development:security
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
development:security [2016/11/12 03:07] anthonysena |
development:security [2017/05/12 15:10] anthonysena [SSL CONFIGURATION IN TOMCAT] |
||
|---|---|---|---|
| Line 16: | Line 16: | ||
| ==== SECURITY LAYER ==== | ==== SECURITY LAYER ==== | ||
| - | The ''Security'' abstraction makes it easy to maintain different behaviours of security subsystem. There are two implementations are available out of the box. These are ''AtlasSecurity'' and ''DisabledSecurity''. The first handles all the needs of ATLAS application, the latter disables security features. | + | The ''org.ohdsi.webapi.shiro.management.Security'' abstraction makes it easy to maintain different behaviors of security subsystem. There are two implementations are available out of the box. These are ''AtlasSecurity'' and ''DisabledSecurity''. The first handles all the needs of ATLAS application, the latter disables security features. |
| - | Active implementation is annotated with ''@Primary''. To switch security off, just move ''@Primary'' annotation to ''DisabledSecurity''. | + | The default setting in the WebAPI pom.xml is ''<security.enabled>false</security.enabled>'' which turns off security by loading the DisabledSecurity module. If you would like to enable security and load the AtlasSecurity module, this can be done by adding ''<security.enabled>true</security.enabled>'' to the ''<profile>'' section of your settings.xml file as described in the [[documentation:software:webapi:webapi_installation_guide|WebAPI Installation Guide]]. This does require that you rebuild the .war file and redeploy the application. |
| - | + | ||
| - | @Component | + | |
| - | @Primary | + | |
| - | public class DisabledSecurity extends Security { | + | |
| - | ... | + | |
| - | } | + | |
| ==== PATH-BASED SECURITY ==== | ==== PATH-BASED SECURITY ==== | ||
| Line 52: | Line 46: | ||
| === OAUTH SETTINGS === | === OAUTH SETTINGS === | ||
| - | Currently supported providers are Google and Facebook. | + | Currently supported OAuth providers are Google and Facebook. |
| To be able to use API of OAuth service provider you need to obtain API Key and API Secret and put these values into POM file | To be able to use API of OAuth service provider you need to obtain API Key and API Secret and put these values into POM file | ||
| Line 61: | Line 55: | ||
| <security.oauth.facebook.apiSecret>SECRET</security.oauth.facebook.apiSecret> | <security.oauth.facebook.apiSecret>SECRET</security.oauth.facebook.apiSecret> | ||
| - | === ADDING NEW OAUTH PROVIDER === | + | ==== ADDING NEW OAUTH PROVIDER ==== |
| OAuth authentication is handled with [[https://github.com/bujiio/buji-pac4j|buji-pac4j]] [[http://www.pac4j.org/docs/clients/oauth.html|OAuth clients]]. | OAuth authentication is handled with [[https://github.com/bujiio/buji-pac4j|buji-pac4j]] [[http://www.pac4j.org/docs/clients/oauth.html|OAuth clients]]. | ||
| Line 259: | Line 253: | ||
| * Now you need to follow instructions of CA (Certification Authority) of your choice to submit your CSR (for example VeriSign) to obtain the SSL certifiate. Alternatively, you may opt to use [[development:OpenSSL|OpenSSL]] to create a local CA for non-production use. | * Now you need to follow instructions of CA (Certification Authority) of your choice to submit your CSR (for example VeriSign) to obtain the SSL certifiate. Alternatively, you may opt to use [[development:OpenSSL|OpenSSL]] to create a local CA for non-production use. | ||
| - | * When you obtained certificate from CA, you need to import it into your keystore | + | * When you obtained certificate from CA, you need to import the CA’s root and intermediate certificates into a Java keystore file before you import the actual SSL certificate. The steps below outline this process for a Windows machine. |
| + | |||
| + | === Step 1: Retrieving your Root, Intermediate directly from your SSL certificate: === | ||
| + | |||
| + | * Take your SSL certificate with a .cer extension. and double click on it. | ||
| + | * At the certificate popup click on Certification Path. | ||
| + | * {{:development:development:software:security:image001.png?200|}} | ||
| + | * Under Certification Path you will see a tier of three certificates. | ||
| + | * Top certificate = Root | ||
| + | * Middle certificate = Intermediate | ||
| + | * Bottom certificate = SSL certificate for the common name it was issued to. | ||
| + | * {{:development:development:software:security:image002.png?200|}} | ||
| + | * **Double click** on the **top certificate Root** in order to bring up its information. | ||
| + | * {{:development:development:software:security:image003.png?200|}} | ||
| + | * Click **Details.** | ||
