{html}
<ol>
  <li>Install the binary version of <a href="http://www.globus.org/toolkit/downloads/4.0.4/#wscore_bin">Java WS Core&nbsp;4.0.4</a> on Windows.
    <blockquote>The binary version of Java WS Core is simplest, but the source version works just as well.</blockquote>
    <ol>
      <li>Extract the <a href="http://www-unix.globus.org/toolkit/survey/index.php?download=ws-core-4.0.4-bin.zip">ZIP archive</a> to any folder on your hard drive (say, c:\globus).</li>
      <li>Open a Command Prompt window, change directory to the installation directory, and set the <code>GLOBUS_LOCATION</code> environment variable (whose name is <em>case sensitive</em> here, even on Windows):
<pre>&gt; <b>cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4</b>
&gt; <b>set GLOBUS_LOCATION=%CD%</b>
&gt; <b>echo %GLOBUS_LOCATION%</b></pre></li>
      <li>For debugging purposes, add the following line to %GLOBUS_LOCATION%\container-log4j.properties:
<pre>log4j.category.org.globus.gridshib.gt=DEBUG</pre></li>
      <li>As a crude test, start the container (with transport-level security disabled):
<pre>&gt; <b>bin\globus-start-container -nosec</b>
Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
With the following services:

[1]: http://141.142.251.212:8080/wsrf/services/AdminService
[2]: http://141.142.251.212:8080/wsrf/services/AuthzCalloutTestService
[3]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryEntryService
[4]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryService
[5]: http://141.142.251.212:8080/wsrf/services/CounterService
[6]: http://141.142.251.212:8080/wsrf/services/ManagementService
[7]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerFactoryService
[8]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerService
[9]: http://141.142.251.212:8080/wsrf/services/NotificationTestService
[10]: http://141.142.251.212:8080/wsrf/services/PersistenceTestSubscriptionManager
[11]: http://141.142.251.212:8080/wsrf/services/SampleAuthzService
[12]: http://141.142.251.212:8080/wsrf/services/SecureCounterService
[13]: http://141.142.251.212:8080/wsrf/services/SecurityTestService
[14]: http://141.142.251.212:8080/wsrf/services/ShutdownService
[15]: http://141.142.251.212:8080/wsrf/services/SubscriptionManagerService
[16]: http://141.142.251.212:8080/wsrf/services/TestAuthzService
[17]: http://141.142.251.212:8080/wsrf/services/TestRPCService
[18]: http://141.142.251.212:8080/wsrf/services/TestService
[19]: http://141.142.251.212:8080/wsrf/services/TestServiceRequest
[20]: http://141.142.251.212:8080/wsrf/services/TestServiceWrongWSDL
[21]: http://141.142.251.212:8080/wsrf/services/Version
[22]: http://141.142.251.212:8080/wsrf/services/WidgetNotificationService
[23]: http://141.142.251.212:8080/wsrf/services/WidgetService
[24]: http://141.142.251.212:8080/wsrf/services/gsi/AuthenticationService</pre>
      Press Ctrl-C to abort the container.</li>
    </ol></li>

  <li>Install a trusted certificate
  <blockquote>In what follows, we will use a GridShib CA-issued end-entity certificate (EEC) to authenticate to GT services.  We will also issue proxy certificates using a GridShib CA-issued EEC.  Thus the container needs to be configured to trust certificates issued by the GridShib CA.</blockquote>
    <ol>
      <li>Download the <a href="http://gridshib.globus.org/downloads/gridshib-ca-cert.zip">public certificate</a> of the GridShib CA.</li>
      <li>Extract the ZIP archive to folder "%USERPROFILE%\.globus\certificates":
<pre>&gt; <b>dir "%USERPROFILE%\.globus\certificates"</b>
...
02/19/2007  10:15 PM             1,667 bfcd1f28.0
02/19/2007  10:15 PM               239 bfcd1f28.signing_policy</pre></li>
    </ol></li>

  <li>Obtain a user certificate and stop the container normally.
    <ol>
      <li>In the previous Command Prompt window, start the container again:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container -nosec</b>
Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
With the following services...</pre></li>
      <li>Open another Command Prompt window and try to stop the container:
<pre>&gt; <b>cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4</b>
&gt; <b>set GLOBUS_LOCATION=%CD%</b>
&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-stop-container</b>
Error: ; nested exception is:
GSSException: Defective credential detected [Caused by: 
Proxy file (C:\DOCUME~1\TOMSCA~1\LOCALS~1\Temp\x509up_u_tom scavo) not found.]</pre>
      </li>
      <li>Press Ctrl-C to abort the container.</li>
      <li>Obtain a short-term X.509 end-entity credential from the online <a href="https://computer.ncsa.uiuc.edu/gridshib-ca-0.4.0/">GridShib CA</a>.</li>
      <li>In the first Command Prompt window, start the container as before.</li>
      <li>In the second Command Prompt window, try to stop the container again:
<pre>&gt; <b>bin\globus-stop-container</b>
Error: ; nested exception is:
java.net.ConnectException: Connection refused: connect</pre>
      </li>
      <li>Finally, stop the container normally, authenticating with your GridShib CA-issued credential via Secure Message:
<pre>&gt; <b>bin\globus-stop-container -s http://localhost:8080/wsrf/services/ShutdownService -m msg</b></pre>
      </li>
    </ol></li>

  <li>Start and stop a secure container.
    <blockquote>For the rest of this tutorial, we require a secure container.</blockquote>
    <ol>
      <li>In the first Command Prompt window, start the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
      <li>In the second Command Prompt window, stop the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-stop-container</b></pre></li>
    </ol></li>

  <li>Request the <code>SecureCounterService</code>, authenticating with your EEC via Secure Conversation.
    <ol>
      <li>In the first Command Prompt window, start the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
      <li>In the second Command Prompt window, request a service:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\counter-client -m conv -z none 
    -s https://localhost:8443/wsrf/services/SecureCounterService</b>
Got notification with value: 3
Counter has value: 3
Got notification with value: 13</pre></li>
      <li>In the second Command Prompt window, stop the container:
<pre>&gt; <b>bin\globus-stop-container</b></pre></li>
    </ol></li>

  <li>Install <a href="http://gridshib.globus.org/download.html#gridshib-gt">GridShib for GT&nbsp;v0.6.0</a> on Windows.
    <ol>
      <li>Download the GS4GT&nbsp;v0.6.0 source distribution (<a href="http://gridshib.globus.org/downloads/gridshib-gt-0_6_0-tp1-src.zip">ZIP archive</a>) from the GridShib web site. (A <a href="http://gridshib.globus.org/downloads/gridshib-gt-0_6_0-tp1-src.tar.gz">GZIP archive</a> is also available for UNIX users.)</li>
      <li>Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).</li>
      <li>In the second Command Prompt window, type the following commands:
<pre>&gt; <b>cd c:\gridshib\gridshib-gt-0_6_0-src\gridshib-gt-0_6_0</b>
&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>ant deploy</b>
&gt; <b>ant deploy-echoservice</b></pre></li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with your EEC.
    <blockquote>Note: An EEC obtained from the GridShib CA contains a bound SAML assertion with no attributes.  Thus you will see one "attribute" in the logs, namely, the value of the <code>NameIdentifier</code> element of the assertion.</blockquote>
    <ol>
      <li>In the first Command Prompt window, start the container:
<pre>&gt; <b>echo %GLOBUS_LOCATION%</b>
&gt; <b>bin\globus-start-container</b>
Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
With the following services...</pre></li>
      <li>In the second Command Prompt window, copy your EEC to a preconfigured location and request the service:
<pre>&gt; <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none
    -s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
      You should receive one attribute in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>

  <li>Install <a href="http://gridshib.globus.org/download.html#saml-tools">GridShib SAML Tools&nbsp;v0.1.4</a> on Windows.  (See the <a href="http://gridshib.globus.org/docs/gridshib-saml-tools/install.html">Installation Notes</a> for detailed information about GridShib SAML Tools.)
    <blockquote>Note: We will configure the SAML Tools to sign proxy certificates using your GridShib CA-issued EEC by default.</blockquote>
    <ol>
      <li>Download the GridShib SAML Tools&nbsp;v0.1.4 source distribution (<a href="http://gridshib.globus.org/downloads/gridshib-saml-tools-0_1_4.zip">ZIP archive</a>) from the GridShib web site. (A <a href="http://gridshib.globus.org/downloads/gridshib-saml-tools-0_1_4.tar.gz">GZIP archive</a> is also available for UNIX users.)</li>
      <li>Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).</li>
      <li>In a third Command Prompt window, type the following commands:
<pre>&gt; <b>cd c:\gridshib\gridshib-saml-tools-0_1_4</b>
&gt; <b>set GRIDSHIB_HOME=%CD%</b>
&gt; <b>ant install</b></pre></li>
      <li>Uncomment the following lines in %GRIDSHIB_HOME%\etc\gridshib\tools\gridshib-saml-issuer.properties:
<pre># an EEC issued by the GridShib CA
certLocation=file:/%TEMP%/x509up_u_%USERNAME%
keyLocation=file:/%TEMP%/x509up_u_%USERNAME%</pre>
      Replace the placeholders <code>%TEMP%</code> and <code>%USERNAME%</code> with their actual values, changing the backslashes to forward slashes for proper URL syntax.</li>
    </ol></li>

  <li>Reconfigure the <code>ShibEchoService</code>.
    <blockquote>By default, the <code>ShibEchoService</code> is configured to accept all attributes (i.e., no authorization).  We now expand the authorization chain to include <em>Attribute Acceptance Policy</em> and <em>Attribute-based Authorization Policy</em>.  These policy checks are enabled by <code>AttributeAcceptancePIP</code> and <code>SAMLAttributePDP</code>, respectively.</blockquote>
    <ol>
      <li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP"/&gt;</pre>
      and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
              shibecho:org.globus.gridshib.AttributeAcceptancePIP 
              shibecho:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
      This enables <code>AttributeAcceptancePIP</code> and <code>SAMLAttributePDP</code> in the authz chain.</li>
    </ol></li>

  <li>Configure the <code>AttributeAcceptancePIP</code>.
    <blockquote>In the current version of GridShib for GT, Attribute Acceptance Policy boils down to a list of <em>trusted SAML authorities</em>.  Attributes are accepted from a SAML issuer if and only if the issuer's <code>entityID</code> is on this list.  By default, the GridShib CA's <code>entityID</code> is on this list.  We now add a proxy issuer to the list of trusted SAML authorities.</blockquote>
    <ol>
      <li>Obtain the Subject DN of your GridShib CA-issued EEC:
<pre>&gt; <b>%GLOBUS_LOCATION%\bin\rfc2253dn</b></pre></li>
      <li>Add the <em>RFC&nbsp;2253 form</em> of your Subject DN to the trusted SAML authorities file %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\trusted-saml-authorities.txt.</li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with a level&nbsp;1 proxy credential.
    <blockquote>Since the GridShib SAML Tools issue an assertion with two attributes by default, you will see a total of four (4) attributes in the logs: the <code>NameIdentifier</code> from the assertion bound to the EEC, plus the two attributes and the <code>NameIdentifier</code> from the assertion bound to the level&nbsp;1 proxy.</blockquote>
    <ol>
      <li>In the third Command Prompt window, issue a level&nbsp;1 proxy:
<pre>&gt; <b>%GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo 
    --authn --x509 --outfile c:\temp\testcredential.pem 
    --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255</b></pre></li>
      <li>In the first Command Prompt window, start the container.</li>
      <li>In the second Command Prompt window, set the proxy path and request the service:
<pre>&gt; <b>set X509_USER_PROXY=c:\temp\testcredential.pem</b>
&gt; <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none
    -s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
      You should receive four attributes in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>

  <li>Reconfigure the <code>ShibEchoService</code>.
    <blockquote>A <em>master PDP</em> controls other PIPs and PDPs.  For example, the <code>GridShibPushPDP</code> is functionally equivalent to the authz chain configured previously.</blockquote>
    <ol>
      <li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
              shibecho:org.globus.gridshib.AttributeAcceptancePIP 
              shibecho:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
      and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/&gt;</pre>
      This enables the master PDP <code>GridShibPushPDP</code>.</li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with a level&nbsp;1 proxy credential <em>via Secure Message</em>.
    <blockquote>The previous request defaulted to transport-level security.  To pass the SAML assertions at the message level, all that's needed is a simple command-line switch.</blockquote>
    <ol>
      <li>In the first Command Prompt window, start the container.</li>
      <li>In the second Command Prompt window, request the service:
<pre>&gt; <b>%GLOBUS_LOCATION%\bin\shibecho -d -z none -m msg
    -s https://localhost:8443/wsrf/services/ShibEchoService</b></pre>
      You should receive four attributes in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>

  <li>Reconfigure the <code>ShibEchoService</code>.
    <ol>
      <li>In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/&gt;</pre>
      and uncomment this line
<pre>&lt;authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
              shibecho:org.globus.gridshib.AttributeAcceptancePIP 
              shibecho1:org.globus.gridshib.SAMLAttributePDP
              shibecho2:org.globus.gridshib.SAMLAttributePDP"/&gt;</pre>
      This enables <code>SAMLAttributePDP</code> <em>twice</em> in the authz chain.  Each invocation of <code>SAMLAttributePDP</code> is associated with its own policy file.  (See %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\server-config.wsdd for the policy file configuration.)</li>
    </ol></li>
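The three "Reconfigure the <code>ShibEchoService</code>" steps above all edit the same <code>&lt;authz value="..."/&gt;</code> element by commenting one chain out and uncommenting another. The following script, added here as an illustration and not part of GridShib or Globus, parses a security descriptor, splits the active authz chain into <code>scope:class</code> entries, and reports whether the chain contains any PDP at all (a PIP-only chain is the accept-all state the tutorial starts from), how many distinct <code>SAMLAttributePDP</code> scopes are present, and whether zero or more than one <code>&lt;authz&gt;</code> element is uncommented. The sample descriptor is constructed for the example; only its <code>authz</code> values come from the tutorial, and the root element and namespace are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the three chains the tutorial switches
# between, with two of them commented out, as the tutorial instructs, so
# that exactly one <authz> element is active. Root element and namespace
# are assumptions, not copied from the real file.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
  <!-- <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP"/> -->
  <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
                shibecho:org.globus.gridshib.AttributeAcceptancePIP
                shibecho1:org.globus.gridshib.SAMLAttributePDP
                shibecho2:org.globus.gridshib.SAMLAttributePDP"/>
  <!-- <authz value="shibecho:org.globus.gridshib.GridShibPushPDP"/> -->
</securityConfig>
"""


def parse_chain(value):
    """Split an authz value into (scope, class) pairs, one per interceptor."""
    pairs = []
    for token in value.split():
        scope, sep, cls = token.partition(":")
        if not sep or not scope or not cls:
            raise ValueError(f"malformed authz entry: {token!r}")
        pairs.append((scope, cls))
    return pairs


def active_chains(xml_text):
    """Chains of every uncommented <authz> element, whatever its namespace.
    XML comments are discarded by the parser, so commented-out chains
    never count as active."""
    root = ET.fromstring(xml_text)
    return [parse_chain(el.attrib["value"])
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "authz" and "value" in el.attrib]


def audit_chain(chain):
    """Summarise what a chain enforces.

    PIPs only gather attributes; a chain without a PDP (including a master
    PDP such as GridShibPushPDP) makes no authorization decision, which is
    the accept-all state the tutorial starts from. Two entries with the
    same class but different scopes (shibecho1, shibecho2) are separate
    instances, each bound to its own policy file in server-config.wsdd.
    """
    pips = [cls for _, cls in chain if cls.endswith("PIP")]
    pdps = [(scope, cls) for scope, cls in chain if cls.endswith("PDP")]
    return {
        "pips": pips,
        "pdps": pdps,
        "enforces_authz": bool(pdps),
        "distinct_pdp_scopes": len({scope for scope, _ in pdps}),
        "duplicate_entries": len(chain) != len(set(chain)),
    }


def audit_descriptor(xml_text):
    """Audit the single active chain; zero or several active <authz>
    elements is the misconfiguration that comment-out/uncomment editing
    most easily produces."""
    chains = active_chains(xml_text)
    if len(chains) != 1:
        raise ValueError(f"expected exactly one active <authz>, found {len(chains)}")
    return audit_chain(chains[0])


if __name__ == "__main__":
    print(audit_descriptor(SAMPLE_DESCRIPTOR))
```

Running the script on the real <code>echo-service-security-descriptor.xml</code> after each reconfiguration step is a quick way to confirm that exactly one chain is active and that it still ends in a PDP.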

  <li>Reconfigure the GridShib SAML Tools.
    <ol>
      <li>Create config file c:\temp\gridshib-saml-issuer.properties with the following lines:
<pre># an emailAddress name identifier
Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
formatting.template=%PRINCIPAL%@gmail.com
# FriendlyName="mail"
Attribute.EMAIL.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
Attribute.EMAIL.Name=urn:mace:dir:attribute-def:mail
Attribute.EMAIL.Value=trscavo@gmail.com
# a level 1 proxy issued by the GridShib SAML Tools
certLocation=file:/C:/temp/testcredential.pem
keyLocation=file:/C:/temp/testcredential.pem</pre></li>
    </ol></li>

  <li>Request the <code>ShibEchoService</code>, authenticating with a level&nbsp;2 proxy credential.
    <blockquote>In the previous step, the GridShib SAML Tools were configured to issue a level&nbsp;2 proxy signed by the level&nbsp;1 proxy.  The level&nbsp;2 proxy carries one attribute, so you should see a total of six (6) attributes in the logs: three (3) <code>NameIdentifier</code> values and three (3) attribute values.</blockquote>
    <ol>
      <li>In the third Command Prompt window, issue a level&nbsp;2 proxy:
<pre>&gt; <b>%GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo 
    --authn --x509 --outfile c:\temp\testcredential.pem 
    --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255 
    --config file:/c:/temp/gridshib-saml-issuer.properties</b></pre></li>
      <li>In the first Command Prompt window, start the container.</li>
      <li>In the second Command Prompt window, request the service as before.  You should receive six attributes in the response.</li>
      <li>In the second Command Prompt window, stop the container.</li>
    </ol></li>
</ol>
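The "Configure the <code>AttributeAcceptancePIP</code>" step and the two proxy-credential requests above rest on one rule: attributes are accepted from a SAML issuer only if that issuer is on the trusted SAML authorities list, where a proxy issuer is identified by the RFC&nbsp;2253 form of its Subject DN. The following model, added here as an illustration and not taken from GridShib, converts a slash-form DN to RFC&nbsp;2253 (the form <code>rfc2253dn</code> prints and the trusted list expects), applies the acceptance rule to the assertions pushed with an EEC, a level&nbsp;1 proxy and a level&nbsp;2 proxy, and reproduces the attribute totals the tutorial predicts (1, 4 and 6) while showing what is lost when the EEC DN is not trusted. Every identifier in it is constructed: the GridShib CA's entityID, the user DN, the default attribute names issued by the SAML Tools and the line format of <code>trusted-saml-authorities.txt</code> are assumptions, and trust for both proxy levels is keyed on the EEC DN because the tutorial adds only that DN to the list and still observes six attributes.

```python
from dataclasses import dataclass, field

# Characters that RFC 2253 requires escaping inside an attribute value.
_SPECIAL = ',+"\\<>;'


def _escape(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def slash_dn_to_rfc2253(slash_dn):
    """Turn the OpenSSL one-line form (/C=US/O=Org/CN=User) into RFC 2253
    (CN=User,O=Org,C=US): RDNs in reverse order, comma separated, escaped.
    Assumes no attribute value itself contains '/'."""
    rdns = []
    for part in slash_dn.split("/"):
        if not part:
            continue
        attr, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"bad RDN: {part!r}")
        rdns.append(f"{attr}={_escape(val)}")
    return ",".join(reversed(rdns))


@dataclass
class Assertion:
    issuer: str                 # entityID of a CA, or RFC 2253 DN of a proxy issuer
    name_identifier: str
    attributes: dict = field(default_factory=dict)


def load_trusted_authorities(text):
    """One issuer per line; blank lines and '#' comments ignored (assumed format)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def filter_attributes(chain, trusted):
    """Apply the acceptance rule to every assertion pushed with the credential.
    Returns (accepted, rejected) lists of (issuer, name, value). The
    NameIdentifier counts as one attribute, as the tutorial's log counts do."""
    accepted, rejected = [], []
    for a in chain:
        items = [("NameIdentifier", a.name_identifier)] + list(a.attributes.items())
        bucket = accepted if a.issuer in trusted else rejected
        bucket.extend((a.issuer, n, v) for n, v in items)
    return accepted, rejected


# --- constructed sample data (placeholders, not real GridShib values) ----------
GRIDSHIB_CA = "urn:example:gridshib-ca"
EEC_DN = slash_dn_to_rfc2253("/C=US/O=Example Org/CN=Example User")

# EEC: bound assertion with a NameIdentifier and no attributes.
EEC = Assertion(GRIDSHIB_CA, "exampleuser")
# Level 1 proxy: NameIdentifier plus the two default attributes (names constructed).
PROXY1 = Assertion(EEC_DN, "exampleuser",
                   {"urn:example:attr-1": "a", "urn:example:attr-2": "b"})
# Level 2 proxy: emailAddress NameIdentifier plus one mail attribute, following
# the custom gridshib-saml-issuer.properties in the tutorial. Trust is keyed on
# the EEC DN for both proxy levels (modelling assumption, see lead-in).
PROXY2 = Assertion(EEC_DN, "exampleuser@example.org",
                   {"urn:mace:dir:attribute-def:mail": "exampleuser@example.org"})

DEFAULT_TRUST = f"# trusted SAML authorities (constructed)\n{GRIDSHIB_CA}\n"
EXPANDED_TRUST = DEFAULT_TRUST + EEC_DN + "\n"


def accepted_count(chain, trust_text):
    """Number of attributes the service would log for this chain and trust list."""
    accepted, _ = filter_attributes(chain, load_trusted_authorities(trust_text))
    return len(accepted)


if __name__ == "__main__":
    for label, chain in [("EEC", [EEC]), ("level 1", [EEC, PROXY1]),
                         ("level 2", [EEC, PROXY1, PROXY2])]:
        print(label, accepted_count(chain, DEFAULT_TRUST),
              accepted_count(chain, EXPANDED_TRUST))
```

With only the CA on the list, every proxy-bound assertion is silently dropped and the service sees one attribute whatever the proxy level; adding the EEC DN in RFC&nbsp;2253 form is what turns the counts into the 4 and 6 the tutorial expects.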
{html}