
Configuring caGrid clients in Proxied Environments


Overview

The caGrid distribution is configured and tested to be fully functional when clients have open access to the Internet (no forward proxy) and when services are not running behind a reverse proxy server. When a client sits in a network environment that uses a forward proxy, it is necessary to perform additional configuration to enable the software to connect through the proxy server. This documentation details the changes necessary to configure caGrid clients to utilize a forward proxy server to connect to non-secure grid services.

Proxy Configuration for Secure Grid Services

Connecting to a secure grid service through a forward proxy connection is not supported by the Globus software that is the foundation of caGrid.

caGrid is built upon the security and networking functionality provided by the JGlobus module of Globus Toolkit (v4.0.3). This software was not written to be compatible with the proxying of secure connections. As a result, caGrid is also not compatible with the proxying of secure connections.

It is highly recommended that users who need to integrate with external, secure grid services work with their Network Security Team to enable un-proxied, direct connections to select grid services. This will allow the grid client and server to establish encrypted connections over HTTPS.

This network configuration was used to validate the following guide.

Obtaining Proxy Information

In order to configure caGrid to utilize your proxy, you must collect information concerning the proxy host that is used in your institution. There are a couple of ways to determine this information.

  1. Communicate with your Help Desk or IT Support to obtain the proxy hostname, port and some rules about which hosts must use the proxy.
  2. Look at your Internet browser's configuration.
    1. IE 8
      1. From the "Tools" menu, select "Internet Options".
      2. Click the "Connections" tab.
      3. Click the "LAN Settings" button.
      4. If "Proxy Server" is selected, copy the Address and Port values.
      5. If "Automatic configuration" -> "use automatic configuration script" is selected, copy the "Address" of the configuration script.
      6. If "Automatic configuration" -> "Automatically detect settings" is selected, contact your Help Desk to obtain the proxy hostname and port.
    2. Firefox 3.x
      1. From the "Tools" menu, select "Options...".
      2. Click the "Advanced" icon.
      3. Click the "Network" tab.
      4. Click the "Settings" button.
      5. If "Manual proxy configuration" is selected, copy the "HTTP Proxy" and "Port" values.
      6. If "Automatic proxy configuration URL" is selected, copy the URL of the configuration script.
      7. Otherwise, contact your Help Desk to obtain the proxy hostname and port.
  3. Determine proxy from the automatic proxy configuration URL.
    1. In your browser, open the proxy configuration URL to view the contents of the proxy configuration.
      1. Note: in IE you may have to right-click the web page and select "view source" to see the contents.
    2. This PAC file should contain a FindProxyForURL function that determines which URLs are proxied and which are not.
    3. Your proxy will be identified in return statements like this: return "PROXY 10.127.20.41:8080";
    4. Pay specific attention to URLs that are NOT proxied. Non-proxied connections are identified by a return statement that indicates "DIRECT".

System Configuration

Many of the Java applications in caGrid, such as Introduce and GAARDS, are invoked using Ant. Our proxy will be configured in Ant environment variables and then set on Java calls as parameters.

Environment Variables

A single environment variable, ANT_OPTS, can be used to hold the proxy configuration for Ant. Another optional variable, ANT_ARGS, can be used to indicate that Ant should always utilize this configuration.

ANT_OPTS
Contains command-line arguments that should be passed to the JVM. We will use the following options for proxy support.

  1. http.proxyHost - contains hostname or IP address of http proxy.
  2. http.proxyPort - contains the port number of the http proxy.
  3. http.nonProxyHosts - contains a pipe (|) delimited list of hosts that should connect directly rather than through the proxy.
  4. http.proxyUser - optional - contains the username required to authenticate with the proxy server.
  5. http.proxyPassword - optional - contains the password required to authenticate with the proxy server.

caGrid 1.4 Configuration

The caGrid 1.4 distribution allows users to configure proxy usage for the following:

  • caGrid Installer
  • GAARDS Security User Interface
  • Introduce Service Development Tool
  • Synchronization with Trust Fabric

caGrid 1.3 Configuration

caGrid 1.3 was not distributed with the ability to be configured for proxy usage.

Example Configuration

The following steps show how to configure caGrid 1.4 to utilize a proxy.

Example configuration:

  • Browser configured with a proxy PAC file, proxy.pac, that identifies which URLs must use the proxy.
  • HTTP Proxy host: 10.127.20.41
  • HTTP Proxy port: 8080
  • No user authentication is required at the proxy.
  • All HTTP traffic must use the proxy.
  • All HTTPS traffic must bypass the proxy.

Obtain Proxy Information

  1. Open your browser and view the proxy configuration as specified in the "Obtaining Proxy Information" section above.
  2. Download proxy automatic configuration file.
  3. Determine rules in file.

From my proxy.pac file:

  1. Proxy host: 10.127.20.41
  2. Proxy port: 8080
  3. Rules that pertain to caGrid:
    1. All http traffic is proxied.
    2. All secure training grid URLs fall into a rule that indicates direct connection.


caGrid Installer

caGrid Installer Configuration

  1. Download and extract the caGrid Installer.
  2. Open the appropriate script in a text editor.
    1. Windows: install.bat
    2. Unix/Mac: install.sh
  3. Find the "HTTP Proxy Settings" line in the file.
    1. Remove the "REM" or "#" at the beginning of the subsequent line.
    2. After "-Dhttp.proxyHost=", type the proxy hostname or IP.
    3. After "-Dhttp.proxyPort=", type the proxy port number.
    4. After "-Dhttp.nonProxyHosts=", type the list of HTTPS hosts that must bypass the proxy server.
  4. If proxy authentication is required, find the "Set username" line in the file.
    1. Remove the "REM" or "#" at the beginning of the subsequent line.
    2. After "-Dhttp.proxyUser=", type your username.
    3. After "-Dhttp.proxyPassword=", type your password.

Example Proxy Configuration

This is an example:

REM HTTP proxy settings
set JAVA_OPTS=%JAVA_OPTS% -Dhttp.proxyHost=10.127.20.41 -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts=\"\"

caGrid Installer Execution

Now that the installer script has been configured, run the installer for either an open network or a proxied network.

  1. Open Network:
    1. Windows command: install.bat
    2. Unix/Mac:
      1. Set execute permission: chmod u+x install.sh
      2. Command: ./install.sh
  2. Firewalled Network:
    1. Windows command: install.bat -proxy
    2. Unix/Mac:
      1. Set execute permission: chmod u+x install.sh
      2. Command: ./install.sh -proxy


GAARDS-UI, Introduce and syncWithTrustFabric

These three applications will utilize the ANT_OPTS environment variable to hold a common required proxy configuration. This variable, created in this section, will define the proxy configuration for the Training Grid using the example proxy server.

Create the ANT_OPTS Contents

Create the contents of the ANT_OPTS environment variable in a text editor.

  1. Open a new file in a text editor.
  2. Paste the following:
    1. ANT_OPTS='-Dhttp.proxyHost= -Dhttp.proxyPort= -Dhttp.nonProxyHosts="localhost"'
  3. Set the proxyHost value to "10.127.20.41".
  4. Set the proxyPort value to "8080".
  5. Because all secure training grid hosts bypass the proxy, we must add the hostnames of the services to the "nonProxyHosts" list.
    1. Set the hostname list to include:
      1. dorian.training.cagrid.org
      2. globalmodelexchange.training.cagrid.org
      3. mastergts.training.cagrid.org
      4. slavegts.training.cagrid.org
      5. grouper.training.cagrid.org
      6. cds.training.cagrid.org
      7. fqp.training.cagrid.org
      8. workflow-scufl.training.cagrid.org
      9. workflow-bpel.training.cagrid.org
      10. cagrid-gme.nci.nih.gov - production server used by Introduce
      11. cadsrapi.nci.nih.gov - production server used by Introduce
    2. The final environment variable:
      ANT_OPTS=-Dhttp.proxyHost=10.127.20.41 -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|dorian.training.cagrid.org|globalmodelexchange.training.cagrid.org|mastergts.training.cagrid.org|slavegts.training.cagrid.org|grouper.training.cagrid.org|cds.training.cagrid.org|fqp.training.cagrid.org|workflow-scufl.training.cagrid.org|workflow-bpel.training.cagrid.org|cagrid-gme.nci.nih.gov|cadsrapi.nci.nih.gov"
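
The PAC inspection from "Obtaining Proxy Information" and the ANT_OPTS construction above, combined into one added example that is not part of the caGrid documentation: it evaluates a PAC file against the URLs a client will contact and places every host answered with DIRECT into http.nonProxyHosts. The PAC text, the downloads.example.org URL and the helper implementations are constructed for illustration; run it with Node.js.

```javascript
// Added example (not caGrid code). PAC text and URLs are constructed samples.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(url, "https:*")) return "DIRECT";
  return "PROXY 10.127.20.41:8080";
}`;
// Minimal stand-ins for the standard PAC helper functions.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, glob) => {
    const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str);
  },
};
// Compile the PAC text. This executes the file's JavaScript, so read it first.
function loadPac(pacText) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacText + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => pacHelpers[n]));
}
// Ask the PAC for each URL's rule and build the ANT_OPTS value from the answers.
function buildAntOpts(pacText, urls) {
  const findProxy = loadPac(pacText);
  const direct = new Set(['localhost']);
  let proxy = null;
  for (const u of urls) {
    const { hostname } = new URL(u);
    // The value ends up in a shell profile: accept hostname characters only.
    if (!/^[A-Za-z0-9.-]+$/.test(hostname)) throw new Error('bad host: ' + hostname);
    const answer = findProxy(u, hostname).split(';')[0].trim();
    const m = /^PROXY\s+([A-Za-z0-9.-]+):(\d+)$/i.exec(answer);
    if (m) proxy = proxy || { host: m[1], port: m[2] };
    else if (/^DIRECT$/i.test(answer)) direct.add(hostname);
    else throw new Error('unhandled PAC answer for ' + u + ': ' + answer);
  }
  if (!proxy) throw new Error('no PROXY rule matched any of the URLs');
  return `-Dhttp.proxyHost=${proxy.host} -Dhttp.proxyPort=${proxy.port} ` +
    `-Dhttp.nonProxyHosts="${[...direct].join('|')}"`;
}
const SAMPLE_URLS = [
  'http://downloads.example.org/', // placeholder plain-HTTP URL
  'https://dorian.training.cagrid.org/',
  'https://cagrid-gme.nci.nih.gov/',
];
console.log(buildAntOpts(SAMPLE_PAC, SAMPLE_URLS));
```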

Set the Environment Variable

Now set the environment variable so that it is available for use by Ant.

  1. Unix / Mac
    1. Open your initialization file for your shell. This file will be at the root level of your user directory. The file is specific to the shell that you use.
      1. Bourne Shell: ~/.profile
      2. Bash Shell: ~/.bashrc or ~/.profile
      3. C Shell : ~/.cshrc or ~/.login
      4. Korn Shell: ~/.profile or ~/.kshrc
    2. Add an entry for your new variable.
      1. export ANT_OPTS=
    3. Provide the values for the environment variable, wrapped in single quotes so that the shell keeps the spaces, double quotes and pipe characters as part of the value.
      export ANT_OPTS='-Dhttp.proxyHost=10.127.20.41 -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|dorian.training.cagrid.org|globalmodelexchange.training.cagrid.org|mastergts.training.cagrid.org|slavegts.training.cagrid.org|grouper.training.cagrid.org|cds.training.cagrid.org|fqp.training.cagrid.org|workflow-scufl.training.cagrid.org|workflow-bpel.training.cagrid.org|cagrid-gme.nci.nih.gov|cadsrapi.nci.nih.gov"'
    4. Save the file.
    5. Open a new terminal.
      1. Echo the new variable to verify it. "echo $ANT_OPTS"
  2. Windows
    1. On the Desktop, right-click My Computer, and then click Properties.
    2. Click the Advanced tab.
    3. Click the Environment Variables button.
    4. In the Environment Variables window, under "Environment Variables for <Username>", click New.
    5. In the New User Variable window:
      1. Variable name: "ANT_OPTS"
      2. Variable value:
        -Dhttp.proxyHost=10.127.20.41 -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|dorian.training.cagrid.org|globalmodelexchange.training.cagrid.org|mastergts.training.cagrid.org|slavegts.training.cagrid.org|grouper.training.cagrid.org|cds.training.cagrid.org|fqp.training.cagrid.org|workflow-scufl.training.cagrid.org|workflow-bpel.training.cagrid.org|cagrid-gme.nci.nih.gov|cadsrapi.nci.nih.gov"
      3. Click OK.
    6. In the Environment Variables window, click OK.
    7. In the System Properties window, click OK.
    8. Open a new command prompt.
      1. Start->Run, type "cmd"
      2. In the command prompt, verify that your variable is set by typing echo %ANT_OPTS%.

Application Execution

Once the environment variable is defined, the caGrid applications can be started and they will automatically be configured with your proxy information when you run the Ant command to start the application.

The "use.proxy" parameter will be used to determine whether the application will be configured to use the proxy configured in ANT_OPTS. When the flag is not present, no proxy configuration will be used.

  1. Open a terminal.
  2. Change directory to caGrid directory.
  3. Introduce
    1. ant introduce -Duse.proxy=true
  4. GAARDS UI
    1. ant gaardsui -Duse.proxy=true
  5. Synchronize with trust fabric.
    1. ant syncWithTrustFabric -Duse.proxy=true

Appendix


Installer Host Dependencies

The caGrid Installer obtains installer files from several servers and provides the ability to use the GAARDS UI to obtain host certificates and to synchronize with the grid trust fabric. For this reason, the installer must access many servers.

Download Servers

Training Grid

Production Grid


Introduce Host Dependencies

Training Grid

Service Creation

Introduce Updates

Security

Production Grid

Service Creation

Introduce Updates

Security


GAARDS UI Host Dependencies

GAARDS UI provides many security-related functions that require access to several secure grid services.

Training Grid

Production Grid


SyncWithTrustFabric Host Dependencies

The syncWithTrustFabric ANT task is used to configure your local caGrid installation to trust a specific grid. This is performed by connecting to the SlaveGTS server to obtain the grid's CA certificates.

Training Grid

Production Grid

Last edited by
William Stephens (396 days ago) , ...