ADS-SL System Administrator's Guide
[Diagram: configuration without XDMS. Front server: Apache with mod_ssl, and Tomcat hosting the ICAT and MCAText web applications (ADS Service Layer). Back server: PostgreSQL holding the ICAT database, and SRB with its MCAT database and Vault (ADS Infrastructure Layer).]

When installing ICAT without XDMS, there is an additional database creation step, described below. Note that this configuration has not been tested by ARCHER.

Dependencies

These ARCHER components must be installed first:

ARCHER component | Creates | Reason required
ADS Infrastructure Layer | MCAT database (PostgreSQL) | Provides back end to MCAText web service layer
ADS Infrastructure Layer | SRB |
ADS Infrastructure Layer | CA (optional) | Used to generate certificates which are used in this installation process
ADS Infrastructure Layer | MyProxy server | Used to give MCAText access to SRB
XDMS (semi-optional) | ICAT database (PostgreSQL) | Provides back end to ICAT web service layer
XDMS (semi-optional) | Tomcat application server | Hosts ICAT and MCAText web applications

ARCHER Data Services Service Layer System Administrator's Guide v1.0, 30 Sept 2008, Page 5 of 15

These components are also required:
- Apache web server 2.2 or later, with mod_ssl.

Typically, the Apache server is on the same machine as Tomcat, but need not be.

If you have not already installed Apache web server:

  yum install httpd mod_ssl

To install Subversion:

  yum install subversion
A total of four host certificate/key pairs are required: ICAT, MCAText, the server itself, and Apache. You can use the same certificate/key pair for the server and Apache. Using three separate pairs assists in fine-grained security control.

This document assumes the same certificate/key pair will be used for the server itself and Apache.

If you are using the ARCHER MyProxy scripts as a CA:

On the CA machine, run cert_tool (1) as follows:

  cert_tool -s -c icat.server.uni.edu.au -e admin@uni.edu.au
  cert_tool -s -c mcatext.server.uni.edu.au -e admin@uni.edu.au
  cert_tool -s -c server.uni.edu.au -e admin@uni.edu.au

In place of server.uni.edu.au, use the fully qualified domain name of the ICAT host machine.

The files are generated in a /tmp directory, which is printed out by the tool. The CA certificate file is already present in /etc/grid-security/certificates, with a name like fd7ecfa4.0.

If you are using a different CA:

You must obtain three certificates and keys as follows, plus the CA certificate:

1. Host certificate/key for ICAT. Common Name: icat.server.uni.edu.au
2. Host certificate/key for MCAText. Common Name: mcatext.server.uni.edu.au
3. Host certificate/key for the server itself. Common Name: server.uni.edu.au
4. The CA certificate itself.

Note: It is possible to use just one host key/certificate for all services. In this case, you would use a common name like server.uni.edu.au instead.
Certificate and key files must be provided in .pem format. If you receive them in a different format, you must convert them first.

Copy these files to the same directory as the installation scripts. Rename them as follows:

Key/certificate | Rename as | Copy to
ICAT server certificate | icatcert.pem | installation scripts directory
ICAT host key | icatkey.pem | installation scripts directory
MCAText host certificate | mcatextcert.pem | installation scripts directory
MCAText host key | mcatextkey.pem | installation scripts directory
Certificate for CA itself | cacert.pem | installation scripts directory
Host certificate | hostcert.pem and httpdcert.pem | /etc/grid-security on the Apache server machine
Host key | hostkey.pem and httpdkey.pem | /etc/grid-security on the Apache server machine

(1) For documentation on cert_tool, see the ADS Infrastructure Layer System Administrator's Guide. cert_tool is installed in /usr/local/sbin.

Ensure that all files have appropriate permissions:
- Key files must not be group or world readable (chmod 600).
- Certificate files must be world readable (chmod 644).
- The Apache certificate and key (httpdcert.pem and httpdkey.pem) must be owned by apache.

For example, assuming certificates are provided as icat_certs.tgz, mcatext_certs.tgz and host_certs.tgz in your home directory:

  cd /usr/local/archer/icat_mcatext
  tar -zxf ~/icat_certs.tgz -O hostcert.pem > icatcert.pem
  tar -zxf ~/icat_certs.tgz -O hostkey.pem > icatkey.pem
Check for SOAP communications between ICAT and MCAText recorded in the catalina.out log file.

If you encounter difficulties configuring Apache SSL, you can configure ICAT and MCAText to allow non-authenticated connections as follows:

1. In the deployed icat.xml, modify the contextConfigLocation parameter to read as follows:

  <Parameter name="contextConfigLocation" value="WEB-INF/beans-nosecurity.xml" override="false"/>

2. Make the same change to the deployed mcatext.xml.

You can now connect to ICAT and MCAText using HTTP on port 8080 or using HTTPS on port 443.

Verifying GSI

To test that GSI authentication is working, use the ARCHER tool Hermes. Set it up to use GSI authentication as described in the Hermes user manual.

Troubleshooting

Watching the $CATALINA_HOME/logs/catalina.out file, make a request from a GSI-enabled client like Hermes (or the Python command line tools). Make sure the address starts with https.

You should see text similar to the following:

  Headers:
  Max-Forwards: 10
  content-length: 517
  accept-encoding: identity
  host: icatserver:443
  SOAPAction: "http://archer.edu.au/services/ICATService/getInvestigationById"
  content-type: text/xml; charset=utf-8
  SSL_CLIENT_S_DN: /C=AU/O=Grid/OU=Dev/CN=username

Look for the SSL_CLIENT_S_DN reporting the true DN of the connecting user. If this is the case, ICAT has been correctly set up in Apache. If not, Apache is not requesting peer verification, or is not bringing the SSL variables into scope in its configuration file, or is not setting the HTTP headers. See the Apache section above.
Two SQL scripts are required:
- xdms_icat_ddl.sql creates the ICAT table structure.
- xdms_icat_dml.sql populates it with some default values.

These files are included in the ICAT source bundle. You should edit xdms_icat_dml.sql, tweaking the values for your needs.

On the database machine:

Step | Typical command
1. Install PostgreSQL (if not already present) | yum install postgresql
2. Switch to the postgres user | su - postgres
3. Create a user called "icat" | createuser icat --pwprompt --no-superuser --no-createdb --no-createrole
4. Create a database called "icat" | createdb icat --owner icat
5. Run the DDL script to create the ICAT database structure | psql --dbname icat --file xdms_icat_ddl.sql --username icat
6. Run the DML script to populate the ICAT database structure | psql --dbname icat --file xdms_icat_dml.sql --username icat

Note: The ICAT user must have read and write access to all ICAT tables. If using a different method to create the database and tables, you can grant access with this SQL command:

  GRANT ALL PRIVILEGES ON DATABASE icat TO icat;

4. Adding PL/pgSQL to MCAT

MCAText requires the PL/pgSQL language for stored procedures to be enabled in the MCAT database. MCAT is SRB's metadata database and was installed with SRB.

On the machine hosting MCAT, run these commands:
Verify the contents of the Tomcat context files, icat.xml and mcatext.xml. Ensure that all variables have been substituted correctly.

If required, modify your variables, then re-run install.sh.

The actual absolute current directory path is stored, rather than a relative path.

7. Deploying context files

Now that the context files have been generated, deploy them to Tomcat.

1. Stop Tomcat:

  $CATALINA_HOME/bin/shutdown.sh

2. Copy icat.xml and mcatext.xml to $CATALINA_HOME/conf/Catalina/localhost:

  cp icat.xml $CATALINA_HOME/conf/Catalina/localhost
  cp mcatext.xml $CATALINA_HOME/conf/Catalina/localhost

3. If it has not already been done (3), copy the PostgreSQL JDBC driver to Tomcat's common/lib directory. For example:

  cd $CATALINA_HOME/common/lib
  wget http://jdbc.postgresql.org/download/postgresql-8.3-603.jdbc4.jar

4. Restart Tomcat:

  $CATALINA_HOME/bin/startup.sh

Note: The context files point to the .war files in their current location. So do not move these files, or update the context files if you do.

Note: Ensure that the tomcat user can read the .xml files.

Verifying Tomcat deployment

By default, MCAText and ICAT are set to only accept authenticated connections, so you can't connect to them until Apache is configured. However, you can verify that they are running as follows:

1. Connect to the server using an address like http://localhost:8080/icat/ws. Adjust this address as appropriate.
ARCHER 1.0 (Australian Research Enabling Environment)

ARCHER Data Services Service Layer
System Administrator's Guide

ICAT & MCAText
- Installation
- Configuration
- Maintenance

Contents

ARCHER Data Services Service Layer ... 1
About ARCHER Data Services Service Layer ... 3
  Overview ... 3
  Do I need this? ... 3
  Architecture ... 4
  Dependencies ... 5
  Non-standard configurations ... 6
Installing ICAT and MCAText ... 7
  Overview ... 7
  1. Obtaining ICAT and MCAText ... 7
  2. Obtaining or creating certificates and keys ... 7
  3. (Optional) Creating ICAT databases ... 9
  4. Adding PL/pgSQL to MCAT ... 10
  5. Set environment variables ... 10
  6. Running the configuration script ... 11
  7. Deploying context files ... 12
  8. Configuring Apache SSL ... 12
  Verifying ICAT and MCAText through Apache ... 13
  Verifying GSI ... 14
Maintenance ... 15
  Stopping and starting ... 15
2. Check for a message that reads:

  org.acegisecurity.AccessDeniedException: Access is denied

  This indicates that ICAT has started up, but is rejecting the request due to lack of authentication.

3. Repeat steps 1 and 2 for MCAText: http://localhost:8080/mcatext/ws

The Tomcat log file also shows the web services starting up. See the Maintenance section for details.

8. Configuring Apache SSL

Now that the keys and certificates are obtained, they need to be registered in Apache.

(3) If you have already installed XDMS on this Tomcat, then you have already performed this step.

Add six lines to /etc/httpd/conf.d/ssl.conf, just prior to the </VirtualHost> line, as follows:

Line | Purpose
SSLCertificateFile /etc/grid-security/httpdcert.pem | Points to the location of the host certificate
SSLCACertificateFile /etc/grid-security/certificates/1e271185.0 | Points to the location of the CA certificate
SSLCertificateKeyFile /etc/grid-security/httpdkey.pem | Points to the location of the host key
SSLVerifyClient optional | Allows client connections to present certificates for verification, but does not require it. ICAT and MCAText themselves require authentication, so if they are the only services on this machine, you may wish to use "required".
SSLOptions +StdEnvVars | Tells Apache to create environment variables. Required for the next line.
RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e" | Tells Apache to add the distinguished name (DN) of the client to its HTTP headers. These are used by MCAText to determine authorisation.

Check whether any of these variables were already defined in this file, and comment them out if so.

Then, add the following three lines after them. These define the external address of the ICAT and MCAText services:

  RewriteEngine on
  RewriteRule ^/mcatext/(.*) ajp://localhost:8009/mcatext/$1 [L,P]
  RewriteRule ^/icat/(.*) ajp://localhost:8009/icat/$1 [L,P]
  </VirtualHost>

This allows Apache to serve the Tomcat servlet. Add the correct server name for the Tomcat machine.

Then start Apache:

  service httpd start

For more information on these options, see:
- http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
- http://httpd.apache.org/docs/2.0/mod/mod_headers.html

Verifying ICAT and MCAText through Apache

Again, using a web browser, test the ICAT and MCAText services via Apache:
- https://localhost/icat/ws should show two services: icatService and srbNotifySOAP.
- https://localhost/mcatext/ws should show three services: srbSyncSOAP, srbRegisterSOAP and srbAuthzSOAP.

Troubleshooting
- Obtain or generate certificates.
- (If required) Create the ICAT database.
- Add PL/pgSQL to the MCAT database.
- Set environment variables for configuration.
- Run the script to generate deployment files.
- Deploy ICAT and MCAText.
- Install and configure Apache.

1. Obtaining ICAT and MCAText

Download the ADS SL bundle from http://www.archer.edu.au/downloads.

As the tomcat user, unzip it to a permanent location. This document assumes /usr/local/archer/icat_mcatext.

  mkdir -p /usr/local/archer/icat_mcatext
  chown tomcat /usr/local/archer/icat_mcatext
  su tomcat
  wget http://www.archer.edu.au/downloads/ads-sl-1.0.tar.gz
  tar -xzf ads-sl-1.0.tar.gz -C /usr/local/archer

The distribution contains the following files:

File | Purpose
icat.war | Web archive file for the ICAT web service
mcatext.war | Web archive file for the MCAText web service
install.sh | Script you will run to configure ICAT and MCAText
AddCertToKeystore.class | Used by the install script to add certificates to a Java keystore (JKS)
AddCertToKeystore.java | Source file. Not used in installation.
makekeystore.sh | Used by the install script to create the keystore
xdms_icat_ddl.sql | Script to create the ICAT database (if XDMS is not present)
xdms_icat_dml.sql | Script to populate the ICAT database (if XDMS is not present)
templates/ | Template context files for Tomcat, used by the install script

2. Obtaining or creating certificates and keys
  Logging ... 15
  Configuring ... 15

About ADS Service Layer

Overview

ARCHER Data Services (ADS) Service Layer is composed of two web applications: ICAT and MCAText.

ICAT is a metadata storage service that implements the CCLRC Scientific Metadata Model version 2 to record information about scientific experiments. The data from the experiments itself is stored on the SRB, while the metadata is held in the ICAT. The ICAT's storage is implemented as a PostgreSQL database, which is installed through the Archer XDMS application.

MCAText is an ARCHER-developed web service layer over SRB and its MCAT database. It provides a high-performance mechanism for other services to look up authorisation information on content within SRB. It provides update notification to other services when content is modified, moved, or created. It is used by certain ARCHER tools, including the ICAT service and ARCHER Collaborative Workspace.

You must install the ADS Infrastructure Layer, including SRB and MyProxy, before installing ADS Service Layer.

Do I need this?

ADS SL is used as follows:
- ARCHER's Hermes communicates with the ICAT service to browse experiments.
- ARCHER Collaborative Workspace (Plone) communicates with MCAText to browse the SRB.
  su - postgres
  createlang plpgsql MCAT

You can verify that this worked as follows:

  createlang -l MCAT
       Procedural Languages
    Name   | Trusted
  ---------+---------
   plpgsql | yes

5. Set environment variables

The install script uses a number of environment variables. If certificates and .war files are located as described in this document, many of the default values can be used.

Check the defaults in the table below, and set any variables as needed.

In particular you must set the name of the SRB host, and passwords for the two databases. For example:

  export SRB_HOSTNAME=srb.uni.edu.au
  export ICAT_DB_PASSWORD=xxxx
  export MCATEXT_DB_PASSWORD=xxxx

Variable | Contains | Defaults to
CATALINA_HOME | Location of Tomcat |
SRB_HOSTNAME | Host name of SRB server |
XDMS_BASEPATH | SRB URL to XDMS project area, for example srb://srbhost/myzone/home/xdms_project |
ICAT_CLIENT_CERT | Path to ICAT host certificate file | icatcert.pem
ICAT_CLIENT_KEY | Path to ICAT host key file | icatkey.pem
MCATEXT_CLIENT_CERT | Path to MCAText host certificate file | mcatextcert.pem
MCATEXT_CLIENT_KEY | Path to MCAText host key file | mcatextkey.pem
CA_CERT | Path to CA certificate file | cacert.pem
ICAT_WAR | Path to ICAT .war file | icat-webservice-1.0.war
Non-standard configurations

ICAT and MCAText separate from XDMS

It is not strictly necessary that ICAT and MCAText be deployed in the same Tomcat container as XDMS. However, due to the shared libraries used by the three web applications, hosting them on the same machine is a more efficient use of memory.

To install ADS SL on a separate server from XDMS, you must install another instance of Tomcat. Obtain Apache Tomcat version 5.5 from http://tomcat.apache.org/download-55.cgi.

Install Tomcat to /usr/local/archer/tomcat and run it as a user called tomcat.

Then download the PostgreSQL JDBC driver and place it in common/lib of your Tomcat installation. This driver is found at http://jdbc.postgresql.org/.

Note: Installing Tomcat through Yum is not recommended. Difficulties were encountered by the ARCHER project.

ICAT and MCAText separate from each other

It is also not strictly necessary that ICAT and MCAText be deployed in the same Tomcat container as each other. However, to arrange this will require that the installation be carried out twice, with some manual configuration. This method is not described here, as there is no particular benefit to doing this.

Installing ICAT and MCAText

Overview

ICAT and MCAText are installed and configured simultaneously.

The major steps are as follows:
- Obtain the configuration scripts and web service packages.
- ARCHER development and testing identified that a future version of XDMS could use the ICAT service rather than accessing the ICAT database directly.

Architecture

[Diagram: applications depending on ADS SL sit above the Archer Data Services Service Layer (XDMS, MCAText, ICAT), which sits above the Archer Data Services Infrastructure Layer.]

ICAT consists of a web application and the ICAT PostgreSQL database created by XDMS.

MCAText consists of a web application which uses the MCAT database already created as part of SRB.

Both web applications are hosted by Tomcat, and are generally accessed through an Apache server.

In the standard configuration that was tested by the ARCHER project:
- The XDMS, ICAT, and MCAText web applications are hosted by the same Tomcat.
- The ICAT and MCAT databases are hosted by the same PostgreSQL.
- Tomcat and Apache are on the same "front" server.
- PostgreSQL and SRB are on the same "back" server.

With XDMS: this is the configuration tested by ARCHER.

[Diagram: configuration with XDMS. Key: ADS Infrastructure Layer; back server.]

Without XDMS: ICAT can be installed without XDMS present, as follows.
  tar -zxf ~/mcatext_certs.tgz -O hostcert.pem > mcatextcert.pem
  tar -zxf ~/mcatext_certs.tgz -O hostkey.pem > mcatextkey.pem
  chmod 600 *key.pem
  chmod 644 *cert.pem

Assuming Apache is on this machine:

  cd /etc/grid-security
  tar -zxf ~/host_certs.tgz hostcert.pem
  tar -zxf ~/host_certs.tgz hostkey.pem
  cp hostcert.pem httpdcert.pem
  cp hostkey.pem httpdkey.pem
  chmod 600 *key.pem
  chmod 644 *cert.pem
  chown apache httpd*.pem

  ls -l /etc/grid-security/*.pem /usr/local/archer/icat_mcatext/*.pem
  -rw-r--r-- 1 root   root /etc/grid-security/hostcert.pem
  -rw------- 1 root   root /etc/grid-security/hostkey.pem
  -rw-r--r-- 1 apache root /etc/grid-security/httpdcert.pem
  -rw------- 1 apache root /etc/grid-security/httpdkey.pem
  -rw-r--r-- 1 root   root /etc/grid-security/req.pem
  -rw-r--r-- 1 root   root /usr/local/archer/icat_mcatext/cacert.pem
  -rw-r--r-- 1 root   root /usr/local/archer/icat_mcatext/icatcert.pem
  -rw------- 1 root   root /usr/local/archer/icat_mcatext/icatkey.pem
  -rw-r--r-- 1 root   root /usr/local/archer/icat_mcatext/mcatextcert.pem
  -rw------- 1 root   root /usr/local/archer/icat_mcatext/mcatextkey.pem
  -rw-r--r-- 1 root   root /usr/local/archer/icat_mcatext/req.pem

3. (Optional) Creating ICAT database

If you have XDMS installed, skip to step 4.

The ARCHER project tested ICAT installed using the same database as XDMS. However, it is theoretically possible, though untested, to install ICAT without XDMS.
MCATEXT_WAR | Path to MCAText .war file | mcatext-webservice-1.0.war
ICAT_DB_HOSTNAME | Host of PostgreSQL for ICAT | localhost
ICAT_DB_DBNAME | Name of ICAT database | icat
ICAT_DB_USERNAME | Username for ICAT database | xdms
ICAT_DB_PASSWORD | Password for ICAT database |
MCATEXT_DB_HOSTNAME | Host of PostgreSQL DB for MCAT | $SRB_HOSTNAME
MCATEXT_DB_DBNAME | Name of MCAT database | mcat
MCATEXT_DB_USERNAME | Username for MCAT database | srb
MCATEXT_DB_PASSWORD | Password for MCAT database |

6. Running the configuration script

The configuration script uses the environment variables you have set to create two Tomcat context files, two Java keystores, and a whitelist for MCAText.

Run it as follows:

  ./install.sh

If any required environment variables have not been set, you will be advised, and the script will stop.

The script generates these files in the current directory:

Filename | Contains
icat.jks | Java keystore for ICAT, containing the provided keys and certificates
mcatext.jks | Java keystore for MCAText, containing the provided keys and certificates
mcatext.whitelist | Whitelist for MCAText, containing ICAT. This file tells MCAText which hosts to allow connections from.
icat.xml | Tomcat context file for ICAT
mcatext.xml | Tomcat context file for MCAText
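The file-permission rules from step 2 and the variable defaults from step 5 can be checked before ./install.sh is run. The following preflight script is an added example, not part of the ARCHER guide or its install.sh: the function names are its own, the PEM-header test and the acceptance of the stricter read-only modes 400 and 444 are this example's choices, and the default values it fills in are those listed in the table above.

```shell
#!/bin/sh
# Added example, not part of the ARCHER guide or its install.sh: a preflight
# check to run from the installation directory before ./install.sh. It applies
# the guide's rules (required variables set, paths resolved with the guide's
# defaults, key files mode 600, certificate files world readable and in PEM
# format). Function names are this example's own; accepting the stricter
# read-only modes 400/444 is also this example's choice.

# Give each unset variable the default listed in the guide's table.
resolve_defaults() {
    : "${ICAT_CLIENT_CERT:=icatcert.pem}"
    : "${ICAT_CLIENT_KEY:=icatkey.pem}"
    : "${MCATEXT_CLIENT_CERT:=mcatextcert.pem}"
    : "${MCATEXT_CLIENT_KEY:=mcatextkey.pem}"
    : "${CA_CERT:=cacert.pem}"
    : "${ICAT_DB_HOSTNAME:=localhost}"
    : "${ICAT_DB_DBNAME:=icat}"
    : "${ICAT_DB_USERNAME:=xdms}"
    : "${MCATEXT_DB_HOSTNAME:=$SRB_HOSTNAME}"
    : "${MCATEXT_DB_DBNAME:=mcat}"
    : "${MCATEXT_DB_USERNAME:=srb}"
}

# Variables the guide gives no default for; returns the number that are unset.
check_required_vars() {
    missing=0
    for name in CATALINA_HOME SRB_HOSTNAME ICAT_DB_PASSWORD MCATEXT_DB_PASSWORD; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A private key must be PEM and readable by its owner only (guide: chmod 600).
check_key_file() {
    [ -f "$1" ] || { echo "key file not found: $1" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" ||
        { echo "key file $1 is not PEM encoded; convert it first" >&2; return 1; }
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "key file $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# A certificate must be PEM and world readable (guide: chmod 644).
check_cert_file() {
    [ -f "$1" ] || { echo "certificate not found: $1" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "certificate $1 is not PEM encoded; convert it first" >&2; return 1; }
    mode=$(file_mode "$1")
    case "$mode" in
        644|444) return 0 ;;
        *) echo "certificate $1 has mode $mode, expected 644" >&2; return 1 ;;
    esac
}

# Run every check; the exit status is the number of problems found.
preflight() {
    resolve_defaults
    problems=0
    check_required_vars || problems=$((problems + $?))
    for key in "$ICAT_CLIENT_KEY" "$MCATEXT_CLIENT_KEY"; do
        check_key_file "$key" || problems=$((problems + 1))
    done
    for cert in "$ICAT_CLIENT_CERT" "$MCATEXT_CLIENT_CERT" "$CA_CERT"; do
        check_cert_file "$cert" || problems=$((problems + 1))
    done
    if [ "$problems" -eq 0 ]; then
        echo "preflight OK: ready to run ./install.sh"
    else
        echo "$problems problem(s) found; fix them before running ./install.sh" >&2
    fi
    return "$problems"
}

# Usage: export the variables from step 5, then: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Because the defaults are resolved in the caller's shell, sourcing the file (`. ./preflight.sh; preflight`) leaves the same variables set that install.sh will read, so what was checked is what will be used.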
Maintenance

Stopping and starting

To stop Tomcat:

  $TOMCAT_HOME/bin/shutdown.sh

To start Tomcat:

  $TOMCAT_HOME/bin/startup.sh

To remove just one of the applications, stop Tomcat, then delete the context file and corresponding webapps directory from Tomcat:

  rm -rf $TOMCAT_HOME/webapps/icat
  rm $TOMCAT_HOME/conf/Catalina/localhost/icat.xml

To stop Apache:

  service httpd stop

To start Apache:

  service httpd start

Logging

The Tomcat log files are found in $TOMCAT_HOME/logs/catalina.out.

Apache's log files are in /etc/httpd/logs.

Configuring

To reconfigure ICAT or MCAText, either:
1. Repeat the steps to generate the context files, and redeploy them, or
2. Directly modify the deployed context files. Some settings in these files are not documented.
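The Verifying GSI and Troubleshooting sections earlier in this guide have the administrator read the header dump in catalina.out by eye. The script below is an added example, not from the ARCHER guide: it applies the same test to a saved copy of one request's header dump, and separates the three outcomes the guide's troubleshooting paragraph describes (header present with a DN, header absent, header present but not trustworthy). The function names, the expected DN prefix and the sample dump are this example's own constructions. It also goes one step beyond the guide: because `RequestHeader add` appends rather than replaces, a request that already carried an SSL_CLIENT_S_DN header reaches Tomcat with two values, and the check reports that case rather than accepting either value.

```shell
#!/bin/sh
# Added example, not from the ARCHER guide: check the request-header dump that
# ICAT/MCAText write to catalina.out for the SSL_CLIENT_S_DN header that Apache
# is configured to add. Function names, the expected DN prefix and the sample
# dump are this example's own constructions; run the checks on the header dump
# of a single request, as shown in the guide.

# Prefix under which the site CA issues user DNs (assumption for this example).
EXPECTED_DN_PREFIX="/C=AU/O=Grid/"

# Constructed sample of a correct header dump, in the shape the guide shows.
SAMPLE_HEADERS='Headers:
Max-Forwards: 10
content-length: 517
accept-encoding: identity
host: icatserver:443
SOAPAction: "http://archer.edu.au/services/ICATService/getInvestigationById"
content-type: text/xml; charset=utf-8
SSL_CLIENT_S_DN: /C=AU/O=Grid/OU=Dev/CN=username'

# Print every SSL_CLIENT_S_DN value in a header dump file, one per line.
extract_client_dn() {
    sed -n 's/^[[:space:]]*SSL_CLIENT_S_DN:[[:space:]]*//p' "$1"
}

# Print the CN component of a DN in Apache's /C=../O=../CN=.. form.
client_cn() {
    printf '%s\n' "$1" | sed -n 's#.*/CN=\([^/]*\).*#\1#p'
}

# Exit status: 0 = one DN with the expected prefix (Apache set up correctly);
# 1 = header absent: Apache is not requesting peer verification, not exporting
#     the SSL variables (SSLOptions +StdEnvVars) or not adding the header;
# 2 = more than one value: the guide's "RequestHeader add" appends rather than
#     replaces, so a request that already carried the header reaches Tomcat
#     with both values and neither should be trusted;
# 3 = a DN that was not issued under the expected prefix.
check_client_dn() {
    dns=$(extract_client_dn "$1")
    count=$(printf '%s\n' "$dns" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "no SSL_CLIENT_S_DN header: check SSLVerifyClient, SSLOptions +StdEnvVars and RequestHeader in ssl.conf" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "$count SSL_CLIENT_S_DN values in one request; do not trust this DN:" >&2
        printf '%s\n' "$dns" >&2
        return 2
    fi
    case "$dns" in
        "$EXPECTED_DN_PREFIX"*)
            echo "GSI client verified as CN=$(client_cn "$dns") ($dns)"
            return 0 ;;
        *)
            echo "DN $dns was not issued under $EXPECTED_DN_PREFIX" >&2
            return 3 ;;
    esac
}

# Usage: sh check_dn.sh FILE, where FILE holds one request's header dump copied
# from $CATALINA_HOME/logs/catalina.out; sh check_dn.sh --sample checks the
# constructed sample above.
case "${1:-}" in
    --sample)
        tmpfile=$(mktemp)
        printf '%s\n' "$SAMPLE_HEADERS" > "$tmpfile"
        check_client_dn "$tmpfile"
        rm -f "$tmpfile" ;;
    ?*) check_client_dn "$1" ;;
esac
```

Status 1 is the case the guide's troubleshooting paragraph covers; status 2 is the reason to prefer setting the header only after clearing any copy that arrived with the request, which is a configuration choice this guide does not make and should be confirmed against the mod_headers documentation linked in the Apache section.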
    