1. Create a globus-based PEM server certificate and private key for the tomcat server.
2. Make sure that Opal has been installed successfully. If not, do so by
running the following command:
ant -f build-opal.xml install
3. To enable GSI HTTPS in Tomcat, use the sample etc/server.xml provided
(works for version 5.0.28). The following two snippets are responsible for
enabling https:
<Service name="Catalina">
...
<Connector className="org.globus.tomcat.coyote.net.HTTPSConnector"
port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" clientAuth="true"
debug="3" scheme="https"
autoFlush="true" encryption="true"
cert="/Users/sriramkrishnan/certs/app_service.cert.pem"
key="/Users/sriramkrishnan/certs/app_service.privkey"
cacertdir="/Users/sriramkrishnan/.globus/certificates" />
...
<Engine name="Catalina" defaultHost="localhost" debug="0">
....
<Valve className="org.globus.tomcat.coyote.valves.HTTPSValve"/>
....
</Engine>
</Service>
Make sure that the cert and key points correctly to the server certificate and key generated in Step 1, and that the cacertdir points to your list of trusted CAs.
4. To enable grid-map authorization of clients, add the following XML
fragment inside the <requestFlow/> element of the
<globalConfiguration/> in
$CATALINA_HOME/webapps/axis/WEB-INF/server-config.wsdd.
<handler type="java:edu.sdsc.nbcr.common.GridMapAuthHandler">
<parameter name="gridmap" value="/Users/sriramkrishnan/.globus/grid-mapfile"/>
</handler>
Make sure that the value points to a valid grid-map file. To authorize a
client to use the service, add an entry into the grid-map file with a
mapping between the client's DN and a local user. Since all jobs are being
launched as the app_user, map all client DN's to the generic app_user, e.g
the following is an entry in a grid-map file:
"/C=US/O=nbcr/OU=sdsc/CN=app_user" app_user
5. Restart the Tomcat server for the configurations to take effect.
6. Create a globus-based PEM certificate for the client, and create a limited-lifetime proxy by performing a "grid-proxy-init". Before invoking the client, make sure that the X509_USER_PROXY system property is set correctly to the location of the generated proxy. Also make sure that both the client and the server trust each others' CA's (by adding entries into the .globus/certificates and /etc/grid-security/certificates directories respectively, if need be). The GenericServiceClient class shows how the user credentials can be set inside a client stub in order to enable GSI HTTPS.