This guide assumes that you are using the latest available version of RHEL/CentOS/SL 6 7 - which at the time of writing this guide is 7.6.5.
Install Trust Router
We’re now ready to install the Trust Router software and its required dependencies. Install the software by running the following command:
Configure Trust Router
Next, we need to configure the Trust Router.
First, you will need a copy of a client key and certificate (and appropriate CA) from the APC(s) that your Trust Router serves. Copy them onto the filesystem.
Connection to APC
Next, we need to configure the RadSec configuration for the APC. We do this by creating a file at
Then check the file and the certificates can be read by the Trust Router user:
Your Trust Router will need to have a few core configuration items set. To do this:
Moonshot, you say? Yes, Trust Router uses Moonshot to authenticate and secure all communications between Trust Router clients and servers. So, you will need to configure the trust router user to make use of the Moonshot flatstore (i.e. telling Moonshot that this is a special system account, not a regular user account), and you will need to import a set of credentials for your Trust Router to use.
Shibboleth, you say? Yes, Shibboleth is used by the Moonshot components to be able to deal with incoming SAML. However, this feature typically isn't used in Trust Router, but its logging will appear in your Trust Router's log files. So, to simplify your log files, it is recommended that you silence the Shibboleth logging. To do this:
If your Trust Router is going to run in a wider trust network, then you can configure your Trust Router's default peer - i.e. the Trust Router it sends its clients to when they ask it to locate a Moonshot entity that your Trust Router doesn't know about. To do this:
Configure your Trust Router
A trust router requires a trust configuration to function correctly. See the trust configuration file for more information.
Place an appropriate
Start your Trust Router
You are now ready to restart your Trust Router and test it. To do this:
To test your trust router, you should attempt a TIDC request on a Moonshot service connected to your trust router. If you have defined a default peer, the TIDC request may take a little longer, but it should succeed.
If it fails, please contact us.
At this point, you now have a Trust Router.
Automatically start the software
To automatically start Trust Router, issue the following command (as root):
If this is working correctly, you should see trust_router running as a daemon process.