Installing PGrade Grid Portal
Portal installation
The installation is explained in the (really small) documentation available on the website. It can be summarised as follows:
1 - download the latest version from the PGrade portal website: http://portal.p-grade.hu/
2 - create a new user account pgportal
3 - switch to user account pgportal (su pgportal)
4 - extract the archive downloaded from PGrade portal website in the home directory of the user
5 - edit the file portal_config.txt to match your site:
- DEFAULT_PORT
- DEFAULT_SECURE_PORT
- DEFAULT_VO
- MYPROXY_HOSTNAME and MYPROXY_PORT
- ...
6 - as root, execute
gpt-build --nosrc gcc32dbg gcc32dbgpthr
to build the headers required by GridFTP
7 - run inst_check.pl and don't worry if you get some errors
8 - run install.sh
Running the portal
To run the portal, as pgportal, you simply need to run the script portalstart.sh. To stop the portal, run portalstop.sh.
Portal configuration
Key and certificate management for Tomcat
Because users have to upload their private keys, using the plain HTTP connection to the portal is not really secure. To get Tomcat up and running on the SSL port, we need a private key and a certificate in the Java keystore of the user running the portal (pgportal in our case). The default location for a user keystore is ~/.keystore.
The Java keystore can be manipulated with keytool, but this tool does not allow importing a private key into a keystore. So, we need to use a small piece of software found on the internet (http://www.agentbob.info/agentbob/79-AB.html).
To do the job,
1 - look in the installation directory of pgportal at the file ./apache-tomcat-5.5.25/conf/server.xml. The interesting part is the following one:
<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned.  Each Connector passes requests on to the
     associated "Container" (normally an Engine) for processing.

     By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
     You can also enable an SSL HTTP/1.1 Connector on port 8443 by
     following the instructions below and uncommenting the second Connector
     entry.  SSL support requires the following steps (see the SSL Config
     HOWTO in the Tomcat 5 documentation bundle for more detailed
     instructions):
     * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
       later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
     * Execute:
         %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
         $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
       with a password value of "changeit" for both the certificate and
       the keystore itself.

     By default, DNS lookups are enabled when a web application calls
     request.getRemoteHost().  This can have an adverse impact on
     performance, so you can disable it by setting the
     "enableLookups" attribute to "false".  When DNS lookups are disabled,
     request.getRemoteHost() will return the String version of the
     IP address of the remote client.
-->

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" minProcessors="5" maxProcessors="75"
           sSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystorePass="sec12PgGportal65">
</Connector>
In this section, we find the password to use for the keystore (sec12PgGportal65) and the alias (tomcat). Note that, for security reasons, it's a good idea to disable the connector listening on port 8080.
2 - compile the java file:
javac ImportKey.java
3 - convert the server .pem files to .der files (we assume that the server has a certificate valid for the grid, stored in /etc/grid-security):
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
4 - AS the pgportal user (otherwise you will import the key and certificate for another user), import the key and the certificate into the keystore:
java ImportKey key.der cert.der
5 - If your user keystore is empty (check with keytool -list), simply move the newly created keystore to .keystore:
mv KeyStore.importkey .keystore
6 - clone the key stored under alias "importkey" to alias "tomcat" and remove the alias "importkey" (the password is "importkey"):
keytool -keyclone -alias importkey -dest tomcat
keytool -delete -alias importkey
7 - change the passwords of the keystore and of the key:
keytool -storepasswd
keytool -keypasswd -alias tomcat
8 - restart the portal and enjoy :-D.
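As an added check (not part of the original page or of the PGrade distribution), the following script parses a Tomcat server.xml and reports connectors that still accept plain HTTP, the point step 1 above makes about port 8080; the server.xml sample embedded in it is constructed, not the real file, and its keystore password is a placeholder.

```python
"""Audit a Tomcat 5.5 server.xml for connectors that still accept plain HTTP.

Usage against a live file: audit_connectors(open(path).read())
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page's layout: a plain connector on 8080
# plus the SSL connector on 8443.  EXAMPLE_PASSWORD is a placeholder.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" redirectPort="8443" enableLookups="false" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystorePass="EXAMPLE_PASSWORD" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return a list of findings (strings); an empty list means nothing to flag.

    ElementTree drops XML comments while parsing, so a Connector that has been
    commented out (the usual way to disable port 8080) is not reported.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("secure") != "true" or conn.get("scheme") != "https":
            findings.append(f"port {port}: plain HTTP connector is active; "
                            "users upload private keys, so disable it")
            continue
        if conn.get("sslProtocol") is None:
            findings.append(f"port {port}: sslProtocol is not set")
        if conn.get("keystorePass"):
            findings.append(f"port {port}: keystore password is stored in "
                            "server.xml; keep the file readable only by "
                            "the portal user")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("WARN", finding)
```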
Jar signing
Two jars need to be signed with the key in order to be accepted by the web browser. The signature must match the certificate exposed by Tomcat. Because we have changed the Tomcat key and certificate, we need to sign the applets with the private key of Tomcat.
The two jars can be signed with the following commands:
. /var/home/pgportal/pgportal/portal_config.txt
jarsigner -storepass $KEYSTORE_PASS -keystore ~/.keystore ~/pgportal/tomcat/webapps/szupergrid/jsp/pgrade/workflow.jar tomcat
jarsigner -storepass $KEYSTORE_PASS -keystore ~/.keystore ~/pgportal/tomcat/webapps/szupergrid/jsp/pgrade/jdl.jar tomcat
$KEYSTORE_PASS can be replaced by the keystore password as defined in the portal configuration stored in portal_config.txt. Sourcing portal_config.txt only sets the environment variables such as KEYSTORE_PASS.
Port forwarding
The PGrade portal runs as a standard user, so it's impossible to bind Tomcat to port 80 for HTTP and 443 for HTTPS. The easiest way to get it reachable on these ports is to redirect any request on port 80 to port 8080 and any request on port 443 to port 8443. To do the job, we can use iptables with the following rules:
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8443
Connection to bdii
- Name: BEgrid
- Type: LCG2
- Host: bdii02.begrid.be
- Port: 2170
- BaseDN: mds-vo-name=local,o=grid