Revision 7254
Added by ben leinfelder over 12 years ago
docs/user/metacat/source/dataone.rst | ||
---|---|---|
175 | 175 |
certificate file. Be sure to protect the certificate file, as it contains the |
176 | 176 |
private key that is used to authenticate this node within DataONE. |
177 | 177 |
|
178 |
.. Note:: |
|
179 |
For Tier 2 deployments and above, the Metacat Member Node must have Apache configured to request |
|
180 |
client certificates. Detailed instructions are included at the end of this chapter. |
|
181 |
|
|
178 | 182 |
The ``Enable DataONE Services`` checkbox allows the administrator to decide whether to |
179 | 183 |
turn on synchronization with the DataONE network. When this box is unchecked, the |
180 | 184 |
DataONE Coordinating Nodes will not attempt to synchronize at all, but when checked, |
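Review bot: the new note on lines 178-180 sends readers to "the end of this chapter" instead of naming the section it means. This commit adds "Apache configuration details" to the same file, so a reference to that section title (for example `Apache configuration details`_) would still resolve if the chapter is reordered. The note also says "Tier 2 deployments and above" where the new section says "Tier 2+"; using one wording in both places would avoid doubt about whether they mean the same thing.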
... | ... | |
301 | 305 |
or can be set using the `CNReplication.setReplicationPolicy`_ service. |
302 | 306 |
|
303 | 307 |
.. _CNReplication.setReplicationPolicy: http://releases.dataone.org/online/d1-architecture-1.0.0/apis/CN_APIs.html#CNReplication.setReplicationPolicy |
308 |
|
|
309 |
Apache configuration details |
|
310 |
---------------------------- |
|
311 |
These Apache directives are crucial for Metacat to function as a Tier 2+ Member Node |
|
312 |
|
|
313 |
:: |
|
314 |
|
|
315 |
... |
|
316 |
AllowEncodedSlashes On |
|
317 |
AcceptPathInfo On |
|
318 |
JkOptions +ForwardURICompatUnparsed |
|
319 |
SSLEngine on |
|
320 |
SSLOptions +StrictRequire +StdEnvVars +ExportCertData |
|
321 |
SSLVerifyClient optional |
|
322 |
SSLVerifyDepth 10 |
|
323 |
SSLCertificateFile /etc/ssl/certs/<your_server_certificate> |
|
324 |
SSLCertificateKeyFile /etc/ssl/private/<your_server_key> |
|
325 |
SSLCACertificatePath /etc/ssl/certs/ |
|
326 |
... |
|
327 |
|
|
328 |
Where ``<your_server_certificate>`` and ``<your_server_key>`` are the certificate/key pair used by Apache |
|
329 |
to identify the server to clients. The DataONE Certiciate Authority certificate - available from the DataONE administrators - |
|
330 |
will also need to be added to the directory specified by ``SSLCACertificatePath`` |
|
331 |
in order to validate client certificates signed by that authority. |
|
332 |
When these changes have been applied, Apache should be restarted: |
|
333 |
|
|
334 |
:: |
|
335 |
|
|
336 |
cd /etc/ssl/certs |
|
337 |
sudo c_rehash |
|
338 |
sudo /etc/init.d/apache2 restart |
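Review bot: `SSLCACertificatePath /etc/ssl/certs/` on line 325 makes client-certificate validation use the same directory that holds the server certificate and, on Debian-style installs, the system CA certificates. Combined with `SSLVerifyClient optional` and `SSLVerifyDepth 10`, a client certificate chaining to any CA in that directory will verify, not only one signed by the DataONE CA. Consider documenting a dedicated directory that contains only the DataONE CA certificate, and add a sentence explaining that `optional` still admits requests that present no certificate and how those requests are treated. Two smaller points: "Certiciate" on line 329 should read "Certificate", and line 332 says only that Apache should be restarted while the block that follows also runs `c_rehash`, so the text should say that the hash links are rebuilt first so the newly added CA file is found.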
Add details for configuring Apache to use client certificate authentication.