...
Info |
---|
This guide assumes that you are using the latest available version of RHEL/CentOS/SL 6 - which at the time of writing this guide is 6.5. |
Numberedheadings |
---|
System PreparationInstall RHEL/CentOS/SL 6The first thing that is required is a RHEL/CentOS/SL 6 machine - this can be physical or virtual.
We would recommend using LVM when disk partitioning to allow easier partition/disk expansion on a live system. After install, you will want to secure/lockdown the server as best practice dictates - for both the server and any extra software installed. This is beyond the remit of this guide but there are many guides available, e.g. for securing CentOS, and SSH servers. Configure CentOS 6Next, there are a few CentOS configuration options that need to be set in advance. Networking configurationFor production deployments, it is recommended that the Trust Router be assigned a static IP address. Firewall configurationThe following ports are required to be accessible from the outside world, both in local firewall and in any external firewalls:
Add the Required RepositoriesTrust Router requires two yum repositories to be added to the system - EPEL (home of some required dependencies), and the Moonshot repository. Install EPEL by, running the following command: Install the Moonshot repository by creating a new file at Install the Moonshot GPG key: bashInstall Trust RouterWe’re now ready to install the Trust Router software and its required dependencies. Install the software by running the following command: Configure Trust RouterNext, we need to configure the Trust Router. RadSecAPC TLSFirst, you will need a copy of a client key and certificate (and appropriate CA) from the APC(s) that your Trust Router serves. Copy them onto the filesystem. You can put these files anywhere on the file system, but this guide assumes you put them in Connection to APCNext, we need to configure the RadSec configuration for the APC. We do this by creating a file at Trust RouterDaemon ConfigurationYour Trust Router will need to have a few core configuration items set. To do this:
Moonshot ConfigurationMoonshot, you say? Yes, Trust Router uses Moonshot to authenticate and secure all communications between Trust Router clients and servers. So, you will need to configure the trust router user to make use of the Moonshot flatstore (i.e. telling Moonshot that this is a special system account, not a regular user account), and you will need to import a set of credentials for your Trust Router to use.
ShibbolethShibboleth, you say? Yes, Shibboleth is used by the Moonshot components to be able to deal with incoming SAML. However, this feature typically isn't used in Trust Router, but its logging will appear in your Trust Router's log files. So, to simplify your log files, it is recommended that you silence the Shibboleth logging. To do this:
Default PeerIf your Trust Router is going to run in its own, standalone, trust network, then you can skip this step. If it is going to run in a wider trust network, then you can configure your Trust Router's default peer - i.e. the Trust Router it sends its clients to when they ask it to locate a Moonshot entity that your Trust Router doesn't know about. To do this:
Restart your Trust RouterYou are now ready to restart your Trust Router and test it. To do this:
Testingservice trustrouter status. Default should work, tr-test shouldn't. Next StepsAt this point, you now have a Trust Router. Blimey. /etc/trust_router/trusts.cfg with trust config
|