CILogon Portal Support
======================

The portal application of the DataONE Coordinating Nodes interacts with the
CILogon infrastructure to retrieve the client certificate that CILogon issues
once a user has authenticated with their identity provider. The portal
identifies itself to CILogon, when requesting those client certificates, with
the public key taken from the CN wildcard server certificate. Only the public
key is sent to CILogon; the private key stays on the CNs. Registering the
public key with CILogon yields a *myproxy id* (the client identifier), which is
recorded in the portal configuration.

The following steps register an environment with CILogon. Repeat the procedure
whenever the server certificate for the CNs is replaced, because the
registration is bound to that certificate's public key.

1. Find the public key for the certificate used by the server. The
   ``dataone-cn-portal`` buildout postinst script creates a file holding the
   public key extracted from the certificate configured for the given CN
   (usually a wildcard certificate for the domain). For our test environments
   it is::

     /etc/ssl/certs/_.test.dataone.org.crt.publickey

   The value to register is the base64 text between the
   ``-----BEGIN PUBLIC KEY-----`` and ``-----END PUBLIC KEY-----`` lines.

2. Register this public key with CILogon to get a myproxy id::

     https://cilogon.org/oauth/register 

   Register once per environment, using the round-robin hostname, and give
   URLs that are not specific to an individual machine. Here is an example
   from SANDBOX2::

     Name:                  DataONE Coordinating Node - Sandbox 2
     Home uri:              https://cn-sandbox-2.test.dataone.org/portal
     Failure uri:           https://cn-sandbox-2.test.dataone.org/portal/pages/client-error.jsp
     Creation time:         Wed Jan 28 17:37:48 CST 2015
     Generated identifier:  myproxy:oa4mp,2012:/client/66a303882b6e4bec1e91cbf2ccda1e8

3. Include this myproxy id in the portal configuration file. Config file::

     /var/lib/tomcat7/webapps/portal/WEB-INF/client.xml

   For more permanent CN buildouts (e.g., DEV2), also add it to the
   ``dataone-cn-portal`` postinst script, so that the correct myproxy id is
   written to the config file on installation in that environment (the script
   already has a per-environment conditional block for this).

4. CILogon sends a notice to the email address used at registration once the
   myproxy client registration is active. Check for it before relying on the
   new registration.
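The checks a CN operator would want around this procedure, as an added shell
example rather than code from the DataONE buildout: extracting the public key
from the server certificate the way the postinst does, isolating the text to
paste into the CILogon form, fingerprinting the key so the ``.publickey`` file
on each CN can be compared with what was registered (and detecting a stale file
after a certificate change), and validating the shape of the returned myproxy
id before it goes into ``client.xml``. It assumes the ``openssl`` CLI; the
``make_test_cert`` helper builds a throwaway self-signed wildcard certificate
as a stand-in for the real CN certificate.

```shell
#!/bin/sh
# Added example, not part of the DataONE buildout. Assumes the openssl CLI.
set -eu

# Step 1 equivalent: pull the SubjectPublicKeyInfo out of the server
# certificate as a PEM "PUBLIC KEY" block (what the postinst writes to
# /etc/ssl/certs/<name>.crt.publickey).
extract_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# The base64 body between the BEGIN/END lines, joined onto one line: this is
# the text that is pasted into the CILogon registration form.
pubkey_body() {
    sed -n '/^-----BEGIN PUBLIC KEY-----$/,/^-----END PUBLIC KEY-----$/p' "$1" \
        | sed '1d;$d' | tr -d '\n'
}

# SHA-256 over the DER encoding of the public key: a short value for comparing
# the .publickey file on each CN with the key that was registered.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The registration must be redone when the server certificate changes; this
# catches a .publickey file that no longer matches the installed certificate.
pubkey_matches_cert() {
    cert=$1
    keyfile=$2
    tmp=$(mktemp)
    extract_pubkey "$cert" > "$tmp"
    a=$(pubkey_fingerprint "$tmp")
    b=$(pubkey_fingerprint "$keyfile")
    rm -f "$tmp"
    [ "$a" = "$b" ]
}

# Step 3 guard: the identifier CILogon hands back has a fixed shape
# (myproxy:oa4mp,2012:/client/<hex>); reject anything else before it is
# written into client.xml.
valid_myproxy_id() {
    printf '%s\n' "$1" | grep -Eq '^myproxy:oa4mp,2012:/client/[0-9a-f]+$'
}

# Test helper: a constructed self-signed wildcard certificate standing in for
# the real CN certificate (key.pem and cert.pem are written into $1).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=*.test.dataone.org' \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
```

Run ``pubkey_matches_cert /etc/ssl/certs/<cert>.crt /etc/ssl/certs/<cert>.crt.publickey``
on each CN after a certificate change; a mismatch means the ``.publickey`` file
(and therefore the CILogon registration) is out of date.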

