Module for managing the OCP attribute authority service

INFN Padova



5,674 latest version

1.9 quality score

Version information

  • 0.0.2 (latest)
  • 0.0.1
released Feb 17th 2017
This version is compatible with:
  • Puppet Enterprise >= 3.0.0 < 2015.4.0
  • Puppet >= 3.0.0 < 5.0.0
  • RedHat

infnpd/ocpattrauth — version 0.0.2 Feb 17th 2017

Puppet module for OCP Attribute Authority

This module installs and configures the OCP Attribute Authority service (a SAML 2.0 attribute authority deployed in Tomcat, backed by a MySQL database).


Supported OS

  • RedHat, CentOS (version >= 7)
  • Ubuntu (version >= 14.04)


Hiera parameters (mandatory):

  • ocp::aa::db::password: password for accessing the application database
  • ocp::aa::db::root_password: password for the MySQL administrator
  • ocp::tomcat::keystore::alias: the alias of the service credential inside the keystore file
  • ocp::tomcat::keystore::file: location of the keystore file containing the service credentials (format: PKCS12 or JKS)
  • ocp::tomcat::keystore::password: password protecting the keystore file

Hiera parameters (optional):

  • ocp::aa::entityid: SAML entity id for the application, default <host>:<port>:it.infn.security.saml
  • ocp::aa::host: host name for the tomcat installation, default the fully qualified host name (fqdn) reported by facter
  • ocp::aa::port: port for the tomcat installation, default 443
  • ocp::aa::contacts: list of contacts published via metadata, default empty list
  • ocp::aa::metadata_expiration: metadata lifetime in seconds, default 432000
  • ocp::aa::organization: hash table of the localized organization data, one key per language identifier (such as en), default empty hash
  • ocp::aa::war_file::url: URL of the application war file, default http://igi-01.pd.infn.it/mrepo/OCP/AttributeAuthority/saml2-attribute-authority.war (note that the default is plain HTTP, so the downloaded artifact is not integrity-protected in transit)
  • ocp::aa::db::host: host name of the application database, default the fully qualified host name (fqdn) reported by facter
  • ocp::aa::db::name: name of the application database, default saml2aadb
  • ocp::aa::db::port: port of the application database, default 3306
  • ocp::aa::db::user: user for accessing the application database, default srvuser
  • ocp::aa::db::bind_address: bind address for the application database, default
  • ocp::aa::db::max_conn: maximum number of connections allowed for the application database, default 500
  • ocp::tomcat::keystore::type: type of the keystore, default JKS (set it to PKCS12 explicitly when the keystore file is a .p12)
  • ocp::tomcat::truststore::file: location of the truststore, default /etc/pki/ca-trust/extracted/java/cacerts
  • ocp::tomcat::truststore::password: password for the truststore, default changeit (the conventional integrity password of the Java CA bundle)
  • ocp::tomcat::truststore::type: type of the truststore, default JKS

The contact object published via metadata is a hash table with the following keys:

  • type: object type (support, technical, administrative, billing), default support
  • givenname: contact first name, default unknown
  • surname: contact family name, default unknown
  • email: contact email address, default unknown
  • phone: contact phone number, default unknown

The localized organization data is a hash table with the following keys:

  • name: Short name for the organization
  • displayname: Description for the organization
  • url: URL of the organization home page

Example of stand-alone installation and configuration

Puppet setup

Check that the hostname and FQDN are correctly detected by puppet:

facter | grep hostname
facter | grep fqdn

In the following examples the FQDN will be myhost.mydomain

Install the OCP Attribute Authority module for puppet: puppet module install infnpd-ocpattrauth

Create the required directories: mkdir -p /etc/puppet/manifests /var/lib/hiera/node

Edit the file /etc/puppet/manifests/site.pp as:

node 'myhost.mydomain' {
  require ocpattrauth
}

Edit the file /etc/hiera.yaml as:

---
:backends:
  - yaml
:hierarchy:
  - "node/%{fqdn}"
:yaml:
  :datadir: /var/lib/hiera

Link the hiera configuration to puppet: ln -s /etc/hiera.yaml /etc/puppet/hiera.yaml

Edit the OCP Attribute Authority description file /var/lib/hiera/node/myhost.mydomain.yaml, an example of minimal configuration is:

ocp::aa::port :                    8443
ocp::aa::db::password :            aadb_pa$$word
ocp::aa::db::root_password :       rootdb_pa$$word
ocp::tomcat::keystore::file :      /etc/security/servicekeys.p12
ocp::tomcat::keystore::password :  keystore_pa$$phrase
ocp::tomcat::keystore::alias :     tomcat
ocp::tomcat::keystore::type :      PKCS12

ocp::aa::contacts : [
    {
        givenname : Michael,
        surname :   Knight,
        email :     michael.knight@example.com,
        phone :     +01 54235738543
    }
]

ocp::aa::organization : {
    en : {
        name :        "OCP",
        displayname : "OpenCityPlatform",
        url : "http://www.opencityplatform.it"
    }
}
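Before applying the manifest it is worth checking the node file for the mistakes that the parameter list above makes easy: a missing mandatory key, a .p12 keystore left at the JKS default type, the truststore still on changeit, and the WAR fetched over plain HTTP. The POSIX shell script below is an added example and not part of the infnpd/ocpattrauth module; the function names (hiera_value, check_ocpattrauth_hiera) are mine, it only understands the flat "key : value" lines the README uses (not arbitrary YAML), and the defaults it assumes (JKS, changeit, port 443, the http:// war URL) are the ones documented on this page. The sample node files it writes are constructed here for demonstration.

```sh
#!/bin/sh
# Pre-flight checks for an ocpattrauth Hiera node file.
# Added example, not part of the infnpd/ocpattrauth module: it reads only the
# top-level "key : value" lines documented in the README, not general YAML.

# Print the value of a top-level "key : value" line (first match, surrounding
# quotes and trailing blanks stripped); prints nothing if the key is absent.
hiera_value() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# Check one node file; prints "errors=N warnings=M" and returns 1 if N > 0.
check_ocpattrauth_hiera() {
    file=$1
    errors=0
    warnings=0

    # 1. Every mandatory parameter must be present and non-empty.
    for key in ocp::aa::db::password ocp::aa::db::root_password \
               ocp::tomcat::keystore::alias ocp::tomcat::keystore::file \
               ocp::tomcat::keystore::password; do
        if [ -z "$(hiera_value "$file" "$key")" ]; then
            echo "ERROR: mandatory parameter $key is missing or empty" >&2
            errors=$((errors + 1))
        fi
    done

    # 2. Keystore type defaults to JKS; a .p12/.pfx file needs an explicit PKCS12.
    ks_file=$(hiera_value "$file" ocp::tomcat::keystore::file)
    ks_type=$(hiera_value "$file" ocp::tomcat::keystore::type)
    [ -n "$ks_type" ] || ks_type=JKS
    case "$ks_file" in
        *.p12|*.pfx)
            if [ "$ks_type" != PKCS12 ]; then
                echo "ERROR: $ks_file looks like PKCS12 but keystore type is $ks_type" >&2
                errors=$((errors + 1))
            fi ;;
    esac

    # 3. Truststore password left at (or defaulting to) the well-known "changeit".
    ts_pw=$(hiera_value "$file" ocp::tomcat::truststore::password)
    if [ -z "$ts_pw" ] || [ "$ts_pw" = changeit ]; then
        echo "WARNING: truststore password is the default 'changeit'" >&2
        warnings=$((warnings + 1))
    fi

    # 4. The WAR is fetched from a plain-http URL unless overridden.
    default_war_url=http://igi-01.pd.infn.it/mrepo/OCP/AttributeAuthority/saml2-attribute-authority.war
    war_url=$(hiera_value "$file" ocp::aa::war_file::url)
    case "${war_url:-$default_war_url}" in
        https://*) ;;
        *) echo "WARNING: war file URL is not https; verify the downloaded artifact" >&2
           warnings=$((warnings + 1)) ;;
    esac

    # 5. The listening port (default 443) must be numeric.
    port=$(hiera_value "$file" ocp::aa::port)
    case "${port:-443}" in
        *[!0-9]*) echo "ERROR: ocp::aa::port '$port' is not a number" >&2
                  errors=$((errors + 1)) ;;
    esac

    echo "errors=$errors warnings=$warnings"
    [ "$errors" -eq 0 ]
}

# Demonstration on constructed files modelled on the README's minimal configuration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.yaml" <<'EOF'
ocp::aa::port :                    8443
ocp::aa::db::password :            aadb_pa$$word
ocp::aa::db::root_password :       rootdb_pa$$word
ocp::tomcat::keystore::file :      /etc/security/servicekeys.p12
ocp::tomcat::keystore::password :  keystore_pa$$phrase
ocp::tomcat::keystore::alias :     tomcat
ocp::tomcat::keystore::type :      PKCS12
EOF
# Same file with the root password dropped and the keystore type left at its default.
grep -v -e root_password -e keystore::type "$demo_dir/good.yaml" > "$demo_dir/bad.yaml"

check_ocpattrauth_hiera "$demo_dir/good.yaml"                           # errors=0 warnings=2
check_ocpattrauth_hiera "$demo_dir/bad.yaml" || echo "bad.yaml rejected"  # errors=2 warnings=2
rm -r "$demo_dir"
```

Run it against /var/lib/hiera/node/myhost.mydomain.yaml before puppet apply; the two warnings on the README's minimal file are expected (no truststore password and no war URL are set, so both defaults apply) and tell you which defaults you are relying on.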