Commit 2cfe957c authored by Staiger, Christine

Typos

parent b2bb50d6
......@@ -10,7 +10,9 @@ https://github.com/sara-nl/iRODS-UIs-APIs/blob/master/Davrods_install_guide.md
https://docs.irods.org/4.2.7/plugins/pluggable_authentication/#pam-pluggable-authentication-module
## SSL encryption
To setup secure connection between clients and the iRODS server we set up SSL encryption on the iRODS server. *Please note:* If your iRODS server is part of a federation *all* iRODS servers have then to be enabled with SSL encryption.
To setup secure connection between clients and the iRODS server we set up SSL encryption on the iRODS server.
**Please note:** If your iRODS server is part of a federation and you are using SSL encryption *all other* iRODS servers have to be enabled with SSL encryption, too.
### Generate certificates
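Review bot: the retained sentence `To setup secure connection between clients and the iRODS server we set up SSL encryption on the iRODS server.` still carries two of the typos this commit sets out to fix: `setup` as a verb should be `set up`, and `secure connection` needs an article. Suggest `To set up a secure connection between clients and the iRODS server, we enable SSL encryption on the iRODS server.` The rewritten federation note is an improvement; `have to be enabled with SSL encryption, too` would read more naturally as `must also have SSL encryption enabled`.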
......@@ -22,12 +24,12 @@ To setup secure connection between clients and the iRODS server we set up SSL en
openssl genrsa -out irods.key 2048
chmod 600 irods.key
openssl req -new -x509 -key irods.key -out irods.crt -days 3650
```
```
You are asked to provide some details.
```sh
Country Name (2 letter code) [XX]:XX
Country Name (2 letter code) [XX]:XX
State or Province Name (full name) []:<your state>
Locality Name (eg, city) [Default City]:<your city>
Organization Name (eg, company) [Default Company Ltd]:<company>
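Review bot: the `Country Name (2 letter code) [XX]:XX` line is removed and re-added with no visible difference, so this is presumably a trailing-whitespace change; worth confirming so the hunk is not hiding an accidental edit. While in this region, the two consecutive ``` fences above `You are asked to provide some details.` close the openssl block and immediately open an untagged empty one, which swallows that sentence into a code block; drop the second fence. Also, `-days 3650` yields a ten-year self-signed certificate, and the guide does not say whether this is meant for a test setup or production; a sentence pointing readers at a CA-issued certificate with a shorter lifetime for production would help.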
......@@ -35,27 +37,28 @@ Organizational Unit Name (eg, section) []:<group>
Common Name (eg, your name or your server's hostname) []:<ip address or fqdn>
Email Address []:<email>
```
The common name that you set here will also be used by all user clients and Davrods to address the iRODS server. It should correspond to the fqdn or the hostname you set in the */etc/hosts* file.
You might also have to adjust the */etc/irods/hosts_config.json* to match the fqdn in te certificate.
The common name that you set here will also be used by all user clients and Davrods to address the iRODS server. It should correspond to the fqdn or the hostname you set in the */etc/hosts* file.
You might also have to adjust the */etc/irods/hosts_config.json* to match the fqdn in the certificate.
```sh
openssl dhparam -2 -out dhparams.pem 2048
```
2. **Adjust the /etc/irods/core.re** with
```sh
acPreConnect(*OUT) { *OUT="CS_NEG_REQUIRE"; }
```
3. **Adjust the environment-json for the irods service account.**
You need to set the server certificate (*irods.crt*) and its corresponding key (*irods.key*) and the certfificate from the "Certificate Authority" (here we use again *irods.crt* (usually you would have a *chain.pem*), if you use a different authority make sure all machines that run clients have this file installed). We also need to set the file defining how keys are exchanged (*dhparams.pem*). Finally we need to tell iRODS that we are using ssll verification by certificate.
The irods environment file for the unix service account can be in several locations, please check what is applicable to you:
You need to set the server certificate (*irods.crt*) and its corresponding key (*irods.key*) and the certfificate from the "Certificate Authority" (here we use again *irods.crt* (usually you would have a *chain.pem*), if you use a different authority make sure all machines that run clients have this file installed). We also need to set the file defining how keys are exchanged (*dhparams.pem*). Finally we need to tell iRODS that we are using ssll verification by certificate.
The irods environment file for the unix service account can be in several locations, please check what is applicable to you:
```sh
vi /var/lib/irods/.irods/irods_environment.json # default
vi /home/irods/.irods/irods_environment.json # if irods service account has a home
```
``` sh
"irods_client_server_policy": "CS_NEG_REQUIRE",
"irods_ssl_certificate_chain_file": "/etc/irods/ssl/irods.crt",
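Review bot: the re-added paragraph under step 3 still contains `certfificate` and `ssll`, and its parentheses do not balance: `(here we use again *irods.crt* (usually you would have a *chain.pem*), if you use a different authority make sure ...` opens two and closes one. Suggest splitting it: `... and the certificate of the Certificate Authority. Here we reuse *irods.crt*; normally this would be a *chain.pem*. If you use a different authority, make sure every machine that runs clients has this file installed. ... Finally we tell iRODS to use SSL verification by certificate.` Minor: the fence ``` sh (with a space) before the `irods_client_server_policy` lines should be ```sh like the others, and the `acPreConnect` rule is iRODS rule language rather than shell, so its `sh` tag is misleading.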
......@@ -66,16 +69,16 @@ Email Address []:<email>
```
Make sure common name of the server in the certificate and the *irods_host* in the environment json file match.
Then try as the user 'irods' whether you can login:
```sh
iinit
ils
```
4. **Enabling other user clients with SSL.**
Clients on other servers need to have a copy of the chain of trust pem-file (here the *irods.crt*) file.
All your iRODS users need to extend their *irods_environment.json* with
Clients on other servers need to have a copy of the chain of trust pem-file (here the *irods.crt*) file.
All your iRODS users need to extend their *irods_environment.json* with
```sh
"irods_client_server_negotiation": "request_server_negotiation",
"irods_client_server_policy": "CS_NEG_REQUIRE",
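Review bot: the two lines under step 4 are removed and re-added without any visible change (presumably whitespace only), but the wording they keep still needs attention: `chain of trust pem-file (here the *irods.crt*) file` repeats `file`. Suggest `Clients on other servers need a copy of the chain-of-trust PEM file (here *irods.crt*).` Also `Make sure common name of the server` above should be `Make sure the common name of the server`.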
......@@ -96,15 +99,15 @@ If the iRODS client specifies that authentication should take place through PAM,
sudo su - root -c 'echo "auth sufficient pam_permit.so" > /etc/pam.d/irods'
```
And check with
And check with
```
/usr/sbin/irodsPamAuthCheck bob
<some password string>
Authenticated
```
whether iRODS uses the pam module.
whether iRODS uses the pam module.
2. For common linux servers the following chain in the iRODS PAM module are sufficient:
2. For common linux servers the following chain in the iRODS PAM module is sufficient:
```sh
cat /etc/pam.d/irods
auth required pam_env.so
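Review bot: step 1 writes `auth sufficient pam_permit.so` into /etc/pam.d/irods and the `irodsPamAuthCheck bob` run then reports `Authenticated`, but the text never says that pam_permit.so accepts any username and password; a reader who stops after step 1 leaves PAM authentication open to everyone. Add a sentence after `whether iRODS uses the pam module.` stating that this stanza only verifies the plumbing and must be replaced by the real chain in step 2 before the server is exposed to users. The remaining changes in this hunk (`And check with`, `whether iRODS uses the pam module.`) show no visible difference, and the fence around the irodsPamAuthCheck session lacks the `sh` tag used elsewhere in the guide.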
......