eu.rcauth.pilot-ica/CA/README

This directory contains all the files and scripts needed to setup a Online-CA
backend MyProxy server, where the private key is stored on a SafeNet™ eToken.

PREREQUISITES:
- obtain a copy of the SafenetAuthenticationClient and install it in
    ./safenet
  we are using SafenetAuthenticationClient-9.1.7-0. Other versions might have
  different names for the services: look for SAC in the install script.
- It needs to be installed in combination with a Delegation Service, see this
  same repository ../DS
- make the necessary replacements for your domain in
    ./scripts/install.sh
    ./scripts/mail_notifier.sh
  look for nikhef and optionally for the SafenetAuthenticationClient.
  Also change the sed lines setting the rcauth-related entries in the sysconfig
  file.
- Copy the entire (updated) directory to a USB stick.

------------------------------------------------------------------------
INSTALLATION:
1) install a minimal CentOS7 system:
    - no swap
    - large /var partition
    - preferably an encrypted / partition

2) upon installation and reboot:
    - mount USB stick containing this entire directory on /mnt
    - run /mnt/scripts/install.sh 2>&1 | tee install.log

3) wait till the Delegation Server is installed with CentOS

4) run /mnt/scripts/push_keys.sh

5) continue installing the Delegation Server

6) when the Delegation Server is running (in particular squid):
    - yum update --enablerepo

7) insert eToken

8) run /mnt/scripts/extract_token.sh

9) this step is ONLY NEEDED when the 'cacert' is a Robot certificate and the
   service is supposed to generate Per-User Sub-Proxies (PUSPs):
    - uncomment the line with
        certificate_issuer_subca_certfile
      in the myproxy-server.config.etoken-ca config file
    - restart the myproxy-server:
        systemctl restart myproxy-server

1	This directory contains all the files and scripts needed to setup a Online-CA
2	backend MyProxy server, where the private key is stored on a SafeNet™ eToken.
3
4	PREREQUISITES:
5	- obtain a copy of the SafenetAuthenticationClient and install it in
6	./safenet
7	we are using SafenetAuthenticationClient-9.1.7-0. Other versions might have
8	different names for the services: look for SAC in the install script.
9	- It needs to be installed in combination with a Delegation Service, see this
10	same repository ../DS
11	- make the necessary replacements for your domain in
12	./scripts/install.sh
13	./scripts/mail_notifier.sh
14	look for nikhef and optionally for the SafenetAuthenticationClient.
15	Also change the sed lines setting the rcauth-related entries in the sysconfig
16	file.
17	- Copy the entire (updated) directory to a USB stick.
18
19	------------------------------------------------------------------------
20	INSTALLATION:
21	1) install a minimal CentOS7 system:
22	- no swap
23	- large /var partition
24	- preferably an encrypted / partition
25
26	2) upon installation and reboot:
27	- mount USB stick containing this entire directory on /mnt
28	- run /mnt/scripts/install.sh 2>&1 \| tee install.log
29
30	3) wait till the Delegation Server is installed with CentOS
31
32	4) run /mnt/scripts/push_keys.sh
33
34	5) continue installing the Delegation Server
35
36	6) when the Delegation Server is running (in particular squid):
37	- yum update --enablerepo
38
39	7) insert eToken
40
41	8) run /mnt/scripts/extract_token.sh
42
43	9) this step is ONLY NEEDED when the 'cacert' is a Robot certificate and the
44	service is supposed to generate Per-User Sub-Proxies (PUSPs):
45	- uncomment the line with
46	certificate_issuer_subca_certfile
47	in the myproxy-server.config.etoken-ca config file
48	- restart the myproxy-server:
49	systemctl restart myproxy-server
50
grid.support@nikhef.nl	ViewVC Help
Powered by ViewVC 1.1.28