Access Keys:
Skip to content (Access Key - 0)

GTS

Grid Trust Service 1.1 Installation and Configuration

Table of Contents

The Grid Trust Service (GTS) is distributed as standalone project as well as part of other projects such as caGrid. Each of the distributions contains a gts directory herein referred to as GTS_LOCATION. To install and configure the GTS please follow the steps below.

Step 1: Install Prerequisite Software

In order to install and run the GTS, it is required that the following prerequisite software is installed:

Step 2: Building the GTS

If you have obtained a source release of the GTS you will need to build the GTS. To build the GTS type the following from a command prompt:

%> cd GTS_LOCATION

%> ant clean all
Depending on the GTS distribution it may be required to build the entire project that the GTS is distributed with prior to building the GTS. For example if you have obtained a caGrid source distribution this is required, if you received a the GTS standalone distribution this is not required.

Step 3: Obtain a Host Credential

Deployments leverage the GTS to maintain the trust fabric are effectively delegating their authentication responsibility to the GTS. Therefore it is imperative the GTS instance(s) can be trusted. In order for the GTS to be trusted it must run securely with a host credential (X.509 certificate and private key). It is critical that this host credential be issued by an authority that the entities in the deployment trust. If you already have a host credential or have a means of obtaining one please do so and proceed to the next step, otherwise for the purposes of this guide we will create our own certificate authority and use it to issue a host credential. To create a certificate authority please complete the following steps from a command prompt(illustrated below):

  1. cd GTS_LOCATION
  2. Type ant generateCA
  3. Enter the distinguished name (DN) for the CA (i.e O=xyz,OU=abc,CN=My CA).
  4. Enter the number of days that the CA will be valid for (i.e 3650)
  5. Enter a password which will be used to encrypt the CA's private key.
  6. Enter a file to write the CA private key to.
  7. Enter a file to write the CA certificate to.
%> cd GTS_LOCATION

%> ant generateCA

Buildfile: build.xml



setGlobus:



checkGlobus:

     [echo] Globus: C:\ext\ws-core-4.0.3



generateCA:

    [input] Please enter the DN for the new CA (ex. O=xyz,OU=abc,CN=My CA):

O=xyz,OU=abc,CN=My CA

    [input] Please enter the number of days the new CA will be valid for:

3650

    [input] Please enter a password for the new CA:

password

    [input] Please enter a location to write the new CA's private key:

cakey.pem

    [input] Please enter a location to write the new CA's certificate:

cacert.pem

     [java] Successfully create the CA certificate:

     [java] O=xyz,OU=abc,CN=My CA

     [java] CA Certificate Valid Till:

     [java] Fri Jun 23 12:47:10 EDT 2017

     [java] CA Private Key Written to:

     [java] cakey.pem

     [java] CA Certificate Written to:

     [java] cacert.pem



BUILD SUCCESSFUL

Total time: 46 seconds

Once we have created a certificate authority we can use it to issue a host credentials. To create host credentials please complete the following steps from a command prompt(illustrated below):

  1. cd GTS_LOCATION
  2. Type ant createAndSignHostCertificate
  3. Enter the location of the CA's private key.
  4. Enter the password used to encrypt the CA's private key.
  5. Enter the location of the CA's certificate.
  6. Enter the name of the host.
  7. Enter the number of days that the host credentials should be valid for.
  8. Enter a location to write the host private key.
  9. Enter a location to write the host certificate.
%> cd GTS_LOCATION

%> ant createAndSignHostCertificate

Buildfile: build.xml



setGlobus:



checkGlobus:

     [echo] Globus: C:\ext\ws-core-4.0.3



createAndSignHostCertificate:

    [input] Please enter the location of the CA's private key:

cakey.pem

    [input] Please enter the CA's password:

password

    [input] Please enter the location of the CA's certificate:

cacert.pem

    [input] Please enter the Hostname [${env.HOST}]:

myhost

    [input] Please enter the number of days the host certificate will be valid f

or:

365

    [input] Please enter a location to write the host key:

hostkey.pem

    [input] Please enter a location to write the host certificate:

hostcert.pem

     [java] Successfully create the user certificate:

     [java] O=xyz,OU=abc,CN=host/vmyhost

     [java] User certificate issued by:

     [java] O=xyz,OU=abc,CN=My CA

     [java] User Certificate Valid Till:

     [java] Wed Jun 25 13:58:37 EDT 2008

     [java] User Private Key Written to:

     [java] hostkey.pem

     [java] User Certificate Written to:

     [java] hostcert.pem



BUILD SUCCESSFUL

Total time: 52 seconds

Step 4: Configure Globus To Trust the GTS

In order for the GTS to be used to distribute trust roots we MUST configure Globus to trust the CA that issued the host credentials we obtained in the previous step. To do this we place a copy of the certificate for the CA that issued the host credentials in the Globus trusted certificates directory. Unless otherwise specified during installation, the Globus trusted certificate directory is usually 8USER_HOME/.globus/certificates*. Globus requires all CA certificates in its trusted certificates directory to be in PEM format and to have a digit extension (0-9). For example if a CA certificate is stored in the file cacert.pem in PEM format than in order to configure Globus to trust this certificate authority it should be copied in to the directory USER_HOME/.globus/certificates (create directory if needed) with the file name cacert.0

Step 5: Configuring a Secure Container

Now that you have obtained host credentials, you may use them to configure a secure container. The GTS can be run from a secure Globus container or a secure Tomcat container. For directions on how to configure a secure Globus container CLICK HERE. For directions on how to configure a secure Tomcat container CLICK HERE.

