Difference between revisions of "Administrator's Guide: How to set up a gCube infrastructure"

From Gcube Wiki
Jump to: navigation, search
(Secure configuration)
(Secure configuration)
Line 41: Line 41:
 
The steps described for the [[Administrator's_Guide:How_to_set_up_a_gCube_infrastructure#Non-secure_configuration|non-secure configurations]] have to be integrated by the additional actions reported below.
 
The steps described for the [[Administrator's_Guide:How_to_set_up_a_gCube_infrastructure#Non-secure_configuration|non-secure configurations]] have to be integrated by the additional actions reported below.
 
<br>
 
<br>
*Steps 5.2, 6.2 e 7.2 requires the following:
+
*Steps 5.2, 6.2 e 7.1 requires the following:
 
:a) [[How_To_Configure_DHN_Security|configure the Java WS Core container]] running on each DHN to run with host credentials
 
:a) [[How_To_Configure_DHN_Security|configure the Java WS Core container]] running on each DHN to run with host credentials
 
:b) [[DHN_Installation#JNDI_file|configure the HNM Service]] hosted on each DHN to run with the security enabled
 
:b) [[DHN_Installation#JNDI_file|configure the HNM Service]] hosted on each DHN to run with the security enabled

Revision as of 12:49, 5 December 2007

A gCube infrastructure is a set of working nodes (so-called DHNs, DILIGENT Hosting Nodes) glued by the gCube enabling services and able to host gCube services in a cooperative way. When creating a new infrastructure, there are two kinds of configuration: secure configuration and non-secure configuration The setup of the latter is easier than the former, since the secure infrastructures require some additional steps.

Non-secure configuration

Minimal configuration

Perform the following steps to create and configure a non-secure infrastructure:

  1. decide a name for the new infrastructure
  2. decide the VOs hierarchy configuration: at least one root VO and a subVO are required to be there
  3. identify a set of machines to turn on as DHNs (their number may vary depending on the infrastructure needs)
  4. prepare a VO Map file for each VO
  5. setup the root VO
    1. identify two machines to dedicate to the VO management
    2. install the DHN 1.0 bundle in the two machines and copy the VO Map files under the $GLOBUS_LOCATION/etc/org_diligentproject_keeperservice_hnm/VOMaps folder
    3. configure one DHN (named DIS root DHN) as root, join it to the root VO as default VO and install the DIS core services (DIS-IC, DIS-Registry, DIS-Broker) there dedicated to the management of the root VO
    4. configure one DHN (named DLMan root DHN) to join it to the root VO as default VO and
    5. start the container on the DIS root DHN and then on the DLMan root DHN and verify that they work properly
  6. setup the subVO
    1. identify two machines to dedicate to the subVO management
    2. install the DHN 1.0 bundle in the two machines and copy the VO Map files under the $GLOBUS_LOCATION/etc/org_diligentproject_keeperservice_hnm/VOMaps folder
    3. configure one DHN as root, join it to the subVO as default VO and install the DIS core services (DIS-IC, DIS-Registry, DIS-Broker) there dedicated to the subVO (named DIS subVO DHN)
    4. configure one DHN (named DLMan subVO DHN) to join it to the subVO as default VO and install and configure a DL Management Service there
    5. start the container on the DIS subVO DHN and then on the DLMan subVO DHN and verify that they work properly
  7. configure and start generic DHNs
    1. install the DHN 1.0 bundle in each machine and copy the VO Map files under the $GLOBUS_LOCATION/etc/org_diligentproject_keeperservice_hnm/VOMaps folder
    2. configure the DHNs to join the subVO as default VO:
    3. start the container on each machine and verify that the DHN is correctly published both in the root VO and in the subVO DIS
  8. setup the portal by following the DILIGENT Gridsphere and Portal Security patch instructions.
  9. configure one or more VREs by exploiting the Administration user interface capability reported in the User's Guide manual.

Other possible configurations

Alternative configurations can improve the infrastructure performances. In particular:

  • the DIS-Broker can be hosted on a different(and standard, i.e. non-root) DHN with respect to the other two DIS core services
  • the Package Repository can be hosted on a different (and standard, i.e. non-root) DHN with respect to the DL Management service
  • multiple subVOs can be defined
  • more than one DIS can be setup for each VO in order to distribute the load over them

The 'optimal' configuration mainly depends on the number of available DHNs. More DHNs joining the infrastructure means a better distribution of resources and services across them.

Secure configuration

The setup of a secure configuration is a bit more complex with respect to a non-secure one, but it introduces some advantages. In fact, having such a configuration allows sharing of service instances among multiple VREs.
The steps described for the non-secure configurations have to be integrated by the additional actions reported below.

  • Steps 5.2, 6.2 e 7.1 requires the following:
a) configure the Java WS Core container running on each DHN to run with host credentials
b) configure the HNM Service hosted on each DHN to run with the security enabled


  • The setup of the root VO includes this pre-actions:
a) install a MyProxy repository and a MyProxy OnlineCA
b) install a VOMS service
c) install a VOMSServlet on a Tomcat hosting environment
d) identify a further DHN to dedicate to the VO management and configure it (named CR root DHN) as root, join it to the root VO as default VO
e) install an instance of the Credentials Renewal service on the CR root DHN
f) configure each service to use the security
The startup sequence in this case is: start the container on the DIS root DHN, then on the CR root DHN and then on the DLMan root DHN and verify that they work properly

Regarding each gCube service, the steps needed depends on the way the service behaves with respect to the credentials used. It can act by using the service credentials or by using the caller credentials.
Service credentials

a) delegate proxy credentials on the MyProxy for the service stored on the Package Repository
b) create an Account on the Credential Renewal instance for each proxy credentials stored
c) create a Renewal Task (using the appropriate Account Resource) on the Credentials Renewal instance for each Running Instance of a gCube service
  • this operation is performed automatically by the CL services in case of dynamically deployed instances
  • this operation has to be done manually in case of statically deployed instances
d) each running instance has to retrieve its own credentials from the local Delegation Service for the current VRE (extracted from the caller credentials)

Caller credentials

a) each running instance has to retrieve the credentials from the context (delegated from the caller credentials)
b) each running instance must be invoked by using the Full Delegation modality



Manuelesimi 13:45, 5 December 2007 (EET)