If you're installing this extension you've probably already installed all or part of the OGCE distribution. However, if you have come to this page directly, please see the installation instructions for setting up your environment. If you haven't already, install GridSphere.
The root directory for this module is located in ogce2/Extensions/GridSphereSSO. There are a few properties that you can configure in the project.properties file.
The first and most important property to set is catalina.home,
which should point to the root directory of your Tomcat installation.
# TOMCAT PATH
catalina.home=/opt/tomcat/jakarta-tomcat-5.5.9
The install process will copy various security-related jars into your Tomcat's
shared/lib directory. If you've already installed OGCE, then those jars are
already there, so you can set ogce.installed to true. By default this property is:
ogce.installed=false
You can enable and disable the authentication modes by setting the
auth.enable properties to either true or false.
true will turn the module on and false will turn the module off after
re-deployment of the modules and restarting Tomcat (see the Install section).
# ACTIVE MODULES
# enable and disable authentication modules
myproxy.auth.enable=true
gridport.auth.enable=false
You can configure these authentication modules with as many as 2 different MyProxy servers. If authentication with the first MyProxy server is successful, the module will not try the second one. However, if authentication to the first MyProxy server fails, the module will automatically try to authenticate to the second one.
The properties that you can configure for each server are the hostname, port
and lifetime. By default, the port properties are set to
7512 which is the default port that MyProxy runs on. The
default proxy lifetime is set to 2. You will need to
set the hostnames to point to actual MyProxy servers as the properties
are blank by default. NOTE: You do not have to configure both MyProxy
servers at the same time.
# MYPROXY CONFIGURATION
# You can configure up to 2 MyProxy servers
myproxy.host.1=
myproxy.port.1=7512
myproxy.lifetime.1=2
myproxy.host.2=
myproxy.port.2=7512
myproxy.lifetime.2=2
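A pre-deployment check of the MyProxy settings above, as an added example that is not part of the OGCE distribution. The function names are hypothetical, and treating a blank myproxy.host.N as "not configured" is an assumption about how the module behaves.

```shell
#!/bin/sh
# Added example: sanity-check the MyProxy block of project.properties.

# Print the value of property $2 in file $1 (last definition wins).
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print "host:port lifetime" for each configured server, in the order 1 then 2.
myproxy_servers() {
    for n in 1 2; do
        host=$(prop "$1" "myproxy.host.$n")
        [ -n "$host" ] || continue   # assumption: blank host means not configured
        echo "$host:$(prop "$1" "myproxy.port.$n") $(prop "$1" "myproxy.lifetime.$n")"
    done
}

# Return non-zero if MyProxy auth is enabled but unusable as configured.
check_myproxy() {
    [ "$(prop "$1" myproxy.auth.enable)" = "true" ] || return 0
    servers=$(myproxy_servers "$1")
    if [ -z "$servers" ]; then
        echo "myproxy.auth.enable=true but no myproxy.host.N is set"
        return 1
    fi
    while read -r hostport _life; do
        case "${hostport##*:}" in
            ''|*[!0-9]*) echo "bad port for $hostport"; return 1 ;;
        esac
    done <<EOF
$servers
EOF
    return 0
}

# Stand-alone use: sh check.sh project.properties
if [ "$#" -eq 1 ]; then
    myproxy_servers "$1"
    check_myproxy "$1"
fi
```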
The GridPort Repository comes from the GridPort project and allows
developers to set up grid authentication without a MyProxy server.
Prerequisites for a GridPort Repository are at least one certificate
and private key pair of .pem files and at least one
GridSphere portal account created for the user you wish to have
single sign-on grid capability through the portal.
If the GridPort authentication module is enabled then a GridPort
repository will be created automatically in
$HOME/.globus/GridPortRepository with the appropriate directory
structure. You can also configure the GridPort repository to install
in a directory other than the default by setting the
gridport.repo property in
project.properties.
# GRIDPORT CONFIGURATION
# local portal repository containing credentials
gridport.repo=${user.home}/.globus/GridPortRepository
storedCredentials/, storedProxies/, and
sessions/. You should copy your certificate and private
key .pem files into storedCredentials/ and
rename them to have your portal user's username as a prefix followed
by _cert.pem and _key.pem, respectively.
localhost> pwd
/home/ericrobe/.globus/GridPortRepository/storedCredentials
localhost> ls -l
total 12
-r-------- 1 ericrobe users 4860 2005-08-01 18:43 ericrobe_cert.pem
-r-------- 1 ericrobe users 1743 2005-08-01 18:43 ericrobe_key.pem
700). In the
example above the user ericrobe is also running the portal.
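A check of the naming and permissions shown in the listing above, as an added example that is not part of the OGCE distribution. The function names are hypothetical, and applying the owner-only rule to the storedCredentials/ directory itself is an assumption.

```shell
#!/bin/sh
# Added example: audit storedCredentials/ in a GridPort repository.
# Usage: audit_gridport_creds <repo-dir> <portal-username>

# Succeed only if group and other have no permission bits on $1.
owner_only() {
    # ls -ld mode string: char 1 is the type, 2-4 owner, 5-7 group, 8-10 other
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Return 0 when <user>_cert.pem and <user>_key.pem exist and are owner-only.
audit_gridport_creds() {
    repo=$1 user=$2 rc=0
    dir="$repo/storedCredentials"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # Assumption: the directory itself should also be owner-only.
    owner_only "$dir" || { echo "group/other can access: $dir"; rc=1; }
    for suffix in cert key; do
        f="$dir/${user}_${suffix}.pem"
        if [ ! -f "$f" ]; then
            echo "missing file: $f"; rc=1
        elif ! owner_only "$f"; then
            echo "group/other can access: $f"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh ~/.globus/GridPortRepository <username>
if [ "$#" -eq 2 ]; then
    audit_gridport_creds "$1" "$2"
fi
```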
Once you have configured the modules, you are ready to install them.
To do this, simply run maven install on the command line.
localhost> maven install
localhost> $CATALINA_HOME/bin/startup.sh
If the portal is installed on your local system, point your browser to
http://localhost:8080/gridsphere. Before you can perform
single sign-on grid authentication, you need to create a portal user account. The
username should be the same as the username that
you've used to delegate proxies to MyProxy or the same as the username
you named your certificate and key after in the GridPort repository.
To create a portal account, log in to the portal using the username
root and no password (assuming you haven't changed the
root password for the portal). Once authenticated, click on the
Administration tab and then the Users subtab. Next,
click on the Create a New User link, fill out the form with the
desired username, password and other information and click Save
user. Finally, log out of the portal.
To perform a single sign-on login, simply enter the username of the portal account you just created and a password that corresponds to either one of your proxies delegated to MyProxy or the certificate you placed in the GridPort repository. If single sign-on grid authentication is successful, you will be logged in and you should see a DN added to your list of proxies in the Proxy Manager portlet. NOTE: you can still log in to GridSphere without grid authentication by providing the password you used when you created your portal account.