...
Code Block |
---|
-- -- Populate the TeraPaths database for the TeraPaths UMich-side secure testbed -- MySQL server on tera01.ultralight.org (192.84.86.25) -- Database structure version 1.2.0 -- 01/23/07 -- USE terapaths; -- -- database settings -- INSERT INTO terapathsDatabaseInfo ( version, creationTimeStamp, serverIpAddress, serverName, siteName ) VALUES ( "1.2.0", NOW(), "192.124.59.130", "terapaths.slac.stanford.edu", "SLAC" ); -- -- drivers for communication between instance and router INSERT INTO routerDrivers ( name, driverInfo ) VALUES ( "DUMMY_DRIVER", "hardware,DUMMY,type,DUMMY,os,DUMMY,comm_protocol,DUMMY" ); INSERT INTO routerDrivers ( name, driverInfo ) VALUES ( "CISCO_WS-C6509_IOS_TELNET", "hardware,CISCO,type,WS-6509,os,IOS,comm_protocol,TELNET" ); INSERT INTO routerDrivers ( name, driverInfo ) VALUES ( "CISCO_WS-C6509_IOS_SSH", "hardware,CISCO,type,WS-6509,os,IOS,comm_protocol,SSH" ); SELECT @driver := LAST_INSERT_ID(); -- -- terapath instance, and endpoint to communicate to -- INSERT INTO routerManagers ( ipAddress, name, wsdlURL, interface, managerDir ) VALUES ( "192.124.59.130", "terapaths01.slac.stanford.edu", "http://192.124.59.130:48580/terapathsNetworkDeviceControllers/tpsNDC", "GigabitEthernet3/33", "/home/terapaths/routerConfig" ); SELECT @edgeManager := LAST_INSERT_ID(); SELECT @borderManager := @edgeManager; -- -- routers -- INSERT INTO routers ( ipAddress, name, routerInfo, driverParameters, driverId, managingNodeId, position ) VALUES ( "192.124.59.129", "tera", "hardware,CISCO,type,WS-6509,os,IOS12.2(18)SXD1", "system_prompt,tera,terapaths,XXXXXXX,entry_pass,XXXXXXX,enable_pass,XXXXXXX,policy_name_root,QoS_nile", @driver, @edgeManager, "edge" ); SELECT @edge := LAST_INSERT_ID(); SELECT @border := @edge; INSERT INTO virtualRouters ( name ) VALUES ( "tera (physical-edge)" ); SELECT @vedge := LAST_INSERT_ID(); INSERT INTO virtualRouters ( name ) VALUES ( "nile (physical-border)" ); SELECT @vborder := LAST_INSERT_ID(); INSERT INTO virtualRouterMembers ( virtualRouterId, routerId ) VALUES (<at:var at:name="vedge," />edge@vedge,@edge), (<at:var at:name="vborder," />border@vborder,@border); INSERT INTO routes ( edge, border ) VALUES ( @vedge, @vborder ); SELECT @route := LAST_INSERT_ID(); -- -- worker nodes --- INSERT INTO hosts ( ipAddress, name, route, interface ) VALUES ("192.124.59.200", "node00.slac.stanford.edu", @route, "GigabitEthernet3/4"), ("192.124.59.201", "node01.slac.stanford.edu", @route, "GigabitEthernet3/5"), ("192.124.59.202", "node02.slac.stanford.edu", @route, "GigabitEthernet3/6"), ("192.124.59.203", "node03.slac.stanford.edu", @route, "GigabitEthernet3/7"), ("192.124.59.204", "node04.slac.stanford.edu", @route, "GigabitEthernet3/8"), ("192.124.59.205", "node05.slac.stanford.edu", @route, "GigabitEthernet3/9"), ("192.124.59.206", "node06.slac.stanford.edu", @route, "GigabitEthernet3/10"), ("192.124.59.207", "node07.slac.stanford.edu", @route, "GigabitEthernet3/11"), ("192.124.59.208", "node08.slac.stanford.edu", @route, "GigabitEthernet3/12"); INSERT INTO remoteLANServiceURL ( ipAddress, mask, maskedIpAddress, prefix, wsdlURL, preference ) VALUES ("198.124.220.0", "255.255.255.0", ipAddr2dec("198.124.220.0")&ipAddr2dec("255.255.255.0"), 24, "http://198.124.220.9:48588/terapathsRemoteTPsListeners/tpsRTPsL" , 0); INSERT INTO WANServiceURL ( ipAddress, mask, maskedIpAddress, prefix, wsdlURL, preference ) VALUES ("198.124.220.0", "255.255.255.0", ipAddr2dec("198.124.220.0")&ipAddr2dec("255.255.255.0"), 