DILIGENT Gridsphere and Portal Security patch

From Gcube Wiki
Revision as of 16:50, 10 July 2007 by Roccetti (Talk | contribs)

Jump to: navigation, search

This page contains a description of some needed steps in order to perform a new installation of DILIGENT Gridsphere Portal.


Configure properly your host

If you want to deploy the DILIGENT gridsphere portal there is a number of preliminary steps you have to perform. First of all the host requires a DHN installation. Secondly you need to properly configure security for the node as described in the How To Enable Security page.

Install and patch Apache-tomcat 5.5.20

You can download from ETICS build report the required version of that web application container tomcat-5.5.20. Remember to correctly configure the container as described in the Gridsphere user's guide.

Your Tomcat 5.5.20 instance needs a particular configuration to run correctly the Diligent gridsphere portal: You have to set two environment variables:

* GLOBUS_LOCATION
* CATALINA_OPTS=-DGLOBUS_LOCATION=$GLOBUS_LOCATION

and edit the setclasspath.sh (or setclasspath.bat) of $CATALINA_HOME/bin as following:

# Set standard CLASSPATH
if [ "$1" = "debug" -o "$1" = "javac" ] ; then
  CLASSPATH="$CLASSPATH":"$JAVA_HOME"/lib/tools.jar
fi

Download and install Diligent-Gridpsphere

It is a gridsphere-2.2.7 portal patched with the org.diligentproject.portal.security-patch, this patch allows the portal to interoperate with the diligent security mechanism. You can download it from ETICS build report diligent-gridsphere.

Download VOMS servlet

The .war of the VOMSServlet is available at ENGrepository. After deploying the .war in a tomcat instance DIFFERENT from where you install Gridsphere Portal, you need to edit a web.xml file. In the web.xml file you have to specify a number of parameters.

This is an example of web.xml file you have to edit:

     <!-- the host name of the VOMS Admin interface -->
     <init-param>
	<param-name>hostName</param-name>
	<param-value>https://grids03.eng.it:8443/voms/diligent/services/VOMSAdmin</param-value>
     </init-param>
     <!-- the pcks12 host certificate -->
     <init-param>
	<param-name>keyStore</param-name>
	<param-value>path_to_host.p12</param-value>
     </init-param>
     <!-- the default value is pcks12 -->
     <init-param>
	<param-name>keyStoreType</param-name>
	<param-value>PKCS12</param-value>
     </init-param>
     <!-- the password of the specified keyStore --> 
     <init-param>
	<param-name>keyStorePassword</param-name>
	<param-value>password</param-value>
     </init-param>
     <!-- the path to a trustStore --> 
     <init-param>
        <param-name>trustStore</param-name>
        <param-value>path_to_a_trustStore</param-value>
     </init-param>	
     <!-- the password of the specified keyStore --> 
     <init-param>
        <param-name>trustStorePassword</param-name>
        <param-value>tomcat</param-value>
     </init-param>				
     <!-- the default value -->
     <init-param>
         <param-name>trustStoreType</param-name>
         <param-value>JKS</param-value>
     </init-param>

To convert the PEM certificate of your host to the pkcs12 format you can use the following command:

openssl pkcs12 -export -in path_to_the_containercert.pem -inkey path_to_the_containerkey.pem -out file.p12

Here you can find information to obtain a trustStore. It must contain also the certificate of the VOMS you want to interact with. The default current scenario use the VOMS at grids03.eng.it, so you have to store it in your truststore.

The following commands can be useful to manage your trust store:

  • To import the VOMS certificate in your trustStore:
keytool -import -alias [name] -file [path_to_VOMS_cert.pem]  -keystore [path_to_your_trustStore]

for instance your VOMS could be grids03.eng.it.

  • To list the certificates stored in your trustStore:
keytool -list -v -keystore [your_trustStore]

In order to enable interoperation between the servlet enad the VOMS service the certificate used by the servlet (that in pkcs12 format) must be registrered in the VOMS and associated to the VO-Admin role. This is required as the servlet needs to create users, groups and roles in the VOMS service.

Edit PortalSecurity.properties

In the .tgz of diligent-gridpshere you can find a new file called PortalSecurity.properties. You have to edit it before installing the portal in your machine. This operation is really important in order to have a correct installation.

In particular you have to specify a number of parameters belonging to MyProxy host you want to use:

E.g.:MYPROXY_HOST=grids04.eng.it
E.g.:MYPROXY_PORT=7512

and a dir in your filesystem suitable to store temporary generated proxy certificate

E.g.:PROXIES_DIR=/home/user/certs/

Then you have to specify a number of information needed to communicate with the VOMSServlet. This servlet represents a workaround due to communication problem within portal, VOMS host and the all DILIGENT infrastructure. At ENG we develop that servlet that you must deploy in the same Apache tomcat container where you deploy diligent-gridsphere. The following parameters are required:


SERVLET_HOST=localhost
SERVLET_PORT=port_of_your_container
SERVLET_PATH=path_to_the_VOMS_servlet
SERVLET_PROTOCOL=http

An example of configuration is given below:

E.g.:
SERVLET_HOST=grids15.eng.it
SERVLET_PORT=8080
SERVLET_PATH=/VOMSServlet/VOMSServlet
SERVLET_PROTOCOL=http

Deploy the DILIGENT portlet bundle

The portal will be fully operational only once the DILIGENT portlets bundle has been deployed. Please refers to the [[]] to deploy the bundle.