...
Code Block |
---|
mysql> select * from remoteLANServiceURL; +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ | ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference | +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ | 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | http://198.124.220.9:8080/terapathsRemoteTPsListeners/tpsRTPsL | 0 | +---------------+---------------+-----------------+--------+----------------------------------------------------------------+------------+ 1 row in set (0.00 sec) mysql> select * from WANServiceURL; +---------------+---------------+-----------------+--------+----------------------------------------------------+------------+ | ipAddress | mask | maskedIpAddress | prefix | wsdlURL | preference | +---------------+---------------+-----------------+--------+----------------------------------------------------+------------+ | 198.124.220.0 | 255.255.255.0 | 3330071552 | 24 | OSCARS,https://oscars.es.net/axis2/services/OSCARS | 0 | +---------------+---------------+-----------------+--------+----------------------------------------------------+------------+ 1 row in set (0.00 sec) |
Getting the DOE Certificate
Use firefox.
- Request a new certificate
- add the certificate to your browser by going to
http://pki1.doegrids.org/ca
: Go to 'Retrieval' -> 'Import CA Certificate Chain' -> 'Import the CA certificate chain into your browser' -> 'Submit' - when you get an email back from the DOE, click on the link to retrieve your certificate; scroll to the bottom and click on 'import your certificate'
- in firefox preferences' 'advanced' -> 'encryption' -> 'view certificates'
Select your certificate and click on 'backup'
save the file as p12 format and enter your password that you used on the DOE Cert form.
Setting up certificates for OSCARS
Create a directory for where the certs will be kept. We need to use keytool to copy the DOE cert into the keystore, and then make an useable alias for the cert. This alias will then be used in the 2 property files for Terapaths.
Get the repo (you could create this manually, but i got it from Dimitri)
Code Block |
---|
[terapaths@terapaths ~]$ pwd
/home/terapaths/repo
[terapaths@terapaths ~]$ unzip repo.zip
Archive: repo.zip
creating: repo/
inflating: repo/axis2.xml
inflating: repo/jetty-6.1.5.jar
inflating: repo/log4j.properties
creating: repo/modules/
inflating: repo/modules/rampart-1.3.mar
inflating: repo/sec-client.jks (need to add own cert)
inflating: repo/sec-client.properties
creating: repo/services/
inflating: repo/ssl-keystore.jks (used for contacting oscars server - does not need to be changed)
|
currently, the password that we put into the keystore must be kept in the sec-client.jks file.
Code Block | ||
---|---|---|
| ||
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=sec-client.jks
net.es.oscars.client.security.PWCallback.keypass=<somepassword>
|
We now want to import our certificate that we got from the DOE and saved as a .p12 file in firefox into the keystore sec-client.jks. Note that the default password used here for the keystore is 'password'.
Code Block |
---|
[terapaths@terapaths repo]$ /usr/java/jdk1.5.0_13/bin/java -cp /home/terapaths/repo/jetty-6.1.5.jar org.mortbay.jetty.security.PKCS12Import <p12 certificate file> sec-client.jks
Enter input keystore passphrase: <DOE Password>
Enter output keystore passphrase: password
Alias 0: yee-ting li 940780's id
Adding key for alias yee-ting li 940780's id
|
Just to check the contents of the sec-client.jks store:
Code Block |
---|
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 9 entries
jra3, Sep 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
alice, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
esnetroot, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8
bob, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
dcsca, Mar 29, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6
yee-ting li 940780's id, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
doegridsca, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
|
The second to last entry show the newly inserted certificate.
