...

This way we end up with an offa binary under /opt/offa/bin/offa

6) Prepare log and key directories

In this step we create the log directory and the signing key directory for offa. The key directory has to match the key_storage path used in the configuration below (/etc/offa/keys), and since it will hold private signing keys it should be readable only by the account that runs offa (mode 0700):

mkdir /var/log/offa

mkdir -p /etc/offa/keys

7) Write the configuration

We will create the configuration file under the /etc/offa directory. Note that ip_listen is 127.0.0.1, so offa is only reachable from the host itself: whatever answers for https://oidfed-appdemo.incubator.geant.org has to forward requests to port 15661. Session state is kept in memcached, which therefore needs to be running and reachable at localhost:11211. The heredoc delimiter is quoted so that nothing in the YAML is subject to shell expansion, and the indentation is kept at two spaces throughout, because YAML rejects mixed indentation within one mapping:

cat << 'EOF' > /etc/offa/config.yaml
server:
  ip_listen: 127.0.0.1
  port: 15661
logging:
  access:
    dir: /var/log/offa
    stderr: false
  internal:
    dir: /var/log/offa
    level: debug
    stderr: false
    smart:
      enabled: true
sessions:
  ttl: 3600
  cookie_domain: oidfed-appdemo.incubator.geant.org
  cookie_name: offamemcache
  memcached_addr: localhost:11211
  memcached_claims:
    UserName:
      - preferred_username
      - sub
    Groups: groups
    Email: email
    Name: name
    GivenName: given_name
    Provider: iss
    Subject: sub
signing:
  key_storage: /etc/offa/keys
federation:
  entity_id: https://oidfed-appdemo.incubator.geant.org
  trust_anchors:
    - entity_id: https://oidfed-ta-demo.incubator.geant.org
  authority_hints:
    - https://oidfed-ta-demo.incubator.geant.org
EOF

8) Startup

Since we want the service to run independently of our terminal, so that it keeps running after we have signed out, we cannot just start it in the foreground.

We have a few options.

We can start it in screen:

screen -S offa /opt/offa/bin/offa

Other options:

  • put the process in the background and disown it
  • create a systemd service for the binary (see below); this is the option to use for anything beyond a quick test, since it also restarts the process on failure and lets it run as an unprivileged account instead of the user who happened to log in

X) Other considerations

Key materials

At first startup, offa will create all the signing keys it needs, both for OpenID Federation (such as signing its metadata) and for OIDC. You can prevent that by creating the keys yourself beforehand, with commands like this:

cd /etc/offa/keys

openssl ecparam -genkey -name secp521r1 -noout -out federation_ES512.pem

This is really only needed if you want different parameters than the default. Whichever way the keys come into existence, they are private signing keys: keep the directory and the files readable only by the account that runs offa.
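
As an added example (not part of the offa project and not one of this page's original commands), the following shell script pre-creates the federation key so that the private key file is never world-readable, not even for the instant between creation and a later chmod, and then checks that what was written is a valid key on the curve ES512 requires. The directory /etc/offa/keys and the file name federation_ES512.pem are taken from this page; the umask, the 0700 directory mode and the checks are choices made here, not requirements stated by offa.

```shell
#!/bin/sh
# Added example, not offa's own tooling. Assumes key_storage is
# /etc/offa/keys and that offa expects federation_ES512.pem there,
# both as shown on this page.
set -e

# Generate a P-521 private key (the curve behind ES512) into DIR and
# print the path of the key file. The directory is made owner-only and
# umask 077 makes openssl create the file as 0600 from the start.
gen_federation_key() {
    dir="$1"
    key="$dir/federation_ES512.pem"
    mkdir -p "$dir"
    chmod 700 "$dir"
    (umask 077 && openssl ecparam -genkey -name secp521r1 -noout -out "$key")
    echo "$key"
}

# Sanity-check a key file: it parses and is internally consistent,
# it is on secp521r1 (anything else will not produce ES512 signatures),
# and group/others cannot read it. Returns 0 only if all three hold.
check_federation_key() {
    key="$1"
    openssl ec -in "$key" -check -noout >/dev/null 2>&1 || return 1
    openssl ec -in "$key" -text -noout 2>/dev/null | grep -q 'secp521r1' || return 1
    # First ten characters of ls -l are the mode string, e.g. -rw-------
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}

# Public half in PEM form, e.g. to compare against the JWK offa publishes.
federation_pubkey() {
    openssl ec -in "$1" -pubout 2>/dev/null
}

# Real installation (run as root): ./genkey.sh install
if [ "${1:-}" = "install" ]; then
    k=$(gen_federation_key /etc/offa/keys)
    check_federation_key "$k" && echo "ok: $k"
fi
```

Running check_federation_key against an existing key is also a cheap way to confirm, before a restart, that nobody has loosened the permissions on the key directory in the meantime.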

Log levels

In the config file above we set the internal log level to debug, which is a good way to see what is happening and get a sense of the system in the beginning. After a while you probably want to switch to info instead of debug, since debug output is verbose and fills /var/log/offa quickly.

Running as systemd service
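
The following is an added example (not offa's own unit file, which this page does not show) of a systemd service for the binary from the steps above, with a dedicated unprivileged account and systemd's sandboxing options so that the process can write only its log directory and its key directory. It assumes the binary is /opt/offa/bin/offa and that it finds /etc/offa/config.yaml on its own, as the screen command above starts it without arguments; the account name offa, the unit name memcached.service and the restart policy are choices made here.

```shell
#!/bin/sh
# Added example, not part of the offa project. Assumptions: binary at
# /opt/offa/bin/offa, config read from /etc/offa/config.yaml without
# arguments, memcached installed as memcached.service, service user "offa".
set -e

SERVICE_USER=offa

# Write the unit file to the path given as the first argument.
write_offa_unit() {
    out="$1"
    cat > "$out" << EOF
[Unit]
Description=offa
After=network-online.target memcached.service
Wants=network-online.target

[Service]
Type=simple
User=$SERVICE_USER
Group=$SERVICE_USER
ExecStart=/opt/offa/bin/offa
Restart=on-failure
RestartSec=5s

# Sandboxing: offa only needs to read its config and write its logs and,
# at first start, its keys; the rest of the filesystem stays read-only.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
ReadWritePaths=/var/log/offa /etc/offa/keys

[Install]
WantedBy=multi-user.target
EOF
}

# Create the account, hand it the two writable directories, install and
# start the unit. Run as root on the target host.
install_offa_service() {
    id "$SERVICE_USER" >/dev/null 2>&1 || \
        useradd --system --user-group --no-create-home \
            --home /etc/offa --shell /usr/sbin/nologin "$SERVICE_USER"
    chown -R "$SERVICE_USER:$SERVICE_USER" /var/log/offa /etc/offa/keys
    chmod 700 /etc/offa/keys
    write_offa_unit /etc/systemd/system/offa.service
    systemctl daemon-reload
    systemctl enable --now offa.service
    systemctl status --no-pager offa.service
}

# Real installation: ./offa-service.sh install
if [ "${1:-}" = "install" ]; then
    install_offa_service
fi
```

Because the service binds to 127.0.0.1:15661 only, no firewall changes are needed; after install, journalctl -u offa.service shows the startup messages and /var/log/offa receives the access and internal logs configured above.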

Monitoring