Deploying Secure Globus-WS to a Tomcat Container

Windows Installation Process:

Software Requirements:

Operating System: Microsoft Windows (XP, Vista, 2003, etc.)

Installing JDK

1. Download and install Java JDK 1.6+ (available from http://java.sun.com/javase/downloads/index.jsp)

2. Create a JAVA_HOME environment variable that points to your Java installation.

Example: JAVA_HOME=C:\Program Files\Java\jdk1.6.0_10

3. Add %JAVA_HOME%\bin to the %PATH% variable

Installing Apache Tomcat

1. Download Apache Tomcat 6.0.20 (available from http://tomcat.apache.org/download-60.cgi)

2. Extract the Zip file to C:\

3. Change directory to C:\apache-tomcat-6.0.20\conf

4. Make a backup copy of the server.xml file.

5. Create a CATALINA_HOME environment variable that points to: c:\apache-tomcat-6.0.20

6. Add %CATALINA_HOME%\bin to the %PATH% variable

7. Open the server.xml file located in the %CATALINA_HOME%\conf directory

8. Include the following entries in the <Service name="Catalina"> section of the server.xml file.

<Connector
    className="org.globus.tomcat.coyote.net.HTTPSConnector"
    port="8443" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75"
    autoFlush="true" disableUploadTimeout="true"
    scheme="https" enableLookups="true"
    acceptCount="10" debug="0"
    protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
    socketFactory="org.globus.tomcat.catalina.net.BaseHTTPSServerSocketFactory"
    keystoreFile="C:\apache-tomcat-6.0.20\conf\server.jks"
    keystorePass="changeit"
    cacertdir="c:\etc\grid-security\certificates"
    encryption="true"/>

9. Include the following entry in the <Engine name="Catalina" ... > section

<Valve className="org.globus.tomcat.coyote.valves.HTTPSValve55"/>

10. Save the file

Install Apache Ant

1. Download Apache Ant 1.7+ (available from http://ant.apache.org/bindownload.cgi)

2. Extract the Zip file to C:\

3. Create an ANT_HOME environment variable. Example: ANT_HOME=c:\apache-ant-1.7.1

4. Add %ANT_HOME%\bin to %PATH%

OpenSSL 0.9.8+ (for example, Win32 OpenSSL v0.9.8k Light: http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe)

Installing OpenSSL

1. Download OpenSSL v0.9.8k to a local directory

2. Double click on the executable file to start the installation

3. Change the installation directory to c:\OpenSSL and accept all defaults.

4. Change directory to c:\openSSL

5. Add c:\openssl\bin to the %PATH% variable

6. Change directory to %CATALINA_HOME%\conf

7. Create a Java Key Store by using the following commands:

keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Your_host_name, OU=phgrid.net, O=PHGRID, L=Atlanta, ST=GA, C=US" -keypass changeit -keystore server.jks -storepass changeit

keytool -genkeypair -alias globus -keystore globus.p12 -storetype pkcs12 -keyalg RSA -dname "CN=Your_host_name, OU=phgrid.net, O=PHGRID, L=Atlanta, ST=GA, C=US" -keypass changeit -storepass changeit

keytool -exportcert -alias globus -file globus.cer -keystore globus.p12 -storetype pkcs12 -storepass changeit

keytool -importcert -keystore server.jks -alias globus -file globus.cer -v -trustcacerts -noprompt -storepass changeit

del globus.cer

IMPORTANT NOTE: The password value should be changeit. If you choose not to use changeit as the password value, you must add the keystorePass parameter to your server.xml file.
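The note above ties the keystore password to the keystorePass attribute of the connector added in step 8. The following Python check is an added example, not part of the original guide or of Globus: it parses server.xml and reports missing Globus entries and use of the stock password changeit. The function name audit_server_xml and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CONNECTOR = "org.globus.tomcat.coyote.net.HTTPSConnector"
VALVE = "org.globus.tomcat.coyote.valves.HTTPSValve55"
REQUIRED = ("keystoreFile", "keystorePass", "cacertdir", "socketFactory")

# Constructed sample: a trimmed server.xml using the guide's connector values,
# with the <Valve> entry from step 9 left out on purpose.
SAMPLE = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector className="org.globus.tomcat.coyote.net.HTTPSConnector"
      port="8443" scheme="https" encryption="true"
      socketFactory="org.globus.tomcat.catalina.net.BaseHTTPSServerSocketFactory"
      keystoreFile="C:\apache-tomcat-6.0.20\conf\server.jks"
      keystorePass="changeit"
      cacertdir="c:\etc\grid-security\certificates"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

def audit_server_xml(xml_text):
    """Return a list of findings for the Globus HTTPS entries in server.xml."""
    service = ET.fromstring(xml_text).find("Service[@name='Catalina']")
    if service is None:
        return ['no <Service name="Catalina"> element found']
    findings = []
    connectors = [c for c in service.findall("Connector")
                  if c.get("className") == CONNECTOR]
    if not connectors:
        findings.append("Globus HTTPSConnector is missing from the service")
    for conn in connectors:
        port = conn.get("port", "?")
        for attr in REQUIRED:
            if not conn.get(attr):
                findings.append(f"port {port}: {attr} is not set")
        if conn.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the default 'changeit'")
        if conn.get("scheme") != "https" or conn.get("encryption") != "true":
            findings.append(f"port {port}: scheme/encryption do not enable HTTPS")
    # Step 9: the valve must sit inside the Catalina engine.
    engine = service.find("Engine[@name='Catalina']")
    valves = engine.findall("Valve") if engine is not None else []
    if not any(v.get("className") == VALVE for v in valves):
        findings.append("HTTPSValve55 is missing from the Catalina engine")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE):
        print("FINDING:", finding)
```
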

Importing the PHGrid CA certificates into your trusted keystore

1. Create the directory: c:\etc\grid-security\certificates

2. Create a Trusted CA environment variable: TRUSTED_CA=C:\etc\grid-security\certificates

3. Download 31f15ec4.0 and 31f15ec4.signing_policy from the PHGrid Wiki site and copy the files to c:\etc\grid-security\certificates

Hash file - http://sites.google.com/site/phgrid/Home/installation-procedurs/ncphilabsimplecainfo/31f15ec4.0?attredirects=0

Signing Policy - http://sites.google.com/site/phgrid/Home/installation-procedurs/ncphilabsimplecainfo/31f15ec4.signing_policy?attredirects=0

4. Change directory to %CATALINA_HOME%\conf

5. keytool -importcert -keystore server.jks -alias globusCA -file c:\etc\grid-security\certificates\31f15ec4.0 -v -trustcacerts -noprompt -storepass changeit

6. Verify each alias was added to the keystore by using the following command:

keytool -list -v -keystore server.jks -storepass changeit

Assumptions:

All prerequisite software has been installed by this point.

Globus Version 4.0.8 is being installed.

Installing Globus

1. Download Globus Java Core from http://www-unix.globus.org/toolkit/survey/index.php?download=ws-core-4.0.8-bin.zip

2. Create the directory: "c:\gt4"

3. Extract the ws-core-4.0.8-bin.zip file to "c:\gt4"

4. Create the environment variable GLOBUS_LOCATION=c:\gt4\ws-core-4.0.8

5. Add c:\gt4\ws-core-4.0.8\bin to the %PATH% environment variable

6. Copy all files in %GLOBUS_LOCATION%\lib to %CATALINA_HOME%\lib

Requesting and installing Host Certificates

1. Open a command prompt and change directory to: c:\etc\grid-security\

2. Request the new certificate by running the following commands:

1) %GLOBUS_LOCATION%\bin\grid-cert-request -host [hostname] -int

This will enter interactive mode for generating a request.

2) Enter CA email address: DWashington1@cdc.gov

3) Enter name component: o

Enter 'O' value: PHGRID

4) Enter name component: ou

Enter 'OU' value: "phgrid.net"

5) Enter name component: ou

Enter 'OU' value: Globus Public Health NCPHI

6) Enter name component: cn

Enter 'CN' value: [fully qualified host name, e.g. hostname.domainname.gov]

7) Enter name component: [hit enter]

8) Email the resulting C:\Documents and Settings\[username]\.globus\hostcert_request.pem to DWashington1@cdc.gov

9) Copy the pem file you receive from NCPHI to c:\etc\grid-security\containercert.pem

10) Copy the hostkey.pem file from c:\Documents and Settings\[username]\.globus\hostkey.pem to c:\etc\grid-security\hostkey.pem (generated along with hostcert_request.pem in step #7)

11) Copy the c:\etc\grid-security\hostkey.pem file to c:\etc\grid-security\containerkey.pem

12) Copy containercert.pem to importcontainercert.pem

13) Edit importcontainercert.pem, delete all text above the -----BEGIN CERTIFICATE----- line, and save the file

14) keytool -importcert -keystore server.jks -alias containercert -file c:\etc\grid-security\importcontainercert.pem -v -trustcacerts -noprompt -storepass changeit
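Steps 12 and 13 can be done without hand editing. The following Python sketch is an added example, not part of the original guide: it keeps only the certificate block from the file the CA returns, and refuses input that contains a private key or more than one certificate. The function name extract_certificate and the sample data are constructed for illustration.

```python
import base64
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholder bytes, not a real certificate: a DER SEQUENCE tag
# (0x30), a length byte and ten filler bytes.
FAKE_DER = b"\x30\x0a" + bytes(range(10))

# Constructed sample of a CA reply: a text dump above the PEM block.
SAMPLE = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Subject: O=PHGRID, OU=phgrid.net, CN=hostname.domainname.gov\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
)

def extract_certificate(pem_text):
    """Return only the PEM certificate block, dropping any text around it."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("input contains a private key; do not import it")
    bodies = CERT_RE.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError(f"expected one certificate block, found {len(bodies)}")
    body = "".join(bodies[0].split())
    der = base64.b64decode(body, validate=True)  # raises on non-base64 text
    if der[:1] != b"\x30":
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    # Re-wrap the base64 body at 64 characters per line.
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"

if __name__ == "__main__":
    # In real use, read containercert.pem and write importcontainercert.pem.
    print(extract_certificate(SAMPLE), end="")
```
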

Validating Host Certificate Installation

1. Run the following command to validate host certificate installation:

openssl verify -CApath c:\etc\grid-security\certificates -purpose sslserver c:\etc\grid-security\containercert.pem

You should get a message like: "c:\etc\grid-security\containercert.pem: OK" if the verification is successful.

Requesting and installing User Certificates

1. Open a command prompt and change directory to: %USERPROFILE%

2. Use the mkdir command to create the directories .globus and .globus\certificates

3. Run the following commands to request a user certificate:

1) %GLOBUS_LOCATION%\bin\grid-cert-request -int

This will enter interactive mode for generating a request.

2) Enter CA email address: DWashington1@cdc.gov

3) Enter name component: o

Enter 'O' value: PHGRID

4) Enter name component: ou

Enter 'OU' value: phgrid.net

5) Enter name component: ou

Enter 'OU' value: Globus Public Health NCPHI

6) Enter name component: ou

Enter 'OU' value: phgrid.net

7) Enter name component: cn

Enter 'CN' value: [Windows userid, e.g. bgates]

8) Enter name component: [hit enter]

9) Enter PEM pass phrase: [enter a difficult-to-guess pass phrase]

10) Email the resulting C:\Documents and Settings\[username]\.globus\usercert_request.pem to DWashington1@cdc.gov

11) Copy the usercert.pem file you receive from Dan to c:\Documents and Settings\[username]\.globus\usercert.pem (overwriting the existing file)

Validating User Certificate Installation

1. Run the following command to validate correct user certificate installation:

openssl verify -CApath c:\etc\grid-security\certificates -purpose sslclient "c:\Documents and Settings\[username]\.globus\usercert.pem"

You should get a message like: "c:\Documents and Settings\[username]\.globus\usercert.pem : OK" if the verification is successful.

Setting up Globus Environment Variables

1. Create the following environment variables:

X509_CA_CERT=31f15ec4.0

X509_CERT_DIR=c:\etc\grid-security\certificates

X509_USER_CERT="c:\documents and settings\[your_user_name]\.globus\usercert.pem"

X509_USER_KEY="c:\documents and settings\[your_user_name]\.globus\userkey.pem"

Deploying to Tomcat

1. Open a command prompt and change directory to: %GLOBUS_LOCATION%

2. Run the command ant -f share\globus_wsrf_common\tomcat\tomcat.xml deploySecureTomcat -Dtomcat.dir=C:\apache-tomcat-6.0.20

Testing Globus

1. Open a command prompt and run the command: %GLOBUS_LOCATION%\etc\globus-devel-env.bat

2. Open a command prompt and run: grid-proxy-init -verify

3. Copy %USERPROFILE%\Local Settings\Temp\x509up_u_<your_username> to %CATALINA_HOME%\temp

5. Start Tomcat using the following command:

%CATALINA_HOME%\bin\startup

6. Test the Secure Counter Service using the following command:

counter-client -m conv -p enc -z self -s https://[your_ip_address]:8443/wsrf/services/SecureCounterService

You should see the output below.

Got notification with value: 3

Counter has value: 3

Got notification with value: 13