Difference between revisions of "How to use VOMS api library"

From Gcube Wiki
(Installation Procedure)
 
(10 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
[[Category:TO BE REMOVED]]
 +
 
== Package Installation ==
 
== Package Installation ==
  
 
=== Download ===  
 
=== Download ===  
  
The VOMS api library can be downloaded from [https://grids16.eng.it/BuildReport/download?dirName=recent%20builds&configurationName=org_diligentproject_dvos_0_4_0&buildName=BUILD_2&moduleName=org.diligentproject.dvos.voms-api.SERVICEARCHIVE_0_4_0&what=tgz here].
+
The VOMS api library can be downloaded from [https://grids16.eng.it/BuildReport/builds/recent%20builds/org.gcube.HEAD/BUILD_471/org.gcube.vo-management.voms-api.HEAD/tgz here].
  
 
=== Installation Procedure ===
 
=== Installation Procedure ===
 
The following steps have to be performed in order to use this library:
 
The following steps have to be performed in order to use this library:
* uncompress the ''org.diligentproject.dvos.voms-api.SERVICEARCHIVE-0.4.0-0.tar.gz'' file
+
* uncompress the ''org.gcube.vo-management.voms-api-0.0.0-0.tar.gz'' file
* copy dvos.voms-api.jar in a convenient directory
+
* copy ''org.gcube.vomanagement.voms-api.jar'' in a convenient directory
 
* Edit a vomsAPI.properties file based on the template provided in the SA.
 
* Edit a vomsAPI.properties file based on the template provided in the SA.
* Move your vomsAPI.properties in client working directory in order to use the settings chosen.
+
==== VOMS API properties file ====
 +
vomsAPI.properties file is contained in SA and basically is composed of 3 sections:
 +
information about MyProxyCA server
 +
<source lang="xml">
 +
# MyProxy server e.g.:grids04.eng.it
 +
MYPROXY_HOST=YOUR_MYPROXYCA_SERVER
 +
# MyProxy server port, default value is 7512
 +
MYPROXY_PORT=YOUR_MYPROXYCA_SERVER_PORT
  
== Using VOMS API library ==
+
# Information about simpleCA to be used
  
To succesfully contact the VOMS service with VOMS api library you need to use a VOMS servlet.
+
# Certification authority, e.g.: /O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=Globus Simple CA
 +
SIMPLE_CA=YOUR_CA
  
===Install and configure the VOMS servlet===
+
# Common Name prefix to build a Distinguished Name (DN),
Shutdown tomcat if it is already running.
+
# e.g.: /O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/OU=eng.it/CN= for a CN=test to obtain a valid DN for the VOMS
Download the new version of [http://grids17.eng.it/engrepository/VOMSServlet/VOMSServlet.war VOMSServlet.war] file from the [http://grids17.eng.it/engrepository/ ENGrepository]. Deploy it in a tomcat container previously installed as described [http://tomcat.apache.org/tomcat-5.5-doc/appdev/deployment.html here].
+
CN_prefix=CN_prefix
 +
</source>
 +
information about VOMS server
 +
<source lang="xml">
 +
# VOMS host
 +
VOMS_HOST=YOUR_VOMS
 +
#VO Name defined in VOMS, e.g: d4science
 +
VO_NAME=YOUR_VO_NAME
 +
# Default voms port is "8443"
 +
VOMS_PORT=8443
 +
# Default voms protocol is "https"
 +
VOMS_PROTOCOL=https
 +
</source>
 +
CLIENT credentials: the credentials to be specified by client to contact VOMS. They should have VO-Admin privileges in VO group.
 +
<source lang="xml">
 +
# CLIENT creds: specify the triple (CLIENT_CERT, CLIENT_KEY, CLIENT_PWD) or CLIENT_PROXY
 +
# e.g: triple (CLIENT_CERT, CLIENT_KEY, CLIENT_PWD)
 +
# Overwrite the .pem certificate of the host, default path is /etc/grid-security/hostpubliccert.pem
 +
# CLIENT_CERT=$HOME/user_cert.pem
 +
# The .pem key of the host, default path is /etc/grid-security/hostprivatekey.pem
 +
# CLIENT_KEY=$HOME/user_key.pem
 +
# The password to decrypt private key
 +
# CLIENT_PWD=
  
Once deployed the servlet needs to be configures to point to the right VOMS installation. You can do this editing the $CATALINA_HOME/webapps/VOMSServlet/WEB-INF/web.xml file. Following parameters must be set:
+
# e.g: CLIENT_PROXY
 +
# client creds as a proxy certifcate, eg $HOME/proxy
 +
# CLIENT_PROXY=
 +
</source>
  
<pre>
+
== Using VOMS API library ==
    <!-- the host name of the VOMS Admin interface -->
+
This VOMS api library version DOESN'T need to use a VOMS servlet.
    <init-param>
+
<param-name>hostName</param-name>
+
<param-value><nowiki>https://grids13.eng.it:8443/voms/diligent/services/VOMSAdmin</nowiki></param-value>
+
    </init-param>
+
 
+
    <!-- the pcks12 certificate -->
+
    <init-param>
+
<param-name>keyStore</param-name>
+
<param-value>output_file.p12</param-value>
+
    </init-param>
+
 
+
    <!-- the keystore type -->
+
    <init-param>
+
<param-name>keyStoreType</param-name>
+
<param-value>PKCS12</param-value>
+
    </init-param>
+
 
+
    <!-- the password of the specified keyStore -->
+
    <init-param>
+
<param-name>keyStorePassword</param-name>
+
<param-value>pkcs12_password</param-value>
+
    </init-param>
+
 
+
    <!-- the path to a trustStore -->
+
    <init-param>
+
        <param-name>trustStore</param-name>
+
        <param-value>path_to_your_trustStore_file</param-value>
+
    </init-param>
+
 
+
    <!-- the password of the specified keyStore -->
+
    <init-param>
+
        <param-name>trustStorePassword</param-name>
+
        <param-value>truststore_password</param-value>
+
    </init-param>
+
+
    <!-- the truststore type -->
+
    <init-param>
+
        <param-name>trustStoreType</param-name>
+
        <param-value>JKS</param-value>
+
    </init-param>
+
</pre>
+
 
+
In order to enable interoperation between the VOMS servlet and the VOMS service the certificate used by the servlet (that in pkcs12 format) must be registrered in the VOMS and associated to the VO-Admin role. This is required as the servlet needs to create users, groups and roles in the VOMS service.
+
 
+
To correctly create VOMS servlet credentials, please read carefully the next section.
+
 
+
===Create servlet credentials===
+
VOMS servlet needs valid credentials, registered in the VOMS and associated to the VO-Admin role. This is required as the servlet needs to create users, groups and roles in the VOMS service.
+
 
+
These credentials needs to be converted in a PKCS12 format to be loaded by the servlet.
+
Starting from valid credentials in PEM format (usually host credentials can be used for this purpose) you need to issue this command to convert it to PKCS12 format:
+
 
+
<pre>
+
openssl pkcs12 -export -in <path_to_the_hostcert.pem> -inkey <path_to_the_hostkey.pem> -out <output_file.p12>
+
</pre>
+
 
+
This will create a new (password protected) file containing both the certificate and the private key.
+
We'll use the file and the password later in the service configuration.
+
 
+
The servlet also needs to trust the certificate of the VOMS service, to this purpose a Java truststore containing the VOMS certificate must be created. To create one you can simply issue this command:
+
 
+
<pre>
+
keytool -import -alias <name> -file <path_to_VOMS_cert.pem>  -keystore <path_to_your_trustStore_file>
+
</pre>
+
 
+
The alias is simply a string to identify the certificate you're importing in the truststore. If the trsustore file does not exists it will be created. For instance if you want to import the grids13.eng.it certificate in the trsutstore you have to issue:
+
 
+
<pre>
+
keytool -import -alias grids13 -file /etc/grid-security/vomsdir/grids03.eng.it-diligent.pem  -keystore certs/VOMSServlet.trustStore
+
</pre>
+
 
+
To list certificates stored in the trustStore:
+
<pre>
+
keytool -list -v -keystore <path_to_your_trustStore_file>
+
</pre>
+
 
+
[http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html Here] you can find further information to manage a trustStore.
+
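Review bot: the new vomsAPI.properties section stores CLIENT_PWD (the passphrase that decrypts CLIENT_KEY) in plain text next to the key path, yet the revision says nothing about who may read that file, and it also drops the step "Move your vomsAPI.properties in client working directory in order to use the settings chosen", so the reader is no longer told where the client looks for the file. Suggest restoring one sentence on the expected location of vomsAPI.properties and adding that it (and the key or proxy it points to) should be readable only by the user running the client, since these are VO-Admin credentials.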

Latest revision as of 19:59, 6 July 2016


Package Installation

Download

The VOMS api library can be downloaded from https://grids16.eng.it/BuildReport/builds/recent%20builds/org.gcube.HEAD/BUILD_471/org.gcube.vo-management.voms-api.HEAD/tgz.

Installation Procedure

The following steps have to be performed in order to use this library:

  • uncompress the org.gcube.vo-management.voms-api-0.0.0-0.tar.gz file
  • copy org.gcube.vomanagement.voms-api.jar in a convenient directory
  • Edit a vomsAPI.properties file based on the template provided in the SA.

VOMS API properties file

The vomsAPI.properties file is contained in the SA and is composed of 3 sections:

information about the MyProxyCA server

# MyProxy server e.g.:grids04.eng.it
MYPROXY_HOST=YOUR_MYPROXYCA_SERVER
# MyProxy server port, default value is 7512
MYPROXY_PORT=YOUR_MYPROXYCA_SERVER_PORT
 
# Information about simpleCA to be used
 
# Certification authority, e.g.: /O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=Globus Simple CA
SIMPLE_CA=YOUR_CA
 
# Common Name prefix to build a Distinguished Name (DN), 
# e.g.: /O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/OU=eng.it/CN= for a CN=test to obtain a valid DN for the VOMS
CN_prefix=CN_prefix

information about VOMS server

# VOMS host
VOMS_HOST=YOUR_VOMS
# VO Name defined in VOMS, e.g.: d4science
VO_NAME=YOUR_VO_NAME
# Default voms port is "8443"
VOMS_PORT=8443
# Default voms protocol is "https"
VOMS_PROTOCOL=https

CLIENT credentials: the credentials the client presents when contacting VOMS. They must have VO-Admin privileges in the VO group.

# CLIENT creds: specify the triple (CLIENT_CERT, CLIENT_KEY, CLIENT_PWD) or CLIENT_PROXY
# e.g: triple (CLIENT_CERT, CLIENT_KEY, CLIENT_PWD)
# Overwrite the .pem certificate of the host, default path is /etc/grid-security/hostpubliccert.pem
# CLIENT_CERT=$HOME/user_cert.pem
# The .pem key of the host, default path is /etc/grid-security/hostprivatekey.pem
# CLIENT_KEY=$HOME/user_key.pem
# The password to decrypt private key
# CLIENT_PWD=
 
# e.g: CLIENT_PROXY
# client creds as a proxy certificate, e.g. $HOME/proxy
# CLIENT_PROXY=
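
As an added example (not part of this page or of the voms-api library), a small Python check that parses a filled-in vomsAPI.properties in the key=value format shown above and flags what a client would trip over or what weakens the setup: leftover YOUR_* placeholders, a VOMS_PROTOCOL other than https, and an ambiguous credential choice (both the triple and CLIENT_PROXY set). The sample file content and the host names in it are constructed.

```python
import stat

# Constructed sample of a filled-in vomsAPI.properties (not the SA template itself),
# with deliberate mistakes: a leftover placeholder, http instead of https, both credential modes.
SAMPLE_PROPS = """\
MYPROXY_HOST=myproxy.example.org
MYPROXY_PORT=7512
SIMPLE_CA=/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/CN=Globus Simple CA
CN_prefix=/O=Grid/OU=GlobusTest/OU=simpleCA-gauss.eng.it/OU=eng.it/CN=
VOMS_HOST=YOUR_VOMS
VO_NAME=d4science
VOMS_PORT=8443
VOMS_PROTOCOL=http
CLIENT_CERT=$HOME/user_cert.pem
CLIENT_KEY=$HOME/user_key.pem
CLIENT_PWD=secret
CLIENT_PROXY=$HOME/proxy
"""
REQUIRED = ("MYPROXY_HOST", "MYPROXY_PORT", "SIMPLE_CA", "CN_prefix", "VOMS_HOST", "VO_NAME", "VOMS_PORT", "VOMS_PROTOCOL")

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' lines are comments, as in the template."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: DN values such as CN_prefix contain '='
        props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Return the problems found; an empty list means the file is ready for the client."""
    problems = []
    for key in REQUIRED:
        value = props.get(key, "")
        if not value or value.startswith("YOUR_") or value == "CN_prefix":
            problems.append(f"{key}: empty or still the template placeholder")
    if props.get("VOMS_PROTOCOL", "").lower() != "https":
        problems.append("VOMS_PROTOCOL: VO-Admin credentials must only be sent over https")
    triple = "CLIENT_CERT" in props and "CLIENT_KEY" in props
    proxy = "CLIENT_PROXY" in props
    if triple == proxy:  # both or neither: the credential choice is ambiguous
        problems.append("client credentials: set the (CLIENT_CERT, CLIENT_KEY, CLIENT_PWD) triple or CLIENT_PROXY, not both and not neither")
    return problems

def mode_is_private(mode):
    """True if a file mode grants no group/other access; apply to the key, proxy and properties file."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Because CLIENT_PWD sits in the properties file in clear text, the file deserves the same permissions as the private key it unlocks.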

Using VOMS API library

This version of the VOMS api library does NOT need a VOMS servlet.