Installing

From Begrid Wiki
Revision as of 09:12, 9 June 2021 by Maintenance script (talk | contribs) (Created page with " == Installing PGrade Grid Portal == === Portal installation === 1 - download the latest version from PGrade portal website: http://portal.p-grade.hu/ The installation...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Installing PGrade Grid Portal

Portal installation

1 - download the latest version from PGrade portal website: http://portal.p-grade.hu/

The installation is explained in the (really small) documentation available on the website. It could be described as

2 - create a new user account pgportal

3 - switch to user account pgportal (su pgportal)

4 - extract the archive downloaded from PGrade portal website in the home directory of the user

5 - edit the file portal_config.txt to match to your site:

      • DEFAULT_PORT
      • DEFAULT_SECURE_PORT
      • DEFAULT_VO
      • MYPROXY_HOSTNAME and MYPROXY_PORT
      • ...

6 - as root, execute

gpt-build --nosrc gcc32dbg gcc32dbgpthr
to build required headers for GridFTP

7 - run inst_check.pl and don't worry if you get some mistakes

8 - run install.sh

Running the portal

To run the portal, as pgportal, you simply need to run the script portalstart.sh. To stop the portal, run portalstop.sh.

Portal configuration

Key and certificate managment for Tomcat

Because users has to upload private key, using the HTTP connection to the portal is not really secure. In order to get Tomcat up and running using SSL port, we need a private key and a certificate in the java keystore of the user running the portal (pgportal in our case). The default location for a user keystore is ~/.keystore.

The java keystore could be manipulated using keytool but this tool didn't permit to add a private key in a keystore. So, we need to use a small piece of software coming from the internet (http://www.agentbob.info/agentbob/79-AB.html).

To do the job,

1 - look in the installation directory of pgportal at the file located in ./apache-tomcat-5.5.25/conf/server.xml. The intersting part is the following one:

 <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.  SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
*****If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
*****Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.

         By default, DNS lookups are enabled when a web application calls
         request.getRemoteHost().  This can have an adverse impact on
         performance, so you can disable it by setting the
         "enableLookups" attribute to "false".  When DNS lookups are disabled,
         request.getRemoteHost() will return the String version of the
         IP address of the remote client.
    -->

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" minProcessors="5" maxProcessors="75" sSLImplementation="org.apache.tomcat.util.net.jsse.J
SSEImplementation"
	       enableLookups="true" disableUploadTimeout="true"
	       acceptCount="100" debug="0" scheme="https" secure="true"
	       clientAuth="false" sslProtocol="TLS" keystorePass="sec12PgGportal65">
    </Connector>

In this section, we found the password to use for the keystore (sec12PgGportal65) and the alias (tomcat). Notice that for security reasons, it's a could idea to desactivate listenning port 8080.

2 - compile the java file:

javac ImportKey.java

3 - transform server .pem files to .der files (we suppose that the server has a certificate valid for the grid and stored in /etc/grid-security

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

4 - AS pgportal user (otherwise you will import key and certificate for another user), import the key and the certificate in the keystore:

java ImportKey key.der cert.der

5 - If your user keystore is empty (check with keystore -list), simply move the newly created keystore to .keystore

mv KeyStore.importkey .keystore

6 - duplicate key store on alias "importkey" to alias "tomcat" and remove the alias "importkey" (the password is "importkey")

keytool -keyclone -alias importkey -dest tomcat
keytool -delete importkey

7 - change passwords for keystore and certificate

keytool -storepasswd
keytool -keypasswd -alias tomcat

8 - restart the portal and enjoy :-D.

Jar signing

Two jars need to be signed with the key in order to be accepted by web browser. The signature must be valid compared to the certificated exposed by Tomcat. Because we have change the Tomcat key and certificate, we need to sign the applets with the private key of Tomcat.

The two jar could be signed with the following commands:

/var/home/pgportal/pgportal/portal_config.txt
jarsigner -storepass $KEYSTORE_PASS -keystore ~/.keystore ~/pgportal/tomcat/webapps/szupergrid/jsp/pgrade/workflow.jar tomcat
jarsigner -storepass $KEYSTORE_PASS -keystore ~/.keystore ~/pgportal/tomcat/webapps/szupergrid/jsp/pgrade/jdl.jar tomcat

$KEYSTORE_PASS could be replace by the keystore password as defined in the portal configuration stored in portal_config.txt. Running portal_config.txt is only to set the environment.

Port fowarding

The PGrade portal is running as a standard user. So, it's impossible to connect Tomcat to port 80 for HTTP and 443 for HTTPS. The easiest way to get it running on these port is to redirect any request on port 80 to port 8080 and any request on port 443 to port 8443. For doing the job, we can use iptables with the following rules:

iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8443

Connection to bdii

  • Name: BEgrid
  • Type: LCG2
  • Host: bdii02.begrid.be
  • Port: 2170
  • BaseDN: mds-vo-name=local,o=grid

Customizing themes

Template:TracNotice