CILogon Portal Support

The portal application of the DataONE Coordinating Nodes interacts with the CILogon infrastructure to retrieve the client certificate generated by CILogon once a user has authenticated with their identity provider. The portal uses the public key taken from the CN wildcard certificate to identify itself when requesting authenticated client certificates from CILogon. This public key is registered with CILogon to produce a myproxy id, which is recorded in the portal configuration.

The following steps should be followed to register an environment with CILogon. This procedure should be repeated whenever the server certificate for the CNs is changed.

  1. Find the public key for the certificate used by the server. The dataone-cn-portal buildout postinst script will create a file based on the public certificate that is configured for the given CN (usually a wildcard for the domain). For our test environments, it is:

    /etc/ssl/certs/_.test.dataone.org.crt.publickey
    

    The value to register is the text between the BEGIN PUBLIC KEY and END PUBLIC KEY lines.

  2. Register this public key with CILogon to get a myproxy id:

    https://cilogon.org/oauth/register
    

    You should only register with the round-robin hostname (once per environment) and use URLs that are not machine-specific. Here’s an example from SANDBOX2:

    Name:                 DataONE Coordinating Node - Sandbox 2
    Home uri:             https://cn-sandbox-2.test.dataone.org/portal
    Failure uri:          https://cn-sandbox-2.test.dataone.org/portal/pages/client-error.jsp
    Creation time:        Wed Jan 28 17:37:48 CST 2015
    Generated identifier: myproxy:oa4mp,2012:/client/66a303882b6e4bec1e91cbf2ccda1e8
    
  3. Include this myproxy id in the portal configuration file:

    /var/lib/tomcat7/webapps/portal/WEB-INF/client.xml
    

    For more permanent CN buildouts (e.g., DEV2), include it in the dataone-cn-portal postinst script such that the correct myproxy id will be set in the config file on installation in this environment (there is a big condition block for this).

  4. By now, CILogon will have reported back to the email address you registered with that the myproxy client registration is active.
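The following shell helpers are an added example and are not part of the DataONE portal buildout or of CILogon. They cover the two places in this procedure where a pasted value can go wrong: extracting the public key body for step 1, confirming that the stored `.publickey` file still matches the installed certificate (the page says registration must be redone whenever the server certificate changes), and sanity-checking the shape of the myproxy id before it is written into `client.xml` in step 3. Assumptions: the public key file has the standard PEM `-----BEGIN PUBLIC KEY-----` / `-----END PUBLIC KEY-----` markers, the certificate is PEM encoded and lives at the path without the `.publickey` suffix, and a myproxy id has the shape of the one shown above (`myproxy:oa4mp,2012:/client/<hex>`). The embedded sample key is constructed base64 text, not a real key.

```shell
#!/bin/sh
# Added example, not part of the DataONE docs or the dataone-cn-portal package.
# Assumptions (not stated on the page): PEM files with standard BEGIN/END
# PUBLIC KEY markers; openssl available on the CN; myproxy ids look like the
# example id on the page, "myproxy:oa4mp,2012:/client/<hex>".

# Step 1: print the base64 body of a PEM public key file with the BEGIN/END
# marker lines removed and the remaining lines joined, which is the value the
# CILogon registration form asks for.
pem_public_key_body() {
    sed -n '/^-----BEGIN PUBLIC KEY-----$/,/^-----END PUBLIC KEY-----$/p' "$1" \
        | sed '1d;$d' | tr -d '\n'
}

# Drift check: recompute the public key from the installed certificate and
# compare it with the stored .publickey file. A mismatch means the certificate
# was replaced and the CILogon registration (step 2) has to be repeated with
# the new key, otherwise CILogon will refuse the portal's requests.
public_key_matches_cert() {
    cert="$1"
    keyfile="$2"
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey | sed '1d;$d' | tr -d '\n')
    stored=$(pem_public_key_body "$keyfile")
    [ -n "$from_cert" ] && [ "$from_cert" = "$stored" ]
}

# Step 3: sanity-check a myproxy id before pasting it into client.xml or the
# postinst condition block. The shape is an assumption taken from the single
# id shown on the page; a value that does not match is most likely a
# truncated or mangled copy.
is_myproxy_id() {
    printf '%s' "$1" | grep -Eq '^myproxy:oa4mp,2012:/client/[0-9a-f]+$'
}

# Constructed sample public key file (base64 of two ASCII strings, NOT a real
# key) so the extraction helper can be exercised offline.
SAMPLE_PUBLIC_KEY='-----BEGIN PUBLIC KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=
-----END PUBLIC KEY-----'

# Write the constructed sample to a temporary file and print its path.
write_sample_publickey() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PUBLIC_KEY" > "$f"
    echo "$f"
}

# Usage on a CN (paths are the test-environment examples from the page):
#   sh cilogon_check.sh --check /etc/ssl/certs/_.test.dataone.org.crt \
#       /etc/ssl/certs/_.test.dataone.org.crt.publickey
if [ "${1:-}" = "--check" ]; then
    if public_key_matches_cert "$2" "$3"; then
        echo "stored public key matches $2; registration still valid"
    else
        echo "public key in $3 does not match $2; re-register with CILogon" >&2
        exit 1
    fi
fi
```

Run `public_key_matches_cert` from the dataone-cn-portal postinst or a cron job on each CN; a non-zero exit is the signal that the wildcard certificate was rotated and the CILogon registration in step 2 is stale.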