Hydra Installation Notes
Notes on the experimental installation of Hydra key server.
RPMs can be obtained from here:
The RPMs are ready. Given the latest GFAL-client on the UI you also need the following on the client side:
http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.data.hydra-cli/3.1.0/
http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.security.ssss/1.0.0/
and this on the server side:
http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.data.hydra-service/1.3.0/
Once the client rpms are installed, there will be glite-eds-* clients available.
On the server side you need as pre-requisite:
MySQL
Tomcat
By installing the rpm, you will get a .war file in:
/opt/glite/share/java/glite-data-hydra-service.war
Also, the following directory structure will be created:
/opt/glite/etc/glite-data-hydra-service
This directory is important because it contains the scripts and configuration for the Hydra installation.
To install Hydra, just drop the war file in tomcat webapps directory: it will auto deploy as usual.
Connect to tomcat to test the installation was successful:
http://egrid-ui.egrid.it:8080/glite-data-hydra-service
To configure Hydra:
Edit:
/opt/glite/etc/glite-data-hydra-service/config.properties
Export CATALINA_BASE:
export CATALINA_BASE=/usr/share/tomcat6/
Launch the config script:
./configure --withpass MYSQL_ROOT_PASSWORD --values /opt/glite/etc/glite-data-hydra-service/config.properties
BEWARE!!! There is a bug!!! BEFORE DOING ANY OF THE ABOVE, DO THIS:
> (1) I don't know if it is the correct procedure, but once I dropped the
> war in tomcat, I then tried to launch the following script:
>
> /opt/glite/etc/glite-data-hydra-service/configure --withpass XXXXX
> --values /opt/glite/etc/glite-data-hydra-service/config.properties
>
> The script however has some problems because it attempts to run
> /opt/glite/etc/glite-data-hydra-service/schema/mysql/mysql-schema.sql
> but the rpms did not install it.

Indeed. This is a bug. I have to update the RPM to include that file! Hmmmm, according to the build.xml file it should be there...
http://glite.cvs.cern.ch:8180/cgi-bin/glite.cgi/org.glite.data.hydra-service/config/schema/mysql/mysql-schema.sql?revision=1.5
Old instructions which do not fit properly on current Hydra can be found here:
http://glite.web.cern.ch/glite/packages/R3.0/R20060502/doc/installation_guide_3.0-2.html#_Toc135537474
It is useful for some implicit steps that may still be present in the newer version! For example, the installation of certificates for the service!
The most up to date instructions and use cases, are here:
https://twiki.cern.ch/twiki/bin/view/EGEE/DMEDS
To enable HTTPS on Tomcat, here are the instructions:
http://users.skynet.be/pascalbotte/art/book1.htm
Create a p12 file from both .pem files you find in /etc/grid-security:
openssl pkcs12 -export -out keystore.pkcs12 -in www.crt -inkey www.key
Java keystore generation for enabling https in tomcat:
follow instructions in here: http://users.skynet.be/pascalbotte/art/server-cert.htm
get jar in here: http://www.docjar.com/jars/org.mortbay.jetty-5.1.10-2006-01-05.jar
follow instructions in here: http://www.docjar.com/docs/api/org/mortbay/util/PKCS12Import.html
and in here:
http://www.omii.ac.uk/docs/2.0.0/omii_2_user_guide/security/non-omii/ukes_keystore_generation.htm
to run the construction of the Java key store:
java -cp ./org.mortbay.jetty-5.1.10-2006-01-05.jar org.mortbay.util.PKCS12Import server.p12 server.ks
remember to add the CA certificates, as explained in the second instructions link!
To find the certificate of the CA, do this:
Establish the CA of your certificate.pem:
openssl x509 -in /etc/grid-security/hostcert.pem -noout -issuer
it may return for example:
issuer= /C=IT/O=INFN/CN=INFN CA
Now look for the CA certificate in /etc/grid-security/certificates
[root@ictpgrid-ce-1 certificates]# grep INFN *policy -l
2f3fadf6.signing_policy
Now confirm it by doing:
[root@ictpgrid-ce-1 certificates]# openssl x509 -in 2f3fadf6.0 -subject -noout
subject= /C=IT/O=INFN/CN=INFN CA
Add the CA certificate to the keystore:
keytool -import -keystore server.ks -file ./certificates/2f3fadf6.0
Uncomment in tomcat's server.xml the section about https; make sure it looks like :
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/etc/grid-security/server.ks" keystorePass="XXXXXX"
clientAuth="false" sslProtocol="TLS" />
Make sure the path to the keystore and the keystore-password are correct!
REMEMBER TO SET PERMISSIONS ON THE KEYSTORE AND ON THE P12 SO THAT ONLY THE SERVICE CAN READ IT AND ROOT!
NOTE2: IT COULD BE POSSIBLE TO USE P12 FILE DIRECTLY, BUT IT HAS TO BE CONFIRMED!
Client side configuration:
/opt/glite/etc/service.xml must be changed to add the following section:
<service name="hydra-1">
<parameters>
<endpoint>https://ictpgrid-ce-1.ictp.it:8443/1/glite-data-hydra-service/services/Hydra</endpoint>
<type>org.glite.Metadata</type>
<version>1.3.1</version>
<volist><vo>euindia</vo></volist>
</parameters>
<associatedservices>
<name>hydra-2</name>
<name>hydra-3</name>
</associatedservices>
</service>
<service name="hydra-2">
<parameters>
<endpoint>https://ictpgrid-ce-1.ictp.it:8443/2/glite-data-hydra-service/services/Hydra</endpoint>
<type>org.glite.Metadata</type>
<version>1.3.1</version>
<volist><vo>euindia</vo></volist>
</parameters>
<associatedservices>
<name>hydra-1</name>
<name>hydra-3</name>
</associatedservices>
</service>
<service name="hydra-3">
<parameters>
<endpoint>https://ictpgrid-ce-1.ictp.it:8443/3/glite-data-hydra-service/services/Hydra</endpoint>
<type>org.glite.Metadata</type>
<version>1.3.1</version>
<volist><vo>euindia</vo></volist>
</parameters>
<associatedservices>
<name>hydra-1</name>
<name>hydra-2</name>
</associatedservices>
</service>
Export the following variables:
export GLITE_SD_PLUGIN=file
export GLITE_SD_SERVICES_XML=/opt/glite/etc/services.xml
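A consistency check for the Hydra entries of the client's services file, added here as an illustration (it is not code from the Hydra project). It assumes a <services> root wrapping <service> blocks shaped like the ones above; the host name in the constructed sample is a placeholder.

```python
"""Sanity-check the Hydra <service> entries of a gLite services.xml.

Added example, not part of the Hydra distribution. Assumes a <services>
root element around <service> blocks like those in the notes above.
"""
import xml.etree.ElementTree as ET

def service_block(name, n, assoc, scheme="https"):
    """Build one <service> entry in the shape used above (sample construction only)."""
    names = "".join(f"<name>{a}</name>" for a in assoc)
    return (f'<service name="{name}"><parameters>'
            f"<endpoint>{scheme}://hydra.example.org:8443/{n}/glite-data-hydra-service/services/Hydra</endpoint>"
            "<type>org.glite.Metadata</type><version>1.3.1</version>"
            "<volist><vo>euindia</vo></volist></parameters>"
            f"<associatedservices>{names}</associatedservices></service>")

# Constructed samples: a correct full mesh, and one where hydra-3 is plain http
# and forgot to list hydra-2 as an associated service.
GOOD = ("<services>" + service_block("hydra-1", 1, ["hydra-2", "hydra-3"])
        + service_block("hydra-2", 2, ["hydra-1", "hydra-3"])
        + service_block("hydra-3", 3, ["hydra-1", "hydra-2"]) + "</services>")
BAD = ("<services>" + service_block("hydra-1", 1, ["hydra-2", "hydra-3"])
       + service_block("hydra-2", 2, ["hydra-1", "hydra-3"])
       + service_block("hydra-3", 3, ["hydra-1"], scheme="http") + "</services>")

def check_hydra_services(xml_text):
    """Return a list of problems (empty when the configuration is consistent)."""
    problems, services = [], {}
    for svc in ET.fromstring(xml_text).findall("service"):
        name = svc.get("name")
        if not name or name in services:
            problems.append(f"missing or duplicate service name: {name!r}")
            continue
        services[name] = svc
    # Hydra instances are the org.glite.Metadata services; the client talks to
    # all of them, so every instance must list all the others as associated.
    hydra = {n for n, s in services.items() if s.findtext("parameters/type") == "org.glite.Metadata"}
    for name in sorted(hydra):
        svc = services[name]
        endpoint = svc.findtext("parameters/endpoint") or ""
        if not endpoint.startswith("https://"):
            problems.append(f"{name}: endpoint is not https: {endpoint}")
        assoc = {e.text for e in svc.findall("associatedservices/name")}
        for unknown in sorted(assoc - set(services)):
            problems.append(f"{name}: associated service {unknown} is not defined")
        if assoc != hydra - {name}:
            problems.append(f"{name}: associatedservices {sorted(assoc)} != {sorted(hydra - {name})}")
    return problems
```

Run check_hydra_services() on the contents of the real services.xml after editing it; an empty list means every instance is reachable over https and the association mesh is complete.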
ADD THE MYSQL-JCONNECTOR JAR in tomcat! Drop the jar in
/usr/share/tomcat5/common/lib
ATTENTION!
To allow tomcat to work with security, and make use of all the certificates and CRLs and VOMS, etc., you MUST use the gLite implementation for SSL:
Install rpm:
glite-security-trustmanager-1.8.11-1
The following is a script used for FTS:
#
# Yaim configuration for secure tomcat.
#
# Copyright: CERN 2008.
# Licence: Apache2
#
# Authors:
#   Akos.Frohner@cern.ch
#

config_tomcat() {
    GLITE_LOCATION=${GLITE_LOCATION:-/opt/glite}

    #
    # Find tomcat
    #
    # system default
    [ -r /etc/tomcat5/tomcat5.conf ] && source /etc/tomcat5/tomcat5.conf
    # RedHat settings
    [ -r /etc/sysconfig/tomcat5 ] && source /etc/sysconfig/tomcat5
    # Debian settings
    [ -r /etc/default/tomcat5 ] && source /etc/default/tomcat5

    # Find Tomcat's webapps dir
    if [ ! -d "${CATALINA_BASE}/conf" ]; then
        CATALINA_BASE=${CATALINA_HOME}
    fi
    if [ ! -d "${CATALINA_BASE}/conf" ]; then
        CATALINA_BASE="/var/tomcat5"
    fi
    if [ ! -d "${CATALINA_BASE}/conf" ]; then
        CATALINA_BASE="/var/lib/tomcat5"
    fi
    if [ ! -d "${CATALINA_BASE}/conf" ]; then
        yaimlog ABORT "ERROR: Could not find CATALINA_BASE"
        exit 1
    fi
    if [ ! -d "$CATALINA_BASE/conf/Catalina/localhost" ]; then
        yaimlog ABORT "ERROR: non default Tomcat installation, where the webapp "
        yaimlog ABORT "       configuration directory does not exists: "
        yaimlog ABORT "       $CATALINA_BASE/conf/Catalina/localhost"
        exit 1
    fi

    #
    # Check hostcert exists
    #
    if [ ! -r /etc/grid-security/hostcert.pem ]; then
        yaimlog ABORT "ERROR: Cannot read /etc/grid-security/hostcert.pem."
        yaimlog ABORT "       Tomcat web-service requires a host certificate/key pair."
        exit 1
    fi
    if [ ! -r /etc/grid-security/hostkey.pem ]; then
        yaimlog ABORT "ERROR: Cannot read /etc/grid-security/hostkey.pem."
        yaimlog ABORT "       Tomcat web-service requires a host certificate/key pair."
        exit 1
    fi

    # Check it's not expired
    openssl x509 -checkend 0 -in /etc/grid-security/hostcert.pem > /dev/null 2>&1
    if [ $? -eq 1 ]; then
        openssl x509 -text -in /etc/grid-security/hostcert.pem
        yaimlog ABORT "ERROR: Hostcert has expired!"
        exit 1
    fi

    # tomcat user could be set to something else:
    TOMCAT_USER=${TOMCAT_USER:-tomcat}
    id -u $TOMCAT_USER > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
        yaimlog ABORT "Tomcat configured to use user $TOMCAT_USER but user does not exist!"
        exit -1
    fi

    # Copy them to the correct place
    yaimlog INFO "Copying hostcert to /etc/grid-security/tomcat-cert.pem for $TOMCAT_USER:root......"
    cp -f /etc/grid-security/hostcert.pem /etc/grid-security/tomcat-cert.pem
    yaimlog INFO "Copying hostkey to /etc/grid-security/tomcat-key.pem for $TOMCAT_USER:root..."
    cp -f /etc/grid-security/hostkey.pem /etc/grid-security/tomcat-key.pem
    chown $TOMCAT_USER:root /etc/grid-security/tomcat-cert.pem
    chown $TOMCAT_USER:root /etc/grid-security/tomcat-key.pem
    chmod 644 /etc/grid-security/tomcat-cert.pem
    chmod 400 /etc/grid-security/tomcat-key.pem

    #
    # Configure the tomcat server itself
    #
    # Replace server.xml with the one defining the secure connector
    if [ -e /etc/tomcat5/server.xml.original.glite.backup ]; then
        yaimlog INFO "Assuming /etc/tomcat5/server.xml is already configured.."
    else
        yaimlog INFO "Replacing the tomcat5 /etc/tomcat5/server.xml..."
        cp -f /etc/tomcat5/server.xml /etc/tomcat5/server.xml.original.glite.backup
        cat > /etc/tomcat5/server.xml << EOT
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/tomcat-cert.pem"
               sslKey="/etc/grid-security/tomcat-key.pem"
               log4jConfFile="/etc/tomcat5/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOT
        chown $TOMCAT_USER:$TOMCAT_USER /etc/tomcat5/server.xml
    fi

    # Copy log4j-trustmanager.properties into place
    cp -f /opt/glite/etc/glite-security-trustmanager/log4j-trustmanager.properties /etc/tomcat5/
    chown $TOMCAT_USER:$TOMCAT_USER /etc/tomcat5/log4j-trustmanager.properties

    yaimlog INFO "Copying trustmanager deps to tomcat server lib directory.."
    # log4j
    build-jar-repository /var/lib/tomcat5/server/lib log4j
    # bouncy castle
    ln -fs /usr/share/java-ext/bouncycastle-jdk1.5/bcprov.jar /var/lib/tomcat5/server/lib/bcprov.jar
    ln -fs ${GLITE_LOCATION}/share/java/glite-security-util-java.jar /var/lib/tomcat5/server/lib/
    ln -fs ${GLITE_LOCATION}/share/java/glite-security-trustmanager.jar /var/lib/tomcat5/server/lib/
}
The important things to notice are:
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0"
           scheme="https" secure="true"
           sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
           sslCAFiles="/etc/grid-security/certificates/*.0"
           crlFiles="/etc/grid-security/certificates/*.r0"
           sslCertFile="/etc/grid-security/tomcat-cert.pem"
           sslKey="/etc/grid-security/tomcat-key.pem"
           log4jConfFile="/etc/tomcat5/log4j-trustmanager.properties"
           clientAuth="true" sslProtocol="TLS" />
Notice it makes use of the files tomcat-cert.pem and tomcat-key.pem, which you create from the originals!
Notice also that it supplies its own implementation for SSL: org.glite.security.trustmanager.tomcat.TMSSLImplementation
This implementation accepts the CA files (sslCAFiles), the CRL files (crlFiles), etc.!
IT IS CRUCIAL THAT YOU CONFIGURE gLITE TRUSTMANAGER!!! You must run the script in:
/opt/glite/etc/glite-security-trustmanager/configure.sh
it will copy proper jars in tomcat server subdirectory!
apt-get update
[14.29.36] Antonio Messina writes: apt-get upgrade
[14.30.07] Antonio Messina writes: yum update
[14.30.41] Antonio Messina writes: /etc/cron.d/fetch-crl
[14.30.47] Antonio Messina writes: /opt/glite/libexec/fetch-crl.sh >> /var/log/fetch-crl-cron.log
[14.35.16] Antonio Messina writes: /var/log/fetch-crl-cron.log
[14.35.29] Antonio Messina writes: File /etc/grid-security/certificates//12a1d8c2.r0 valid: yes
[14.36.48] Antonio Messina writes: openssl verify -CApath /etc/grid-security/certificates/ /etc/grid-security/vomsdir/voms-01.pd.infn.it.pem
[14.37.13] Antonio Messina writes: [root@ictpgrid-ce-1 vomsdir]# openssl verify -CApath /etc/grid-security/certificates/ *pem
cert-voms-01.cnaf.infn.it.pem: OK
grid12.lal.in2p3.fr.pem: OK
mu4.matrix.sara.nl.pem: /O=dutchgrid/O=hosts/OU=sara.nl/CN=mu4.matrix.sara.nl
error 10 at 0 depth lookup:certificate has expired
OK
voms-01.pd.infn.it.pem: OK
voms-02.pd.infn.it.pem: OK
voms2.cnaf.infn.it.pem: OK
voms.cnaf.infn.it.pem: OK
voms.gridpp.ac.uk.pem: OK
voms.grid.sara.nl.pem: /O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl
error 10 at 0 depth lookup:certificate has expired
OK
openssl pkcs12 -export -out signcertificato.p12 -inkey signprivkey.pem -in signcert.pem -name 'id di massimo sponza a infn' -CAfile /etc/grid-security/certificates/49f18420.0 -caname root -chain
[12.33.50] Massimo Sponza writes: openssl pkcs12 -export -out signcertificato.p12 -inkey signprivkey.pem -in signcert.pem -name 'id di massimo sponza a infn' -certfile /etc/grid-security/certificates/49f18420.0
Adjust the UI so that it automatically exports the Hydra client variables:
[13.29.37] Antonio Messina writes: just create a file in /etc/profile.d/
[13.29.42] Antonio Messina writes: with the ".sh" extension
[13.29.46] ecorso2005 writes: ok
[13.29.48] ecorso2005 writes: thanks
[13.29.48] Antonio Messina writes: and put in it what you copied to me
[13.30.13] Antonio Messina writes: if you look in /etc/profile.d/glite-hydra.sh there is exactly the copy&paste of what you told me
Hi Ezio,

On Wed, 2008-04-30 14:01:50 +0200, Corso Ezio wrote:
[...]
> HYDRA_CREATE_1=/euindia
[...]
> attribute : /euindia/Role=NULL/Capability=NULL
> timeleft : 11:38:11
>
> So the command should work, right? Because I specified that /euindia can
> create: correct?
>
> Any suggestions?

Please try to change the configuration to
HYDRA_CREATE_1=/euindia/Role=NULL/Capability=NULL
legacy problems. Hopefully will go away sometime.
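The mismatch in the thread above, reproduced as an added example (not Hydra's own code). It assumes the legacy behaviour is a literal string comparison between the configured HYDRA_CREATE_n value and the FQAN in the proxy, and shows how expanding the short form "/euindia" to the full Role=NULL/Capability=NULL form makes the two agree; the config lines and proxy output are constructed.

```python
"""FQAN matching for HYDRA_CREATE_n, added illustration of the thread above.

Assumption (not checked against the Hydra source): the legacy check compares
the configured FQAN and the VOMS attribute as plain strings, so "/euindia"
does not match "/euindia/Role=NULL/Capability=NULL".
"""
import re

# Constructed sample config and voms-proxy-info output shaped like the thread.
CONFIG_LINES = ["HYDRA_CREATE_1=/euindia",
                "HYDRA_CREATE_2=/euindia/Role=admin/Capability=NULL"]
PROXY_OUTPUT = "attribute : /euindia/Role=NULL/Capability=NULL\ntimeleft : 11:38:11\n"

def canonical_fqan(fqan):
    """Expand the short form: a missing Role or Capability means NULL (VOMS convention)."""
    group, _, rest = fqan.strip().partition("/Role=")
    role, _, cap = rest.partition("/Capability=")
    return f"{group}/Role={role or 'NULL'}/Capability={cap or 'NULL'}"

def proxy_fqans(text):
    """Pull the 'attribute : /vo/...' lines out of voms-proxy-info output."""
    return re.findall(r"^attribute\s*:\s*(/\S+)", text, re.M)

def create_permitted(config_lines, proxy_text, strict):
    """strict=True mimics the legacy literal comparison; False compares canonical forms."""
    allowed = [line.split("=", 1)[1] for line in config_lines if line.startswith("HYDRA_CREATE_")]
    held = proxy_fqans(proxy_text)
    if strict:
        return any(a == h for a in allowed for h in held)
    return any(canonical_fqan(a) == canonical_fqan(h) for a in allowed for h in held)
```

With the constructed input the strict comparison denies the create, exactly the symptom in the thread, while the canonical comparison permits it; writing the full form in the config, as the reply suggests, satisfies both.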
To change the configuration of running instances, edit the Tomcat context file of each installed instance, for example for instance 3:
/usr/share/tomcat5//conf/Catalina/localhost/3#glite-data-hydra-service.xml
(the "#" in the file name is Tomcat's notation for the "/" in the context path /3/glite-data-hydra-service). Do this in each installed instance!