
On this page you will find instructions on how to set up a Trust Router on RedHat, CentOS, or Scientific Linux 6.


This guide assumes that you are using the latest available version of RHEL/CentOS/SL 6 - which at the time of writing this guide is 6.5.

1. System Preparation

1.1. Install RHEL/CentOS/SL 6

The first thing that is required is a RHEL/CentOS/SL 6 machine - this can be physical or virtual.

  1. Install the operating system via the usual mechanism (e.g. net boot CD, ISO in VMware/VirtualBox or the DVD image).
  2. Choose the following server install option: "Basic server".
  3. Create/choose a secure root password and an initial system user account.
  4. Once installed, make sure you run a yum makecache and yum update to ensure your system is fully up to date.

Tip

We would recommend using LVM when disk partitioning to allow easier partition/disk expansion on a live system.

Warning

After install, you will want to secure/lock down the server as best practice dictates - for both the server and any extra software installed. This is beyond the remit of this guide, but there are many guides available, e.g. for securing CentOS and SSH servers.

1.2. Configure CentOS 6

Next, there are a few CentOS configuration options that need to be set in advance.

1.2.1. Networking configuration

For production deployments, it is recommended that the Trust Router be assigned a static IP address.

For CentOS networking information please refer to the CentOS documentation: https://www.centos.org/docs/5/html/5.1/Deployment_Guide/ch-network-config.html

1.2.2. Firewall configuration

The following ports must be accessible from the outside world, both in the local firewall and in any external firewalls:

  • 2083/tcp (for RadSec connections to other Moonshot entities)
  • 12309/tcp (for Trust Router client connections - if using the Trust Router to broker trust relationships between entities)
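The firewall rules themselves are not shown on this page. As an added example (not part of the original guide), the following POSIX shell script prints the CentOS 6 iptables rule line for one port and audits an iptables-save style rules file such as /etc/sysconfig/iptables for an ACCEPT rule on each required port. The function names tr_fw_rule, tr_fw_audit and tr_fw_sample_rules and the sample rules file the demo writes are constructed for this example.

```shell
#!/bin/sh
# Added example: generate and audit iptables rules for the Trust Router ports.
# Function names and the sample rules file are constructed for this example.

# Print the iptables-save style rule that opens one tcp port for new connections.
tr_fw_rule() {
    echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
}

# Audit a rules file (iptables-save format, e.g. /etc/sysconfig/iptables) for
# an ACCEPT rule on each tcp port given. Prints one line per port; returns 0
# when every port has a rule and 1 when at least one is missing. This is a
# presence check only: it does not verify that the rule precedes a catch-all
# REJECT/DROP, and it does not understand multiport lists.
tr_fw_audit() {
    rules="$1"
    shift
    missing=0
    for port in "$@"; do
        if grep -Eq -e "-p tcp .*--dport ${port}( |$).*-j ACCEPT" "$rules"; then
            echo "ok      tcp/${port}"
        else
            echo "MISSING tcp/${port}"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the shape of a CentOS 6 /etc/sysconfig/iptables that
# has been opened for SSH and RadSec but not yet for Trust Router clients.
tr_fw_sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone demo: audit the sample, then show the rule line that is missing.
demo_rules=$(mktemp)
tr_fw_sample_rules > "$demo_rules"
tr_fw_audit "$demo_rules" 2083 12309 || echo "add before the REJECT line: $(tr_fw_rule 12309)"
rm -f "$demo_rules"
```

On a CentOS 6 host the generated rule lines go into /etc/sysconfig/iptables above the catch-all REJECT line, followed by service iptables restart; the audit then confirms both ports are present before the Trust Router is started.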

1.3. Add the Required Repositories

Trust Router requires two yum repositories to be added to the system - EPEL (home of some required dependencies), and the Moonshot repository.

  1. Install EPEL by running the following command:

    $ rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
  2. Install the Moonshot repository by creating a new file at /etc/yum.repos.d/moonshot.repo with the following content:

    [Moonshot]
    name=Moonshot
    baseurl=http://repository.project-moonshot.org/rpms/centos6/
    failovermethod=priority
    gpgcheck=1
    gpgkey=/etc/pki/rpm-gpg/Moonshot
  3. Install the Moonshot GPG key:

    $ wget -O /etc/pki/rpm-gpg/Moonshot http://repository.project-moonshot.org/rpms/centos6/moonshot.key
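The repository file above enables signature checking (gpgcheck=1) and names a key file that step 3 only fetches afterwards, over plain HTTP, so before running yum install it is worth confirming that the key is actually in place and that gpgcheck was not left off. As an added example (not part of the original guide), the following POSIX shell script checks a .repo file for exactly that. The functions repo_get, repo_key_check and repo_sample, and the placeholder key text the demo writes, are constructed for this example; on a real system the key file is the one downloaded in step 3.

```shell
#!/bin/sh
# Added example: confirm a yum .repo file enforces GPG checking and that the
# key it names is installed. Function names and sample data are constructed.

# Print the value of KEY from an ini-style .repo file.
# $1 = repo file, $2 = key name
repo_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 when gpgcheck=1 and gpgkey points at an existing ASCII-armoured
# public key; otherwise prints what is wrong and returns 1. Accepts both the
# bare path used in this guide and the file:// form yum also understands.
repo_key_check() {
    repo="$1"
    bad=0
    gpgcheck=$(repo_get "$repo" gpgcheck)
    gpgkey=$(repo_get "$repo" gpgkey)
    if [ "$gpgcheck" != "1" ]; then
        echo "PROBLEM gpgcheck is '${gpgcheck:-unset}' in $repo; packages would install unverified"
        bad=1
    fi
    case "$gpgkey" in
        file://*) gpgkey=${gpgkey#file://} ;;
    esac
    if [ -z "$gpgkey" ]; then
        echo "PROBLEM gpgkey is not set in $repo"
        bad=1
    elif [ ! -f "$gpgkey" ]; then
        echo "PROBLEM gpgkey $gpgkey does not exist; fetch the key first"
        bad=1
    elif ! grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$gpgkey"; then
        echo "PROBLEM $gpgkey is not an ASCII-armoured PGP public key"
        bad=1
    else
        echo "ok      gpgcheck=1, key present at $gpgkey"
    fi
    return $bad
}

# Constructed sample: the repo definition from this guide, with gpgkey pointing
# at a placeholder key file under $1. Prints the path of the generated .repo.
repo_sample() {
    dir="$1"
    cat > "$dir/moonshot.repo" <<EOF
[Moonshot]
name=Moonshot
baseurl=http://repository.project-moonshot.org/rpms/centos6/
failovermethod=priority
gpgcheck=1
gpgkey=$dir/Moonshot
EOF
    # Placeholder carrying only the armour header and footer; not a real key.
    cat > "$dir/Moonshot" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder, not a real key)
-----END PGP PUBLIC KEY BLOCK-----
EOF
    echo "$dir/moonshot.repo"
}

# Stand-alone demo: check the sample, then again with the key removed.
demo_dir=$(mktemp -d)
demo_repo=$(repo_sample "$demo_dir")
repo_key_check "$demo_repo" || true
rm -f "$demo_dir/Moonshot"
repo_key_check "$demo_repo" || true
rm -rf "$demo_dir"
```

Run repo_key_check /etc/yum.repos.d/moonshot.repo after step 3; a non-zero return means yum would either refuse the packages or, worse, install them without verification.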

2. Install Trust Router

We’re now ready to install the Trust Router software and its required dependencies. Install the software by running the following command:

$ yum install trust_router

3. Configure Trust Router

Next, we need to configure the Trust Router.

3.1. RadSec

3.1.1. APC TLS

First, you will need a copy of a client key and certificate (and the appropriate CA) from the APC(s) that your Trust Router serves. Copy them onto the filesystem of your Trust Router.

You can put these files anywhere on the file system, but this guide assumes you put them in /etc/pki/tls. If you place them in a different location you will need to change the locations below as appropriate.

3.1.2. Connection to APC

Next, we need to create the RadSec configuration for the APC. We do this by creating a file at /etc/radsec.conf with the following content:

realm gss-eap {
	type = "TLS"
	cacertfile = "/etc/pki/tls/tr-ca.crt"
	certfile = "/etc/pki/tls/tr-client.pem"
	certkeyfile = "/etc/pki/tls/tr-client.key"
	disable_hostname_check = yes
	server {
		hostname = "apc.moonshot.ja.net"
		service = "2083"
		secret = "radsec"
	}
}
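The three file paths above are easy to get wrong, and the client private key should be readable only by the account that runs the daemon. As an added example (not part of the original guide or the Trust Router project), this POSIX shell script reads the file settings out of a radsec.conf, checks that each file exists, flags a private key that is readable by group or others, and notes what disable_hostname_check = yes means for server identification. The functions radsec_get, radsec_check and radsec_sample and the dummy certificate files the demo writes are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check the TLS settings in a radsec.conf.
# Function names and the constructed sample files are mine, not the project's.

# Print the value of KEY from a radsec.conf-style file, quotes stripped.
# $1 = config file, $2 = key name (e.g. certkeyfile, disable_hostname_check)
radsec_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Check the three file settings and the key permissions. Prints one line per
# finding and returns the number of problems (0 means nothing to fix).
radsec_check() {
    conf="$1"
    problems=0
    for key in cacertfile certfile certkeyfile; do
        path=$(radsec_get "$conf" "$key")
        if [ -z "$path" ]; then
            echo "PROBLEM $key is not set in $conf"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "PROBLEM $key -> $path is missing or unreadable"
            problems=$((problems + 1))
        else
            echo "ok      $key -> $path"
        fi
    done
    keyfile=$(radsec_get "$conf" certkeyfile)
    # A private key with the group- or other-read bit set is a finding on its own.
    if [ -n "$keyfile" ] && [ -r "$keyfile" ] && \
       [ -n "$(find "$keyfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "PROBLEM $keyfile is readable by group or others (chmod 600 it)"
        problems=$((problems + 1))
    fi
    if [ "$(radsec_get "$conf" disable_hostname_check)" = "yes" ]; then
        echo "NOTE    hostname check is disabled: any server certificate issued by the CA in cacertfile is accepted"
    fi
    return $problems
}

# Constructed sample: dummy (non-PEM) files plus a config mirroring the one in
# this guide but pointing at $1. Prints the path of the generated config.
radsec_sample() {
    dir="$1"
    echo "constructed placeholder, not a real CA certificate" > "$dir/tr-ca.crt"
    echo "constructed placeholder, not a real client certificate" > "$dir/tr-client.pem"
    echo "constructed placeholder, not a real private key" > "$dir/tr-client.key"
    chmod 600 "$dir/tr-client.key"
    cat > "$dir/radsec.conf" <<EOF
realm gss-eap {
    type = "TLS"
    cacertfile = "$dir/tr-ca.crt"
    certfile = "$dir/tr-client.pem"
    certkeyfile = "$dir/tr-client.key"
    disable_hostname_check = yes
    server {
        hostname = "apc.moonshot.ja.net"
        service = "2083"
        secret = "radsec"
    }
}
EOF
    echo "$dir/radsec.conf"
}

# Stand-alone demo: a clean setup, then the same setup after a careless chmod.
demo_dir=$(mktemp -d)
demo_conf=$(radsec_sample "$demo_dir")
radsec_check "$demo_conf" || true
chmod 644 "$demo_dir/tr-client.key"
radsec_check "$demo_conf" || true
rm -rf "$demo_dir"
```

Run radsec_check /etc/radsec.conf once the files from the APC are in place; the permission check matters because the key file is what lets this host act as a client of the APC.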

3.2. Trust Router

3.2.1. Daemon Configuration

Two files need to be edited:

  • /etc/sysconfig/trust_router - change the defaults as required.
  • /etc/trust_router/conf.d/main.cfg - change the hostname.

3.2.2. Moonshot Configuration

Moonshot, you say? Yes, Trust Router uses Moonshot to authenticate and secure all communications between Trust Router clients and servers. So, you will need to configure the trust router user to make use of the Moonshot flatstore (i.e. telling Moonshot that this is a special system account, not a regular user account), and you will need to import a set of credentials for your Trust Router to use.

  1. Enable the trustrouter user to use the Moonshot UI flatstore:

    $ echo "trustrouter" >> /etc/moonshot/flatstore-users
  2. Import the credentials using the moonshot-webp command (as the trustrouter user):

    $ su --shell /bin/bash trustrouter
    $ unset DISPLAY
    $ moonshot-webp [path to credential file]

    The credentials file will be given to you by the administrator of the APC.

3.2.3. Shibboleth

Shibboleth, you say? Yes, Shibboleth is used by the Moonshot components to handle incoming SAML. However, this feature typically isn't used by the Trust Router, but its logging will still appear in your Trust Router's log files. So, to simplify your log files, it is recommended that you silence the Shibboleth logging. To do this:

  1. Open /etc/shibboleth/console.logger for editing.
  2. Change WARN to NONE on the first line, i.e.

    log4j.rootCategory=NONE, console

3.2.4. Default Peer

Next, configure Trust Router peering.

If the Trust Router cannot find a target identity realm in its database, it forwards the request to its configured default Trust Router peer. Set that peer in conf.d/peering.cfg (alongside main.cfg above):

{
    "default_servers": [
        "tr1.moonshot.ja.net"
    ]
}

Add the trust configuration to /etc/trust_router/trusts.cfg.

Finally, restart the Trust Router so that the new configuration is picked up:

$ service trust_router restart

4. Testing

Check that the daemon is running:

$ service trustrouter status

The default should work; tr-test shouldn't.

5. Next Steps

At this point, you now have a Trust Router. Blimey.
