This is an old version (version 7) of this page.

On this page you will find instructions on how to set up a Trust Router on Debian 7.


1. Install Trust Router

We’re now ready to install the Trust Router software and its required dependencies. Install the software by running the following command as root:

# apt-get install moonshot-trust-router moonshot-ui

2. Configure Trust Router

Next, we need to configure the Trust Router.

2.1. RadSec

2.1.1. APC TLS

First, you will need a copy of a client key and certificate (and the CA certificate that issued it) from the APC(s) that your Trust Router serves. Copy them onto the filesystem of your Trust Router. The private key is what identifies your Trust Router to the APC, so make it readable only by the trustrouter user (mode 0600, owned by trustrouter).

You can put these files anywhere on the file system, but this guide assumes you put them in /etc/pki/tls. If you place them in a different location you will need to change the locations below as appropriate.

2.1.2. Connection to APC

Next, we configure RadSec for the connection to the APC. Create /etc/radsec.conf with the following content (adjusting the certificate paths and the APC hostname to your own):

realm gss-eap {
	type = "TLS"
	cacertfile = "/etc/pki/tls/tr-ca.crt"
	certfile = "/etc/pki/tls/tr-client.pem"
	certkeyfile = "/etc/pki/tls/tr-client.key"
	disable_hostname_check = yes
	server {
		hostname = "apc.moonshot.ja.net"
		service = "2083"
		secret = "radsec"
	}
}

Two points about this file. The secret "radsec" is not a real shared secret: RFC 6614 fixes it to that string for RADIUS over TLS, and the connection is actually authenticated by the client certificate, so everything rests on the key file staying private. disable_hostname_check = yes tells libradsec not to check that the APC's certificate matches the hostname given in the server block; the certificate is still verified against tr-ca.crt, but any certificate issued by that CA would then be accepted as the APC. Leave this at yes only if the APC's certificate genuinely does not carry its hostname.
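The script below is an added example, not part of this page's original instructions or of the Trust Router/Moonshot code. It runs the checks a practitioner would want before trusting the radsec.conf above: the key is not readable by others, the key belongs to the client certificate, and the certificate chains to the APC's CA. It goes one step beyond the page: given a saved copy of the APC's server certificate, it reports whether that certificate names the configured hostname, which tells you whether disable_hostname_check could be set to no. It assumes openssl(1) is installed; the demo PKI it generates (the names tr1.example.net, "Demo APC CA" and the file names) is constructed material standing in for what the APC administrator gives you.

```shell
#!/bin/sh
# Added example, not part of the Trust Router project: preflight checks for the
# APC client credentials referenced from /etc/radsec.conf.  Assumes openssl(1).

# check_apc_tls CA_CRT CLIENT_PEM CLIENT_KEY [SERVER_PEM HOSTNAME]
# Returns 0 when the private key is protected, matches the client certificate
# and the certificate chains to the APC's CA.  If the APC's server certificate
# is also given (saved, for instance, from
# `openssl s_client -connect apc.moonshot.ja.net:2083 -showcerts`), returns 2
# when that certificate does not name HOSTNAME, i.e. when the Trust Router
# would need disable_hostname_check = yes to connect.  Returns 1 otherwise.
check_apc_tls() {
    ca="$1" cert="$2" key="$3" srv="${4:-}" host="${5:-}"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Group/other bits of the key must be empty: anyone who can read the key
    # can authenticate to the APC as this Trust Router.
    perm=$(ls -ld "$key" | cut -c5-10)
    [ "$perm" = "------" ] || { echo "$key is readable by group/others ($perm)" >&2; return 1; }
    # The key must belong to the certificate: the public keys must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "$key does not match $cert" >&2; return 1; }
    # The certificate must chain to the CA file the APC administrator supplied.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not chain to $ca" >&2; return 1; }
    [ -n "$srv" ] || return 0
    # -checkhost prints "does match" / "does NOT match" and exits 0 either way.
    if openssl x509 -in "$srv" -noout -checkhost "$host" | grep -q "does match"; then
        echo "$srv names $host: disable_hostname_check = no would work"
        return 0
    fi
    echo "$srv does not name $host: the hostname check would reject the APC" >&2
    return 2
}

# make_demo_pki DIR: constructed stand-in for the files the APC administrator
# hands you (a throw-away CA, a client certificate it issued, and an APC server
# certificate for apc.moonshot.ja.net), so the checks can be tried offline.
make_demo_pki() {
    d="$1"; mkdir -p "$d"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Demo APC CA" -days 2 \
        -out "$d/tr-ca.crt" 2>/dev/null
    openssl genrsa -out "$d/tr-client.key" 2048 2>/dev/null
    openssl req -new -key "$d/tr-client.key" -subj "/CN=tr1.example.net" \
        -out "$d/tr-client.csr" 2>/dev/null
    openssl x509 -req -in "$d/tr-client.csr" -CA "$d/tr-ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/tr-client.pem" 2>/dev/null
    openssl genrsa -out "$d/apc.key" 2048 2>/dev/null
    openssl req -new -key "$d/apc.key" -subj "/CN=apc.moonshot.ja.net" \
        -out "$d/apc.csr" 2>/dev/null
    printf 'subjectAltName=DNS:apc.moonshot.ja.net\n' > "$d/apc.ext"
    openssl x509 -req -in "$d/apc.csr" -CA "$d/tr-ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/apc.ext" -out "$d/apc.pem" 2>/dev/null
    chmod 600 "$d"/*.key   # what the real key files should look like, too
}

# Stand-alone demo: sh check_apc_tls.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    check_apc_tls "$dir/tr-ca.crt" "$dir/tr-client.pem" "$dir/tr-client.key" \
        "$dir/apc.pem" apc.moonshot.ja.net && echo "credentials OK"
    rm -rf "$dir"
fi
```

On a real host, source the file and run check_apc_tls /etc/pki/tls/tr-ca.crt /etc/pki/tls/tr-client.pem /etc/pki/tls/tr-client.key as the trustrouter user (so the readability test reflects the account that will actually open the files). A return of 2 with a saved APC certificate is the one case where disable_hostname_check = yes is justified; a return of 0 means you can tighten the setting.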

2.2. Trust Router

2.2.1. Moonshot Configuration

Moonshot, you say? Yes, Trust Router uses Moonshot to authenticate and secure all communications between Trust Router clients and servers. So, you will need to configure the trust router user to make use of the Moonshot flatstore (i.e. telling Moonshot that this is a special system account, not a regular user account), and you will need to import a set of credentials for your Trust Router to use.

  1. Enable the trustrouter user to use the Moonshot UI flatstore:

    $ echo "trustrouter" >> /etc/moonshot/flatstore-users
  2. Import the credentials file using the moonshot-webp command (as the trustrouter user):

    $ su --shell /bin/bash trustrouter
    $ unset DISPLAY
    $ moonshot-webp [path to credential file]

    The credentials file will be given to you by the administrator of the APC.

2.2.2. Shibboleth

Shibboleth, you say? Yes, Shibboleth is used by the Moonshot components to handle incoming SAML. Trust Router typically doesn't use this feature, but Shibboleth's logging will still appear in your Trust Router's log files. So, to simplify your log files, it is recommended that you silence the Shibboleth logging. To do this:

  1. Open /etc/shibboleth/console.logger for editing.
  2. Change WARN to NONE on the first line, i.e.

    log4j.rootCategory=NONE, console

2.2.3. Default Peer

If your Trust Router is going to run in its own standalone trust network, then you can skip this step. If it is going to run in a wider trust network, then you can configure your Trust Router's default peer, i.e. the Trust Router it sends its clients to when they ask it to locate a Moonshot entity that your Trust Router doesn't know about. To do this:


  1. Open /etc/trust_router/conf.d/default/peering.cfg for editing. Change the content as follows:

    {
      "default_servers": [
        "[hostname of trust router]"
      ]
    }

    If the /etc/trust_router directory does not exist, you may need to create it yourself, along with the subdirectories mentioned.

    Example

    If you were configuring your default Trust Router peer to be Janet's Trust Router at tr1.moonshot.ja.net, its peering.cfg file would look like this:

    {
      "default_servers": [
        "tr1.moonshot.ja.net"
      ]
    }
  2. Place an appropriate trusts.cfg file into /etc/trust_router/ and symbolically link it into the default configuration directory:

    # cd /etc/trust_router/conf.d/default
    # ln -s ../../trusts.cfg
  3. Place an appropriate main.cfg file into /etc/trust_router/conf.d/default/
    main.cfg sets up a few internal variables, including the hostname that the trust router is running on.
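The script below is an added example, not the Trust Router project's own tooling and not part of this page's original steps. It performs the three steps of section 2.2.3 under a root directory and checks the results (peering.cfg generated as valid JSON, the trusts.cfg link only created when it will resolve, main.cfg present), and it adds the flatstore-users entry from section 2.2.1 without appending a duplicate on every re-run. The ROOT parameter is an assumption so the script can be tried in a scratch directory; pass / on the real host. trusts.cfg and main.cfg are not generated because this page does not document their contents; they must already be in place.

```shell
#!/bin/sh
# Added example, not part of the Trust Router project: lay out and check the
# /etc/trust_router tree from section 2.2.3, and add the flatstore-users entry
# from 2.2.1 without duplicating it.  ROOT is an assumption for offline runs
# (pass / on the real host).

# setup_tr_conf ROOT PEER_HOSTNAME
setup_tr_conf() {
    root="$1" peer="$2"
    etc="$root/etc/trust_router" conf="$root/etc/trust_router/conf.d/default"
    mkdir -p "$conf"
    # Generate peering.cfg rather than hand-editing it: trust_router reads it
    # as JSON, so a trailing comma or a curly quote breaks startup.
    printf '{\n  "default_servers": [\n    "%s"\n  ]\n}\n' "$peer" > "$conf/peering.cfg"
    # Link trusts.cfg only when the target exists; ln -s happily creates a
    # dangling link otherwise and the error only surfaces at start-up.
    [ -f "$etc/trusts.cfg" ] || { echo "put trusts.cfg in $etc first" >&2; return 1; }
    if [ -e "$conf/trusts.cfg" ] && [ ! -L "$conf/trusts.cfg" ]; then
        echo "$conf/trusts.cfg is a regular file, not replacing it" >&2; return 1
    fi
    ln -sf ../../trusts.cfg "$conf/trusts.cfg"
    [ -f "$conf/trusts.cfg" ] || { echo "$conf/trusts.cfg does not resolve" >&2; return 1; }
    [ -f "$conf/main.cfg" ] || { echo "put main.cfg in $conf first" >&2; return 1; }
}

# check_peering ROOT: syntax-check peering.cfg (when a Python with json is
# available; Debian 7 ships python) and print the configured default servers.
check_peering() {
    f="$1/etc/trust_router/conf.d/default/peering.cfg"
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    for py in python3 python; do
        command -v "$py" >/dev/null 2>&1 || continue
        "$py" -c 'import json,sys; json.load(open(sys.argv[1]))' "$f" 2>/dev/null \
            || { echo "$f is not valid JSON" >&2; return 1; }
        break
    done
    # Each server is a quoted string on its own line inside the array.
    sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*,\{0,1\}[[:space:]]*$/\1/p' "$f"
}

# enable_flatstore_user ROOT USER: idempotent form of
#   echo "trustrouter" >> /etc/moonshot/flatstore-users
enable_flatstore_user() {
    f="$1/etc/moonshot/flatstore-users"
    mkdir -p "$1/etc/moonshot"
    [ -f "$f" ] || : > "$f"
    grep -qx "$2" "$f" || echo "$2" >> "$f"
}
```

Usage on the host, as root: source the file, then enable_flatstore_user / trustrouter and setup_tr_conf / tr1.moonshot.ja.net; check_peering / prints the peers the Trust Router will actually use, which is the first thing to look at if lookups for unknown realms go nowhere.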

2.2.4. Start your Trust Router

You are now ready to start your Trust Router and test it. To do this:

  1. As the trustrouter user, change to the configuration directory (/etc/trust_router/conf.d/default) and start the Trust Router:

    $ trust_router

    Debian currently has no initscript for trust_router so it needs to be run manually. We hope to fix this in the near future.

3. Testing

Default should work, tr-test shouldn't.

4. Next Steps

At this point, you now have a Trust Router. Blimey.

The trust configuration itself lives in /etc/trust_router/trusts.cfg.