| Include Page |
|---|
| TEM:_SystemPrep_RHEL |
|---|
| TEM:_SystemPrep_RHEL |
|---|
|
Install Trust RouterWe’re now ready to install the Trust Router software and its required dependencies. Install the software by running the following command: | Code Block |
|---|
| $ yum install trust_router moonshot-ui |
Next, we need to configure the Trust Router. RadSecAPC TLSFirst, you will need a copy of a client key and certificate (and appropriate CA) from the APC(s) that your Trust Router serves. Copy them onto the filesystem. | Note |
|---|
You can put these files anywhere on the file system, but this guide assumes you put them in /etc/pki/tls. If you place them in a different location you will need to change the locations below as appropriate. |
Connection to APCNext, we need to configure the RadSec configuration for the APC. We do this by creating a file at /etc/radsec.conf with the following: | Code Block |
|---|
| realm gss-eap {
type = "TLS"
cacertfile = "/etc/pki/tls/tr-ca.pem"
certfile = "/etc/pki/tls/tr-client.pem"
certkeyfile = "/etc/pki/tls/tr-client.key"
disable_hostname_check = yes
server {
hostname = "apc.moonshot.ja.netYOUR_APC_HOSTNAME"
service = "2083"
secret = "radsec"
}
} |
Trust RouterDaemon ConfigurationYour Trust Router will need to have a few core configuration items set. To do this: - Open the default instance's main configuration file at
/etc/trust_router/conf.d/default/main.cfg for editing.
- Change the hostname to the (fully qualified) hostname of your Trust Router.
- Change the port that it runs on, if necessary.
- Open the
/etc/sysconfig/trust_router file for editing. Make sure the configuration items are correct. Items you will most likely have to change are:TR_DEFAULT_TEST_ACCEPTOR - this will need to be set to the (fully qualified) hostname of your Trust Router. TR_DEFAULT_TEST_RPREALM - this will need to be set to the (fully qualified) hostname for your APC. TR_DEFAULT_TEST_COMMUNITY - this will need to be set to the (fully qualified) hostname for your APC. TR_DEFAULT_TEST_REALM - this will need to be set to the (fully qualified) hostname for your APC.
Moonshot ConfigurationMoonshot, you say? Yes, Trust Router uses Moonshot to authenticate and secure all communications between Trust Router clients and servers. So, you will need to configure the trust router user to make use of the Moonshot flatstore (i.e. telling Moonshot that this is a special system account, not a regular user account), and you will need to import a set of credentials for your Trust Router to use. Enable the trustrouter user to use the Moonshot UI flatstore: | Code Block |
|---|
| $ echo "trustrouter" >> /etc/moonshot/flatstore-users |
Import it using the moonshot-webp command (as the trustrouter user): | Note |
|---|
There is currently an error in the home directory for the trustrouter user in /etc/passwd. Edit the file and change the home directory from /var/lib/trustrouter to /var/lib/trust_router before executing the below commands. |
| Code Block |
|---|
| $ su - --shell=/bin/bash trustrouter
$ unset DISPLAY
$ moonshot-webp -f [path to credential file] |
| Info |
|---|
The credentials file will be given to you by the administrator of the APC. |
ShibbolethShibboleth, you say? Yes, Shibboleth is used by the Moonshot components to be able to deal with incoming SAML. However, this feature typically isn't used in Trust Router, but its logging will appear in your Trust Router's log files. So, to simplify your log files, it is recommended that you silence the Shibboleth logging. To do this: - Open
/etc/shibboleth/console.logger for editing. Change WARN to NONE on the first line, i.e. | Code Block |
|---|
| log4j.rootCategory=NONE, console |
Default Peer| Info |
|---|
| If your Trust Router is going to run in its own, standalone, trust network, then you can skip this step. |
If your Trust Router is going to run in a wider trust network, then you can configure your Trust Router's default peer - i.e. the Trust Router it sends its clients to when they ask it to locate a Moonshot entity that your Trust Router doesn't know about. To do this: Open /etc/trust_router/conf.d/default/peering.cfg for editing. Change the content as follows: | Code Block |
|---|
| {
"default_servers": [
"[hostname of trust router]"
]
} |
| Note |
|---|
If the /etc/trust_router directory does not exist, you may need to create it yourself, along with the subdirectories mentioned. |
| Tip |
|---|
| If you were configuring your default Trust Router peer to be Janet's Trust Router at tr1.moonshot.ja.net, its peering.cfg file would look like this: | Code Block |
|---|
| {
"default_servers": [
"tr1.moonshot.ja.net"
]
} |
|
A trust router requires a trust configuration to function correctly. See the trust configuration file for more information. Place an appropriate trusts.cfg file info the /etc/trust_router directory and symbolically link it into the default configuration directory: | Code Block |
|---|
| # cd /etc/trust_router/conf.d/default
# ln -s ../../trusts.cfg |
Restart your Trust RouterYou are now ready to restart your Trust Router and test it. To do this: As root, restart the Trust Router daemon: | Code Block |
|---|
| $ service trust_router restart |
TestingTo test your trust router, you should attempt a TIDC request on a Moonshot service connected to your trust router. The TIDC request will take a little longer, but it should succeed. If it fails, please contact us. Next StepsAt this point, you now have a Trust Router. Blimey. |