Difference between revisions of "DILIGENT Gridsphere and Portal Security patch"

From Gcube Wiki

Latest revision as of 18:57, 6 July 2016

This page contains the required installation steps for DILIGENT Portal version 0.3.0.

In order to communicate with the VOMS, the DILIGENT portal requires an additional component (called the "VOMS servlet" in the following). It has to be deployed independently, in a container DIFFERENT from the one hosting the DILIGENT portal. This means that you have to install TWO tomcat containers: the first one (a standard tomcat 5.5.20) hosts the VOMS servlet, while the second (a patched tomcat 5.5.20) hosts the DILIGENT-Gridsphere portal.


Configure properly your host

There are a number of preliminary steps to perform before installing the portal. First of all the host requires a DHN installation. The DHN must be installed and configured as described in the DHN installation (http://ddwiki.di.uoa.gr/mediawiki/index.php/DHN_Installation) and DHN security configuration (http://ddwiki.di.uoa.gr/mediawiki/index.php/How_To_Configure_DHN_Security) pages, but it does not need to be started: the DILIGENT portlets only need access to the libraries and configuration files of the local DHN.

Remove servlet.jar and naming-*.jar from your $GLOBUS_LOCATION/lib at the end of this installation.

Secondly you need to configure security for the node as described in the How To Configure DHN Security page. Lastly, check that the voms-proxy-init command exists on your host. If not, you can find the necessary rpm on BSCW (http://dlib.sns.it) under /DILIGENT Members / Work packages / Work packages 1x / WP 1.2 / Security / voms-proxy-init rpm.

Install a standard tomcat container

To host the VOMS servlet you need a separate installation of the tomcat 5.5.20 container (http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.20/bin/apache-tomcat-5.5.20.tar.gz). We suggest installing it as a separate user, to avoid errors in the environment settings (e.g. the $CATALINA_HOME variable). Detailed information about the tomcat installation can be found in the RUNNING.txt file inside the distribution package.


Create servlet credentials

To successfully contact the VOMS service, the VOMS servlet needs valid credentials, registered in the VOMS it contacts and associated with the VO-Admin role. This is required because the servlet creates users, groups and roles in the VOMS service.

These credentials need to be converted to PKCS12 format to be loaded by the servlet. Starting from valid credentials in PEM format (host credentials can usually be used for this purpose), issue this command to convert them to PKCS12:

openssl pkcs12 -export -in <path_to_the_hostcert.pem> -inkey <path_to_the_hostkey.pem> -out <output_file.p12>

This creates a new, password-protected file containing both the certificate and the private key. The file and its password are used later in the servlet configuration.

The servlet also needs to trust the certificate of the VOMS service; for this purpose a Java truststore containing the VOMS certificate must be created. To create one, issue this command:

keytool -import -alias <name> -file <path_to_VOMS_cert.pem>  -keystore <path_to_your_trustStore_file>

The alias is simply a string identifying the certificate you are importing into the truststore. If the truststore file does not exist, it is created. For instance, to import the grids13.eng.it certificate into the truststore you would issue:

keytool -import -alias grids13 -file /etc/grid-security/vomsdir/grids03.eng.it-diligent.pem  -keystore certs/VOMSServlet.trustStore

To list certificates stored in the trustStore:

keytool -list -v -keystore <path_to_your_trustStore_file>

Further information on managing a truststore can be found in the J2EE tutorial (http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html).

Install and configure the VOMS servlet

Shut down tomcat if it is already running. Download the VOMSServlet.war file (http://grids17.eng.it/engrepository/VOMSServlet/VOMSServlet.war) from the ENGrepository (http://grids17.eng.it/engrepository/) and deploy it in the tomcat container installed above, as described in the Tomcat deployment guide (http://tomcat.apache.org/tomcat-5.5-doc/appdev/deployment.html).

Once deployed, the servlet needs to be configured to point to the right VOMS installation. You can do this by editing the $CATALINA_HOME/webapps/VOMSServlet/WEB-INF/web.xml file. The following parameters must be set:

     <!-- the host name of the VOMS Admin interface -->
     <init-param>
         <param-name>hostName</param-name>
         <param-value>https://grids13.eng.it:8443/voms/diligent/services/VOMSAdmin</param-value>
     </init-param>

     <!-- the PKCS12 file (certificate plus private key) created above -->
     <init-param>
         <param-name>keyStore</param-name>
         <param-value>output_file.p12</param-value>
     </init-param>

     <!-- the keystore type -->
     <init-param>
         <param-name>keyStoreType</param-name>
         <param-value>PKCS12</param-value>
     </init-param>

     <!-- the password of the specified keyStore -->
     <init-param>
         <param-name>keyStorePassword</param-name>
         <param-value>pkcs12_password</param-value>
     </init-param>

     <!-- the path to the trustStore created above -->
     <init-param>
         <param-name>trustStore</param-name>
         <param-value>path_to_your_trustStore_file</param-value>
     </init-param>

     <!-- the password of the specified trustStore -->
     <init-param>
         <param-name>trustStorePassword</param-name>
         <param-value>truststore_password</param-value>
     </init-param>

     <!-- the truststore type -->
     <init-param>
         <param-name>trustStoreType</param-name>
         <param-value>JKS</param-value>
     </init-param>

At this point the servlet should be properly configured. Then start the tomcat container.
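Before starting the container it is worth checking the descriptor mechanically: the template values must have been replaced, the store files must exist, and since web.xml holds both store passwords in clear text it should not be readable by other accounts on the host. The following Python script is an added example, not code from the DILIGENT project or this wiki; the init-param names are those of the fragment above, while the sample descriptor, its servlet class (org.example.VOMSServlet), file names and passwords are constructed for the demo, and the assumption that relative store paths resolve from Tomcat's working directory is marked in the code.

```python
"""Sanity-check the VOMSServlet web.xml init-params before starting Tomcat.
Added example, not DILIGENT/gCube code: parameter names follow the page's
web.xml fragment; descriptor, file names, servlet class and passwords are
constructed for the demo."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Placeholder values of the page's template; left in place, the servlet cannot load its credentials.
PLACEHOLDERS = {"output_file.p12", "pkcs12_password",
                "path_to_your_trustStore_file", "truststore_password"}
STORE_TYPES = {"PKCS12", "JKS"}
REQUIRED = ("hostName", "keyStore", "keyStoreType", "keyStorePassword",
            "trustStore", "trustStorePassword", "trustStoreType")


def read_init_params(web_xml_path):
    """Return {param-name: param-value} for every <init-param>, ignoring XML namespaces."""
    local = lambda e: e.tag.rsplit("}", 1)[-1]
    params = {}
    for elem in ET.parse(web_xml_path).getroot().iter():
        if local(elem) == "init-param":
            kids = {local(c): (c.text or "").strip() for c in elem}
            if kids.get("param-name"):
                params[kids["param-name"]] = kids.get("param-value")
    return params


def check_voms_servlet_config(web_xml_path):
    """Return a list of problems; an empty list means the descriptor looks sane."""
    p = read_init_params(web_xml_path)
    problems = [f"missing init-param {k}" for k in REQUIRED if not p.get(k)]
    if problems:
        return problems
    if urlparse(p["hostName"]).scheme != "https":
        problems.append("hostName is not an https URL")
    for key in ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword"):
        if p[key] in PLACEHOLDERS:
            problems.append(f"{key} still holds the template placeholder")
    for key in ("keyStoreType", "trustStoreType"):
        if p[key] not in STORE_TYPES:
            problems.append(f"{key}={p[key]} is not one of {sorted(STORE_TYPES)}")
    # Relative store paths are resolved from the current directory (assumed to be Tomcat's).
    for key in ("keyStore", "trustStore"):
        if p[key] not in PLACEHOLDERS and not os.path.isfile(p[key]):
            problems.append(f"{key} file not found: {p[key]}")
    # web.xml holds both store passwords in clear text: other accounts must not be able to read it.
    mode = stat.S_IMODE(os.stat(web_xml_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"web.xml is group/world readable (mode {oct(mode)}) but holds passwords")
    return problems


# Constructed descriptor mirroring the page's fragment; {...} fields are filled in by demo().
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>VOMSServlet</servlet-name>
    <servlet-class>org.example.VOMSServlet</servlet-class>
    <init-param><param-name>hostName</param-name><param-value>https://voms.example.org:8443/voms/diligent/services/VOMSAdmin</param-value></init-param>
    <init-param><param-name>keyStore</param-name><param-value>{keystore}</param-value></init-param>
    <init-param><param-name>keyStoreType</param-name><param-value>PKCS12</param-value></init-param>
    <init-param><param-name>keyStorePassword</param-name><param-value>{kspass}</param-value></init-param>
    <init-param><param-name>trustStore</param-name><param-value>{truststore}</param-value></init-param>
    <init-param><param-name>trustStorePassword</param-name><param-value>{tspass}</param-value></init-param>
    <init-param><param-name>trustStoreType</param-name><param-value>JKS</param-value></init-param>
  </servlet>
</web-app>
"""


def demo():
    """Check the template as shipped (mode 0644) and a filled-in descriptor (mode 0600)."""
    work = tempfile.mkdtemp()
    stores = {"keystore": os.path.join(work, "host.p12"),
              "truststore": os.path.join(work, "VOMSServlet.trustStore")}
    for path in stores.values():  # empty stand-ins for the real key/trust stores
        open(path, "wb").close()
    results = {}
    for label, fields, mode in (
        ("template", dict(keystore="output_file.p12", truststore="path_to_your_trustStore_file",
                          kspass="pkcs12_password", tspass="truststore_password"), 0o644),
        ("configured", dict(stores, kspass="s3cret-p12", tspass="s3cret-jks"), 0o600),
    ):
        path = os.path.join(work, f"web-{label}.xml")
        with open(path, "w") as fh:
            fh.write(WEB_XML.format(**fields))
        os.chmod(path, mode)
        results[label] = check_voms_servlet_config(path)
    return results
```

Running demo() reports five problems for the descriptor left as a template (four placeholders plus the world-readable file) and none for the filled-in one; against a real deployment, point check_voms_servlet_config at $CATALINA_HOME/webapps/VOMSServlet/WEB-INF/web.xml from the directory Tomcat is started in.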

To enable interoperation between the VOMS servlet and the VOMS service, the certificate used by the servlet (the one in PKCS12 format) must be registered in the VOMS and associated with the VO-Admin role, because the servlet creates users, groups and roles in the VOMS service.

Make sure that the CLASSPATH of the user running the container does not include GLOBUS_LOCATION; otherwise you may get an exception such as org.apache.axis.types.URI$MalformedURIException: Cannot initialize URI with empty parameters.


This step ends the first part of the installation; the second part should be performed as a different user, to avoid interference with what you have done so far.

Install the Gridsphere portal

To install the DILIGENT portal you need to use patched versions of tomcat and Gridsphere. You can download them from the DILIGENT BuildReport following these links:

* tomcat-5.5.20: https://grids16.eng.it//repository_Beta/org_diligentproject_0_2_7/BUILD_63/tomcat_5_5_20/apache-tomcat-5.5.20.tar.gz
* DILIGENT-Gridsphere: https://grids16.eng.it//repository_Beta/org_diligentproject_0_2_7/BUILD_63/org.diligentproject.portal.diligent-gridsphere.0_2_0/org.diligentproject.portal.diligent-gridsphere-0.2.0-0.tar.gz

First of all, untar the DILIGENT-Gridsphere package in a local directory (called GRIDSPHERE_LOCATION in the following). Then configure a number of parameters to enable interoperation between the portal and the VOMS servlet, by editing the file GRIDSPHERE_LOCATION/webapps/gridsphere/WEB-INF/classes/PortalSecurity.properties.

In particular you have to specify the parameters of the MyProxy service you want to use, e.g.:

MYPROXY_HOST=grids04.eng.it
MYPROXY_PORT=7512

and an existing directory in your filesystem where the temporarily generated proxy certificates are stored, e.g.:

PROXIES_DIR=/home/user/certs/

Then you have to specify the information needed to communicate with the VOMSServlet:

SERVLET_HOST=localhost
SERVLET_PORT=port_of_your_container
SERVLET_PATH=path_to_the_VOMS_servlet
SERVLET_PROTOCOL=http

These parameters must point to the servlet you deployed in the first part of this installation. An example configuration is given below:

E.g.:
SERVLET_HOST=grids15.eng.it
SERVLET_PORT=8080
SERVLET_PATH=/VOMSServlet/VOMSServlet
SERVLET_PROTOCOL=http
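The four SERVLET_* keys are simply the parts of the URL the portal will call, and PROXIES_DIR will hold proxy certificates, which carry private keys. The Python script below is an added example, not code from the DILIGENT project or this wiki: it parses a PortalSecurity.properties file with the keys listed above, assembles the servlet URL, and flags a PROXIES_DIR that is readable by other accounts or a plain-http servlet on a remote host. The two sample files, the host names (myproxy.example.org, portal.example.org) and the directories are constructed for the demo.

```python
"""Validate PortalSecurity.properties and derive the VOMS servlet URL from it.
Added example, not DILIGENT code: the keys are the ones the page lists; the
sample file contents, host names and directories are constructed."""
import os
import re
import stat
import tempfile
from urllib.parse import urlunsplit

REQUIRED = ("MYPROXY_HOST", "MYPROXY_PORT", "PROXIES_DIR",
            "SERVLET_HOST", "SERVLET_PORT", "SERVLET_PATH", "SERVLET_PROTOCOL")
_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def servlet_url(props):
    """Assemble the URL the portal will call from the four SERVLET_* keys."""
    netloc = f'{props["SERVLET_HOST"]}:{props["SERVLET_PORT"]}'
    return urlunsplit((props["SERVLET_PROTOCOL"], netloc, props["SERVLET_PATH"], "", ""))


def check_portal_security(props):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = [f"missing {k}" for k in REQUIRED if not props.get(k)]
    if problems:
        return problems
    for key in ("MYPROXY_PORT", "SERVLET_PORT"):
        if not props[key].isdigit() or not 0 < int(props[key]) < 65536:
            problems.append(f"{key}={props[key]} is not a valid port")
    proto, host = props["SERVLET_PROTOCOL"], props["SERVLET_HOST"]
    if proto not in ("http", "https"):
        problems.append(f"SERVLET_PROTOCOL={proto} is not http or https")
    elif proto == "http" and host not in ("localhost", "127.0.0.1"):
        # The servlet creates users, groups and roles in the VOMS on the portal's
        # behalf; off-host, that traffic should not travel in clear.
        problems.append(f"SERVLET_PROTOCOL=http to remote host {host}: calls are unencrypted")
    if not props["SERVLET_PATH"].startswith("/"):
        problems.append(f"SERVLET_PATH={props['SERVLET_PATH']} should start with /")
    d = props["PROXIES_DIR"]
    if not os.path.isdir(d):
        problems.append(f"PROXIES_DIR does not exist: {d}")
    else:
        # Proxy certificates contain the proxy's private key: only the account
        # running the portal should be able to read the directory.
        mode = stat.S_IMODE(os.stat(d).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"PROXIES_DIR {d} is accessible to group/others (mode {oct(mode)})")
    return problems


# Constructed sample files in the page's format; {dir} is filled in by demo().
GOOD = """# MyProxy service used to retrieve user proxies
MYPROXY_HOST=myproxy.example.org
MYPROXY_PORT=7512
PROXIES_DIR={dir}
SERVLET_HOST=localhost
SERVLET_PORT=8080
SERVLET_PATH=/VOMSServlet/VOMSServlet
SERVLET_PROTOCOL=http
"""
BAD = """MYPROXY_HOST=myproxy.example.org
MYPROXY_PORT=7512
PROXIES_DIR={dir}
SERVLET_HOST=portal.example.org
SERVLET_PORT=8080
SERVLET_PATH=VOMSServlet/VOMSServlet
SERVLET_PROTOCOL=http
"""


def demo():
    """Check one well-configured and one sloppy file; return URL and problems for each."""
    work = tempfile.mkdtemp()
    private, shared = os.path.join(work, "proxies-private"), os.path.join(work, "proxies-shared")
    os.mkdir(private)
    os.chmod(private, 0o700)
    os.mkdir(shared)
    os.chmod(shared, 0o755)  # force the insecure mode regardless of the umask
    results = {}
    for label, text, d in (("good", GOOD, private), ("bad", BAD, shared)):
        props = parse_properties(text.format(dir=d))
        results[label] = {"url": servlet_url(props), "problems": check_portal_security(props)}
    return results
```

demo() yields http://localhost:8080/VOMSServlet/VOMSServlet with no problems for the first file, and three findings for the second (remote plain-http servlet, path without a leading slash, group/world-accessible proxy directory). For a real installation, read GRIDSPHERE_LOCATION/webapps/gridsphere/WEB-INF/classes/PortalSecurity.properties and pass the parsed dictionary to check_portal_security.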

Then follow the standard steps to install the Gridsphere portal as described in the Gridsphere user's guide (http://www.gridsphere.org/gridsphere/docs/UsersGuide/UsersGuide.html). Instead of downloading the tomcat core container from the website, use the patched one. Note that the additional packages required for tomcat can be downloaded following these links:

* http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.20/bin/apache-tomcat-5.5.20-admin.tar.gz
* http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.20/bin/apache-tomcat-5.5.20-deployer.tar.gz
* http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.20/bin/apache-tomcat-5.5.20-compat.tar.gz

Patch the Tomcat installation

Your Tomcat 5.5.20 instance needs a particular configuration to run the DILIGENT-Gridsphere portal correctly.

You have to set two environment variables:

* GLOBUS_LOCATION
* CATALINA_OPTS=-DGLOBUS_LOCATION=$GLOBUS_LOCATION

and edit the setclasspath.sh (or setclasspath.bat) file in $CATALINA_HOME/bin as follows:

# Set standard CLASSPATH
if [ "$1" = "debug" -o "$1" = "javac" ] ; then
  CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar
fi

This concludes the installation of the DILIGENT-Gridsphere portal. You just have to start up the tomcat container.

The portal will be fully operational only once the DILIGENT portlets bundle has been deployed. Refer to the Gridsphere Bundle Deployment page to deploy the bundle containing all DILIGENT portlets.