GridShib for Globus Toolkit Installation
A lightweight alternative to installing the full Globus Toolkit is to only install the Java WS Core component of GT4, and then install GridShib for GT on top of that. In fact, this is the only option under Windows, which does not support the full Globus Toolkit. So the following "Quick Start" guide shows how to layer GridShib for GT on top of Java WS Core on Windows.
This page gives detailed instructions for installing Java WS Core and GridShib for GT on Windows. Software requirements include JDK 1.4.2 (or higher) and Ant 1.6 (or higher), which we assume are already installed on Windows.
ol
ol ol
- Install the binary version of Java WS Core 4.0.4 on Windows.
- Extract the ZIP archive to any folder on your hard drive (say, c:\globus).
- Open a Command Prompt window, change directory to the installation directory, and set the
GLOBUS_LOCATION
environment variable (which is case sensitive, even on Windows in this case):> cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4 > set GLOBUS_LOCATION=%CD% > echo %GLOBUS_LOCATION%
- Add the following line to %GLOBUS_LOCATION%\container-log4j.properties:
log4j.category.org.globus.gridshib.gt=DEBUG
- As a crude test, start the container (with transport-level security disabled):
> bin\globus-start-container -nosec Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/ With the following services: [1]: http://141.142.251.212:8080/wsrf/services/AdminService [2]: http://141.142.251.212:8080/wsrf/services/AuthzCalloutTestService [3]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryEntryService [4]: http://141.142.251.212:8080/wsrf/services/ContainerRegistryService [5]: http://141.142.251.212:8080/wsrf/services/CounterService [6]: http://141.142.251.212:8080/wsrf/services/ManagementService [7]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerFactoryService [8]: http://141.142.251.212:8080/wsrf/services/NotificationConsumerService [9]: http://141.142.251.212:8080/wsrf/services/NotificationTestService [10]: http://141.142.251.212:8080/wsrf/services/PersistenceTestSubscriptionManager [11]: http://141.142.251.212:8080/wsrf/services/SampleAuthzService [12]: http://141.142.251.212:8080/wsrf/services/SecureCounterService [13]: http://141.142.251.212:8080/wsrf/services/SecurityTestService [14]: http://141.142.251.212:8080/wsrf/services/ShutdownService [15]: http://141.142.251.212:8080/wsrf/services/SubscriptionManagerService [16]: http://141.142.251.212:8080/wsrf/services/TestAuthzService [17]: http://141.142.251.212:8080/wsrf/services/TestRPCService [18]: http://141.142.251.212:8080/wsrf/services/TestService [19]: http://141.142.251.212:8080/wsrf/services/TestServiceRequest [20]: http://141.142.251.212:8080/wsrf/services/TestServiceWrongWSDL [21]: http://141.142.251.212:8080/wsrf/services/Version [22]: http://141.142.251.212:8080/wsrf/services/WidgetNotificationService [23]: http://141.142.251.212:8080/wsrf/services/WidgetService [24]: http://141.142.251.212:8080/wsrf/services/gsi/AuthenticationService
Press Ctrl-C to abort the container.
- Obtain a user certificate and stop the container normally
- In the previous Command Prompt window, start the container again:
> echo %GLOBUS_LOCATION% > bin\globus-start-container -nosec Starting SOAP server at: http://141.142.251.212:8080/wsrf/services/ With the following services...
- Open another Command Prompt window and try to stop the container:
> cd c:\globus\ws-core-4.0.4-bin\ws-core-4.0.4 > set GLOBUS_LOCATION=%CD% > echo %GLOBUS_LOCATION% > bin\globus-stop-container Error: ; nested exception is: GSSException: Defective credential detected [Caused by: Proxy file (C:\DOCUME~1\TOMSCA~1\LOCALS~1\Temp\x509up_u_tom scavo) not found.]
- Press Ctrl-C to abort the container.
- Obtain a short-term X.509 end-entity credential from the GridShib CA.
- In the first Command Prompt window, start the container as before.
- In the second Command Prompt window, try to stop the container again:
> bin\globus-stop-container Error: ; nested exception is: java.net.ConnectException: Connection refused: connect
- Finally, stop the container normally, authenticating at the message level using your GridShib CA-issued credential:
> bin\globus-stop-container -s http://localhost:8080/wsrf/services/ShutdownService -m msg
- In the previous Command Prompt window, start the container again:
- Start and stop a secure container
- In the first Command Prompt window, start the container:
> echo %GLOBUS_LOCATION% > bin\globus-start-container Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/ With the following services...
- In the second Command Prompt window, stop the container:
> echo %GLOBUS_LOCATION% > bin\globus-stop-container
- In the first Command Prompt window, start the container:
- Request the
SecureCounterService
- In the first Command Prompt window, start the container:
> echo %GLOBUS_LOCATION% > bin\globus-start-container Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/ With the following services...
- In the second Command Prompt window, request a service:
> echo %GLOBUS_LOCATION% > bin\counter-client -s https://localhost:8443/wsrf/services/SecureCounterService -m conv -z none Got notification with value: 3 Counter has value: 3 Got notification with value: 13
- In the second Command Prompt window, stop the container:
> bin\globus-stop-container
- In the first Command Prompt window, start the container:
- Install GridShib for GT v0.6.0 on Windows.
