Permissions Installation Checklist
2024-03-26 14:03:06 -0400

Overview

Purpose: Provide component and role authorization settings for TDS components
Communicates With: ProgMan, ART, Proctor, Teacher Hand-Scoring System, TestSpecBank
Repository Location: https://github.com/SmarterApp/SS_Permissions
Additional Documentation: Permissions DTD, Permissions API, Permissions Database Design, Permissions User Guide, Permissions High-Level Design, Permissions Roles to Components Map

Instructions

Create AWS MySQL Instance


#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed in ticks/quotes,
# especially if they contain "#" characters...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port        = 3306
socket      = /var/run/mysqld/mysqld.sock

# Here are entries for some specific programs
# The following values assume you have at least 32M ram

# This was formerly known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket      = /var/run/mysqld/mysqld.sock
nice        = 0

[mysqld]
#
# * Basic Settings
#
user        = mysql
pid-file    = /var/run/mysqld/mysqld.pid
socket      = /var/run/mysqld/mysqld.sock
port        = 3306
#basedir        = /opt/mysql/server-5.6
basedir     = /usr
datadir     = /var/lib/mysql
tmpdir      = /var/tmp/mysql
#lc-messages-dir    = /opt/mysql/server-5.6/share
lc-messages-dir = /usr/share/mysql/english
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
# Left commented out here, so the server listens on all interfaces and accepts the
# remote datasource connection from the web application instance; limit who can
# reach port 3306 with the instance's security group.
#bind-address       = 127.0.0.1
#
# * Fine Tuning
#
key_buffer      = 16M
max_allowed_packet  = 16M
thread_stack        = 192K
thread_cache_size       = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover         = BACKUP
#max_connections        = 100
#table_cache            = 64
#thread_concurrency     = 10
#
# * Query Cache Configuration
#
query_cache_limit   = 1M
query_cache_size        = 16M
#
# * Logging and Replication
#
# Both locations get rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Here you can see queries with especially long duration
#log_slow_queries   = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id      = 1
#log_bin            = /var/log/mysql/mysql-bin.log
expire_logs_days    = 10
max_binlog_size         = 100M
#binlog_do_db       = include_database_name
#binlog_ignore_db   = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
[mysqldump]
quick
quote-names
max_allowed_packet  = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completion

[isamchk]
key_buffer      = 16M

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

Create Remote User Account

IMPORTANT: This is definitely not secure and should not be done for a production system!

Create Permissions Database

ubuntu@perm-db-deploy:~$ ls -alh
total 44K
drwxr-xr-x  6 ubuntu ubuntu 4.0K Apr 11 04:25 .
drwxr-xr-x  3 root   root   4.0K Apr 10 18:08 ..
-rw-r--r--  1 ubuntu ubuntu  220 Apr  9  2014 .bash_logout
-rw-r--r--  1 ubuntu ubuntu 3.6K Apr 11 03:22 .bashrc
drwx------  2 ubuntu ubuntu 4.0K Apr 11 03:22 .cache
-rw-------  1 ubuntu ubuntu  193 Apr 11 04:20 .mysql_history
drwxrwxr-x  5 ubuntu ubuntu 4.0K Apr 11 04:25 SS_Permissions
-rw-r--r--  1 ubuntu ubuntu  675 Apr  9  2014 .profile
drwx------  2 ubuntu ubuntu 4.0K Apr 11 04:09 .ssh
drwxrwxr-x 13 ubuntu ubuntu 4.0K Apr 11 04:16 TDS_Build
-rw-------  1 ubuntu ubuntu 4.0K Apr 11 04:16 .viminfo

Verify the Permissions Database Schema Was Created and Populated With Seed Data

+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| permissions_db     |
+--------------------+
+--------------------------+
| Tables_in_permissions_db |
+--------------------------+
| component                |
| entitytype               |
| permission               |
| permission_role          |
| role                     |
| role_entity              |
+--------------------------+
+----------+
| count(*) |
+----------+
|      416 |
+----------+

Create AWS Web Application Instance

Permissions Setup

Set Up Tomcat Server


     <Connector port="8080" protocol="HTTP/1.1"
          connectionTimeout="20000"
          URIEncoding="UTF-8"
          redirectPort="8443"
          maxHttpHeaderSize="65536" />

Set Up a Keystore

-----BEGIN CERTIFICATE-----
// This is where the certificate content is
-----END CERTIFICATE-----
sudo keytool -genkey -alias progman-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks  -keysize 2048
Enter keystore password:
What is your first and last name?
  [Unknown]:  ProgMan Component
What is the name of your organizational unit?
  [Unknown]:  sbac
What is the name of your organization?
  [Unknown]:  SBAC
What is the name of your City or Locality?
  [Unknown]:  San Diego
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ProgMan Component, OU=sbac, O=SBAC, L=San Diego, ST=California, C=US correct?
  [no]:  yes

Verify Keystore Contents

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

sbtdsorg, Apr 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D6:06:FA:33:AB:E4:27:26:D5:E1:B2:AB:1E:1D:FF:1E:7E:C0:21:4F
progman-saml-sp, Apr 6, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8D:3A:66:1D:0C:7B:0A:40:96:B7:A6:8F:13:27:AB:E8:05:7D:8D:3A

Additional Notes

Configure Permissions in ProgMan

datasource.url=jdbc:mysql://54.191.75.254:3306/permissions_db
datasource.username=remoteuser
datasource.password=[redacted]
datasource.driverClassName=com.mysql.jdbc.Driver
datasource.minPoolSize=5
datasource.acquireIncrement=5
datasource.maxPoolSize=20
datasource.checkoutTimeout=60000
datasource.maxConnectionAge=0
datasource.acquireRetryAttempts=5
permission.uri=http://54.213.111.234:8080/rest
permission.security.profile=Development
component.name=Permissions
permission.security.idp=https://sso-deployment.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
permission.webapp.saml.metadata.filename=perm-saml-sp.xml
permission.security.saml.keystore.pass=[redacted]
permission.security.dir=file:////var/lib/tomcat7/resources/security
permission.security.saml.keystore.cert=perm-saml-sp
permission.security.saml.alias=permissions_web
oauth.tsb.client=tsb
oauth.access.url=https://sso-deployment.sbtds.org/auth/oauth2/access_token?realm=/sbac
oauth.tsb.client.secret=[redacted]
permission.oauth.resource.client.secret=[redacted]
permission.oauth.resource.client.id=pm
permission.oauth.checktoken.endpoint=https://sso-deployment.sbtds.org/auth/oauth2/tokeninfo?realm=/sbac

Deploy Permissions Components

Configure Tomcat

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms[initial amount of memory that can be allocated to the JVM heap]\
 -Xmx[maximum amount of memory that can be allocated to the JVM heap]\
 -XX:PermSize=[initial amount of memory that can be used for PermGen]\
 -XX:MaxPermSize=[maximum amount of memory that can be used for PermGen]\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dspring.profiles.active=progman.client.impl.integration,mna.client.null,server.singleinstance\
 -Dprogman.baseUri=http://[URL to the ProgMan REST component]/rest/\
 -Dprogman.locator=[name of component in ProgMan],[name of Component's environment in ProgMan]"

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms512m\
 -Xmx1024m\
 -XX:PermSize=512m\
 -XX:MaxPermSize=512m\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dspring.profiles.active=progman.client.impl.integration,mna.client.null\
 -Dprogman.baseUri=http://52.34.140.123:8080/rest/\
 -Dprogman.locator=permissions,Development"

Install MySQL Connector in Tomcat

Download War File

oauth.access.url=https://[FQDN or IP address of OpenAM server]/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=[OAuth client id from OpenAM]
pm.oauth.client.secret=[OAuth client secret from OpenAM]
pm.oauth.batch.account=[User account in OpenDJ]
pm.oauth.batch.password=[Password for OpenDJ user account]

oauth.access.url=https://sso-dev.sbtds.org/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=pm
pm.oauth.client.secret=[redacted]
pm.oauth.batch.account=prime.user@example.com
pm.oauth.batch.password=[redacted]
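The ProgMan property blocks above (the Permissions datasource/SAML/OAuth settings and the OpenAM OAuth settings) mix bracketed placeholders such as [OAuth client id from OpenAM] with filled-in values. The following is an added pre-deployment check, not part of the SmarterApp checklist or the SS_Permissions code: it parses a .properties file, reports any bracketed placeholder that was never replaced, and reports any endpoint still configured over plain http. The sample file and its host names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the property blocks in this checklist;
# host names and values are placeholders, not a real deployment.
SAMPLE_PROPERTIES = """\
datasource.url=jdbc:mysql://db.example.internal:3306/permissions_db
datasource.username=remoteuser
datasource.password=[redacted]
permission.uri=http://perm.example.internal:8080/rest
permission.security.idp=https://sso.example.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
pm.oauth.client.id=[OAuth client id from OpenAM]
oauth.access.url=https://sso.example.org/auth/oauth2/access_token?realm=/sbac
"""

# Matches values left as a bracketed placeholder, e.g. [redacted] or
# [OAuth client id from OpenAM], which a deployed file must never contain.
PLACEHOLDER = re.compile(r"^\[.*\]$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments,
    no line continuations. Only the first '=' separates key from value, so
    query strings such as ?realm=/sbac survive intact."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per unfilled placeholder or plain-http endpoint."""
    findings: List[str] = []
    for key, value in props.items():
        if PLACEHOLDER.match(value):
            findings.append(f"{key}: placeholder {value} was not replaced")
        # Tokens and credentials travel to these endpoints; plain http exposes them.
        if value.startswith("http://"):
            findings.append(f"{key}: endpoint uses plain http, expected https")
    return findings


if __name__ == "__main__":
    for finding in check_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

The checklist's own development examples use http on the REST port, so a plain-http finding is a prompt to confirm that choice rather than an error in itself.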

SAML (Security Assertion Markup Language) Setup and Configuration

Configure Automatic Metadata Generation

Create SAML Metadata File For the Component

Update the securityContext.xml File for Automatic Metadata Generation

<security:http entry-point-ref="delegatingAuthenticationEntryPoint" use-expressions="true">
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <security:custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
</security:http>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="[name of component]"/>
</bean>

NOTE: The component name should not have spaces.

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="progman_rest"/>
</bean>

Verify SAML Metadata Setup

SAML Pre-Configured Metadata Configuration

Verify SAML Metadata Setup

Additional Notes

SAML Service Provider Registration

Verify the Service Provider is Configured

Update ProgMan Properties Configuration


As of Fall 2018 the Smarter Balanced Test Delivery System (TDS) is no longer supported.

The code base and documentation for the TDS is available within the Smarter Balanced GitHub repository.

Unless stated otherwise, all content on SmarterApp.org is licensed under a Creative Commons Attribution 4.0 International License.