Background
This page documents the installation proceedure at SLAC.
Unix accounts
No log in. No password.
[yee@terapaths home]$ sudo /usr/sbin/luseradd terapaths -u 30000 -g terapaths
Java
From: here
[yee@terapaths installation]$ sudo mkdir /usr/java Password: [yee@terapaths installation]$ sudo mv jdk1.5.0_13/ /usr/java/
SJSAS
From here
[terapaths@terapaths installation]$ sh sjsas_pe-8_2-linux.bin sjsas_pe-8_2-linux.bin: sjsas_pe-8_2-linux.bin: cannot execute binary file [terapaths@terapaths installation]$ chmod ugo+x sjsas_pe-8_2-linux.bin
The Sun Java System Application Server Platform Edition components will be
installed in the following directory, which is referred to as the "Installation
Directory".To use this directory, press only the Enter key. To use a different
directory, type in the full path of the directory to use followed by pressing
the Enter key.
Installation Directory [/home/terapaths/SUNWappserver] {"<" goes back, "!"
exits}:
The directory "/home/terapaths/SUNWappserver" does not exist.
Do you want to create it now or choose another directory?
1. Create Directory
2. Choose New
Enter the number corresponding to your choice [1] {"<" goes back, "!"
exits} 1
The Sun Java System Application Server requires a Java 2 SDK.
Please provide the path to a Java 2 SDK 1.4.1 or greater.
Recommended version is 1.4.2 or greater. [/usr/java/jdk1.5.0_13] {"<" goes
back, "!" exits}
Supply the administrator user's password and override any of the other initial
configuration settings as necessary.
Administrator User [admin] {"<" goes back, "!" exits}:
Administrator User's Password (8 chars minimum):
Re-enter Password:
Do you want to store administrator user name and password in user preference
file [yes] {"<" goes back, "!" exits}? yes
Administration Port [4848] {"<" goes back, "!" exits}: 53470
HTTP Port [8080] {"<" goes back, "!" exits}: 40860
HTTPS Port [8181] {"<" goes back, "!" exits}: 48580
Please choose installation options.
Do you want to upgrade from previous Application Server version [no] {"<"
goes back, "!" exits}?
Installation Successful.
Next Steps:
1. Access the About Application Server PE 8 welcome page at:
file:///home/terapaths/SUNWappserver/docs/about.html
2. Start the Application Server by executing:
/home/terapaths/SUNWappserver/bin/asadmin start-domain domain1
3. Start the Admin Console:
http://localhost:53470
Append to configuration file
/home/terapaths/SUNWappserver/domains/domain1/config/server.policy
// TeraPaths-specific permissions
// Permission to NetworkDeviceController to create ClassLoaders for hardware drivers
grant codeBase "file:${com.sun.aas.instanceRoot}/generated/ejb/j2ee-modules/terapathsNetworkDeviceControllers/-" {
permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/terapathsNetworkDeviceControllers/-" {
permission java.lang.RuntimePermission "createClassLoader";
};
// Permissions needed by WAN proxy server(s)
grant codeBase "file:${com.sun.aas.instanceRoot}/generated/ejb/j2ee-modules/terapathsESnetOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/terapathsESnetOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
Change jvm settings, place within <java-config/> tag at end.
/home/terapaths/SUNWappserver/domains/domain1/config/domain.xml
<!-- this is to prevent the java.lang.OutOfMemoryError: PermGen space during deployment--> <jvm-options>-XX:MaxPermSize=256m</jvm-options> <!-- --> <!-- additional jvm options to fix file descriptor leak due to sockets not being closed (bug#:6321777) --> <jvm-options>-server</jvm-options> <jvm-options>-Dcom.sun.enterprise.web.connector.grizzly.useKeepAliveAlgorithm=true</jvm-options> <jvm-options>-Dcom.sun.enterprise.web.connector.grizzly.socketSoTimeout=30000</jvm-options> <jvm-options>-Dcom.sun.enterprise.web.connector.grizzly.maxKeepAliveRequests=250</jvm-options> <jvm-options>-Dcom.sun.enterprise.server.ss.ASQuickStartup=false</jvm-options> <!-- end of additional jvm options -->
Security Setup
Need keys etc.
[terapaths@terapaths ~]$ export PATH=$PATH:/usr/java/jdk1.5.0_13/bin/
[terapaths@terapaths ~]$ keytool -list -keystore /home/terapaths/SUNWappserver/domains/domain1/config/keystore.jks Enter keystore password: changeit Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry s1as, Nov 8, 2007, keyEntry, Certificate fingerprint (MD5): F1:C4:86:53:BD:35:41:33:CC:3B:41:32:A7:E2:6C:EE
Add DOE Cert and ESnet
[terapaths@terapaths ~]$ keytool -import -noprompt -trustcacerts -alias DOECertAlias -file /home/terapaths/installation/DOE-01.25.13.pem -keystore /home/terapaths/SUNWappserver/domains/domain1/config/cacerts.jks -storepass changeit Certificate was added to keystore [terapaths@terapaths ~]$ keytool -import -noprompt -trustcacerts -alias ESnetAlias -file /home/terapaths/installation/ESnet-10.26.22.pem -keystore /home/terapaths/SUNWappserver/domains/domain1/config/cacerts.jks -storepass changeit Certificate was added to keystore [terapaths@terapaths config]$ pwd /home/terapaths/SUNWappserver/domains/domain1/config [terapaths@terapaths config]$ keytool -list -keystore /home/terapaths/SUNWappserver/domains/domain1/config/cacerts.jks Enter keystore password: changeit Keystore type: jks Keystore provider: SUN Your keystore contains 13 entries verisignc1g3, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73 verisignc1g2, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83 esnetalias, Nov 9, 2007, trustedCertEntry, Certificate fingerprint (MD5): 32:AC:21:5D:DE:43:73:E9:3A:EE:90:BC:17:C4:8F:36 verisignc1g1, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): 97:60:E8:57:5F:D3:50:47:E5:43:0C:94:36:8A:B0:62 verisignc2g3, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6 verisignc2g2, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1 verisignc2g1, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E doecertalias, Nov 9, 2007, trustedCertEntry, Certificate fingerprint (MD5): F3:76:00:EC:D0:8E:DB:20:BC:2B:E0:06:60:24:C4:9F verisignc3g3, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09 verisignc3g2, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9 verisignc3g1, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67 s1as, Nov 8, 2007, trustedCertEntry, Certificate fingerprint (MD5): F1:C4:86:53:BD:35:41:33:CC:3B:41:32:A7:E2:6C:EE verisignsecureserver, Apr 8, 2004, trustedCertEntry, Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
Make sure server works properly:
[terapaths@terapaths bin]$ pwd /home/terapaths/SUNWappserver/bin [terapaths@terapaths bin]$ ./asadmin start-domain --debug=true domain1 Nov 9, 2007 5:36:27 PM com.sun.enterprise.util.ASenvPropertyReader setSystemProperties SEVERE: property_reader.unknownHost java.net.UnknownHostException: terapaths: terapaths at java.net.InetAddress.getLocalHost(InetAddress.java:1346) at com.sun.enterprise.util.net.NetUtils.getCanonicalHostName(NetUtils.java:66) at com.sun.enterprise.util.ASenvPropertyReader.setSystemProperties(ASenvPropertyReader.java:161) at com.sun.enterprise.cli.framework.CLIMain.invokeCommand(CLIMain.java:87) at com.sun.enterprise.cli.framework.CLIMain.main(CLIMain.java:46) Starting Domain domain1, please wait. Log redirected to /home/terapaths/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 failed to startup. Please check the server log for more details. CLI156 Could not start the domain domain1.
