Java WS Core Administration Guide
Jarek Gawor

Overview
- Java WS Core overview
- Configuration files
- Container security configuration
- Configuration profiles
- Usage statistics
- Logging
- Starting and stopping the container
- Container hostname/IP configuration
- Service deployment and undeployment
- Tomcat deployment and configuration

Java WS Core Overview
- Provides libraries, tools and an API for building stateful Web Services
- Implementation of the WS-Resource Framework (WSRF) and WS-Notification (WSN) family of specifications
  > June 2004 version of the specifications, with the March 2004 version of the WS-Addressing specification
- Support for transport-level and message-level security
- Implemented with 'standard' Apache software:
  > Axis (SOAP engine)
  > Addressing (WS-Addressing implementation)
  > WSS4J (WS-Security implementation)
  > and more

Configuration Files
- Configuration files are stored in $G_L/etc/<service>/ subdirectories ($G_L is short for $GLOBUS_LOCATION throughout)
  > server-config.wsdd
  > jndi-config.xml
  > security-config.xml
- The configuration files are readable only by the user that installed GT

Configuration Files: WSDD
- *.wsdd
  > Configures Axis (the SOAP engine)
  > Contains type mappings and handlers
- Server side: server-config.wsdd
  > Also contains service information: service implementation, operation providers, WSDL reference, etc.
  > Can contain information on a number of services
  > Multiple files, under the $G_L/etc/<service>/ subdirectories
- Client side: client-config.wsdd
  > Only one, directly under the $G_L/ directory

Configuration Files: JNDI
- jndi-config.xml
  > Configures the JNDI registry
  > Contains mainly 'resource homes': the way resources are discovered, managed, etc.
  > Can be used to store arbitrary configuration information

Configuration Files: Security Descriptor
- security-config.xml
  > Configures security settings: credentials, authorization type, authentication type
- Types of security descriptor
  > Client
  > Service/Resource
  > Container

Main WSDD Configuration File
- $G_L/etc/globus_wsrf_core/server-config.wsdd
  > Container hostname/IP options
  > Global security descriptor
  > Usage statistics targets
  > Standalone container options (number of threads)
- Options are specified within the <globalConfiguration> section in the format:
  <parameter name="<name>" value="<value>"/>
- Example:

  <globalConfiguration>
    ..
    <parameter name="usageStatisticsTargets" value="usage-stats.globus.org:4810"/>
    ..
  </globalConfiguration>

Container Security Descriptor
- $G_L/etc/globus_wsrf_core/global_security_descriptor.xml
- Specifies container-wide security defaults
- By default configured with:
  > Credentials: /etc/grid-security/containercert.pem and /etc/grid-security/containerkey.pem
  > Authorization: gridmap, /etc/grid-security/gridmap-file (a client whose subject DN is not listed in the file is denied)
- Specified via
  > the "containerSecDesc" parameter in the main WSDD configuration file, or
  > the "-containerDesc" argument on the globus-start-container command line (overrides "containerSecDesc" if both are set)

Container Security Descriptor: Cert/Key

  <securityConfig xmlns="http://www.globus.org">
    ...
    <credential>
      <key-file value="keyFile"/>
      <cert-file value="certFile"/>
    </credential>
    ...
  </securityConfig>

Container Security Descriptor: Proxy (note that a proxy credential has a short lifetime, unlike the long-lived container cert/key)

  <securityConfig xmlns="http://www.globus.org">
    ...
    <proxy-file value="proxyFile"/>
    ...
  </securityConfig>

Container Security Descriptor: Gridmap file

  <securityConfig xmlns="http://www.globus.org">
    ...
    <gridmap value="gridMapFile"/>
    ...
  </securityConfig>

Configuration Profiles
- Support for multiple configurations in the same installation
- Configuration files are prefixed with the profile name:
  > <profile>-server-config.wsdd
  > <profile>-jndi-config.xml
- 'Client' profile
  > Used by notification consumers (clients listening for notifications)
  > Uses client-server-config.wsdd and client-jndi-config.xml
- Services can be deployed into a configuration profile via the "-profile" argument on the globus-deploy-gar command line
- The container can be started with a specific configuration profile via the "-profile" argument on the globus-start-container command line
- Multiple containers running as the same user might need to be configured with a unique server id to prevent collisions of persistent data
  > By default persistent data is stored in the ~/.globus/persistent/<host>/ directory
  > To set the server id:
    setenv GLOBUS_OPTIONS -Dorg.globus.wsrf.container.server.id=<some id>

Usage Statistics
- Usage information is sent on container startup and shutdown
- By default the information is sent to usage-stats.globus.org:4810
- Specified by the 'usageStatisticsTargets' parameter in the main WSDD configuration file
- To disable:
  > Comment out the parameter, or
  > Remove the parameter altogether, or
  > Remove its values

Logging
- Log4j is used as the logging engine
- Configuration files:
  > Container only: $G_L/container-log4j.properties
  > Everything else (e.g. clients): $G_L/log4j.properties
- Loggers are named using a hierarchical dot-separated namespace
  > Enabling logging at a given namespace enables logging for all namespaces below it
- Logging levels:
  > FATAL (highest)
  > ERROR
  > WARN
  > INFO
  > DEBUG (lowest)
- Enabling logging at a given level also enables logging at all higher levels

Logging Examples
- Syntax: log4j.category.<logger name>=<log level>
- Default Globus:
  log4j.category.org.globus=INFO
- Authorization:
  log4j.category.org.globus.wsrf.impl.security.authorization.ServiceAuthorizationChain=WARN
- Service-specific:
  > MDS:  log4j.category.org.globus.mds=DEBUG
  > GRAM: log4j.category.org.globus.exec=DEBUG
  > RFT:  log4j.category.org.globus.transfer=DEBUG

Starting The Container
- To start the container:
  $G_L/bin/globus-start-container
- The container starts in the foreground
- By default the container starts in HTTPS mode on port 8443
  > To start in HTTP mode add the '-nosec' option
  > '-nosec' does not disable security! It only turns off transport-level security (HTTPS); message-level security can still be used
- A configuration profile can be specified via the '-profile' argument
- The global security configuration can be specified via the '-containerDesc' argument
- Use the '-debug' argument to get more information if the container fails to start up

Stopping The Container
- To stop the container:
  $G_L/bin/globus-stop-container
- Invokes a ShutdownService in the container
  > Therefore it can be used to shut down remote containers
  > By default only the user running the container can shut it down (the service performs 'self' authorization: the caller must present the same identity as the container's own credential)
  > This can be customized
- Shutdown modes
  > 'hard': calls exit() explicitly
  > 'soft' (default): lets the threads, etc. die naturally

Starting The Container (detached)
- Unix/Linux only
- To start the container:
  $G_L/sbin/globus-start-container-detached
- The container starts in the background with
  > Output redirected to $G_L/var/container.log
  > The process id of the container stored in $G_L/var/container.pid
- The program accepts the same options as the regular globus-start-container
- The container can be stopped via the regular globus-stop-container

Stopping The Container (detached)
- Unix/Linux only
- To stop the container:
  $G_L/sbin/globus-stop-container-detached
- Reads $G_L/var/container.pid and kills the process
  > Therefore it can only stop a locally running container

Container Hostname/IP
- By default the container:
  > Binds to all network interfaces
  > Performs a DNS lookup to determine the host name published in service URLs
- To skip the DNS lookup (an IP address is then published instead of a host name), add in the main WSDD configuration file:
  <parameter name="disableDNS" value="true"/>
- To specify a different hostname:
  > Add <parameter name="logicalHost" value="<value>"/> in the main WSDD configuration file, or
  > Set the GLOBUS_HOSTNAME environment variable
- Proxy support
  > The container runs locally on port A but publishes service URLs with port B (e.g. behind a port-forwarding front end)
  > To enable proxy support:
    setenv GLOBUS_OPTIONS -Dorg.globus.wsrf.proxy.port=<port>

Service Deployment
- Adds new services to the container using GAR files
- GAR
  > A zip file with a certain directory structure and naming
  > Contains service code, WSDL, documentation, etc.
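The usageStatisticsTargets, disableDNS and logicalHost options above all live as <parameter> elements in the <globalConfiguration> section of the main WSDD file. The following Python script is an added example (not part of these slides or of the Globus Toolkit) that reads, sets and removes those parameters with the standard library's XML parser, so the change can be scripted and checked instead of hand-edited. The embedded SAMPLE_WSDD is a constructed, minimal stand-in for server-config.wsdd (a real file also declares services, handlers and type mappings, which the functions leave untouched), and the host name passed to harden_wsdd() is a placeholder.

```python
"""Scripted edits of <globalConfiguration> parameters in a GT4 server-config.wsdd.

Added example, not Globus Toolkit code. Works on the Axis WSDD namespace
(http://xml.apache.org/axis/wsdd/) that server-config.wsdd uses.
"""
import sys
import xml.etree.ElementTree as ET

WSDD_NS = "http://xml.apache.org/axis/wsdd/"
# Keep the file's default namespace and Axis's "java" provider prefix when re-serialising
ET.register_namespace("", WSDD_NS)
ET.register_namespace("java", WSDD_NS + "providers/java")

# Constructed, minimal stand-in for $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd
SAMPLE_WSDD = """<deployment name="defaultServerConfig"
    xmlns="http://xml.apache.org/axis/wsdd/"
    xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <globalConfiguration>
    <parameter name="containerSecDesc"
               value="etc/globus_wsrf_core/global_security_descriptor.xml"/>
    <parameter name="usageStatisticsTargets" value="usage-stats.globus.org:4810"/>
  </globalConfiguration>
</deployment>
"""


def _global_config(root: ET.Element) -> ET.Element:
    gc = root.find(f"{{{WSDD_NS}}}globalConfiguration")
    if gc is None:
        raise ValueError("WSDD has no <globalConfiguration> element")
    return gc


def _params(gc: ET.Element, name: str):
    """All <parameter> children of <globalConfiguration> carrying this name."""
    return [p for p in gc.findall(f"{{{WSDD_NS}}}parameter") if p.get("name") == name]


def get_global_parameter(wsdd_xml: str, name: str):
    """Return the parameter's value, or None when it is absent (removed or commented out)."""
    found = _params(_global_config(ET.fromstring(wsdd_xml)), name)
    return found[0].get("value") if found else None


def set_global_parameter(wsdd_xml: str, name: str, value: str) -> str:
    """Set (or add) <parameter name=... value=.../> and return the new document text."""
    root = ET.fromstring(wsdd_xml)
    gc = _global_config(root)
    found = _params(gc, name)
    if found:
        found[0].set("value", value)
    else:
        ET.SubElement(gc, f"{{{WSDD_NS}}}parameter", {"name": name, "value": value})
    return ET.tostring(root, encoding="unicode")


def remove_global_parameter(wsdd_xml: str, name: str) -> str:
    """Drop every <parameter> with this name; for usageStatisticsTargets that disables reporting."""
    root = ET.fromstring(wsdd_xml)
    gc = _global_config(root)
    for p in _params(gc, name):
        gc.remove(p)
    return ET.tostring(root, encoding="unicode")


def harden_wsdd(wsdd_xml: str, logical_host: str) -> str:
    """Opt out of usage statistics and pin the host name published in service URLs."""
    out = remove_global_parameter(wsdd_xml, "usageStatisticsTargets")
    return set_global_parameter(out, "logicalHost", logical_host)


if __name__ == "__main__":
    # Usage: python wsdd_params.py <server-config.wsdd> <logical host>
    # With no arguments the constructed sample is used instead of a real file.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(harden_wsdd(fh.read(), sys.argv[2]))
    else:
        print(harden_wsdd(SAMPLE_WSDD, "grid.example.org"))
```

Two caveats before pointing this at a live file: ElementTree discards XML comments on parse, so a parameter that was merely commented out disappears from the rewritten text, and ET.tostring() does not emit the leading <?xml ...?> declaration. Write the result to a scratch file and diff it against the original before replacing server-config.wsdd, and remember the container must be restarted for the change to take effect.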
Service Deployment (cont.)
- The container must be off
- To deploy:
  $G_L/bin/globus-deploy-gar <gar file>
  > Optionally deploy into a specific profile via the '-profile' argument
  > Example:
    $G_L/bin/globus-deploy-gar /tmp/foo-1.gar -profile bar

Service Undeployment
- Removes services from the container
  > Files are actually removed, for all profiles of the service
- The container must be off
- To undeploy:
  $G_L/bin/globus-undeploy-gar <gar id>
  > <gar id> is the gar filename without the .gar extension
  > For example (using the previous example):
    $G_L/bin/globus-undeploy-gar foo-1

Tomcat Deployment
- Tomcat 4.1.x and 5.0.x are supported
- Non-direct service deployment
  > GARs must first be deployed into a separate GT installation
  > That GT installation is then deployed into Tomcat
- To deploy a GT installation into Tomcat:
  cd $GLOBUS_LOCATION
  ant -f share/globus_wsrf_common/tomcat/tomcat.xml deploySecureTomcat -Dtomcat.dir=<tomcat.dir>
- Warning: not all GT4 services have been tested in Tomcat

Tomcat Configuration
- Needs to be done only once
- Update the $TOMCAT_DIR/conf/server.xml file with
  > an HTTPS Connector
  > an HTTPS Valve
- The connector uses the same container cert/key and the trusted CA directory from /etc/grid-security; attribute values must be delimited with plain ASCII double quotes

Tomcat 4.1.x: HTTPS Connector
- Add under the <Service> section:

  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" authenticate="true" acceptCount="10"
             debug="1" scheme="https" secure="true">
    <Factory className="org.globus.tomcat.catalina.net.HTTPSServerSocketFactory"
             cert="/etc/grid-security/containercert.pem"
             key="/etc/grid-security/containerkey.pem"
             cacertdir="/etc/grid-security/certificates"/>
  </Connector>

Tomcat 4.1.x: HTTPS Valve
- Add under the <Engine> section:

  <Valve className="org.globus.tomcat.catalina.valves.HTTPSValve"/>

Tomcat 5.0.x: HTTPS Connector
- Add under the <Service> section:

  <Connector className="org.globus.tomcat.coyote.net.HTTPSConnector"
             port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true" acceptCount="100"
             debug="0" scheme="https"
             cert="/etc/grid-security/containercert.pem"
             key="/etc/grid-security/containerkey.pem"
             cacertdir="/etc/grid-security/certificates"/>

Tomcat 5.0.x: HTTPS Valve
- Add under the <Engine> section:

  <Valve className="org.globus.tomcat.coyote.valves.HTTPSValve"/>
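The standalone container and the Tomcat connectors above both depend on the same files under /etc/grid-security: the container cert and key named by the security descriptor, and the gridmap file that the default authorization consults. The following Python script is an added example (not part of these slides or of the Globus Toolkit) of the checks an operator wants before starting either: the files exist, the private key is not group- or world-readable and is owned by the account the container runs as, and the gridmap parses and maps at least one subject. It also reimplements the gridmap lookup ("<DN>" followed by one or more comma-separated local accounts; '#' lines and blank lines ignored) so a subject DN can be tested against the file before a client is turned away. The SAMPLE_GRIDMAP text is constructed, and the toolkit's own GridMap class normalizes DNs before matching in ways this exact-match lookup does not reproduce, so treat a miss here as "check the file", not as proof of what the container would decide.

```python
"""Pre-flight checks for the default GT4 container security descriptor.

Added example, not Globus Toolkit code. Reimplements only the gridmap
'"<DN>" user[,user...]' line format; the toolkit's GridMap class also
normalizes DNs before matching, which is not reproduced here.
"""
import os
import stat
import sys
from typing import Dict, List, Optional

# Constructed gridmap content, not a real site's /etc/grid-security/gridmap-file
SAMPLE_GRIDMAP = """# subject DN in double quotes, then one or more local accounts separated by commas
"/O=Grid/OU=Example/CN=Alice Example" alice
"/O=Grid/OU=Example/CN=Bob Example" bob,gridops

"""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each quoted subject DN to its local accounts; blank and '#' lines are skipped."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"gridmap line {lineno}: subject DN must be double-quoted")
        close = line.find('"', 1)
        if close < 0:
            raise ValueError(f"gridmap line {lineno}: unterminated subject DN")
        dn = line[1:close]
        users = [u.strip() for u in line[close + 1:].split(",") if u.strip()]
        if not users:
            raise ValueError(f"gridmap line {lineno}: no local account for {dn}")
        bucket = mapping.setdefault(dn, [])  # a DN listed twice accumulates accounts
        for user in users:
            if user not in bucket:
                bucket.append(user)
    return mapping


def authorize(mapping: Dict[str, List[str]], subject_dn: str) -> Optional[str]:
    """Gridmap authorization: an unlisted DN is denied (None); otherwise the first account."""
    users = mapping.get(subject_dn.strip())
    return users[0] if users else None


def private_key_mode_ok(mode: int) -> bool:
    """containerkey.pem must carry no group/other permission bits (0600 or 0400)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def preflight(cert_file: str, key_file: str, gridmap_file: str,
              expected_uid: Optional[int] = None) -> List[str]:
    """Return the problems found; an empty list means the container can be started."""
    problems: List[str] = []
    for label, path in (("cert-file", cert_file), ("key-file", key_file), ("gridmap", gridmap_file)):
        if not os.path.isfile(path):
            problems.append(f"{label} missing: {path}")
    if os.path.isfile(key_file):
        st = os.stat(key_file)
        if not private_key_mode_ok(st.st_mode):
            problems.append(f"key-file {key_file} is group/world accessible "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append(f"key-file {key_file} is owned by uid {st.st_uid}, "
                            f"but the container runs as uid {expected_uid}")
    if os.path.isfile(gridmap_file):
        try:
            with open(gridmap_file, encoding="utf-8") as fh:
                if not parse_gridmap(fh.read()):
                    problems.append(f"gridmap {gridmap_file} maps no subjects: every client is denied")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Paths are the descriptor defaults; pass subject DNs as arguments to test them
    cert = "/etc/grid-security/containercert.pem"
    key = "/etc/grid-security/containerkey.pem"
    gridmap = "/etc/grid-security/gridmap-file"
    for problem in preflight(cert, key, gridmap, expected_uid=os.getuid()):
        print("PROBLEM:", problem)
    if os.path.isfile(gridmap):
        with open(gridmap, encoding="utf-8") as fh:
            mapping = parse_gridmap(fh.read())
    else:
        mapping = parse_gridmap(SAMPLE_GRIDMAP)  # fall back to the constructed sample
    for dn in sys.argv[1:] or ["/O=Grid/OU=Example/CN=Alice Example", "/O=Grid/OU=Example/CN=Mallory"]:
        print(dn, "->", authorize(mapping, dn) or "DENIED")
```

Run it as the account that will start the container (or pass that account's uid), since a key readable by the group or by everyone lets any local user impersonate the container, and a key owned by someone else usually means the container will fail to read it with '-nosec' off. The empty-gridmap check is there because the descriptor's gridmap authorization is default-deny: a missing or empty file does not open the container up, it shuts every client out.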