middleware:Gat/adaptors
Globus Toolkit
To use the GAT Globus Toolkit adaptors, do the following:
- locate the personal certificate files userkey.pem and usercert.pem in the directory $HOME/.globus
- locate the host certificates of the Grid hosts you like to access in the directory $HOME/.globus/certificates.
- create a proxy certificate with $GAT_LOCATION/bin/grid-proxy-init.
- The file $HOME/.globus/cog.properties should exist and look like this:
    cat $HOME/.globus/cog.properties
    #Java CoG Kit Configuration File
    #usercert: The path to the file containing your dgrid certificate.
    usercert=/home/dgdt0000/.globus/usercert.pem
    # userkey: The path to the file containing your Grid key.
    userkey=/home/dgdt0000/.globus/userkey.pem
    # proxy: The name under which your proxy certificate which you create with grid-proxy-init is stored.
    proxy=/tmp/x509up_u1000
    #cacert: The path of the directory, which contains the host certificates.
    #cacert=/etc/grid-security/certificates
    cacert=/home/dgdt0000/.globus/cog-certificates
gLite
Regarding security, the gLite adaptor behaves mostly like Globus. The difference between Globus Toolkit and gLite is that, instead of an entirely self-signed proxy, gLite uses so-called VOMS proxies for authentication and authorization.
- locate the personal certificate files userkey.pem and usercert.pem in the directory $HOME/.globus
- locate the host certificates of the Grid hosts you like to access in the directory $HOME/.globus/certificates.
- The file $HOME/.globus/cog.properties should exist and look like this:
    cat $HOME/.globus/cog.properties
    #Java CoG Kit Configuration File
    #usercert: The path to the file containing your dgrid certificate.
    usercert=/home/dgdt0000/.globus/usercert.pem
    # userkey: The path to the file containing your Grid key.
    userkey=/home/dgdt0000/.globus/userkey.pem
    # proxy: The name under which your proxy certificate which you create with grid-proxy-init is stored.
    proxy=/tmp/x509up_u1000
    #cacert: The path of the directory, which contains the host certificates.
    #cacert=/etc/grid-security/certificates
    cacert=/home/dgdt0000/.globus/cog-certificates
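A pre-flight check for the cog.properties layout shown in the Globus Toolkit and gLite sections, as an added example that is not part of the original page or of JavaGAT: it reads the four paths from the file and checks that they exist and carry owner-only permissions where a private key is involved. The function names, the 400/600 rule for userkey.pem and the 600 rule for the proxy file are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit the files named in a Java CoG Kit cog.properties.

# Print the value of KEY ($2) from FILE ($1); "#..." comment lines never match.
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Findings go to stderr; the return status is the number of problems.
audit_cog() {
  local cfg=$1 bad=0 cert key proxy cadir
  cert=$(prop "$cfg" usercert); key=$(prop "$cfg" userkey)
  proxy=$(prop "$cfg" proxy); cadir=$(prop "$cfg" cacert)
  [ -r "$cert" ] || { echo "usercert missing or unreadable: $cert" >&2; bad=$((bad+1)); }
  if [ ! -f "$key" ]; then
    echo "userkey missing: $key" >&2; bad=$((bad+1))
  else
    case $(mode_of "$key") in
      400|600) ;;  # owner-only, the rule assumed by this example
      *) echo "userkey mode is not 400/600: $key" >&2; bad=$((bad+1)) ;;
    esac
  fi
  # A missing proxy only means grid-proxy-init has not been run yet.
  if [ -f "$proxy" ] && [ "$(mode_of "$proxy")" != 600 ]; then
    echo "proxy mode is not 600: $proxy" >&2; bad=$((bad+1))
  fi
  if [ ! -d "$cadir" ] || [ -z "$(ls -A "$cadir" 2>/dev/null)" ]; then
    echo "cacert directory missing or empty: $cadir" >&2; bad=$((bad+1))
  fi
  return "$bad"
}

# Constructed sample layout (empty placeholder files, no real credentials).
make_sample() {
  mkdir -p "$1/certs"
  : > "$1/usercert.pem"; : > "$1/userkey.pem"; : > "$1/certs/ca.0"
  chmod 600 "$1/userkey.pem"
  printf '%s\n' "#usercert: path to the certificate" "usercert=$1/usercert.pem" \
    "userkey=$1/userkey.pem" "proxy=$1/x509up_u1000" \
    "#cacert=/etc/grid-security/certificates" "cacert=$1/certs" > "$1/cog.properties"
}

if [ $# -gt 0 ]; then audit_cog "$1"; fi
```

Pass the path of cog.properties as the first argument; the exit status is the number of findings.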
To be able to make the VOMS-proxy request on behalf of the user, the gLite adaptor needs to know a few additional pieces of data:
- The name of the VO for which the user wants to obtain a credential (e.g. dgtest)
- The endpoint of the VOMS server webservice (this address is usually different to the URL at which the VOMS admin can be accessed with a browser)
- The port at which the VOMS server is listening to requests
- The distinguished name (DN) of the VOMS Host. If you are unsure about this, you can usually find the information on the "Configuration" page in the VOMS admin server application.
An example configuration of all the necessary parameters for the gLite adaptor could look as follows:
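    import org.gridlab.gat.GATContext;
    import org.gridlab.gat.Preferences;
    import org.gridlab.gat.URI;
    import org.gridlab.gat.security.CertificateSecurityContext;

    GATContext context = new GATContext();
    // Key file, certificate file, and the passphrase that protects the key.
    CertificateSecurityContext secContext = new CertificateSecurityContext(
        new URI("/home/dgdt0000/.globus/userkey.pem"),
        new URI("/home/dgdt0000/.globus/usercert.pem"),
        "mysupersecretpwd");
    // VOMS parameters the gLite adaptor needs to request the VOMS proxy.
    Preferences globalPrefs = new Preferences();
    globalPrefs.put("vomsServerURL", "skurut19.cesnet.cz");
    globalPrefs.put("vomsServerPort", "7001");
    globalPrefs.put("vomsHostDN", "/DC=cz/DC=cesnet-ca/O=CESNET/CN=skurut19.cesnet.cz");
    globalPrefs.put("VirtualOrganisation", "voce");
    context.addPreferences(globalPrefs);
    context.addSecurityContext(secContext);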
Unicore
The JavaGAT Unicore adaptor is based on HiLA. Therefore some HiLA-specific configuration is necessary.
The path to this configuration file must be added as a definition while calling the Java VM with the -D flag, e.g.:
java -D/home/dgdt0000/unicore6.xml
Some notes to unicore6.xml:
- The outcomeDirectory defines the directory where all the results are stored. The default is $HOME/.hila
- The hila:registryconfig tag defines the security to be used (here d-grid.security), and the default registryURL: https://zam461.zam.kfa-juelich.de:9117/AWARE-GROW/services/Registry?res=default_registry
- Under the bean name d-grid.security the security issues are defined. The constructor-arg value tag describes where security configuration can be found. This configuration file might look as follows:
    unicore.wsrflite.ssl.keystore = /home/dgdt0000/certdir/alicert.jks
    unicore.wsrflite.ssl.keypass = ******
    unicore.wsrflite.ssl.keyalias = alip12cert
Example of the unicore6.xml configuration:
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- This is the default unicore6.xml. HiLAFactory will look for it on the classpath, if all else fails. -->
    <!-- Use this file as an example unicore6.xml. -->
    <beans xmlns:hila="http://www.unicore.eu/hila-unicore6">
      <hila:unicore6grid id="grid"
          outcomeDirectory="file:${user.home}/.hila/data"
          config="#config" />
      <hila-common:compositeconfig id="config"
          xmlns:hila-common="http://www.unicore.eu/hila-common">
        <constructor-arg>
          <list>
            <hila:registryconfig
                registryURL="https://zam461.zam.kfa-juelich.de:9117/AWARE-GROW/services/Registry?res=default_registry"
                grid="#grid"
                securityProperties="#d-grid.security" />
          </list>
        </constructor-arg>
      </hila-common:compositeconfig>
      <bean name="d-grid.security"
          class="de.fzj.hila.implementation.unicore6.Unicore6SecurityProperties">
        <constructor-arg value="/home/dgdt0000/.hila/d-grid.security" />
      </bean>
    </beans>