Add local dns (no dns server is configured on these machines)
/etc/hosts
127.0.0.1 terapaths 192.124.59.130 terapaths
Fixes the startup problem:
[terapaths@terapaths bin]$ ./asadmin start-domain --debug=true domain1 Starting Domain domain1, please wait. Log redirected to /home/terapaths/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 is ready to receive client requests. Additional services are being started in background.
Listening ports
yee@terapaths ~]$ netstat -nlp (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:9009 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:946 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN - tcp 0 0 :::48580 :::* LISTEN - tcp 0 0 :::3820 :::* LISTEN - tcp 0 0 ::ffff:127.0.0.1:32876 :::* LISTEN - tcp 0 0 :::8686 :::* LISTEN - tcp 0 0 :::3920 :::* LISTEN - tcp 0 0 :::3700 :::* LISTEN - tcp 0 0 :::32884 :::* LISTEN - tcp 0 0 :::32885 :::* LISTEN - tcp 0 0 :::22 :::* LISTEN - tcp 0 0 :::32887 :::* LISTEN - tcp 0 0 :::40860 :::* LISTEN - tcp 0 0 :::7676 :::* LISTEN - tcp 0 0 :::53470 :::* LISTEN - udp 0 0 0.0.0.0:514 0.0.0.0:* - udp 0 0 0.0.0.0:2055 0.0.0.0:* - udp 0 0 0.0.0.0:940 0.0.0.0:* - udp 0 0 0.0.0.0:943 0.0.0.0:* - udp 0 0 0.0.0.0:7001 0.0.0.0:* - udp 0 0 0.0.0.0:111 0.0.0.0:* - udp 0 0 0.0.0.0:631 0.0.0.0:* - udp 0 0 192.124.59.130:123 0.0.0.0:* - udp 0 0 127.0.0.1:123 0.0.0.0:* - udp 0 0 0.0.0.0:123 0.0.0.0:* - udp 0 0 :::123 :::* -
MySQL
[root@terapaths installation]# rpm -Uhv MySQL-* error: Failed dependencies: MySQL conflicts with mysql-4.1.20-2.RHEL4.1.0.1.i386 [root@terapaths installation]# rpm -e mysql-4.1.20 error: Failed dependencies: libmysqlclient.so.14 is needed by (installed) cyrus-sasl-sql-2.1.19-14.i386 libmysqlclient.so.14(libmysqlclient_14) is needed by (installed) cyrus-sasl-sql-2.1.19-14.i386 [root@terapaths installation]# rpm -Uhv MySQL-server-community-5.0.45-0.rhel4.x86_64.rpm error: Failed dependencies: MySQL conflicts with mysql-4.1.20-2.RHEL4.1.0.1.i386 [root@terapaths installation]# rpm -e mysql-4.1.20 error: Failed dependencies: libmysqlclient.so.14 is needed by (installed) cyrus-sasl-sql-2.1.19-14.i386 libmysqlclient.so.14(libmysqlclient_14) is needed by (installed) cyrus-sasl-sql-2.1.19-14.i386 [root@terapaths installation]# rpm -e cyrus-sasl-sql-2.1.19 [root@terapaths installation]# rpm -e mysql-4.1.20
Change users
[root@terapaths installation]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.45-community MySQL Community Edition (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> select User,Host from mysql.user
-> ;
+------+-----------+
| User | Host |
+------+-----------+
| root | 127.0.0.1 |
| root | localhost |
| root | terapaths |
+------+-----------+
3 rows in set (0.01 sec)
mysql> create database terapaths;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON terapaths.* TO 'terapaths'@'localhost' IDENTIFIED BY '********';
Query OK, 0 rows affected (0.00 sec)
mysql> select User,Host from mysql.user
-> ;
+-----------+-----------+
| User | Host |
+-----------+-----------+
| root | 127.0.0.1 |
| root | localhost |
| terapaths | localhost |
| root | terapaths |
+-----------+-----------+
4 rows in set (0.00 sec)
mysql>
Database creation
Create the terapaths MySQL database by running terapaths-create-1.2.0.sql.
[root@terapaths dist]# pwd /home/terapaths/installation/dist [root@terapaths dist]# mysql < terapaths-create-1.2.0.sql [terapaths@terapaths ~]$ mysql -u terapaths -p -D terapaths Enter password: Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 8 Server version: 5.0.45-community MySQL Community Edition (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> show tables; +-----------------------+ | Tables_in_terapaths | +-----------------------+ | WANServiceURL | | bandwidthClasses | | diffServClasses | | hosts | | remoteLANServiceURL | | reservations | | routerDrivers | | routerManagers | | routers | | routes | | systemMessages | | terapathsDatabaseInfo | | users | | virtualRouterMembers | | virtualRouters | +-----------------------+ 15 rows in set (0.01 sec)
Edit terapaths-populate-1.2.0.sql to match your network host information and run it to populate the database.
--
-- Populate the TeraPaths database for the TeraPaths UMich-side secure testbed
-- MySQL server on tera01.ultralight.org (192.84.86.25)
-- Database structure version 1.2.0
-- 01/23/07
--
USE terapaths;
--
-- database settings
--
INSERT INTO terapathsDatabaseInfo (
version,
creationTimeStamp,
serverIpAddress,
serverName,
siteName
) VALUES (
"1.2.0",
NOW(),
"192.124.59.130",
"terapaths.slac.stanford.edu",
"SLAC"
);
--
-- drivers for communication between instance and router
INSERT INTO routerDrivers (
name,
driverInfo
) VALUES (
"DUMMY_DRIVER",
"hardware,DUMMY,type,DUMMY,os,DUMMY,comm_protocol,DUMMY"
);
INSERT INTO routerDrivers (
name,
driverInfo
) VALUES (
"CISCO_WS-C6509_IOS_TELNET",
"hardware,CISCO,type,WS-6509,os,IOS,comm_protocol,TELNET"
);
INSERT INTO routerDrivers (
name,
driverInfo
) VALUES (
"CISCO_WS-C6509_IOS_SSH",
"hardware,CISCO,type,WS-6509,os,IOS,comm_protocol,SSH"
);
SELECT @driver := LAST_INSERT_ID();
--
-- terapath instance, and endpoint to communicate to
--
INSERT INTO routerManagers (
ipAddress,
name,
wsdlURL,
interface,
managerDir
) VALUES (
"192.124.59.130",
"terapaths01.slac.stanford.edu",
"http://192.124.59.130:48580/terapathsNetworkDeviceControllers/tpsNDC",
"GigabitEthernet3/33",
"/home/terapaths/routerConfig"
);
SELECT @edgeManager := LAST_INSERT_ID();
SELECT @borderManager := @edgeManager;
--
-- routers
--
INSERT INTO routers (
ipAddress,
name,
routerInfo,
driverParameters,
driverId,
managingNodeId,
position
) VALUES (
"192.124.59.129",
"tera",
"hardware,CISCO,type,WS-6509,os,IOS12.2(18)SXD1",
"system_prompt,tera,terapaths,XXXXXXX,entry_pass,XXXXXXX,enable_pass,XXXXXXX,policy_name_root,QoS_nile",
@driver,
@edgeManager,
"edge"
);
SELECT @edge := LAST_INSERT_ID();
SELECT @border := @edge;
INSERT INTO virtualRouters (
name
) VALUES (
"tera (physical-edge)"
);
SELECT @vedge := LAST_INSERT_ID();
INSERT INTO virtualRouters (
name
) VALUES (
"nile (physical-border)"
);
SELECT @vborder := LAST_INSERT_ID();
INSERT INTO virtualRouterMembers (
virtualRouterId,
routerId
) VALUES
(@vedge,@edge),
(@vborder,@border);
INSERT INTO routes (
edge,
border
) VALUES (
@vedge,
@vborder
);
SELECT @route := LAST_INSERT_ID();
--
-- worker nodes
---
INSERT INTO hosts (
ipAddress,
name,
route,
interface
) VALUES
("192.124.59.200", "node00.slac.stanford.edu", @route, "GigabitEthernet3/4"),
("192.124.59.201", "node01.slac.stanford.edu", @route, "GigabitEthernet3/5"),
("192.124.59.202", "node02.slac.stanford.edu", @route, "GigabitEthernet3/6"),
("192.124.59.203", "node03.slac.stanford.edu", @route, "GigabitEthernet3/7"),
("192.124.59.204", "node04.slac.stanford.edu", @route, "GigabitEthernet3/8"),
("192.124.59.205", "node05.slac.stanford.edu", @route, "GigabitEthernet3/9"),
("192.124.59.206", "node06.slac.stanford.edu", @route, "GigabitEthernet3/10"),
("192.124.59.207", "node07.slac.stanford.edu", @route, "GigabitEthernet3/11"),
("192.124.59.208", "node08.slac.stanford.edu", @route, "GigabitEthernet3/12");
INSERT INTO remoteLANServiceURL (
ipAddress,
mask,
maskedIpAddress,
prefix,
wsdlURL,
preference
) VALUES
("198.124.220.0", "255.255.255.0", ipAddr2dec("198.124.220.0")&ipAddr2dec("255.255.255.0"), 24, "http://198.124.220.9:48588/terapathsRemoteTPsListeners/tpsRTPsL"
, 0);
INSERT INTO WANServiceURL (
ipAddress,
mask,
maskedIpAddress,
prefix,
wsdlURL,
preference
) VALUES
("198.124.220.0", "255.255.255.0", ipAddr2dec("198.124.220.0")&ipAddr2dec("255.255.255.0"), 24, "OSCARS,https://oscars.es.net/axis2/services/OSCARS", 0);
INSERT INTO diffServClasses (
name,
dscp,
aggregateBandwidth,
configured,
active
) VALUES
("BE",0,0,0,0),
("CS01",1,0,0,0),
("CS02",2,0,0,0),
("CS03",3,0,0,0),
("CS04",4,0,0,0),
("CS05",5,0,0,0),
("CS06",6,0,0,0),
("CS07",7,0,0,0),
("CS1",8,0,0,0),
("CS11",9,0,0,0),
("AF11",10,0,0,0),
("CS13",11,0,0,0),
("AF12",12,0,0,0),
("CS15",13,0,0,0),
("AF13",14,0,0,0),
("CS17",15,0,0,0),
("CS2",16,0,0,0),
("CS21",17,0,0,0),
("AF21",18,0,0,0),
("CS23",19,0,0,0),
("AF22",20,0,0,0),
("CS25",21,0,0,0),
("AF23",22,0,0,0),
("CS27",23,0,0,0),
("CS3",24,0,0,0),
("CS31",25,0,0,0),
("AF31",26,0,0,0),
("CS33",27,0,0,0),
("AF32",28,0,0,0),
("CS35",29,0,0,0),
("AF33",30,0,0,0),
("CS37",31,0,0,0),
("CS4",32,0,0,0),
("CS41",33,0,0,0),
("AF41",34,0,0,0),
("CS43",35,0,0,0),
("AF42",36,0,0,0),
("CS45",37,0,0,0),
("AF43",38,0,0,0),
("CS47",39,0,0,0),
("CS5",40,0,0,0),
("CS51",41,0,0,0),
("CS52",42,0,0,0),
("CS53",43,0,0,0),
("CS54",44,0,0,0),
("CS55",45,0,0,0),
("EF",46,0,0,0),
("CS57",47,0,0,0),
("CS6",48,0,0,0),
("CS61",49,0,0,0),
("CS62",50,0,0,0),
("CS63",51,0,0,0),
("CS64",52,0,0,0),
("CS65",53,0,0,0),
("CS66",54,0,0,0),
("CS67",55,0,0,0),
("CS7",56,0,0,0),
("CS71",57,0,0,0),
("CS72",58,0,0,0),
("CS73",59,0,0,0),
("CS74",60,0,0,0),
("CS75",61,0,0,0),
("CS76",62,0,0,0),
("CS77",63,0,0,0);
--Simple partitioning of bandwidth for testbed's 1 Gbit connection
UPDATE diffServClasses SET aggregateBandwidth= 15000000, configured=1 WHERE name="CS1";
UPDATE diffServClasses SET aggregateBandwidth= 20000000, configured=1 WHERE name="AF11";
UPDATE diffServClasses SET aggregateBandwidth= 40000000, configured=1 WHERE name="CS2";
UPDATE diffServClasses SET aggregateBandwidth= 50000000, configured=1 WHERE name="AF21";
UPDATE diffServClasses SET aggregateBandwidth= 75000000, configured=1 WHERE name="AF31";
UPDATE diffServClasses SET aggregateBandwidth=100000000, configured=1 WHERE name="AF41";
UPDATE diffServClasses SET aggregateBandwidth=150000000, configured=1 WHERE name="CS47";
UPDATE diffServClasses SET aggregateBandwidth=200000000, configured=1 WHERE name="EF";
UPDATE diffServClasses SET aggregateBandwidth=250000000, configured=1 WHERE name="CS7";
INSERT INTO bandwidthClasses (
name,
diffServClassId,
bandwidth,
type,
configured,
active
) VALUES
("CS1_1",(SELECT id FROM diffServClasses WHERE name="CS1"), 5000000,"shared",1,0),
("CS1_2",(SELECT id FROM diffServClasses WHERE name="CS1"), 5000000,"shared",1,0),
("CS1_3" ,(SELECT id FROM diffServClasses WHERE name="CS1"), 5000000,"shared",1,0),
("AF11_1",(SELECT id FROM diffServClasses WHERE name="AF11"),10000000,"shared",1,0),
("AF11_2",(SELECT id FROM diffServClasses WHERE name="AF11"),10000000,"shared",1,0),
("CS2_1",(SELECT id FROM diffServClasses WHERE name="CS2"), 20000000,"shared",1,0),
("CS2_2",(SELECT id FROM diffServClasses WHERE name="CS2"), 20000000,"shared",1,0),
("AF21",(SELECT id FROM diffServClasses WHERE name="AF21"), 50000000,"static",1,0),
("AF31",(SELECT id FROM diffServClasses WHERE name="AF31"), 75000000,"static",1,0),
("AF41",(SELECT id FROM diffServClasses WHERE name="AF41"), 100000000,"static",1,0),
("CS47",(SELECT id FROM diffServClasses WHERE name="CS47"), 150000000,"static",1,0),
("EF",(SELECT id FROM diffServClasses WHERE name="EF"), 200000000,"static",1,0),
("CS7",(SELECT id FROM diffServClasses WHERE name="CS7"), 250000000,"static",1,0);
--Default user
INSERT INTO users (
userName,
passWord,
type
) VALUES
('terapaths',PASSWORD('*******'),'standard');
[terapaths@terapaths dist]$ mysql -u terapaths -D terapaths -p < terapaths-end2end-SLACside-secure-1.2.0.sql Enter password: @driver := LAST_INSERT_ID() 3 @edgeManager := LAST_INSERT_ID() 1 @borderManager := @edgeManager 1 @edge := LAST_INSERT_ID() 1 @border := @edge 1 @vedge := LAST_INSERT_ID() 1 @vborder := LAST_INSERT_ID() 2 @route := LAST_INSERT_ID() 1
Manually edit database entries for passwords etc:
mysql> UPDATE routers SET driverParameters='system_prompt,<prompt>,user_name,<terapaths>,entry_pass,<loginpass>,enable_pass,<enable_pass>,policy_name_root,QoS_slac';
Edit terapaths.properties to contain the database info and service module URLs for each host at which one or more terapaths modules will be deployed.
[yee@terapaths dist]$ cat terapaths.properties ################################################### # Change this file to match your host information # ################################################### # driver.for.host.terapaths = com.mysql.jdbc.Driver db.for.host.terapaths = jdbc:mysql://localhost/terapaths?user=terapaths&password=******** pws.for.host.terapaths = https://localhost:40860/terapathsPublicWebServices/tpsPWS iws.for.host.terapaths = https://localhost:40860/terapathsInternalWebServices/tpsIWS OSCARS.for.host.terapaths = https://localhost:40860/terapathsESnetOSCARSProxy/ESnetOSCARSProxy ################################################ # Add other hosts here by specifying same five # # values as above for each host # ################################################
Edit proxy.properties to match your WAN provider accounts (currently only ESnet/OSCARS is supported)
N/A
Edit terapathsWebInterfaceDefaults to contain the defaults of your choice for the web interface.
Copy the file to the /home/terapaths directory of the host where terapathsWebInterface will be deployed.
The defaults can be changed at any time, even when the service is running.
This file overrides the build-in defaults.
[yee@terapaths dist]$ cat terapathsWebInterfaceDefaults ################################## # Defaults for the web interface # # This file must be in the # # /home/terapaths directory # # ORDER IS IMPORTANT!!! # ################################## # default web interace value # 1. source IP address 192.124.59.200 # 2. destination IP address # 198.124.220.134 192.124.59.204 # 3. source low port # 10000 # 4. source high port # 10000 # 5. destination low port # 10000 # 6. destination high port # 10000 # 7. protocol tcp # 8. reservation direction bidirectional # 9. time span for schedule day
[terapaths@terapaths dist]$ pwd /home/terapaths/installation/dist [terapaths@terapaths dist]$ cp terapathsWebInterfaceDefaults /home/terapaths/
Edit autodeploy-hosts to describe which modules to deploy at which hosts.
[yee@terapaths dist]$ cat autodeploy-hosts ################################################################# # user@host_to_deploy:path_of_autodeploy_dir war1 war2 ... warN # ################################################################# #terapaths@localhost:/home/terapaths/SUNWappserver/domains/domain2/autodeploy/ terapathsWebInterface.war terapaths@localhost:/home/terapaths/SUNWappserver/domains/domain1/autodeploy/ terapathsWebInterface.war terapathsInternalWebServices.war terapathsPublicWebServices.war terapathsESnetOSCARSProxy.war terapathsRemoteTPsListeners.war terapathsNetworkDeviceControllers.war terapaths@localhost:/home/terapaths/SUNWappserver/domains/domain1/autodeploy/ terapathsNetworkDeviceControllers.war
Run the 'terapaths-deploy' script.
Environments
[terapaths@terapaths dist]$ ./terapaths-deploy If ssh keys are not set up for remote deploy hosts, you will be prompted for your password multiple times. Environment variable JAVA_HOME is not set.
[root@terapaths ~]# cat /etc/profile.d/java.sh export JAVA_HOME=/usr/java/jdk1.5.0_13/ export PATH=$PATH:$JAVA_HOME/bin [terapaths@terapaths yee]$ env | grep JAVA JAVA_HOME=/usr/java/jdk1.5.0_13/
Keys (no password on terapaths local user account)
[terapaths@terapaths dist]$ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/terapaths/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/terapaths/.ssh/id_dsa. Your public key has been saved in /home/terapaths/.ssh/id_dsa.pub. The key fingerprint is: cc:f0:46:d8:55:1d:36:5b:fe:f5:b9:9f:d1:89:3b:50 terapaths@terapaths [terapaths@terapaths dist]$ cp ~/.ssh/id id_dsa id_dsa.pub id_rsa.pub identity.pub [terapaths@terapaths dist]$ cp ~/.ssh/id_dsa.pub ~/.ssh/authorized_keys2 [terapaths@terapaths dist]$ ls -lah ~/.ssh/.public/authorized_keys2 -rw-rw-r-- 1 terapaths terapaths 609 Nov 12 11:42 /home/terapaths/.ssh/.public/authorized_keys2 [terapaths@terapaths dist]$ chmod go-rwx ~/.ssh/authorized_keys2 [terapaths@terapaths dist]$ ls -lah ~/.ssh/.public/authorized_keys2 -rw------- 1 terapaths terapaths 609 Nov 12 11:42 /home/terapaths/.ssh/.public/authorized_keys2
[terapaths@terapaths yee]$ [terapaths@terapaths yee]$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/terapaths/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/terapaths/.ssh/id_rsa. Your public key has been saved in /home/terapaths/.ssh/id_rsa.pub. The key fingerprint is: cd:74:d1:37:b0:0c:a5:1a:6f:c7:e4:62:40:ea:12:3b terapaths@terapaths [terapaths@terapaths yee]$ [terapaths@terapaths yee]$ [terapaths@terapaths yee]$ cat /home/terapaths/.ssh/id_rsa.pub > /home/terapaths/.ssh/authorized_keys
Check Service
http://192.124.59.130:53470
Log into the SJSAS server and determine that under the task bar, we have
Applications->Web Applications
and that it shows the terapaths* applications
Application |
Description |
|---|---|
terapathsWebInterface |
Web frontend to terapaths |
terapathsInternalWebServices |
|
terapathsPublicWebServices |
|
terapathsESnetOSCARSProxy |
Interaction with OSCARS |
terapathsRemoteTPsListeners |
Interaction with other terapaths instances |
terapathsNetworkDeviceControllers |
Router interactions |
Web Interface
Located at
http://192.124.59.130:40860/terapathsWebInterface
You can log in using accounts that have been setup in the MySQL table 'users'; if you can't log on, that's because you don't have an account in the database.
mysql> select * from users; +----+-----------+-------------------------------------------+----------+------+ | id | userName | passWord | type | info | +----+-----------+-------------------------------------------+----------+------+ | 1 | terapaths | ***************************************** | standard | NULL | +----+-----------+-------------------------------------------+----------+------+ 1 row in set (0.00 sec)
In the above case, you can see that there is only one terapaths user. The passWord is stored from the function password().
Logging in will show some IP addresses and a table at the bottom of green boxes. This is the reservation table. Click once on a box to select the appropriate time and bandwidth allocation requested. Click again somewhere else to select the end time.
This will then take you to a confirmation page where the details can be finalised.
Schedules
Schedules are created on the web interface and stored in the table reservations:
mysql> select * from reservations; +--------------------+-----------------------+---------------+----------+----------+----------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+----------------+-------------+-------------+--------+ | id | relatedReservationIds | startTime | duration | protocol | direction | bandwidthClassName | bandwidth | timeout | userName | who | srcIp | srcPortMin | srcPortMax | destIp | destPortMin | destPortMax | status | +--------------------+-----------------------+---------------+----------+----------+----------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+----------------+-------------+-------------+--------+ | SLAC-1194994094410 | NULL | 1194993900000 | 36000 | tcp | unidirectional | AF41 | 100000000 | 1195029900000 | terapaths | terapaths | 192.124.59.200 | 10000 | 10000 | 192.124.59.204 | 10000 | 10000 | active | +--------------------+-----------------------+---------------+----------+----------+----------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+----------------+-------------+-------------+--------+ 1 row in set (0.00 sec)
Here we see one active reservation. status=temporary reservations may appear that reflect in transient reservations that are being created.
Router configs
Routers are intrinsically defined in the table under routers:
mysql> select * from routers; +----+----------------+------+------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+----------+--------------------+----------------+---------------------+----------+ | id | ipAddress | name | routerInfo | driverParameters | driverId | basicConfiguration | managingNodeId | bottleneckBandwidth | position | +----+----------------+------+------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+----------+--------------------+----------------+---------------------+----------+ | 1 | 192.124.59.129 | tera | hardware,CISCO,type,WS-6509,os,IOS12.2(18)SXD1 | system_prompt,swh-iepm-10g,user_name,********,entry_pass,********,enable_pass,********,policy_name_root,QoS_slac | 3 | NULL | 1 | NULL | edge | +----+----------------+------+------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------+----------+--------------------+----------------+---------------------+----------+ 1 row in set (0.00 sec)
The driverParameters defines the expect script info for logging into the router. the values comes as key-value pairs.
The driverId field determines the driver to use to communication to by Terapaths. It references an index value in the routerDrivers table:
mysql> describe routerDrivers; +---------------+---------------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +---------------+---------------------+------+-----+---------+----------------+ | id | bigint(20) unsigned | NO | PRI | NULL | auto_increment | | name | varchar(50) | YES | UNI | NULL | | | driverInfo | text | YES | | NULL | | | javaClassFile | varchar(255) | YES | | NULL | | | javaClassName | varchar(255) | YES | | NULL | | | javaClass | longblob | YES | | NULL | | +---------------+---------------------+------+-----+---------+----------------+ 6 rows in set (0.01 sec)
note that contains the java byte code in the 3 last fields.
mysql> select id,name,driverInfo from routerDrivers; +----+---------------------------+---------------------------------------------------------+ | id | name | driverInfo | +----+---------------------------+---------------------------------------------------------+ | 1 | DUMMY_DRIVER | hardware,DUMMY,type,DUMMY,os,DUMMY,comm_protocol,DUMMY | | 2 | CISCO_WS-C6509_IOS_TELNET | hardware,CISCO,type,WS-6509,os,IOS,comm_protocol,TELNET | | 3 | CISCO_WS-C6509_IOS_SSH | hardware,CISCO,type,WS-6509,os,IOS,comm_protocol,SSH | +----+---------------------------+---------------------------------------------------------+ 3 rows in set (0.00 sec)
show's the info for 3 drivers. Note that in the above router, we had id ref of 3 - which refers to the SSH driver.
Adding in External Services
mysql> select * from routerManagers; +----+----------------+-------------------------------+-----------------------------------------------------------------------+---------------------+------------------------------+ | id | ipAddress | name | wsdlURL | interface | managerDir | +----+----------------+-------------------------------+-----------------------------------------------------------------------+---------------------+------------------------------+ | 1 | 192.124.59.130 | terapaths01.slac.stanford.edu | https://192.124.59.130:48580/terapathsNetworkDeviceControllers/tpsNDC | GigabitEthernet3/33 | /home/terapaths/routerConfig | +----+----------------+-------------------------------+-----------------------------------------------------------------------+---------------------+------------------------------+ 1 row in set (0.00 sec)
mysql> select * from remoteLANServiceURL; +---------------+---------------+-----------------+--------+-----------------------------------------------------------------+------------+ | ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference | +---------------+---------------+-----------------+--------+-----------------------------------------------------------------+------------+ | 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:48588/terapathsRemoteTPsListeners/tpsRTPsL | 0 | +---------------+---------------+-----------------+--------+-----------------------------------------------------------------+------------+ 1 row in set (0.00 sec)
Router Configuration
Certain rules need to be put in place on the router:
swh-iepm-10g(config)#mls qos swh-iepm-10g(config)#$onform-action set-dscp-transmit 26 exceed-action drop swh-iepm-10g(config)#$onform-action set-dscp-transmit 18 exceed-action drop swh-iepm-10g(config)#$onform-action set-dscp-transmit 10 exceed-action drop swh-iepm-10g(config)#$conform-action set-dscp-transmit 46 exceed-action drop swh-iepm-10g(config)#$action set-dscp-transmit 34 exceed-action drop swh-iepm-10g(config)#$action set-dscp-transmit 39 exceed-action drop swh-iepm-10g(config)#$ conform-action set-dscp-transmit 56 exceed-action drop swh-iepm-10g(config)#$nform-action set-dscp-transmit 8 exceed-action drop swh-iepm-10g(config)#$nform-action set-dscp-transmit 16 exceed-action drop swh-iepm-10g(config)# swh-iepm-10g(config)# swh-iepm-10g(config)# swh-iepm-10g(config)#class-map match-all CS1_out swh-iepm-10g(config-cmap)# match access-group name CS1_out swh-iepm-10g(config-cmap)#class-map match-all CS2_out swh-iepm-10g(config-cmap)# match access-group name CS2_out swh-iepm-10g(config-cmap)#class-map match-all CS7_out swh-iepm-10g(config-cmap)# match access-group name CS7_out swh-iepm-10g(config-cmap)#class-map match-all CS47_out swh-iepm-10g(config-cmap)# match access-group name CS47_out swh-iepm-10g(config-cmap)#class-map match-all EF_out swh-iepm-10g(config-cmap)# match access-group name EF_out swh-iepm-10g(config-cmap)#class-map match-all AF41_out swh-iepm-10g(config-cmap)# match access-group name AF41_out swh-iepm-10g(config-cmap)#class-map match-all AF31_out swh-iepm-10g(config-cmap)# match access-group name AF31_out swh-iepm-10g(config-cmap)#class-map match-all AF21_out swh-iepm-10g(config-cmap)# match access-group name AF21_out swh-iepm-10g(config-cmap)#class-map match-all AF11_out swh-iepm-10g(config-cmap)# match access-group name AF11_out swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)#class-map match-all CS47_in swh-iepm-10g(config-cmap)# match access-group name CS47_in swh-iepm-10g(config-cmap)#class-map match-all AF41_in swh-iepm-10g(config-cmap)# match access-group name AF41_in swh-iepm-10g(config-cmap)#class-map match-all EF_in swh-iepm-10g(config-cmap)# match access-group name EF_in swh-iepm-10g(config-cmap)#class-map match-all AF21_in swh-iepm-10g(config-cmap)# match access-group name AF21_in swh-iepm-10g(config-cmap)#class-map match-all AF31_in swh-iepm-10g(config-cmap)# match access-group name AF31_in swh-iepm-10g(config-cmap)#class-map match-all AF11_in swh-iepm-10g(config-cmap)# match access-group name AF11_in swh-iepm-10g(config-cmap)#class-map match-all CS1_in swh-iepm-10g(config-cmap)# match access-group name CS1_in swh-iepm-10g(config-cmap)#class-map match-all CS2_in swh-iepm-10g(config-cmap)# match access-group name CS2_in swh-iepm-10g(config-cmap)#class-map match-all CS7_in swh-iepm-10g(config-cmap)# match access-group name CS7_in swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)#policy-map QoS_r2_out swh-iepm-10g(config-pmap)# class EF_out swh-iepm-10g(config-pmap-c)# swh-iepm-10g(config-pmap-c)# class CS2_out swh-iepm-10g(config-pmap-c)# police aggregate CS2_CAP swh-iepm-10g(config-pmap-c)#$action set-dscp-transmit 16 exceed-action drop swh-iepm-10g(config-pmap-c)# class AF11_out swh-iepm-10g(config-pmap-c)# police aggregate AF11_CAP swh-iepm-10g(config-pmap-c)#$action set-dscp-transmit 10 exceed-action drop swh-iepm-10g(config-pmap-c)# class AF21_out swh-iepm-10g(config-pmap-c)# police aggregate AF21_CAP swh-iepm-10g(config-pmap-c)# class AF31_out swh-iepm-10g(config-pmap-c)# police aggregate AF31_CAP swh-iepm-10g(config-pmap-c)# class AF41_out swh-iepm-10g(config-pmap-c)# police aggregate AF41_CAP swh-iepm-10g(config-pmap-c)# class CS1_out swh-iepm-10g(config-pmap-c)# police aggregate CS1_CAP swh-iepm-10g(config-pmap-c)#$tion set-dscp-transmit 8 exceed-action drop swh-iepm-10g(config-pmap-c)# class CS47_out swh-iepm-10g(config-pmap-c)# police aggregate CS47_CAP swh-iepm-10g(config-pmap-c)# class CS7_out swh-iepm-10g(config-pmap-c)# police aggregate CS7_CAP swh-iepm-10g(config-pmap-c)# swh-iepm-10g(config-pmap-c)#policy-map QoS_r2_in swh-iepm-10g(config-pmap)# class EF_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS2_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF11_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF21_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF31_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF41_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS47_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS7_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS1_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)#ip access-list extended AF11_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF11_out swh-iepm-10g(config-ext-nacl)#ip access-list extended AF21_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF21_out swh-iepm-10g(config-ext-nacl)#ip access-list extended AF31_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF31_out swh-iepm-10g(config-ext-nacl)#ip access-list extended AF41_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF41_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS1_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS1_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS2_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS2_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS47_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS47_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS7_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS7_out swh-iepm-10g(config-ext-nacl)#ip access-list extended EF_in swh-iepm-10g(config-ext-nacl)#ip access-list extended EF_out swh-iepm-10g(config-ext-nacl)# swh-iepm-10g(config-ext-nacl)# swh-iepm-10g(config-ext-nacl)#int gi5/2 swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)#servi swh-iepm-10g(config-if)#service-policy in swh-iepm-10g(config-if)#service-policy input ? WORD policy-map name swh-iepm-10g(config-if)#service-policy ? history Keep history of QoS metrics input Assign policy-map to the input of an interface output Assign policy-map to the output of an interface swh-iepm-10g(config-if)#int vlan59 swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)#service-policy input QoS_r2_out swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)#mls qo swh-iepm-10g(config-if)#mls qos ? bridged bridged keyword dscp-mutation mutation keyword exp-mutation exp mutation keyword loopback loopback cable between LAN and WAN port mpls mpls keyword swh-iepm-10g(config-if)#mls qos br swh-iepm-10g(config-if)#mls qos bridged ? <cr> swh-iepm-10g(config-if)#mls qos bridged
WAN Configuration
mysql> update remoteLANServiceURL set wsdlURL='http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL' where ipAddress='198.124.220.0'; Query OK, 1 row affected (0.00 sec) Rows matched: 1 Changed: 1 Warnings: 0 mysql> select * from remoteLANServiceURL; +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ | ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference | +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ | 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL | 0 | +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ 1 row in set (0.00 sec)
Now enter an IP address in the reservation form with destination 198.124.220.134.
Quick validation on the reservations table:
mysql> select * from reservations; +--------------------+------------------------------------------------+---------------+----------+----------+---------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+-----------------+-------------+-------------+---------+ | id | relatedReservationIds | startTime | duration | protocol | direction | bandwidthClassName | bandwidth | timeout | userName | who | srcIp | srcPortMin | srcPortMax | destIp | destPortMin | destPortMax | status | +--------------------+------------------------------------------------+---------------+----------+----------+---------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+-----------------+-------------+-------------+---------+ | SLAC-1195067218060 | OSCARS,ERROR-NULL_RESPONSE&ERROR-NULL_RESPONSE | 1195070400000 | 3600 | tcp | bidirectional | AF21 | 50000000 | 1195074000000 | terapaths | terapaths | 192.124.59.200 | 10000 | 10000 | 198.124.220.134 | 10000 | 10000 | pending | +--------------------+------------------------------------------------+---------------+----------+----------+---------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+-----------------+-------------+-------------+---------+ 1 row in set (0.00 sec)
Note the OSCARS instance has thrown an error here; but this version of terapaths (due to debugging etc) accepted the end-to-end reservation.
Configuring Destination Subnets
Two tables must be configured, remoteLANServiceURL handles the mapping of endpoint subnets to the terapaths service endpoint. WANServiceURL handles the WAN service to communicate to for the subnets defined.
mysql> select * from remoteLANServiceURL; +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ | ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference | +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ | 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL | 0 | +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ 1 row in set (0.00 sec) mysql> select * from WANServiceURL; +---------------+---------------+-----------------+--------+----------------------------------------------------+------------+ | ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference | +---------------+---------------+-----------------+--------+----------------------------------------------------+------------+ | 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | OSCARS,https://oscars.es.net/axis2/services/OSCARS | 0 | +---------------+---------------+-----------------+--------+----------------------------------------------------+------------+ 1 row in set (0.00 sec)
Getting the DOE Certificate
Use firefox.
- Request a new certificate
- add the certificate to your browser by going to
http://pki1.doegrids.org/ca: Go to 'Retrieval' -> 'Import CA Certificate Chain' -> 'Import the CA certificate chain into your browser' -> 'Submit' - when you get an email back from the DOE, click on the link to retrieve your certificate; scroll to the bottom and click on 'import your certificate'
- in firefox preferences' 'advanced' -> 'encryption' -> 'view certificates'
Select your certificate and click on 'backup'
save the file as p12 format and enter your password that you used on the DOE Cert form.
Setting up certificates for OSCARS
Create a directory for where the certs will be kept. We need to use keytool to copy the DOE cert into the keystore, and then make an useable alias for the cert. This alias will then be used in the 2 property files for Terapaths.
Get the repo (you could create this manually, but i got it from Dimitri)
[terapaths@terapaths ~]$ pwd /home/terapaths/repo [terapaths@terapaths ~]$ unzip repo.zip Archive: repo.zip creating: repo/ inflating: repo/axis2.xml inflating: repo/jetty-6.1.5.jar inflating: repo/log4j.properties creating: repo/modules/ inflating: repo/modules/rampart-1.3.mar inflating: repo/sec-client.jks (need to add own cert) inflating: repo/sec-client.properties creating: repo/services/ inflating: repo/ssl-keystore.jks (used for contacting oscars server - does not need to be changed)
currently, the password that we put into the keystore must be kept in the sec-client.jks file.
/home/terapaths/repo/sec-client.jks
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=jks org.apache.ws.security.crypto.merlin.keystore.password=password org.apache.ws.security.crypto.merlin.file=sec-client.jks net.es.oscars.client.security.PWCallback.keypass=<somepassword>
We now want to import our certificate that we got from the DOE and saved as a .p12 file in firefox into the keystore sec-client.jks. Note that the default password used here for the keystore is 'password'.
[terapaths@terapaths repo]$ /usr/java/jdk1.5.0_13/bin/java -cp /home/terapaths/repo/jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import <p12 certificate file> sec-client.jks Enter input keystore passphrase: <DOE Password> Enter output keystore passphrase: password Alias 0: yee-ting li 940780's id Adding key for alias yee-ting li 940780's id
Just to check the contents of the sec-client.jks store:
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks Enter keystore password: password Keystore type: jks Keystore provider: SUN Your keystore contains 9 entries jra3, Sep 13, 2007, trustedCertEntry, Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD ca, Jun 4, 2005, trustedCertEntry, Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6 alice, Jun 4, 2005, keyEntry, Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84 esnetroot, Oct 23, 2006, trustedCertEntry, Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8 bob, Jun 4, 2005, keyEntry, Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC root, Jun 4, 2005, trustedCertEntry, Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14 dcsca, Mar 29, 2007, trustedCertEntry, Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6 yee-ting li 940780's id, Nov 15, 2007, keyEntry, Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8 doegridsca, Oct 23, 2006, trustedCertEntry, Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
The second to last entry show the newly inserted certificate.
Note that this created an alias 'yee-ting li 940780's id' (note that double space). We don't want to use this because the username is not very useable. So we will clone the id:
[terapaths@terapaths repo]$ keytool -keyclone -alias "yee-ting li 940780's id" -dest ytl -keystore sec-client.jks
Enter keystore password: password
Enter key password for <ytl>
(RETURN if same as for <yee-ting li 940780's id>)<DOE PASSWORD>
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks Enter keystore password: password Keystore type: jks Keystore provider: SUN Your keystore contains 10 entries jra3, Sep 13, 2007, trustedCertEntry, Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD ytl, Nov 15, 2007, keyEntry, Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8 ca, Jun 4, 2005, trustedCertEntry, Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6 alice, Jun 4, 2005, keyEntry, Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84 bob, Jun 4, 2005, keyEntry, Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC esnetroot, Oct 23, 2006, trustedCertEntry, Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8 root, Jun 4, 2005, trustedCertEntry, Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14 dcsca, Mar 29, 2007, trustedCertEntry, Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6 yee-ting li 940780's id, Nov 15, 2007, keyEntry, Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8 doegridsca, Oct 23, 2006, trustedCertEntry, Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
The cloned cert is 2nd from top. Now lets remove the original certificate (as we have no use for it)
[terapaths@terapaths repo]$ keytool -delete -alias "yee-ting li 940780's id" -keystore sec-client.jks Enter keystore password: password [terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks Enter keystore password: password Keystore type: jks Keystore provider: SUN Your keystore contains 9 entries jra3, Sep 13, 2007, trustedCertEntry, Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD ytl, Nov 15, 2007, keyEntry, Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8 ca, Jun 4, 2005, trustedCertEntry, Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6 alice, Jun 4, 2005, keyEntry, Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84 esnetroot, Oct 23, 2006, trustedCertEntry, Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8 bob, Jun 4, 2005, keyEntry, Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC root, Jun 4, 2005, trustedCertEntry, Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14 dcsca, Mar 29, 2007, trustedCertEntry, Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6 doegridsca, Oct 23, 2006, trustedCertEntry, Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
Setup Terapaths to use keystores
Now we have setup the keystores. We now need to assign them to the relevant terapaths modules. There are two files, proxy.properties which should contain the keystore alias (ytl in the case above) to use to communicate with OSCARS, and axis2.xml - ditto.
Set up an alias on the terapaths OSCARs proxy.properties file that refers to the relevant keystore certificate.
/home/terapaths/SUNWappserver/domains/domain1/applications/j2ee-modules/terapathsOSCARSProxy/WEB-INF/classes/tps/proxy.properties
# Proxy server properties file enabled.for.service.OSCARS = YES #url.for.service.OSCARS = https://ndb3-blmt.abilene.ucaid.edu:8443/axis2/services/OSCARS url.for.service.OSCARS = https://198.128.3.10/axis2/services/OSCARS repo.for.service.OSCARS = /home/terapaths/repo user.for.service.OSCARS = ytl burstLimit.for.service.OSCARS = 10000
Note that because we do not have a dns server, we have to substitute oscars.es.net for it's IP address.
Edit axis2.xml and add user alias into the file...
/home/terapaths/repo/axis2.xml
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature</items>
<user>ytl</user>
...
Server configuration
Application Server -> JVM Settings -> Path settings add to 'Classpath Prefix' '/home/terapaths/repo'
Application Server -> JVM Settings -> JVM Options click 'Add JVM Option' add to the empty field '-Daxis2.xml=/home/terapaths/repo/axis2.xml'
Troubleshooting
Module Permissions
We upgraded to a version of the new OSCARS proxy, however, we must also change the server.policy file to allow the server to execute the code:
/home/terapaths/SUNWappserver/domains/domain1/config/server.policy
grant codeBase "file:${com.sun.aas.instanceRoot}/generated/ejb/j2ee-modules/terapathsOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/terapathsOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
Starting/Stopping the Server
In order to pick up new policies and configuraiotn files outside of the webapps, you must restart the server:
[terapaths@terapaths j2ee-modules]$ /home/terapaths/SUNWappserver/bin/asadmin stop-domain Domain domain1 stopped.
Deploying new modules
Log into the admin web page and click 'undeploy' under 'Applications'->'Web Applications' for the module that that you want to upgrade. Then it's a simple task of copying the war into the autodeploy directory.
[terapaths@terapaths installation]$ cp terapathsOSCARSProxy.war /home/terapaths/SUNWappserver/domains/domain1/autodeploy/
You do not need to restart the service