Java WS Core Administration Guide Jarek Gawor

Overview

– Java WS Core overview
– Configuration files
– Container security configuration
– Configuration profiles
– Usage statistics
– Logging
– Starting and stopping the container
– Container hostname/IP configuration
– Service deployment and undeployment
– Tomcat deployment and configuration
Java WS Core Overview

Provides libraries, tools and an API for building stateful Web
Services
Implementation of the WS-Resource Framework (WSRF)
and WS-Notification (WSN) family of specifications
– June 2004 version of the specifications with the March 2004
version of the WS-Addressing specification

Support for transport-level and message-level security
Implemented with 'standard' Apache software
– Axis (SOAP engine)
– Addressing (WS-Addressing implementation)
– WSS4J (WS-Security implementation)
– and more
Configuration Files

Configuration files are stored in $G_L/etc/<service>/
subdirectories ($G_L is shorthand for $GLOBUS_LOCATION, the
root of the GT installation)
– server-config.wsdd
– jndi-config.xml
– security-config.xml

The configuration files are readable only by the
user that installed GT (they name credential files and
authorization settings, so keep those permissions as they are)
Configuration Files
WSDD

*.wsdd
– Configures Axis (SOAP engine)
– Contains information on
> Type mappings
> Handlers
– Server side
> server-config.wsdd
> Also contains service information
  > Service implementation, operation providers, WSDL
    reference, etc.
  > Can contain information on a number of services
> Multiple
  > Under $G_L/etc/<service>/ subdirectories
– Client side
> client-config.wsdd
> Only one
  > Directly under the $G_L/ directory
Configuration Files
JNDI

jndi-config.xml
– Configures the JNDI registry
– Contains information mainly on 'resource homes' (the objects
that discover and manage resources)
– Can also be used to store arbitrary configuration information
Configuration Files
Security Descriptor

security-config.xml
– Configures security settings
> Credentials
> Authorization type
> Authentication type
– Types of security descriptor
> Client
> Service/Resource
> Container
Main WSDD Configuration File

$G_L/etc/globus_wsrf_core/server-config.wsdd
– Container hostname/IP options
– Global security descriptor
– Usage statistics targets
– Standalone container options (number of threads)

Options are specified within the <globalConfiguration> section
in the format:
– <parameter name="<name>" value="<value>"/>

Example:
<globalConfiguration>
..
<parameter name="usageStatisticsTargets"
value="usage-stats.globus.org:4810"/>
..
</globalConfiguration>
Container Security Descriptor

$G_L/etc/globus_wsrf_core/global_security_descriptor.xml
Specifies container-wide security defaults
By default configured with:
– Credentials
> /etc/grid-security/containercert.pem and
> /etc/grid-security/containerkey.pem
– Authorization
> Gridmap: /etc/grid-security/gridmap-file

Specified via
– the "containerSecDesc" parameter in the main WSDD
configuration file, or
– the "-containerDesc" argument on the globus-start-container
command line
> Overrides the "containerSecDesc" parameter if both are set
Container Security Descriptor

Cert/Key
<securityConfig xmlns="http://www.globus.org">
...
<credential>
<key-file value="keyFile"/>
<cert-file value="certFile"/>
</credential>
...
</securityConfig>

Proxy
<securityConfig xmlns="http://www.globus.org">
...
<proxy-file value="proxyFile"/>
...
</securityConfig>
Container Security Descriptor

Gridmap file
<securityConfig xmlns="http://www.globus.org">
...
<gridmap value="gridMapFile"/>
...
</securityConfig>
Configuration Profiles

Support for multiple configurations in the same installation
Configuration file names are prefixed with the profile name:
– <profile>-server-config.wsdd
– <profile>-jndi-config.xml

'Client' profile
– Used by notification consumers (clients listening for notifications)
> Uses client-server-config.wsdd and client-jndi-config.xml

Services can be deployed into a configuration profile via the
"-profile" argument on the globus-deploy-gar command line
The container can be started with a specific configuration profile
using the "-profile" argument on the globus-start-container
command line
Multiple containers running as the same user might need to be
configured with a unique server id to prevent collisions of
persistent data
– By default persistent data is stored in the
~/.globus/persistent/<host>/ directory
– To set the server id do (csh syntax shown)
> setenv GLOBUS_OPTIONS -Dorg.globus.wsrf.container.server.id=<some id>
Usage Statistics

Usage information is sent on container startup and
shutdown
By default information is sent to
– usage-stats.globus.org:4810

Specified by the
– 'usageStatisticsTargets' parameter in the main
WSDD configuration file

To disable, either
– Comment out the parameter
– Remove the parameter altogether
– Remove its value (leave the value attribute empty)
Logging

Log4j is used as the logging engine
Configuration files:
– Container only: $G_L/container-log4j.properties
– Everything else (e.g. clients): $G_L/log4j.properties

Loggers are named using a hierarchical dot-separated
namespace
– Enabling logging at a given namespace enables logging for
all namespaces below it

Logging levels
– FATAL (highest)
– ERROR
– WARN
– INFO
– DEBUG (lowest)
Enabling logging at a given level also enables logging at all
higher levels
Logging Examples

Syntax
– log4j.category.<logger name>=<log level>

Examples
– Default Globus
> log4j.category.org.globus=INFO
– Authorization
> log4j.category.org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain=WARN
– Service-specific
> MDS
  > log4j.category.org.globus.mds=DEBUG
> GRAM
  > log4j.category.org.globus.exec=DEBUG
> RFT
  > log4j.category.org.globus.transfer=DEBUG
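Added example (not code from the guide or from Globus): a small resolver that tells you, for a container-log4j.properties built from the examples above, which messages log4j will actually emit. It implements the two rules the Logging slide states: a logger inherits the level of the nearest configured ancestor in its dot-separated name (org.globus.mds.Foo, then org.globus.mds, then org.globus, then org, then the root), and a message is emitted when its level is at or above that effective level. The sample properties are constructed from the guide's own lines; treating an unconfigured root as DEBUG is log4j 1.x behaviour and is an assumption here.

```python
"""Resolve effective log4j levels for a hierarchical logger namespace (added example)."""

# Level ranking from the guide: DEBUG (lowest) .. FATAL (highest).
# Levels outside these five (TRACE, OFF, ...) are rejected to keep the example honest.
LEVELS = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3, "FATAL": 4}

# Constructed container-log4j.properties made from the guide's examples.
SAMPLE_PROPERTIES = """\
log4j.rootCategory=WARN, A1
log4j.category.org.globus=INFO
# quiet the authorization chain, it is chatty at INFO
log4j.category.org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain=WARN
log4j.category.org.globus.mds=DEBUG
"""


def parse_log4j(text):
    """Return {logger name: level}; the root logger is stored under ''."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        # "LEVEL, appender, ..." -> only the level matters here
        level = value.split(",")[0].strip().upper()
        if key.startswith("log4j.category.") or key.startswith("log4j.logger."):
            if level not in LEVELS:
                raise ValueError("unknown level %r on line %r" % (level, raw))
            cfg[key.split(".", 2)[2]] = level
        elif key in ("log4j.rootCategory", "log4j.rootLogger"):
            if level not in LEVELS:
                raise ValueError("unknown level %r on line %r" % (level, raw))
            cfg[""] = level
    return cfg


def effective_level(cfg, logger):
    """Level of the nearest configured ancestor of `logger` (itself first, root last)."""
    name = logger
    while True:
        if name in cfg:
            return cfg[name]
        if "." not in name:
            break
        name = name.rsplit(".", 1)[0]
    return cfg.get("", "DEBUG")  # assumption: log4j 1.x root default


def is_enabled(cfg, logger, level):
    """True if a message at `level` from `logger` is emitted under this configuration."""
    return LEVELS[level.upper()] >= LEVELS[effective_level(cfg, logger)]


if __name__ == "__main__":
    cfg = parse_log4j(SAMPLE_PROPERTIES)
    chain = "org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain"
    for logger, level in [(chain, "INFO"), (chain, "WARN"),
                          ("org.globus.mds.index.Foo", "DEBUG"),
                          ("org.globus.exec.Bar", "DEBUG"),
                          ("org.apache.axis.Foo", "INFO")]:
        verdict = "emitted" if is_enabled(cfg, logger, level) else "dropped"
        print("%-75s %-5s -> %s" % (logger, level, verdict))
```

The practical point: with the authorization chain pinned to WARN, the INFO-level authorization decisions disappear from the container log even though org.globus as a whole is at INFO, so check the effective level of the specific logger before relying on the log for an investigation.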
Starting The Container

To start the container do:
– $G_L/bin/globus-start-container

The container will start in the foreground
By default the container starts in HTTPS mode on
port 8443
– To start in HTTP mode add the '-nosec' option
> '-nosec' does not disable security! It only turns off
transport-level (HTTPS) protection; message-level
security can still be used

A configuration profile can be specified via the '-profile'
argument
The global security configuration can be specified via the '-containerDesc' argument
Use the '-debug' argument to get more information if the
container fails to start up
Stopping The Container

To stop the container do:
– $G_L/bin/globus-stop-container

Invokes the ShutdownService in the container
– Therefore it can also be used to shut down remote containers
– By default only the user running the container can shut it
down (the service performs self authorization: the caller must
present the same identity as the container's own credential)
> Can be customized

Shutdown modes
– 'hard'
> Calls exit() explicitly
– 'soft' (default)
> Lets the threads, etc. die naturally
Starting The Container
(detached)

Unix/Linux only
To start the container do:
– $G_L/sbin/globus-start-container-detached

The container will start in the background with
– Output redirected to $G_L/var/container.log
– Process id of the container stored in
$G_L/var/container.pid

The program accepts the same options as the regular
globus-start-container
The container can be stopped via the regular globus-stop-container
Stopping The Container
(detached)

Unix/Linux only

To stop the container do:
– $G_L/sbin/globus-stop-container-detached

Reads $G_L/var/container.pid and kills the process
– Therefore it can only stop a locally running container
Container Hostname/IP

By default the container:
– Binds to all network interfaces
– Performs a DNS lookup
– Publishes the IP address in service URLs

To disable the DNS lookup (hostnames will be published) add (in
the main WSDD configuration file):
– <parameter name="disableDNS" value="true"/>

To specify a different hostname:
– Add <parameter name="logicalHost" value="<value>"/> (in
the main WSDD configuration file) or
– Set the GLOBUS_HOSTNAME environment variable

Proxy support
– The container runs locally on port A but publishes service URLs with
port B
– To enable proxy support do (csh syntax shown)
> setenv GLOBUS_OPTIONS -Dorg.globus.wsrf.proxy.port=<port>
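Added example (not code from the guide or from Globus) serving the Main WSDD Configuration File, Usage Statistics and Container Hostname/IP sections together: a script that edits <globalConfiguration> parameters of server-config.wsdd as text rather than through an XML library, so comments, the xmlns:java declaration and every <service> entry stay byte-for-byte intact. It removes usageStatisticsTargets and sets disableDNS and logicalHost, and it ignores parameters that are commented out (the guide's first way of disabling usage statistics) as well as same-named parameters under <service>. Assumptions: parameters are written as <parameter name="..." value="..."/> with name before value, as the guide shows them, and the sample descriptor below is constructed, not copied from an installation.

```python
"""Text-level editor for <globalConfiguration> parameters in server-config.wsdd (added example)."""
import re
from xml.sax.saxutils import escape

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
GLOBAL_RE = re.compile(r"<globalConfiguration\b[^>]*>(.*?)</globalConfiguration>", re.S)
NAME_RE = re.compile(r"^[A-Za-z_][\w.-]*$")

# Constructed sample; a real file carries many <service> and <typeMapping> entries.
SAMPLE_WSDD = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <parameter name="usageStatisticsTargets"
               value="usage-stats.globus.org:4810"/>
    <!-- <parameter name="logicalHost" value="old.example.org"/> -->
    <parameter name="containerSecDesc"
               value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
  </globalConfiguration>
  <service name="ExampleService" provider="Handler">
    <parameter name="className" value="org.example.ExampleService"/>
  </service>
</deployment>
"""


def _mask_comments(text):
    """Blank out comments with spaces so offsets still match the original text."""
    return COMMENT_RE.sub(lambda m: " " * (m.end() - m.start()), text)


def _param_re(name):
    return re.compile(r'<parameter\s+name="%s"\s+value="([^"]*)"\s*/>' % re.escape(name))


def _global_span(masked):
    m = GLOBAL_RE.search(masked)
    if not m:
        raise ValueError("no <globalConfiguration> section in WSDD")
    return m.start(1), m.end(1)


def get_parameter(wsdd, name):
    """Active value of a <globalConfiguration> parameter, or None.

    Parameters under <service> and commented-out parameters are not seen."""
    masked = _mask_comments(wsdd)
    start, end = _global_span(masked)
    m = _param_re(name).search(masked, start, end)
    return m.group(1) if m else None


def remove_parameter(wsdd, name):
    """Delete every active <parameter name=NAME .../> in <globalConfiguration>.

    Returns (new text, number removed); whole lines go when the element is alone on them."""
    masked = _mask_comments(wsdd)
    start, end = _global_span(masked)
    pieces, pos, count = [], 0, 0
    for m in _param_re(name).finditer(masked, start, end):
        s, e = m.start(), m.end()
        line_start = wsdd.rfind("\n", 0, s) + 1
        if not wsdd[line_start:s].strip():
            s = line_start
            newline = wsdd.find("\n", e)
            if newline != -1 and not wsdd[e:newline].strip():
                e = newline + 1
        pieces.append(wsdd[pos:s])
        pos = e
        count += 1
    pieces.append(wsdd[pos:])
    return "".join(pieces), count


def set_parameter(wsdd, name, value):
    """Replace the active parameter's value, or add it as the first child of
    <globalConfiguration> when there is no active one (a commented copy stays).  Returns new text."""
    if not NAME_RE.match(name):
        raise ValueError("bad parameter name %r" % name)
    masked = _mask_comments(wsdd)
    start, end = _global_span(masked)
    element = '<parameter name="%s" value="%s"/>' % (name, escape(value, {'"': "&quot;"}))
    m = _param_re(name).search(masked, start, end)
    if m:
        return wsdd[:m.start()] + element + wsdd[m.end():]
    child = re.search(r"\n([ \t]*)\S", wsdd[start:end])  # copy the indentation of the first child
    indent = child.group(1) if child else "    "
    return wsdd[:start] + "\n" + indent + element + wsdd[start:]


def harden(wsdd, logical_host):
    """The guide's three edits in one pass: no usage reporting, hostnames not IPs, fixed logical host."""
    wsdd, _ = remove_parameter(wsdd, "usageStatisticsTargets")
    wsdd = set_parameter(wsdd, "disableDNS", "true")
    return set_parameter(wsdd, "logicalHost", logical_host)


if __name__ == "__main__":
    # Real use: read $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd, write the
    # result back, then restart the container; the edits only take effect on startup.
    print(harden(SAMPLE_WSDD, "grid.example.org"))
```

Because the edit is position-based on the masked text, a parameter that is commented out is neither read nor resurrected: set_parameter adds a fresh active element and leaves the comment alone, which keeps the diff reviewable.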
Service Deployment

Adds new services to the container using GAR files
GAR
– Zip file with a specific directory structure and naming
– Contains service code, WSDL, documentation, etc.

The container must be off
To deploy:
– $G_L/bin/globus-deploy-gar <gar file>
– Optionally a specific profile can be given via the '-profile'
argument
– Example:
> $G_L/bin/globus-deploy-gar /tmp/foo-1.gar -profile bar
Service Undeployment

Removes services from the container
– The files are actually deleted, from all profiles of the service

The container must be off

To undeploy:
– $G_L/bin/globus-undeploy-gar <gar id>
– <gar id> is the gar filename without the .gar
extension
– For example (using the previous example):
> $G_L/bin/globus-undeploy-gar foo-1
Tomcat Deployment

Tomcat 4.1.x and 5.0.x supported
Non-direct service deployment
– GARs must first be deployed into a separate GT
installation
– That GT installation is then deployed into Tomcat

To deploy a GT installation into Tomcat
– cd $GLOBUS_LOCATION
– ant -f share/globus_wsrf_common/tomcat/tomcat.xml deploySecureTomcat -Dtomcat.dir=<tomcat.dir>

Warning: Not all GT4 services have been tested in
Tomcat
Tomcat Configuration


Needs to be done only once
Update $TOMCAT_DIR/conf/server.xml file
with
– HTTPS Connector
– HTTPS Valve
Tomcat 4.1.x: HTTPS Connector

Add under the <Service> section:
<Connector
className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" authenticate="true"
acceptCount="10" debug="1" scheme="https"
secure="true">
<Factory
className="org.globus.tomcat.catalina.net.HTTPSServerSocketFactory"
cert="/etc/grid-security/containercert.pem"
key="/etc/grid-security/containerkey.pem"
cacertdir="/etc/grid-security/certificates"
/>
</Connector>
Tomcat 4.1.x: HTTPS Valve

Add under the <Engine> section:
<Valve
className="org.globus.tomcat.catalina.valves.HTTPSValve"/>
Tomcat 5.0.x: HTTPS Connector

Add under the <Service> section:
<Connector
className="org.globus.tomcat.coyote.net.HTTPSConnector"
port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https"
cert="/etc/grid-security/containercert.pem"
key="/etc/grid-security/containerkey.pem"
cacertdir="/etc/grid-security/certificates"
/>
Tomcat 5.0.x: HTTPS Valve

Add under the <Engine> section:
<Valve
className="org.globus.tomcat.coyote.valves.HTTPSValve"/>