Step 6: Configuring the GTS

The GTS is configured through a single configuration file which is located at GTS_LOCATION/etc/gts-conf.xml (shown below). The GTS uses a Mysql Database as its backend data store; you must provide the GTS with the connection details for your Mysql database. The database element in the GTS configuration is used to specify the connection information for your Mysql database. In the majority of cases you will only need to specify the hostname of your database server, the port that the server runs on, and the username and password of a database user. When the GTS is first initialized it will create a database, named with the value of the gts-internal-id element. The GTS will also proceed to setup its database schema in the database it created. In order to do so the GTS needs to be configured with a database user that has the appropriate permissions. If you do not wish to provide the GTS with such a user you may create the database manually and provide the GTS with a user whom has the permission to modify the database schema. In this scenario the GTS will not create the database but will proceed to setup its database schema in the database that was manually created 

<gts>
   <resource name="GTSConfiguration" class="gov.nih.nci.cagrid.gts.service.GTSConfiguration">
       <gts-config>
           <gts-internal-id>GTS</gts-internal-id>
           <sync-authorities hours="0" minutes="2" seconds="0"/>
           <database>
               <name/>
               <driver>com.mysql.jdbc.Driver</driver>
               <urlPrefix>jdbc:mysql:</urlPrefix>
               <host>localhost</host>
               <port>3306</port>
               <username>root</username>
               <password></password>
               <pool>1</pool>
            </database>
        </gts-config>
    </resource>
</gts>

Step 7: Set Initial Administrators

Many of the operations provided by the GTS provide a means of administrating the trust fabric and are therefore restricted to GTS administrators. GTS Administrators are "super users" and can perform any operation on a GTS (i.e., manage certificate authorities, manage trust levels, manage permissions, etc). In order to bootstrap the GTS such that it may be administered through its service interface we must provide the GTS with at least one initial administrator. The GTS provides a command line program for adding initial administrators, to leverage this program type the following from a command prompt: 

%> cd GTS_LOCATION

%> ant addAmin

This will prompt you for the grid identity of the initial administrator to add, please enter the grid identity of the user you want to add as an initial administrator as shown below: 

%> cd GTS_LOCATION

%> ant addAmin

Buildfile: build.xml



setGlobus:



checkGlobus:

     [echo] Globus: C:\ext\ws-core-4.0.3



addAdmin:

    [input] Please enter the grid identity for the admin you wish to add:

/C=US/O=OSU/OU=BMI/OU=caGrid Development/OU=Users/OU=Dorian IdP/CN=jdoe

     [java] The user /C=US/O=OSU/OU=BMI/OU=caGrid Development/OU=Users/OU=Dorian

 IdP/CN=jdoe was succesfully added as an administrator of the GTS (GTS)



BUILD SUCCESSFUL

Total time: 48 seconds

Step 8: Deploying the GTS

Once you have configured a secure container (Globus or Tomcat) you need to deploy the GTS to that container. To deploy the GTS to a secure Globus container type the following from a command prompt: 

%> cd GTS_LOCATION

%> ant deployGlobus

To deploy the GTS to a secure Tomcat container type the following from a command prompt: 

%> cd GTS_LOCATION

%> ant deployTomcat

No matter which container you choose you should see a significant amount of output to the screen, if the deployment is successful you should see the words "BUILD SUCCESSFUL" outputted to the screen.

Step 9: Verifying the Installation

Once you have deployed the GTS, you have completed the installation and configuration of the GTS. Next we will verify that the installation was successful, however before doing so we must start the GTS service. This is done by starting the container that the GTS was deployed to. For directions on starting a secure Globus container CLICK HERE. To start a secure Tomcat container run the startup script (startup.sh or startup.bat) located in TOMCAT_INSTALLATION_DIRECTORY/bin. If the container starts up we are ready to verify that the GTS installation was successful. To do so type the following from the command prompt: 

%> cd GTS_LOCATION

%> ant ui

This will bring up a the GTS Administration UI, after the UI opens please complete the following steps:

  1. Click the Certificate Authorities button, this will bring up a Certificate Authorities window.
  2. From the Service drop down select 
    https://localhost:8443/wsrf/services/cagrid/GTS
  3. Click the Find Trusted Authorities button.

After clicking the Find Trusted Authorities button the UI will connect to the GTS and get a list of all the trusted certificate authorities managed by that GTS. Since this is a new installation this should return 0 certificate authorities, this should be reflected in the status message displayed in the progress bar below Find Trusted Authorities button. Upon successfully connecting to the GTS, the value of the status message in the progress bar should say Completed [Found 0 Trusted Authority(s)]. This is illustrated in the screen shot below. Congratulations you have successfully installed and configured the Grid Trust Service (GTS).

There are no images attached to this page.
Last edited by
Sarah Honacki (1356 days ago)
Adaptavist Theme Builder Powered by Atlassian Confluence