24, "OSCARS,https://oscars.es.net/axis2/services/OSCARS", 0); INSERT INTO diffServClasses ( name, dscp, aggregateBandwidth, configured, active ) VALUES ("BE",0,0,0,0), ("CS01",1,0,0,0), ("CS02",2,0,0,0), ("CS03",3,0,0,0), ("CS04",4,0,0,0), ("CS05",5,0,0,0), ("CS06",6,0,0,0), ("CS07",7,0,0,0), ("CS1",8,0,0,0), ("CS11",9,0,0,0), ("AF11",10,0,0,0), ("CS13",11,0,0,0), ("AF12",12,0,0,0), ("CS15",13,0,0,0), ("AF13",14,0,0,0), ("CS17",15,0,0,0), ("CS2",16,0,0,0), ("CS21",17,0,0,0), ("AF21",18,0,0,0), ("CS23",19,0,0,0), ("AF22",20,0,0,0), ("CS25",21,0,0,0), ("AF23",22,0,0,0), ("CS27",23,0,0,0), ("CS3",24,0,0,0), ("CS31",25,0,0,0), ("AF31",26,0,0,0), ("CS33",27,0,0,0), ("AF32",28,0,0,0), ("CS35",29,0,0,0), ("AF33",30,0,0,0), ("CS37",31,0,0,0), ("CS4",32,0,0,0), ("CS41",33,0,0,0), ("AF41",34,0,0,0), ("CS43",35,0,0,0), ("AF42",36,0,0,0), ("CS45",37,0,0,0), ("AF43",38,0,0,0), ("CS47",39,0,0,0), ("CS5",40,0,0,0), ("CS51",41,0,0,0), ("CS52",42,0,0,0), ("CS53",43,0,0,0), ("CS54",44,0,0,0), ("CS55",45,0,0,0), ("EF",46,0,0,0), ("CS57",47,0,0,0), ("CS6",48,0,0,0), ("CS61",49,0,0,0), ("CS62",50,0,0,0), ("CS63",51,0,0,0), ("CS64",52,0,0,0), ("CS65",53,0,0,0), ("CS66",54,0,0,0), ("CS67",55,0,0,0), ("CS7",56,0,0,0), ("CS71",57,0,0,0), ("CS72",58,0,0,0), ("CS73",59,0,0,0), ("CS74",60,0,0,0), ("CS75",61,0,0,0), ("CS76",62,0,0,0), ("CS77",63,0,0,0); --Simple partitioning of bandwidth for testbed's 1 Gbit connection UPDATE diffServClasses SET aggregateBandwidth= 15000000, configured=1 WHERE name="CS1"; UPDATE diffServClasses SET aggregateBandwidth= 20000000, configured=1 WHERE name="AF11"; UPDATE diffServClasses SET aggregateBandwidth= 40000000, configured=1 WHERE name="CS2"; UPDATE diffServClasses SET aggregateBandwidth= 50000000, configured=1 WHERE name="AF21"; UPDATE diffServClasses SET aggregateBandwidth= 75000000, configured=1 WHERE name="AF31"; UPDATE diffServClasses SET aggregateBandwidth=100000000, configured=1 WHERE name="AF41"; UPDATE diffServClasses SET aggregateBandwidth=150000000, configured=1 WHERE name="CS47"; UPDATE diffServClasses SET aggregateBandwidth=200000000, configured=1 WHERE name="EF"; UPDATE diffServClasses SET aggregateBandwidth=250000000, configured=1 WHERE name="CS7"; INSERT INTO bandwidthClasses ( name, diffServClassId, bandwidth, type, configured, active ) VALUES ("CS1_1",(SELECT id FROM diffServClasses WHERE name="CS1"), 5000000,"shared",1,0), ("CS1_2",(SELECT id FROM diffServClasses WHERE name="CS1"), 5000000,"shared",1,0), ("CS1_3" ,(SELECT id FROM diffServClasses WHERE name="CS1"), 5000000,"shared",1,0), ("AF11_1",(SELECT id FROM diffServClasses WHERE name="AF11"),10000000,"shared",1,0), ("AF11_2",(SELECT id FROM diffServClasses WHERE name="AF11"),10000000,"shared",1,0), ("CS2_1",(SELECT id FROM diffServClasses WHERE name="CS2"), 20000000,"shared",1,0), ("CS2_2",(SELECT id FROM diffServClasses WHERE name="CS2"), 20000000,"shared",1,0), ("AF21",(SELECT id FROM diffServClasses WHERE name="AF21"), 50000000,"static",1,0), ("AF31",(SELECT id FROM diffServClasses WHERE name="AF31"), 75000000,"static",1,0), ("AF41",(SELECT id FROM diffServClasses WHERE name="AF41"), 100000000,"static",1,0), ("CS47",(SELECT id FROM diffServClasses WHERE name="CS47"), 150000000,"static",1,0), ("EF",(SELECT id FROM diffServClasses WHERE name="EF"), 200000000,"static",1,0), ("CS7",(SELECT id FROM diffServClasses WHERE name="CS7"), 250000000,"static",1,0); --Default user INSERT INTO users ( userName, passWord, type ) VALUES ('terapaths',PASSWORD('*******'),'standard'); |
...
Application | Description |
---|---|
terapathsWebInterface | Web frontend to terapaths |
terapathsInternalWebServices | |
terapathsPublicWebServices | |
terapathsESnetOSCARSProxy | Interaction with OSCARS |
terapathsRemoteTPsListeners | Interaction with other terapaths instances |
terapathsNetworkDeviceControllers | Router interactions |
Web Interface
Located at
http://192.124.59.130:40860/terapathsWebInterface
You can log in using accounts that have been setup in the MySQL table 'users'; if you can't log on, that's because you don't have an account in the database.
...
Code Block |
---|
mysql> select * from remoteLANServiceURL;
+---------------+---------------+-----------------+--------+-----------------------------------------------------------------+------------+
| ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference |
+---------------+---------------+-----------------+--------+-----------------------------------------------------------------+------------+
| 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:48588/terapathsRemoteTPsListeners/tpsRTPsL | 0 |
+---------------+---------------+-----------------+--------+-----------------------------------------------------------------+------------+
1 row in set (0.00 sec)
|
Router Configuration
Certain rules need to be put in place on the router:
Code Block |
---|
swh-iepm-10g(config)#mls qos swh-iepm-10g(config)#$onform-action set-dscp-transmit 26 exceed-action drop swh-iepm-10g(config)#$onform-action set-dscp-transmit 18 exceed-action drop swh-iepm-10g(config)#$onform-action set-dscp-transmit 10 exceed-action drop swh-iepm-10g(config)#$conform-action set-dscp-transmit 46 exceed-action drop swh-iepm-10g(config)#$action set-dscp-transmit 34 exceed-action drop swh-iepm-10g(config)#$action set-dscp-transmit 39 exceed-action drop swh-iepm-10g(config)#$ conform-action set-dscp-transmit 56 exceed-action drop swh-iepm-10g(config)#$nform-action set-dscp-transmit 8 exceed-action drop swh-iepm-10g(config)#$nform-action set-dscp-transmit 16 exceed-action drop swh-iepm-10g(config)# swh-iepm-10g(config)# swh-iepm-10g(config)# swh-iepm-10g(config)#class-map match-all CS1_out swh-iepm-10g(config-cmap)# match access-group name CS1_out swh-iepm-10g(config-cmap)#class-map match-all CS2_out swh-iepm-10g(config-cmap)# match access-group name CS2_out swh-iepm-10g(config-cmap)#class-map match-all CS7_out swh-iepm-10g(config-cmap)# match access-group name CS7_out swh-iepm-10g(config-cmap)#class-map match-all CS47_out swh-iepm-10g(config-cmap)# match access-group name CS47_out swh-iepm-10g(config-cmap)#class-map match-all EF_out swh-iepm-10g(config-cmap)# match access-group name EF_out swh-iepm-10g(config-cmap)#class-map match-all AF41_out swh-iepm-10g(config-cmap)# match access-group name AF41_out swh-iepm-10g(config-cmap)#class-map match-all AF31_out swh-iepm-10g(config-cmap)# match access-group name AF31_out swh-iepm-10g(config-cmap)#class-map match-all AF21_out swh-iepm-10g(config-cmap)# match access-group name AF21_out swh-iepm-10g(config-cmap)#class-map match-all AF11_out swh-iepm-10g(config-cmap)# match access-group name AF11_out swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)#class-map match-all CS47_in swh-iepm-10g(config-cmap)# match access-group name CS47_in swh-iepm-10g(config-cmap)#class-map match-all AF41_in swh-iepm-10g(config-cmap)# match access-group name AF41_in swh-iepm-10g(config-cmap)#class-map match-all EF_in swh-iepm-10g(config-cmap)# match access-group name EF_in swh-iepm-10g(config-cmap)#class-map match-all AF21_in swh-iepm-10g(config-cmap)# match access-group name AF21_in swh-iepm-10g(config-cmap)#class-map match-all AF31_in swh-iepm-10g(config-cmap)# match access-group name AF31_in swh-iepm-10g(config-cmap)#class-map match-all AF11_in swh-iepm-10g(config-cmap)# match access-group name AF11_in swh-iepm-10g(config-cmap)#class-map match-all CS1_in swh-iepm-10g(config-cmap)# match access-group name CS1_in swh-iepm-10g(config-cmap)#class-map match-all CS2_in swh-iepm-10g(config-cmap)# match access-group name CS2_in swh-iepm-10g(config-cmap)#class-map match-all CS7_in swh-iepm-10g(config-cmap)# match access-group name CS7_in swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)# swh-iepm-10g(config-cmap)#policy-map QoS_r2_out swh-iepm-10g(config-pmap)# class EF_out swh-iepm-10g(config-pmap-c)# swh-iepm-10g(config-pmap-c)# class