Hydra test set-up installation

by Ezio Corso last modified 2008-06-09 16:58

This document describes how to set up a test installation of Hydra key server.

These instructions let you set up a test installation of the Hydra key server. It is termed a test installation because all the Hydra instances are present on a single host machine. Arguably the major strength of the Hydra approach is to have each instance on a different host, under the control of different people: no single administrator then has access to the complete key.

These instructions are therefore provided with the aim of presenting, in order, all the installation steps involved.

System Administration WARNING-1! Problems installing Tomcat5.5 with yum! There is a serious bug/issue when trying to install Tomcat5.5 with yum; the whole story can be found at https://zarb.org/pipermail/jpackage-discuss/2008-January/012231.html
The only quick solution is to install apt-get and use that instead of yum!

System Administration WARNING-2! Using Tomcat 6 for Hydra requires some adjustments to the instructions provided here, which have not been documented yet. They are due to the fact that Tomcat 6 has a simplified directory structure.

OS requirements and Hydra documentation:

The machines where we installed Hydra ran SL4/gLite3.1, but we see no reason why it should not work on SL3/gLite3.0.

The most up to date information and use cases can be found here:

https://twiki.cern.ch/twiki/bin/view/EGEE/DMEDS

Old instructions which no longer fit the current Hydra version properly, but which may shed some light on implicit steps that are probably still present:

http://glite.web.cern.ch/glite/packages/R3.0/R20060502/doc/installation_guide_3.0-2.html#_Toc135537474

Hydra requires its own host certificate and private key:

In order to avoid the red tape and time involved in requesting a dedicated certificate, for quick testing purposes we installed Hydra on a Computing Element. We see no problem in installing it on existing Storage Elements as well, although we did not try it.

We made a copy of the following original files:

/etc/grid-security/hostcert.pem

/etc/grid-security/hostkey.pem

Into:

/etc/grid-security/tomcat-cert.pem

/etc/grid-security/tomcat-key.pem

And granted access to those two files only to the user tomcat. The usual permissions for a certificate and private key were applied:

-rw-r--r--   1 tomcat root      1419 May 21 15:56 tomcat-cert.pem
-r--------   1 tomcat root       887 May 21 15:56 tomcat-key.pem
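As an added example (not part of the original page), a small shell script that performs the copy and permission steps above and checks the result; source/destination paths and the owner are parameters so it can be tried on scratch files, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the original page: copy the host certificate and key
# to the Tomcat-owned copies and apply the usual permissions (certificate
# world-readable, private key readable only by its owner).
install_tomcat_keypair() {
    src_cert=$1; src_key=$2; dst_cert=$3; dst_key=$4; owner=${5:-tomcat}
    cp "$src_cert" "$dst_cert" && cp "$src_key" "$dst_key" || return 1
    chown "$owner" "$dst_cert" "$dst_key" || return 1
    chmod 0644 "$dst_cert" && chmod 0400 "$dst_key" || return 1
    check_keypair_perms "$dst_cert" "$dst_key"
}

# Return 0 only if the certificate is 0644 and the key is 0400, i.e. nobody
# but the owner (tomcat) can read the private key. Uses GNU stat (assumed).
check_keypair_perms() {
    [ "$(stat -c '%a' "$1")" = "644" ] && [ "$(stat -c '%a' "$2")" = "400" ]
}

# Optional: confirm the copied certificate and key actually belong together
# by comparing their RSA moduli (needs openssl; returns 2 if it is absent).
keypair_matches() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Usage on the real host (as root):
#   install_tomcat_keypair /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem \
#       /etc/grid-security/tomcat-cert.pem /etc/grid-security/tomcat-key.pem tomcat
```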

Tomcat installation:

Using Yum/Apt with the official gLite repositories, we installed Tomcat 5.5. We had originally installed Tomcat 6 and only later, in an attempt to debug some problems, went back to Tomcat 5.5. The problem, though, was totally unrelated to Tomcat 6. We therefore see no reason why it should not work with Tomcat 6, and will use that in future installations.

Make sure that CATALINA_HOME and CATALINA_BASE environment variables are set!

gLite Trustmanager installation:

To run Tomcat over https, the usual steps do not seem to work properly: many attempts were made to create and use key stores with the host's certificate and private key, yet all failed at some point, in many different ways. This package solved the issues: it provides its own SSL implementation, which Tomcat will use. The name of the rpm package is:

glite-security-trustmanager-1.8.11-1

It is then crucial that you configure gLite Trustmanager by running the script in:

/opt/glite/etc/glite-security-trustmanager/configure.sh

The script will copy the proper jars into Tomcat's server subdirectory!

WARNING! Make sure to edit the config.properties file you find there, for example as in the following case:

glite-security-trustmanager.SSLCERTFILE     = /etc/grid-security/tomcat-cert.pem
glite-security-trustmanager.SSLKEY          = /etc/grid-security/tomcat-key.pem
glite-security-trustmanager.CAFILES         = /etc/grid-security/certificates/*.0
glite-security-trustmanager.CRLFILES        = /etc/grid-security/certificates/*.r0
glite-security-trustmanager.LOG4JCONF       = @CATALINA_HOME@/conf/log4j-trustmanager.properties
glite-security-trustmanager.PORT                = 9443

Notice the port number, which we chose to be 9443, as well as the names of the certificate and key files.

WARNING! THERE COULD BE A BUG DURING INSTALLATION! The script tries to copy /opt/glite/share/glite-security-trustmanager/bcprov-jdk14-*.jar into /usr/share/tomcat5/server/lib/bcprov-jdk14-*.jar and fails! This is because the actual filename differs; copy it with:

cp /opt/glite/share/glite-security-trustmanager/bcprov* /usr/share/tomcat5/server/lib/

Tomcat server.xml editing:

Edit server.xml to add a new connector; add the following code:

<Connector port="9443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sSLImplementation="org.glite.security.trustmanager.tomcat.TMSSLImplementation"
               sslCAFiles="/etc/grid-security/certificates/*.0"
               crlFiles="/etc/grid-security/certificates/*.r0"
               sslCertFile="/etc/grid-security/tomcat-cert.pem"
               sslKey="/etc/grid-security/tomcat-key.pem"
               log4jConfFile="/etc/tomcat5/log4j-trustmanager.properties"
               clientAuth="true" sslProtocol="TLS" />

WARNING! The configuration script you ran previously may actually overwrite the whole server.xml file and specify a connector just for the secure port. If that is acceptable for you, you may leave things as they are; otherwise, simply use the original file and add the section above. Notice that the script makes a copy of the original server.xml file.

MySQL ConnectorJ installation:

Install the MySQL ConnectorJ JDBC driver in Tomcat: fetch the latest one from the MySQL site and put the jar in:

/usr/share/tomcat5/common/lib

MySQL RDBMS installation:

Using Yum/Apt, install MySQL.

Hydra installation:

Fetch the rpm from:

http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.data.hydra-service/1.3.0/

By installing the rpm, you will get a .war file in:

/opt/glite/share/java/glite-data-hydra-service.war

Also, the following directory structure will be created:

/opt/glite/etc/glite-data-hydra-service

This directory is important because it contains the scripts for configuring the Hydra instances!

BEWARE! There is a bug with the RPM, though: a subdirectory structure and a file are missing. Create them manually with the following two steps:

  • Create:  /opt/glite/etc/glite-data-hydra-service/schema/mysql/
  • Copy in there the file:   mysql-schema.sql

The file can be downloaded from:

http://glite.cvs.cern.ch:8180/cgi-bin/glite.cgi/org.glite.data.hydra-service/config/schema/mysql/mysql-schema.sql?revision=1.5

To install Hydra in Tomcat, just drop the war file in the Tomcat webapps directory: it will auto-deploy as usual.

Connect to Tomcat to test that this preliminary step was successful:

https://ictpgrid-ce-1.ictp.it:9443/glite-data-hydra-service

Hydra configuration:

  • Edit:

/opt/glite/etc/glite-data-hydra-service/config.properties

  • Keep in mind the following:

Should voms-proxy-info --all show a line like:  

attribute : /euindia/Role=NULL/Capability=NULL

Then the corresponding section in config.properties should be something similar to:

HYDRA_CREATE_1=/euindia/Role=NULL/Capability=NULL

  • Make sure the environment has CATALINA_BASE exported; if not, export it.

  • Launch the config script:

./configure --withpass  --values /opt/glite/etc/glite-data-hydra-service/config.properties

BEWARE! There is a bug in the script! Edit it and add single quotes around the user name and password in the SQL grant statements, so that the DB initialization reads:

    # DB initialization
    $DRYRUN mysql -u root $WITHPASS -e "CREATE DATABASE ${!ref_DBNAME};
    grant ALL PRIVILEGES on ${!ref_DBNAME}.* to '${!ref_DBUSER}' identified by '${!ref_DBPASSWORD}';
    grant ALL PRIVILEGES on ${!ref_DBNAME}.* to '${!ref_DBUSER}'@'$HOSTNAME' identified by '${!ref_DBPASSWORD}';
    grant ALL PRIVILEGES on ${!ref_DBNAME}.* to '${!ref_DBUSER}'@'localhost' identified by '${!ref_DBPASSWORD}';

  • The DB will be created, as well as all Hydra instances, which you can check in $CATALINA_BASE/webapps/ where they appear as consecutive integers.
BEWARE! Restart the MySQL server: otherwise the added user and password are not effective!

  • Check $CATALINA_BASE/logs/catalina.out for any Tomcat error.

  • Should you want to un-install Hydra, just run the un-install script in /opt/glite/etc/glite-data-hydra-service: the DB and all instances will be removed.

  • Should you want to change the configuration of an already installed instance, edit the corresponding file in /usr/share/tomcat5/conf/Catalina/localhost/

For example, to edit the third instance, edit the file 3#glite-data-hydra-service.xml which you will find there!

Hydra Client installation and configuration:

  • Fetch and install the following rpms in the UI:
http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.data.hydra-cli/3.1.0/
http://eticssoft.web.cern.ch/eticssoft/repository/org.glite/org.glite.security.ssss/1.0.0/

Once the client rpms are installed, the glite-eds-* clients will be available, as well as the other ssss commands. There may be a bug whereby the clients complain about a missing link to a library. Manually create the link:

/opt/glite/lib/libglite_security_ssss.so.0 -> /opt/glite/lib/libglite_security_ssss.so

  • /opt/glite/etc/service.xml must be changed to also contain the following section:

<?xml version="1.0" encoding="UTF-8"?>
<services>

   <service name="hydra-1">
        <parameters>
            <endpoint>https://ictpgrid-ce-1.ictp.it:8443/1/glite-data-hydra-service/services/Hydra</endpoint>
            <type>org.glite.Metadata</type>
            <version>1.3.1</version>
            <volist><vo>euindia</vo></volist>
        </parameters>
        <associatedservices>
            <name>hydra-2</name>
            <name>hydra-3</name>
        </associatedservices>
    </service>

    <service name="hydra-2">
        <parameters>
            <endpoint>https://ictpgrid-ce-1.ictp.it:8443/2/glite-data-hydra-service/services/Hydra</endpoint>
            <type>org.glite.Metadata</type>
            <version>1.3.1</version>
            <volist><vo>euindia</vo></volist>
        </parameters>
        <associatedservices>
            <name>hydra-1</name>
            <name>hydra-3</name>
        </associatedservices>
    </service>

    <service name="hydra-3">
        <parameters>
            <endpoint>https://ictpgrid-ce-1.ictp.it:8443/3/glite-data-hydra-service/services/Hydra</endpoint>
            <type>org.glite.Metadata</type>
            <version>1.3.1</version>
            <volist><vo>euindia</vo></volist>
        </parameters>
        <associatedservices>
            <name>hydra-1</name>
            <name>hydra-2</name>
        </associatedservices>
    </service>

</services> 
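Added example, not from the original page: a shell function that generates the services.xml above for any number of Hydra instances on one host, cross-listing every other instance under associatedservices. Host, port, VO, instance count and version are parameters; the endpoint path follows the layout shown above.

```shell
#!/bin/sh
# Added example (not the project's own tooling): print a services.xml for
# N Hydra instances deployed on one host as /1/, /2/, ... , with each
# instance listing all the other instances as associated services.
# Arguments: host port vo count [version]
gen_hydra_services() {
    host=$1; port=$2; vo=$3; count=$4; version=${5:-1.3.1}
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<services>\n'
    i=1
    while [ "$i" -le "$count" ]; do
        printf '    <service name="hydra-%s">\n' "$i"
        printf '        <parameters>\n'
        printf '            <endpoint>https://%s:%s/%s/glite-data-hydra-service/services/Hydra</endpoint>\n' \
            "$host" "$port" "$i"
        printf '            <type>org.glite.Metadata</type>\n'
        printf '            <version>%s</version>\n' "$version"
        printf '            <volist><vo>%s</vo></volist>\n' "$vo"
        printf '        </parameters>\n'
        printf '        <associatedservices>\n'
        # every instance except this one is an associated service
        j=1
        while [ "$j" -le "$count" ]; do
            if [ "$j" -ne "$i" ]; then
                printf '            <name>hydra-%s</name>\n' "$j"
            fi
            j=$((j + 1))
        done
        printf '        </associatedservices>\n'
        printf '    </service>\n'
        i=$((i + 1))
    done
    printf '</services>\n'
}

# Usage, matching the three-instance file above:
#   gen_hydra_services ictpgrid-ce-1.ictp.it 8443 euindia 3 > /opt/glite/etc/services.xml
```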

  • Make sure the following variables are always exported upon user login:

export GLITE_SD_PLUGIN=file

export GLITE_SD_SERVICES_XML=/opt/glite/etc/services.xml

Hydra client usage example:

  • Creating a key in Hydra, split among the three instances, and calling it ezio-id:

glite-eds-key-register -v ezio-id

  • Encrypting a local file:

glite-eds-encrypt ezio-id ./file.clear-text ./file.encrypted

  • Decrypting a local file:

glite-eds-decrypt ezio-id ./file.encrypted ./file.clear-text

  • Granting a specific DN the ability to read a key we created:

glite-eds-setacl ezio-id -m '/C=IT/O=INFN/OU=Personal Certificate/L=ICTP/CN=Antonio Messina':rg

  • To check which ACLs are in place for a given key:

glite-eds-getacl ezio-id
