CILogon Portal Support
======================

The portal application of the DataONE Coordinating Nodes interacts with the CILogon infrastructure to retrieve the client certificate that CILogon generates once a user has authenticated with their identity provider. When it requests these client certificates, the portal identifies itself to CILogon with the public key extracted from the CN wildcard certificate. That public key is registered with CILogon, which produces a *myproxy id* that is recorded in the portal configuration.

Follow the steps below to register an environment with CILogon. Repeat the procedure whenever the server certificate for the CNs is changed, because the registration is tied to the public key of that certificate.

1. Find the public key for the certificate used by the server.

   The ``dataone-cn-portal`` buildout postinst script creates this file from the public certificate configured for the given CN (usually a wildcard certificate for the domain). For our test environments, it is::

      /etc/ssl/certs/_.test.dataone.org.crt.publickey

   The key is the block between the ``-----BEGIN PUBLIC KEY-----`` and ``-----END PUBLIC KEY-----`` markers. Only this public key is submitted to CILogon; the private key stays on the server.

2. Register this public key with CILogon to get a myproxy id::

      https://cilogon.org/oauth/register

   Register only once per environment, using the round-robin hostname and URLs that are not machine-specific, so that every CN in the environment shares the same registration. Here is an example from SANDBOX2::

      Name: DataONE Coordinating Node - Sandbox 2
      Home uri: https://cn-sandbox-2.test.dataone.org/portal
      Failure uri: https://cn-sandbox-2.test.dataone.org/portal/pages/client-error.jsp
      Creation time: Wed Jan 28 17:37:48 CST 2015
      Generated identifier: myproxy:oa4mp,2012:/client/66a303882b6e4bec1e91cbf2ccda1e8

3. Include this myproxy id in the portal configuration file::

      /var/lib/tomcat7/webapps/portal/WEB-INF/client.xml

   For more permanent CN buildouts (e.g., DEV2), also add it to the ``dataone-cn-portal`` postinst script so that the correct myproxy id is written to the config file on installation in that environment (there is a large per-environment condition block for this).

4. By now, CILogon will have sent confirmation to the email address used for the registration that the myproxy client registration is active.
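As an added example (not code from the DataONE project or its ``dataone-cn-portal`` postinst script), the following shell script reproduces what the postinst does in effect, writing the server certificate's public key to a ``.publickey`` file, and adds the two checks an operator wants before pasting that key into the CILogon registration form: that the file really contains a PEM ``PUBLIC KEY`` block, and that the key still matches the certificate currently served, so a stale registration is caught after a certificate change. It assumes ``openssl`` is installed; all paths are hypothetical and a throwaway self-signed wildcard certificate stands in for the real CN certificate.

```shell
#!/bin/sh
# Added example, not part of the DataONE dataone-cn-portal postinst script.
# Reproduces what that script does in effect (write the server certificate's
# public key to <cert>.publickey) and checks that the key is well-formed and
# still matches the certificate in use. Paths are hypothetical; a throwaway
# self-signed certificate stands in for the real CN wildcard certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed certificate (constructed input, not a real CN cert).
gen_test_cert() {   # $1 = cert path, $2 = private key path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.test.dataone.org" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Write the certificate's public key, PEM-encoded, to <cert>.publickey and
# print that path. Only the certificate is read; the private key is never touched.
extract_pubkey() {  # $1 = cert path
  openssl x509 -in "$1" -pubkey -noout > "$1.publickey"
  printf '%s\n' "$1.publickey"
}

# Check 1: the file carries the BEGIN/END PUBLIC KEY markers the registration form expects.
has_pem_markers() { # $1 = publickey file
  grep -q -- '-----BEGIN PUBLIC KEY-----' "$1" &&
  grep -q -- '-----END PUBLIC KEY-----' "$1"
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo: a stable identifier for a public key.
fingerprint_of_pubkey_file() { # $1 = publickey file
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
fingerprint_of_cert_key() {    # $1 = cert path
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Check 2: the key that was registered matches the certificate currently served.
# Fails (non-zero) when the certificate was replaced and re-registration is due.
registered_key_matches() {     # $1 = publickey file, $2 = cert path
  [ "$(fingerprint_of_pubkey_file "$1")" = "$(fingerprint_of_cert_key "$2")" ]
}

# Demo: derive the key, verify it, then simulate a certificate change.
CERT1="$WORK/_.test.dataone.org.crt";     KEY1="$WORK/_.test.dataone.org.key"
CERT2="$WORK/_.test.dataone.org.new.crt"; KEY2="$WORK/_.test.dataone.org.new.key"
gen_test_cert "$CERT1" "$KEY1"
PUB=$(extract_pubkey "$CERT1")
has_pem_markers "$PUB" && echo "ok: $PUB contains a PEM PUBLIC KEY block"
registered_key_matches "$PUB" "$CERT1" && echo "ok: registered key matches current certificate"

gen_test_cert "$CERT2" "$KEY2"   # new key pair, as after a certificate replacement
if registered_key_matches "$PUB" "$CERT2"; then
  echo "registration still valid"
else
  echo "certificate changed: regenerate $PUB and re-register with CILogon"
fi
```

Run it on a CN with the real paths substituted for ``CERT1`` and ``PUB``; a mismatch from ``registered_key_matches`` means the ``.publickey`` file predates the current certificate and the CILogon registration must be redone before the portal can obtain client certificates again.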