Administration:CVRG Deployment Instructions

This document describes a process for deploying CVRG.


Deployment Planning

Select the services you want to deploy, and identify the hosts for them. This document describes deploying all the core services, and uses 6 different hosts, with multiple different containers on each host (note the port differences in the table). The simplest way to run multiple containers on the same host is to just use different user accounts for each (that isn't strictly necessary, but you must be sure to separate the environment variables and directory structures appropriately if you don't).

Please use as many machines and containers as are specified in the following instructions. You don't absolutely need to have the same number of machines, but differing from the proposed setup can cause problems. Here are some things for you to consider:

In general, you can deploy as many core services in the same container as you like, but you should be aware of the performance and security ramifications of doing so. That is, as we are using host credentials for secure containers, each service in the container shares the same "identity." Some services are awarded administrative rights to other services (e.g. Dorian is an admin on GTS, to publish CRLs), so you'll likely at least want to separate the security services from one another. At a bare minimum, try to run Dorian and the GTSs in their own containers. Some services, like the Index Service, may have a large memory footprint in some scenarios, so you'll want to keep that in mind as well. The maximum flexibility is achieved by running each service in its own container, but that is not always necessary or possible.


The following is a matrix of the nodes we are using, and which services are deployed on them:

Service columns of the matrix: Index, GME, caDSR, EVS, FQP, Workflow, Dorian, GTS, SyncGTS, Grid Grouper, Authentication, CDS, HL7AECG, QTViIni, QTViNumericalOutput, ImageData, QTViAnalysis, SNP caCORE Tomcat, SNP data service, AutoQRS Data Service, AutoQRS Analysis Service, WFDB Data Service, Openclinica tomcat, OpenClinica caCORE Tomcat, OpenClinica data service

Host:Port                           Shutdown Port  https  Service marks
cvrg01.bmi.ohio-state.edu:9442      9002           YES    -
cvrg01.bmi.ohio-state.edu:9443      9003           YES    -
cvrg01.bmi.ohio-state.edu:9080      -              NO     -
cvrg02-dev.bmi.ohio-state.edu:9442  9002           YES    @
cvrg02-dev.bmi.ohio-state.edu:9444  9004           YES    @
cvrg02-dev.bmi.ohio-state.edu:9447  9007           YES    @
cvrg02-dev.bmi.ohio-state.edu:9448  9008           YES    @
cvrg02-dev.bmi.ohio-state.edu:9445  9005           YES    @
cvrg02-dev.bmi.ohio-state.edu:9446  9006           YES    @
cvrg02-dev.bmi.ohio-state.edu:9443  9003           YES    -
cvrg02-dev.bmi.ohio-state.edu:9080  -              NO     -
cvrg02-dev.bmi.ohio-state.edu:9081  9018           NO     @
cvrg02-dev.bmi.ohio-state.edu:9449  9009           YES    @
cvrg02-dev.bmi.ohio-state.edu:9450  9010           YES    @
cvrg02-dev.bmi.ohio-state.edu:9451  9011           YES    @
cvrg02-dev.bmi.ohio-state.edu:9452  9012           YES    @
cvrg02-dev.bmi.ohio-state.edu:9453  9013           YES    @
cvrg02-dev.bmi.ohio-state.edu:9454  9014           YES    @
cvrg02-dev.bmi.ohio-state.edu:9455  9015           YES    @
cvrg03.bmi.ohio-state.edu:9442      9002           YES    -
cvrg03.bmi.ohio-state.edu:9443      9003           YES    @ @
cvrg03.bmi.ohio-state.edu:9080      9000           NO     @ @
cvrg04.bmi.ohio-state.edu:9442      9002           YES    S
cvrg04.bmi.ohio-state.edu:9443      9003           YES    -
cvrg04.bmi.ohio-state.edu:9080      -              NO     -
cvrg05.bmi.ohio-state.edu:9442      9002           YES    M @
cvrg05.bmi.ohio-state.edu:9443      9003           YES    -
cvrg05.bmi.ohio-state.edu:9080      -              NO     -
dorian.bmi.ohio-state.edu:9443      9003           YES    @ @


The following is a listing of the service URLs for this deployment:

Authentication Service CONSTANT_NOT_DEFINED
caDSR http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/CaDSRService
Dorian https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian
EVS http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/cagrid/EVSGridService
FQP https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/FederatedQueryProcessor
GME http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange
Grid Grouper https://cvrg03.bmi.ohio-state.edu:9443/wsrf/services/cagrid/GridGrouper
GTS (Master) https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
GTS (Slave) https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
Index http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService
Workflow https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/WorkflowFactoryService


After completion of this section, you should record the following information for future use:
  1. Tables similar to the examples shown above
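
The isolation advice above (every service in a container shares one host identity, so at a minimum Dorian and the GTSs should run in their own containers) can be checked mechanically against the service URL listing. The following is an added example, not part of the original instructions or of caGrid; the function names are hypothetical, and the second plan is constructed to show a failing case.

```shell
#!/bin/sh
# Added example: group a "Name URL" service listing by container (host:port)
# and flag plans where Dorian or a GTS shares a container with another service.
# Function names are hypothetical; they are not part of caGrid.

# The service URL listing from this page.
page_plan() {
    cat <<'EOF'
Authentication Service CONSTANT_NOT_DEFINED
caDSR http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/CaDSRService
Dorian https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian
EVS http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/cagrid/EVSGridService
FQP https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/FederatedQueryProcessor
GME http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange
Grid Grouper https://cvrg03.bmi.ohio-state.edu:9443/wsrf/services/cagrid/GridGrouper
GTS (Master) https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
GTS (Slave) https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
Index http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService
Workflow https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/WorkflowFactoryService
EOF
}

# Constructed counter-example: Dorian and the master GTS in one container.
bad_plan() {
    cat <<'EOF'
Dorian https://grid.example.org:9443/wsrf/services/cagrid/Dorian
GTS (Master) https://grid.example.org:9443/wsrf/services/cagrid/GTS
Index http://grid.example.org:9080/wsrf/services/DefaultIndexService
EOF
}

# stdin: listing; stdout: "host:port<TAB>service name", one line per service.
# Lines whose last field is not an http(s) URL are skipped.
plan_containers() {
    awk '$NF ~ /^https?:\/\// {
        split($NF, u, "/")                 # u[3] is host:port
        name = $0
        sub(/[ \t]+[^ \t]+$/, "", name)    # drop the trailing URL field
        print u[3] "\t" name
    }'
}

# stdin: listing; stdout: every container that hosts more than one service.
shared_containers() {
    plan_containers | awk -F '\t' '
        { n[$1]++; svc[$1] = svc[$1] (n[$1] > 1 ? ", " : "") $2 }
        END { for (c in n) if (n[c] > 1) print c ": " svc[c] }' | sort
}

# stdin: listing; exit status 1 (with a report) if a container that holds
# Dorian or a GTS also holds any other service.
check_security_isolation() {
    plan_containers | awk -F '\t' '
        { n[$1]++; svc[$1] = svc[$1] (n[$1] > 1 ? ", " : "") $2
          if ($2 ~ /^(Dorian|GTS)/) sec[$1] = 1 }
        END {
            for (c in n)
                if (sec[c] && n[c] > 1) { print "NOT ISOLATED " c ": " svc[c]; bad = 1 }
            exit bad + 0
        }'
}

echo "Containers shared by several services:"
page_plan | shared_containers
if page_plan | check_security_isolation; then
    echo "Dorian and GTS containers are isolated"
fi
```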

Hardware Security Module (HSM) Setup

NOTE: This section is optional, and is for those who will be generating CAs on a Hardware Security Module.

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

(*** Using the HSM with Dorian REQUIRES that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files (Java 5) be installed into your JVM ***)

From the machine which houses the HSM:

  • Download the SafeNet Protect Server Gold HSM utilities.
  • Decompress the downloaded file, eracom-utils.tgz as follows:
 
%> tar xvzf eracom-utils.tgz
  • Run the HSM administration tool as follows:
 
%> cd eracom-utils
%> ant adminEracomHSM
  • If this is the first time you have run the HSM admin tool, you will be required to initialize the HSM. This will require creating a pin for both a Security Officer and User.
  • After the HSM is initialized you will be asked to authenticate; select the User radio button, enter your User pin in the pin text field and click the Ok button.
  • Next we must set the Security Mode of the HSM to FIPS 140-2. To do so from the Edit menu select Security Mode. This will bring up the Modify Security Mode window. Select the following: (1) the FIPS 140-2 radio button, (2) the Tamper on Upgrade check box, and (3) the Mode Locked checkbox. Click the Ok button; this will reset the security mode and may require you to re-authenticate.
  • Now we must create slots or locations to store the CA keys and certificates. We will create two slots, one for the GTS CA, and one for the Dorian CA. To create the two slots, from the File drop down select Create Slots; this will bring up a small window with a single text field. Enter the number 2 in the text field and click Ok. This will create two slots on the cards; once created you will be required to re-authenticate to the HSM admin tool.
  • Next we must initialize each of the slots we created in the last step:
  • Complete the following to initialize the GTS Slot:
    • From the Edit drop down select Tokens...., this will bring up the Manage Tokens window. From the Slot drop down select the first slot that is labeled (uninitialized token). The number associated with the slot will be the slot number for the GTS CA. Click the Initialise button, this will bring up the Initialise Token window.
    • In the Token Label text field enter gts-cvrg.
    • Create and verify a Security Officer pin for this slot.
    • Create and verify a User pin for this slot.
    • Click the Ok button, this will initialize the GTS Slot
  • Complete the following to initialize the Dorian Slot:
    • From the Edit drop down select Tokens...., this will bring up the Manage Tokens window. From the Slot drop down select the first slot that is labeled (uninitialized token). The number associated with the slot will be the slot number for the Dorian CA. Click the Initialise button, this will bring up the Initialise Token window.
    • In the Token Label text field enter dorian-cvrg.
    • Create and verify a Security Officer pin for this slot.
    • Create and verify a User pin for this slot.
    • Click the Ok button, this will initialize the Dorian Slot

Note: in the future you may want to reset the slots (if re-installing security infrastructure for example):

Clearing Dorian HSM slots

%> ant adminEracomCA
  • Select slot and Manage tokens
  • Click “Reset” button and enter proper PINs

After completion of this section, you should record the following information for future use:
  1. HSM Security Officer PIN
  2. HSM User PIN
  3. 'gts-cvrg' slot number
  4. 'gts-cvrg' slot Security Officer PIN
  5. 'gts-cvrg' slot User PIN
  6. 'dorian-cvrg' slot number
  7. 'dorian-cvrg' slot Security Officer PIN
  8. 'dorian-cvrg' slot User PIN

Security Bootstrapping

In order for a caGrid release to be configured to point to this deployment, some things need to be known before attempting to deploy the software. We will use a binary build of the 'gridca' project (http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip) from a checkout of the release branch in order to create the GTS CA and credentials. Then, the 'target grid' will be created, and the release candidate will be cut. The remainder of the process will use the installer and code from the release candidate. Anyone else following these instructions could just use the actual caGrid release for these steps.

Generate GTS CA

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

  • Download the binary release of the gridca project and save it to USER_HOME/ext.
  • Unzip the downloaded zip file (this should create the directory USER_HOME/ext/gridca).
%> unzip caGrid-1.1-gridca-bin.zip
  • Download ws-core-enum-4.0.3.zip and save it to USER_HOME/ext/gridca_globus.
  • Unzip the downloaded zip file (this should create the directory USER_HOME/ext/gridca_globus/ws-core-4.0.3).
%> unzip ws-core-enum-4.0.3.zip
  • To generate the GTS CA run the following from the gridca directory (USER_HOME/ext/gridca), specifying the GLOBUS_LOCATION as an argument (or you could just set the GLOBUS_LOCATION environment variable, but we will later be installing Globus elsewhere):
    • NOTE: When running the commands, be sure to replace USER_HOME with your home directory (or ~).
%> cd USER_HOME/ext/gridca
%> ant -Denv.GLOBUS_LOCATION=USER_HOME/ext/gridca_globus/ws-core-4.0.3 generateEracomCA

Note: you can use "generateCA" as the target above if you're not using an HSM.

This will run a command line program that will prompt you for the following:

  1. An alias or name for the CA, enter the following: gtsca
  2. The Distinguished Name (DN) of the CA, enter the following: O=CVRG,OU=Trust Fabric,CN=CVRG Trust Fabric CA
  3. The number of days that the certificate authority should be valid for. Enter the following: 3650.
  4. The slot number on the HSM where the CA should be created. You should enter the number of the slot you initialized for the GTS CA earlier; refer to your notes.
  5. Enter the password for the HSM. You should enter the User pin you created for the GTS slot when you initialized it earlier; refer to your notes.
  6. Finally enter a directory where you would like the program to write out the CA certificate for the GTS CA.

Below is an example output of running the program just described:

%> ant generateEracomCA
Buildfile: build.xml

generateEracomCA:
   [input] Please enter an alias for the new CA (ex. gtsca):
gtsca
   [input] Please enter the DN for the new CA (ex. O=osu,OU=bmi,CN=Some CA):
O=CVRG,OU=Trust Fabric,CN=CVRG Trust Fabric CA
   [input] Please enter the number of days the new CA will be valid for:
3650
   [input] Please enter a slot number on the HSM to store the CA:
0
   [input] Please enter the password for the HSM:
mypassword
   [input] Please enter a directory to write the CA certificate to:
.
    [java] Successfully created the CA certificate:
    [java] O=CVRG,OU=Trust Fabric,CN=CVRG Trust Fabric CA
    [java] CA certificate valid till:
    [java] Thu Jul 20 15:03:52 EDT 2017
    [java] The CA certificate and private key were written to slot 4 on the HSM.
    [java] The CA certificate was written to the file: /home/grid/projects/caGrid-1.1/projects/gridca/./68907d53.0
    [java] The CA signing policy was written to the file: /home/grid/projects/caGrid-1.1/projects/gridca/./68907d53.signing_policy

BUILD SUCCESSFUL
Total time: 8 minutes 29 seconds


After completion of this section, you should record the following information for future use:
  1. The location of the generated CA Certificate and CA Signing Policy files

Backup the CA to a Smart Card

  • Download the SafeNet Protect Server Gold HSM utilities.
  • Decompress the downloaded file, eracom-utils.tgz as follows:
 
%> tar xvzf eracom-utils.tgz
  • Run the HSM key management tool as follows:
 
%> cd eracom-utils
%> ant manageEracomKeys

This will bring up the Safenet, Inc. Key Management Utility. To back up the GTS CA keys using this utility, complete the following steps:

  1. Insert a SafeNet Protect Host / Protect Server (FW V2.02 and Later) Smartcard into the HSM smart card reader.
  2. From the Select a Token drop down, select the slot containing the GTS CA private key and certificate.
  3. In the Enter Pin dialog, enter the user pin for the slot selected, and click the Ok button.
  4. Holding the Ctrl button, left click the CA private key and certificate such that both the CA private key and certificate are selected.
  5. Right click on the selected items and select Export from the right click menu. This will launch the Export Key(s) window.
  6. Select the Write to smart card(s) option.
  7. In the Batch Name text box enter gtsca.
  8. In the No. Custodians text box enter 2.
  9. Click the Ok button. This will bring up the Exporting window.
  10. In the Username text box enter a username. In the Smartcard Pin text box enter a pin or password. In the Re Enter Pin text box, re-enter the pin. The username and pin selected will apply to the first of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
  11. Click the Ok button. This will bring up a Please Confirm dialog.
  12. Click the Ok button. This will bring up another dialog asking you to enter the HSM administrative pin, enter it and click Ok. At this point the HSM will begin to write to the first smart card, this may take several minutes. When this has completed a dialog will appear asking you to insert another smart card.
  13. Remove the first smart card, insert a second smart card and click the Ok button. This will bring up the Exporting dialog.
  14. In the Username text box enter a username. In the Smartcard Pin text box enter a pin or password. In the Re Enter Pin text box, re-enter the pin. The username and pin selected will apply to the second of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
  15. Click the Ok button. This will bring up a Please Confirm dialog.
  16. Click the Ok button. At this point the HSM will begin to write to the second smart card; this may take several minutes. When this has completed a dialog will appear with a message Export Successful; at this point you have successfully backed up the GTS CA onto smart cards.

After completion of this section, you should note the following:
  1. The username and pin for each of the two smartcards across which the GTS CA is backed up.
  2. You should label each of the two smart cards and place them in a safe place; both smart cards will be required for restoring the GTS CA.

Create GTS (Master) Credentials

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

In order to run a GTS we need to obtain host credentials signed by the GTS certificate authority. This can be accomplished by running a command line utility supplied by the gridca package. Since the GTS CA key exists in a HSM we must run this utility from the machine that the HSM resides on. To create the host credentials for the Master GTS please run the following from the gridca directory (USER_HOME/ext/gridca), which you created from the download (http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip) earlier. We will be specifying the GLOBUS_LOCATION as an argument (or you could just set the GLOBUS_LOCATION environment variable, but we will later be installing Globus elsewhere):
    • NOTE: When running the commands, be sure to replace USER_HOME with your home directory (or ~).
%> cd USER_HOME/ext/gridca
%> ant -Denv.GLOBUS_LOCATION=USER_HOME/ext/gridca_globus/ws-core-4.0.3 createAndSignEracomHostCertificate

This program will prompt you for the following:

  1. The alias of the GTS CA, enter gtsca.
  2. The slot number on the HSM in which the GTS CA is stored. You should enter the number of the slot you initialized earlier for the GTS CA.
  3. Enter the password for the HSM. You should enter the User pin you created for the GTS slot when you initialized it earlier.
  4. Enter the host name of the host that will run the Master GTS. Enter: cvrg05.bmi.ohio-state.edu
  5. Enter the number of days that the host credential will be valid. Enter: 1825
  6. Enter the location to write the host's private key to. Enter cvrg05.bmi.ohio-state.edu-trust-key.pem.
  7. Enter the location to write the host's certificate to. Enter cvrg05.bmi.ohio-state.edu-trust-cert.pem.

Below is an example output of running the program just described:

%> ant createAndSignEracomHostCertificate
Buildfile: build.xml 

createAndSignEracomHostCertificate:
   [input] Please enter an alias for the new CA (ex. gtsca):
gtsca
   [input] Please enter a slot number on the HSM where the CA is stored:
0
   [input] Please enter the password for the HSM:
mypassword
   [input] Please enter the Hostname [dorian.bmi.ohio-state.edu]:
cvrg05.bmi.ohio-state.edu
   [input] Please enter the number of days the host certificate will be valid for:
1825
   [input] Please enter a location to write the host key:
cvrg05.bmi.ohio-state.edu-trust-key.pem
   [input] Please enter a location to write the host certificate:
cvrg05.bmi.ohio-state.edu-trust-cert.pem
    [java] Successfully created the host certificate:
    [java] O=CVRG,OU=Trust Fabric,CN=host/cvrg05.bmi.ohio-state.edu
    [java] Host certificate issued by:
    [java] O=CVRG,OU=Trust Fabric,CN=CVRG Trust Fabric CA
    [java] Host certificate valid till:
    [java] Sat Jul 21 15:37:10 EDT 2012
    [java] Host private key written to:
    [java] cvrg05.bmi.ohio-state.edu-trust-key.pem
    [java] Host certificate written to:
    [java] cvrg05.bmi.ohio-state.edu-trust-cert.pem

BUILD SUCCESSFUL
Total time: 2 minutes 24 seconds

(*** The host certificate and private key generated should be securely moved to the host that will run the Master GTS, and deleted from the local system ***)

After completion of this section, you should record the following information for future use:
  1. The location of the generated certificate and private key on the machine you copied them to (which will run the Master GTS service)

Create GTS (Slave) Credentials

Note: the Slave credentials differ from the Master's because the Slave runs on a different host.

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

In order to run a GTS we need to obtain host credentials signed by the GTS certificate authority. This can be accomplished by running a command line utility supplied by the gridca package. Since the GTS CA key exists in a HSM we must run this utility from the machine that the HSM resides on. To create the host credentials for the Slave GTS please run the following from the gridca directory (USER_HOME/ext/gridca), which you created from the download (http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip) earlier. We will be specifying the GLOBUS_LOCATION as an argument (or you could just set the GLOBUS_LOCATION environment variable, but we will later be installing Globus elsewhere):
    • NOTE: When running the commands, be sure to replace USER_HOME with your home directory (or ~).
%> cd USER_HOME/ext/gridca
%> ant -Denv.GLOBUS_LOCATION=USER_HOME/ext/gridca_globus/ws-core-4.0.3 createAndSignEracomHostCertificate

This program will prompt you for the following:

  1. The alias of the GTS CA, enter gtsca.
  2. The slot number on the HSM in which the GTS CA is stored. You should enter the number of the slot you initialized earlier for the GTS CA.
  3. Enter the password for the HSM. You should enter the User pin you created for the GTS slot when you initialized it earlier.
  4. Enter the host name of the host that will run the Slave GTS. Enter: cvrg04.bmi.ohio-state.edu
  5. Enter the number of days that the host credential will be valid. Enter: 1825
  6. Enter the location to write the host's private key to. Enter cvrg04.bmi.ohio-state.edu-trust-key.pem.
  7. Enter the location to write the host's certificate to. Enter cvrg04.bmi.ohio-state.edu-trust-cert.pem.

Below is an example output of running the program just described:

%> ant createAndSignEracomHostCertificate
Buildfile: build.xml

createAndSignEracomHostCertificate:
   [input] Please enter an alias for the new CA (ex. gtsca):
gtsca
   [input] Please enter a slot number on the HSM where the CA is stored:
0
   [input] Please enter the password for the HSM:
mypassword
   [input] Please enter the Hostname [dorian.bmi.ohio-state.edu]:
cvrg04.bmi.ohio-state.edu
   [input] Please enter the number of days the host certificate will be valid for:
1825
   [input] Please enter a location to write the host key:
cvrg04.bmi.ohio-state.edu-trust-key.pem
   [input] Please enter a location to write the host certificate:
cvrg04.bmi.ohio-state.edu-trust-cert.pem
    [java] Successfully created the host certificate:
    [java] O=CVRG,OU=Trust Fabric,CN=host/cvrg04.bmi.ohio-state.edu
    [java] Host certificate issued by:
    [java] O=CVRG,OU=Trust Fabric,CN=CVRG Trust Fabric CA
    [java] Host certificate valid till:
    [java] Sat Jul 21 15:37:10 EDT 2012
    [java] Host private key written to:
    [java] cvrg04.bmi.ohio-state.edu-trust-key.pem
    [java] Host certificate written to:
    [java] cvrg04.bmi.ohio-state.edu-trust-cert.pem

BUILD SUCCESSFUL
Total time: 2 minutes 24 seconds

(*** The host certificate and private key generated should be securely moved to the host that will run the Slave GTS, and deleted from the local system ***)

After completion of this section, you should record the following information for future use:
  1. The location of the generated certificate and private key on the machine you copied them to (which will run the Slave GTS service)
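
Both the Master and Slave credential sections end with the instruction to move the host key to its GTS host and delete it from the machine that houses the HSM. The following added example (not from the original page or the gridca project; function names are hypothetical) checks both ends of that handoff: no PEM private key left under the gridca working directory, and on the receiving host a key accessible only to its owner that matches the certificate. It assumes the openssl command-line tool is installed for the key/certificate comparison; the demo files are constructed placeholders.

```shell
#!/bin/sh
# Added example: checks for the host-credential handoff described above.
# Function names are hypothetical; they are not part of gridca or caGrid.

# On the CA/HSM machine: list files under DIR that still hold a PEM private key.
stray_private_keys() {
    find "$1" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null || :
}

# On the GTS host: succeed only if FILE grants nothing to group or others
# (for example mode 0600 or 0400).
key_mode_ok() {
    case $(ls -ld -- "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the GTS host: succeed only if CERT and KEY carry the same public key.
# Returns 2 if either file cannot be parsed (assumes an unencrypted PEM key).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Combined check on the GTS host. usage: check_host_credentials CERT KEY
check_host_credentials() {
    rc=0
    key_mode_ok "$2" || { echo "$2: accessible to group or others"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "$1 does not match $2"; rc=1; }
    return $rc
}

# Demo on constructed placeholder files (no real key material, no openssl needed).
work=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder' \
    > "$work/cvrg05.bmi.ohio-state.edu-trust-key.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' \
    > "$work/cvrg05.bmi.ohio-state.edu-trust-cert.pem"
echo "Private keys still present under $work:"
stray_private_keys "$work"
chmod 644 "$work/cvrg05.bmi.ohio-state.edu-trust-key.pem"
key_mode_ok "$work/cvrg05.bmi.ohio-state.edu-trust-key.pem" || echo "key mode too permissive"
rm -rf "$work"
```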

Release bootstrapping

NOTE: This section is only necessary if you are deploying a grid which will be present as a target grid in a release of caGrid. (i.e. unless you are redistributing caGrid, or making the actual caGrid release, you likely don't need to do this)

In caGrid/share/resources/target_grids/ configure the appropriate target grid, or add a new one (by copying an existing one).

For the CVRG grid, there are various files in caGrid/share/resources/target_grids/cvrg, which need to be edited.

  1. Examine each file for Service URLs, and replace the values appropriately with those to be used in this deployment as planned above (the properties files and XML files should contain such values). Generally you will just need to replace the hostname, port, and protocol (http/https) in the files that are already present.
  2. Place the GTS CA public certificate (the .0 file) and signing policy file (the .signing_policy file), generated above, in the certificates directory of the target grid. (caGrid/share/resources/target_grids/cvrg/certificates).

The caGrid release process should be followed at this point to generate a release, and create the caGrid installer. This configured release is what the rest of the deployment should use.

Core Security Services

Dorian

Dorian Installation

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

  • If it exists delete the directory: USER_HOME/.globus/certificates.
  • Download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Select the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • Select the "Dorian" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • In the Hostname text field, enter the name of the host (dorian.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9003'. In the "HTTPS" Port text field enter 9443.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, Dorian Standard Properties you DO NOT need to edit anything, just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • In the next screen, edit the database connection information specifying the Database Hostname, Database Port, Database Name, Database Username, and Database Password. Click the Next button.
    • NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
  • The next screen allows for the configuration of the Dorian IdP. Please complete the following steps:
  1. In the IdP Name field enter Dorian.
  2. From the Registration Policy drop down, select Automatic Registration.
  3. Click the Next button.
  • The next screen allows for the configuration of the federation properties of Dorian. Please complete the following steps:
  1. In the Credential Lifetime Years text field enter 5.
  2. In the GTS URL text field enter https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  3. Click the Next button.
  • The next screen asks you which Dorian Certificate Authority type to use; from the CA Type drop down select EracomHybrid. Click the Next button.
  • The next screen allows for the configuration of the Dorian Certificate Authority. To configure the Dorian CA complete the following steps:
  1. In the CA Password text field enter the User PIN you created above for the Dorian CA Slot on the HSM.
  2. If the Dorian CA will have an OID enter the OID in the OID text field. For NCICB Production, the OID is 2.16.840.1.113883.3.26.3.2
  3. In the Credential Auto-renew Years text field enter 5.
  4. In the Certificate Subject text field enter O=CVRG,OU=LOA1,CN=CVRG LOA1 CA.
  5. In the Lifetime Years text field enter 25.
  6. In the Eracom Slot Number text field enter the slot number of the Dorian CA Slot (created above) on the HSM.
  7. Click the Next button.
  • The next screen facilitates the creation of host credentials for the Tomcat container running Dorian. To obtain the credentials complete the following steps:
  1. In the Hostname text field enter the hostname of the host (dorian.bmi.ohio-state.edu) that will run Dorian, from your plan above.
  2. In the Directory text field specify a location to write those credentials to.
  3. Click the Next button.
  • Click the Start button to install Dorian as configured.
  • Once Dorian has finished installing click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.
  • During installation a copy of the Dorian CA certificate was placed in the directory USER_HOME/.globus/certificates. Assuming you deleted this directory before installation there should be only two files in the directory:
  1. The CA certificate, which has a file prefix containing a hash code of the CA and an extension of .0, for example 68907d53.0.
  2. The CA signing policy, which has a file prefix containing a hash code of the CA and an extension of .signing_policy, for example 68907d53.signing_policy.

It is important that you make a copy of the Dorian CA certificate, the file with the .0 extension. Please be sure to place the copy in a safe location as we will refer to it later in this guide.


After completion of this section, you should record the following information for future use:
  1. The location of the Dorian CA Certificate.
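
Every `<hash>.0` file in USER_HOME/.globus/certificates is a CA the local Globus installation trusts, so the "only two files" expectation stated above is worth checking rather than eyeballing. The following is an added example, not part of the original instructions or of caGrid; audit_trust_dir is a hypothetical helper and the demo directory is constructed, using the example hash 68907d53 from this page.

```shell
#!/bin/sh
# Added example: audit a Globus trusted-certificates directory such as
# USER_HOME/.globus/certificates. audit_trust_dir is a hypothetical helper.
#
# usage: audit_trust_dir DIR [EXPECTED_CA_COUNT]   (default count: 1)
# Exit status 0 only if DIR holds exactly EXPECTED_CA_COUNT "<hash>.0"
# certificates, each with its "<hash>.signing_policy", and nothing else.
# Exit status 2 if DIR does not exist.
audit_trust_dir() {
    dir=$1
    want=${2:-1}
    rc=0
    count=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    # Eight lowercase hex digits, the form of the hash prefix shown on this page.
    hex='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]'
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue            # glob that matched nothing
        base=${f##*/}
        case $base in
            $hex.0)
                count=$((count + 1))
                [ -f "$dir/${base%.0}.signing_policy" ] ||
                    { echo "CA certificate without signing policy: $base"; rc=1; }
                ;;
            $hex.signing_policy)
                [ -f "$dir/${base%.signing_policy}.0" ] ||
                    { echo "signing policy without CA certificate: $base"; rc=1; }
                ;;
            *)
                echo "unexpected file: $base"
                rc=1
                ;;
        esac
    done
    [ "$count" -eq "$want" ] ||
        { echo "expected $want CA certificate(s), found $count"; rc=1; }
    return $rc
}

# Demo on a constructed directory laid out as the page describes.
demo=$(mktemp -d)
touch "$demo/68907d53.0" "$demo/68907d53.signing_policy"
audit_trust_dir "$demo" && echo "trust directory holds exactly one CA"
touch "$demo/0a1b2c3d.0"                   # constructed unexpected trust anchor
audit_trust_dir "$demo" || echo "trust directory needs review"
rm -rf "$demo"
```

The same check applies to the target grid's certificates directory from the release bootstrapping step, which should hold only the GTS CA certificate and its signing policy.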

Starting Dorian

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

To start Dorian complete the following steps:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Initial Service Administration

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

When first run, Dorian comes configured with a default user account, the dorian user. For security reasons the first thing we want to do is register a second user. The second user should be considered a "real user" or bound to a "real person". Once we have created this user we will assign this user administrative rights and then remove the dorian or default user. The GAARDS Admin UI (distributed with caGrid) provides a mechanism for administering Dorian. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

Register User

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

Through the UI we can create a second user account as follows:

  1. From the Account Management menu, select the Local Accounts sub menu, then select Registration. This will open a Registration window.
  2. Complete the entire Registration form.
  3. Click the Apply button.
After completion of this section, you should record the following information for future use:
  1. The username you selected for your account
  2. The password you selected for your account

Approve User and Make IdP Administrator

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).


Once the account is submitted we must approve the account (if needed, meaning auto-approve was not enabled on Dorian) and make this new user an administrator of the Dorian Identity Provider. To do this complete the following:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter dorian.
  5. In the Password text field enter DorianAdmin$1.
  6. Click the Authenticate button. This will authenticate you to Dorian using the default account and launch the Proxy Manager window, click the Set Default button and close the window.
  7. From the Account Management menu, select the Local Accounts sub menu, then select Local Account Management. This will open a Local Account Management window.
  8. Click the Find Users button.
  9. Select the user you just registered and click the Manage User button. This will launch the Manage User window for the user selected.
  10. Click the Account Information tab.
  11. If not already selected, from the User Status drop down select Active.
  12. From the User Role drop down select Administrator.
  13. Click the Update User button.
  14. Close all windows (with the exception of the security UI itself).

Test User Login

These steps will verify we can login as the user we just created.

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).


Now that we have activated the local account we should test that we can log in. Complete the following steps to log in to the Grid:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window, DO NOT click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
After completion of this section, you should record the following information for future use:
  1. Your "Grid Identity" from the Proxy Manager window, for future use.

Add User as a Grid Account Administrator

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).


Now that we have verified that the account has been created we need to make the newly created user a grid account administrator. To do so complete the following steps:

  1. From the Account Management menu, select the Grid Account Management sub menu, then select Administrators. This will open the Administrators window.
  2. Click the Add Admin button. This will launch the Add Admin window.
  3. Click the Find button. This will launch the Find Users window.
  4. Click the Find Users button, this will list all the users with Grid Accounts on Dorian.
  5. Select the user you just created above and click the Select Users button. This will return you to the Add Admin window populating the Grid Identity text field with the user just selected.
  6. Click the Add Admin button. This will add the selected user as a grid account administrator.
  7. To verify click the List Administrators in the Administrators window, this should list all the users that are grid account administrators for Dorian. You should see the grid identity for the user you just added.

Bind Existing Host Credentials to User

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).


When we installed Dorian we created host credentials for the host running Dorian. Dorian binds all host credentials to a grid user account; if a grid user account is suspended or removed, the same is true of all host credentials bound to that account. The host credentials we created for the host running Dorian were by default bound to the dorian account. Thus before removing the dorian account we must bind Dorian's host credentials to the new admin user. This can be completed as follows:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window, click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From the Account Management menu, select the Grid Account Management sub menu, then select Host Certificate Management. This will open the Host Certificate Management window.
  9. Click the Find Host Certificates button. This will list all the host certificates issued by this Dorian, at this point there should most likely be one (the one for Dorian itself).
  10. Select the host certificate for the host running Dorian and click the View/Update Host Certificate button. This will launch the Host Certificate window for the selected host certificate.
  11. Record the Host Grid Identity for future use; this is the Identity of the host credential the Dorian service is running with.
  12. Click the Find button next to the Owner text field, this will launch the Find Users window.
  13. Click the Find Users button, this will list all the users with Grid Accounts on Dorian.
  14. Select the user you created above and click the Select Users button. This will return you to the Host Certificate window populating the Owner text field with the grid identity of the user just selected.
  15. Click the Update Certificate button.
  16. To verify that this change was successfully made, from the Host Certificate Management window, click the Find Host Certificates button. This will list all the host certificates issued by this Dorian, at this point there should most likely be one (the one for Dorian itself).
  17. Select the host certificate for the host running Dorian and click the View/Update Host Certificate button. This will launch the Host Certificate window for the selected host certificate. Double check that the Owner text field contains the grid identity of the user created above. Close all windows with the exception of the security UI itself (the main application).
After completion of this section, you should record the following information for future use:
  1. The "Host Grid Identity" of the Dorian Service

Remove Default User Account

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).


At this point we are ready to remove the default Dorian account. Before doing so make sure that you have completed the steps above, specifically: 1) registered a new user, 2) approved the new user and made them an administrator of the Dorian IdP, 3) added the new user as a grid account administrator, and 4) bound the Dorian host credentials to the new user. Once you are confident that you completed the above steps, remove the default user account as follows:

  1. From the Account Management menu, select the Local Accounts sub menu, then select Local Account Management. This will open a Local Account Management window.
  2. Click the Find Users button.
  3. Select the dorian user and click the Remove User button.

NOTE: After this is done, you will no longer be able to administer Dorian using the default user, and must be sure you remember the username and password for the new administrative account you created above.

Backup the CA to a Smart Card

SafeNet Protect Server Gold HSM utilities.
  • Decompress the downloaded file, eracom-utils.tgz as follows:
 
%> tar xvzf eracom-utils.tgz
  • Run the HSM key management tool as follows:
 
%> cd eracom-utils
%> ant manageEracomKeys

This will bring up the Safenet, Inc. Key Management Utility. To back up the Dorian keys using this utility complete the following steps:

  1. Insert a SafeNet Protect Host / Protect Server (FW V2.02 and Later) Smartcard into the HSM smart card reader.
  2. From the Select a Token drop down, select the slot containing the Dorian CA private key, certificate, and wrapping key.
  3. In the Enter Pin dialog, enter the user pin for the slot selected, and click the Ok button.
  4. Holding the Ctrl button left click the CA private key, certificate, and wrapping key such that the CA private key, certificate, and wrapping key are selected.
  5. Right click on the selected items and select Export from the right click menu. This will launch the Export Key(s) window.
  6. Select the Write to smart card(s) option.
  7. In the Batch Name text box enter dorianca.
  8. In the No. Custodians text box enter 2.
  9. Click the Ok button. This will bring up the Exporting window.
  10. In the Username text box enter a username. In the Smartcard Pin text box enter a pin or password. In the Re Enter Pin text box, re-enter the pin. The username and pin selected will apply to the first of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
  11. Click the Ok button. This will bring up a Please Confirm dialog.
  12. Click the Ok button. This will bring up another dialog asking you to enter the HSM administrative pin, enter it and click Ok. At this point the HSM will begin to write to the first smart card, this may take several minutes. When this has completed a dialog will appear asking you to insert another smart card.
  13. Remove the first smart card, insert a second smart card and click the Ok button. This will bring up the Exporting dialog.
  14. In the Username text box enter a username. In the Smartcard Pin text box enter a pin or password. In the Re Enter Pin text box, re-enter the pin. The username and pin selected will apply to the second of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
  15. Click the Ok button. This will bring up a Please Confirm dialog.
  16. Click the Ok button. At this point the HSM will begin to write to the second smart card, this may take several minutes. When this has completed a dialog will appear with a message Export Successful, at this point you have successfully backed up the Dorian CA onto smart cards.
After completion of this section, you should note the following:
  1. The username and pin for each of the two smartcards across which the Dorian CA is backed up.
  2. You should label each of the two smart cards and place them in a safe place, both smart cards will be required for restoring the Dorian CA.

GTS (Master)

Master GTS Installation

You should run the following commands from the machine (cvrg05.bmi.ohio-state.edu).

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Select the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • Select the "GTS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • In the Hostname text field, enter the name of the host (cvrg05.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9002'. In the "HTTPS" Port text field enter 9442.
  • Next the installer will ask if server credentials are present, select the Yes check box and click next.
  • In the Certificate Path text field browse to the certificate created here.
  • In the Certificate Key text field browse to the private key created here.
  • Click the Next button.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, GTS Standard Properties you DO NOT need to edit anything, just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • In the next screen, edit the database connection information specifying the Database Hostname, Database Port, Database Name, Database Username, and Database Password. Click the Next button.
    • NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
  • If a database with the same name exists in the database service, the next panel will indicate that the existing database will be destroyed. Press Next.
  • The next screen prompts you for an initial administrator for the GTS. In the Identity text field enter the Grid Identity for the user you created, and logged on as here.
  • Click the Next button.
  • Click the Start button to install the GTS as configured.
  • Once the GTS has finished installing click the Next button.
  • The installer will instruct you set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Starting the Master GTS

You should run the following commands from the machine (cvrg05.bmi.ohio-state.edu).

To start the GTS complete the following steps:

  • If it does not exist, create the directory: USER_HOME/.globus/certificates.
  • Copy the GTS CA certificate (Created Here) to the directory, USER_HOME/.globus/certificates. The file should be named with a .digit[0-9] extension, for example gtsca.0.
  • Copy the Dorian CA certificate (Created Here) to the directory, USER_HOME/.globus/certificates. The file should be named with a .digit[0-9] extension, for example dorianca.0.
  • Start Tomcat

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Create Trust Levels

You should run the following commands from the machine (cvrg05.bmi.ohio-state.edu).

A level of assurance or trust level specifies the level of confidence with which a given certificate authority is trusted in the Grid. The GAARDS Admin UI provides a mechanism for administering the GTS; this includes creating trust levels.

Before you can make constructive use of the GAARDS Admin UI, you will need to tell it to trust the Dorian service that you set up earlier. When you did that you were told to make a copy of Dorian's CA (certificate authority) certificate. Copy that file to the directory $HOME/.globus/certificates on the host that the master GTS is running on.
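Every certificate file in .globus/certificates is a trust anchor, so it is worth confirming that the Dorian CA certificate copied here is byte-for-byte the file saved after the Dorian installation and that the directory holds nothing unexpected. The following is an added example, not part of caGrid or of the original instructions; the function names and the manifest file (sha256sum format, kept alongside the saved copy of the CA certificate) are assumptions.

```shell
#!/bin/sh
# Added example (not caGrid code). Assumed names: sha256_of, record_manifest,
# audit_trust_dir, and a manifest in the form "<sha256>  <filename>" per line.

# Print the SHA-256 of a file as hex (sha256sum, or shasum where that is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run once, right after the install, on a directory known to be clean:
# writes one manifest line per regular file in DIR to stdout.
record_manifest() {
    (
        cd "$1" || exit 1
        for f in *; do
            if [ -f "$f" ]; then
                printf '%s  %s\n' "$(sha256_of "$f")" "$f"
            fi
        done
    )
}

# Audit DIR against MANIFEST. Prints one finding per line and returns 0 only
# when there are none. Unlisted or altered files matter because each
# <prefix>.<digit> file in this directory is treated as a trusted CA.
audit_trust_dir() {
    dir=$1
    manifest=$2
    bad=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue    # empty directory: the glob stays literal
        name=${path##*/}
        case $name in
            *.[0-9] | *.signing_policy) ;;
            *) echo "UNEXPECTED $name"; bad=1; continue ;;
        esac
        want=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
        if [ -z "$want" ]; then
            echo "UNLISTED $name"; bad=1
        elif [ "$want" != "$(sha256_of "$path")" ]; then
            echo "MISMATCH $name"; bad=1
        fi
        # Group- or world-writable files can be rewritten by another local account.
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $name"; bad=1
        fi
    done
    # Anything recorded in the manifest must still be present.
    while read -r sum name; do
        [ -z "$name" ] || [ -e "$dir/$name" ] || { echo "MISSING $name"; bad=1; }
    done < "$manifest"
    return "$bad"
}

# Constructed demo: the two files the Dorian install leaves behind (file names
# from the page's example, placeholder contents), audited before and after a
# stray CA file appears. Prints the findings.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/certificates"
    printf 'constructed placeholder, not a real certificate\n' > "$tmp/certificates/68907d53.0"
    printf 'constructed placeholder, not a real policy\n' > "$tmp/certificates/68907d53.signing_policy"
    chmod 644 "$tmp/certificates"/*
    record_manifest "$tmp/certificates" > "$tmp/manifest"
    audit_trust_dir "$tmp/certificates" "$tmp/manifest" && echo "clean after install"
    printf 'constructed stray file\n' > "$tmp/certificates/0a1b2c3d.0"
    chmod 644 "$tmp/certificates/0a1b2c3d.0"
    demo_out=$(audit_trust_dir "$tmp/certificates" "$tmp/manifest" || true)
    rm -rf "$tmp"
    printf '%s\n' "$demo_out"
}
demo_audit
```

On a real host, record the manifest once against the freshly installed directory, store it with the saved CA certificate, and run audit_trust_dir "$HOME/.globus/certificates" against it after each copy step.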

To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To add a trust level to the GTS using the GAARDS UI complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window, click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From the Trust Fabric menu, select Levels of Assurance, this will launch the Levels of Assurance window.
  9. Click the Add Trust Level button, this will launch the Add Trust Level window.
  10. In the Service drop down select https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  11. In the Name text box enter CVRG.
  12. In the Description text box enter This trust level maintains a grouping of CVRG Certificate Authorities.
  13. Click the Add Trust Level button, this will add the trust level to the GTS.

To verify that the trust level was successfully added complete the following steps:

  1. From the Trust Fabric menu, select Levels of Assurance, this will launch the Levels of Assurance window.
  2. In the Service drop down select https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  3. Click the List Trust Levels button, this should list all the trust levels for the selected GTS in the table.

If the CVRG trust level appears in the table then it was successfully added.

Add Dorian to the Trust Fabric

You should run the following commands from the machine (cvrg05.bmi.ohio-state.edu).

The GAARDS Admin UI provides a mechanism for administering the GTS; this includes adding certificate authorities to the GTS. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To add the Dorian CA to the GTS using the GAARDS UI complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window, click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From the Trust Fabric menu select Certificate Authorities, this will launch the Certificate Authorities window.
  9. Click the Add Trusted Authority button, this will launch the Add Certificate Authority window.
  10. In the Service drop down select https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  11. Click the Import Certificate button, this will bring up a file browser. Browse to the file containing the Dorian CA Certificate (Created Here) and click the Open button. This will import the certificate into the UI.
  12. Click on the Trust Levels tab.
  13. Select the check box for the CVRG trust level.
  14. Click the Add Trusted Authority button, this will add the Dorian CA to the GTS.

To verify that the Dorian Certificate Authority was successfully added complete the following steps:

  1. From the Trust Fabric menu select Certificate Authorities, this will launch the Certificate Authorities window.
  2. In the Service drop down select https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  3. Click the Find Trusted Authorities button, this should list all the certificate authorities registered with GTS in the table.

If the Dorian CA is listed in the table then it was successfully added.

Grant Dorian Rights to Publish its CRL

You should run the following commands from the machine (cvrg05.bmi.ohio-state.edu).

The GAARDS Admin UI provides a mechanism for administering the GTS; this includes granting permissions for administering the GTS. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To grant Dorian the right to publish its CRL to the GTS using the GAARDS UI complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window, click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From the Trust Fabric menu select Permissions, this will launch the Permission window.
  9. Click the Add Permission button, this will launch the Add Permission Window.
  10. From the Service drop down select https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  11. In the Grid Identity text box enter: /O=CVRG/OU=LOA1/OU=Services/CN=host/dorian.bmi.ohio-state.edu
  12. From the Trusted Authority drop down select: O=CVRG,OU=LOA1,CN=CVRG LOA1 CA
  13. From the Role drop down select: TrustAuthorityManager.
  14. Click the Add Permission button. This will grant Dorian the ability to publish its CRL to the GTS.

To verify that Dorian was successfully granted rights to publish its CRL complete the following steps:

  1. From the Trust Fabric menu select Permissions, this will launch the Permission window.
  2. From the Service drop down select https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  3. Click the List Permissions button.

This will list all the rights granted on the GTS in the table. If Dorian was successfully granted rights to publish its CRL you will see a listing as follows:

  • Grid Identity - /O=CVRG/OU=LOA1/OU=Services/CN=host/dorian.bmi.ohio-state.edu

  • Trusted Authority - O=CVRG,OU=LOA1,CN=CVRG LOA1 CA

  • Role - TrustAuthorityManager

Deploy SyncGTS to GTS (Master) Container

You should run the following commands from the machine (cvrg05.bmi.ohio-state.edu).

  • Shut down Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "SyncGTS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will then ask whether or not you want to re-install Ant. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Tomcat. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Globus. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install caGrid. Make sure the Yes button is NOT selected and click Next.
  • If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the Yes check box is NOT selected. Press Next.
  • Click the Start button.
  • Click the Next button.
  • The installer will ask if you want to redeploy Globus to Tomcat; deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • The installer will ask if you want the container to be secure; select Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg05.bmi.ohio-state.edu.
  4. Unselect the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties you DO NOT need to edit anything, just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Click the Start button. The installer will install SyncGTS, when the installation is finished click the Next button.
  • Click the Finished button.
  • Close the installer.
  • Startup Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
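The GTS Service URI and GTS Identity entered into the SyncGTS configuration above, and the Grid Identity and Trusted Authority used earlier for the Dorian CRL permission, are typed by hand and have to agree with each other. The following is an added example, not part of caGrid, that checks them. The function names are assumptions, as are two conventions taken from the values shown on this page: a host identity ends in CN=host/<fqdn>, and identities issued by a CA share the CA subject's leading O/OU components.

```shell
#!/bin/sh
# Added example (not caGrid code). All function names are assumed.

# Split a slash-form identity into one RDN per line. A "/" only starts a new
# RDN when it is followed by "<letters>=", so "CN=host/<fqdn>" stays whole.
dn_rdns() {
    printf '%s\n' "$1" | awk '{
        s = $0
        if (substr(s, 1, 1) != "/") exit 1
        s = substr(s, 2)
        while (match(s, /\/[A-Za-z]+=/)) {
            print substr(s, 1, RSTART - 1)
            s = substr(s, RSTART + 1)
        }
        print s
    }'
}

# Print the lower-cased FQDN of a host identity; fail for anything else
# (for example a user identity).
identity_host() {
    last=$(dn_rdns "$1" | tail -n 1)
    case $last in
        CN=host/?*) printf '%s\n' "${last#CN=host/}" | tr 'A-Z' 'a-z' ;;
        *) return 1 ;;
    esac
}

# Print the lower-cased host of an https:// service URI. Other schemes and
# URIs carrying user info are rejected; IPv6 literals are not handled.
uri_host() {
    case $1 in
        https://?*) rest=${1#https://} ;;
        *) return 1 ;;
    esac
    rest=${rest%%/*}                      # drop the path
    case $rest in *@*) return 1 ;; esac
    rest=${rest%%:*}                      # drop the port
    [ -n "$rest" ] || return 1
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Succeed when IDENTITY is a host identity for the host named in URI.
identity_matches_uri() {
    ih=$(identity_host "$1") || return 1
    uh=$(uri_host "$2") || return 1
    [ "$ih" = "$uh" ]
}

# Succeed when IDENTITY starts with the CA subject minus its final CN.
# CA_DN is in comma form; RDN values containing commas are not handled.
identity_under_ca() {
    prefix=$(printf '%s\n' "$2" | sed 's/,CN=[^,]*$//' | tr ',' '\n')
    n=$(printf '%s\n' "$prefix" | wc -l | tr -d ' ')
    [ "$(dn_rdns "$1" | head -n "$n")" = "$prefix" ]
}

# The values this page enters, checked together. Returns 0 when all agree.
check_page_values() {
    identity_matches_uri \
        '/O=CVRG/OU=Trust Fabric/CN=host/cvrg05.bmi.ohio-state.edu' \
        'https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS' &&
    identity_matches_uri \
        '/O=CVRG/OU=LOA1/OU=Services/CN=host/dorian.bmi.ohio-state.edu' \
        'https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian' &&
    identity_under_ca \
        '/O=CVRG/OU=LOA1/OU=Services/CN=host/dorian.bmi.ohio-state.edu' \
        'O=CVRG,OU=LOA1,CN=CVRG LOA1 CA'
}
check_page_values && echo "identities consistent"
```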


GTS (Slave)

Slave GTS/SyncGTS Installation

You should run the following commands from the machine (cvrg04.bmi.ohio-state.edu).

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Select the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • Select the SyncGTS check box.
  • Select the "GTS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button; the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • In the Hostname text field, enter the name of the host (cvrg04.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9002'. In the "HTTPS" Port text field enter 9442.
  • Next the installer will ask if server credentials are present; select the Yes check box and click Next.
  • In the Certificate Path text field browse to the certificate created here.
  • In the Certificate Key text field browse to the private key created here.
  • Click the Next button.
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg05.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties you DO NOT need to edit anything, just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, GTS Standard Properties you DO NOT need to edit anything, just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • In the next screen, edit the database connection information specifying the Database Hostname, Database Port, Database Name, Database Username, and Database Password. Click the Next button.
    • NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
  • If a database with the same name exists in the database service, the next panel will indicate that the database will be destroyed. Press Next.
  • The next screen prompts you for an initial administrator for the GTS. In the Identity text field enter the Grid Identity for the user you recorded here.
  • Click the Next button.
  • Click the Start button to install the GTS as configured.
  • Once the GTS has finished installing click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Starting the Slave GTS

You should run the following commands from the machine (cvrg04.bmi.ohio-state.edu).

To start the GTS you need to start Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Add Master GTS as an Authority to the Slave GTS

You should run the following commands from the machine (cvrg04.bmi.ohio-state.edu).

The GAARDS Admin UI provides a mechanism for administering the GTS, which includes adding authorities to a GTS. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To add the Master GTS as an authority of the Slave GTS using the GAARDS UI complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window. Click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From the Trust Fabric menu select Trust Federation; this will launch the Trust Federation window.
  9. Click the Add Authority button; this will launch the Add Authority window.
  10. In the Service drop down select https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS. This is the GTS you are administering.
  11. In the GTS URI text box enter https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS. This is the GTS you are adding as an Authority to the GTS you are administering.
  12. From the Perform Authorization drop down, select True.
  13. In the Authorization Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg05.bmi.ohio-state.edu
  14. From the Hours drop down select 4.
  15. Click the Add Authority button; this will add the master GTS to the slave GTS as an authority.

To verify that the Master GTS was successfully added as an authority to the Slave GTS complete the following steps:

  1. From the Trust Fabric menu select Certificate Authorities; this will launch the Certificate Authorities window.
  2. In the Service drop down select https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
  3. Click the Find Trusted Authorities button.

This will list all the trusted certificate authorities for the Slave GTS. If the Master GTS was successfully added to the Slave GTS as an authority you should see the Dorian CA listed.

(It may take a few minutes for the Slave GTS to sync with the Master GTS, if you do not see the Dorian CA listed immediately, click the Find Trusted Authorities button again in a few minutes.)
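
The SyncGTS and Add Authority screens above each pair a GTS URI with the host identity that GTS is expected to present, so the two values should name the same host. The following preflight check is an added example, not caGrid code: the function names are hypothetical, the URIs and identities are the ones used in this guide, and the last sample pair is a constructed mistake.

```shell
#!/bin/sh
# Added example (not caGrid code): check the URI / identity pair before typing
# it into the SyncGTS or Add Authority screen. Helper names are hypothetical.

# Expected start of every host identity in this grid (value taken from this guide).
TRUST_PREFIX='/O=CVRG/OU=Trust Fabric/'

# uri_host URL -> host name without scheme, port or path
uri_host() {
    _h=${1#*://}
    _h=${_h%%/*}
    printf '%s\n' "${_h%%:*}"
}

# identity_host DN -> FQDN after /CN=host/, or status 1 if the DN has no host CN
identity_host() {
    case $1 in
        */CN=host/?*) printf '%s\n' "${1##*/CN=host/}" ;;
        *) return 1 ;;
    esac
}

# Host names compare case-insensitively.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_gts_pin URI IDENTITY -> one line per problem; status 0 only if clean
check_gts_pin() {
    _uri=$1; _dn=$2; _bad=0
    case $_uri in
        https://*) ;;
        *) echo "not https: $_uri"; _bad=1 ;;
    esac
    case $_dn in
        "$TRUST_PREFIX"*) ;;
        *) echo "identity outside $TRUST_PREFIX: $_dn"; _bad=1 ;;
    esac
    if _idh=$(identity_host "$_dn"); then
        _urh=$(uri_host "$_uri")
        if [ "$(lower "$_urh")" != "$(lower "$_idh")" ]; then
            echo "host mismatch: URI names $_urh, identity names $_idh"; _bad=1
        fi
    else
        echo "no /CN=host/<fqdn> in identity: $_dn"; _bad=1
    fi
    return "$_bad"
}

# First two pairs are the ones entered in this guide. The third is a
# constructed mistake: the URI points at cvrg04, the identity pins cvrg05.
run_examples() {
    while IFS='|' read -r _u _d; do
        if _out=$(check_gts_pin "$_u" "$_d"); then
            echo "OK   $_u"
        else
            echo "FAIL $_u"
            printf '%s\n' "$_out" | sed 's/^/     /'
        fi
    done <<'EOF'
https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS|/O=CVRG/OU=Trust Fabric/CN=host/cvrg05.bmi.ohio-state.edu
https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS|/O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu
https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS|/O=CVRG/OU=Trust Fabric/CN=host/cvrg05.bmi.ohio-state.edu
EOF
}
run_examples
```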

Deploy SyncGTS to Dorian Container

You should run the following commands from the machine (dorian.bmi.ohio-state.edu).

  • Shut down Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "SyncGTS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will then ask whether or not you want to re-install Ant. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Tomcat. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Globus. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install caGrid. Make sure the Yes button is NOT selected and click Next.
  • If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the Yes check box is NOT selected. Press Next.
  • Click the Start button.
  • Click the Next button.
  • The installer will ask if you want to redeploy Globus to Tomcat; deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • The installer will ask if you want the container to be secure; select Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties you DO NOT need to edit anything, just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Click the Start button. The installer will install SyncGTS; when the installation is finished, click the Next button.
  • Click the Finished button.
  • Close the installer.
  • Start up Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Metadata Services

Index Service

Install Index Service

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Select the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • Select the "Index Service" and "SyncGTS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button; the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • The installer will ask if you want the container to be secure; you don't, so DO NOT select Yes. Click the Next button.
  • In the Hostname text field, enter the name of the host (cvrg03.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9000'. In the "HTTP" Port text field enter 9080.
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties you DO NOT need to edit anything, just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Click the Start button to install the services as configured.
  • Once the services have finished installing click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Starting the Index Service

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validating the Index Service

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

Now we will validate that the Index Service is running, and responding to queries. Type the following command:

$GLOBUS_LOCATION/bin/wsrf-query -a -z none -s http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService /

You should see a bunch of XML printed to the screen; this is the contents of the Index Service.

Next we will print out the URLs of the services which are currently registered to the Index Service. Type the following command:

$GLOBUS_LOCATION/bin/wsrf-query -a -z none -s http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService "/*/*/*[local-name()='MemberServiceEPR']/*[local-name()='Address']/text()"

You may see the URLs of one or more of the services we have already deployed. As we just started the Index Service (and services which have been trying to register may not have tried again yet), it may not be a complete list for at least 10 minutes. We will come back later and check that it is complete.

Finally, we will verify the Index Service using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and the resulting services will be output.
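
To make the later completeness check repeatable, the addresses the Index Service reports can be compared against the deployment plan. This is an added example, not part of caGrid: the function names and the plan contents are assumptions, the query output is a constructed sample, and it relies on grep -o, which GNU and BSD grep provide.

```shell
#!/bin/sh
# Added example (not caGrid code): compare what the Index Service reports
# against the deployment plan. Function names are hypothetical.

# extract_addresses: wsrf-query output on stdin -> unique service URLs, sorted.
# Matching URLs by pattern avoids depending on the exact output layout.
extract_addresses() {
    grep -oE 'https?://[A-Za-z0-9._:/-]+' | LC_ALL=C sort -u
}

# audit_index PLAN_FILE: reads query output on stdin.
# Prints "MISSING url" for planned services that are not registered and
# "UNPLANNED url" for registrations that are not in the plan.
# Status 0 only when the index matches the plan exactly.
audit_index() {
    _found=$(mktemp)
    _want=$(mktemp)
    extract_addresses > "$_found"
    LC_ALL=C sort -u "$1" > "$_want"
    _report=$(
        LC_ALL=C comm -23 "$_want" "$_found" | sed 's/^/MISSING /'
        LC_ALL=C comm -13 "$_want" "$_found" | sed 's/^/UNPLANNED /'
    )
    rm -f "$_found" "$_want"
    if [ -z "$_report" ]; then
        return 0
    fi
    printf '%s\n' "$_report"
    return 1
}

# Plan: one expected URL per line. The URLs come from this guide; which
# services register with the index is an assumption for the example.
write_plan() {
    cat <<'EOF'
http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange
https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
EOF
}

# Constructed stand-in for the output of the MemberServiceEPR query:
# one planned service has not registered yet, one duplicate entry, and
# one registration from a host that is not part of the plan.
sample_query_output() {
    cat <<'EOF'
https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange
http://lab-pc.example.org:8080/wsrf/services/cagrid/HelloWorld
https://cvrg05.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS
EOF
}

run_demo() {
    _plan=$(mktemp)
    write_plan > "$_plan"
    sample_query_output | audit_index "$_plan" || echo "index does not match the plan yet"
    rm -f "$_plan"
}
run_demo
```

Against a live index, pipe the MemberServiceEPR wsrf-query command into audit_index with a plan file that lists one expected service URL per line.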

Global Model Exchange (GME)

Install GME

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Select the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • Select the "GME" and "SyncGTS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button; the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • The installer will ask if you want the container to be secure; you don't, so DO NOT select Yes. Click the Next button.
  • In the Hostname text field, enter the name of the host (cvrg02.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9000'. In the "HTTP" Port text field enter 9080.
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties you DO NOT need to edit anything, just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, edit the database connection information specifying the Database Hostname, Database Port, Database Name, Database Username, and Database Password. Click the Next button.
    • NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
    • NOTE: Be sure to pick a unique name for the database if you are using the same database server as other services.
  • If there is a database with the same name in the database server, the next panel will indicate that the database will be destroyed. Press Next.
  • In the next screen, GME Standard Properties, edit the following (NOTE: These are important! If they don't match your deployment, the GME won't work properly):
    • the service.deployment.host and set it to the host running GME (cvrg02.bmi.ohio-state.edu)
    • the service.deployment.port and set it to the port running GME (9080)
    • the service.deployment.protocol and set it to the protocol for the GME (http)
    • then click the Next button.
  • Click the Start button to install the services as configured.
  • Once the services have finished installing click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.


After completion of this section, you should record the following information for future use (if you plan to import existing data into the new GME):
  1. Database Hostname
  2. Database Port
  3. Database Name
  4. Database Username
  5. Database Password

Importing Data into GME

This step is optional, and allows us to import data from an existing GME installation. If you don't have an existing GME deployment which you want to extract data from, you can skip this section.

The scripts provided, and detailed below, make some assumptions about your database environment. Explicitly, when used as is, they assume the mysql user is root and that you are running them from the physical machine which is running the database. If this is not the case for your environment you can either edit the scripts appropriately (such as to include host, port, etc. information), or use your existing database backup/restore mechanisms.

Export Data

NOTE: You must run these steps from a node which has access to the existing GME database. In this example, the current GME deployment host does have such access. If you are in a situation where it does not, you may need to additionally install caGrid on a host which does, or just copy the relevant scripts (used below) to that host.

1) We will use some scripts provided with caGrid to extract the data from the existing GME database.

%> cd USER_HOME/ext/caGrid/projects/gme/tools/move
%> ./gmeExportDB.sh <LEGACY GME DATABASE NAME> <LEGACY GME DATABASE PASSWORD>

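NOTE: The <LEGACY GME DATABASE NAME> <LEGACY GME DATABASE PASSWORD> should respectively be the database name and password of your existing GME deployment. By default, the <LEGACY GME DATABASE NAME> is GlobusGME. Because the password is given as a command-line argument, it can be seen in the process list while the script runs and may be saved in your shell history.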

NOTE: If you are running these scripts on a unix-like system, and you have problems executing them, you may need to fix the permissions and line return characters by first running the command:

dos2unix *.sh

When running the command, you should see information like the following printed out:

Starting to backup databases
GME_REGISTRY.sql.gz
SCHEMA_STORE.sql.gz
SCHEMA_CACHE.sql.gz
Finished backing up databases into file gmeDBExport.tar

2) Copy the file gmeDBExport.tar to the host where the new GME is being deployed, if this is not the same host.

Import Data

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

1) We will use some scripts provided with caGrid to import the data extracted from the existing GME database.

%> cd USER_HOME/ext/caGrid/projects/gme/tools/move
%> ./gmeImportDB.sh <NEW GME DATABASE NAME> gmeDBExport.tar <NEW GME DATABASE PASSWORD>

NOTE: The <NEW GME DATABASE NAME> <NEW GME DATABASE PASSWORD> should respectively be the database name and password of your new GME deployment, which you recorded in the GME installation process.

NOTE: If you are running these scripts on a unix-like system, and you have problems executing them, you may need to fix the permissions and line return characters by first running the command:

dos2unix *.sh

When running the command, you should see information like the following printed out:

GME_REGISTRY.sql.gz
SCHEMA_STORE.sql.gz
SCHEMA_CACHE.sql.gz
Importing gme database table data into GME_REGISTRY
Importing gme database table data into GME_SCHEMA_STORE
Importing gme database table data into GME_SCHEMA_CACHE
Finished Importing databases

2) Next we will modify the ownership of the old schemas to point to the new service. This step is NOT REQUIRED if you are running the new GME with the same service URL as the old GME, in which case, you can skip this step.

Again, we will use a script provided by caGrid.

%> cd USER_HOME/ext/caGrid/projects/gme/tools/move
%> ./gmeChangeURL.sh <NEW GME DATABASE NAME> <LEGACY GME SERVICE URL> http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange <NEW GME DATABASE PASSWORD>

NOTE: The <NEW GME DATABASE NAME> <NEW GME DATABASE PASSWORD> should respectively be the database name and password of your new GME deployment, which you recorded in the GME installation process. The <LEGACY GME SERVICE URL> should be the existing service URL of the GME which you exported the database from.

When running the command, you should see information like the following printed out:

Changing hostname to http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange
Finished Modifying Databases

Starting the GME Service

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate GME

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

Validate GME (Discovery)

First, we will verify the GME service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and see in the results the GME Service running at http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange, from the appropriate hosting information.

Validate GME (Extract)

Next, we will verify the GME service is able to return us appropriate schemas. To do this, we will execute an ant target provided by GME to extract some schemas we know to be present.

cd USER_HOME/ext/caGrid/projects/gme
ant gmeExtract
  1. When prompted for a directory, enter: extract_testing
  2. When prompted for the service URL of the GME, enter: http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange
  3. When prompted for a comma separated list of schema URIs to retrieve, enter: gme://caGrid.caBIG/1.0/gov.nih.nci.cagrid.metadata

This script should then contact the GME and download several schemas into the extract_testing directory; you should see results similar to the output example shown below. You can open each to ensure its contents are valid (i.e. non-empty). You can then delete the extract_testing directory if desired, although leaving it there will not hurt anything either.

Example result of running script:

%> ant gmeExtract
Buildfile: build.xml

promptDirectory:
   [input] Please enter the directory place the schema files. [./]:
extract_testing

promptService:
   [input] Please enter the service url of the GME. [http://localhost:8080/wsrf/services/cagrid/GlobalModelExchange]:
http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/GlobalModelExchange


promptURIs:
    [input] Please enter a comma separated list of schema uris to retrieve. :
gme://caGrid.caBIG/1.0/gov.nih.nci.cagrid.metadata 

gmeExtract:
    [java] Need to locate schema for namespace Domain = caGrid.caBIG, Name = 1.0/gov.nih.nci.cagrid.metadata
    [java] Need to locate schema for namespace Domain = caGrid.caBIG, Name = 1.0/gov.nih.nci.cagrid.metadata
    [java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.common.xsd
    [java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.common.xsd
    [java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.service.xsd
    [java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.xsd
    [java] Writting file extract_testing\namespace2package.mappings

BUILD SUCCESSFUL
Total time: 24 seconds

Validate GME (Introduce)

We will verify the GME using the Introduce capability to browse schemas in the GME.

cd USER_HOME/ext/caGrid
ant introduce
  1. Click the Browse Data Types button on the top menu bar. This should open a Discovery Tools window.
  2. Select the Global Model Exchange tab.
  3. Verify there are values in the Namespace and Name combo boxes, and that the Schema Text changes accordingly when you change the combo box selections.

You should see the schemas listed.

EVS Grid Service

Install EVS

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).


  • Shut down Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "EVS" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will then ask whether or not you want to re-install Ant. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Tomcat. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Globus. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install caGrid. Make sure the Yes button is NOT selected and click Next.
  • If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the Yes check box is NOT selected. Press Next.
  • Click the Start button.
  • Click the Next button.
  • The installer will ask if you want to redeploy Globus to Tomcat; deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • The installer will ask if you want the container to be secure; you do not, so deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, EVS Standard Properties, you DO NOT need to edit anything; just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • Click the Start button. The installer will install EVS; when the installation is finished, click the Next button.
  • Click the Finished button.
  • Close the installer.

Starting the EVS Service

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate EVS

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

Validate EVS (Discovery)

First, we will verify the EVS service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating that the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and see in the results the EVS Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/cagrid/EVSGridService, from the appropriate hosting information.

Validate EVS (client)

We will verify the EVS using the client provided with caGrid.

cd USER_HOME/ext/caGrid/projects/evs
ant -Dservice.url=http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/cagrid/EVSGridService runClient

You should see output indicating some results of calling the client.

caDSR Grid Service

Install caDSR

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).


  • Shut down Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "caDSR" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will then ask whether or not you want to re-install Ant. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Tomcat. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Globus. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install caGrid. Make sure the Yes button is NOT selected and click Next.
  • If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the Yes check box is NOT selected. Press Next.
  • Click the Start button.
  • Click the Next button.
  • The installer will ask if you want to redeploy Globus to Tomcat; deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • The installer will ask if you want the container to be secure; you do not, so deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, caDSR Standard Deploy-time Properties, you DO NOT need to edit anything; just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • In the next screen, caDSR Standard Run-time Properties, you DO NOT need to edit anything; just click the Next button.
  • Click the Start button. The installer will install caDSR; when the installation is finished, click the Next button.
  • Click the Finished button.
  • Close the installer.

Starting the caDSR Service

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate caDSR

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

Validate caDSR (Discovery)

First, we will verify the caDSR service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating that the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and see in the results the caDSR Service running at http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/CaDSRService, from the appropriate hosting information.

Validate caDSR (client)

We will verify the caDSR using the client provided with caGrid.

cd USER_HOME/ext/caGrid/projects/cadsr
ant -Dservice.url=http://cvrg02.bmi.ohio-state.edu:9080/wsrf/services/cagrid/CaDSRService runClient

You should see output indicating some results of calling the client.

Other Security Services

GridGrouper

Install caGrid

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

If you have already installed caGrid in the account cvrg_s on the host cvrg03.bmi.ohio-state.edu you may proceed to the next section, otherwise follow the instructions below to install caGrid.

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Unselect the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • From the Container Type drop down select Tomcat and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Request Host Credentials

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

If you have already obtained host credentials from Dorian for the host cvrg03.bmi.ohio-state.edu you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.


The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To request host credentials from Dorian using the GAARDS UI please complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window; click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid-wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From MyAccount, select Request a Host Certificate; this will launch the Request Host Certificate window.
  9. Select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian from the Service URI drop down.
  10. In the Host text box enter cvrg03.bmi.ohio-state.edu.
  11. In the Specify Directory to Write Credentials text box enter or browse to the directory: Template:Switch:host cred dir (You may need to create this directory if it does not exist.)
  12. Click the Request Host Certificate button.
  13. This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the Close button.

If you followed the instructions above, the host certificate and private key will be written out as follows:

After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.
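
One way to check the issued host credentials before giving their paths to the installer, as an added example (not part of the original instructions or of caGrid). It assumes openssl is installed and that the certificate subject ends in CN=host/<hostname>, the form of the GTS Identity value used elsewhere in these instructions; the function names are hypothetical, and the demo credentials are a constructed self-signed stand-in for a Dorian-issued pair.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of caGrid or Dorian).

# check_host_creds HOST CERT KEY
# Prints one line per failed check; returns 0 only when every check passes.
check_host_creds() {
    host=$1; cert=$2; key=$3; rc=0

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }
    done

    # 1. Every service in the container runs under this key, so it must not
    #    be accessible to group or other (e.g. mode 600 or 400).
    perms=$(ls -ldL -- "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other ($perms)"; rc=1; }

    # 2. Assumption: the subject ends in CN=host/<HOST>. Both spellings that
    #    different OpenSSL releases print ("CN=" and "CN = ") are accepted.
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null)
    case $subject in
        *"CN=host/$host" | *"CN = host/$host") ;;
        *) echo "FAIL: subject does not name host/$host: $subject"; rc=1 ;;
    esac

    # 3. The certificate must still be within its validity period.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate is expired or unreadable"; rc=1; }

    # 4. The private key must belong to the certificate: compare the public
    #    key embedded in the certificate with the one derived from the key.
    #    An empty passphrase is supplied so an encrypted key fails, not hangs.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"; rc=1
    fi
    return $rc
}

# make_demo_creds DIR HOST
# Constructed test data: a self-signed pair named HOST-cert.pem / HOST-key.pem,
# so the checks can be tried without contacting Dorian.
make_demo_creds() {
    dir=$1; demo_host=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=CVRG/OU=Trust Fabric/CN=host\/$demo_host" \
        -keyout "$dir/$demo_host-key.pem" \
        -out "$dir/$demo_host-cert.pem" 2>/dev/null)
}

# Usage: sh check_host_creds.sh HOST CERT KEY
if [ "$#" -eq 3 ]; then
    check_host_creds "$@"
    exit $?
fi
```
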

Install Grid Grouper/SyncGTS

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "SyncGTS" and "GridGrouper" check boxes and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will now ask you for the information it needs to install or re-install the following dependencies: Ant, Tomcat, and Globus.
  • Indicate if/where each should be installed.
  • The installer will also ask if caGrid should be re-installed. Do NOT check the Yes check box.
  • Then the installer will ask if you want to reconfigure caGrid. Again, do NOT check the Yes check box.
  • Press Next
  • Press Start

The installer will now download and install whatever components you indicated should be (re)installed.

  • Once the installer is finished downloading/copying the selected components, press Next.
  • In the Hostname text field, enter the name of the host (cvrg03.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9003'. In the "HTTPS" Port text field enter 9443.
  • Next the installer will ask if server credentials are present; select the Yes check box and click Next.
  • In the Certificate Path text field enter USER_HOME/certificates/cvrg03.bmi.ohio-state.edu-cert.pem
  • In the Certificate Key text field enter USER_HOME/certificates/cvrg03.bmi.ohio-state.edu-key.pem

  • Click the Next button.
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties, you DO NOT need to edit anything; just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • Next the installer will ask you to configure GridGrouper. To configure GridGrouper complete the following steps:
  1. In the Administrator Identity text box enter the Grid Identity for the user you created and logged on as here.
  2. In the JDBC URL text box make any necessary changes to the default value such that the value contains the JDBC URL needed for interacting with your MySQL database.
  3. In the RDBMS Username text box enter the username of a user on your MySQL database. (This user should have the right to create databases.)
  4. In the RDBMS Password text box enter the password for the user entered in the RDBMS Username text box.
  5. Click the Next button.
  • If there is a database with the same name in the database server, the next panel will indicate that this database will be destroyed. Press Next.
  • In the next screen, Grid Grouper Standard Properties, you DO NOT need to edit anything; just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • Click the Start button to install Grid Grouper/SyncGTS as configured.
  • Once the installation has completed click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Start Grid Grouper

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

To start Grid Grouper, start Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Testing Grid Grouper

You should run the following commands from the machine (cvrg03.bmi.ohio-state.edu).

The GAARDS Admin UI provides a mechanism for administrating the Grid Grouper. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To test that Grid Grouper has been installed and configured successfully, complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window; click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid-wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. Click the MyGroups button; this will launch the MyGroups window.

When the MyGroups window launches, the UI will connect to Grid Grouper and obtain all the groups that you are a member of. If Grid Grouper was successfully installed you should see that you are a member of the Grid Grouper Administrators group on the Grid Grouper https://cvrg03.bmi.ohio-state.edu:9443/wsrf/services/cagrid/GridGrouper.


Authentication Service

Install caGrid

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

If you have already installed caGrid in the account CONSTANT_NOT_DEFINED on the host CONSTANT_NOT_DEFINED you may proceed to the next section, otherwise follow the instructions below to install caGrid.

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox, and de-select all other checkboxes.

Since Ant and Globus are dependencies of caGrid, you'll be prompted for where to install these. If you have already installed one or both of them, the installer will ask if you'd like to re-install them.

  • Once you have indicated where/if to install Ant, Globus, and caGrid, you'll be presented with the Select Target Grid panel.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Press the Start button.

The installer will download and install caGrid (and perhaps Ant and Globus). It could take quite a while to download and install all of these components. A panel at the bottom of the screen indicates the installer progress.

  • Once these components have been installed, the Next button will be activated. Click Next.
  • The following page will indicate that these environment variables should be set: ANT_HOME, GLOBUS_LOCATION.
  • Set these environment variables now.
  • Click Finish and then Close to close the installer.

Request Host Credentials

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

If you have already obtained host credentials from Dorian for the host CONSTANT_NOT_DEFINED you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.


The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To request host credentials from Dorian using the GAARDS UI please complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window; click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid-wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From MyAccount, select Request a Host Certificate; this will launch the Request Host Certificate window.
  9. Select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian from the Service URI drop down.
  10. In the Host text box enter CONSTANT_NOT_DEFINED.
  11. In the Specify Directory to Write Credentials text box enter or browse to the directory: Template:Switch:host cred dir (You may need to create this directory if it does not exist.)
  12. Click the Request Host Certificate button.
  13. This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the Close button.

If you followed the instructions above, the host certificate and private key will be written out as follows:

After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.


Install Authentication Service

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "SyncGTS" and "Authentication Service" check boxes and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will now ask you for the information it needs to install or re-install the following dependencies: Ant, Tomcat, and Globus.
  • Indicate if/where each should be installed.
  • The installer will also ask if caGrid should be re-installed. Do NOT check the Yes check box.
  • Then the installer will ask if you want to reconfigure caGrid. Again, do NOT check the Yes check box.
  • Press Next
  • Press Start

The installer will now download and install whatever components you indicated should be (re)installed.

  • Once the installer is finished downloading/copying the selected components, press Next.
  • In the Hostname text field, enter the name of the host (CONSTANT_NOT_DEFINED) that will run the service and click the Next button.
  • In the Shutdown port text field enter 'CONSTANT_NOT_DEFINED'. In the "HTTPS" Port text field enter CONSTANT_NOT_DEFINED.
  • Next the installer will ask if server credentials are present; select the Yes check box and click Next.
  • In the Certificate Path text field enter USER_HOME/certificates/CONSTANT_NOT_DEFINED-cert.pem
  • In the Certificate Key text field enter USER_HOME/certificates/CONSTANT_NOT_DEFINED-key.pem

  • Click the Next button.
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties, you DO NOT need to edit anything; just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • Next the installer will ask you if the service credentials should be used to sign SAML assertions. Select the Yes check box.
  • If the installer locates a JAAS configuration file at HOME/.java.login.config, it will ask you if it should append to, or overwrite, that configuration. Select Overwrite from the drop-down list. Press Next.
  • Select LDAP from the Credential Provider Type drop-down list. Press Next.
  • In the AuthenticationService LDAP Credential Provider panel, provide the following values:
    • CSM Context Name: AUTHNSVC
    • Host Name: Any of the following values will work in QA
      • ldaps://ncids4a.nci.nih.gov:636
      • ldaps://ncids1b.nci.nih.gov:636
      • ldaps://ncids5a.nci.nih.gov:636
    • Search Base: ou=nci,o=nih
    • Login ID Attribute: cn
    • First Name Attribute: givenName
    • Last Name Attribute: sn
    • Email ID Attribute: mail
  • Press Next.
  • In the next screen, Edit AuthenticationService Standard Properties, you DO NOT need to edit anything; just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • Click the Start button to install AuthenticationService/SyncGTS as configured.
  • Once the installation has completed click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.


Add AuthenticationService as Trusted Identity Provider (IdP) to Dorian

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

The certificate which matches the key that the AuthenticationService is using to sign SAML assertions must be registered with Dorian as a trusted IdP.

To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security
  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window; DO NOT click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid-wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. Click the Account Management menu.
  9. Select Grid Account Management > Trusted Identity Provider(s).
  10. Select the proxy of the user you created above.
  11. Press the Add Trusted IdP button.
  12. Select the Certificate tab.
  13. Press the Import Certificate button.
  14. Navigate to, and select, the certificate at USER_HOME/certificates/CONSTANT_NOT_DEFINED-cert.pem
  15. Press the Open button.
  16. Select the IdP Information tab.
  17. Enter the name NCICB AuthnSvc IdP into the Name field.
  18. Select Active as the Status.
  19. Select Auto Approval / Auto Renewal as the User Policy.
  20. Check the Password check box in the Accepted Authentication Methods group.
  21. Press the Add button.
  22. Press Find Trusted Identity Providers. You should see NCICB AuthnSvc IdP in the list.

Starting the Authentication Service

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd %CATALINA_HOME%\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate the Authentication Service

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

Validate Authentication Service (Discovery)

First, we will verify the Authentication Service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating that the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and see in the results the Authentication Service running at CONSTANT_NOT_DEFINED, from the appropriate hosting information.


Validate Authentication Service (Login)

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

Verify that we can retrieve a proxy from Dorian using the AuthenticationService as the IdP.

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select CONSTANT_NOT_DEFINED.
  4. In the User Id text field enter the username for your NCI account.
  5. In the Password text field enter the password for this account.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window; do not click the Set Default button.
  7. Close the window.

Other Services

Federated Query Processor (FQP)

Install caGrid

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

If you have already installed caGrid in the account cvrg_s on the host cvrg02.bmi.ohio-state.edu you may proceed to the next section, otherwise follow the instructions below to install caGrid.

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer into it, and unzip the installer in the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox. Unselect the Install caGrid Services checkbox. De-select all other check boxes. Click the Next button.
  • From the Container Type drop down select Tomcat and click Next.
  • Next you will be asked to specify a directory in which to install Ant. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Tomcat. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install Globus. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
  • Next you will be asked to specify a directory in which to install caGrid. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have caGrid installed...
      • You will be prompted if you want to reinstall it; choose Yes if you would like to replace it. Press Next.
      • You will then be asked if you would like to reconfigure caGrid for another target grid; choose Yes if you would like to reconfigure it. Press Next.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Click the Start button. The installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
    • NOTE: this step may take a while to download and extract all the files, and build caGrid.
  • Once the tasks have finished, click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Request Host Credentials

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

If you have already obtained host credentials from Dorian for the host cvrg02.bmi.ohio-state.edu you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.


The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To request host credentials from Dorian using the GAARDS UI please complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window. Click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From MyAccount, select Request a Host Certificate; this will launch the Request Host Certificate window.
  9. Select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian from the Service URI drop down.
  10. In the Host text box enter cvrg02.bmi.ohio-state.edu.
  11. In the Specify Directory to Write Credentials text box enter or browse to the directory: Template:Switch:host cred dir (You may need to create this directory if it does not exist.)
  12. Click the Request Host Certificate button.
  13. This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the Close button.

If you followed the instructions above, the host certificate and private key will be written out as follows:

After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.

Install FQP/SyncGTS

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "SyncGTS" and "FQP" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will then ask whether or not you want to re-install Ant. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Tomcat. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Globus. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install caGrid. Make sure the Yes button is NOT selected and click Next.
  • If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the Yes check box is NOT selected. Press Next.
  • Click the Start button.
  • Click the Next button.
  • The installer will ask if you want to redeploy Globus to Tomcat; deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • The installer will ask if you want the container to be secure; select Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • In the Hostname text field, enter the name of the host (cvrg02.bmi.ohio-state.edu) that will run the service and click the Next button.
  • In the Shutdown port text field enter '9003'. In the "HTTPS" Port text field enter 9443.
  • Next the installer will ask if server credentials are present; select the Yes check box and click Next.
  • In the Certificate Path text field enter USER_HOME/certificates/cvrg02.bmi.ohio-state.edu-cert.pem
  • In the Certificate Key text field enter USER_HOME/certificates/cvrg02.bmi.ohio-state.edu-key.pem

  • Click the Next button.
  • Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Select the Perform First Sync? check box.
  5. Click the Next button.
  6. In the next screen, SyncGTS Standard Properties you DO NOT need to edit anything, just click the Next button.
  7. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  1. Click the Next button.
  • In the next screen, Federated Query Processor Service Properties you DO NOT need to edit anything, just click the Next button.
  • In the next screen, Federated Query Processor Standard Properties you DO NOT need to edit anything, just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • Click the Start button to install FQP/SyncGTS as configured.
  • Once the installation has completed click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Start FQP

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

To start FQP, start Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd $CATALINA_HOME\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate FQP

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

Validate FQP (Discovery)

First, we will verify the FQP service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating that the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and see in the results the FQP Service running at https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/FederatedQueryProcessor, from the appropriate hosting information.

Validate FQP (client)

We will verify the FQP using the client provided with caGrid. By default this will invoke a federated query against the caBIO data service.

cd USER_HOME/ext/caGrid/projects/fqp
ant -Dservice.url=https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/FederatedQueryProcessor runClient

You should see output indicating some results of calling the client.

Workflow

Install Workflow Service

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

  • Shut down Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd $CATALINA_HOME\bin
%> shutdown.bat
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • De-select the Install caGrid check box.
  • Select the Install caGrid Services check box.
  • De-select all other check boxes.
  • Click the Next button.
  • Select the "Workflow" check box and click Next.
  • From the Container Type drop down select "Tomcat" and click Next.
  • The installer will then ask whether or not you want to re-install Ant. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Tomcat. Make sure the Yes button is NOT selected and click Next.
  • The installer will then ask whether or not you want to re-install Globus. Make sure the Yes button is NOT selected and click Next.
  • Next you will be asked to specify a directory in which to install ActiveBPEL. In the Directory text field enter USER_HOME/ext and click the Next button.
    • If you already have ActiveBPEL installed (with the ACTIVEBPEL_HOME environment variable set), you will be prompted if you want to reinstall it; choose yes if you don't have the proper version or would like to replace it.
  • The installer will then ask whether or not you want to re-install caGrid. Make sure the Yes button is NOT selected and click Next.
  • Click the Start button.
  • Click the Next button.
  • The installer will ask if you want to redeploy Globus to Tomcat; deselect Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • The installer will ask if you want the container to be secure; select Yes and click the Next button. (The installer will not always ask this; if it does not, proceed to the next step.)
  • Edit the service metadata for your deployment. Be sure to provide:
    • Appropriate Research Center Metadata (including the Address, etc)
    • Appropriate Research Center Points of Contact (including a point of contact for support questions)
  • Click the Next button.
  • In the next screen, Workflow Service Properties, you DO need to edit the abEndPoint property to make sure the port and protocol are correct for how you are deploying the service (i.e., edit http to https and 8080 to 9443), then click the Next button.

  • In the next screen, Workflow Standard Run-time Properties you DO NOT need to edit anything, just click the Next button.
    • You should verify that perform.index.service.registration is true and index.service.url is set appropriately based on your plan above.
  • The installer will then ask you for a Username and Password and Role for the BPEL Administrative application. This will secure the ActiveBPEL administrative web application. You should enter and remember a Username and Password, and leave the Role as admin.
  • Click the Start button. The installer will install the Workflow Service. When the installation is finished, click the Next button.
  • Click the Finished button.
  • Close the installer.
After completion of this section, you should record the following information for future use:
  1. The Username and Password and Role for the BPEL Administrative application. You won't need this for future deployment steps, but should keep it for potential future reference (so the Administrative application can be used).

Start Workflow Service

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

To start the Workflow Service, start Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd $CATALINA_HOME\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate Workflow

You should run the following commands from the machine (cvrg02.bmi.ohio-state.edu).

Validate Workflow (Discovery)

First, we will verify the Workflow service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating that the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and see in the results the WorkflowService running at https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/WorkflowFactoryService, from the appropriate hosting information.

Web Applications

Portal

Install caGrid

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

If you have already installed caGrid in the account CONSTANT_NOT_DEFINED on the host CONSTANT_NOT_DEFINED you may proceed to the next section, otherwise follow the instructions below to install caGrid.

  • Click here to download the Installer.
  • Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer into it, and unzip the installer in the created directory.

The following is provided as an example:

 
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • If you have not already installed caGrid select the Install caGrid checkbox, and de-select all other checkboxes.

Since Ant and Globus are dependencies of caGrid, you'll be prompted for where to install these. If you have already installed one or both of them, the installer will ask if you'd like to re-install them.

  • Once you have indicated where/if to install Ant, Globus, and caGrid, you'll be presented with the Select Target Grid panel.
  • Select the CVRG Grid from the Target Grid drop down and click Next.
  • Press the Start button.

The installer will download and install caGrid (and perhaps Ant and Globus). It could take quite a while to download and install all of these components. A panel at the bottom of the screen indicates the installer progress.

  • Once these components have been installed, the Next button will be activated. Click Next.
  • The following page will indicate that these environment variables should be set: ANT_HOME, GLOBUS_LOCATION.
  • Set these environment variables now.
  • Click Finish and then Close to close the installer.

Request Host Credentials

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

If you have already obtained host credentials from Dorian for the host CONSTANT_NOT_DEFINED you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.


The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:

 
%> cd USER_HOME/ext/caGrid
%> ant security

To request host credentials from Dorian using the GAARDS UI please complete the following steps:

  1. Click the Login button. This will launch the Login window.
  2. From the Dorian Service drop down, select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  3. From the Authentication Service drop down select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian.
  4. In the User Id text field enter the username for the account just created earlier.
  5. In the Password text field enter the password for the account just created earlier.
  6. Click the Authenticate button. This will authenticate you to Dorian using the account just created and launch the Proxy Manager window. Click the Set Default button.
    1. If you have not yet done so, take note of your Grid Identity; this is the grid wide unique identifier for this user, which authorization policies can be set against.
  7. Close the window.
  8. From MyAccount, select Request a Host Certificate; this will launch the Request Host Certificate window.
  9. Select https://dorian.bmi.ohio-state.edu:9443/wsrf/services/cagrid/Dorian from the Service URI drop down.
  10. In the Host text box enter CONSTANT_NOT_DEFINED.
  11. In the Specify Directory to Write Credentials text box enter or browse to the directory: Template:Switch:host cred dir (You may need to create this directory if it does not exist.)
  12. Click the Request Host Certificate button.
  13. This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the Close button.

If you followed the instructions above, the host certificate and private key will be written out as follows:

After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.
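
A check worth running on the host certificate and private key before giving their paths to the installer, as an added example that is not part of the CVRG or caGrid instructions; it serves both the cvrg02.bmi.ohio-state.edu and the Portal host credential requests. It assumes the openssl command-line tool is installed and that the certificate CN has the form host/<hostname>, as in the GTS Identity used on this page; the function names are illustrative.

```sh
#!/bin/sh
# Added example: verify a Dorian-issued host certificate and key before the
# secure container is configured to use them. Needs the openssl CLI.
# Assumption: the subject CN is "host/<hostname>", the form of the GTS
# Identity on this page (/O=CVRG/OU=Trust Fabric/CN=host/cvrg04...).

# key_is_private KEY: succeeds when group and other have no access to KEY.
key_is_private() {
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# key_matches_cert CERT KEY: succeeds when both hold the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_cn CERT: prints the subject CN (the first RDN in RFC 2253 order).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//; s/^CN=\([^,]*\).*$/\1/p'
}

# check_host_credentials HOST CERT KEY: runs every check, reports each
# failure, and returns non-zero if any check failed.
check_host_credentials() {
    host=$1; cert=$2; key=$3; rc=0
    key_is_private "$key" ||
        { echo "FAIL: $key is accessible to group/other (chmod 600)"; rc=1; }
    key_matches_cert "$cert" "$key" ||
        { echo "FAIL: $key is not the private key for $cert"; rc=1; }
    cn=$(cert_cn "$cert")
    [ "$cn" = "host/$host" ] ||
        { echo "FAIL: subject CN is '$cn', expected 'host/$host'"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert has expired or cannot be read"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: credentials for $host look usable"
    return "$rc"
}

# Usage: sh check_host_credentials.sh HOST CERT KEY
if [ "$#" -eq 3 ]; then
    check_host_credentials "$1" "$2" "$3"
fi
```

Run it as the account that owns the container, since that is the account whose file permissions matter for the key.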

Obtain Google Maps API Key

Go here to sign up for a Google Maps API Key. You will have to create an account.

Obtain Yahoo! Application ID

Go here and apply for a Yahoo! application ID. You'll have to create an account.

in the Web Application URL field. (NOTE: Yahoo will not validate the URL if you use HTTPS. It doesn't matter that the URL is not correct.)

  • Select the Generic, No user authentication required radio button.
  • Click Continue.
  • Save your new application id for future use.

Install Portal

  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • Select Install caGrid Portal and de-select everything else.
  • The installer will now ask you for the information it needs to install or re-install the following dependencies: Ant, Tomcat, and Globus.
  • Indicate if/where each should be installed.
  • The installer will also ask if caGrid should be re-installed. Do NOT check the Yes check box.
  • Then the installer will ask if you want to reconfigure caGrid. Again, do NOT check the Yes check box.
  • Press Next
  • Press Start

The installer will now download and install whatever components you indicated should be (re)installed.

  • Once the installer is finished downloading/copying the selected components, press Next.
  • On the Secure Deployment panel, select the Yes check box. Press Next.
  • In the Hostname text field, enter the name of the host (CONSTANT_NOT_DEFINED) that will run the service and click the Next button.
  • In the Shutdown port text field enter 'CONSTANT_NOT_DEFINED'. In the "HTTPS" Port text field enter CONSTANT_NOT_DEFINED.
  • Next the installer will ask if server credentials are present, select the Yes check box and click next.
  • In the Certificate Path text field enter USER_HOME/certificates/CONSTANT_NOT_DEFINED-cert.pem
  • In the Certificate Key text field enter USER_HOME/certificates/CONSTANT_NOT_DEFINED-key.pem

  • Click the Next button.


  • On the Configure Portal Database panel, provide the appropriate values for each field. Press Next.
  • If the installer displays an error message, go back and check that you have specified the correct values.
  • If a database already exists with the name you gave in the previous step, the installer will ask if it should destroy that database. Select the Yes check box. Press Next.

in the Index Service URLs list.

  • Press Next
  • Next the installer will ask you to configure SyncGTS. To configure the Portal SyncGTS complete the following steps:
  1. In the GTS Service URI text box enter https://cvrg04.bmi.ohio-state.edu:9442/wsrf/services/cagrid/GTS.
  2. In the Expiration Hours text box enter 12.
  3. In the GTS Identity text box enter /O=CVRG/OU=Trust Fabric/CN=host/cvrg04.bmi.ohio-state.edu.
  4. Click the Next button.
  5. In the next screen, SyncGTS Standard Properties, you DO NOT need to edit anything; just click the Next button.
  6. Next the installer asks if you want to replace the "Default GTS CA". Make sure that the Yes check box is NOT selected and click the Next button.
  • Click the Start button to install the portal as configured.
  • Once the installation has completed click the Next button.
  • The installer will instruct you to set the following environment variables: ANT_HOME, GLOBUS_LOCATION, and CATALINA_HOME. Set these environment variables now.
  • Click the Finish button and then click the Close button to close the installer.

Starting the Portal

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd $CATALINA_HOME\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate the Portal

  • In your browser, go to CONSTANT_NOT_DEFINED.

  • Click the Maps tab.
  • Click the Services sub tab.
  • Ensure that the map renders and displays all of the deployed services (except the index service, of course).

Browser

Install caGrid Browser

You should run the following commands from the machine (CONSTANT_NOT_DEFINED).

  • Shut down Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd $CATALINA_HOME\bin
%> shutdown.bat
  • Launch the installer:

It can be run from wherever you downloaded it. From our instructions earlier that would be:

 
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
  • Accept the caGrid license and click Next.
  • Select Install caGrid Browser and de-select everything else.
  • The installer will now ask you for the information it needs to install or re-install the following: Ant, Tomcat, Globus, and caGrid.
  • Do NOT check yes on any of these panels.
  • Finally, the installer will ask where caGrid Browser should be installed. Provide the path, and press Next.
  • Press Start

The installer will now download and install caGrid Browser.

    • IdP URL 1: CONSTANT_NOT_DEFINED
  • Press Next.
  • Press the Start button.
  • When the installer finishes, press Next, Finish, Close.

Since the cagrid-browser logging configuration assumes that Tomcat will be started from CATALINA_HOME, you need to modify that configuration (i.e. because these deployment procedures indicate that Tomcat should be started from CATALINA_HOME/bin). To do that, edit the log4j.appender.browser.File property in CATALINA_HOME/webapps/cagrid-browser/classes/log4j.properties to look like this:

log4j.appender.browser.File=<CATALINA_HOME>/logs/cagrid-browser-log4j.log

...replacing <CATALINA_HOME> with the full path to the Tomcat installation directory.

  • Start up Tomcat as follows:

On Unix-based Systems

 
%> cd $CATALINA_HOME/bin
%> ./startup.sh

NOTE: You may need to set execute permissions on the script, to be able to run it.


On Windows-based Systems:

 
%> cd $CATALINA_HOME\bin
%> startup.bat


Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.


Validate caGrid Browser

  • In your browser, go to CONSTANT_NOT_DEFINED
  • Login using your NCI credentials.
  • Select the Discovery tab.
  • Press the Discovery Services button.
  • Verify that all deployed services show up.

Post Deployment Validation

Discover Services

cd USER_HOME/ext/caGrid/projects/discovery
ant runClient

You should see output indicating that the Index Service running at http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService is being queried, and the resulting services will be output. At this point we should see all the services listed in the Service Table above, and they should indicate they are from the appropriate provider (as supplied during service deployment steps).
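
One way to make this final check repeatable, as an added example that is not part of the CVRG or caGrid instructions: save the DiscoveryClient output and compare the service URLs in it with the plan. The expected list holds only the FQP and Workflow URLs given on this page and should be extended from your own service table; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the services seen in saved DiscoveryClient output
# with the deployment plan. Only URLs are matched, so no particular output
# layout is assumed.

# Index Service URL and the service URLs this page expects it to list.
INDEX_URL='http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService'
EXPECTED='https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/FederatedQueryProcessor
https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/WorkflowFactoryService'

# advertised_urls FILE: every distinct /wsrf/services/ URL found in FILE.
advertised_urls() {
    grep -Eo 'https?://[^[:space:]"<>]+' "$1" |
        grep '/wsrf/services/' | sed 's/[.,;)]*$//' | sort -u
}

# missing_services FILE: expected URLs that do not appear in FILE.
missing_services() {
    adv=$(advertised_urls "$1")
    printf '%s\n' "$EXPECTED" | while IFS= read -r url; do
        printf '%s\n' "$adv" | grep -Fxq -- "$url" || printf '%s\n' "$url"
    done
}

# plaintext_services FILE: services advertised over http:// (the Index
# Service itself is planned on http and is excluded).
plaintext_services() {
    advertised_urls "$1" | grep '^http://' | grep -Fxv -- "$INDEX_URL" || true
}

# unexpected_services FILE: advertised URLs that are not in the plan.
unexpected_services() {
    advertised_urls "$1" | while IFS= read -r url; do
        [ "$url" = "$INDEX_URL" ] && continue
        printf '%s\n' "$EXPECTED" | grep -Fxq -- "$url" || printf '%s\n' "$url"
    done
}

# check_discovery FILE: fails on a missing or non-TLS service and lists
# unplanned registrations for review.
check_discovery() {
    rc=0
    grep -Fq -- "$INDEX_URL" "$1" ||
        { echo "FAIL: output does not mention $INDEX_URL"; rc=1; }
    miss=$(missing_services "$1")
    plain=$(plaintext_services "$1")
    extra=$(unexpected_services "$1")
    [ -z "$miss" ] ||
        { printf '%s\n' "$miss" | sed 's/^/FAIL: not advertised: /'; rc=1; }
    [ -z "$plain" ] ||
        { printf '%s\n' "$plain" | sed 's/^/FAIL: advertised without TLS: /'; rc=1; }
    [ -z "$extra" ] ||
        printf '%s\n' "$extra" | sed 's/^/REVIEW: not in the plan: /'
    return "$rc"
}

# Constructed sample, not real DiscoveryClient output.
sample_discovery_output() {
    cat <<'EOF'
Querying http://cvrg03.bmi.ohio-state.edu:9080/wsrf/services/DefaultIndexService
Found https://cvrg02.bmi.ohio-state.edu:9443/wsrf/services/cagrid/FederatedQueryProcessor
Found http://cvrg02.bmi.ohio-state.edu:8080/wsrf/services/cagrid/WorkflowFactoryService
EOF
}

# Usage: ant runClient > discovery.out 2>&1; sh check_discovery.sh discovery.out
if [ "$#" -eq 1 ]; then
    check_discovery "$1"
fi
```

A registration that is not in the plan is listed for review and does not fail the check, because other services from the service table may legitimately appear.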