
Knowledgebase


Reconfigure Secure Tomcat Container on a New Host


This article describes how to manually update a secure Tomcat container for use on a new host. It is assumed that this container was configured by the caGrid 1.2 installer.


STEP 1: Generate New Host Certificate and Key

Access the GAARDS UI to request a new host certificate: Request a Host Certificate.

STEP 2: Configure the Container

The second step is to configure the container to use the new host certificate and key.

Edit the file $CATALINA_HOME/conf/server.xml. Configure the section at the end of the file with your new key and cert.

Do NOT copy/paste the example snippet below into your file. This section varies depending on your Tomcat version. Refer to Manually Configure Tomcat Container for more information.

The following is an example of this section:

<Connector acceptCount="10" autoFlush="true"
           cert="<LOCATION_TO_CERT>\<host>-cert.pem"
           className="org.globus.tomcat.coyote.net.HTTPSConnector"
           debug="0" disableUploadTimeout="true" enableLookups="true"
           key="<LOCATION_TO_KEY>\<host>-key.pem" maxSpareThreads="75"
           maxThreads="150" minSpareThreads="25" port="8443" scheme="https"/>

STEP 3: Modify the Security Descriptor

The third step is to modify the security descriptor to point to your cert and key.

Modify $CATALINA_HOME/webapps/wsrf/WEB-INF/etc/globus_wsrf_core/global_security_descriptor.xml:

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
    <credential>
        <key-file value="<LOCATION_TO_KEY>\<host>-key.pem"/>
        <cert-file value="<LOCATION_TO_CERT>\<host>-cert.pem"/>
    </credential>
</securityConfig>

This file controls the container's security descriptor: http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-configCred
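
After Steps 2 and 3, server.xml and global_security_descriptor.xml should name the same certificate and key. The following check is an added example, not part of the original article or of caGrid/Globus: it reads both files and reports mismatched paths, missing files, and a private key that other users can read. It assumes the Connector form shown in Step 2 and that CATALINA_HOME is set; the function names are hypothetical.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

NS = "{http://www.globus.org}"  # default namespace of the security descriptor
HTTPS_CONNECTOR = "org.globus.tomcat.coyote.net.HTTPSConnector"


def connector_credentials(server_xml):
    """Return {'cert': ..., 'key': ...} from the Globus HTTPS <Connector>."""
    for conn in ET.parse(server_xml).getroot().iter("Connector"):
        if conn.get("className") == HTTPS_CONNECTOR:
            return {"cert": conn.get("cert"), "key": conn.get("key")}
    return {}


def descriptor_credentials(descriptor_xml):
    """Return {'cert': ..., 'key': ...} from the descriptor's <credential>."""
    root = ET.parse(descriptor_xml).getroot()
    nodes = {k: root.find(f"{NS}credential/{NS}{k}-file") for k in ("cert", "key")}
    return {k: n.get("value") for k, n in nodes.items() if n is not None}


def check_container(catalina_home):
    """Hypothetical helper: list problems; an empty list means both files agree."""
    server = os.path.join(catalina_home, "conf", "server.xml")
    desc = os.path.join(catalina_home, "webapps", "wsrf", "WEB-INF", "etc",
                        "globus_wsrf_core", "global_security_descriptor.xml")
    conn, cred = connector_credentials(server), descriptor_credentials(desc)
    problems = []
    for label in ("cert", "key"):
        a, b = conn.get(label), cred.get(label)
        if not a or not b:
            problems.append(f"{label}: not set in both files")
        elif os.path.normpath(a) != os.path.normpath(b):
            problems.append(f"{label}: server.xml has {a}, descriptor has {b}")
        elif not os.path.isfile(a):
            problems.append(f"{label}: file not found: {a}")
        elif label == "key" and os.name == "posix" \
                and stat.S_IMODE(os.stat(a).st_mode) & 0o077:
            problems.append(f"key: readable by group or others: {a}")
    return problems


if __name__ == "__main__":
    issues = check_container(os.environ.get("CATALINA_HOME", "."))
    sys.exit("\n".join(issues) if issues else 0)
```

The permission check applies only on POSIX hosts; on Windows, review the key file's ACL separately.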

Last edited by
Mark Grand (609 days ago) , ...