CS2_out swh-iepm-10g(config-pmap-c)# police aggregate CS2_CAP swh-iepm-10g(config-pmap-c)#$action set-dscp-transmit 16 exceed-action drop swh-iepm-10g(config-pmap-c)# class AF11_out swh-iepm-10g(config-pmap-c)# police aggregate AF11_CAP swh-iepm-10g(config-pmap-c)#$action set-dscp-transmit 10 exceed-action drop swh-iepm-10g(config-pmap-c)# class AF21_out swh-iepm-10g(config-pmap-c)# police aggregate AF21_CAP swh-iepm-10g(config-pmap-c)# class AF31_out swh-iepm-10g(config-pmap-c)# police aggregate AF31_CAP swh-iepm-10g(config-pmap-c)# class AF41_out swh-iepm-10g(config-pmap-c)# police aggregate AF41_CAP swh-iepm-10g(config-pmap-c)# class CS1_out swh-iepm-10g(config-pmap-c)# police aggregate CS1_CAP swh-iepm-10g(config-pmap-c)#$tion set-dscp-transmit 8 exceed-action drop swh-iepm-10g(config-pmap-c)# class CS47_out swh-iepm-10g(config-pmap-c)# police aggregate CS47_CAP swh-iepm-10g(config-pmap-c)# class CS7_out swh-iepm-10g(config-pmap-c)# police aggregate CS7_CAP swh-iepm-10g(config-pmap-c)# swh-iepm-10g(config-pmap-c)#policy-map QoS_r2_in swh-iepm-10g(config-pmap)# class EF_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS2_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF11_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF21_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF31_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class AF41_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS47_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS7_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)# class CS1_in swh-iepm-10g(config-pmap-c)# trust dscp swh-iepm-10g(config-pmap-c)#ip access-list extended AF11_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF11_out swh-iepm-10g(config-ext-nacl)#ip access-list extended AF21_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF21_out swh-iepm-10g(config-ext-nacl)#ip access-list extended AF31_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF31_out swh-iepm-10g(config-ext-nacl)#ip access-list extended AF41_in swh-iepm-10g(config-ext-nacl)#ip access-list extended AF41_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS1_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS1_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS2_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS2_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS47_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS47_out swh-iepm-10g(config-ext-nacl)#ip access-list extended CS7_in swh-iepm-10g(config-ext-nacl)#ip access-list extended CS7_out swh-iepm-10g(config-ext-nacl)#ip access-list extended EF_in swh-iepm-10g(config-ext-nacl)#ip access-list extended EF_out swh-iepm-10g(config-ext-nacl)# swh-iepm-10g(config-ext-nacl)# swh-iepm-10g(config-ext-nacl)#int gi5/2 swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)#servi swh-iepm-10g(config-if)#service-policy in swh-iepm-10g(config-if)#service-policy input ? WORD policy-map name swh-iepm-10g(config-if)#service-policy ? history Keep history of QoS metrics input Assign policy-map to the input of an interface output Assign policy-map to the output of an interface swh-iepm-10g(config-if)#int vlan59 swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)#service-policy input QoS_r2_out swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)# swh-iepm-10g(config-if)#mls qo swh-iepm-10g(config-if)#mls qos ? bridged bridged keyword dscp-mutation mutation keyword exp-mutation exp mutation keyword loopback loopback cable between LAN and WAN port mpls mpls keyword swh-iepm-10g(config-if)#mls qos br swh-iepm-10g(config-if)#mls qos bridged ? <cr> swh-iepm-10g(config-if)#mls qos bridged |
WAN Configuration
Code Block |
---|
mysql> update remoteLANServiceURL set wsdlURL='http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL' where ipAddress='198.124.220.0';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> select * from remoteLANServiceURL;
+---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+
| ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference |
+---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+
| 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL | 0 |
+---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+
1 row in set (0.00 sec)
|
Now enter an IP address in the reservation form with destination 198.124.220.134
.
