h1. GridShib for Globus Toolkit Installation

A lightweight alternative to installing the full Globus Toolkit is to only install the Java WS Core component of GT4, and then install GridShib for GT on top of that.  In fact, this is the only option under Windows, which does not support the full Globus Toolkit.  So the following "Quick Start" guide shows how to layer GridShib for GT on top of Java WS Core on Windows.

This tutorial gives detailed instructions for installing, configuring, and using Java WS Core 4.0.4, GridShib for GT v0.6.0, and GridShib SAML Tools v0.1.4 on Windows.  [Software requirements|http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch03.html] include JDK 1.4.2 (or higher) and Ant 1.6 (or higher), which we assume are already installed on Windows.

{style}
  ol {padding-left: 2.5em}
  ol ol {padding-left: 1.5em; list-style-type: lower-alpha}
{style}

{html}
<ol>
  <li>Install the binary version of <a href="http://www.globus.org/toolkit/downloads/4.0.4/#wscore_bin">Java WS Core&nbsp;4.0.4</a> on Windows.
    <blockquote>The binary version of Java WS Core is simplest, but the source version works just as well.</blockquote>
    <ol>
      <li>Extract the <a href="http://www-unix.globus.org/toolkit/survey/index.php?download=ws-core-4.0.4-bin.zip">ZIP archive</a> to any folder on your hard drive (say, c:\globus).</li>
      <li>Open a Command Prompt window, change directory to the installation directory, and set the <code>GLOBUS_LOCATION</code> environment variable (which is <em>case sensitive</em>, even on Windows in this case):
<pre>&gt; <b>cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4</b>
&gt; <b>set GLOBUS_LOCATION=%CD%</b>
&gt; <b>echo %GLOBUS_LOCATION%</b></pre></li>
      <li>For debugging purposes, add the following line to %GLOBUS_LOCATION%\container-log4j.properties:
<pre>log4j.category.org.globus.gridshib.gt=DEBUG</pre></li>
      <li>As a crude test, start the container (with transport-level security disabled):
<pre>&gt; <b>bin\globus-start-container -nosec</b>
Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
With the following services:

[1]: http://141.142.251.212:8080/wsrf/services/AdminService
[2]: http://141.142.251.212:8080/wsrf/services/AuthzCalloutTestService
[3]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryEntryService
[4]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryService
[5]: http://141.142.251.212:8080/wsrf/services/CounterService
[6]: http://141.142.251.212:8080/wsrf/services/ManagementService
[7]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerFactoryService
[8]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerService
[9]: http://141.142.251.212:8080/wsrf/services/NotificationTestService
[10]: http://141.142.251.212:8080/wsrf/services/PersistenceTestSubscriptionManager
[11]: http://141.142.251.212:8080/wsrf/services/SampleAuthzService
[12]: http://141.142.251.212:8080/wsrf/services/SecureCounterService
[13]: http://141.142.251.212:8080/wsrf/services/SecurityTestService
[14]: http://141.142.251.212:8080/wsrf/services/ShutdownService
[15]: http://141.142.251.212:8080/wsrf/services/SubscriptionManagerService
[16]: http://141.142.251.212:8080/wsrf/services/TestAuthzService
[17]: http://141.142.251.212:8080/wsrf/services/TestRPCService
[18]: http://141.142.251.212:8080/wsrf/services/TestService
[19]: http://141.142.251.212:8080/wsrf/services/TestServiceRequest
[20]: http://141.142.251.212:8080/wsrf/services/TestServiceWrongWSDL
[21]: http://141.142.251.212:8080/wsrf/services/Version
[22]: http://141.142.251.212:8080/wsrf/services/WidgetNotificationService
[23]: http://141.142.251.212:8080/wsrf/services/WidgetService
[24]: http://141.142.251.212:8080/wsrf/services/gsi/AuthenticationService</pre>
      Press Ctrl-C to abort the container.</li>
    </ol></li>

  <li>Install a trusted certificate
  <blockquote>In what follows, we will use a GridShib CA-issued end-entity certificate (EEC) to authenticate to GT services.  We will also issue proxy certificates using a GridShib CA-issued EEC.  Thus the container needs to be configured to trust certificates issued by the GridShib CA.</blockquote>
    <ol>
      <li>Download the <a href="http://gridshib.globus.org/downloads/gridshib-ca-cert.zip">public certificate</a> of the GridShib CA.</li>
      <li>Extract the files from the ZIP archive.  This will yield two files: bfcd1f28.0 and bfcd1f28.signing_policy.</li>
      <li>Drop these two files in folder "%USERPROFILE%\.globus\certificates" (if this folder does not exist, create it):
<pre>&gt; <b>dir "%USERPROFILE%\.globus\certificates"</b>
...
02/19/2007  10:15 PM             1,667 bfcd1f28.0
02/19/2007  10:15 PM               239 bfcd1f28.signing_policy</pre></li>
    </ol></li>

  <li>Obtain a user certificate and stop the container normally.
    <ol>
      <li>In the previous Command Prompt window, start the container again:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container -nosec</b>
Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
With the following services...</pre></li>
      <li>Open another Command Prompt window and try to stop the container:
<pre>&gt; <b>cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4</b>
&gt; <b>set GLOBUS_LOCATION=%CD%</b>
&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-stop-container</b>
Error: ; nested exception is:
GSSException: Defective credential detected [Caused by: 
Proxy file (C:\DOCUME~1\TOMSCA~1\LOCALS~1\Temp\x509up_u_tom scavo) not found.]</pre>
      </li>
      <li>Press Ctrl-C to abort the container.</li>
      <li>Obtain a short-term X.509 end-entity credential from the online <a href="https://computer.ncsa.uiuc.edu/gridshib-ca-0.4.0/">GridShib CA</a>.</li>
      <li>In the first Command Prompt window, start the container as before.</li>
      <li>In the second Command Prompt window, try to stop the container again:
<pre>&gt; <b>bin\globus-stop-container</b>
Error: ; nested exception is:
java.net.ConnectException: Connection refused: connect</pre>
      </li>
      <li>Finally, stop the container normally, authenticating with your GridShib CA-issued credential via Secure Message:
<pre>&gt; <b>bin\globus-stop-container -s http://localhost:8080/wsrf/services/ShutdownService -m msg</b></pre>
      </li>
    </ol></li>

  <li>Start and stop a secure container.
    <blockquote>For the rest of this tutorial, we require a secure container.</blockquote>
    <ol>
      <li>In the first Command Prompt window, start the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
      <li>In the second Command Prompt window, stop the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-stop-container</b></pre></li>
    </ol></li>

  <li>Request the <code>SecureCounterService</code>, authenticating with your EEC via Secure Conversation.
    <ol>
      <li>In the first Command Prompt window, start the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
      <li>In the second Command Prompt window, request a service:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\counter-client -m conv -z none
    -s https://localhost:8443/wsrf/services/SecureCounterService</b>
Got notification with value: 3
Counter has value: 3
Got notification with value: 13</pre></li>
      <li>In the second Command Prompt window, stop the container:
<pre>&gt; <b>bin\globus-stop-container</b></pre></li>
    </ol></li>

  <li>Install <a href="http://gridshib.globus.org/download.html#gridshib-gt">GridShib for GT&nbsp;v0.6.0</a> on Windows.
    <ol>
      <li>Download the GS4GT&nbsp;v0.6.0 source distribution (<a href="http://gridshib.globus.org/downloads/gridshib-gt-0_6_0-tp1-src.zip">ZIP archive</a>) from the GridShib web site. (A <a href="http://gridshib.globus.org/downloads/gridshib-gt-0_6_0-tp1-src.tar.gz">GZIP archive</a> is also available for UNIX users.)</li>
      <li>Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).</li>
      <li>In the second Command Prompt window, type the following commands:
<pre>&gt; <b>cd c:\gridshib\gridshib-gt-0_6_0-src\gridshib-gt-0_6_0</b>
&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>ant deploy</b>
&gt; <b>ant deploy-echoservice</b></pre></li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with your EEC.
    <blockquote>Note: An EEC obtained from the GridShib CA contains a bound SAML assertion with no attributes.  Thus you will see one "attribute" in the logs, namely, the value of the <code>NameIdentifier</code> element of the assertion.</blockquote>
    <ol>
      <li>In the first Command Prompt window, start the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
      <li>In the second Command Prompt window, copy your EEC to a preconfigured location and request the service:
<pre>&gt; <b>copy "%TEMP%\x509up_u_%USERNAME%" c:\temp\testcredential.pem</b>
&gt; <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none
    -s https://localhost:8443/wsrf/services/ShibEchoService
    -f %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-client-security-descriptor.xml</b></pre>
      You should receive one attribute in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>

  <li>Install <a href="http://gridshib.globus.org/download.html#saml-tools">GridShib SAML Tools&nbsp;v0.1.4</a> on Windows.  (See the <a href="http://gridshib.globus.org/docs/gridshib-saml-tools/install.html">Installation Notes</a> for detailed information about GridShib SAML Tools.)
    <blockquote>Note: We will configure the SAML Tools to sign proxy certificates using your GridShib CA-issued EEC by default.</blockquote>
    <ol>
      <li>Download the GridShib SAML Tools&nbsp;v0.1.4 source distribution (<a href="http://gridshib.globus.org/downloads/gridshib-saml-tools-0_1_4.zip">ZIP archive</a>) from the GridShib web site. (A <a href="http://gridshib.globus.org/downloads/gridshib-saml-tools-0_1_4.tar.gz">GZIP archive</a> is also available for UNIX users.)</li>
      <li>Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).</li>
      <li>In a third Command Prompt window, type the following commands:
<pre>&gt; <b>cd c:\gridshib\gridshib-saml-tools-0_1_4</b>
&gt; <b>set GRIDSHIB_HOME=%CD%</b>
&gt; <b>ant install</b></pre></li>
      <li>Uncomment the following lines in %GRIDSHIB_HOME%\etc\gridshib\tools\gridshib-saml-issuer.properties:
<pre># an EEC issued by the GridShib CA
certLocation=file:/%TEMP%/x509up_u_%USERNAME%
keyLocation=file:/%TEMP%/x509up_u_%USERNAME%</pre>
      Replace the placeholders <code>%TEMP%</code> and <code>%USERNAME%</code> with their actual values, changing the backslashes to forward slashes for proper URL syntax.</li>
    </ol></li>

  <li>Reconfigure the <code>ShibEchoService</code>.
    <blockquote>By default, the <code>ShibEchoService</code> is configured to accept all attributes (i.e., no authorization).  We now expand the authorization chain to include <em>Attribute Acceptance Policy</em> and <em>Attribute-based Authorization Policy</em>.  These policy checks are enabled by <code>AttributeAcceptancePIP</code> and <code>SAMLAttributePDP</code>, respectively.</blockquote>
    <ol>
      <li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP"/&gt;</pre>
      and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
              shibecho:org.globus.gridshib.AttributeAcceptancePIP 
              shibecho:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
      This enables <code>AttributeAcceptancePIP</code> and <code>SAMLAttributePDP</code> in the authz chain.</li>
    </ol></li>

  <li>Configure the <code>AttributeAcceptancePIP</code>.
    <blockquote>In the current version of GridShib for GT, Attribute Acceptance Policy boils down to a list of <em>trusted SAML authorities</em>.  Attributes are accepted from a SAML issuer if and only if the issuer's <code>entityID</code> is on this list.  By default, the GridShib CA's <code>entityID</code> is on this list.  We now add a proxy issuer to the list of trusted SAML authorities.</blockquote>
    <ol>
      <li>Obtain the Subject DN of your GridShib CA-issued EEC:
<pre>&gt; <b>%GLOBUS_LOCATION%\bin\rfc2253dn</b></pre></li>
      <li>Add the <em>RFC&nbsp;2253 form</em> of your Subject DN to the trusted SAML authorities file (%GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\trusted-saml-authorities.txt).</li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with a level&nbsp;1 proxy credential.
    <blockquote>Since the GridShib SAML Tools issue an assertion with two attributes by default, you will see a total of four (4) attributes in the logs, the <code>NameIdentifier</code> from the assertion bound to the EEC, plus two attributes and a <code>NameIdentifier</code> bound to the level&nbsp;1 proxy.</blockquote>
    <ol>
      <li>In the third Command Prompt window, issue a level&nbsp;1 proxy:
<pre>&gt; <b>%GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo 
    --authn --x509 --outfile c:\temp\testcredential.pem 
    --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255</b></pre></li>
      <li>In the first Command Prompt window, start the container.</li>
      <li>In the second Command Prompt window, set the proxy path and request the service:
<pre>&gt; <b>set X509_USER_PROXY=c:\temp\testcredential.pem</b>
&gt; <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none
    -s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
      You should receive four attributes in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>

  <li>Reconfigure the <code>ShibEchoService</code>.
    <blockquote>A <em>master PDP</em> controls other PIPs and PDPs.  For example, the <code>GridShibPushPDP</code> is functionally equivalent to the authz chain configured previously.</blockquote>
    <ol>
      <li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
              shibecho:org.globus.gridshib.AttributeAcceptancePIP 
              shibecho:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
      and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/&gt;</pre>
      This enables the master PDP <code>GridShibPushPDP</code>.</li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with a level&nbsp;1 proxy credential <em>via Secure Message</em>.
    <blockquote>The previous request defaulted to transport-level security.  To pass the SAML assertions at the message level, all that's needed is a simple command-line switch.</blockquote>
    <ol>
      <li>In the first Command Prompt window, start the container.</li>
      <li>In the second Command Prompt window, request the service:
<pre>&gt; <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none -m msg
    -s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
      You should receive four attributes in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>

  <li>Reconfigure the <code>ShibEchoService</code>.
    <ol>
      <li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/&gt;</pre>
      and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
              shibecho:org.globus.gridshib.AttributeAcceptancePIP 
              shibecho1:org.globus.gridshib.SAMLAttributePDP
              shibecho2:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
      This enables <code>SAMLAttributePDP</code> <em>twice</em> in the authz chain.  Each invocation of <code>SAMLAttributePDP</code> is associated with its own policy file.  (See %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\server-config.wsdd for the policy file configuration.)</li>
    </ol></li>

  <li>Reconfigure the GridShib SAML Tools.
    <ol>
      <li>Create config file c:\temp\gridshib-saml-issuer.properties with the following lines:
<pre># an emailAddress name identifier
Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
formatting.template=%PRINCIPAL%@gmail.com
# FriendlyName="mail"
Attribute.EMAIL.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.EMAIL.Name=urn:mace:dir:attribute-def:mail
Attribute.EMAIL.Value=trscavo@gmail.com
# a level 1 proxy issued by the GridShib SAML Tools
certLocation=file:/C:/temp/testcredential.pem
keyLocation=file:/C:/temp/testcredential.pem</pre></li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with a level&nbsp;2 proxy credential.
    <blockquote>In the previous exercise, the GridShib SAML Tools have been configured to issue a level&nbsp;2 proxy signed by a level&nbsp;1 proxy.  The level&nbsp;2 proxy contains one attribute, so you should see a total of six attributes in the logs, three (3) <code>NameIdentifier</code> values and three (3) attribute values.</blockquote>
    <ol>
      <li>In the third Command Prompt window, issue a level&nbsp;2 proxy:
<pre>&gt; <b>%GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo
    --authn --x509 --outfile c:\temp\testcredential.pem
    --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255
    --config file:/c:/temp/gridshib-saml-issuer.properties</b></pre></li>
      <li>In the first Command Prompt window, start the container.</li>
      <li>In the second Command Prompt window, request the service as before.  You should receive six attributes in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>
</ol>
{html}
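The trusted-certificate step above drops two files, bfcd1f28.0 and bfcd1f28.signing_policy, into the certificates folder. The file name is the OpenSSL 0.9.x subject hash of the CA certificate, and the signing_policy file restricts which subject names Globus will honour from that CA: a certificate whose subject falls outside cond_subjects is rejected even though its signature verifies. The following Python is an added example written for this page, not code from the GridShib or Globus projects; it computes the expected file names for a constructed CA DN (the real GridShib CA DN is not on this page, so the hash below is not bfcd1f28), parses a constructed signing_policy in the Globus format, and decides whether a given subject is covered. The DER encoder assumes PrintableString values and no slashes inside values.

```python
import hashlib
import shlex
from fnmatch import fnmatchcase

# DER-encoded OIDs for the attribute types used in the constructed DNs (2.5.4.x -> 55 04 xx)
_ATTR_OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}


def _der(tag, content):
    """Wrap content in a DER TLV with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_name(openssl_dn):
    """Encode an OpenSSL one-line DN (/C=US/O=Org/CN=Name) as a DER X.509 Name.

    Simplification (assumption): every value is a PrintableString and contains no '/'.
    A real certificate may use UTF8String, which changes the bytes and hence the hash."""
    rdns = b""
    for part in openssl_dn.strip("/").split("/"):
        typ, val = part.split("=", 1)
        attr = _der(0x30, _der(0x06, _ATTR_OID[typ]) + _der(0x13, val.encode("ascii")))
        rdns += _der(0x31, attr)          # each RDN is a SET holding one attribute
    return _der(0x30, rdns)               # Name ::= SEQUENCE OF RDN


def legacy_subject_hash(der):
    """OpenSSL 0.9.x X509_NAME_hash(): first four MD5 bytes of the DER Name, little-endian."""
    digest = hashlib.md5(der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def expected_trust_files(ca_subject_dn):
    """The two file names Globus expects in the certificates folder for this CA."""
    h = legacy_subject_hash(der_name(ca_subject_dn))
    return (h + ".0", h + ".signing_policy")


def parse_signing_policy(text):
    """Parse a Globus signing_policy file: access_id_CA, pos_rights and cond_subjects lines."""
    policy = {"ca": None, "rights": [], "subjects": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)        # handles the single-quoted DN and pattern list
        if len(fields) < 3:
            raise ValueError("malformed signing_policy line: %r" % raw)
        key, value = fields[0], " ".join(fields[2:])
        if key == "access_id_CA":
            policy["ca"] = value
        elif key == "pos_rights":
            policy["rights"].append(value)
        elif key == "cond_subjects":
            policy["subjects"].extend(shlex.split(value))   # inner double-quoted patterns
    return policy


def subject_allowed(policy, subject_dn):
    """A certificate is honoured only if the CA has CA:sign and the subject matches a pattern."""
    if "CA:sign" not in policy["rights"]:
        return False
    return any(fnmatchcase(subject_dn, pat) for pat in policy["subjects"])


# Constructed sample policy (not the GridShib CA's real bfcd1f28.signing_policy)
SAMPLE_CA_DN = "/C=US/O=Example Grid/CN=Example Grid CA"
SAMPLE_POLICY = """\
# signing policy for a constructed example CA
access_id_CA      X509         '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=US/O=Example Grid/*"'
"""

if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_POLICY)
    print("trust store files:", expected_trust_files(SAMPLE_CA_DN))
    for dn in ("/C=US/O=Example Grid/CN=Alice", "/C=US/O=Other Org/CN=Alice"):
        print(dn, "->", "accepted" if subject_allowed(pol, dn) else "rejected")
```

A practical use is to compare the names returned by expected_trust_files() with the dir listing in the tutorial: if they differ, the CA file was renamed or a different certificate was dropped in, and the container will not find it under the hash it computes.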
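The AttributeAcceptancePIP step states the acceptance rule (attributes are accepted from a SAML issuer if and only if its entityID is in trusted-saml-authorities.txt) and has you add the RFC 2253 form of your EEC's Subject DN so that assertions issued by your level 1 proxy are trusted; the level 1 proxy request then reports four attributes. The Python below is an added example for this page, not GridShib code: it converts an OpenSSL-style DN to RFC 2253 form (a stand-in for the rfc2253dn tool, assuming no slashes in values) and models the PIP's filtering over a constructed EEC assertion and proxy assertion. The entityID, DN, and the two proxy attributes are constructed placeholders, and the line-per-entityID layout of the trusted authorities file is an assumption.

```python
from dataclasses import dataclass, field

# characters RFC 2253 requires to be backslash-escaped inside an attribute value
_RFC2253_SPECIAL = ',+"\\<>;'


def to_rfc2253(openssl_dn):
    """Convert an OpenSSL one-line DN (/C=US/O=Org/CN=Name) to RFC 2253 form (CN=Name,O=Org,C=US).

    RFC 2253 writes the RDNs in reverse order and escapes the special characters above as well
    as a leading '#' or space and a trailing space.  Assumption: values contain no '/'."""
    rdns = []
    for part in openssl_dn.strip("/").split("/"):
        typ, val = part.split("=", 1)
        esc = "".join("\\" + ch if ch in _RFC2253_SPECIAL else ch for ch in val)
        if esc[:1] in ("#", " "):
            esc = "\\" + esc
        if esc.endswith(" ") and not esc.endswith("\\ "):
            esc = esc[:-1] + "\\ "
        rdns.append("%s=%s" % (typ, esc))
    return ",".join(reversed(rdns))


@dataclass
class Assertion:
    """The parts of a bound SAML assertion that matter here (constructed model)."""
    issuer: str                                     # entityID of the SAML authority
    name_id: str                                    # NameIdentifier value
    attributes: dict = field(default_factory=dict)  # attribute name -> value


def load_trusted_authorities(text):
    """trusted-saml-authorities.txt: one entityID per line, '#' comments (assumed format)."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def attribute_acceptance_pip(assertions, trusted):
    """Keep the NameIdentifier and attributes only from assertions whose issuer is trusted;
    everything from an untrusted issuer is dropped, which is the page's acceptance rule."""
    accepted = []
    for a in assertions:
        if a.issuer in trusted:
            accepted.append(("NameIdentifier", a.name_id))
            accepted.extend(a.attributes.items())
    return accepted


def count_accepted(trusted_text, assertions):
    """How many 'attributes' (NameIdentifiers included, as the page counts them) survive."""
    return len(attribute_acceptance_pip(assertions, load_trusted_authorities(trusted_text)))


# ---- constructed scenario (placeholders, not real entityIDs or attributes) ----
EEC_SUBJECT = "/C=US/O=Example Grid/CN=Tom Scavo"
GRIDSHIB_CA_ENTITY_ID = "https://gridshib-ca.example.org/idp"

EEC_ASSERTION = Assertion(GRIDSHIB_CA_ENTITY_ID, "trscavo")     # no attributes, as on the page
PROXY_ASSERTION = Assertion(                                     # issued by the level 1 proxy
    to_rfc2253(EEC_SUBJECT), "trscavo",
    {"urn:mace:dir:attribute-def:mail": "trscavo@example.org",
     "urn:mace:dir:attribute-def:eduPersonAffiliation": "member"})

TRUSTED_DEFAULT = "# trusted SAML authorities (constructed)\n%s\n" % GRIDSHIB_CA_ENTITY_ID
TRUSTED_WITH_PROXY = TRUSTED_DEFAULT + to_rfc2253(EEC_SUBJECT) + "\n"

if __name__ == "__main__":
    chain = [EEC_ASSERTION, PROXY_ASSERTION]
    print("default list :", count_accepted(TRUSTED_DEFAULT, chain), "attribute(s)")
    print("with proxy DN:", count_accepted(TRUSTED_WITH_PROXY, chain), "attribute(s)")
```

With the default list only the EEC's NameIdentifier is accepted (one attribute, as in the first ShibEchoService request); after the proxy DN is added the count becomes four, matching the level 1 proxy step. An issuer string that differs from the file entry by so much as an escape character is silently untrusted, which is why the tutorial insists on the RFC 2253 form.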
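The reconfiguration steps switch the authz chain in echo-service-security-descriptor.xml between a single SAMLAssertionPushPIP (no authorization), a PIP/PDP chain, the GridShibPushPDP master PDP, and finally two SAMLAttributePDP instances (shibecho1 and shibecho2) that each carry their own policy file. The Python below is an added example for this page, not GridShib code: it reads the scope:class pairs out of a constructed descriptor and evaluates the chain against a set of already-accepted attributes, binding a policy to each PDP by its scope name. The one-rule-per-line policy format and the deny-overrides combination (any PDP deny means deny, no PDP at all means permit) are assumptions of this model, not the project's documented semantics.

```python
import xml.etree.ElementTree as ET


def parse_authz_chain(descriptor_xml):
    """Return [(scope, class)] pairs from the <authz value="scope:class ..."/> element of a
    GT4 security descriptor; commented-out alternatives are ignored by the XML parser."""
    root = ET.fromstring(descriptor_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] == "authz":        # tolerate a namespace prefix
            return [tuple(tok.split(":", 1)) for tok in el.get("value").split()]
    raise ValueError("no <authz> element in descriptor")


def parse_policy(text):
    """Constructed policy-file format: one required 'attribute-name=value' per line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            rules.append((name.strip(), value.strip()))
    return rules


def evaluate_chain(chain, accepted_attributes, policies):
    """Walk the chain in order.  PIPs gather information and give no decision; each PDP is
    bound to the policy registered under its scope and permits only if every rule is
    satisfied by an accepted attribute.  Assumption: any PDP deny makes the chain deny,
    and a chain with no PDP at all permits (the page's 'no authorization' configuration)."""
    trace = []
    for scope, cls in chain:
        if not cls.endswith("PDP"):
            trace.append((scope, cls, "pip"))
            continue
        rules = policies.get(scope)
        if rules is None:
            trace.append((scope, cls, "deny"))      # a PDP without a policy cannot permit
            continue
        ok = all(rule in accepted_attributes for rule in rules)
        trace.append((scope, cls, "permit" if ok else "deny"))
    decision = "deny" if any(d == "deny" for _, _, d in trace) else "permit"
    return decision, trace


# Constructed descriptor modelled on the page's echo-service-security-descriptor.xml
DESCRIPTOR = """<securityConfig>
  <!-- <authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/> -->
  <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
                shibecho:org.globus.gridshib.AttributeAcceptancePIP
                shibecho1:org.globus.gridshib.SAMLAttributePDP
                shibecho2:org.globus.gridshib.SAMLAttributePDP"/>
</securityConfig>"""

NO_AUTHZ = '<securityConfig><authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP"/></securityConfig>'

# one policy per PDP scope (constructed; the page binds the real files in server-config.wsdd)
POLICIES = {
    "shibecho1": parse_policy("# policy for shibecho1\nurn:mace:dir:attribute-def:mail=trscavo@example.org\n"),
    "shibecho2": parse_policy("urn:mace:dir:attribute-def:eduPersonAffiliation=member\n"),
}

# attributes that survived AttributeAcceptancePIP for one request (constructed)
ACCEPTED = {
    ("NameIdentifier", "trscavo"),
    ("urn:mace:dir:attribute-def:mail", "trscavo@example.org"),
    ("urn:mace:dir:attribute-def:eduPersonAffiliation", "member"),
}


def decide(descriptor_xml, accepted=ACCEPTED, policies=POLICIES):
    """Final decision for a descriptor, given accepted attributes and per-scope policies."""
    return evaluate_chain(parse_authz_chain(descriptor_xml), accepted, policies)[0]


if __name__ == "__main__":
    for scope, cls, d in evaluate_chain(parse_authz_chain(DESCRIPTOR), ACCEPTED, POLICIES)[1]:
        print("%-10s %-45s %s" % (scope, cls, d))
    print("decision:", decide(DESCRIPTOR))
```

The trace is the part worth keeping when debugging a denied request: it shows which scope's policy failed, which is the same information the container's DEBUG logging for org.globus.gridshib.gt gives you once the chain is configured.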
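Two steps edit gridshib-saml-issuer.properties: the install step uncomments certLocation/keyLocation and asks you to substitute %TEMP% and %USERNAME% with forward slashes so the value is a valid file: URL, and the reconfiguration step writes a file with Format, formatting.template and an Attribute.EMAIL.* group so that the level 2 proxy carries one attribute. The Python below is an added example for this page, not code from the GridShib SAML Tools: it reads a constructed copy of that properties file, expands the placeholders the way the page describes, and renders the SAML 1.1 NameIdentifier and AttributeStatement those keys describe. The e-mail address is a constructed placeholder, and the exact element layout is the standard SAML 1.1 structure rather than a claim about the tool's output.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"


def parse_properties(text):
    """Minimal Java-style properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand_placeholders(value, env):
    """Fill %TEMP%/%USERNAME%-style placeholders and switch '\\' to '/' so the result is a
    valid file: URL, as the page asks for certLocation/keyLocation."""
    for name, val in env.items():
        value = value.replace("%" + name + "%", val.replace("\\", "/"))
    return value


def name_identifier(props, principal):
    """Apply formatting.template to the principal and build the SAML 1.1 NameIdentifier."""
    el = ET.Element("{%s}NameIdentifier" % SAML1, Format=props["Format"])
    el.text = props["formatting.template"].replace("%PRINCIPAL%", principal)
    return el


def attribute_statement(props):
    """Turn each Attribute.<ID>.{Namespace,Name,Value} group into a SAML 1.1 Attribute."""
    ids = sorted({k.split(".")[1] for k in props if k.startswith("Attribute.")})
    stmt = ET.Element("{%s}AttributeStatement" % SAML1)
    for aid in ids:
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML1,
                             AttributeName=props["Attribute.%s.Name" % aid],
                             AttributeNamespace=props["Attribute.%s.Namespace" % aid])
        ET.SubElement(attr, "{%s}AttributeValue" % SAML1).text = props["Attribute.%s.Value" % aid]
    return stmt


def attribute_count(props):
    """Number of attributes the issuer would bind (one for the page's level 2 proxy config)."""
    return len(attribute_statement(props))


# Constructed properties file, modelled on the page's c:\temp\gridshib-saml-issuer.properties
ISSUER_PROPERTIES = """\
# an emailAddress name identifier
Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
formatting.template=%PRINCIPAL%@example.org
# FriendlyName="mail"
Attribute.EMAIL.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.EMAIL.Name=urn:mace:dir:attribute-def:mail
Attribute.EMAIL.Value=trscavo@example.org
# a level 1 proxy issued by the GridShib SAML Tools
certLocation=file:/C:/temp/testcredential.pem
keyLocation=file:/C:/temp/testcredential.pem
"""

if __name__ == "__main__":
    props = parse_properties(ISSUER_PROPERTIES)
    print(ET.tostring(name_identifier(props, "trscavo")).decode())
    print(ET.tostring(attribute_statement(props)).decode())
    print(expand_placeholders("file:/%TEMP%/x509up_u_%USERNAME%",
                              {"TEMP": r"C:\DOCUME~1\TOM\LOCALS~1\Temp", "USERNAME": "tom"}))
```

Counting the Attribute elements from the properties before issuing a proxy is a cheap way to predict the numbers the tutorial quotes (two attributes from the default configuration, one from this file), so a mismatch in the container logs points at the properties file rather than at the authz chain.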