NIH | National Cancer Institute | NCI Wiki  


...

This section will likely vary based on many factors, most notably your specific version of BDA and your existing deployment configuration steps.

TODO

TODO

Changes to Promotion Tiers (involves Systems Team)

...

1. Request Host Certificates for each grid-related server instance that is to become secured.
2. Make updates to the various jboss-4.0.5.GA-jems-ejb3/server/<serverinstance>/deploy/jbossweb-tomcat55.sar/server.xml files for the JBoss server instances requiring a secure grid listener.
3. Make updates to the server instance's bindings configuration (bindings.xml)
4. Ensure that the OS user account has Globus available on the file system with an environment variable exported (export GLOBUS_LOCATION=<path>)

Details for specific steps (above)

...

Request Host Certificates for each grid-related server instance that is to become secured.

...

Systems will need to request the host certificates for the various promotion tiers by following the instructions at http://cagrid.org/display/knowledgebase/Request+a+Host+Certificate, and place the generated pair of files (*-cert.pem and *-key.pem) in a location accessible to each of the user accounts responsible for running each JBoss server instance.

Note

When this is done, a hostname will need to be specified; it will be used by all server instances that resolve to this grid service hostname.

...

Make updates to the various jboss-4.0.5.GA-jems-ejb3/server/<serverinstance>/deploy/jbossweb-tomcat55.sar/server.xml files for the JBoss server instances requiring a secure grid listener.

...

Information on how to update jboss-4.0.5.GA-jems-ejb3/server/<serverinstance>/deploy/jbossweb-tomcat55.sar/server.xml files

Note

...

The Grid uses its own Trust Fabric and does not require certificates from an external Certificate Authority (CA) vendor; it includes its own local CA and knows how to trust these certificates. This is not a standard SSL configuration.

Basically, in this step you'll be adding an HTTPS <Connector> and removing any existing HTTP & HTTPS <Connector>(s) for the <Service> definition within the bundled Tomcat servlet container inside JBoss.

...

In the above example, you'll notice the absolute path to the host certificate files for the cert and key attributes. Again, these files can be anywhere on the filesystem so long as they are both accessible to the user account tied to the particular JBoss server instance (jboss-4.0.5.GA-jems-ejb3/server/<serverinstance>/).
Next, you'll need to choose a <DesiredPortForHTTPS> for both the port and proxyPort attributes and make sure that they are the same.

...

3.

...

Make updates to the server instance's bindings configuration (bindings.xml)

...

Lastly, some changes will need to be made to the bindings configuration for our server instance. In short, since we've removed the existing HTTP-based <Connector> and replaced it with an HTTPS-based <Connector>, we'll need to update the references to the previously defined HTTP-based port within the bindings.xml. Attached is an example bindings.xml that we've generated. You'll notice that we use 29443 throughout for our HTTPS port.

Note

It may be easiest, though somewhat confusing, to simply repurpose the existing HTTP port to become the HTTPS port. We chose not to do that; however, it appears to be a viable option too.

...

4.

...

Ensure that the OS user account has Globus available on the file system with an environment variable exported (export GLOBUS_LOCATION=<path>)

...

The binary can be found here, http://gforge.nci.nih.gov/svnroot/commonlibrary/trunk/techstack-2006/os-independent/ws-core-enum-4.0.3.zip

...
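A preflight check for the steps above, as an added example that is not part of the original page or of the BDA or caGrid projects: it parses a server.xml, finds the connectors carrying the cert and key attributes, and verifies that port equals proxyPort, that the host certificate files are readable by the current account, and that GLOBUS_LOCATION points at a directory. The sample XML is constructed and shows only the attributes named on this page (its file paths are placeholders), and the check that the key file is not accessible to other users is an assumption added here.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: only the attributes this page names; paths are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service>
    <Connector port="29443" proxyPort="29443"
               cert="/path/to/host-cert.pem" key="/path/to/host-key.pem"/>
  </Service>
</Server>"""


def check_grid_listener(server_xml, environ=os.environ):
    """Return a list of problems found in a server.xml string and the environment."""
    problems = []
    # Treat any <Connector> carrying cert/key attributes as the secure grid listener.
    secure = [c for c in ET.fromstring(server_xml).iter("Connector")
              if "cert" in c.attrib or "key" in c.attrib]
    if not secure:
        problems.append("no <Connector> with cert/key attributes found")
    for conn in secure:
        port, proxy = conn.get("port"), conn.get("proxyPort")
        if not port or port != proxy:
            problems.append(f"port ({port}) and proxyPort ({proxy}) must be set and equal")
        for attr in ("cert", "key"):
            path = conn.get(attr)
            if not path or not os.path.isabs(path):
                problems.append(f"{attr}: expected an absolute path, got {path!r}")
            elif not os.access(path, os.R_OK):
                problems.append(f"{attr} file not readable by this account: {path}")
            elif attr == "key" and os.stat(path).st_mode & stat.S_IRWXO:
                # Added assumption: the private key should not be open to "other".
                problems.append(f"key file is accessible to other users: {path}")
    globus = environ.get("GLOBUS_LOCATION")
    if not globus or not os.path.isdir(globus):
        problems.append(f"GLOBUS_LOCATION is unset or not a directory: {globus!r}")
    return problems


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for line in check_grid_listener(xml_text) or ["OK"]:
        print(line)
```

Run it as the account that starts the JBoss server instance, passing the path to that instance's server.xml, so the readability checks reflect what the server process will actually see.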