Quick validation on the reservations table:
Code Block |
---|
mysql> select * from reservations;
+--------------------+------------------------------------------------+---------------+----------+----------+---------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+-----------------+-------------+-------------+---------+
| id | relatedReservationIds | startTime | duration | protocol | direction | bandwidthClassName | bandwidth | timeout | userName | who | srcIp | srcPortMin | srcPortMax | destIp | destPortMin | destPortMax | status |
+--------------------+------------------------------------------------+---------------+----------+----------+---------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+-----------------+-------------+-------------+---------+
| SLAC-1195067218060 | OSCARS,ERROR-NULL_RESPONSE&ERROR-NULL_RESPONSE | 1195070400000 | 3600 | tcp | bidirectional | AF21 | 50000000 | 1195074000000 | terapaths | terapaths | 192.124.59.200 | 10000 | 10000 | 198.124.220.134 | 10000 | 10000 | pending |
+--------------------+------------------------------------------------+---------------+----------+----------+---------------+--------------------+-----------+---------------+-----------+-----------+----------------+------------+------------+-----------------+-------------+-------------+---------+
1 row in set (0.00 sec)
|
Note the OSCARS instance has thrown an error here; but this version of terapaths (due to debugging etc) accepted the end-to-end reservation.
Configuring Destination Subnets
Two tables must be configured, remoteLANServiceURL
handles the mapping of endpoint subnets to the terapaths service endpoint. WANServiceURL
handles the WAN service to communicate to for the subnets defined.
Code Block |
---|
mysql> select * from remoteLANServiceURL;
+---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+
| ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference |
+---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+
| 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL | 0 |
+---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+
1 row in set (0.00 sec)
mysql> select * from WANServiceURL;
+---------------+---------------+-----------------+--------+----------------------------------------------------+------------+
| ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference |
+---------------+---------------+-----------------+--------+----------------------------------------------------+------------+
| 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | OSCARS,https://oscars.es.net/axis2/services/OSCARS | 0 |
+---------------+---------------+-----------------+--------+----------------------------------------------------+------------+
1 row in set (0.00 sec)
|
Getting the DOE Certificate
Use firefox.
- Request a new certificate
- add the certificate to your browser by going to
http://pki1.doegrids.org/ca
: Go to 'Retrieval' -> 'Import CA Certificate Chain' -> 'Import the CA certificate chain into your browser' -> 'Submit' - when you get an email back from the DOE, click on the link to retrieve your certificate; scroll to the bottom and click on 'import your certificate'
- in firefox preferences' 'advanced' -> 'encryption' -> 'view certificates'
Select your certificate and click on 'backup'
save the file as p12 format and enter your password that you used on the DOE Cert form.
Setting up certificates for OSCARS
Create a directory for where the certs will be kept. We need to use keytool to copy the DOE cert into the keystore, and then make an useable alias for the cert. This alias will then be used in the 2 property files for Terapaths.
Get the repo (you could create this manually, but i got it from Dimitri)
Code Block |
---|
[terapaths@terapaths ~]$ pwd
/home/terapaths/repo
[terapaths@terapaths ~]$ unzip repo.zip
Archive: repo.zip
creating: repo/
inflating: repo/axis2.xml
inflating: repo/jetty-6.1.5.jar
inflating: repo/log4j.properties
creating: repo/modules/
inflating: repo/modules/rampart-1.3.mar
inflating: repo/sec-client.jks (need to add own cert)
inflating: repo/sec-client.properties
creating: repo/services/
inflating: repo/ssl-keystore.jks (used for contacting oscars server - does not need to be changed)
|
currently, the password that we put into the keystore must be kept in the sec-client.jks file.