- Download the GS4GT v0.6.0 source distribution (ZIP archive) from the GridShib web site. (A GZIP archive is also available.)
- Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).
- In the second Command Prompt window, type the following commands:
> cd c:\gridshib\gridshib-gt-0_6_0-src\gridshib-gt-0_6_0 > echo %GLOBUS_LOCATION% > ant deploy > ant deploy-echoservice
- Request the
ShibEchoService
, authenticating with your EEC.Note: An EEC obtained from the GridShib CA contains a bound SAML assertion but the assertion contains no attributes. Thus you will see one "attribute" in the logs, namely, the value of the
NameIdentifier
element of the assertion.- In the first Command Prompt window, start the container:
> echo %GLOBUS_LOCATION% > bin\globus-start-container Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/ With the following services...
- In the second Command Prompt window, copy your EEC to a preconfigured location and request the service:
> copy "%TEMP%\x509up_u_%USERNAME%" c:\temp\testcredential.pem > %GLOBUS_LOCATION%\bin\shibecho -d -s https://localhost:8443/wsrf/services/ShibEchoService -f %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-client-security-descriptor.xml
- In the second Command Prompt window, stop the container.
- In the first Command Prompt window, start the container:
- Install GridShib SAML Tools v0.1.4 on Windows.
Note: We will configure the SAML Tools to sign proxy certificates using your GridShib CA-issued EEC by default.
- Download the GS-ST v0.1.4 source distribution (ZIP archive) from the GridShib web site. (A GZIP archive is also available.)
- Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).
- In a third Command Prompt window, type the following commands:
> cd c:\gridshib\gridshib-saml-tools-0_1_4 > set GRIDSHIB_HOME=%CD% > ant install
- Uncomment the following lines in %GRIDSHIB_HOME%\etc\gridshib\tools\gridshib-saml-issuer.properties:
# an EEC issued by the GridShib CA certLocation=file:/%TEMP%/x509up_u_%USERNAME% keyLocation=file:/%TEMP%/x509up_u_%USERNAME%
Replace the placeholders%TEMP%
and%USERNAME%
with their actual values, changing the backslashes to forward slashes for proper URL syntax.
- In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP shibecho:org.globus.gridshib.AttributeAcceptancePIP"/>
and uncomment this line<authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP shibecho:org.globus.gridshib.AttributeAcceptancePIP shibecho1:org.globus.gridshib.SAMLAttributePDP"/>
This enablesSAMLAttributePDP
in the authz chain. - Request the
ShibEchoService
, authenticating with a level 1 proxy credential.Since the GridShib SAML Tools issues an assertion with two attributes by default, you will see a total of four (4) attributes in the logs, the
NameIdentifier
from the assertion bound to the EEC, plus two attributes and aNameIdentifier
bound to the level 1 proxy.- In the third Command Prompt window, issue a level 1 proxy:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo --authn --x509 --outfile c:\temp\testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255
- In the first Command Prompt window, start the container.
- In the second Command Prompt window, request the service as before.
- In the second Command Prompt window, stop the container.
- In the third Command Prompt window, issue a level 1 proxy:
- In %GLOBUS_LOCATION%\etc\gridshib-gt-echo-0_6_0\echo-service-security-descriptor.xml, comment out this line
<authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP shibecho:org.globus.gridshib.AttributeAcceptancePIP shibecho1:org.globus.gridshib.SAMLAttributePDP"/>
and uncomment this line<authz value="shibecho:org.globus.gridshib.SAMLAssertionPushPIP shibecho:org.globus.gridshib.AttributeAcceptancePIP shibecho1:org.globus.gridshib.SAMLAttributePDP shibecho2:org.globus.gridshib.SAMLAttributePDP"/>
This enablesSAMLAttributePDP
twice in the authz chain, each invocation having its own policy file. - Request the
ShibEchoService
, authenticating with a level 2 proxy credential.We will configure the GridShib SAML Tools to issue a level 2 proxy signed by the level 1 proxy. The level 2 proxy contains one attribute, so you should see a total of six attributes in the logs, three (3)
NameIdentifier
values and three (3) attribute values.- Create config file c:\temp\gridshib-saml-issuer.properties with the following lines:
Format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress formatting.template=%PRINCIPAL%@gmail.com # FriendlyName="mail" Attribute.EMAIL.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri Attribute.EMAIL.Name=urn:mace:dir:attribute-def:mail Attribute.EMAIL.Value=trscavo@gmail.com # an EEC issued by the GridShib CA certLocation=file:/C:/temp/testcredential.pem keyLocation=file:/C:/temp/testcredential.pem
- In the third Command Prompt window, issue a level 2 proxy:
> %GRIDSHIB_HOME%\bin\gridshib-saml-issuer --user trscavo --authn --x509 --outfile c:\temp\testcredential.pem --authnMethod urn:oasis:names:tc:SAML:1.0:am:password --address 255.255.255.255 --config file:/c:/temp/gridshib-saml-issuer.properties
- In the first Command Prompt window, start the container.
- In the second Command Prompt window, request the service as before.
- In the second Command Prompt window, stop the container.
- Create config file c:\temp\gridshib-saml-issuer.properties with the following lines: