Revision 7254

Add details for configuring Apache to use client certificate authentication.

View differences:

docs/user/metacat/source/dataone.rst
175 175
certificate file. Be sure to protect the certificate file, as it contains the
176 176
private key that is used to authenticate this node within DataONE.
177 177

  
178
.. Note:: 
179
For Tier 2 deployments and above, the Metacat Member Node must have Apache configured to request 
180
client certificates. Detailed instructions are included at the end of this chapter.
181

  
178 182
The ``Enable DataONE Services`` checkbox allows the administrator to decide whether to 
179 183
turn on synchronization with the DataONE network.  When this box is unchecked, the 
180 184
DataONE Coordinating Nodes will not attempt to synchronize at all, but when checked, 
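Review bot: the body of the added ``.. Note::`` directive (the two sentences starting "For Tier 2 deployments and above") has to be indented under the directive marker, but in the diff they appear flush with the ``..``; if the source really is unindented, docutils reports "Content block expected for the 'note' directive; none found" and the text renders as an ordinary paragraph instead of an admonition. Suggest indenting both lines by three spaces, with a blank line after the directive. Minor: "included at the end of this chapter" is a positional reference that breaks if sections are reordered; a ``:ref:`` to the new "Apache configuration details" section would be more robust.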
......
301 305
or can be set using the `CNReplication.setReplicationPolicy`_ service.
302 306

  
303 307
.. _CNReplication.setReplicationPolicy: http://releases.dataone.org/online/d1-architecture-1.0.0/apis/CN_APIs.html#CNReplication.setReplicationPolicy
308

  
309
Apache configuration details
310
----------------------------
311
These Apache directives are crucial for Metacat to function as a Tier 2+ Member Node
312

  
313
::
314

  
315
  ...
316
  AllowEncodedSlashes On
317
  AcceptPathInfo      On
318
  JkOptions +ForwardURICompatUnparsed
319
  SSLEngine on
320
  SSLOptions +StrictRequire +StdEnvVars +ExportCertData
321
  SSLVerifyClient optional
322
  SSLVerifyDepth 10
323
  SSLCertificateFile /etc/ssl/certs/<your_server_certificate>
324
  SSLCertificateKeyFile /etc/ssl/private/<your_server_key>
325
  SSLCACertificatePath /etc/ssl/certs/
326
  ...
327
  
328
Where ``<your_server_certificate>`` and ``<your_server_key>`` are the certificate/key pair used by Apache 
329
to identify the server to clients. The DataONE Certiciate Authority certificate - available from the DataONE administrators -  
330
will also need to be added to the directory specified by ``SSLCACertificatePath`` 
331
in order to validate client certificates signed by that authority.
332
When these changes have been applied, Apache should be restarted:
333

  
334
::
335

  
336
  cd /etc/ssl/certs
337
  sudo c_rehash
338
  sudo /etc/init.d/apache2 restart
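Review bot: ``SSLCACertificatePath /etc/ssl/certs/`` points Apache at the host's system-wide CA store, so any client certificate signed by any CA installed on that host will pass verification, not only the DataONE CA the following paragraph says should be added there, and every one of those CAs will be advertised in the server's certificate request. Suggest a dedicated directory holding only the DataONE CA certificate (for example ``SSLCACertificatePath /etc/ssl/dataone-ca/``) and running ``c_rehash`` in that directory instead of ``/etc/ssl/certs``. The text should also say what happens to requests that present no certificate, since ``SSLVerifyClient optional`` lets them through to the application, and that ``+StdEnvVars +ExportCertData`` is what makes the verified certificate available to Metacat behind mod_jk. Minor: "Certiciate Authority" should read "Certificate Authority", and the sentence ending "Tier 2+ Member Node" is missing its full stop.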