Code Block | ||
---|---|---|
| ||
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=sec-client.jks
net.es.oscars.client.security.PWCallback.keypass=<somepassword>
|
We now want to import our certificate that we got from the DOE and saved as a .p12 file in firefox into the keystore sec-client.jks. Note that the default password used here for the keystore is 'password'.
Code Block |
---|
[terapaths@terapaths repo]$ /usr/java/jdk1.5.0_13/bin/java -cp /home/terapaths/repo/jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import <p12 certificate file> sec-client.jks
Enter input keystore passphrase: <DOE Password>
Enter output keystore passphrase: password
Alias 0: yee-ting li 940780's id
Adding key for alias yee-ting li 940780's id
|
Just to check the contents of the sec-client.jks store:
Code Block |
---|
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 9 entries
jra3, Sep 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
alice, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
esnetroot, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8
bob, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
dcsca, Mar 29, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6
yee-ting li 940780's id, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
doegridsca, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
|
The second to last entry show the newly inserted certificate.
Note that this created an alias 'yee-ting li 940780's id' (note that double space). We don't want to use this because the username is not very useable. So we will clone the id:
Code Block |
---|
[terapaths@terapaths repo]$ keytool -keyclone -alias "yee-ting li 940780's id" -dest ytl -keystore sec-client.jks
Enter keystore password: password
Enter key password for <ytl>
(RETURN if same as for <yee-ting li 940780's id>)<DOE PASSWORD>
|
Code Block |
---|
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 10 entries
jra3, Sep 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD
ytl, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
alice, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
bob, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
esnetroot, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
dcsca, Mar 29, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6
yee-ting li 940780's id, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
doegridsca, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
|
The cloned cert is 2nd from top. Now lets remove the original certificate (as we have no use for it)
Code Block |
---|
[terapaths@terapaths repo]$ keytool -delete -alias "yee-ting li 940780's id" -keystore sec-client.jks
Enter keystore password: password
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 9 entries
jra3, Sep 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD
ytl, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
alice, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
esnetroot, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8
bob, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
dcsca, Mar 29, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6
doegridsca, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
|
Setup Terapaths to use keystores
Now we have setup the keystores. We now need to assign them to the relevant terapaths modules. There are two files, proxy.properties
which should contain the keystore alias (ytl in the case above) to use to communicate with OSCARS, and axis2.xml
- ditto.
Set up an alias on the terapaths OSCARs proxy.properties file that refers to the relevant keystore certificate.
Code Block | ||
---|---|---|
| ||
# Proxy server properties file
enabled.for.service.OSCARS = YES
#url.for.service.OSCARS = https://ndb3-blmt.abilene.ucaid.edu:8443/axis2/services/OSCARS
url.for.service.OSCARS = https://198.128.3.10/axis2/services/OSCARS
repo.for.service.OSCARS = /home/terapaths/repo
user.for.service.OSCARS = ytl
burstLimit.for.service.OSCARS = 10000
|
Note that because we do not have a dns server, we have to substitute oscars.es.net
for it's IP address.
Edit axis2.xml and add user alias into the file...
Code Block | ||
---|---|---|
| ||
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature</items>
<user>ytl</user>
...
|
Server configuration
Code Block |
---|
Application Server -> JVM Settings -> Path settings
add to 'Classpath Prefix' '/home/terapaths/repo'
|
Code Block |
---|
Application Server -> JVM Settings -> JVM Options
click 'Add JVM Option'
add to the empty field '-Daxis2.xml=/home/terapaths/repo/axis2.xml'
|
Troubleshooting
Module Permissions
We upgraded to a version of the new OSCARS proxy, however, we must also change the server.policy file to allow the server to execute the code:
Code Block | ||
---|---|---|
| ||
grant codeBase "file:${com.sun.aas.instanceRoot}/generated/ejb/j2ee-modules/terapathsOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/terapathsOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
|
Starting/Stopping the Server
In order to pick up new policies and configuraiotn files outside of the webapps, you must restart the server:
Code Block |
---|
[terapaths@terapaths j2ee-modules]$ /home/terapaths/SUNWappserver/bin/asadmin stop-domain
Domain domain1 stopped.
|
Deploying new modules
Log into the admin web page and click 'undeploy' under 'Applications'->'Web Applications' for the module that that you want to upgrade. Then it's a simple task of copying the war into the autodeploy directory.
Code Block |
---|
[terapaths@terapaths installation]$ cp terapathsOSCARSProxy.war /home/terapaths/SUNWappserver/domains/domain1/autodeploy/
|
You do not need to restart the service