9.1. Setting up GSI-based Security for Opal

This section explains how to configure Opal to use GSI to authenticate clients.

  1. Create a globus-based PEM server certificate and unencrypted private key for the tomcat server (consult the documentation of your CA software to help you with this step).

  2. Make sure that Opal has been installed successfully. If not, do so by running the following command:

        ant install 

  3. To enable GSI HTTPS in Tomcat there are two different procedures depending on your version of Tomcat. If you are using 5.0.X, you can start from the sample etc/server.xml provided (works for version 5.0.30). The following snippets are responsible for enabling https:

       <Service name="Catalina">
         ...
         <Connector className="org.globus.tomcat.coyote.net.HTTPSConnector"
                    port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                    enableLookups="false" disableUploadTimeout="true"
                    acceptCount="100" clientAuth="true"
                    debug="3" scheme="https"
                    autoFlush="true" encryption="true"
                    cert="/path/to/certificate/file"
                    key="/path/to/private/key/file"
                    cacertdir="/path/to/ca/certificates/directory" />
         ...
         <Engine name="Catalina" defaultHost="localhost" debug="0">
           ...
           <Valve className="org.globus.tomcat.coyote.valves.HTTPSValve"/>
           ...
         </Engine>
       </Service>

    Make sure that cert and key point to the server certificate and private key generated in step 1, and that cacertdir points to the directory holding the certificates of your trusted CAs.

    If you are using Tomcat 5.5.X you should modify the server.xml in the following way:

       <Service name="Catalina">
         ...
         <Connector
             className="org.globus.tomcat.coyote.net.HTTPSConnector"
             port="8443" maxThreads="150"
             minSpareThreads="25" maxSpareThreads="75"
             autoFlush="true" disableUploadTimeout="true"
             scheme="https" enableLookups="true"
             acceptCount="10" debug="0"
             protocolHandlerClassName="org.apache.coyote.http11.Http11Protocol"
             socketFactory="org.globus.tomcat.catalina.net.BaseHTTPSServerSocketFactory"
             proxy="/path/to/proxy/file" cert="/path/to/certificate/file"
             key="/path/to/private/key/file"
             cacertdir="/path/to/ca/certificates/directory"
             encryption="true"/>
         ...
         <Engine name="Catalina" defaultHost="localhost" debug="0">
           ...
           <Valve className="org.globus.tomcat.coyote.valves.HTTPSValve55"/>
           ...
         </Engine>
       </Service>

    The parameters proxy, cert, key and cacertdir should point to your local files. If you use a proxy, do not also set cert and key: the two credential modes are mutually exclusive. The encryption attribute is optional and defaults to true when not set.
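    As a quick consistency check on the Connector attributes described above, here is an added Python script (not part of Opal or of the Globus Tomcat integration) that parses a server.xml, enforces the proxy-versus-cert/key rule, flags a disabled encryption attribute or a missing cacertdir, and verifies that the Valve class matches the Tomcat line in use; the embedded server.xml fragment is constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the shape of the 5.5.X snippet above ("..." removed so it parses).
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector className="org.globus.tomcat.coyote.net.HTTPSConnector"
             port="8443" scheme="https"
             proxy="/path/to/proxy/file" cert="/path/to/certificate/file"
             key="/path/to/private/key/file"
             cacertdir="/path/to/ca/certificates/directory"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.globus.tomcat.coyote.valves.HTTPSValve55"/>
  </Engine>
</Service>"""

# Valve class the docs pair with each Tomcat line.
VALVE_FOR_VERSION = {"5.0": "HTTPSValve", "5.5": "HTTPSValve55"}


def check_gsi_connector(server_xml, tomcat_version, check_files=False):
    """Return a list of problems; an empty list means the GSI connector config is consistent."""
    problems = []
    root = ET.fromstring(server_xml)
    conns = [c for c in root.iter("Connector")
             if c.get("className", "").endswith("HTTPSConnector")]
    if not conns:
        return ["no org.globus HTTPSConnector element found"]
    conn = conns[0]
    has_proxy = bool(conn.get("proxy"))
    has_cert_key = bool(conn.get("cert")) and bool(conn.get("key"))
    if has_proxy and (conn.get("cert") or conn.get("key")):
        problems.append("proxy and cert/key are mutually exclusive; configure only one")
    elif not has_proxy and not has_cert_key:
        problems.append("need either proxy or both cert and key")
    if not conn.get("cacertdir"):
        problems.append("cacertdir is not set, so no client CA will be trusted")
    if conn.get("encryption", "true").lower() != "true":   # attribute defaults to true
        problems.append("encryption=\"false\": port %s would carry cleartext" % conn.get("port"))
    expected = VALVE_FOR_VERSION[tomcat_version]          # KeyError for an unsupported line
    valves = [v.get("className", "") for v in root.iter("Valve")]
    if not any(v.endswith("." + expected) for v in valves):
        problems.append("Tomcat %s.X needs the %s valve" % (tomcat_version, expected))
    if check_files:  # only meaningful on the server host where the files live
        for attr in ("proxy", "cert", "key"):
            if conn.get(attr) and not os.path.isfile(conn.get(attr)):
                problems.append("%s file %s does not exist" % (attr, conn.get(attr)))
        if conn.get("cacertdir") and not os.path.isdir(conn.get("cacertdir")):
            problems.append("cacertdir %s is not a directory" % conn.get("cacertdir"))
    return problems
```

    Run it against the real file with `check_gsi_connector(open("server.xml").read(), "5.5", check_files=True)` on the Tomcat host before restarting the server.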

  4. To enable grid-map authorization of clients, add the following XML fragment inside the <requestFlow/> element of the <globalConfiguration/> in $CATALINA_HOME/webapps/opal2/WEB-INF/server-config.wsdd.

       <handler type="java:edu.sdsc.nbcr.common.GridMapAuthHandler">
        <parameter name="gridmap" value="/path/to/grid-mapfile"/>
       </handler> 

    Make sure that the value points to a valid grid-map file. To authorize a client to use the service, add an entry to the grid-map file mapping the client's DN to a local user. Since all jobs are launched as the app_user, map all client DNs to the generic app_user, e.g. the following is an entry in a grid-map file:

       "/C=US/O=nbcr/OU=sdsc/CN=app_user" app_user 

    Instead, if you would like to authorize based on a list of acceptable CAs, then you must enable the ca-map authorization of clients. To do so, add the following XML fragment inside the <requestFlow/> element of the <globalConfiguration/> in $CATALINA_HOME/webapps/opal/WEB-INF/server-config.wsdd.

       <handler type="java:edu.sdsc.nbcr.common.CAAuthHandler">
        <parameter name="ca-map" value="/path/to/ca-mapfile"/>
       </handler> 

    Make sure that the value points to a valid ca-map file. To authorize a client to use the service, add an entry into the ca-map file with the DN for the client's CA, e.g. the following is an entry in a ca-map file:

       "C=US,O=nbcr,OU=sdsc,CN=Certificate Manager" NBCR 
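    As an added local check (not the code of the Opal handlers themselves), the following Python parses grid-map and ca-map files in the two formats shown above and answers whether a given client DN, or the DN of the CA that issued its certificate, would be authorized. The DN normalization that lets the slash form ("/C=US/O=...") and the comma form ("C=US,O=...") compare equal is an assumption of this example, not documented handler behaviour; the sample files are constructed.

```python
import shlex

# Constructed sample files in the formats shown in step 4: a quoted DN, then a local user or CA label.
GRID_MAPFILE = '''# client DNs, all mapped to the generic app_user
"/C=US/O=nbcr/OU=sdsc/CN=app_user" app_user
"/C=US/O=nbcr/OU=sdsc/CN=Jane Doe" app_user
'''
CA_MAPFILE = '''"C=US,O=nbcr,OU=sdsc,CN=Certificate Manager" NBCR
'''


def normalize_dn(dn):
    """Canonical comma form for both DN spellings on this page (assumption: a local
    consistency check only; RDN values containing '/' or ',' are not handled)."""
    rdns = dn.split("/") if dn.startswith("/") else dn.split(",")
    return ",".join(r.strip() for r in rdns if r.strip())


def parse_map(text):
    """Return {normalized DN: value} from a grid-map or ca-map file, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps a quoted DN containing spaces together
        if len(parts) < 2:
            raise ValueError("malformed map entry: %r" % line)
        entries[normalize_dn(parts[0])] = parts[1]
    return entries


def grid_map_user(gridmap, client_dn):
    """Local account the client DN is mapped to, or None if the DN is not in the grid-map."""
    return parse_map(gridmap).get(normalize_dn(client_dn))


def ca_map_authorized(camap, issuer_dn):
    """True if the CA that issued the client certificate is listed in the ca-map file."""
    return normalize_dn(issuer_dn) in parse_map(camap)
```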

  5. Restart the Tomcat server for the configurations to take effect.

  6. Create a globus-based PEM certificate for the client, and create a limited-lifetime proxy by performing a "grid-proxy-init". Before invoking the client, make sure that the X509_USER_PROXY system property is set correctly to the location of the generated proxy. You may launch a job using GSI HTTPS as follows:

        java -DX509_USER_PROXY=$X509_USER_PROXY edu.sdsc.nbcr.opal.GenericServiceClient \
                     -l https://localhost:8443/opal2/services/Pdb2pqrServicePort \
                     -r launchJob \
                     -a "--ff=amber sample.pdb output.pqr" \
                     -f samples/sample.pdb
      

    You may need to ensure that the client and the server trust each other's CAs (by adding entries to the .globus/certificates and /etc/grid-security/certificates directories respectively, if need be). The GenericServiceClient class shows how the user credentials can be set programmatically inside a client stub in order to enable GSI HTTPS.

  7. Note that the Opal dashboard will not function out of the box when GSI-based mutual authentication is in use, because the Opal server rejects clients that are not authenticated. You will need to import your client certificate or proxy into your Web browser to be able to authenticate to the Opal server. The procedure varies from one browser to another; follow the documentation for your specific Web browser.