
Security Use Server

Nikos Kefalakis edited this page Mar 16, 2015 · 36 revisions

We have adapted an OAuth2.0-enabled CAS server (version 3.5.2) for authentication and authorization in OpenIoT. It has been configured to store its data in an LSM-Light server.

To modify the configuration of CAS, we use the Maven2 WAR overlay method: the files that we modify replace the corresponding files in the standard CAS server WAR.

The security-server module depends on utils.commons and lsm-light.client components. Therefore, it is mandatory to install these components before trying to deploy the security-server module.

Note: In the context of security module, we use the term service to refer to any component that uses the OpenIoT security module for authentication and authorization. For example, in this context, LSM-light.server, SD&UM, Scheduler, and X-GSN are services. Here, the terms service and client are used interchangeably.

Configuring JBoss

Here we assume that JBoss AS7 is used in standalone mode. By $jboss-home we refer to the JBoss AS7 directory.

Enabling SSL in JBoss

Assume that you store the required SSL files in a path YOUR_SSL_DIR_PATH (e.g., $jboss-home/standalone/configuration/ssl).

  1. If the directory structure does not exist, run mkdir -p YOUR_SSL_DIR_PATH
  2. Run cd YOUR_SSL_DIR_PATH
  3. Run keytool -genkey -alias jbosskey -keypass <password> -keyalg RSA -keystore server.keystore
     When asked "What is your first and last name?", enter the Common Name: use "localhost" for a local installation. If you are deploying on a server, use the DNS name of the server instead of "localhost". If you are deploying on a server with a public IP but no DNS name, use the IP address as the Common Name and add the option -ext san=ip:10.0.0.1 (with your own IP address in place of 10.0.0.1) to the keytool -genkey command.
  4. Run keytool -export -alias jbosskey -keypass <password> -file server.crt -keystore server.keystore
  5. Run keytool -import -alias jbosscert -keypass <password> -file server.crt -keystore server.keystore and ignore the warning.
  6. In $jboss-home/standalone/configuration/standalone.xml add the following connector inside <subsystem xmlns="urn:jboss:domain:web:1.1" ...>:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" key-alias="jbosskey" password="<password>" certificate-key-file="YOUR_SSL_DIR_PATH/server.keystore" />
</connector>
  7. Restart JBoss and go to https://localhost:8443 to check that SSL is enabled and works correctly.
  8. Next, import this certificate into the Java trust store with the command keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file server.crt -alias incommon. On Linux you will have to do this as root.
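The steps above as an added example, not part of the original wiki: a POSIX shell script that prints the keytool commands for steps 3, 4, 5 and 8, choosing the Common Name and the subjectAltName extension from the host you pass (localhost, a DNS name, or a bare IPv4 address). The alias and file names follow the wiki; the -dname and -storepass options, the -noprompt on the import, the is_ipv4 check and the function names are this example's own choices, added so the commands run without interactive prompts. The keystore password is deliberately set equal to the key password, which is the condition the troubleshooting section below requires.

```shell
#!/bin/sh
# Added example, not part of the OpenIoT wiki: prints the keytool commands
# for the SSL steps above, choosing the Common Name and SAN from the host.
# Assumptions: alias and file names as in the wiki (jbosskey, jbosscert,
# server.keystore, server.crt); -dname and -storepass are added here so the
# commands run without prompts.

# is_ipv4 HOST -> succeeds when HOST is a dotted-quad IPv4 address
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# genkey_cmd HOST PASSWORD -> step 3. CN is HOST; a bare IP address also gets
# the san=ip extension the wiki asks for. Keystore and key passwords are set
# to the same value, the condition the troubleshooting section requires.
genkey_cmd() {
    host=$1; pass=$2
    cmd="keytool -genkey -alias jbosskey -keyalg RSA -keystore server.keystore"
    cmd="$cmd -keypass $pass -storepass $pass -dname CN=$host"
    if is_ipv4 "$host"; then
        cmd="$cmd -ext san=ip:$host"
    fi
    printf '%s\n' "$cmd"
}

# export_cmd PASSWORD -> step 4: write the certificate to server.crt
export_cmd() {
    printf '%s\n' "keytool -export -alias jbosskey -storepass $1 -file server.crt -keystore server.keystore"
}

# import_cmd PASSWORD -> step 5: import the certificate under alias jbosscert;
# -noprompt answers the "certificate already exists" warning the wiki says to ignore
import_cmd() {
    printf '%s\n' "keytool -import -noprompt -alias jbosscert -storepass $1 -file server.crt -keystore server.keystore"
}

# trust_cmd -> step 8: add server.crt to the JVM trust store (run as root on
# Linux; keytool prompts for the cacerts password)
trust_cmd() {
    printf '%s\n' 'keytool -import -keystore "$JAVA_HOME/jre/lib/security/cacerts" -file server.crt -alias incommon'
}

# ssl_setup_script HOST PASSWORD -> the whole sequence, ready to pipe into sh
# from inside YOUR_SSL_DIR_PATH
ssl_setup_script() {
    genkey_cmd "$1" "$2"
    export_cmd "$2"
    import_cmd "$2"
    trust_cmd
}

# Usage: sh ssl-setup.sh 10.0.0.1 '<password>' | sh   (run inside YOUR_SSL_DIR_PATH)
if [ "$#" -ge 2 ]; then
    ssl_setup_script "$1" "$2"
fi
```

Printing the commands rather than running them lets you review the exact keytool invocation (and check the chosen Common Name) before anything is written to the keystore.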

JBOSS SSL Troubleshooting

If you encounter the error "unable to load the key" (as documented in a bug report here), follow the steps below.

In steps 3, 4, and 5, make sure that the keypass parameter and the keystore password (requested during command execution in the terminal) are identical.

To remove the previously registered key use the command keytool -delete -noprompt -alias jbosskey -keystore server.keystore

SSL Troubleshooting

If you encounter the following error, follow the steps suggested here.

SunCertPathBuilderException: Unable To Find Valid Certification Path To Requested Target

Also you might find the solution for your ssl-related issues here.

CAS Server

Configuration

Configuration parameters for the security-server module (OpenIoT CAS) can be found in the OpenIoT global properties file (OpenIoT Commons & Properties).

  • security.lsm.sparql.endpoint: the LSM SPARQL endpoint
  • security.lsm.graphURL: the graph in which data will be stored
  • server.name: the CAS server address
  • The lifetime of tickets is configured by two properties: 1) tgt.maxTimeToLiveInSeconds specifies the maximum time to live of the ticket; after this amount of time the ticket expires no matter how many times it has been accessed; 2) tgt.timeToKillInSeconds determines the maximum time during which the ticket can remain idle; if no access occurs within this period, the ticket expires.
  • Parameters for exporting initial data into LSM: when the OpenIoT CAS server is deployed for the first time and its data graph is empty, some bootstrapping data is stored in the graph by default. This data includes the administrator user's information with its default roles and permissions, as well as the default services. The relevant properties are the following:
    • security.automaticServiceSetup: indicates whether or not the bootstrapping should be done if the data graph is empty. The default value is true.
    • security.initialize.admin.username: username of the admin user. The default value is admin.
    • security.initialize.admin.password: password of the admin user. The default value is secret.
    • security.initialize.admin.email: email of the admin user. The default value is admin@openiot.eu.
    • security.initialize.lsmserver.username: default username for LSM-light.server. The same property exists for scheduler and sdum modules.
    • security.initialize.lsmserver.password: default password for LSM-light.server. The same property exists for scheduler and sdum modules.
    • security.initialize.cas.prefix: the prefix for the CAS service. If you are not deploying on localhost, change the address (or port).
    • security.initialize.management.prefix: the prefix for the security management console service. If you are not deploying on localhost, change the address (or port).
    • security.initialize.management.key: the key for the security management console service.
    • security.initialize.management.secret: the secret for the security management console service.
    • security.demoWebappServices: the list of web application services that are created for each demo user (if enabled by setting security.automaticServiceSetup to true) upon signing up.
    • security.demoServices: the list of all demo services that are enabled for demo users if this feature is activated as mentioned above.
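Before deploying with security.automaticServiceSetup left at true, it is worth checking that the bootstrap defaults listed above have actually been changed. The following POSIX shell script is an added example and not part of the OpenIoT project: it reads a properties file in key=value form, reports an admin password still equal to the bootstrap default secret, and reports a CAS or management prefix that still points at localhost while server.name does not. The property names are the ones listed above; the sample file it writes is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OpenIoT project: flags bootstrap settings in
# an OpenIoT properties file that should not survive into a real deployment.
# Property names are those documented in the wiki; the sample file below is
# constructed for this example.

# prop FILE KEY -> prints the value of KEY (empty if absent)
prop() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_bootstrap_props FILE -> prints one finding per line and returns the
# number of findings (0 means the file passed every check)
check_bootstrap_props() {
    f=$1; findings=0
    if [ "$(prop "$f" security.initialize.admin.password)" = "secret" ]; then
        echo "security.initialize.admin.password is still the bootstrap default"
        findings=$((findings + 1))
    fi
    server=$(prop "$f" server.name)
    for key in security.initialize.cas.prefix security.initialize.management.prefix; do
        value=$(prop "$f" "$key")
        case "$value" in
            *localhost*)
                # a localhost prefix is only consistent with a localhost server.name
                case "$server" in
                    ''|*localhost*) ;;
                    *) echo "$key points at localhost but server.name is $server"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    return "$findings"
}

# write_sample_props FILE -> constructed sample, not a real OpenIoT deployment
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample properties, not from a real deployment
server.name=https://iot.example.org:8443
security.initialize.admin.username=admin
security.initialize.admin.password=secret
security.initialize.cas.prefix=https://localhost:8443/openiot-cas
security.initialize.management.prefix=https://iot.example.org:8443/openiot-security-manager-app
security.automaticServiceSetup=true
EOF
}

# Usage: sh check-props.sh /path/to/openiot.properties
if [ "$#" -ge 1 ]; then
    check_bootstrap_props "$1"
fi
```

On the constructed sample the script reports two findings: the admin password is still secret, and security.initialize.cas.prefix still names localhost although server.name is iot.example.org; the management prefix, which already matches the server, is not reported.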

The following services are created in the bootstrapping step:

  • ServiceManager: This service is required for service management in CAS. The hostname and port in the serviceId column can be changed if required.
  • HTTP: This service is required for OAuth2.0 support in CAS. The hostname and port in the serviceId column can be changed if required.
  • lsm-server: This service is defined for the LSM Server.
  • openiot-security-manager-app: This service corresponds to the management console of the security&privacy module. We will explain how to manage these services later in this documentation.

Deployment

To deploy the OpenIoT CAS server WAR in JBoss, go to the security-server module and run mvn jboss-as:deploy. If the deployment is successful, you should see a web application called openiot-cas deployed in JBoss. Go to https://localhost:8443/openiot-cas and log in using the default admin credentials to verify the deployment.

Managing Services in OpenIoT CAS

Each client has to be registered in CAS in order to be recognized for OAuth2.0. The OpenIoT security management console provides a web interface for registering new services and managing the existing ones.
