{cagridtoc}
h1. How to Deploy CaGrid 1.1
----
----
h1. Revision History
----
| Version Number | Revision Date | Author | Summary of Changes |
| 1.0 | 08/27/07 | Scott Oster, Stephen Langella, Joshua Philips | Initial Draft, using caGrid-1_1_release_rc9 |
| 1.0.1 | 08/28/07 | Scott Oster | Fixed URL/port typos (template errors) |
{anchor:Deployment Planning}
h1. Deployment Planning
----
Select the services you want to deploy, and identify the hosts for them. This document describes deploying all the core services, and uses 6 different hosts, with multiple different containers on each host (note the port differences in the table). The simplest way to run multiple containers on the same host is to just use different user accounts for each (that isn't strictly necessary, but you must be sure to separate the environment variables and directory structures appropriately if you don't).
In general, you can deploy as many core services in the same container as you like, but you should be aware of the performance and security ramifications of doing so. That is, as we are using host credentials for secure containers, each service in the container shares the same "identity." Some services are awarded administrative rights to other services (e.g. Dorian is an admin on GTS, to publish CRLs), so you'll likely at least want to separate the security services from one another. At a bare minimum, try to run Dorian and the GTSs in their own containers. Some services, like the Index Service, may have a large memory footprint in some scenarios, so you'll want to keep that in mind as well. The maximum flexibility is achieved by running each service in its own container, but that is not always necessary or possible.
The following is a matrix of the nodes we are using, and which services are deployed on them:
{div:class=horizscroll}
| Host:Port | https | Index | GME | caDSR | EVS | FQP | Workflow | Dorian | GTS | SyncGTS | Grid Grouper | Authentication | Portal | Browser |
| cagrid-portal.nci.nih.gov | YES | | | | | | | | | @ | | | @ | @ |
| cagrid-auth.nci.nih.gov:8443 | YES | | | | | | | | | @ | | @ | | |
| cagrid-workflow.nci.nih.gov:8443 | YES | | | | | @ | @ | | | @ | | | | |
| cagrid-service.nci.nih.gov:8080 | NO | | @ | @ | @ | | | | | @ | | | | |
| cagrid-gridgrouper.nci.nih.gov:8443 | YES | | | | | | | | | @ | @ | | | |
| cagrid-index.nci.nih.gov:8080 | NO | @ | | | | | | | | @ | | | | |
| cagrid-gts-slave.nci.nih.gov:8443 | YES | | | | | | | | S | @ | | | | |
| cagrid-gts-master.nci.nih.gov:8443 | YES | | | | | | | | M | @ | | | | |
| cagrid-dorian.nci.nih.gov:8443 | YES | | | | | | | @ | | @ | | | | |
{div}
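The isolation rule from the planning text ("run Dorian and the GTSs in their own containers"), applied to a plan in the matrix format above. This is an added example, not part of the caGrid tooling; the function names, the `grid-*.example.org` rows and the decision to ignore the SyncGTS column are assumptions.

```shell
#!/bin/sh
# Added example: check a deployment matrix for containers where Dorian or GTS
# shares its container (and therefore its host identity) with another service.

HEADER='| Host:Port | https | Index | GME | caDSR | EVS | FQP | Workflow | Dorian | GTS | SyncGTS | Grid Grouper | Authentication | Portal | Browser |'

# audit_plan: reads wiki table rows (header row first) on stdin.
# Prints "SHARED <host:port>: <services>" for every offending container and
# returns 1 if any were found.
# Assumption: SyncGTS is ignored, because the plan deploys it in every container.
audit_plan() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    !/^\|/ { next }                          # skip anything that is not a table row
    !have_header {                           # the first row names the columns
        for (i = 4; i <= NF; i++) col[i] = trim($i)
        have_header = 1
        next
    }
    {
        guarded = ""; rest = ""
        for (i = 4; i <= NF; i++) {
            if (trim($i) == "" || col[i] == "SyncGTS") continue
            if (col[i] == "Dorian" || col[i] == "GTS") guarded = guarded " " col[i]
            else rest = rest " " col[i]
        }
        n = split(guarded, g, " ")
        if (n > 1 || (n == 1 && rest != "")) {
            printf "SHARED %s:%s%s\n", trim($2), guarded, rest
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Rows copied from the matrix above (index, both GTS nodes, Dorian).
page_plan() {
    printf '%s\n' "$HEADER"
    cat <<'EOF'
| cagrid-index.nci.nih.gov:8080 | NO | @ | | | | | | | | @ | | | | |
| cagrid-gts-slave.nci.nih.gov:8443 | YES | | | | | | | | S | @ | | | | |
| cagrid-gts-master.nci.nih.gov:8443 | YES | | | | | | | | M | @ | | | | |
| cagrid-dorian.nci.nih.gov:8443 | YES | | | | | | | @ | | @ | | | | |
EOF
}

# Constructed rows: grid-a co-locates Dorian with a GTS, grid-b puts the Index
# Service next to a GTS, grid-c hosts only Grid Grouper.
constructed_plan() {
    printf '%s\n' "$HEADER"
    cat <<'EOF'
| grid-a.example.org:8443 | YES | | | | | | | @ | M | @ | | | | |
| grid-b.example.org:8443 | YES | @ | | | | | | | S | @ | | | | |
| grid-c.example.org:8443 | YES | | | | | | | | | @ | @ | | | |
EOF
}

echo "Plan from the matrix above:"
page_plan | audit_plan && echo "  no shared Dorian/GTS containers"
echo "Constructed plan:"
constructed_plan | audit_plan || echo "  isolation rule violated"
```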
The following is a listing of the service URLs for this deployment:
|| Authentication Service | [https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService|https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService] ||
|| caDSR | [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/CaDSRService|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/CaDSRService] ||
|| Dorian | [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian] ||
|| EVS | [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService] ||
|| FQP | [https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/FederatedQueryProcessor|https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/FederatedQueryProcessor] ||
|| GME | [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange] ||
|| Grid Grouper | [https://cagrid-gridgrouper.nci.nih.gov:8443/wsrf/services/cagrid/GridGrouper|https://cagrid-gridgrouper.nci.nih.gov:8443/wsrf/services/cagrid/GridGrouper] ||
|| GTS (Master) | [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS] ||
|| GTS (Slave) | [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS] ||
|| Index | [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] ||
|| Workflow | [https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/WorkflowFactoryService|https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/WorkflowFactoryService] ||
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# Tables similar to the examples shown above
{anchor:HSM setup}
h1. Hardware Security Module (HSM) Setup
----
{info}
*NOTE: This section is optional, and is for those who will be generating CAs on a Hardware Security Module.* {info}
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
*(**\* Using the HSM with Dorian REQUIRES that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files ([Java 5|http://java.sun.com/javase/downloads/index_jdk5.jsp]) be installed into your JVM ***)*
From the machine which houses the HSM:
* Add the following location to your LD_LIBRARY_PATH: _/opt/Eracom/lib_
* Download the \[[SafeNet Protect Server Gold HSM utilities|http://gforge.nci.nih.gov/frs/download.php/2216/eracom-utils.tgz]\].
* Decompress the downloaded file, eracom-utils.tgz as follows:
{noformat}
%> tar xvzf eracom-utils.tgz
{noformat}
* Run the HSM administration tool as follows:
{noformat}
%> cd eracom-utils
%> ant adminEracomHSM
{noformat}
* If this is the first time you have run the HSM admin tool, you will be required to initialize the HSM. This will require creating a pin for both a _Security Officer_ and _User_.
* After the HSM is initialized you will be asked to authenticate. Select the _User_ radio button, enter your User pin in the _pin_ text field, and click the _Ok_ button.
* Next we must set the Security Mode of the HSM to FIPS 140-2. To do so, from the _Edit_ menu select _Security Mode_. This will bring up the _Modify Security Mode_ window. Select the following: (1) the _FIPS 140-2_ radio button, (2) the _Tamper on Upgrade_ check box, and (3) the _Mode Locked_ checkbox. Click the _Ok_ button; this will reset the security mode and may require you to re-authenticate.
* Now we must create slots or locations to store the CA keys and certificates. We will create two slots, one for the GTS CA, and one for the Dorian CA. To create the two slots, from the _File_ drop down select _Create Slots_. This will bring up a small window with a single text field; enter the number _2_ in the text field and click _Ok_. This will create two slots on the cards. Once created, you will be required to re-authenticate to the HSM admin tool.
* Next we must initialize each of the slots we created in the last step:
* *Complete the following to initialize the _GTS Slot_:*
** From the _Edit_ drop down select _Tokens...._, this will bring up the _Manage Tokens_ window. From the _Slot_ drop down select the first slot that is labeled _(uninitialized token)_. The number associated with the slot will be the slot number for the GTS CA. Click the _Initialise_ button, this will bring up the _Initialise Token_ window.
** In the _Token Label_ text field enter _gts_.
** Create and verify a _Security Officer_ pin for this slot.
** Create and verify a _User_ pin for this slot.
** Click the _Ok_ button, this will initialize the _GTS Slot_
* *Complete the following to initialize the _Dorian Slot_:*
** From the _Edit_ drop down select _Tokens...._, this will bring up the _Manage Tokens_ window. From the _Slot_ drop down select the first slot that is labeled _(uninitialized token)_. The number associated with the slot will be the slot number for the Dorian CA. Click the _Initialise_ button, this will bring up the _Initialise Token_ window.
** In the _Token Label_ text field enter _dorian_.
** Create and verify a _Security Officer_ pin for this slot.
** Create and verify a _User_ pin for this slot.
** Click the _Ok_ button, this will initialize the _Dorian Slot_
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# HSM Security Officer PIN
# HSM User PIN
# 'gts' slot number
# 'gts' slot Security Officer PIN
# 'gts' slot User PIN
# 'dorian' slot number
# 'dorian' slot Security Officer PIN
# 'dorian' slot User PIN
h1. Security Bootstrapping
----
In order for a caGrid release to be configured to point to this deployment, some things need to be known before attempting to deploy the software. We will use a [binary build of the 'gridca' project|http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip] from a checkout of the release branch in order to create the GTS CA and credentials. Then, the 'target grid' will be created, and the release candidate will be cut. The remainder of the process will use the installer and code from the release candidate. Anyone else following these instructions could just use the actual caGrid release for these steps.
{anchor:Generate GTS}
h2. Generate GTS CA
----
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
* Download [the binary release of the gridca project|http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip] and save it to USER_HOME/ext.
* Unzip the downloaded zip file (this should create the directory _USER_HOME/ext/gridca_).
{noformat}
%> unzip caGrid-1.1-gridca-bin.zip
{noformat}
* The _gridca_ binary release also needs Globus to be installed (but not configured) so it can use libraries it provides. Download [http://gforge.nci.nih.gov/frs/download.php/1334/ws-core-enum-4.0.3.zip|http://gforge.nci.nih.gov/frs/download.php/1334/ws-core-enum-4.0.3.zip] and save it to USER_HOME/ext/gridca_globus.
* Unzip the downloaded zip file (this should create the directory _USER_HOME/ext/gridca_globus/ws-core-4.0.3_).
{noformat}
%> unzip ws-core-enum-4.0.3.zip
{noformat}
* To generate the GTS CA run the following from the gridca directory (_USER_HOME/ext/gridca_), specifying the GLOBUS_LOCATION as an argument (or you could just set the GLOBUS_LOCATION environment variable, but we will later be installing Globus elsewhere):
** *NOTE:* When running the commands, be sure to replace USER_HOME with your home directory (or \~).
{noformat}
%> cd USER_HOME/ext/gridca
%> ant -Denv.GLOBUS_LOCATION=USER_HOME/ext/gridca_globus/ws-core-4.0.3 generateEracomCA
{noformat}
This will run a command line program that will prompt you for the following:
# An alias or name for the CA. Enter the following: _gtsca_
# The Distinguished Name (DN) of the CA. Enter the following: _O=caBIG,OU=caGrid,OU=Trust Fabric,CN=caGrid Trust Fabric Certificate Authority_
# The number of days that the certificate authority should be valid for. Enter the following: _3650_.
# The slot number on the HSM where the CA should be created. You should enter the number of the slot you initialized for the GTS CA [earlier; refer to your notes|#HSM setup]
# Enter the password for the HSM. You should enter the _User_ pin you created for the GTS slot when you initialized it [earlier; refer to your notes|#HSM setup]
# Finally enter a directory where you would like the program to write out the CA certificate for the GTS CA.
Below is an example output of running the program just described:
{noformat}
%> ant generateEracomCA
Buildfile: build.xml
generateEracomCA:
[input] Please enter an alias for the new CA (ex. gtsca):
gtsca
[input] Please enter the DN for the new CA (ex. O=osu,OU=bmi,CN=Some CA):
O=caBIG,OU=caGrid,OU=Trust Fabric,CN=caGrid Trust Fabric Certificate Authority
[input] Please enter the number of days the new CA will be valid for:
3650
[input] Please enter a slot number on the HSM to store the CA:
0
[input] Please enter the password for the HSM:
mypassword
[input] Please enter a directory to write the CA certificate to:
.
[java] Successfully created the CA certificate:
[java] O=caBIG,OU=caGrid,OU=Trust Fabric,CN=caGrid Trust Fabric Certificate Authority
[java] CA certificate valid till:
[java] Thu Jul 20 15:03:52 EDT 2017
[java] The CA certificate and private key were written to slot 4 on the HSM.
[java] The CA certificate was written to the file: /home/grid/projects/caGrid-1.1/projects/gridca/./68907d53.0
[java] The CA signing policy was written to the file: /home/grid/projects/caGrid-1.1/projects/gridca/./68907d53.signing_policy
BUILD SUCCESSFUL
Total time: 8 minutes 29 seconds
{noformat}
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# The location of the generated CA Certificate and CA Signing Policy files
h3. Backup the CA to a Smart Card
* Add the following location to your LD_LIBRARY_PATH: _/opt/Eracom/lib_
* Download the \[[SafeNet Protect Server Gold HSM utilities|http://gforge.nci.nih.gov/frs/download.php/2216/eracom-utils.tgz]\].
* Decompress the downloaded file, eracom-utils.tgz as follows:
{noformat}
%> tar xvzf eracom-utils.tgz
{noformat}
* Run the HSM key management tool as follows:
{noformat}
%> cd eracom-utils
%> ant manageEracomKeys
{noformat}
This will bring up the _Safenet, Inc. Key Management Utility_, to back up the GTS CA keys using this utility complete the following steps:
# Insert a _SafeNet Protect Host / Protect Server (FW V2.02 and Later) Smartcard_ into the HSM smart card reader.
# From the _Select a Token_ drop down, select the slot containing the _GTS CA_ private key and certificate.
# In the _Enter Pin_ dialog, enter the user pin for the slot selected, and click the _Ok_ button.
# Holding the _Ctrl_ button, left click the CA private key and certificate such that both the CA private key and certificate are selected.
# Right click on the selected items and select _Export_ from the right click menu. This will launch the _Export Key(s)_ window.
# Select the _Write to smart card(s)_ option.
# In the _Batch Name_ text box enter _gtsca_.
# In the _No. Custodians_ text box enter _2_.
# Click the _Ok_ button. This will bring up the _Exporting_ window.
# In the _Username_ text box enter a username. In the _Smartcard Pin_ text box enter a pin or password. In the _Re Enter Pin_ text box, re-enter the pin. The username and pin selected will apply to the first of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
# Click the _Ok_ button. This will bring up a _Please Confirm_ dialog.
# Click the _Ok_ button. This will bring up another dialog asking you to enter the HSM administrative pin, enter it and click _Ok_. At this point the HSM will begin to write to the first smart card, this may take several minutes. When this has completed a dialog will appear asking you to insert another smart card.
# Remove the first smart card, insert a second smart card, and click the _Ok_ button. This will bring up the _Exporting_ dialog.
# In the _Username_ text box enter a username. In the _Smartcard Pin_ text box enter a pin or password. In the _Re Enter Pin_ text box, re-enter the pin. The username and pin selected will apply to the second of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
# Click the _Ok_ button. This will bring up a _Please Confirm_ dialog.
# Click the _Ok_ button. At this point the HSM will begin to write to the second smart card; this may take several minutes. When this has completed, a dialog will appear with the message _Export Successful_. At this point you have successfully backed up the GTS CA onto smart cards.
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should note the following:
# The username and pin for each of the two smart cards across which the GTS CA is backed up.
# You should label each of the two smart cards and place them in a safe place, both smart cards will be required for restoring the GTS CA.
{anchor:Create GTS Master}
h2. Create GTS (Master) Credentials
----
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
In order to run a GTS we need to obtain host credentials signed by the GTS certificate authority. This can be accomplished by running a command line utility supplied by the _gridca_ package. Since the GTS CA key exists in a HSM we must run this utility from the machine that the HSM resides on. To create the host credentials for the Master GTS please run the following from the _gridca_ directory (USER_HOME/ext/gridca), which you created from [the download|http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip] earlier. We will be specifying the GLOBUS_LOCATION as an argument (or you could just set the GLOBUS_LOCATION environment variable, but we will later be installing Globus elsewhere):
* *NOTE:* When running the commands, be sure to replace USER_HOME with your home directory (or \~).
{noformat}
%> cd USER_HOME/ext/gridca
%> ant -Denv.GLOBUS_LOCATION=USER_HOME/ext/gridca_globus/ws-core-4.0.3 createAndSignEracomHostCertificate
{noformat}
This program will prompt you for the following:
# The alias of the GTS CA, enter _gtsca_.
# The slot number on the HSM in which the GTS CA is stored. You should enter the number of the slot you initialized earlier for the GTS CA.
# Enter the password for the HSM. You should enter the User pin you created for the GTS slot when you initialized it earlier.
# Enter the host name of the host that will run the Master GTS. Enter: _cagrid-gts-master.nci.nih.gov_
# Enter the number of days that the host credential will be valid. Enter: _1825_
# Enter the location to write the host's private key to. Enter _cagrid-gts-master.nci.nih.gov-trust-key.pem_.
# Enter the location to write the host's certificate to. Enter _cagrid-gts-master.nci.nih.gov-trust-cert.pem_.
Below is an example output of running the program just described:
{noformat}
%> ant createAndSignEracomHostCertificate
Buildfile: build.xml
createAndSignEracomHostCertificate:
[input] Please enter an alias for the new CA (ex. gtsca):
gtsca
[input] Please enter a slot number on the HSM where the CA is stored:
0
[input] Please enter the password for the HSM:
mypassword
[input] Please enter the Hostname [dorian.bmi.ohio-state.edu]:
cagrid-gts-master.nci.nih.gov
[input] Please enter the number of days the host certificate will be valid for:
1825
[input] Please enter a location to write the host key:
cagrid-gts-master.nci.nih.gov-trust-key.pem
[input] Please enter a location to write the host certificate:
cagrid-gts-master.nci.nih.gov-trust-cert.pem
[java] Successfully created the host certificate:
[java] O=caBIG,OU=caGrid,OU=Trust Fabric,CN=host/cagrid-gts-master.nci.nih.gov
[java] Host certificate issued by:
[java] O=caBIG,OU=caGrid,OU=Trust Fabric,CN=caGrid Trust Fabric Certificate Authority
[java] Host certificate valid till:
[java] Sat Jul 21 15:37:10 EDT 2012
[java] Host private key written to:
[java] cagrid-gts-master.nci.nih.gov-trust-key.pem
[java] Host certificate written to:
[java] cagrid-gts-master.nci.nih.gov-trust-cert.pem
BUILD SUCCESSFUL
Total time: 2 minutes 24 seconds
{noformat}
*(**\* The host certificate and private key generated should be securely moved to the host that will run the Master GTS, and deleted from the local system ***)*
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the following information for future use:
# The location of the generated certificate and private key on the machine you copied them to (which will run the Master GTS service)
{anchor:Create GTS Slave}
h2. Create GTS (Slave) Credentials
----
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
In order to run a GTS we need to obtain host credentials signed by the GTS certificate authority. This can be accomplished by running a command line utility supplied by the _gridca_ package. Since the GTS CA key exists in a HSM we must run this utility from the machine that the HSM resides on. To create the host credentials for the Slave GTS please run the following from the _gridca_ directory (USER_HOME/ext/gridca), which you created from [the download|http://gforge.nci.nih.gov/frs/download.php/2215/caGrid-1.1-gridca-bin.zip] earlier. We will be specifying the GLOBUS_LOCATION as an argument (or you could just set the GLOBUS_LOCATION environment variable, but we will later be installing Globus elsewhere):
* *NOTE:* When running the commands, be sure to replace USER_HOME with your home directory (or \~).
{noformat}
%> cd USER_HOME/ext/gridca
%> ant -Denv.GLOBUS_LOCATION=USER_HOME/ext/gridca_globus/ws-core-4.0.3 createAndSignEracomHostCertificate
{noformat}
This program will prompt you for the following:
# The alias of the GTS CA, enter _gtsca_.
# The slot number on the HSM in which the GTS CA is stored. You should enter the number of the slot you initialized earlier for the GTS CA.
# Enter the password for the HSM. You should enter the User pin you created for the GTS slot when you initialized it earlier.
# Enter the host name of the host that will run the Slave GTS. Enter: _cagrid-gts-slave.nci.nih.gov_
# Enter the number of days that the host credential will be valid. Enter: _1825_
# Enter the location to write the host's private key to. Enter _cagrid-gts-slave.nci.nih.gov-trust-key.pem_.
# Enter the location to write the host's certificate to. Enter _cagrid-gts-slave.nci.nih.gov-trust-cert.pem_.
Below is an example output of running the program just described:
{noformat}
%> ant createAndSignEracomHostCertificate
Buildfile: build.xml
createAndSignEracomHostCertificate:
[input] Please enter an alias for the new CA (ex. gtsca):
gtsca
[input] Please enter a slot number on the HSM where the CA is stored:
0
[input] Please enter the password for the HSM:
mypassword
[input] Please enter the Hostname [dorian.bmi.ohio-state.edu]:
cagrid-gts-slave.nci.nih.gov
[input] Please enter the number of days the host certificate will be valid for:
1825
[input] Please enter a location to write the host key:
cagrid-gts-slave.nci.nih.gov-trust-key.pem
[input] Please enter a location to write the host certificate:
cagrid-gts-slave.nci.nih.gov-trust-cert.pem
[java] Successfully created the host certificate:
[java] O=caBIG,OU=caGrid,OU=Trust Fabric,CN=host/cagrid-gts-slave.nci.nih.gov
[java] Host certificate issued by:
[java] O=caBIG,OU=caGrid,OU=Trust Fabric,CN=caGrid Trust Fabric Certificate Authority
[java] Host certificate valid till:
[java] Sat Jul 21 15:37:10 EDT 2012
[java] Host private key written to:
[java] cagrid-gts-slave.nci.nih.gov-trust-key.pem
[java] Host certificate written to:
[java] cagrid-gts-slave.nci.nih.gov-trust-cert.pem
BUILD SUCCESSFUL
Total time: 2 minutes 24 seconds
{noformat}
*(**\* The host certificate and private key generated should be securely moved to the host that will run the Slave GTS, and deleted from the local system ***)*
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# The location of the generated certificate and private key on the machine you copied them to (which will run the Slave GTS service)
h1. Release bootstrapping
----
{info}
*NOTE: This section is only necessary if you are deploying a grid which will be present as a target grid in a release of caGrid. (i.e. unless you are redistributing caGrid, or making the actual caGrid release, you likely don't need to do this)*{info}
In caGrid/share/resources/target_grids/ configure the appropriate target grid, or add a new one (by copying an existing one).
For the training grid, there are various files in caGrid/share/resources/target_grids/training, which need to be edited.
# Examine each file for Service URLs, and replace the values appropriately with those to be used in this deployment as [planned above|#Deployment Planning] (the properties files and XML files should contain such values). Generally you will just need to replace the hostname, port, and protocol (http/https) in the files that are already present.
# Place the GTS CA public certificate (the .0 file) and signing policy file (the .signing_policy file), [generated above|#Generate GTS], in the certificates directory of the target grid. (caGrid/share/resources/target_grids/training/certificates).
*The caGrid release process should be followed at this point to generate a release, and create the caGrid installer. This configured release is what the rest of the deployment should use.*
h1. Core Security Services
----
h2. Dorian
----
{anchor:Dorian Installation}
h3. Dorian Installation
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
* If it exists delete the directory: _USER_HOME/.globus/certificates_.
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer into it, and unzip the installer in the created directory.
The following is provided as an example:
{noformat}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{noformat}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{noformat}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{noformat}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. Select the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* Select the _"Dorian"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** {info}*NOTE: this step may take a while to download and extract all the files, and build caGrid.* {info}!imagegallery:BreakTime.png^BreakTime.png!
* Once the tasks have finished, click the _Next_ button.
* In the _Hostname_ text field, enter the name of the host (_cagrid-dorian.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter _8005_. In the _"HTTPS" Port_ text field enter _8443_.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, _Dorian Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* In the next screen, edit the database connection information specifying the _Database Hostname_, _Database Port_, _Database Name_, _Database Username_, and _Database Password_. Click the _Next_ button.
** {info}NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.{info}
* The next screen allows for the configuration of the Dorian IdP. Please complete the following steps:
# In the _IdP Name_ field enter _Dorian._
# From the _Registration Policy_ drop down, select _Automatic Registration_.
# Click the _Next_ button.
* The next screen allows for the configuration of the federation properties of Dorian. Please complete the following steps:
# In the _Credential Lifetime Years_ text field enter _5_.
# In the _GTS URL_ text field enter, [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# Click the _Next_ button.
* The next screen asks you which Dorian Certificate Authority type to use. From the _CA Type_ drop down select _EracomHybrid_. Click the _Next_ button.
* The next screen allows for the configuration of the Dorian Certificate Authority. To configure the Dorian CA complete the following steps:
# In the _CA Password_ text field enter the _User PIN_ you [created above|#HSM setup] for the Dorian CA Slot on the HSM.
# If the Dorian CA will have an _OID_ enter the _OID_ in the _OID_ text field. For NCICB Production, the OID is _2.16.840.1.113883.3.26.3.2_
# In the _Credential Auto-renew_ Years text field enter _5_.
# In the _Certificate Subject_ text field enter _O=caBIG,OU=caGrid,OU=LOA1,CN=caGrid LOA1 Certificate Authority_.
# In the _Lifetime Years_ text field enter _25_.
# In the _Eracom Slot Number_ text field enter the slot number of the Dorian CA Slot ([created above|#HSM setup]) on the HSM.
# Click the _Next_ button.
* The next screen facilitates the creation of host credentials for the Tomcat container running Dorian. To obtain the credentials complete the following steps:
# In the _Hostname_ text field enter the hostname of the host (cagrid-dorian.nci.nih.gov) that will run Dorian, from [your plan above|#Deployment Planning].
# In the _Directory_ text field specify a location to write those credentials to.
# Click the _Next_ button.
* Click the _Start_ button to install Dorian as configured.
* Once Dorian has finished installing click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
* During installation a copy of the Dorian CA certificate was placed in the directory _USER_HOME/.globus/certificates_. Assuming you deleted this directory before installation, there should be only two files in the directory:
# The CA certificate, which has a file prefix containing a hash code of the CA and an extension of _.0_, for example _68907d53.0_.
# The CA signing policy, which has a file prefix containing a hash code of the CA and an extension of _.signing_policy_, for example _68907d53.signing_policy_.
*It is important that you make a copy of the Dorian CA certificate, the file with the _.0_ extension. Please be sure to place the copy in a safe location as we will refer to it later in this guide.*
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# The location of the Dorian CA Certificate.
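The check below audits the trusted-certificates directory on the Dorian host against the state described above: one CA certificate with a digit extension, its matching _.signing_policy_ file, and nothing else. It is an added example, not part of the original guide or the caGrid distribution; the function name {{audit_trust_dir}} is hypothetical, and it checks file names only, not certificate contents.

```shell
#!/bin/sh
# Added example: audit a Globus trusted-certificates directory.
# Usage: audit_trust_dir "$HOME/.globus/certificates"      (expects 1 CA)
#        audit_trust_dir "$HOME/.globus/certificates" 2    (expects 2 CAs)

# Prints one line per finding. Returns 0 only when:
#   - every entry is a regular file named <prefix>.<digit> or <prefix>.signing_policy
#   - every CA certificate has a signing policy with the same prefix, and vice versa
#   - the number of CA certificates equals the expected count (default 1)
# Returns 2 when the directory itself is missing.
audit_trust_dir() (
    dir=$1
    expected=${2:-1}
    problems=0
    certs=0

    [ -d "$dir" ] || { echo "MISSING directory: $dir"; return 2; }

    # Second glob picks up hidden files, which would otherwise go unnoticed.
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue            # glob matched nothing
        name=${path##*/}
        if [ ! -f "$path" ]; then
            echo "PROBLEM $name is not a regular file"
            problems=$((problems + 1))
            continue
        fi
        case $name in
            *.[0-9])
                certs=$((certs + 1))
                prefix=${name%.*}
                if [ -f "$dir/$prefix.signing_policy" ]; then
                    echo "OK certificate $name has $prefix.signing_policy"
                else
                    echo "PROBLEM certificate $name has no $prefix.signing_policy"
                    problems=$((problems + 1))
                fi
                ;;
            *.signing_policy)
                prefix=${name%.signing_policy}
                found=0
                for candidate in "$dir/$prefix".[0-9]; do
                    if [ -f "$candidate" ]; then found=1; fi
                done
                if [ "$found" -eq 0 ]; then
                    echo "PROBLEM policy $name has no matching certificate"
                    problems=$((problems + 1))
                fi
                ;;
            *)
                # Anything else in a trust store deserves a look before startup.
                echo "PROBLEM unexpected file $name"
                problems=$((problems + 1))
                ;;
        esac
    done

    if [ "$certs" -ne "$expected" ]; then
        echo "PROBLEM found $certs CA certificate(s), expected $expected"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
)
```

Run it before starting the container; any PROBLEM line means the directory holds a trust anchor or file the installation steps above did not put there.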
h3. Starting Dorian
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
To start Dorian complete the following steps:
On Unix-based Systems
{noformat}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{noformat}
{info}*NOTE:* You may need to set execute permissions on the script, to be able to run it.{info}
On Windows-based Systems:
{noformat}
%> cd $CATALINA_HOME\bin
%> startup.bat
{noformat}
!imagegallery:Apply.png^Apply.png|align=left! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Initial Service Administration
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
When first run Dorian comes configured with a default user account, the _dorian_ user. For security reasons the first thing we want to do is register a second user. The second user should be considered a "real user" or bound to a "real person". Once we have created this user we will assign this user administrative rights and then remove the _dorian_ or default user. The GAARDS Admin UI (distributed with caGrid) provides a mechanism for administrating Dorian. To launch the GAARDS UI complete the following:
{noformat}
%> cd USER_HOME/ext/caGrid
%> ant security
{noformat}
{anchor:Register User}
h4. Register User
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
Through the UI we can create a second user account as follows:
# From the _Account Management_ menu, select the _Local Accounts_ sub menu, then select _Registration_. This will open a _Registration_ window.
# Complete the entire _Registration_ form.
# Click the _Apply_ button.
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# The username you selected for your account
# The password you selected for your account
h4. Approve User and Make IdP Administrator
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
Once the account is submitted we must approve the account (if needed, meaning auto-approve was not enabled on Dorian) and make this new user an administrator of the Dorian Identity Provider. To do this complete the following:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter _dorian_.
# In the _Password_ text field enter _DorianAdmin$1_.
# Click the _Authenticate_ button. This will authenticate you to Dorian using the default account and launch the _Proxy Manager_ window, click the _Set Default_ button and close the window.
# From the _Account Management_ menu, select the _Local Accounts_ sub menu, then select _Local Account Management_. This will open a _Local Account Management_ window.
# Click the _Find Users_ button.
# Select the user you just registered and click the _Manage User_ button. This will launch the _Manage User_ window for the user selected.
# Click the _Account Information_ tab.
# If not already selected, from the _User Status_ drop down select _Active_.
# From the _User Role_ drop down select _Administrator_.
# Click the _Update User_ button.
# Close all windows (with exception of the security UI itself).
{anchor:Test User}
h4. Test User Login
!imagegallery:Apply.png^Apply.png|align=left! These steps will verify we can login as the user we just created.
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
Now that we have activated the local account we should test that we can log in. Complete the following steps to log in to the Grid:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, DO NOT click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
!imagegallery:Record_note.png^Record_note.png|align=left! After completion of this section, you should record the following information for future use:
# Your "Grid Identity" from the _Proxy Manager_ window, for future use.
h4. Add User as a Grid Account Administrator
!imagegallery:Mycomputer.png^Mycomputer.png|align=left! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
Now that we have verified that the account has been created we need to make the newly created user a grid account administrator. To do so complete the following steps:
# From the _Account Management_ menu, select the _Grid Account Management_ sub menu, then select _Administrators_. This will open the _Administrators_ window.
# Click the _Add Admin_ button. This will launch the _Add Admin_ window.
# Click the _Find_ button. This will launch the _Find Users_ window.
# Click the _Find Users_ button, this will list all the users with Grid Accounts on Dorian.
# Select the user you just [created above|#Register User] and click the _Select Users_ button. This will return you to the _Add Admin_ window populating the _Grid Identity_ text field with the user just selected.
# Click the _Add Admin_ button. This will add the selected user as a grid account administrator.
# To verify click the _List Administrators_ in the _Administrators_ window, this should list all the users that are grid account administrators for Dorian. You should see the grid identity for the user you just added.
h4. Bind Existing Host Credentials to User
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
When we installed Dorian we created host credentials for the host running Dorian. Dorian binds all host credentials to a grid user account; if a grid user account is suspended or removed, the same is true of all host credentials bound to that account. The host credentials we created for the host running Dorian were by default bound to the _dorian_ account. Thus, before removing the _dorian_ account, we must bind Dorian's host credentials to the new admin user. This can be completed as follows:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _Account Management_ menu, select the _Grid Account Management_ sub menu, then select _Host Certificate Management_. This will open the _Host Certificate Management_ window.
# Click the _Find Host Certificates_ button. This will list all the host certificates issued by this Dorian, at this point there should most likely be one (the one for Dorian itself).
# Select the host certificate for the host running Dorian and click the _View/Update Host Certificate_ button. This will launch the _Host Certificate_ window for the selected host certificate.
# *Record the Host Grid Identity for future use*; this is the Identity of the host credential the Dorian service is running with.
# Click the _Find_ button next to the _Owner_ text field, this will launch the _Find Users_ window.
# Click the _Find Users_ button, this will list all the users with Grid Accounts on Dorian.
# Select the user you [created above|#Register User] and click the _Select Users_ button. This will return you to the _Host Certificate_ window populating the _Owner_ text field with the grid identity of the user just selected.
# Click the _Update Certificate_ button.
# To verify that this change was successfully made, from the _Host Certificate Management_ window, click the _Find Host Certificates_ button. This will list all the host certificates issued by this Dorian, at this point there should most likely be one (the one for Dorian itself).
# Select the host certificate for the host running Dorian and click the _View/Update Host Certificate_ button. This will launch the _Host Certificate_ window for the selected host certificate. Double check that the _Owner_ text field contains the grid identity of the user [created above|#Register User]. Close all windows with the exception of the security UI itself (the main application).
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the following information for future use:
# The "Host Grid Identity" of the Dorian Service
h4. Remove Default User Account
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
At this point we are ready to remove the default Dorian account. Before doing so, make sure that you have completed the steps above, specifically: 1) registered a new user, 2) approved the new user and made them an administrator of the Dorian IdP, 3) added the new user as a grid account administrator, and 4) bound the Dorian host credentials to the new user. Once you are confident that you completed the above steps, remove the default user account as follows:
# From the _Account Management_ menu, select the _Local Accounts_ sub menu, then select _Local Account Management_. This will open a _Local Account Management_ window.
# Click the _Find Users_ button.
# Select the _dorian_ user and click the _Remove User_ button.
{info}*NOTE:* After this is done, you will no longer be able to administer Dorian using the default user, and must be sure you remember the username and password for the new administrative account you [created above|#Register User].{info}
h3. Backup the CA to a Smart Card
* Add the following location to your LD_LIBRARY_PATH: _/opt/Eracom/lib_
* Download the [SafeNet Protect Server Gold HSM utilities|http://gforge.nci.nih.gov/frs/download.php/2216/eracom-utils.tgz].
* Decompress the downloaded file, eracom-utils.tgz as follows:
{noformat}
%> tar xvzf eracom-utils.tgz
{noformat}
* Run the HSM key management tool as follows:
{noformat}
%> cd eracom-utils
%> ant manageEracomKeys
{noformat}
This will bring up the _Safenet, Inc. Key Management Utility_, to back up the Dorian keys using this utility complete the following steps:
# Insert a _SafeNet Protect Host / Protect Server (FW V2.02 and Later) Smartcard_ into the HSM smart card reader.
# From the _Select a Token_ drop down, select the slot containing the _Dorian CA_ private key, certificate, and wrapping key.
# In the _Enter Pin_ dialog, enter the user pin for the slot selected, and click the _Ok_ button.
# Holding the _Ctrl_ button left click the CA private key, certificate, and wrapping key such that the CA private key, certificate, and wrapping key are selected.
# Right click on the selected items and select _Export_ from the right click menu. This will launch the _Export Key(s)_ window.
# Select the _Write to smart card(s)_ option.
# In the _Batch Name_ text box enter _dorianca_.
# In the _No. Custodians_ text box enter _2_.
# Click the _Ok_ button. This will bring up the _Exporting_ window.
# In the _Username_ text box enter a username. In the _Smartcard Pin_ text box enter a pin or password. In the _Re Enter Pin_ text box, re-enter the pin. The username and pin selected will apply to the first of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
# Click the _Ok_ button. This will bring up a _Please Confirm_ dialog.
# Click the _Ok_ button. This will bring up another dialog asking you to enter the HSM administrative pin, enter it and click _Ok_. At this point the HSM will begin to write to the first smart card, this may take several minutes. When this has completed a dialog will appear asking you to insert another smart card.
# Remove the first smart card, insert a second smart card, and click the _Ok_ button. This will bring up the _Exporting_ dialog.
# In the _Username_ text box enter a username. In the _Smartcard Pin_ text box enter a pin or password. In the _Re Enter Pin_ text box, re-enter the pin. The username and pin selected will apply to the second of two smart cards that the CA key(s) and certificate will be written to. You will need this username and pin to restore the CA key and certificate to the HSM.
# Click the _Ok_ button. This will bring up a _Please Confirm_ dialog.
# Click the _Ok_ button. At this point the HSM will begin to write to the second smart card, this may take several minutes. When this has completed a dialog will appear with a message _Export Successful_, at this point you have successfully backed up the Dorian CA onto smart cards.
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should note the following:
# The username and pin for each of the two smart cards across which the Dorian CA is backed up.
# You should label each of the two smart cards and place them in a safe place, both smart cards will be required for restoring the Dorian CA.
h2. GTS (Master)
----
h3. Master GTS Installation
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-master.nci.nih.gov).*
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer there, and unzip the installer into the created directory.
The following is provided as an example:
{noformat}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{noformat}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{noformat}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{noformat}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. Select the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* Select the _"GTS"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** {info}*NOTE: this step may take a while to download and extract all the files, and build caGrid.* !imagegallery:BreakTime.png^BreakTime.png! {info}
* Once the tasks have finished, click the _Next_ button.
* In the _Hostname_ text field, enter the name of the host (_cagrid-gts-master.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter _8005_. In the _"HTTPS" Port_ text field enter _8443_.
* Next the installer will ask if server credentials are present, select the _Yes_ check box and click next.
* In the _Certificate Path_ text field browse to the certificate created [here|#Create GTS Master].
* In the _Certificate Key_ text field browse to the private key created [here|#Create GTS Master].
* Click the _Next_ button.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, _GTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* In the next screen, edit the database connection information specifying the _Database Hostname_, _Database Port_, _Database Name_, _Database Username_, and _Database Password_. Click the _Next_ button.
** NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
* If a database with the same name exists in the database service, the next panel will indicate that the existing database will be destroyed. Press _Next_.
* The next screen prompts you for an initial administrator for the GTS. In the _Identity_ text field enter the Grid Identity for the user you created and logged on as [here|#Test User].
* Click the _Next_ button.
* Click the _Start_ button to install the GTS as configured.
* Once the GTS has finished installing click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Starting the Master GTS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-master.nci.nih.gov).*
To start the GTS complete the following steps:
* If it does not exist, create the directory: _USER_HOME/.globus/certificates_.
* Copy the GTS CA certificate ([Created Here|#Generate GTS]) to the directory, _USER_HOME/.globus/certificates_. The file should be named with a .digit\[0-9\] extension, for example _gtsca.0_.
* Copy the Dorian CA certificate ([Created Here|#Dorian Installation]) to the directory, _USER_HOME/.globus/certificates_. The file should be named with a .digit\[0-9\] extension, for example _dorianca.0_.
* Start Tomcat
On Unix-based Systems
{noformat}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{noformat}
{info}*NOTE:* You may need to set execute permissions on the script, to be able to run it.{info}
On Windows-based Systems:
{noformat}
%> cd $CATALINA_HOME\bin
%> startup.bat
{noformat}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Create Trust Levels
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-master.nci.nih.gov).*
A level of assurance or trust level specifies the level of confidence with which a given certificate authority is trusted in the Grid. The GAARDS Admin UI provides a mechanism for administrating the GTS, this includes creating trust levels. To launch the GAARDS UI complete the following:
{noformat}
%> cd USER_HOME/ext/caGrid
%> ant security
{noformat}
To add a trust level to the GTS using the GAARDS UI complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _Trust Fabric_ menu, select _Levels of Assurance_, this will launch the _Levels of Assurance_ window.
# Click the _Add Trust Level_ button, this will launch the _Add Trust Level_ window.
# In the _Service_ drop down select [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Name_ text box enter _LOA1_.
# In the _Description_ text box enter _This trust level maintains a grouping of caGrid LOA1 Authorities._
# Click the _Add Trust Level_ button, this will add the trust level to the GTS.
!imagegallery:Apply.png^Apply.png! To verify that the trust level was successfully added complete the following steps:
# From the _Trust Fabric_ menu, select _Levels of Assurance_, this will launch the _Levels of Assurance_ window.
# In the _Service_ drop down select [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# Click the _List Trust Levels_ button, this should list all the trust levels for the selected GTS in the table.
*If the _LOA1_ trust level appears in the table then it was successfully added.*
h3. Add Dorian to the Trust Fabric
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-master.nci.nih.gov).*
The GAARDS Admin UI provides a mechanism for administrating the GTS; this includes adding certificate authorities to the GTS. To launch the GAARDS UI complete the following:
{noformat}
%> cd USER_HOME/ext/caGrid
%> ant security
{noformat}
To add the Dorian CA to the GTS using the GAARDS UI complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _Trust Fabric_ menu select _Certificate Authorities_, this will launch the _Certificate Authorities_ window.
# Click the _Add Trusted Authority_ button, this will launch the _Add Certificate Authority_ window.
# In the Service drop down select [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# Click the _Import Certificate_ button, this will bring up a file browser. Browse to the file containing the Dorian CA Certificate ([Created Here|#Dorian Installation]) and click the _Open_ button. This will import the certificate into the UI.
# Click on the _Trust Levels_ tab.
# Select the check box for the _LOA1_ trust level.
# Click the _Add Trusted Authority_ button, this will add the Dorian CA to the GTS.
!imagegallery:Apply.png^Apply.png! To verify that the Dorian Certificate Authority was successfully added complete the following steps:
# From the _Trust Fabric_ menu select _Certificate Authorities_, this will launch the _Certificate Authorities_ window.
# In the _Service_ drop down select [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# Click the _Find Trusted Authorities_ button, this should list all the certificate authorities registered with GTS in the table.
*If the Dorian CA is listed in the table then it was successfully added.*
h3. Grant Dorian Rights to Publish its CRL
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-master.nci.nih.gov).*
The GAARDS Admin UI provides a mechanism for administrating the GTS; this includes granting permissions for administrating the GTS. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To grant Dorian the right to publish its CRL to the GTS using the GAARDS UI complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _Trust Fabric_ menu select _Permissions_, this will launch the _Permission_ window.
# Click the _Add Permission_ button, this will launch the _Add Permission_ Window.
# From the _Service_ drop down select [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Grid Identity_ text box enter: _/O=caBIG/OU=caGrid/OU=LOA1/OU=Services/CN=host/cagrid-dorian.nci.nih.gov_
# From the _Trusted Authority_ drop down select: _O=caBIG,OU=caGrid,OU=LOA1,CN=caGrid LOA1 Certificate Authority_
# From the _Role_ drop down select: _TrustAuthorityManager_.
# Click the _Add Permission_ button. This will grant Dorian the ability to publish its CRL to the GTS.
!imagegallery:Apply.png^Apply.png! To verify that Dorian was successfully granted rights to publish its CRL complete the following steps:
# From the _Trust Fabric_ menu select _Permissions_, this will launch the _Permission_ window.
# From the _Service_ drop down select [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# Click the _List Permissions_ button.
This will list all the rights granted on the GTS in the table. If Dorian was successfully granted rights to publish its CRL you will see a listing as follows:
* *Grid Identity* \- _/O=caBIG/OU=caGrid/OU=LOA1/OU=Services/CN=host/cagrid-dorian.nci.nih.gov_
* *Trusted Authority* \- _O=caBIG,OU=caGrid,OU=LOA1,CN=caGrid LOA1 Certificate Authority_
* *Role* \- _TrustAuthorityManager_
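The permission above pairs a slash-separated _Grid Identity_ with a comma-separated _Trusted Authority_ subject, so a typing mistake in either field is easy to miss. The following added example (not part of the original guide or of caGrid; the function names are hypothetical) checks the two values against each other before they are entered. It assumes, as the values on this page suggest, that host identities issued by Dorian sit under the CA subject's O/OU components and end in _CN=host/<hostname>_, and that subject values contain no escaped commas.

```shell
#!/bin/sh
# Added example: sanity-check a GTS permission entry before submitting it.

# to_slash_form "O=a,OU=b,CN=c"  prints  "/O=a/OU=b/CN=c"
to_slash_form() (
    rest=$1
    out=
    while [ -n "$rest" ]; do
        case $rest in
            *,*) rdn=${rest%%,*}; rest=${rest#*,} ;;
            *)   rdn=$rest; rest= ;;
        esac
        rdn=${rdn# }                  # tolerate "O=a, OU=b"
        out="$out/$rdn"
    done
    printf '%s\n' "$out"
)

# check_host_identity IDENTITY CA_SUBJECT HOSTNAME
# Returns 0 when IDENTITY lies under the CA's O/OU namespace and names HOSTNAME.
# The identity is matched by prefix and suffix rather than split on "/",
# because the CN value itself ("host/<hostname>") contains a slash.
check_host_identity() (
    identity=$1
    ca_subject=$2
    host=$3
    status=0

    ca_slash=$(to_slash_form "$ca_subject")
    namespace=${ca_slash%/CN=*}       # drop the CA's own CN component

    if [ -z "$namespace" ]; then
        echo "PROBLEM CA subject has no O/OU components: $ca_subject"
        status=1
    fi
    case $identity in
        " "*|*" ")
            echo "PROBLEM identity has leading or trailing whitespace"
            status=1 ;;
    esac
    case $identity in
        "$namespace"/*) ;;
        *)
            echo "PROBLEM identity is not under $namespace"
            status=1 ;;
    esac
    case $identity in
        */CN=host/"$host") ;;
        *)
            echo "PROBLEM identity does not end in /CN=host/$host"
            status=1 ;;
    esac

    if [ "$status" -eq 0 ]; then
        echo "OK identity names host $host under $namespace"
    fi
    return "$status"
)

# Values taken from this page:
# check_host_identity \
#   '/O=caBIG/OU=caGrid/OU=LOA1/OU=Services/CN=host/cagrid-dorian.nci.nih.gov' \
#   'O=caBIG,OU=caGrid,OU=LOA1,CN=caGrid LOA1 Certificate Authority' \
#   'cagrid-dorian.nci.nih.gov'
```

Compare the identity that passes this check with the _Host Grid Identity_ recorded earlier from the _Host Certificate_ window; the two strings should be identical.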
h3. Deploy SyncGTS to GTS (Master) Container
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-master.nci.nih.gov).*
* Shut down Tomcat as follows:
On Unix-based Systems
{code}
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd $CATALINA_HOME\bin
%> shutdown.bat
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"SyncGTS"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will then ask whether or not you want to re-install Ant. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Tomcat. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Globus. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install caGrid. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the _Yes_ check box is _NOT_ selected. Press _Next_.
* Click the _Start_ button.
* Click the _Next_ button.
* The installer will ask if you want to redeploy Globus to Tomcat; deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* The installer will ask if you want the container to be secure; select _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-master.nci.nih.gov_.
# *Unselect* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Click the _Start_ button. The installer will install SyncGTS; when the installation is finished, click the _Next_ button.
* Click the _Finished_ button.
* Close the installer.
* Start up Tomcat as follows:
On Unix-based Systems
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd $CATALINA_HOME\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h2. GTS (Slave)
h3. Slave GTS/SyncGTS Installation
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-slave.nci.nih.gov).*
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer there, and unzip the installer into the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. Select the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* Select the _SyncGTS_ check box.
* Select the _"GTS"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** *NOTE: this step may take a while to download and extract all the files, and build caGrid.* !imagegallery:BreakTime.png^BreakTime.png!
* Once the tasks have finished, click the _Next_ button.
* In the _Hostname_ text field, enter the name of the host (_cagrid-gts-slave.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter '8005'. In the _"HTTPS" Port_ text field enter _8443_.
* Next the installer will ask if server credentials are present, select the _Yes_ check box and click next.
* In the _Certificate Path_ text field browse to the certificate created [here|#Create GTS Slave].
* In the _Certificate Key_ text field browse to the private key created [here|#Create GTS Slave].
* Click the _Next_ button.
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-master.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, _GTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* In the next screen, edit the database connection information specifying the _Database Hostname_, _Database Port_, _Database Name_, _Database Username_, and _Database Password_. Click the _Next_ button.
** NOTE: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
* If a database with the same name exists in the database service, the next panel will indicate that the database will be destroyed. Press _Next_.
* The next screen prompts you for an initial administrator for the GTS. In the _Identity_ text field enter the Grid Identity for the user you recorded [here|#Test User].
* Click the _Next_ button.
* Click the _Start_ button to install the GTS as configured.
* Once the GTS has finished installing click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Starting the Slave GTS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-slave.nci.nih.gov).*
To start the GTS you need to start Tomcat as follows:
On Unix-based Systems
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd $CATALINA_HOME\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Add Master GTS as an Authority to the Slave GTS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gts-slave.nci.nih.gov).*
The GAARDS Admin UI provides a mechanism for administering the GTS, including adding authorities to a GTS. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To add the Master GTS as an authority of the Slave GTS using the GAARDS UI complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window; click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _Trust Fabric_ menu select _Trust Federation_; this will launch the _Trust Federation_ window.
# Click the _Add Authority_ button; this will launch the _Add Authority_ window.
# In the Service drop down select [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS]. This is the GTS you are administering.
# In the _GTS URI_ text box enter [https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS]. This is the GTS you are adding as an Authority to the GTS you are administering.
# From the _Perform Authorization_ drop down, select _True_.
# In the _Authorization Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-master.nci.nih.gov_.
# From the _Hours_ drop down select _4_.
# Click the _Add Authority_ button; this will add the master GTS to the slave GTS as an authority.
To verify that the Master GTS was successfully added as an authority to the Slave GTS, complete the following steps:
# From the _Trust Fabric_ menu select _Certificate Authorities_, this will launch the _Certificate Authorities_ window.
# In the Service drop down select [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS]
# Click the _Find Trusted Authorities_ button.
This will list all the trusted certificate authorities for the Slave GTS. If the Master GTS was successfully added to the Slave GTS as an authority you should see the Dorian CA listed.
*_(It may take a few minutes for the Slave GTS to sync with the Master GTS. If you do not see the Dorian CA listed immediately, click the Find Trusted Authorities button again in a few minutes.)_*
h2. Deploy SyncGTS to Dorian Container
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-dorian.nci.nih.gov).*
* Shut down Tomcat as follows:
On Unix-based Systems
{code}
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd $CATALINA_HOME\bin
%> shutdown.bat
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"SyncGTS"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will then ask whether or not you want to re-install Ant. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Tomcat. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Globus. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install caGrid. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the _Yes_ check box is _NOT_ selected. Press _Next_.
* Click the _Start_ button.
* Click the _Next_ button.
* The installer will ask if you want to redeploy Globus to Tomcat; deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* The installer will ask if you want the container to be secure; select _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Click the _Start_ button. The installer will install SyncGTS; when the installation is finished, click the _Next_ button.
* Click the _Finished_ button.
* Close the installer.
* Start up Tomcat as follows:
On Unix-based Systems
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd $CATALINA_HOME\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
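Each SyncGTS configuration above pairs a _GTS Service URI_ with the _GTS Identity_ that SyncGTS will accept from that service, so a value copied from the wrong section leaves a container checking for the wrong host. The following is an added example, not part of caGrid or its installer, that cross-checks the two values before they are typed in; the function names are made up for this example and the third input pair is a constructed mismatch.

```shell
#!/usr/bin/env bash
# Added example: cross-check a SyncGTS "GTS Service URI" against its "GTS Identity".
# Function names are hypothetical; nothing here calls caGrid or Globus tooling.

# Print the host part of a service URI (scheme, port and path removed).
# IPv6 literals are not handled.
uri_host() {
    local rest="${1#*://}"      # drop "https://"
    rest="${rest%%/*}"          # drop "/wsrf/services/..."
    printf '%s\n' "${rest%%:*}" # drop ":8443"
}

# Print the host named by a Globus-style host DN such as
#   /O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-master.nci.nih.gov
# The CN value itself contains a "/", so the DN cannot be split on "/";
# take everything after the last "/CN=" and strip the "host/" prefix.
dn_host() {
    local cn
    case "$1" in
        */CN=host/?*) ;;
        *) return 1 ;;          # not a host identity (e.g. a CA or user DN)
    esac
    cn="${1##*/CN=}"
    printf '%s\n' "${cn#host/}"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Succeed only if the URI is https and names the same host as the identity.
check_syncgts_pair() {
    local uri="$1" dn="$2" uh dh
    case "$uri" in
        https://*) ;;
        *) echo "GTS Service URI is not https: $uri" >&2; return 1 ;;
    esac
    dh="$(dn_host "$dn")" || { echo "GTS Identity is not a host DN: $dn" >&2; return 1; }
    uh="$(lower "$(uri_host "$uri")")"
    dh="$(lower "$dh")"
    if [ "$uh" != "$dh" ]; then
        echo "mismatch: URI host '$uh' but identity names '$dh'" >&2
        return 1
    fi
}

# The master and slave pairs entered on this page, then one constructed mismatch.
while IFS='|' read -r uri dn; do
    if check_syncgts_pair "$uri" "$dn" 2>/dev/null; then
        echo "OK   $uri"
    else
        echo "FAIL $uri <-> $dn"
    fi
done <<'EOF'
https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS|/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-master.nci.nih.gov
https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov
https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-master.nci.nih.gov
EOF
```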
h1. Metadata Services
h2. Index Service
h3. Install Index Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-index.nci.nih.gov).*
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer there, and unzip the installer into the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. Select the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* Select the _"Index Service"_ *{_}and{_}* _"SyncGTS"_ check boxes and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** *NOTE: this step may take a while to download and extract all the files, and build caGrid.* !imagegallery:BreakTime.png^BreakTime.png!
* Once the tasks have finished, click the _Next_ button.
* The installer will ask if you want the container to be secure. You do not, so *DO NOT* select Yes; click the next button.
* In the _Hostname_ text field, enter the name of the host (_cagrid-index.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter '8005'. In the _"HTTP" Port_ text field enter _8080_.
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Click the _Start_ button to install the services as configured.
* Once the services have finished installing click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Starting the Index Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-index.nci.nih.gov).*
On Unix-based Systems
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd $CATALINA_HOME\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validating the Index Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-index.nci.nih.gov).*
Now we will validate that the Index Service is running, and responding to queries. Type the following command:
{code}
$GLOBUS_LOCATION/bin/wsrf-query -a -z none -s http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService /
{code}
!imagegallery:Apply.png^Apply.png! You should see a bunch of XML printed to the screen; this is the contents of the Index Service.
Next we will print out the URLs of the services which are currently registered to the Index Service. Type the following command:
{code}
$GLOBUS_LOCATION/bin/wsrf-query -a -z none -s http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService "/*/*/*[local-name()='MemberServiceEPR']/*[local-name()='Address']/text()"
{code}
!imagegallery:Apply.png^Apply.png! You may see the URLs of one or more of the services we have already deployed. As we just started the Index Service (and services which have been trying to register may not have tried again yet), it may not be a complete list for at least 10 minutes. We will come back later and check that it is complete.
Finally, we will verify the Index Service using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and the resulting services will be output.
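Because the registration list fills in over several minutes, it helps to compare it against the deployment plan rather than read it by eye. The following is an added example, not part of caGrid, that takes the saved output of the second {{wsrf-query}} command above and reports planned services that are not yet registered and registered addresses that are not in the plan; the function names, the expected list (built from service URLs used on this page) and the sample query output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare Index Service registrations with the deployment plan.
# Save the page's second wsrf-query command to a file first, for instance by
# appending "> index-query.out" to it. This script only reads that file.

# Print every service URL found in the saved output, sorted and de-duplicated.
# Works whether the addresses are bare lines or wrapped in XML elements.
extract_urls() {
    grep -Eo 'https?://[^[:space:]<>"]+' "$1" | sort -u
}

# $1 = file of expected URLs (one per line), $2 = saved query output.
# Prints each expected URL that is not registered yet.
missing_registrations() {
    local registered url
    registered="$(extract_urls "$2")"
    while IFS= read -r url || [ -n "$url" ]; do
        [ -n "$url" ] || continue
        printf '%s\n' "$registered" | grep -Fqx -- "$url" || printf '%s\n' "$url"
    done < "$1"
    return 0
}

# Prints each registered URL that does not appear in the expected list.
unexpected_registrations() {
    extract_urls "$2" | grep -Fvx -f "$1" || true
}

demo_dir="$(mktemp -d)"

# Assumed plan: service URLs taken from this page; replace with your own.
cat > "$demo_dir/expected.txt" <<'EOF'
https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian
https://cagrid-gts-master.nci.nih.gov:8443/wsrf/services/cagrid/GTS
https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS
http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange
EOF

# Constructed sample of saved query output (not real output from the grid).
cat > "$demo_dir/index-query.out" <<'EOF'
https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS
https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian
http://unplanned-host.example.org:8080/wsrf/services/cagrid/Unknown
EOF

echo "Planned but not registered yet:"
missing_registrations "$demo_dir/expected.txt" "$demo_dir/index-query.out"
echo "Registered but not in the plan:"
unexpected_registrations "$demo_dir/expected.txt" "$demo_dir/index-query.out"

rm -rf "$demo_dir"
```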
h2. Global Model Exchange (GME)
{anchor:Install GME}
h3. Install GME
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer there, and unzip the installer into the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. Select the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* Select the _"GME"_ *{_}and{_}* _"SyncGTS"_ check boxes and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** *NOTE: this step may take a while to download and extract all the files, and build caGrid.* !imagegallery:BreakTime.png^BreakTime.png!
* Once the tasks have finished, click the _Next_ button.
* The installer will ask if you want the container to be secure. You do not, so *DO NOT* select Yes; click the next button.
* In the _Hostname_ text field, enter the name of the host (_cagrid-service.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter '8005'. In the _"HTTP" Port_ text field enter _8080_.
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, edit the database connection information specifying the _Database Hostname_, _Database Port_, _Database Name_, _Database Username_, and _Database Password_. Click the _Next_ button.
** *NOTE*: this will validate the JDBC connection settings (as they are needed later). If you get an error, be sure MySQL is installed and running with a username and password matching your specifications.
** *NOTE*: Be sure to pick a unique name for the database if you are using the same database server as other services.
* If there is a database with the same name in the database server, the next panel will indicate that the database will be destroyed. Press _Next_.
* In the next screen, _GME Standard Properties_ edit *(NOTE: These are important\! If they don't match your deployment, the GME won't work properly)*:
** the _service.deployment.host_ and set it to the host running GME (cagrid-service.nci.nih.gov)
** the _service.deployment.port_ and set it to the port running GME (8080)
** the _service.deployment.protocol_ and set it to the protocol for the GME (http)
** then click the _Next_ button.
* Click the _Start_ button to install the services as configured.
* Once the services have finished installing click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the following information for future use (if you plan to import existing data into the new GME):
# _Database Hostname_
# _Database Port_
# _Database Name_
# _Database Username_
# _Database Password_
h3. Importing Data into GME
*This step is optional, and allows us to import data from an existing GME installation. If you don't have an existing GME deployment which you want to extract data from, you can skip this section.*
The scripts provided, and detailed below, make some assumptions about your database environment. Explicitly, when used as is, they assume the mysql user is _root_ and that you are running them from the physical machine which is running the database. If this is not the case for your environment, you can either edit the scripts appropriately (for example, to include host and port information), or use your existing database backup/restore mechanisms.
h4. Export Data
*NOTE:* You must run these steps from a node which has access to the existing GME database. In this example, the current GME deployment host does have such access. If you are in a situation where it does not, you may need to additionally install caGrid on a host which does, or just copy the relevant scripts (used below) to that host.
1) We will use some scripts provided with caGrid to extract the data from the existing GME database.
{code}
%> cd USER_HOME/ext/caGrid/projects/gme/tools/move
%> ./gmeExportDB.sh <LEGACY GME DATABASE NAME> <LEGACY GME DATABASE PASSWORD>
{code}
*NOTE:* The _<LEGACY GME DATABASE NAME>_ and _<LEGACY GME DATABASE PASSWORD>_ should be, respectively, the database name and password of your existing GME deployment. By default, the _<LEGACY GME DATABASE NAME>_ is _GlobusGME_.
*NOTE:* If you are running these scripts on a unix-like system, and you have problems executing them, you may need to fix the permissions and line return characters by first running the command:
{code}
dos2unix *.sh
{code}
When running the command, you should see information like the following printed out:
{code}
Starting to backup databases
GME_REGISTRY.sql.gz
SCHEMA_STORE.sql.gz
SCHEMA_CACHE.sql.gz
Finished backing up databases into file gmeDBExport.tar
{code}
2) Copy the file _gmeDBExport.tar_ to the host where the new GME is being deployed, if this is not the same host.
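Before the archive is imported on the new host, it can be checked for completeness and for damage picked up in transit. The following is an added example, not one of the caGrid scripts, that accepts _gmeDBExport.tar_ only if it holds exactly the three dumps named in the export output and each one passes a gzip integrity test; it assumes the archive members carry the same names the export script prints, and the function name is made up for this example.

```shell
#!/usr/bin/env bash
# Added example: sanity-check gmeDBExport.tar before running gmeImportDB.sh.
# Assumption: the archive members are named as in the export script's output.
GME_DUMPS="GME_REGISTRY.sql.gz SCHEMA_STORE.sql.gz SCHEMA_CACHE.sql.gz"

# Returns 0 if the archive holds exactly the three dumps and each is valid gzip,
# 1 if a dump is missing, corrupt or accompanied by other members,
# 2 if the archive itself cannot be read.
verify_gme_export() {
    local tarball="$1" members extra name rc=0

    members="$(tar -tf "$tarball" 2>/dev/null)" || {
        echo "cannot read archive: $tarball" >&2
        return 2
    }
    # Normalise "./name" to "name" and drop the bare "./" directory entry.
    members="$(printf '%s\n' "$members" | sed -e 's|^\./||' -e '/^$/d')"

    # Anything beyond the three dumps is rejected; this also catches members
    # with absolute or "../" paths that would land outside the working directory.
    extra="$(printf '%s\n' "$members" | while IFS= read -r m; do
        case " $GME_DUMPS " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done)"
    if [ -n "$extra" ]; then
        echo "unexpected member(s): $extra" >&2
        rc=1
    fi

    for name in $GME_DUMPS; do
        if ! printf '%s\n' "$members" | grep -Fqx -- "$name"; then
            echo "missing dump: $name" >&2
            rc=1
            continue
        fi
        # Stream the member to gzip -t without writing it to disk.
        if ! { tar -xOf "$tarball" "$name" 2>/dev/null ||
               tar -xOf "$tarball" "./$name" 2>/dev/null; } | gzip -t 2>/dev/null; then
            echo "not valid gzip data: $name" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on a constructed archive (placeholder SQL, not real GME data).
demo_dir="$(mktemp -d)"
for name in $GME_DUMPS; do
    printf 'CREATE TABLE demo (id INT);\n' | gzip > "$demo_dir/$name"
done
( cd "$demo_dir" && tar -cf gmeDBExport.tar $GME_DUMPS )
if verify_gme_export "$demo_dir/gmeDBExport.tar"; then
    echo "archive looks complete"
else
    echo "archive rejected"
fi
rm -rf "$demo_dir"
```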
h4. Import Data
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
1) We will use some scripts provided with caGrid to import the data extracted from the existing GME database.
{code}
%> cd USER_HOME/ext/caGrid/projects/gme/tools/move
%> ./gmeImportDB.sh <NEW GME DATABASE NAME> gmeDBExport.tar <NEW GME DATABASE PASSWORD>
{code}
*NOTE:* The _<NEW GME DATABASE NAME>_ and _<NEW GME DATABASE PASSWORD>_ should respectively be the database name and password of your new GME deployment, which you recorded in the [GME installation process|#Install GME].
*NOTE:* If you are running these scripts on a unix-like system, and you have problems executing them, you may need to fix the permissions and line return characters by first running the command:
{code}
dos2unix *.sh
{code}
When running the command, you should see information like the following printed out:
{code}
GME_REGISTRY.sql.gz
SCHEMA_STORE.sql.gz
SCHEMA_CACHE.sql.gz
Importing gme database table data into GME_REGISTRY
Importing gme database table data into GME_SCHEMA_STORE
Importing gme database table data into GME_SCHEMA_CACHE
Finished Importing databases
{code}
2) Next we will modify the ownership of the old schemas to point to the new service. *This step is NOT REQUIRED if you are running the new GME with the same service URL as the old GME, in which case, you can skip this step.*
Again, we will use a script provided by caGrid.
{code}
%> cd USER_HOME/ext/caGrid/projects/gme/tools/move
%> ./gmeChangeURL.sh <NEW GME DATABASE NAME> <LEGACY GME SERVICE URL> http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange <NEW GME DATABASE PASSWORD>
{code}
*NOTE:* The _<NEW GME DATABASE NAME>_ and _<NEW GME DATABASE PASSWORD>_ should respectively be the database name and password of your new GME deployment, which you recorded in the [GME installation process|#Install GME]. The _<LEGACY GME SERVICE URL>_ should be the existing service URL of the GME which you exported the database from.
When running the command, you should see information like the following printed out:
{code}
Changing hostname to http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange
Finished Modifying Databases
{code}
h3. Starting the GME Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate GME
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
h4. Validate GME (Discovery)
First, we will verify the GME service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and see in the results, the GME Service running at [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange], from the appropriate hosting information.
h4. Validate GME (Extract)
Next, we will verify the GME service is able to return us appropriate schemas. To do this, we will execute an ant target provided by GME to extract some schemas we know to be present.
{code}
cd USER_HOME/ext/caGrid/projects/gme
ant gmeExtract
{code}
# When prompted for a directory, enter: _extract_testing_
# When prompted for the service URL of the GME, enter: [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange]
# When prompted for a comma separated list of schema uris to retrieve, enter: gme://caGrid.caBIG/1.0/gov.nih.nci.cagrid.metadata
!imagegallery:Apply.png^Apply.png! This script should then contact the GME and download several schemas into the _extract_testing_ directory; you should see results similar to the output example shown below. You can open each to ensure its contents are valid (i.e. non-empty). You can then delete the _extract_testing_ directory if desired, although leaving it there will not hurt anything either.
Example result of running script:
{code}
%> ant gmeExtract
Buildfile: build.xml
promptDirectory:
[input] Please enter the directory place the schema files. [./]:
extract_testing
promptService:
[input] Please enter the service url of the GME. [http://localhost:8080/wsrf/services/cagrid/GlobalModelExchange]:
http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/GlobalModelExchange
promptURIs:
[input] Please enter a comma separated list of schema uris to retrieve. :
gme://caGrid.caBIG/1.0/gov.nih.nci.cagrid.metadata
gmeExtract:
[java] Need to locate schema for namespace Domain = caGrid.caBIG, Name = 1.0/gov.nih.nci.cagrid.metadata
[java] Need to locate schema for namespace Domain = caGrid.caBIG, Name = 1.0/gov.nih.nci.cagrid.metadata
[java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.common.xsd
[java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.common.xsd
[java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.service.xsd
[java] Writting file extract_testing\caGrid.caBIG-1.0_gov.nih.nci.cagrid.metadata.xsd
[java] Writting file extract_testing\namespace2package.mappings
BUILD SUCCESSFUL
Total time: 24 seconds
{code}
h4. Validate GME (Introduce)
We will verify the GME using the Introduce capability to browse schemas in the GME.
{code}
cd USER_HOME/ext/caGrid
ant introduce
{code}
# Click the _Browse Data Types_ button on the top menu bar. This should open a _Discovery Tools_ window.
# Select the _Global Model Exchange_ tab.
# Verify there are values in the _Namespace_ and _Name_ combo boxes, and that the _Schema Text_ changes accordingly when you change the combo box selections.
!imagegallery:Apply.png^Apply.png! You should see the schemas listed.
h2. EVS Grid Service
{anchor:Install EVS}
h3. Install EVS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
* Shut down Tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"EVS"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will then ask whether or not you want to re-install Ant. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Tomcat. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Globus. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install caGrid. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the _Yes_ check box is _NOT_ selected. Press _Next_.
* Click the _Start_ button.
* Click the _Next_ button.
* The installer will ask if you want to redeploy Globus to Tomcat; deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* The installer will ask if you want the container to be secure. You do not, so deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, _EVS Standard Properties_, you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* Click the _Start_ button. The installer will install EVS, when the installation is finished click the _Next_ button.
* Click the _Finished_ button.
* Close the installer.
h3. Starting the EVS Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate EVS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
h4. Validate EVS (Discovery)
First, we will verify the EVS service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and see in the results, the EVS Service running at [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService], from the appropriate hosting information.
h4. Validate EVS (client)
We will verify the EVS using the client provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/evs
ant -Dservice.url=http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating some results of calling the client.
h2. caDSR Grid Service
h3. Install caDSR
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
* Shut down Tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"caDSR"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will then ask whether or not you want to re-install Ant. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Tomcat. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Globus. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install caGrid. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the _Yes_ check box is _NOT_ selected. Press _Next_.
* Click the _Start_ button.
* Click the _Next_ button.
* The installer will ask if you want to redeploy Globus to Tomcat; deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* The installer will ask if you want the container to be secure. You do not, so deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, _caDSR Standard Deploy-time Properties_, you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* In the next screen, _caDSR Standard Run-time Properties_, you DO NOT need to edit anything, just click the _Next_ button.
* Click the _Start_ button. The installer will install caDSR, when the installation is finished click the _Next_ button.
* Click the _Finished_ button.
* Close the installer.
h3. Starting the caDSR Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate caDSR
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-service.nci.nih.gov).*
h4. Validate caDSR (Discovery)
First, we will verify the caDSR service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and see in the results, the caDSR Service running at [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/CaDSRService|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/CaDSRService], from the appropriate hosting information.
h4. Validate caDSR (client)
We will verify the caDSR using the client provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/cadsr
ant -Dservice.url=http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/CaDSRService runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating some results of calling the client.
h1. Other Security Services
h2. GridGrouper
h3. Install caGrid
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gridgrouper.nci.nih.gov).*
If you have already installed caGrid in the account *{_}training_s{_}* on the host *{_}cagrid-gridgrouper.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to install caGrid.
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer into it, and unzip the installer in the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. *Unselect* the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* From the _Container Type_ drop down select _Tomcat_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** *NOTE: this step may take a while to download and extract all the files, and build caGrid.* !imagegallery:BreakTime.png^BreakTime.png!
* Once the tasks have finished, click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Request Host Credentials
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gridgrouper.nci.nih.gov).*
If you have already obtained host credentials from Dorian for the host *{_}cagrid-gridgrouper.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.
The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To request host credentials from Dorian using the GAARDS UI please complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _MyAccount_ select _Request a Host Certificate_, this will launch the _Request Host Certificate_ window.
# Select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian] from the _Service URI_ drop down.
# In the _Host_ text box enter _cagrid-gridgrouper.nci.nih.gov_.
# In the _Specify Directory to Write Credentials_ text box enter or browse to the directory: _USER_HOME/certificates_ (You may need to create this directory if it does not exist.)
# Click the _Request Host Certificate_ button.
# This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the _Close_ button.
If you followed the instructions above, the host certificate and private key will be written out as follows:
* *{_}Certificate{_}* \- _USER_HOME/certificates/cagrid-gridgrouper.nci.nih.gov-cert.pem_
* *{_}Private Key{_}* \- _USER_HOME/certificates/cagrid-gridgrouper.nci.nih.gov-key.pem_
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.
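Before giving these two paths to the installer, you can check that the key is readable only by its owner, that the certificate and key belong together, and that the certificate names this host. The script below is an added example, not part of caGrid or the GAARDS UI; it assumes the subject ends in _CN=host/<hostname>_ (the form shown for the GTS identity elsewhere on this page), requires the _openssl_ command, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example, not part of caGrid: pre-flight checks on a host certificate and
# key before their paths are entered in the installer.

# 0 if the file grants no permission bits to group or other (e.g. 0600, 0400).
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 if the certificate's public key equals the one derived from the private key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the subject contains CN=host/<hostname> (assumed naming convention).
cert_names_host() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    subject=${subject#subject=}
    subject=${subject# }
    case ",$subject," in
        *",CN=host/$2,"*) return 0 ;;
    esac
    return 1
}

# 0 if the certificate has not expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check, report each failure, and return non-zero if any failed.
check_host_credentials() {
    cert=$1 key=$2 host=$3 rc=0
    key_is_private "$key" || { echo "FAIL: $key is accessible to group or other" >&2; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL: certificate and key do not match" >&2; rc=1; }
    cert_names_host "$cert" "$host" || { echo "FAIL: subject CN is not host/$host" >&2; rc=1; }
    cert_is_current "$cert" || { echo "FAIL: certificate has expired" >&2; rc=1; }
    return $rc
}

# Constructed sample: a throwaway self-signed certificate for node.example.org.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Example/OU=Constructed/CN=host\/node.example.org' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    chmod 600 "$dir/key.pem"
    check_host_credentials "$dir/cert.pem" "$dir/key.pem" node.example.org
    status=$?
    rm -rf "$dir"
    return $status
}

# Usage: script CERT KEY HOSTNAME; with no arguments the constructed demo runs.
if [ "$#" -eq 3 ]; then check_host_credentials "$1" "$2" "$3"; else demo; fi
```

For the host in this section the call would be `check_host_credentials "$HOME/certificates/cagrid-gridgrouper.nci.nih.gov-cert.pem" "$HOME/certificates/cagrid-gridgrouper.nci.nih.gov-key.pem" cagrid-gridgrouper.nci.nih.gov`, with `$HOME` standing in for _USER_HOME_.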
h3. Install Grid Grouper/SyncGTS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gridgrouper.nci.nih.gov).*
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"SyncGTS" and "GridGrouper"_ check boxes and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will now ask you for the information it needs to install or re-install the following dependencies: Ant, Tomcat, and Globus.
* Indicate if/where each should be installed.
* The installer will also ask if caGrid should be re-installed. Do *NOT* check the _Yes_ check box.
* Then the installer will ask if you want to reconfigure caGrid. Again, do *NOT* check the _Yes_ check box.
* Press _Next_
* Press _Start_
The installer will now download and install whatever components you indicated should be (re)installed.
* Once the installer is finished downloading/copying the selected components, press _Next_.
* In the _Hostname_ text field, enter the name of the host (_cagrid-gridgrouper.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter '8005'. In the _"HTTPS" Port_ text field enter _8443_.
* Next the installer will ask if server credentials are present, select the _Yes_ check box and click next.
* In the _Certificate Path_ text field enter _USER_HOME/certificates/cagrid-gridgrouper.nci.nih.gov-cert.pem_
* In the _Certificate Key_ text field enter _USER_HOME/certificates/cagrid-gridgrouper.nci.nih.gov-key.pem_
* Click the _Next_ button.
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_, you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* Next the installer will ask you to configure GridGrouper. To configure GridGrouper complete the following steps:
# In the _Administrator Identity_ text box enter the Grid Identity for the user you created and logged on as [here|#Test User].
# In the _JDBC URL_ text box make any necessary changes to the default value such that the value contains the JDBC URL needed for interacting with your _MySQL_ database.
# In the _RDBMS Username_ text box enter the username of a user on your _MySQL_ database. _(This user should have the right to create databases.)_
# In the _RDBMS Password_ text box enter the password for the user entered in the _RDBMS Username_ text box.
# Click the _Next_ button.
* If there is a database with the same name in the database server, the next panel will indicate that this database will be destroyed. Press _Next_.
* In the next screen, _Grid Grouper Standard Properties_, you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* Click the _Start_ button to install Grid Grouper/SyncGTS as configured.
* Once the installation has completed click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Start Grid Grouper
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gridgrouper.nci.nih.gov).*
To start Grid Grouper, start Tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Testing Grid Grouper
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-gridgrouper.nci.nih.gov).*
The GAARDS Admin UI provides a mechanism for administrating the Grid Grouper. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To test that Grid Grouper has been installed and configured successfully, complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# Click the _MyGroups_ button, this will launch the _MyGroups_ window.
!imagegallery:Apply.png^Apply.png! When the _MyGroups_ window launches, the UI will connect to Grid Grouper and obtain all the groups that you are a member of. If Grid Grouper was successfully installed you should see that you are a member of the _Grid Grouper Administrators_ group on the Grid Grouper [https://cagrid-gridgrouper.nci.nih.gov:8443/wsrf/services/cagrid/GridGrouper|https://cagrid-gridgrouper.nci.nih.gov:8443/wsrf/services/cagrid/GridGrouper].
h2. Authentication Service
h3. Install caGrid
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
If you have already installed caGrid in the account *{_}globus{_}* on the host *{_}cagrid-auth.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to install caGrid.
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer into it, and unzip the installer in the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox, and de-select all other checkboxes.
Since Ant and Globus are dependencies of caGrid, you'll be prompted for where to install these. If you have already installed one or both of them, the installer will ask if you'd like to re-install them.
* Once you have indicated where/if to install Ant, Globus, and caGrid, you'll be presented with the _Select Target Grid_ panel.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Press the _Start_ button.
The installer will download and install caGrid (and perhaps Ant and Globus). It could take quite a while to download and install all of these components. A panel at the bottom of the screen indicates the installer progress.
* Once these components have been installed, the _Next_ button will be activated. Click _Next_.
* The following page will indicate that these environment variables should be set: _ANT_HOME_, _GLOBUS_LOCATION_.
* Set these environment variables now.
* Click _Finish_ and then _Close_ to close the installer.
h3. Request Host Credentials
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
If you have already obtained host credentials from Dorian for the host *{_}cagrid-auth.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.
The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To request host credentials from Dorian using the GAARDS UI please complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _MyAccount_ select _Request a Host Certificate_, this will launch the _Request Host Certificate_ window.
# Select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian] from the _Service URI_ drop down.
# In the _Host_ text box enter _cagrid-auth.nci.nih.gov_.
# In the _Specify Directory to Write Credentials_ text box enter or browse to the directory: _USER_HOME/certificates_ (You may need to create this directory if it does not exist.)
# Click the _Request Host Certificate_ button.
# This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the _Close_ button.
If you followed the instructions above, the host certificate and private key will be written out as follows:
* *{_}Certificate{_}* \- _USER_HOME/certificates/cagrid-auth.nci.nih.gov-cert.pem_
* *{_}Private Key{_}* \- _USER_HOME/certificates/cagrid-auth.nci.nih.gov-key.pem_
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.
h3. Install Authentication Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"SyncGTS" and "Authentication Service"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will now ask you for the information it needs to install or re-install the following dependencies: Ant, Tomcat, and Globus.
* Indicate if/where each should be installed.
* The installer will also ask if caGrid should be re-installed. Do *NOT* check the _Yes_ check box.
* Then the installer will ask if you want to reconfigure caGrid. Again, do *NOT* check the _Yes_ check box.
* Press _Next_
* Press _Start_
The installer will now download and install whatever components you indicated should be (re)installed.
* Once the installer is finished downloading/copying the selected components, press _Next_.
* In the _Hostname_ text field, enter the name of the host (_cagrid-auth.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter '8005'. In the _"HTTPS" Port_ text field enter _8443_.
* Next the installer will ask if server credentials are present, select the _Yes_ check box and click next.
* In the _Certificate Path_ text field enter _USER_HOME/certificates/cagrid-auth.nci.nih.gov-cert.pem_
* In the _Certificate Key_ text field enter _USER_HOME/certificates/cagrid-auth.nci.nih.gov-key.pem_
* Click the _Next_ button.
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* Next the installer will ask you if the service credentials should be used to sign SAML assertions. Select the _Yes_ check box.
* If the installer locates a JAAS configuration file at HOME/.java.login.config, it will ask you if it should append to, or overwrite that configuration. Select _Overwrite_ from the drop-down list. Press _Next_.
* Select _LDAP_ from the _Credential Provider Type_ drop-down list. Press _Next_.
* In the _AuthenticationService LDAP Credential Provider_ panel, provide the following values:
** *CSM Context Name:* AUTHNSVC
** *Host Name:* Any of the following values will work in QA
*** ldaps://ncids4a.nci.nih.gov:636
*** ldaps://ncids1b.nci.nih.gov:636
*** ldaps://ncids5a.nci.nih.gov:636
** *Search Base:* ou=nci,o=nih
** *Login ID Attribute:* cn
** *First Name Attribute:* givenName
** *Last Name Attribute:* sn
** *Email ID Attribute:* mail
* Press _Next_.
* In the next screen, _Edit AuthenticationService Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* Click the _Start_ button to install AuthenticationService/SyncGTS as configured.
* Once the installation has completed click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Add AuthenticationService as Trusted Identity Provider (IdP) to Dorian
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
The certificate which matches the key that the AuthenticationService is using to sign SAML assertions must be registered with Dorian as a trusted IdP.
To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, DO NOT click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# Click the _Account Management_ menu.
# Select _Grid Account Management_ > _Trusted Identity Provider(s)_.
# Select the proxy of the user you [created above|#Register User].
# Press the _Add Trusted IdP_ button.
# Select the _Certificate_ tab.
# Press the _Import Certificate_ button.
# Navigate to, and select the certificate at USER_HOME/certificates/cagrid-auth.nci.nih.gov-cert.pem
# Press the _Open_ button.
# Select the _IdP Information_ tab.
# Enter the name _NCICB AuthnSvc IdP_ into the _Name_ field.
# Select _Active_ as the _Status_.
# Select _Auto Approval / Auto Renewal_ as the _User Policy_.
# Check the _Password_ check box in the _Accepted Authentication Methods_ group.
# Press the _Add_ button.
# Press _Find Trusted Identity Providers_. You should see _NCICB AuthnSvc IdP_ in the list.
h3. Starting the Authentication Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate the Authentication Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
h4. Validate Authentication Service (Discovery)
First, we will verify the Authentication Service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and see in the results, the Authentication Service running at [https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService|https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService], from the appropriate hosting information.
h4. Validate Authentication Service (Login)
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-auth.nci.nih.gov).*
Verify that we can retrieve a proxy from Dorian using the AuthenticationService as the IdP.
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService|https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService].
# In the _User Id_ text field enter the username for your NCI account.
# In the _Password_ text field enter the password for this account.
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, do not click the _Set Default_ button.
# Close the window.
h1. Other Services
h2. Federated Query Processor (FQP)
h3. Install caGrid
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
If you have already installed caGrid in the account *{_}training_s{_}* on the host *{_}cagrid-workflow.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to install caGrid.
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox. *Unselect* the _Install caGrid Services_ checkbox. De-select all other check boxes. Click the _Next_ button.
* From the _Container Type_ drop down select _Tomcat_ and click _Next_.
* Next you will be asked to specify a directory in which to install Ant. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Ant installed (with the ANT_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_
* Next you will be asked to specify a directory in which to install Tomcat. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Tomcat installed (with the CATALINA_HOME environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install Globus. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have Globus installed (with the GLOBUS_LOCATION environment variable set), you will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
* Next you will be asked to specify a directory in which to install caGrid. In the _Directory_ text field enter _USER_HOME/ext_ and click the _Next_ button.
** If you already have caGrid installed...
*** You will be prompted if you want to reinstall it; choose _Yes_ if you would like to replace it. Press _Next_.
*** You will then be asked if you would like to reconfigure caGrid for another target grid; choose _Yes_ if you would like to reconfigure it. Press _Next_.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Click the _Start_ button, the installer will begin to download and install Ant, Tomcat, Globus, and caGrid.
** *NOTE: this step may take a while to download and extract all the files, and build caGrid.* !imagegallery:BreakTime.png^BreakTime.png!
* Once the tasks have finished, click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Request Host Credentials
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
If you have already obtained host credentials from Dorian for the host *{_}cagrid-workflow.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.
The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To request host credentials from Dorian using the GAARDS UI please complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window, click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From the _MyAccount_ select _Request a Host Certificate_, this will launch the _Request Host Certificate_ window.
# Select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian] from the _Service URI_ drop down.
# In the _Host_ text box enter _cagrid-workflow.nci.nih.gov_.
# In the _Specify Directory to Write Credentials_ text box enter or browse to the directory: _USER_HOME/certificates_ (You may need to create this directory if it does not exist.)
# Click the _Request Host Certificate_ button.
# This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the _Close_ button.
If you followed the instructions above, the host certificate and private key will be written out as follows:
* *{_}Certificate{_}* \- _USER_HOME/certificates/cagrid-workflow.nci.nih.gov-cert.pem_
* *{_}Private Key{_}* \- _USER_HOME/certificates/cagrid-workflow.nci.nih.gov-key.pem_
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.
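A pre-flight check for the credential files recorded in the _Request Host Credentials_ steps, added here as an example and not part of caGrid or its installer. It confirms that the key is private to the container account, that the certificate and key are a matching pair (for cagrid-auth the same certificate is later imported into Dorian as the trusted IdP certificate), that the certificate names the host, and that it has not expired. Assumptions: the {{openssl}} command-line tool is installed, the function name is hypothetical, and the certificate CN is either the host name or {{host/<hostname>}} (the form of the GTS identity shown on this page).

```shell
#!/bin/sh
# Added example, not part of caGrid: pre-flight check of a Dorian-issued host
# certificate and private key before their paths are given to the installer.
# Assumes the openssl command-line tool is installed.
# Stand-alone use: sh <this-script> HOSTNAME CERT_PEM KEY_PEM

failures=0
fail() { echo "FAIL: $*"; failures=$((failures + 1)); }

# Usage: check_host_credentials HOSTNAME CERT_PEM KEY_PEM
# Prints one line per finding and returns 0 only if every check passes.
check_host_credentials() {
    host=$1; cert=$2; key=$3
    failures=0

    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then echo "FAIL: cannot read $f"; return 1; fi
    done

    # 1. The private key must not be accessible to group or others: every
    #    service in a secure container shares this one host identity.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || fail "$key is accessible to group/others ($perms); chmod 600 it"

    # 2. Certificate and key must carry the same public key. "-passin pass:"
    #    stops openssl from prompting, so a passphrase-protected key is
    #    reported as unreadable rather than hanging the check.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ]; then
        fail "$cert is not a readable PEM certificate"
    elif [ -z "$key_pub" ]; then
        fail "$key is not a readable, unencrypted PEM private key"
    elif [ "$cert_pub" != "$key_pub" ]; then
        fail "certificate and private key do not belong together"
    fi

    # 3. The certificate must name this host. RFC2253 output puts the CN
    #    first; accepting "host/<hostname>" as well is an assumption based on
    #    the GTS identity format, not something the installer documents.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/^subject= *CN=\([^,]*\).*$/\1/p') || cn=""
    case "$cn" in
        "$host" | "host/$host") ;;
        *) fail "certificate CN '$cn' does not name $host" ;;
    esac

    # 4. The certificate must still be valid right now.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        fail "certificate has expired or could not be parsed"

    if [ "$failures" -eq 0 ]; then
        echo "OK: $cert and $key are usable for $host"
        return 0
    fi
    return 1
}

# Run the check when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then
    check_host_credentials "$@"
fi
```
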
h3. Install FQP/SyncGTS
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"SyncGTS" and "FQP"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will then ask whether or not you want to re-install Ant. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Tomcat. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Globus. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install caGrid. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* If you have already installed caGrid, the next panel will ask if you want to reconfigure caGrid for another target grid. Make sure the _Yes_ check box is _NOT_ selected. Press _Next_.
* Click the _Start_ button.
* Click the _Next_ button.
* The installer will ask if you want to redeploy Globus to Tomcat, deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* The installer will ask if you want the container to be secure, select _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* In the _Hostname_ text field, enter the name of the host (_cagrid-workflow.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter '8005'. In the _"HTTPS" Port_ text field enter _8443_.
* Next the installer will ask if server credentials are present, select the _Yes_ check box and click next.
* In the _Certificate Path_ text field enter _USER_HOME/certificates/cagrid-workflow.nci.nih.gov-cert.pem_
* In the _Certificate Key_ text field enter _USER_HOME/certificates/cagrid-workflow.nci.nih.gov-key.pem_
* Click the _Next_ button.
* Next the installer will ask you to configure SyncGTS. To configure SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# *Select* the _Perform First Sync?_ check box.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
# Click the _Next_ button.
* In the next screen, _Federated Query Processor Service Properties_ you DO NOT need to edit anything, just click the _Next_ button.
* In the next screen, _Federated Query Processor Standard Properties_ you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* Click the _Start_ button to install FQP/SyncGTS as configured.
* Once the installation has completed click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Start FQP
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
To start FQP, start tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate FQP
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
h4. Validate FQP (Discovery)
First, we will verify the FQP service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and see in the results, the FQP Service running at [https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/FederatedQueryProcessor|https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/FederatedQueryProcessor], from the appropriate hosting information.
h4. Validate FQP (client)
We will verify the FQP using the client provided with caGrid. By default this will invoke a federated query against the caBIO data service.
{code}
cd USER_HOME/ext/caGrid/projects/fqp
ant -Dservice.url=https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/FederatedQueryProcessor runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating some results of calling the client.
h2. Workflow
h3. Install Workflow Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
* Shut down Tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* De-select the _Install caGrid_ check box.
* Select the _Install caGrid Services_ check box.
* De-select all other check boxes.
* Click the _Next_ button.
* Select the _"Workflow"_ check box and click _Next_.
* From the _Container Type_ drop down select _"Tomcat"_ and click _Next_.
* The installer will then ask whether or not you want to re-install Ant. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Tomcat. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* The installer will then ask whether or not you want to re-install Globus. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* Next you will be asked to specify a directory in which to install ActiveBPEL. In the Directory text field enter USER_HOME/ext and click the Next button.
** If you already have ActiveBPEL installed (with the ACTIVEBPEL_HOME environment variable set), you will be prompted if you want to reinstall it; choose yes if you don't have the proper version or would like to replace it.
* The installer will then ask whether or not you want to re-install caGrid. Make sure the _Yes_ button is *NOT* selected and click _Next_.
* Click the _Start_ button.
* Click the _Next_ button.
* The installer will ask if you want to redeploy Globus to Tomcat, deselect _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* The installer will ask if you want the container to be secure, select _Yes_ and click the next button. _(The installer will not always ask this; if it does not, proceed to the next step.)_
* Edit the service metadata for your deployment. Be sure to provide:
** Appropriate _Research Center Metadata_ (including the Address, etc)
** Appropriate _Research Center Points of Contact_ (including a point of contact for support questions)
* Click the _Next_ button.
* In the next screen, _Workflow Service Properties_ you *DO need to edit* the abEndPoint property to make sure the port and protocol are correct for how you are deploying the service (i.e., edit http to https and 8080 to 8443), then click the _Next_ button.
* In the next screen, _Workflow Standard Run-time Properties_ you DO NOT need to edit anything, just click the _Next_ button.
** You should verify that _perform.index.service.registration_ is true and _index.service.url_ is set appropriately based on [your plan above|#Deployment Planning].
* The installer will then ask you for a _Username_ and _Password_ and _Role_ for the BPEL Administrative application. This will secure the ActiveBPEL administrative web application. You should enter and remember a _Username_ and _Password_, and leave the _Role_ as _admin_.
* Click the _Start_ button. The installer will install the Workflow Service, when the installation is finished click the _Next_ button.
* Click the _Finished_ button.
* Close the installer.
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the following information for future use:
# The _Username_ and _Password_ and _Role_ for the BPEL Administrative application. You won't need this for future deployment steps, but should keep it for potential future reference (so the Administrative application can be used).
h3. Start Workflow Service
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
To start the Workflow Service, start tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate Workflow
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-workflow.nci.nih.gov).*
h4. Validate Workflow (Discovery)
First, we will verify the Workflow service is properly advertising itself to the Index Service, using the DiscoveryClient provided with caGrid.
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and see in the results, the WorkflowService running at [https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/WorkflowFactoryService|https://cagrid-workflow.nci.nih.gov:8443/wsrf/services/cagrid/WorkflowFactoryService], from the appropriate hosting information.
h1. Web Applications
h2. Portal
h3. Install caGrid
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-portal.nci.nih.gov).*
If you have already installed caGrid in the account *{_}globus{_}* on the host *{_}cagrid-portal.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to install caGrid.
* [Click here|http://gforge.nci.nih.gov/frs/download.php/2371/caGrid-1.1-installer-rc11-ncicb.zip] to download the Installer.
* Create a directory for the installer in your home directory, copy the downloaded zip file containing the installer and unzip the installer into the created directory.
The following is provided as an example:
{code}
%> mkdir ~/installer
%> mv caGrid-1.1-rc1-installer.zip ~/installer
%> cd ~/installer
%> unzip caGrid-1.1-rc1-installer.zip
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* If you have not already installed caGrid select the _Install caGrid_ checkbox, and de-select all other checkboxes.
Since Ant and Globus are dependencies of caGrid, you'll be prompted for where to install these. If you have already installed one or both of them, the installer will ask if you'd like to re-install them.
* Once you have indicated where/if to install Ant, Globus, and caGrid, you'll be presented with the _Select Target Grid_ panel.
* Select the _NCICB Production Grid_ from the Target Grid drop down and click _Next_.
* Press the _Start_ button.
The installer will download and install caGrid (and perhaps Ant and Globus). It could take quite a while to download and install all of these components. A panel at the bottom of the screen indicates the installer progress.
* Once these components have been installed, the _Next_ button will be activated. Click _Next_.
* The following page will indicate that these environment variables should be set: _ANT_HOME_, _GLOBUS_LOCATION_.
* Set these environment variables now.
* Click _Finish_ and then _Close_ to close the installer.
h3. Request Host Credentials
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-portal.nci.nih.gov).*
If you have already obtained host credentials from Dorian for the host *{_}cagrid-portal.nci.nih.gov{_}* you may proceed to the next section, otherwise follow the instructions below to request host credentials from Dorian.
The GAARDS Admin UI provides a mechanism for requesting host credentials from Dorian. To launch the GAARDS UI complete the following:
{code}
%> cd USER_HOME/ext/caGrid
%> ant security
{code}
To request host credentials from Dorian using the GAARDS UI please complete the following steps:
# Click the _Login_ button. This will launch the _Login_ window.
# From the _Dorian Service_ drop down, select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# From the _Authentication Service_ drop down select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian].
# In the _User Id_ text field enter the username for the account just [created earlier|#Register User].
# In the _Password_ text field enter the password for the account just [created earlier|#Register User].
# Click the _Authenticate_ button. This will authenticate you to Dorian using the account just created and launch the _Proxy Manager_ window. Click the _Set Default_ button.
## If you have not yet done so, take note of your *Grid Identity*; this is the grid wide unique identifier for this user, which authorization policies can be set against.
# Close the window.
# From _MyAccount_, select _Request a Host Certificate_. This will launch the _Request Host Certificate_ window.
# Select [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian] from the _Service URI_ drop down.
# In the _Host_ text box enter _cagrid-portal.nci.nih.gov_.
# In the _Specify Directory to Write Credentials_ text box enter or browse to the directory: _USER_HOME/certificates_ (you may need to create this directory if it does not exist).
# Click the _Request Host Certificate_ button.
# This will request a host certificate from Dorian, and an informational window will then detail the results, telling you where the credentials were created. Record this information, and press the _Close_ button.
If you followed the instructions above, the host certificate and private key will be written out as follows:
* *{_}Certificate{_}* \- _USER_HOME/certificates/cagrid-portal.nci.nih.gov-cert.pem_
* *{_}Private Key{_}* \- _USER_HOME/certificates/cagrid-portal.nci.nih.gov-key.pem_
!imagegallery:Record_note.png^Record_note.png! After completion of this section, you should record the location of the host certificate and private key. The installer will ask you for these when you configure your secure container.
h3. Obtain Google Maps API Key
Go [here|http://www.google.com/apis/maps/signup.html] to sign up for a Google Maps API Key. You will have to create an account.
* Enter [https://cagrid-portal.nci.nih.gov:8443/portal|https://cagrid-portal.nci.nih.gov:8443/portal] as the value of the _My web site URL_ field.
* Press _Generate API Key_.
* Save the key for future use.
h3. Obtain Yahoo\! Application ID
Go [here|https://developer.yahoo.com/wsregapp/index.php] and apply for a Yahoo\! application ID. You'll have to create an account.
* Enter [http://cagrid-portal.nci.nih.gov:8080/portal|http://cagrid-portal.nci.nih.gov:8080/portal] in the _Web Application URL_ field. (NOTE: Yahoo will not validate the URL if you use HTTPS. It doesn't matter that the URL is not correct.)
* Select the _Generic, No user authentication required_ radio button.
* Click _Continue_.
* Save your new application id for future use.
h3. Install Portal
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* Select _Install caGrid Portal_ and de-select everything else.
* The installer will now ask you for the information it needs to install or re-install the following dependencies: Ant, Tomcat, and Globus.
* Indicate if/where each should be installed.
* The installer will also ask if caGrid should be re-installed. Do *NOT* check the _Yes_ check box.
* Then the installer will ask if you want to reconfigure caGrid. Again, do *NOT* check the _Yes_ check box.
* Press _Next_
* Press _Start_
The installer will now download and install whatever components you indicated should be (re)installed.
* Once the installer is finished downloading/copying the selected components, press _Next_.
* On the _Secure Deployment_ panel, select the _Yes_ check box. Press _Next_.
* In the _Hostname_ text field, enter the name of the host (_cagrid-portal.nci.nih.gov_) that will run the service and click the _Next_ button.
* In the _Shutdown_ port text field enter _8005_. In the _"HTTPS" Port_ text field enter _443_.
* Next the installer will ask if server credentials are present. Select the _Yes_ check box and click _Next_.
* In the _Certificate Path_ text field enter _USER_HOME/certificates/cagrid-portal.nci.nih.gov-cert.pem_
* In the _Certificate Key_ text field enter _USER_HOME/certificates/cagrid-portal.nci.nih.gov-key.pem_
* Click the _Next_ button.
* On the _Configure Portal Database_ panel, provide the appropriate values for each field. Press _Next_.
* If the installer displays an error message, go back and check that you have specified the correct values.
* If a database already exists with the name you gave in the previous step, the installer will ask if it should destroy that database. Select the _Yes_ check box. Press _Next_.
* Enter the Google Maps Key that you generated earlier.
* Enter the Yahoo\! Application ID that you generated earlier.
* Enter _portal_ into the _WebApp Context Name (war name)_ field.
* Enter a value of [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] in the _Index Service URLs_ list.
* Press _Next_
* Next the installer will ask you to configure SyncGTS. To configure the Portal SyncGTS complete the following steps:
# In the _GTS Service URI_ text box enter [https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS|https://cagrid-gts-slave.nci.nih.gov:8443/wsrf/services/cagrid/GTS].
# In the _Expiration Hours_ text box enter _12_.
# In the _GTS Identity_ text box enter _/O=caBIG/OU=caGrid/OU=Trust Fabric/CN=host/cagrid-gts-slave.nci.nih.gov_.
# Click the _Next_ button.
# In the next screen, _SyncGTS Standard Properties_, you DO NOT need to edit anything, just click the _Next_ button.
# Next the installer asks if you want to replace the "Default GTS CA". Make sure that the _Yes_ check box is *NOT* selected and click the _Next_ button.
* Click the _Start_ button to install the portal as configured.
* Once the installation has completed click the _Next_ button.
* The installer will instruct you to set the following environment variables: _ANT_HOME_, _GLOBUS_LOCATION_, and _CATALINA_HOME_. *Set these environment variables now.*
* Click the _Finish_ button and then click the _Close_ button to close the installer.
h3. Starting the Portal
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
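A pre-start check for the portal host on Unix-based systems, added here as an example (it is not part of caGrid or its installer): it confirms that the three environment variables point at directories, that the host certificate and key are where this guide writes them, that the private key is accessible to its owner only, and that the startup script is executable. {{CERT_DIR}} and {{PORTAL_HOST}} are assumed names, with {{$HOME/certificates}} standing in for _USER_HOME/certificates_.

```shell
#!/bin/sh
# Added example: pre-start checks for the portal host (not part of caGrid).
# Assumption: CERT_DIR defaults to $HOME/certificates (USER_HOME/certificates).
PORTAL_HOST="${PORTAL_HOST:-cagrid-portal.nci.nih.gov}"
CERT_DIR="${CERT_DIR:-$HOME/certificates}"

# Return 0 if the named environment variable points at an existing directory.
check_home_var() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then echo "FAIL: $1 is not set"; return 1; fi
    if [ ! -d "$val" ]; then echo "FAIL: $1=$val is not a directory"; return 1; fi
    echo "ok:   $1=$val"
}

# Return 0 if the private key exists and grants nothing to group or other.
check_key_perms() {
    if [ ! -f "$1" ]; then echo "FAIL: $1 not found"; return 1; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "FAIL: $1 is accessible to group/other ($bits); chmod 600 it"
        return 1
    fi
    echo "ok:   $1 is owner-only"
}

# Run every check; return non-zero if any of them failed.
preflight() {
    rc=0
    for v in ANT_HOME GLOBUS_LOCATION CATALINA_HOME; do
        check_home_var "$v" || rc=1
    done
    cert="${CERT_DIR}/${PORTAL_HOST}-cert.pem"
    if [ -f "$cert" ]; then
        echo "ok:   $cert"
    else
        echo "FAIL: $cert not found"; rc=1
    fi
    check_key_perms "${CERT_DIR}/${PORTAL_HOST}-key.pem" || rc=1
    if [ -x "${CATALINA_HOME:-}/bin/startup.sh" ]; then
        echo "ok:   startup.sh is executable"
    else
        echo "FAIL: \$CATALINA_HOME/bin/startup.sh is missing or not executable"
        rc=1
    fi
    return $rc
}
```

Source the file and run {{preflight}} before {{./startup.sh}}; it returns non-zero if any check fails.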
h3. Validate the Portal
* In your browser, go to [https://cagrid-portal.nci.nih.gov/portal|https://cagrid-portal.nci.nih.gov/portal].
* Click the _Maps_ tab.
* Click the _Services_ sub tab.
* Ensure that the map renders and displays all of the deployed services (except the index service, of course).
h2. Browser
h3. Install caGrid Browser
!imagegallery:Mycomputer.png^Mycomputer.png! *You should run the following commands from the machine (cagrid-portal.nci.nih.gov).*
* Shut down Tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./shutdown.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> shutdown.bat
{code}
* Launch the installer:
It can be run from wherever you downloaded it. From our instructions earlier that would be:
{code}
%> cd ~/installer
%> java -jar caGrid-1.1-installer.jar
{code}
* Accept the caGrid license and click _Next_.
* Select _Install caGrid Browser_ and de-select everything else.
* The installer will now ask you for the information it needs to install or re-install the following: Ant, Tomcat, Globus, and caGrid.
* Do NOT check yes on any of these panels.
* Finally, the installer will ask where caGrid Browser should be installed. Provide the path, and press _Next_.
* Press _Start_
The installer will now download and install caGrid Browser.
* Once the installer is finished downloading/copying, press _Next_.
* Do NOT check yes on the _Redeploy Globus_ panel. Press _Next_.
* Press _Next_ again.
* Enter the following values:
** *WebApp Context Name (war name):* cagrid-browser
** *EVS Grid Service URL:* [http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService|http://cagrid-service.nci.nih.gov:8080/wsrf/services/cagrid/EVSGridService]
** *IdP URL 1:* [https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService|https://cagrid-auth.nci.nih.gov:8443/wsrf/services/cagrid/AuthenticationService]
** *IdP URL 2:* [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian]
** *IFS URL:* [https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian|https://cagrid-dorian.nci.nih.gov:8443/wsrf/services/cagrid/Dorian]
* In the _Index Service URLs_ list, enter [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService]
* Press _Next_.
* Press the _Start_ button.
* When the installer finishes, press _Next_, _Finish_, _Close_.
The cagrid-browser logging configuration assumes that Tomcat will be started from CATALINA_HOME, but these deployment procedures start Tomcat from CATALINA_HOME/bin, so you need to modify that configuration. To do that, edit the _log4j.appender.browser.File_ property in CATALINA_HOME/webapps/cagrid-browser/classes/log4j.properties to look like this:
{code}
log4j.appender.browser.File=<CATALINA_HOME>/logs/cagrid-browser-log4j.log
{code}
...replacing <CATALINA_HOME> with the full path to the Tomcat installation directory.
* Start up Tomcat as follows:
On Unix-based Systems:
{code}
%> cd $CATALINA_HOME/bin
%> ./startup.sh
{code}
*NOTE:* You may need to set execute permissions on the script, to be able to run it.
On Windows-based Systems:
{code}
%> cd %CATALINA_HOME%\bin
%> startup.bat
{code}
!imagegallery:Apply.png^Apply.png! Once it has started up, be sure to look in $CATALINA_HOME/logs/catalina.out for any errors.
h3. Validate caGrid Browser
* In your browser, go to [https://cagrid-portal.nci.nih.gov/cagrid-browser|https://cagrid-portal.nci.nih.gov/cagrid-browser]
* Login using your NCI credentials.
* Select the _Discovery_ tab.
* Press the _Discovery Services_ button.
* Verify that all deployed services show up.
h1. Post Deployment Validation
h2. Discover Services
{code}
cd USER_HOME/ext/caGrid/projects/discovery
ant runClient
{code}
!imagegallery:Apply.png^Apply.png! You should see output indicating that the Index Service running at [http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService|http://cagrid-index.nci.nih.gov:8080/wsrf/services/DefaultIndexService] is being queried, and the resulting services will be output. At this point we should see all the services listed in the Service Table [above|#Deployment Planning], and they should indicate that they are from the appropriate provider (as supplied during the service deployment steps).





