<ol>
<li>Install the binary version of <a href="http://www.globus.org/toolkit/downloads/4.0.4/#wscore_bin">Java WS Core 4.0.4</a> on Windows.
<blockquote>The binary version of Java WS Core is simplest, but the source version works just as well.</blockquote>
<ol>
<li>Extract the <a href="http://www-unix.globus.org/toolkit/survey/index.php?download=ws-core-4.0.4-bin.zip">ZIP archive</a> to any folder on your hard drive (say, c:\globus).</li>
<li>Open a Command Prompt window, change directory to the installation directory, and set the <code>GLOBUS_LOCATION</code> environment variable (the variable name is <em>case sensitive</em>, even on Windows):
<pre>> <b>cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4</b>
> <b>set GLOBUS_LOCATION=%CD%</b>
> <b>echo %GLOBUS_LOCATION%</b></pre></li>
<li>For debugging purposes, add the following line to %GLOBUS_LOCATION%\container-log4j.properties:
<pre>log4j.category.org.globus.gridshib.gt=DEBUG</pre></li>
<li>As a crude test, start the container (with transport-level security disabled):
<pre>> <b>bin\globus-start-container -nosec</b>
Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
With the following services:
[1]: http://141.142.251.212:8080/wsrf/services/AdminService
[2]: http://141.142.251.212:8080/wsrf/services/AuthzCalloutTestService
[3]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryEntryService
[4]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryService
[5]: http://141.142.251.212:8080/wsrf/services/CounterService
[6]: http://141.142.251.212:8080/wsrf/services/ManagementService
[7]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerFactoryService
[8]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerService
[9]: http://141.142.251.212:8080/wsrf/services/NotificationTestService
[10]: http://141.142.251.212:8080/wsrf/services/PersistenceTestSubscriptionManager
[11]: http://141.142.251.212:8080/wsrf/services/SampleAuthzService
[12]: http://141.142.251.212:8080/wsrf/services/SecureCounterService
[13]: http://141.142.251.212:8080/wsrf/services/SecurityTestService
[14]: http://141.142.251.212:8080/wsrf/services/ShutdownService
[15]: http://141.142.251.212:8080/wsrf/services/SubscriptionManagerService
[16]: http://141.142.251.212:8080/wsrf/services/TestAuthzService
[17]: http://141.142.251.212:8080/wsrf/services/TestRPCService
[18]: http://141.142.251.212:8080/wsrf/services/TestService
[19]: http://141.142.251.212:8080/wsrf/services/TestServiceRequest
[20]: http://141.142.251.212:8080/wsrf/services/TestServiceWrongWSDL
[21]: http://141.142.251.212:8080/wsrf/services/Version
[22]: http://141.142.251.212:8080/wsrf/services/WidgetNotificationService
[23]: http://141.142.251.212:8080/wsrf/services/WidgetService
[24]: http://141.142.251.212:8080/wsrf/services/gsi/AuthenticationService</pre>
Press Ctrl-C to abort the container.</li>
</ol></li>
<li>Install a trusted certificate
<blockquote>In what follows, we will use a GridShib CA-issued end-entity certificate (EEC) to authenticate to GT services. We will also issue proxy certificates using a GridShib CA-issued EEC. Thus the container needs to be configured to trust certificates issued by the GridShib CA.</blockquote>
<ol>
<li>Download the <a href="http://gridshib.globus.org/downloads/gridshib-ca-cert.zip">public certificate</a> of the GridShib CA.</li>
<li>Extract the ZIP archive to folder "%USERPROFILE%\.globus\certificates":
<pre>> <b>dir "%USERPROFILE%\.globus\certificates"</b>
...
02/19/2007 10:15 PM 1,667 bfcd1f28.0
02/19/2007 10:15 PM 239 bfcd1f28.signing_policy</pre></li>
</ol></li>
<li>Obtain a user certificate and stop the container normally.
<ol>
<li>In the previous Command Prompt window, start the container again:
<pre>> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\globus-start-container -nosec</b>
Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
With the following services...</pre></li>
<li>Open another Command Prompt window and try to stop the container:
<pre>> <b>cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4</b>
> <b>set GLOBUS_LOCATION=%CD%</b>
> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\globus-stop-container</b>
Error: ; nested exception is:
GSSException: Defective credential detected [Caused by:
Proxy file (C:\DOCUME~1\TOMSCA~1\LOCALS~1\Temp\x509up_u_tom scavo) not found.]</pre>
</li>
<li>Press Ctrl-C to abort the container.</li>
<li>Obtain a short-term X.509 end-entity credential from the online <a href="https://computer.ncsa.uiuc.edu/gridshib-ca-0.4.0/">GridShib CA</a>.</li>
<li>In the first Command Prompt window, start the container as before.</li>
<li>In the second Command Prompt window, try to stop the container again:
<pre>> <b>bin\globus-stop-container</b>
Error: ; nested exception is:
java.net.ConnectException: Connection refused: connect</pre>
</li>
<li>Finally, stop the container normally, authenticating with your GridShib CA-issued credential via Secure Message:
<pre>> <b>bin\globus-stop-container -s http://localhost:8080/wsrf/services/ShutdownService -m msg</b></pre>
</li>
</ol></li>
<li>Start and stop a secure container.
<blockquote>For the rest of this tutorial, we require a secure container.</blockquote>
<ol>
<li>In the first Command Prompt window, start the container:
<pre>> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
<li>In the second Command Prompt window, stop the container:
<pre>> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\globus-stop-container</b></pre></li>
</ol></li>
<li>Request the <code>SecureCounterService</code>, authenticating with your EEC via Secure Conversation.
<ol>
<li>In the first Command Prompt window, start the container:
<pre>> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
<li>In the second Command Prompt window, request a service:
<pre>> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\counter-client -m conv -z none
-s https://localhost:8443/wsrf/services/SecureCounterService</b>
Got notification with value: 3
Counter has value: 3
Got notification with value: 13</pre></li>
<li>In the second Command Prompt window, stop the container:
<pre>> <b>bin\globus-stop-container</b></pre></li>
</ol></li>
<li>Install <a href="http://gridshib.globus.org/download.html#gridshib-gt">GridShib for GT v0.6.0</a> on Windows.
<ol>
<li>Download the GS4GT v0.6.0 source distribution (<a href="http://gridshib.globus.org/downloads/gridshib-gt-0_6_0-tp1-src.zip">ZIP archive</a>) from the GridShib web site. (A <a href="http://gridshib.globus.org/downloads/gridshib-gt-0_6_0-tp1-src.tar.gz">GZIP archive</a> is also available for UNIX users.)</li>
<li>Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).</li>
<li>In the second Command Prompt window, type the following commands:
<pre>> <b>cd c:\gridshib\gridshib-gt-0_6_0-src\gridshib-gt-0_6_0</b>
> <b>echo %GLOBUS_LOCATION%</b>
> <b>ant deploy</b>
> <b>ant deploy-echoservice</b></pre></li>
</ol></li>
<li>Request the <code>ShibEchoService</code>, authenticating with your EEC.
<blockquote>Note: An EEC obtained from the GridShib CA contains a bound SAML assertion with no attributes. Thus you will see one "attribute" in the logs, namely, the value of the <code>NameIdentifier</code> element of the assertion.</blockquote>
<ol>
<li>In the first Command Prompt window, start the container:
<pre>> <b>echo %GLOBUS_LOCATION%</b>
> <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
<li>In the second Command Prompt window, copy your EEC to a preconfigured location and request the service:
<pre>> <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none
-s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
You should receive one attribute in the response.</li>
<li>In the second Command Prompt window, stop the container.</li>
</ol></li>
<li>Install <a href="http://gridshib.globus.org/download.html#saml-tools">GridShib SAML Tools v0.1.4</a> on Windows. (See the <a href="http://gridshib.globus.org/docs/gridshib-saml-tools/install.html">Installation Notes</a> for detailed information about GridShib SAML Tools.)
<blockquote>Note: We will configure the SAML Tools to sign proxy certificates using your GridShib CA-issued EEC by default.</blockquote>
<ol>
<li>Download the GridShib SAML Tools v0.1.4 source distribution (<a href="http://gridshib.globus.org/downloads/gridshib-saml-tools-0_1_4.zip">ZIP archive</a>) from the GridShib web site. (A <a href="http://gridshib.globus.org/downloads/gridshib-saml-tools-0_1_4.tar.gz">GZIP archive</a> is also available for UNIX users.)</li>
<li>Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).</li>
<li>In a third Command Prompt window, type the following commands:
<pre>> <b>cd c:\gridshib\gridshib-saml-tools-0_1_4</b>
> <b>set GRIDSHIB_HOME=%CD%</b>
> <b>ant install</b></pre></li>
<li>Uncomment the following lines in %GRIDSHIB_HOME%\etc\gridshib\tools\gridshib-saml-issuer.properties:
<pre># an EEC issued by the GridShib CA
certLocation=file:/%TEMP%/x509up_u_%USERNAME%
keyLocation=file:/%TEMP%/x509up_u_%USERNAME%</pre>
Replace the placeholders <code>%TEMP%</code> and <code>%USERNAME%</code> with their actual values, changing the backslashes to forward slashes for proper URL syntax.</li>
</ol></li>
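<p>The placeholder replacement in the previous step is easy to get wrong (a leftover <code>%TEMP%</code>, or backslashes in what must be a <code>file:</code> URL). The following helper, added here as an illustration and not part of the GridShib SAML Tools, renders the two <code>certLocation</code>/<code>keyLocation</code> lines from a Windows temp directory and user name, and checks an existing properties file for those two mistakes. The sample paths are constructed; the <code>x509up_u_&lt;username&gt;</code> file name is the one shown in the tutorial's own output.</p>

```python
"""Render and check the certLocation/keyLocation lines of
gridshib-saml-issuer.properties.  Added helper, not GridShib code; the
property names and file: URL form are taken from the tutorial's snippet."""
from pathlib import PureWindowsPath
from typing import List

LOCATION_KEYS = ("certLocation", "keyLocation")

def proxy_file_url(temp_dir: str, username: str) -> str:
    """Windows path + user name -> file: URL with forward slashes, the form the
    tutorial asks for.  A user name containing a space is kept verbatim; the
    tutorial's own proxy file name (x509up_u_tom scavo) contains one."""
    path = PureWindowsPath(temp_dir) / f"x509up_u_{username}"
    return "file:/" + path.as_posix()        # as_posix() turns '\' into '/'

def render_issuer_properties(temp_dir: str, username: str) -> str:
    """Produce the three lines the tutorial tells you to uncomment, with the
    placeholders already expanded."""
    url = proxy_file_url(temp_dir, username)
    return "\n".join(["# an EEC issued by the GridShib CA",
                      f"certLocation={url}",
                      f"keyLocation={url}"]) + "\n"

def validate_locations(properties_text: str) -> List[str]:
    """Report certLocation/keyLocation values that still carry a cmd-style
    %PLACEHOLDER%, contain backslashes, or are not file: URLs at all."""
    problems: List[str] = []
    for line in properties_text.splitlines():
        key, sep, val = line.partition("=")
        if line.startswith("#") or not sep or key not in LOCATION_KEYS:
            continue                          # comment, blank or unrelated key
        if "%" in val:
            problems.append(f"{key}: unexpanded placeholder in {val}")
        if "\\" in val:
            problems.append(f"{key}: backslash in file: URL {val}")
        if not val.startswith("file:/"):
            problems.append(f"{key}: not a file: URL: {val}")
    return problems

if __name__ == "__main__":
    # Constructed sample values; on a real box use %TEMP% and %USERNAME%.
    text = render_issuer_properties(r"C:\DOCUME~1\TOMSCA~1\LOCALS~1\Temp", "tom")
    print(text, validate_locations(text))
```

<p>Run it against the edited properties file (for example <code>validate_locations(open(path).read())</code>) and an empty list means both location lines are in the expected form.</p>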
<li>Reconfigure the <code>ShibEchoService</code>.
<blockquote>By default, the <code>ShibEchoService</code> is configured to accept all attributes (i.e., no authorization). We now expand the authorization chain to include <em>Attribute Acceptance Policy</em> and <em>Attribute-based Authorization Policy</em>. These policy checks are enabled by <code>AttributeAcceptancePIP</code> and <code>SAMLAttributePDP</code>, respectively.</blockquote>
<ol>
<li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP"/&gt;</pre>
and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
shibecho:org.globus.gridshib.AttributeAcceptancePIP
shibecho:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
This enables <code>AttributeAcceptancePIP</code> and <code>SAMLAttributePDP</code> in the authz chain.</li>
</ol></li>
<li>Configure the <code>AttributeAcceptancePIP</code>.
<blockquote>In the current version of GridShib for GT, Attribute Acceptance Policy boils down to a list of <em>trusted SAML authorities</em>. Attributes are accepted from a SAML issuer if and only if the issuer's <code>entityID</code> is on this list. By default, the GridShib CA's <code>entityID</code> is on this list. We now add a proxy issuer to the list of trusted SAML authorities.</blockquote>
<ol>
<li>Obtain the Subject DN of your GridShib CA-issued EEC:
<pre>> <b>%GLOBUS_LOCATION%\bin\rfc2253dn</b></pre></li>
<li>Add the <em>RFC 2253 form</em> of your Subject DN to the trusted SAML authorities file %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\trusted-saml-authorities.txt.</li>
</ol></li>
<li>Request the <code>ShibEchoService</code>, authenticating with a level 1 proxy credential.
<blockquote>Since the GridShib SAML Tools issue an assertion with two attributes by default, you will see a total of four (4) attributes in the logs: the <code>NameIdentifier</code> from the assertion bound to the EEC, plus the two attributes and the <code>NameIdentifier</code> from the assertion bound to the level 1 proxy.</blockquote>
<ol>
<li>In the third Command Prompt window, issue a level 1 proxy:
<pre>> <b>%GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo
--authn --x509 --outfile c:\temp\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255</b></pre></li>
<li>In the first Command Prompt window, start the container.</li>
<li>In the second Command Prompt window, set the proxy path and request the service:
<pre>> <b>set X509_USER_PROXY=c:\temp\testcredential.pem</b>
> <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none
-s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
You should receive four attributes in the response.</li>
<li>In the second Command Prompt window, stop the container.</li>
</ol></li>
<li>Reconfigure the <code>ShibEchoService</code>.
<blockquote>A <em>master PDP</em> controls other PIPs and PDPs. For example, the <code>GridShibPushPDP</code> is functionally equivalent to the authz chain configured previously.</blockquote>
<ol>
<li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
shibecho:org.globus.gridshib.AttributeAcceptancePIP
shibecho:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/&gt;</pre>
This enables the master PDP <code>GridShibPushPDP</code>.</li>
</ol></li>
<li>Request the <code>ShibEchoService</code>, authenticating with a level 1 proxy credential <em>via Secure Message</em>.
<blockquote>The previous request defaulted to transport-level security. To pass the SAML assertions at the message level, all that's needed is a simple command-line switch.</blockquote>
<ol>
<li>In the first Command Prompt window, start the container.</li>
<li>In the second Command Prompt window, request the service:
<pre>> <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none -m msg
-s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
You should receive four attributes in the response.</li>
<li>In the second Command Prompt window, stop the container.</li>
</ol></li>
<li>Reconfigure the <code>ShibEchoService</code>.
<ol>
<li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/&gt;</pre>
and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
shibecho:org.globus.gridshib.AttributeAcceptancePIP
shibecho1:org.globus.gridshib.SAMLAttributePDP
shibecho2:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
This enables <code>SAMLAttributePDP</code> <em>twice</em> in the authz chain. Each invocation of <code>SAMLAttributePDP</code> is associated with its own policy file. (See %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\server-config.wsdd for the policy file configuration.)</li>
</ol></li>
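<p>The authz chain configured above (<code>SAMLAssertionPushPIP</code>, then <code>AttributeAcceptancePIP</code> with its list of trusted SAML authorities, then one or more <code>SAMLAttributePDP</code> instances each with its own policy) is compact enough to model end to end. The following is an added illustration, not GridShib or Globus code: the function names mirror the PIPs and PDP from the security descriptor, but the data model, the policy file shape, the trusted-authorities file shape, the CA <code>entityID</code>, the subject DNs and the level 1 attribute names are constructed for the example. It also includes a small <code>rfc2253</code> helper that turns an OpenSSL one-line DN into the RFC 2253 form that the <code>rfc2253dn</code> tool prints and the trusted-authorities file expects, and it reproduces the attribute counts the tutorial quotes (1 for the EEC alone, 4 with a level 1 proxy, 6 with a level 2 proxy).</p>

```python
"""Toy model of the ShibEchoService authz chain from this tutorial:
SAMLAssertionPushPIP -> AttributeAcceptancePIP -> SAMLAttributePDP (x2).
Added illustration, not GridShib/Globus code; data shapes are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# --- RFC 2253 form of a DN (the form the tutorial's rfc2253dn tool prints) ---
_SPECIAL = ',+"\\<>;'

def _escape(value: str) -> str:
    """Backslash-escape RFC 2253 specials, a leading '#' or space, a trailing space."""
    last, out = len(value) - 1, []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def rfc2253(slash_dn: str) -> str:
    """OpenSSL one-line DN (/C=US/O=Org/CN=Name) -> RFC 2253: RDNs reversed
    (most specific first), comma separated.  Assumes no '/' inside values."""
    rdns = [r for r in slash_dn.split("/") if r]
    return ",".join(f"{t}={_escape(v)}" for t, _, v in
                    (r.partition("=") for r in reversed(rdns)))

# --- credential chain with bound SAML assertions -----------------------------
@dataclass
class Assertion:
    issuer: str                              # SAML Issuer (entityID)
    name_id: str                             # NameIdentifier
    attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class Cert:
    subject_dn: str                          # RFC 2253 form
    assertion: Optional[Assertion] = None    # assertion bound to this cert

Attr = Tuple[str, str, str]                  # (issuer, name, value)

def saml_assertion_push_pip(chain: List[Cert]) -> List[Attr]:
    """Collect every assertion bound to a cert in the chain.  As in the
    tutorial's log counts, each NameIdentifier is reported as an attribute."""
    found: List[Attr] = []
    for cert in chain:
        if cert.assertion is not None:
            a = cert.assertion
            found.append((a.issuer, "NameIdentifier", a.name_id))
            found.extend((a.issuer, n, v) for n, v in a.attributes.items())
    return found

def load_trusted_authorities(text: str) -> Set[str]:
    """trusted-saml-authorities.txt modelled as one entityID per non-blank line."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}

def attribute_acceptance_pip(attrs: List[Attr], trusted: Set[str]) -> List[Attr]:
    """Attribute Acceptance Policy: keep an attribute iff its issuer is trusted."""
    return [a for a in attrs if a[0] in trusted]

def saml_attribute_pdp(attrs: List[Attr], policy: Dict[str, Set[str]]) -> bool:
    """Attribute-based Authorization Policy (assumed shape: required attribute
    name -> allowed values).  Permit iff every requirement is satisfied."""
    return all(any(n == name and v in allowed for _, n, v in attrs)
               for name, allowed in policy.items())

def authorize(chain: List[Cert], trusted: Set[str],
              policies: List[Dict[str, Set[str]]]) -> Tuple[bool, List[Attr]]:
    """Run the chain.  Like a GT4 authz chain, permit only if every PDP permits;
    each PDP instance evaluates its own policy, as shibecho1/shibecho2 do."""
    accepted = attribute_acceptance_pip(saml_assertion_push_pip(chain), trusted)
    return all(saml_attribute_pdp(accepted, p) for p in policies), accepted

# --- constructed sample data mirroring the tutorial's credential chain --------
CA_ENTITY_ID = "urn:example:gridshib-ca"                # placeholder entityID
EEC_DN = rfc2253("/C=US/O=NCSA/CN=Tom Scavo")           # constructed subject
MAIL = "urn:mace:dir:attribute-def:mail"                # attribute from the tutorial

def build_chain(proxy_levels: int) -> List[Cert]:
    """EEC (NameIdentifier only), then a level 1 proxy (NameIdentifier + 2
    constructed attrs), then a level 2 proxy (NameIdentifier + mail).  Both
    proxy assertions name the EEC's DN as issuer, the entry the tutorial adds
    to the trusted list."""
    chain = [Cert(EEC_DN, Assertion(CA_ENTITY_ID, "trscavo"))]
    if proxy_levels >= 1:
        chain.append(Cert("CN=proxy," + EEC_DN, Assertion(EEC_DN, "trscavo",
            {"urn:example:attr-a": "a", "urn:example:attr-b": "b"})))
    if proxy_levels >= 2:
        chain.append(Cert("CN=proxy,CN=proxy," + EEC_DN, Assertion(EEC_DN,
            "trscavo@gmail.com", {MAIL: {"trscavo@gmail.com"}.pop()})))
    return chain

TRUSTED = load_trusted_authorities(f"{CA_ENTITY_ID}\n{EEC_DN}\n")
POLICIES = [{MAIL: {"trscavo@gmail.com"}}, {"NameIdentifier": {"trscavo"}}]
```

<p>With <code>TRUSTED</code> as built, the level 2 chain pushes six attributes and both PDPs permit; the level 1 chain pushes four but the first PDP denies because no <code>mail</code> attribute is present. Remove <code>EEC_DN</code> from the trusted list and the acceptance PIP drops everything the proxies carried, leaving only the EEC's <code>NameIdentifier</code>, which is exactly why the tutorial has you add the EEC's RFC 2253 DN to <code>trusted-saml-authorities.txt</code> before the proxy exercises.</p>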
<li>Reconfigure the GridShib SAML Tools.
<ol>
<li>Create config file c:\temp\gridshib-saml-issuer.properties with the following lines:
<pre># an emailAddress name identifier
Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
formatting.template=%PRINCIPAL%@gmail.com
# FriendlyName="mail"
Attribute.EMAIL.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.EMAIL.Name=urn:mace:dir:attribute-def:mail
Attribute.EMAIL.Value=trscavo@gmail.com
# a level 1 proxy issued by the GridShib SAML Tools
certLocation=file:/C:/temp/testcredential.pem
keyLocation=file:/C:/temp/testcredential.pem</pre></li>
</ol></li>
<li>Request the <code>ShibEchoService</code>, authenticating with a level 2 proxy credential.
<blockquote>In the previous step, the GridShib SAML Tools were configured to issue a level 2 proxy signed by a level 1 proxy. The level 2 proxy contains one attribute, so you should see a total of six attributes in the logs: three (3) <code>NameIdentifier</code> values and three (3) attribute values.</blockquote>
<ol>
<li>In the third Command Prompt window, issue a level 2 proxy:
<pre>> <b>%GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo
--authn --x509 --outfile c:\temp\testcredential.pem
--authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255
--config file:/c:/temp/gridshib-saml-issuer.properties</b></pre></li>
<li>In the first Command Prompt window, start the container.</li>
<li>In the second Command Prompt window, request the service as before. You should receive six attributes in the response.</li>
<li>In the second Command Prompt window, stop the container.</li>
</ol></li>
</ol>