The Grid Trust Service (GTS) is distributed as standalone project as well as part of other projects such as caGrid. Each of the distributions contains a gts directory herein referred to as GTS_LOCATION. To install and configure the GTS please follow the steps below.
In order to install and run the GTS, it is required that the following prerequisite software is installed:
- Java 1.5 JDK
- Ant 1.6.5
- Globus WS-Core with WS-Enum Support
- (Optional) If you want to deploy services to tomcat, you will need Tomcat 5.0.28
If you have obtained a source release of the GTS you will need to build the GTS. To build the GTS type the following from a command prompt:
|Depending on the GTS distribution it may be required to build the entire project that the GTS is distributed with prior to building the GTS. For example if you have obtained a caGrid source distribution this is required, if you received a the GTS standalone distribution this is not required.|
Deployments leverage the GTS to maintain the trust fabric are effectively delegating their authentication responsibility to the GTS. Therefore it is imperative the GTS instance(s) can be trusted. In order for the GTS to be trusted it must run securely with a host credential (X.509 certificate and private key). It is critical that this host credential be issued by an authority that the entities in the deployment trust. If you already have a host credential or have a means of obtaining one please do so and proceed to the next step, otherwise for the purposes of this guide we will create our own certificate authority and use it to issue a host credential. To create a certificate authority please complete the following steps from a command prompt(illustrated below):
- cd GTS_LOCATION
- Type ant generateCA
- Enter the distinguished name (DN) for the CA (i.e O=xyz,OU=abc,CN=My CA).
- Enter the number of days that the CA will be valid for (i.e 3650)
- Enter a password which will be used to encrypt the CA's private key.
- Enter a file to write the CA private key to.
- Enter a file to write the CA certificate to.
Once we have created a certificate authority we can use it to issue a host credentials. To create host credentials please complete the following steps from a command prompt(illustrated below):
- cd GTS_LOCATION
- Type ant createAndSignHostCertificate
- Enter the location of the CA's private key.
- Enter the password used to encrypt the CA's private key.
- Enter the location of the CA's certificate.
- Enter the name of the host.
- Enter the number of days that the host credentials should be valid for.
- Enter a location to write the host private key.
- Enter a location to write the host certificate.
In order for the GTS to be used to distribute trust roots we MUST configure Globus to trust the CA that issued the host credentials we obtained in the previous step. To do this we place a copy of the certificate for the CA that issued the host credentials in the Globus trusted certificates directory. Unless otherwise specified during installation, the Globus trusted certificate directory is usually 8USER_HOME/.globus/certificates*. Globus requires all CA certificates in its trusted certificates directory to be in PEM format and to have a digit extension (0-9). For example if a CA certificate is stored in the file cacert.pem in PEM format than in order to configure Globus to trust this certificate authority it should be copied in to the directory USER_HOME/.globus/certificates (create directory if needed) with the file name cacert.0
Now that you have obtained host credentials, you may use them to configure a secure container. The GTS can be run from a secure Globus container or a secure Tomcat container. For directions on how to configure a secure Globus container CLICK HERE. For directions on how to configure a secure Tomcat container CLICK HERE.
The GTS is configured through a single configuration file which is located at GTS_LOCATION/etc/gts-conf.xml (shown below). The GTS uses a Mysql Database as its backend data store; you must provide the GTS with the connection details for your Mysql database. The database element in the GTS configuration is used to specify the connection information for your Mysql database. In the majority of cases you will only need to specify the hostname of your database server, the port that the server runs on, and the username and password of a database user. When the GTS is first initialized it will create a database, named with the value of the gts-internal-id element. The GTS will also proceed to setup its database schema in the database it created. In order to do so the GTS needs to be configured with a database user that has the appropriate permissions. If you do not wish to provide the GTS with such a user you may create the database manually and provide the GTS with a user whom has the permission to modify the database schema. In this scenario the GTS will not create the database but will proceed to setup its database schema in the database that was manually created
Many of the operations provided by the GTS provide a means of administrating the trust fabric and are therefore restricted to GTS administrators. GTS Administrators are "super users" and can perform any operation on a GTS (i.e., manage certificate authorities, manage trust levels, manage permissions, etc). In order to bootstrap the GTS such that it may be administered through its service interface we must provide the GTS with at least one initial administrator. The GTS provides a command line program for adding initial administrators, to leverage this program type the following from a command prompt:
This will prompt you for the grid identity of the initial administrator to add, please enter the grid identity of the user you want to add as an initial administrator as shown below:
Once you have configured a secure container (Globus or Tomcat) you need to deploy the GTS to that container. To deploy the GTS to a secure Globus container type the following from a command prompt:
To deploy the GTS to a secure Tomcat container type the following from a command prompt:
No matter which container you choose you should see a significant amount of output to the screen, if the deployment is successful you should see the words "BUILD SUCCESSFUL" outputted to the screen.
Once you have deployed the GTS, you have completed the installation and configuration of the GTS. Next we will verify that the installation was successful, however before doing so we must start the GTS service. This is done by starting the container that the GTS was deployed to. For directions on starting a secure Globus container CLICK HERE. To start a secure Tomcat container run the startup script (startup.sh or startup.bat) located in TOMCAT_INSTALLATION_DIRECTORY/bin. If the container starts up we are ready to verify that the GTS installation was successful. To do so type the following from the command prompt:
This will bring up a the GTS Administration UI, after the UI opens please complete the following steps:
- Click the Certificate Authorities button, this will bring up a Certificate Authorities window.
- From the Service drop down select
- Click the Find Trusted Authorities button.
After clicking the Find Trusted Authorities button the UI will connect to the GTS and get a list of all the trusted certificate authorities managed by that GTS. Since this is a new installation this should return 0 certificate authorities, this should be reflected in the status message displayed in the progress bar below Find Trusted Authorities button. Upon successfully connecting to the GTS, the value of the status message in the progress bar should say Completed [Found 0 Trusted Authority(s)]. This is illustrated in the screen shot below. Congratulations you have successfully installed and configured the Grid Trust Service (GTS).
|There are no images attached to this page.|