Note that this created an alias 'yee-ting li 940780's id' (note that double space). We don't want to use this because the username is not very useable. So we will clone the id:
Code Block |
---|
[terapaths@terapaths repo]$ keytool -keyclone -alias "yee-ting li 940780's id" -dest ytl -keystore sec-client.jks
Enter keystore password: password
Enter key password for <ytl>
(RETURN if same as for <yee-ting li 940780's id>)<DOE PASSWORD>
|
Code Block |
---|
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 10 entries
jra3, Sep 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD
ytl, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
alice, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
bob, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
esnetroot, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
dcsca, Mar 29, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6
yee-ting li 940780's id, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
doegridsca, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
|
The cloned cert is 2nd from top. Now lets remove the original certificate (as we have no use for it)
Code Block |
---|
[terapaths@terapaths repo]$ keytool -delete -alias "yee-ting li 940780's id" -keystore sec-client.jks
Enter keystore password: password
[terapaths@terapaths repo]$ keytool -list -keystore sec-client.jks
Enter keystore password: password
Keystore type: jks
Keystore provider: SUN
Your keystore contains 9 entries
jra3, Sep 13, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 61:02:09:AC:22:A0:6A:B5:AB:BA:FA:1F:60:B2:6E:FD
ytl, Nov 15, 2007, keyEntry,
Certificate fingerprint (MD5): 43:F7:AD:B1:1B:76:3B:EB:95:8B:CE:C2:78:AB:AD:D8
ca, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6
alice, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84
esnetroot, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 25:85:99:E6:D4:49:F6:F2:85:AB:B0:69:37:B9:47:B8
bob, Jun 4, 2005, keyEntry,
Certificate fingerprint (MD5): 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC
root, Jun 4, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14
dcsca, Mar 29, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 92:21:D8:26:10:73:0A:CE:36:56:7D:F8:6C:65:9E:C6
doegridsca, Oct 23, 2006, trustedCertEntry,
Certificate fingerprint (MD5): B3:76:40:75:F6:C4:BF:AF:82:CA:9A:D5:1D:FC:00:97
|
Setup Terapaths to use keystores
Now we have setup the keystores. We now need to assign them to the relevant terapaths modules. There are two files, proxy.properties
which should contain the keystore alias (ytl in the case above) to use to communicate with OSCARS, and axis2.xml
- ditto.
Set up an alias on the terapaths OSCARs proxy.properties file that refers to the relevant keystore certificate.
Code Block | ||
---|---|---|
| ||
# Proxy server properties file
enabled.for.service.OSCARS = YES
#url.for.service.OSCARS = https://ndb3-blmt.abilene.ucaid.edu:8443/axis2/services/OSCARS
url.for.service.OSCARS = https://198.128.3.10/axis2/services/OSCARS
repo.for.service.OSCARS = /home/terapaths/repo
user.for.service.OSCARS = ytl
burstLimit.for.service.OSCARS = 10000
|
Note that because we do not have a dns server, we have to substitute oscars.es.net
for it's IP address.
Edit axis2.xml and add user alias into the file...
Code Block | ||
---|---|---|
| ||
<parameter name="OutflowSecurity">
<action>
<items>Timestamp Signature</items>
<user>ytl</user>
...
|
Server configuration
Code Block |
---|
Application Server -> JVM Settings -> Path settings
add to 'Classpath Prefix' '/home/terapaths/repo'
|
Code Block |
---|
Application Server -> JVM Settings -> JVM Options
click 'Add JVM Option'
add to the empty field '-Daxis2.xml=/home/terapaths/repo/axis2.xml'
|
Troubleshooting
Module Permissions
We upgraded to a version of the new OSCARS proxy, however, we must also change the server.policy file to allow the server to execute the code:
Code Block | ||
---|---|---|
| ||
grant codeBase "file:${com.sun.aas.instanceRoot}/generated/ejb/j2ee-modules/terapathsOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/terapathsOSCARSProxy/-" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.io.FilePermission "<>", "read,write,delete";
};
|
Starting/Stopping the Server
In order to pick up new policies and configuraiotn files outside of the webapps, you must restart the server:
Code Block |
---|
[terapaths@terapaths j2ee-modules]$ /home/terapaths/SUNWappserver/bin/asadmin stop-domain
Domain domain1 stopped.
|
Deploying new modules
Log into the admin web page and click 'undeploy' under 'Applications'->'Web Applications' for the module that that you want to upgrade. Then it's a simple task of copying the war into the autodeploy directory.
Code Block |
---|
[terapaths@terapaths installation]$ cp terapathsOSCARSProxy.war /home/terapaths/SUNWappserver/domains/domain1/autodeploy/
|
You do not need to restart the service