Manager verifies certificates against the provided CRLs. [true]
crlRequired | | "true" or "false". Defines whether the Trust Manager requires a valid CRL from a CA in order to accept certificates from that CA. When set to true and there is no valid CRL for a CA, all certificates from that CA are considered revoked and are rejected. [false]
General | |
sslConfigFile | | A separate file containing the authentication settings. Referencing one configuration file that holds all the necessary settings makes the authentication settings easier to manage. This setting is only meaningful in the properties class given to ContextWrapper or in the input file for ChangeFactory. [undefined]
sslProtocol | protocol | Which secure socket protocol to speak. Valid options are SSLv2, SSLv3 and TLS. [TLS]
logFile | | The file to write the logs to.
log4jConfFile | logConfFile | The log4j configuration file for the logging configuration.
sslPort | port | The port for SSL communication. (Only used in the input file for the ChangeFactory.)
Settings to be implemented (depending on need and time) | |
sslCipher | | Which cipher (algorithm and strength) to use for the symmetric encryption. [(system default)]
sslCertStoreAlias | | Which key in the key store to use. [tomcat]
sslCertStoreKeyPasswd | | The password needed to access the private key in the key store. Used together with sslCertStoreAlias when the private key is encrypted with a different password than the key store.
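Two of the rows above describe behaviour rather than a plain value: the duration syntax shared by credentialsUpdateInterval and crlUpdateInterval, and the accept/reject outcome that crlEnabled and crlRequired produce when a CA's CRL is missing or unusable. The following Python is an added illustration of both, not Trust Manager code: parse_interval, crl_decision, the Crl class and the SAMPLE_CRLS data are constructed here, and the decision function models only what the table states (chain validation is assumed to have already succeeded). It makes the default crlRequired=false fail-open behaviour visible next to the fail-closed setting.

```python
"""Helpers for two Trust Manager settings described in the table (added example,
not project code): the duration syntax of credentialsUpdateInterval /
crlUpdateInterval, and the decision implied by crlEnabled and crlRequired.
"""
import re
from dataclasses import dataclass

# Suffixes 'seconds', 'minutes', 'hours', 'days': only the first character matters.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_INTERVAL_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")


def parse_interval(text: str) -> int:
    """Convert '2h', '12 D', '12Days' or '12 days' to a number of seconds.

    Whitespace between the number and the suffix is optional and the suffix is
    case-insensitive, as the table's examples imply. Anything else raises.
    """
    match = _INTERVAL_RE.match(text)
    if not match:
        raise ValueError(f"malformed interval: {text!r}")
    value, unit = int(match.group(1)), match.group(2)[0].lower()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown interval unit in {text!r}")
    return value * _UNIT_SECONDS[unit]


@dataclass(frozen=True)
class Crl:
    """Minimal stand-in for a loaded CRL (constructed; not the Trust Manager's type)."""
    issuer: str
    revoked_serials: frozenset
    valid: bool = True  # False models an expired or unparsable CRL


def crl_decision(issuer: str, serial: int, crls: dict,
                 crl_enabled: bool = True, crl_required: bool = False):
    """Return (accept, reason) for the CRL stage of certificate validation.

    crlEnabled switches CRL checking on or off; crlRequired decides what happens
    when the issuing CA has no valid CRL. Chain validation is assumed done.
    """
    if not crl_enabled:
        return True, "crlEnabled=false: certificate not checked against CRLs"
    crl = crls.get(issuer)
    if crl is None or not crl.valid:
        if crl_required:
            return False, "crlRequired=true and no valid CRL for this CA: treated as revoked"
        return True, "no valid CRL for this CA, crlRequired=false: accepted unchecked"
    if serial in crl.revoked_serials:
        return False, "serial listed in the CA's CRL"
    return True, "not listed in the CA's CRL"


# Constructed sample data: two CAs, one of which has no usable CRL.
SAMPLE_CRLS = {
    "CN=Example CA 1": Crl("CN=Example CA 1", frozenset({0x1001, 0x1002})),
    "CN=Example CA 2": Crl("CN=Example CA 2", frozenset(), valid=False),
}


def demo():
    """Run the sample decisions and return the list of (accept, reason) tuples."""
    results = [
        crl_decision("CN=Example CA 1", 0x1001, SAMPLE_CRLS),                     # revoked
        crl_decision("CN=Example CA 1", 0x2000, SAMPLE_CRLS),                     # not revoked
        crl_decision("CN=Example CA 2", 0x3000, SAMPLE_CRLS),                     # default: fail-open
        crl_decision("CN=Example CA 2", 0x3000, SAMPLE_CRLS, crl_required=True),  # fail-closed
        crl_decision("CN=Example CA 1", 0x1001, SAMPLE_CRLS, crl_enabled=False),  # CRLs ignored
    ]
    for accept, reason in results:
        print("ACCEPT" if accept else "REJECT", "-", reason)
    return results


if __name__ == "__main__":
    print(parse_interval("2h"), "seconds")
    demo()
```

The third and fourth sample decisions are the ones worth comparing: with the default crlRequired=false a CA whose CRL has expired or failed to load is effectively exempt from revocation checking, while crlRequired=true rejects its certificates until a valid CRL is available again, which in turn makes crlUpdateInterval and the freshness of crlFiles operationally important.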