
GridShib for Globus Toolkit Installation

A lightweight alternative to installing the full Globus Toolkit is to install only the Java WS Core component of GT4 and then install GridShib for GT on top of it. In fact, this is the only option on Windows, since the full Globus Toolkit does not run there. So the following "Quick Start" guide shows how to layer GridShib for GT on top of Java WS Core on Windows.

This page gives detailed instructions for installing Java WS Core and GridShib for GT on Windows. Software requirements include JDK 1.4.2 (or higher) and Ant 1.6 (or higher), which we assume are already installed on Windows.


  1. Install the binary version of Java WS Core 4.0.4 on Windows.
    1. Extract the ZIP archive to any folder on your hard drive (say, c:\globus).
    2. Open a Command Prompt window, change directory to the installation directory, and set the GLOBUS_LOCATION environment variable (the variable name is case sensitive here, even on Windows):
      > cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4
      > set GLOBUS_LOCATION=%CD%
      > echo %GLOBUS_LOCATION%
    3. Add the following line to %GLOBUS_LOCATION%\container-log4j.properties:
      log4j.category.org.globus.gridshib.gt=DEBUG
    4. As a crude test, start the container (with transport-level security disabled):
      > bin\globus-start-container -nosec
      Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
      With the following services:
      
      [1]: http://141.142.251.212:8080/wsrf/services/AdminService
      [2]: http://141.142.251.212:8080/wsrf/services/AuthzCalloutTestService
      [3]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryEntryService
      [4]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryService
      [5]: http://141.142.251.212:8080/wsrf/services/CounterService
      [6]: http://141.142.251.212:8080/wsrf/services/ManagementService
      [7]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerFactoryService
      [8]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerService
      [9]: http://141.142.251.212:8080/wsrf/services/NotificationTestService
      [10]: http://141.142.251.212:8080/wsrf/services/PersistenceTestSubscriptionManager
      [11]: http://141.142.251.212:8080/wsrf/services/SampleAuthzService
      [12]: http://141.142.251.212:8080/wsrf/services/SecureCounterService
      [13]: http://141.142.251.212:8080/wsrf/services/SecurityTestService
      [14]: http://141.142.251.212:8080/wsrf/services/ShutdownService
      [15]: http://141.142.251.212:8080/wsrf/services/SubscriptionManagerService
      [16]: http://141.142.251.212:8080/wsrf/services/TestAuthzService
      [17]: http://141.142.251.212:8080/wsrf/services/TestRPCService
      [18]: http://141.142.251.212:8080/wsrf/services/TestService
      [19]: http://141.142.251.212:8080/wsrf/services/TestServiceRequest
      [20]: http://141.142.251.212:8080/wsrf/services/TestServiceWrongWSDL
      [21]: http://141.142.251.212:8080/wsrf/services/Version
      [22]: http://141.142.251.212:8080/wsrf/services/WidgetNotificationService
      [23]: http://141.142.251.212:8080/wsrf/services/WidgetService
      [24]: http://141.142.251.212:8080/wsrf/services/gsi/AuthenticationService
      Press Ctrl-C to abort the container.
  2. Obtain a user certificate and stop the container normally.
    1. In the previous Command Prompt window, start the container again:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container -nosec
      Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/
      With the following services...
    2. Open another Command Prompt window and try to stop the container:
      > cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4
      > set GLOBUS_LOCATION=%CD%
      > echo %GLOBUS_LOCATION%
      > bin\globus-stop-container
      Error: ; nested exception is:
      GSSException: Defective credential detected [Caused by: 
      Proxy file (C:\DOCUME~1\TOMSCA~1\LOCALS~1\Temp\x509up_u_tom scavo) not found.]
    3. Press Ctrl-C to abort the container.
    4. Obtain a short-term X.509 end-entity credential from the GridShib CA.
    5. In the first Command Prompt window, start the container as before.
    6. In the second Command Prompt window, try to stop the container again:
      > bin\globus-stop-container
      Error: ; nested exception is:
      java.net.ConnectException: Connection refused: connect
    7. Finally, stop the container normally, authenticating at the message level using your GridShib CA-issued credential:
      > bin\globus-stop-container -s http://localhost:8080/wsrf/services/ShutdownService -m msg
  3. Start and stop a secure container
    1. In the first Command Prompt window, start the container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container
      Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
      With the following services...
    2. In the second Command Prompt window, stop the container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-stop-container
  4. Request the SecureCounterService
    1. In the first Command Prompt window, start the container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container
      Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
      With the following services...
    2. In the second Command Prompt window, request a service:
      > echo %GLOBUS_LOCATION%
      > bin\counter-client -s https://localhost:8443/wsrf/services/SecureCounterService -m conv -z none
      Got notification with value: 3
      Counter has value: 3
      Got notification with value: 13
    3. In the second Command Prompt window, stop the container:
      > bin\globus-stop-container
  5. Install GridShib for GT v0.6.0 on Windows.
    1. Download the GS4GT v0.6.0 source distribution (ZIP archive) from the GridShib web site. (A GZIP archive is also available.)
    2. Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).
    3. In the second Command Prompt window, type the following commands:
      > cd c:\gridshib\gridshib-gt-0_6_0-src\gridshib-gt-0_6_0
      > echo %GLOBUS_LOCATION%
      > ant deploy
      > ant deploy-echoservice
  6. Request the ShibEchoService, authenticating with your EEC.
    Note: An EEC obtained from the GridShib CA contains a bound SAML assertion but the assertion contains no attributes. Thus you will see one "attribute" in the logs, namely, the value of the NameIdentifier element of the assertion.
    1. In the first Command Prompt window, start the container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container
      Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
      With the following services...
    2. In the second Command Prompt window, copy your EEC to a preconfigured location and request the service:
      > copy "%TEMP%\x509up_u_%USERNAME%" c:\temp\testcredential.pem
      > %GLOBUS_LOCATION%\bin\shibecho -d 
          -s https://localhost:8443/wsrf/services/ShibEchoService 
          -f %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-client-security-descriptor.xml
    3. In the second Command Prompt window, stop the container.
  7. Install GridShib SAML Tools v0.1.4 on Windows.
    Note: We will configure the SAML Tools to sign proxy certificates using your GridShib CA-issued EEC by default.
    1. Download the GS-ST v0.1.4 source distribution (ZIP archive) from the GridShib web site. (A GZIP archive is also available.)
    2. Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).
    3. In a third Command Prompt window, type the following commands:
      > cd c:\gridshib\gridshib-saml-tools-0_1_4
      > set GRIDSHIB_HOME=%CD%
      > ant install
    4. Uncomment the following lines in %GRIDSHIB_HOME%\etc\gridshib\tools\gridshib-saml-issuer.properties:
      # an EEC issued by the GridShib CA
      certLocation=file:/%TEMP%/x509up_u_%USERNAME%
      keyLocation=file:/%TEMP%/x509up_u_%USERNAME%
      Replace the placeholders %TEMP% and %USERNAME% with their actual values, changing the backslashes to forward slashes for proper URL syntax.
  8. In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
    <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
                  shibecho:org.globus.gridshib.AttributeAcceptancePIP"/>
    and uncomment this line
    <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
                  shibecho:org.globus.gridshib.AttributeAcceptancePIP 
                  shibecho1:org.globus.gridshib.SAMLAttributePDP"/>
    This enables SAMLAttributePDP in the authz chain.
  9. Request the ShibEchoService, authenticating with a level 1 proxy credential.
    Since the GridShib SAML Tools issues an assertion with two attributes by default, you will see a total of four (4) attributes in the logs: the NameIdentifier from the assertion bound to the EEC, plus two attributes and a NameIdentifier from the assertion bound to the level 1 proxy.
    1. In the third Command Prompt window, issue a level 1 proxy:
      > %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo 
          --authn --x509 --outfile c:\temp\testcredential.pem 
          --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255
    2. In the first Command Prompt window, start the container.
    3. In the second Command Prompt window, request the service as before.
    4. In the second Command Prompt window, stop the container.
  10. In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
    <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
                  shibecho:org.globus.gridshib.AttributeAcceptancePIP 
                  shibecho1:org.globus.gridshib.SAMLAttributePDP"/>
    and uncomment this line
    <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP 
                  shibecho:org.globus.gridshib.AttributeAcceptancePIP 
                  shibecho1:org.globus.gridshib.SAMLAttributePDP
                  shibecho2:org.globus.gridshib.SAMLAttributePDP"/>
    This enables SAMLAttributePDP twice in the authz chain, each invocation having its own policy file.
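    An added sanity check for the authz chain edited in steps 8 and 10 (an example script, not part of GridShib or Globus): it parses the authz value into (scope, class) pairs and flags a class repeated under the same scope, since each SAMLAttributePDP invocation is selected by its scope and needs its own policy file. The enclosing securityConfig root element of the constructed sample is an assumption; only the authz element is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on echo-service-security-descriptor.xml as edited in
# step 10; the enclosing <securityConfig> root element is an assumption.
SAMPLE_DESCRIPTOR = """<securityConfig xmlns="http://www.globus.org">
  <authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP
                shibecho:org.globus.gridshib.AttributeAcceptancePIP
                shibecho1:org.globus.gridshib.SAMLAttributePDP
                shibecho2:org.globus.gridshib.SAMLAttributePDP"/>
</securityConfig>"""

def parse_authz_chain(xml_text):
    """Return the authz chain as an ordered list of (scope, class) pairs."""
    chain = []
    for elem in ET.fromstring(xml_text).iter():
        # ElementTree reports tags as '{namespace}authz'; compare the local name.
        if elem.tag.rsplit("}", 1)[-1] != "authz":
            continue
        for entry in elem.get("value", "").split():
            scope, sep, cls = entry.partition(":")
            if not (sep and scope and cls):
                raise ValueError("authz entry without scope prefix: %r" % entry)
            chain.append((scope, cls))
    return chain

def check_chain(chain):
    """Return problems found (empty list means OK). Rule 1: a class may repeat only
    under distinct scopes, because the scope selects that invocation's policy file.
    Rule 2: a PDP (name ending in 'PDP', the convention used here) must follow at
    least one PIP, since it decides on attributes the PIPs pushed."""
    problems, seen, pip_seen = [], set(), False
    for scope, cls in chain:
        if (scope, cls) in seen:
            problems.append("%s:%s listed twice under the same scope" % (scope, cls))
        seen.add((scope, cls))
        if cls.endswith("PIP"):
            pip_seen = True
        elif cls.endswith("PDP") and not pip_seen:
            problems.append("%s:%s runs before any PIP has pushed attributes" % (scope, cls))
    return problems

def pdp_scopes(chain):
    """Scopes that each need their own SAMLAttributePDP policy file."""
    return sorted({s for s, c in chain if c.endswith("SAMLAttributePDP")})

if __name__ == "__main__":
    chain = parse_authz_chain(SAMPLE_DESCRIPTOR)
    print(chain, check_chain(chain), pdp_scopes(chain))
```

    Point the script at the real descriptor by reading the file into parse_authz_chain instead of the constructed sample; pdp_scopes lists the scope names whose policy files must be present before the container is started.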
  11. Request the ShibEchoService, authenticating with a level 2 proxy credential.
    We will configure the GridShib SAML Tools to issue a level 2 proxy signed by the level 1 proxy. The level 2 proxy contains one attribute, so you should see a total of six attributes in the logs, three (3) NameIdentifier values and three (3) attribute values.
    1. Create config file c:\temp\gridshib-saml-issuer.properties with the following lines:
      Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      formatting.template=%PRINCIPAL%@gmail.com
      # FriendlyName="mail"
      Attribute.EMAIL.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
      Attribute.EMAIL.Name=urn:mace:dir:attribute-def:mail
      Attribute.EMAIL.Value=trscavo@gmail.com
      # an EEC issued by the GridShib CA
      certLocation=file:/C:/temp/testcredential.pem
      keyLocation=file:/C:/temp/testcredential.pem
    2. In the third Command Prompt window, issue a level 2 proxy:
        > %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo 
            --authn --x509 --outfile c:\temp\testcredential.pem 
            --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255 
            --config file:/c:/temp/gridshib-saml-issuer.properties
    3. In the first Command Prompt window, start the container.
    4. In the second Command Prompt window, request the service as before.
    5. In the second Command Prompt window, stop the container.