| + | * Click **Copy to File...** | ||
| + | * {{:development:development:software:security:image004.png?200|}} | ||
| + | * The Certificate Export Wizard will popup. Click **Next.** | ||
| + | * {{:development:development:software:security:image005.png?200|}} | ||
| + | * Select **Base-64 encoded X.509 (.cer).** | ||
| + | * Click **Next.** | ||
| + | * {{:development:development:software:security:image006.png?200|}} | ||
| + | * On the next screen click **Browse** and specify the filename and path you want to save your Root certificate. Name it whatever you desire. **Example: Root.cer** | ||
| + | * Click **Save.** | ||
| + | * You will be taken back to the previous screen with the location and path of this file specified next to browse. **Click Next.** | ||
| + | * {{:development:development:software:security:image007.png?200|}} | ||
| + | * Complete the export wizard by clicking **Finish**. | ||
| + | |||
| + | === Step 2: Retrieving your Intermediate CA directly from your SSL certificate (Continued) === | ||
| + | |||
| + | //You will perform the same steps as above in step 1 but with the middle certificate (Intermediate).// | ||
| + | |||
| + | * 1. Go back to your SSL certificate under the **Certification Path** tab and **double click** on the Middle Certificate Intermediate in the tier. | ||
| + | * {{:development:development:software:security:image008.png?200|}} | ||
| + | * Click Details. | ||
| + | * Click Copy to File… | ||
| + | * {{:development:development:software:security:image009.png?200|}} | ||
| + | * The Certificate Export Wizard will popup. **Click Next.** | ||
| + | * {{:development:development:software:security:image005.png?200|}} | ||
| + | * Select **Base-64 encoded X.509 (.cer).** | ||
| + | * Click **Next.** | ||
| + | * {{:development:development:software:security:image006.png?200|}} | ||
| + | * On the next screen click Browse and specify the filename and path you want to save your Intermediate certificate. Name it whatever you desire. Example: Intermediate.cer | ||
| + | * Click Save. | ||
| + | * You will be taken back to the previous screen with the location and path of this file specified next to browse. Click Next. | ||
| + | * {{:development:development:software:security:image007.png?200|}} | ||
| + | * Complete the export wizard by clicking Finish. | ||
| + | |||
| + | You should now have three files: | ||
| + | - Your Root Certificate. | ||
| + | - Your Intermediate Certificate. | ||
| + | - Your SSL certificate where both the Root, and Intermediate are derived from. | ||
| + | |||
| + | === Step 3: Step 3: Installing your Root CA, CA Intermediate, and your SSL certificate === | ||
| + | |||
| + | Import the Root Certificate first. You will specify your own alias for this import Example: Root. | ||
| + | |||
| + | keytool -import -alias root -trustcacerts -file C:\path\to\root.cer -keystore C:\path\to\my\keystore.jks | ||
| + | |||
| + | Import the Intermediate CA certificate second. You will specify your own alias for this import. Example: Intermediate. | ||
| + | |||
| + | keytool -import -alias intermediate -trustcacerts -file C:\path\to\intermediate.cer -keystore C:\path\to\my\keystore.jks | ||
| + | |||
| + | Lastly, import the actual SSL certificate into the keystore. | ||
| keytool -importcert -trustcacerts -alias webapi -file C:\path\to\cert\webapi.p7b -keystore C:\path\to\my\keystore.jks | keytool -importcert -trustcacerts -alias webapi -file C:\path\to\cert\webapi.p7b -keystore C:\path\to\my\keystore.jks | ||
| - | Now you can add SSL connector in Tomcat's ''server.xml'' file | + | Now you can add SSL connector in Tomcat's server.xml file |
| - | <Connector | + | <Connector |
| - | port="8443" | + | port="8443" |
| - | protocol="org.apache.coyote.http11.Http11NioProtocol" | + | protocol="org.apache.coyote.http11.Http11NioProtocol" |
| - | maxThreads="200" | + | maxThreads="200" |
| - | scheme="https" | + | scheme="https" |
| - | secure="true" | + | secure="true" |
| - | SSLEnabled="true" | + | SSLEnabled="true" |
| - | keyAlias="webapi" | + | keyAlias="webapi" |
| - | keystoreFile="C:\path\to\my\keystore.jks" | + | keystoreFile="C:\path\to\my\keystore.jks" |
| - | keystorePass="{Your keystore password}" | + | keystorePass="{Your keystore password}" |
| - | clientAuth="false" | + | clientAuth="false" |
| - | sslProtocol="TLS"/> | + | sslProtocol="TLS"/> |
| [[https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html|Here]] you may find more details on SSL configuration in Tomcat. | [[https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html|Here]] you may find more details on SSL configuration in Tomcat. | ||
development/security.txt · Last modified: 2018/03/20 13:33 by anthonysena
Page Tools
