Deploy the server webapp:
$ cd $CATALINA_HOME/webapps
$ curl -sO https://github.com/ncsa/oa4mp/releases/latest/download/oauth2.war
Next, configure the server.
$ vi $CATALINA_HOME/conf/web.xml   # add oa4mp:server.config.file parameter
$ tail -9 $CATALINA_HOME/conf/web.xml
  <context-param>
    <param-name>oa4mp:oauth2.server.config.file</param-name>
    <param-value>/Users/username/oa4mp/server2-cfg.xml</param-value>
  </context-param>
  <context-param>
    <param-name>oa4mp:oauth2.server.config.name</param-name>
    <param-value>server2-config</param-value>
  </context-param>
</web-app>
$ mkdir -p ~/oa4mp/storage
$ vi ~/oa4mp/server-cfg.xml   # set myproxy-server hostname, fileStore path, mail config
$ cat ~/oa4mp/server-cfg.xml   # OAuth server on localhost, myproxy-server on myproxy.example.edu
<config>
  <service address="https://localhost:8443/oauth2" name="server2-config">
    <fileStore path="/users/username/oa4mp/storage2">
      <clients/>
      <clientApprovals/>
    </fileStore>
    <myproxy host="myproxy.example.edu" port="7512"/>
    <mail enabled="true" server="smtp.example.edu" username="username@example.edu" recipients="username@example.edu">
      <messageTemplate>/Users/username/oa4mp/message.txt</messageTemplate>
      <subjectTemplate>/Users/username/oa4mp/subject.txt</subjectTemplate>
    </mail>
  </service>
</config>
$ vi ~/oa4mp/message.txt
$ cat ~/oa4mp/message.txt   # A sample template
A client has requested approval.
Name: ${name}
Contact email: ${email}
Home uri: ${homeUri}
Failure uri: ${failureUri}
Creation time: ${creationTime}
Generated identifier: ${identifier}
If you approve this request, you should send a notice to the contact email and include the generated identifier.
$ vi ~/oa4mp/subject.txt
$ cat ~/oa4mp/subject.txt
Client approval request received for ${name}
$ $CATALINA_HOME/bin/startup.sh   # start up the server
Next, register the client. You must submit the web form at https://localhost:8443/oauth2/register (or whatever the address is going to be) to register the client and get both a client ID and client secret.
Next, configure the client. You must preserve both the client ID and the client secret in the configuration file. Note that the client secret is a single string: do not add any line breaks or spaces, and be aware that some browsers add these when you copy the secret to the clipboard. A typical example configuration might be
$ vi $CATALINA_HOME/conf/web.xml   # add oa4mp:client.config.file parameter
$ tail -5 $CATALINA_HOME/conf/web.xml
<config>
  <client name="client2-config">
    <callbackUri>https://localhost:8443/client2/ready</callbackUri>
    <secret>DMfidLiDbA1SfH9in_QoI9tfa48HmOW18ubcOLTPHgMtrJ5G8PnNuq0hQB3E6daRXwSqe9V6O14C7jRwI7KkoM2VSCfTmGrcRJQTRL</secret>
    <serviceUri>https://localhost:8443/oauth2</serviceUri>
    <authorizeUri>https://localhost:8443/oauth2/authorize</authorizeUri>
    <id>myproxy:oa4mp,2012:/client/21653006d3ffb1344480e06e97207578</id>
    <showRedirectPage>true</showRedirectPage>
  </client>
</config>
Restart Tomcat so the new client configuration takes effect:
$ $CATALINA_HOME/bin/shutdown.sh
$ $CATALINA_HOME/bin/startup.sh
Next we need to approve the client registration request with the command-line tool:
$ cd ~/oa4mp
$ curl -sO https://github.com/ncsa/oa4mp/releases/latest/download/oa2-cli.jar
$ curl -sO https://github.com/ncsa/oa4mp/releases/latest/download/oa2-cli
You will probably need to edit oa2-cli to make the paths work on your system. You will also need to either create a config file or point it at the server config file that you are already using. We recommend the latter.
Edit oa2-cli to point to the right paths for the config file and jar, and make sure that the permission is set to executable. Run the tool, passing in the name of the configuration as a parameter ("server2-config" in the example).
$ ./oa2-cli server2-config
oa2 >use clients
clients >ls
0. (N) myproxy:oa4mp,2012:/client_id/600019ae306de2049a701144df34ccd3 (Test428)
clients >approve 0
approver[(null)]:admin
approve this[n]:y
save this approval record [y/n]?y
approval saved
clients >exit
oa2 >exit
Deploy the client webapp:
$ cd $CATALINA_HOME/webapps
$ curl -sO https://github.com/ncsa/oa4mp/releases/latest/download/client2.jar
If everything went well, the example OA4MP client should be running at https://localhost:8443/client2/.
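Two of the steps above are easy to get subtly wrong: the client secret picks up a line break from the clipboard, or the web.xml context-params point at a config file or service name that does not match. As an added example (not part of OA4MP or this walkthrough), the POSIX shell script below checks both; every file it writes is a constructed sample.

```shell
#!/bin/sh
# Added sanity checks for an OA4MP install (example code, not part of OA4MP); all files written below are constructed samples.
# check_secret FILE: 0 if <secret> holds one unbroken token, 1 if it picked up
# whitespace or a line break (the clipboard problem the walkthrough warns about)
check_secret() {
    s=$(tr '\n' ' ' < "$1" | sed -n 's|.*<secret>\(.*\)</secret>.*|\1|p')
    [ -n "$s" ] || { echo "$1: no <secret> element" >&2; return 1; }
    case "$s" in
        *[[:space:]]*) echo "$1: secret contains whitespace or a line break" >&2; return 1 ;;
    esac
}
# web_param WEB_XML NAME: print the <param-value> of context-param NAME
web_param() {
    tr '\n' ' ' < "$1" |
        sed -n "s|.*<param-name>$2</param-name> *<param-value>\([^<]*\)</param-value>.*|\1|p"
}
# check_server_config WEB_XML: the file named by oa4mp:oauth2.server.config.file
# must exist and define a <service> named by oa4mp:oauth2.server.config.name
check_server_config() {
    f=$(web_param "$1" oa4mp:oauth2.server.config.file)
    n=$(web_param "$1" oa4mp:oauth2.server.config.name)
    [ -f "$f" ] || { echo "$1: config file '$f' does not exist" >&2; return 1; }
    grep -q "<service[^>]*name=\"$n\"" "$f" ||
        { echo "$f: no <service name=\"$n\">" >&2; return 1; }
}
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/server-cfg.xml" <<'EOF'
<config>
  <service address="https://localhost:8443/oauth2" name="server2-config">
    <fileStore path="/tmp/oa4mp/storage"><clients/><clientApprovals/></fileStore>
  </service>
</config>
EOF
cat > "$tmp/web.xml" <<EOF
<web-app>
  <context-param><param-name>oa4mp:oauth2.server.config.file</param-name>
    <param-value>$tmp/server-cfg.xml</param-value></context-param>
  <context-param><param-name>oa4mp:oauth2.server.config.name</param-name>
    <param-value>server2-config</param-value></context-param>
</web-app>
EOF
# one clean secret, one that picked up a line break when pasted
printf '<client><secret>AbC123xyz</secret></client>\n' > "$tmp/good.xml"
printf '<client><secret>AbC123\nxyz</secret></client>\n' > "$tmp/bad.xml"
check_server_config "$tmp/web.xml" && echo "server config OK"
check_secret "$tmp/good.xml" && echo "good.xml OK"
check_secret "$tmp/bad.xml" || echo "bad.xml rejected"
```

Point the two functions at your real $CATALINA_HOME/conf/web.xml and client config file to run the same checks on a live install.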
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
           keystoreFile="${user.home}/certs/localhost-2020.jks"
           keystorePass="XXXXX" keystoreType="JKS"
           truststoreFile="${user.home}/dev/csd/config/ncsa-cacerts"
           truststorePass="YYYYY" truststoreType="JKS"
           clientAuth="false" sslProtocol="TLS" />
For the client, you should set atServerDN="localhost" in the client tag, e.g.
<client name="client2-config" atServerDN="localhost">
You should simply add a keystore section to your client configuration (works with all versions of OA4MP) as described here. E.g.
<ssl debug="false" useJavaTrustStore="true">
  <trustStore>
    <path>/home/ncsa/certs/localhost-2020.jks</path>
    <password><![CDATA[XXXXX]]></password>
    <type>JKS</type>
    <certDN><![CDATA[CN=localhost]]></certDN>
  </trustStore>
</ssl>
This walkthrough assumes Unix (CentOS, Ubuntu server). If you wish to try this under Windows or some other more exotic version of Unix (such as Solaris), be aware that certificates set in CATALINA_OPTS will not be read without more tinkering with the Tomcat startup scripts. In that case the easiest thing to do is simply add a keystore section to your client configuration.