User:Kssheth
From UnccVisualGrid
First of all getting Certificates
The first step in getting certificates is that root must add the user who wants certificates for using the grid. You can do that with:
>useradd username
>passwd username
After this, change to username and then do the following:-
>grid-cert-request
This first asks for the name to put in the certificate (e.g. John Smith) and then for a passphrase protecting the user's private key; enter it and remember it. When this step is over the directory /home/username/.globus has been created with three files in it: usercert_request.pem (the certificate request that has to be signed), usercert.pem (a placeholder that is filled in once the request is signed) and userkey.pem (the private key, which must stay readable by this user only).
After this, the following steps get the request signed by the SimpleCA.
>cp /home/username/.globus/usercert_request.pem /tmp
Then you need to change to the globus user, as it has the rights for signing certificates. The signed certificate then replaces the placeholder usercert.pem in the user's .globus directory:
>su globus
>cd /tmp
>grid-ca-sign -in usercert_request.pem -out signed.pem
>exit (back to the user)
>cp /tmp/signed.pem /home/username/.globus/usercert.pem
-------------now user has a certificate--------------
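As an added example (not from the original page or the Globus Toolkit), the following POSIX shell check verifies that the user's credential files exist in the .globus directory and are not exposed to other users before grid-proxy-init is attempted. The permission rules it enforces (owner-only private key, certificate not writable by group or others) are an assumption stated here, and the directory it demonstrates on is constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not from the original page or the Globus Toolkit): verify that a
# user's credential files exist and carry safe permissions before grid-proxy-init
# is run. Assumption stated here, not on the page: userkey.pem must be readable by
# its owner only, and usercert.pem must not be writable by group or others.

# Portable permission string, e.g. "-rw-------".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_globus_dir DIR -> one OK/FAIL line per file; returns 0 only if all pass.
check_globus_dir() {
    dir="$1"
    status=0
    for f in usercert.pem userkey.pem; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "FAIL: $path is missing"
            status=1
            continue
        fi
        p=$(perm_string "$path")
        case "$f" in
            userkey.pem)
                # chars 5-10 are the group/other bits; all of them must be '-'
                case "$p" in
                    -r??------) echo "OK:   $path ($p)" ;;
                    *) echo "FAIL: $path ($p) readable by group/others; run: chmod 600 $path"; status=1 ;;
                esac ;;
            usercert.pem)
                # char 6 (group write) and char 9 (other write) must be '-'
                case "$p" in
                    -????-??-?) echo "OK:   $path ($p)" ;;
                    *) echo "FAIL: $path ($p) writable by group/others; run: chmod 644 $path"; status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# Demonstration on a constructed directory: a world-readable key, then the fix.
demo() {
    d=$(mktemp -d)
    echo "constructed certificate" > "$d/usercert.pem"; chmod 644 "$d/usercert.pem"
    echo "constructed private key" > "$d/userkey.pem";  chmod 644 "$d/userkey.pem"
    check_globus_dir "$d" || echo "-- fix the failures above, then re-run"
    chmod 600 "$d/userkey.pem"
    check_globus_dir "$d"
    rm -rf "$d"
}

# Usage on a real host: check_globus_dir /home/username/.globus
demo
```

Run it as the grid user after the cp step above; a FAIL line for userkey.pem means the key can be read by other accounts on the machine and should be fixed before any proxy is created from it.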
Getting proxy credentials
Now you need to get proxy credentials.
>grid-proxy-init
You will be asked for the passphrase (the one chosen during grid-cert-request). Enter it. Once you have a proxy you need to check that you can run a job; the command below submits the test job that ships with Globus:
>globusrun-ws -submit -F localhost:8440 -f $GLOBUS_LOCATION/test/globus_wsrf_gram_service_java_test_unit/test.xml
-------------now user has a proxy-------------------
Getting MyProxy credentials and verifying the proxy
MyProxy is a server that stores credentials for users, so you don't have to keep the certificates on every computer. For example, if you now want to submit a job at coit-grid02 you would need to copy usercert.pem and userkey.pem to the .globus directory on 02. Instead you could just retrieve the credentials from a MyProxy server. However, I don't know how to do this from the command line, but it is possible.
So on 01, to put the credentials in the 01 MyProxy server, type on 01 (from Grid Documentation -- Configuring MyProxy):
>myproxy-init -l user -s coit-grid01.uncc.edu
---------------user now has credentials in coit-grid01.uncc.edu---------
Configuring NIS SERVER AND CLIENT (NIS:-NETWORK INFORMATION SERVICE)
Why to use NIS
NIS enables you to create user accounts that can be shared across all systems on your network. The user account is created only on the NIS server. NIS clients download the necessary username and password data from the NIS server to verify each user login.
An advantage of the NIS is that users need to change their passwords on the NIS server only, instead of every system on the network. This makes NIS popular in computer training labs, distributed software development projects or any other situation where groups of people have to share many different computers.
The disadvantages are that NIS does not encrypt the username and password information sent to the clients with each login, and that all users can read the hashed passwords stored on the NIS server (any client can list them with ypcat passwd). So one must restrict its use to highly secure networks, or to networks where access from non-NIS networks is highly restricted.
So I am assuming that you already have NIS installed and just need to configure the NIS server and client. The source from which I configured the NIS server and client is as follows:- [[1]]
Configuring NIS Server
The first step is to edit your /etc/sysconfig/network file:- add the NIS domain you wish to use.
- /etc/sysconfig/network
NISDOMAIN="NIS-COIT-DOMAIN"
Edit your /etc/yp.conf file:- NIS servers also have to be NIS clients themselves, so you'll have to edit the NIS client configuration file /etc/yp.conf to list the domain's NIS server as being the server itself, or localhost.
- /etc/yp.conf -ypbind configuration file
ypserver 127.0.0.1
Start the Key NIS Server Related Daemons
Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot.
>service portmap start
Starting portmapper:[OK]
If you get "command not found", the service and portmap commands live in /sbin; add that directory to the PATH set in /etc/profile and it will work. Otherwise you will receive the message Starting portmapper: [OK].
>service yppasswdd start
Starting YP passwd service: [OK]
>service ypserv start
Setting NIS domain name NIS-COIT-DOMAIN:[OK]
Starting YP server services: [OK]
>chkconfig portmap on
>chkconfig yppasswdd on
>chkconfig ypserv on
Make sure they are all running before continuing to the next step. You can use the rpcinfo command to do this.
>rpcinfo -p localhost
After you issue this command you get, for each registered daemon, its RPC program number, version, protocol and the port on which it is running. The ypbind and ypxfrd daemons won't start properly until after you initialize the NIS domain; you start these daemons after initialization is completed.
Initialize Your NIS Domain
>/usr/lib/yp/ypinit -m
After you issue this command it will give you the below mentioned output:- At this point, we have to construct a list of the hosts which will run NIS servers. <Domain name> is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a <control D>.
Then you can continue adding the names of the hosts you wish to add. After going through the instructions that follow this command, your NIS master server is set up. Note:- Make sure portmap is running before trying this step or you'll get errors such as:
failed to send 'clear' to local ypserv: RPC: Port mapper failure
Updating group.bygid...
You will have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap, yppasswd and ypserv before you'll be able to do this again successfully.
Start the ypbind and ypxfrd Daemons
You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been created.
>service ypbind start
>service ypxfrd start
>chkconfig ypbind on
>chkconfig ypxfrd on
Make sure the Daemons are running
You can make sure by running the rpcinfo command again, as above, to check that all the daemons are registered and running correctly.
>rpcinfo -p localhost
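The page repeatedly says to "make sure they are all running" with rpcinfo. As an added example (not from the original page), the shell functions below parse the output of rpcinfo -p and name any required NIS service that is not registered with the portmapper, so the check can be scripted rather than read by eye. The rpcinfo output they run on here is constructed, and the expectation that ypxfrd appears under the RPC service name fypxfrd is an assumption based on how rpcinfo reports it on typical Linux systems.

```shell
#!/bin/sh
# Added example, not from the original page: parse "rpcinfo -p" output and report
# which NIS-related RPC services are not registered with the portmapper.
# Assumption: ypxfrd shows up under the RPC name "fypxfrd" in rpcinfo's service column.

NIS_SERVER_SERVICES="portmapper ypserv yppasswdd ypbind fypxfrd"
NIS_CLIENT_SERVICES="portmapper ypbind yppasswdd"

# Constructed rpcinfo -p output for a server before "ypinit -m" (no ypbind/ypxfrd yet).
SAMPLE_RPCINFO_BEFORE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    2   tcp    837  ypserv
    100009    1   udp    651  yppasswdd'

# Constructed output after ypinit, ypbind and ypxfrd have been started.
SAMPLE_RPCINFO_AFTER="$SAMPLE_RPCINFO_BEFORE
    100007    2   udp    839  ypbind
    100007    2   tcp    842  ypbind
 600100069    1   udp    843  fypxfrd"

# missing_services "svc list" < rpcinfo_output -> prints one line per missing service
missing_services() {
    # the service name is the 5th column; the header line has only 4 fields
    registered=$(awk 'NF >= 5 { print $5 }' | sort -u)
    for svc in $1; do
        echo "$registered" | grep -qx "$svc" || echo "$svc"
    done
}

# check_rpc_services "svc list" < rpcinfo_output -> 0 if everything required is registered
check_rpc_services() {
    missing=$(missing_services "$1")
    if [ -n "$missing" ]; then
        echo "Not registered with portmap:" $missing
        return 1
    fi
    echo "All required RPC services are registered."
}

# Usage on a live host:   rpcinfo -p localhost | check_rpc_services "$NIS_SERVER_SERVICES"
# (use "$NIS_CLIENT_SERVICES" on a client). Demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_RPCINFO_BEFORE" | check_rpc_services "$NIS_SERVER_SERVICES"
printf '%s\n' "$SAMPLE_RPCINFO_AFTER"  | check_rpc_services "$NIS_SERVER_SERVICES"
```

The first run reports ypbind and fypxfrd as missing, which is exactly the state the page describes between ypserv starting and ypinit completing; the second run passes.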
Adding New NIS Users
>useradd -g users nisuser
>passwd nisuser
>cd /var/yp
>make
You can check to see if the user's authentication information has been updated by using the ypmatch command, which should return the user's encrypted password string.
>ypmatch nisuser passwd
You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn't show the encrypted password when run on an NIS server; it just shows the user's entry from the /etc/passwd file. On an NIS client the results are identical, with both showing the encrypted password.
>getent passwd nisuser
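The ypmatch output above, and the disadvantage noted in the "Why to use NIS" section, both come down to the same fact: whatever is in the passwd map's password field is readable from every client. As an added example (not from the original page), the shell audit below reads a passwd map in ypcat passwd format and reports every account whose hash is exposed, as well as accounts with an empty password field; entries that carry only x, * or ! are shadowed or locked and are left alone. The map it runs on is constructed and the hash strings in it are not real.

```shell
#!/bin/sh
# Added example, not from the original page: audit a NIS passwd map (the output of
# "ypcat passwd") for password hashes that every client on the network can read.
# The sample map below is constructed; the hash strings are not real credentials.

SAMPLE_YPCAT_PASSWD='nisuser:$1$xyzsalt$CONSTRUCTEDHASHVALUE00000:1001:100:NIS User:/home/nisuser:/bin/bash
olduser:ab0123456789X:1002:100:Legacy DES hash:/home/olduser:/bin/bash
svcacct:x:1003:100:Shadowed account:/home/svcacct:/sbin/nologin
locked:!:1004:100:Locked account:/home/locked:/bin/bash
nopass::1005:100:Empty password field:/home/nopass:/bin/bash'

# audit_passwd_map < map -> one finding per line; no output means nothing is exposed
audit_passwd_map() {
    awk -F: 'NF >= 7 {
        if ($2 == "")        { print $1 ": EMPTY password field, login needs no password"; next }
        if ($2 ~ /^[x*!]+$/) { next }   # "x", "*", "!" ...: shadowed or locked, nothing to crack
        print $1 ": hash exposed to every NIS client (" substr($2, 1, 3) "...)"
    }'
}

# count_findings PATTERN < map -> number of findings whose text matches PATTERN
count_findings() {
    audit_passwd_map | grep -c "$1" || true
}

# Usage on a live client or server:   ypcat passwd | audit_passwd_map
# Demonstration on the constructed map:
printf '%s\n' "$SAMPLE_YPCAT_PASSWD" | audit_passwd_map
```

On the sample this flags nisuser and olduser (hash exposed) and nopass (empty field) while ignoring svcacct and locked. Where this matters, the usual mitigations in ypserv are to keep the hashes out of the passwd map by serving a shadow map instead, and to list in /var/yp/securenets which networks may query the server at all.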
Configuring the NIS Client
After the NIS Server is configured, it's time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.
Run authconfig
The authconfig program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.
>authconfig
Once finished it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.
#/etc/yp.conf -ypbind configuration file
domain NIS-COIT-DOMAIN server <IP address>
#/etc/sysconfig/network
NISDOMAIN="NIS-COIT-DOMAIN"
In addition the authconfig program updates the /etc/nsswitch.conf file, which lists the order in which data sources such as DNS, LDAP and NIS should be searched for name lookups. Here you can see where NIS entries were added for the important login files.
#/etc/nsswitch.conf
Start the NIS client Related Daemons
Start the ypbind NIS client, yppasswdd and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.
>service portmap start
>service ypbind start
>service yppasswdd start
>chkconfig ypbind on
>chkconfig portmap on
>chkconfig yppasswdd on
>rpcinfo -p localhost
Verify Name Resolution
As the configuration examples refer to the NIS client and server by their hostnames, you'll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file.
#/etc/hosts (NIS Client)
<ipaddress> servername
#/etc/hosts (NIS Server)
<ipaddress> clientname
Test NIS Access to the NIS Server
You can run the ypcat, ypmatch and getent commands to make sure communication to the server is correct.
>ypcat passwd
>ypmatch nisuser passwd
>getent passwd nisuser
Test logins via The NIS server
Once your basic NIS functionality testing is complete, test a remote login. Failures in this area could be due to firewalls blocking telnet or SSH access, or to the telnet or SSH server processes not being started on the clients.
Logging in Via Telnet
Try logging into the NIS client via telnet if it is enabled (telnet sends the password in clear text, so prefer SSH where it is available):
>telnet <client ip address>
Logging in Via SSH
Try logging into the NIS client via SSH.
>ssh -l username <ip address client>
In some versions of Linux the NIS client's SSH daemon doesn't re-read the /etc/nsswitch.conf file you just modified until SSH is restarted. SSH logins, therefore, won't query the NIS server until this is done. Restart SSH on the NIS client.
>service sshd restart
How to backup data in MySQL
For backing up and restoring one or more databases inside MySQL, the following links give a good understanding of how to do it:
http://www.devshed.com/c/a/MySQL/Backing-up-and-restoring-your-MySQL-Database/
http://stanxterm.aecom.yu.edu/wiki/index.php?page=MySQL_backups
And some more of them are as follows:-
http://dev.mysql.com/doc/mysql/en/backup.html
http://builder.com.com/5100-6388-5259660.html
http://www.macosx.com/articles/backing-up-and-restoring-your-mysql-database.html
In one command:
mysqldump -u [username] -p[password] [databasename] > [backupfile.sql]
There must be no space between -p and the password: with a space, mysqldump takes [password] as the database name and prompts for the password instead. Better still, give -p on its own and type the password at the prompt, since a password on the command line is visible to every user in ps and is kept in the shell history.
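As an added example (not from the original page or from the MySQL documentation linked above), the following shell functions run the same backup without the password ever appearing on the command line: the credentials go into a [client] options file created with mode 0600, and mysqldump reads it through --defaults-extra-file, which has to be the first option. The user name, password and file paths are constructed, and the demonstration does not contact a database server.

```shell
#!/bin/sh
# Added example, not from the original page: run mysqldump without putting the
# password on the command line. Credentials go into a [client] options file that only
# the owner can read, and mysqldump reads it via --defaults-extra-file (which must be
# the first option). The user, password and paths below are constructed.

# write_client_cnf PATH USER PASSWORD -> creates PATH with mode 0600 holding the credentials
write_client_cnf() {
    cnf="$1"
    (
        umask 077   # the new file is created owner-only; the caller's umask is untouched
        printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$cnf"
    )
}

# cnf_is_private PATH -> 0 if nobody but the owner can read the credentials file
cnf_is_private() {
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_command CNF DB OUTFILE -> prints the command that will run; no secret appears in it
backup_command() {
    printf 'mysqldump --defaults-extra-file=%s %s > %s\n' "$1" "$2" "$3"
}

# run_backup CNF DB OUTFILE -> refuses to run if the credentials file is readable by others
run_backup() {
    cnf_is_private "$1" || { echo "refusing: $1 is readable by other users" >&2; return 1; }
    mysqldump --defaults-extra-file="$1" "$2" > "$3"
}

# Demonstration with constructed values (does not contact a database server).
demo() {
    d=$(mktemp -d)
    write_client_cnf "$d/backup.cnf" backupuser 'constructed-password'
    ls -l "$d/backup.cnf"
    backup_command "$d/backup.cnf" gridsphere "$d/gridsphere.sql"
    rm -rf "$d"
}
demo
```

On a real host, call write_client_cnf once as the account that will run the backups and then run_backup from cron; the refusal in run_backup catches the common mistake of later loosening the file's permissions.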
Converting tomcat container from http to https i.e. making it secure
I searched on this topic for making Tomcat a secure container so that the passwords entered when logging in travel encrypted rather than as plain text. I referred to many websites, but the major ones are as follows:-
http://www.dga.co.uk/customer/publicdo.nsf/Lookup-howtos/2B4063F90912CC5D85256CB00007888B!OpenDocument
http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html
These two websites gave me a clear picture of how to make the Tomcat container secure. Refer to them for a detailed explanation of why you need SSL/https, or read on here: I am not explaining things in detail, only the steps and the errors I ran into while making this work.
To install and configure SSL support on Tomcat 5, you need to follow these simple steps:-
1) If you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from http://java.sun.com/products/jsse/ and either make it an installed extension on the system, or else set an environment variable JSSE_HOME that points at the directory into which you installed JSSE.
2)Create a certificate keystore by executing the following command:
Windows: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
Unix: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
and specify a password value of "changeit".
3)Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_HOME/conf/server.xml and tweak as necessary.
By doing these steps you make your Tomcat container secure. To confirm it is working, restart Tomcat with the command
>$CATALINA_HOME/ogce2-2.0.1/./portal-tomcat-startup.sh
Then try to open https://coit-grid04.uncc.edu:8443/gridsphere. The browser asks you to accept the certificate, and you need to accept it to open the page. If you cannot open the page and get the message Page cannot be Displayed, look in the logs directory of the Apache Tomcat installation and open the latest catalina.out log file to check what the error is. Some of the errors I got while doing this are as under:-
org.apache.coyote.http11.Http11BaseProtocol init SEVERE: Error initializing endpoint java.net.BindException: Address already in use:8080
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:297)
at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Then I realised that every time the page was not displayed I had restarted Tomcat without shutting it down, so ports 8080 and 8443 were not free but still in use. So I then shut down every process.
>$CATALINA_HOME/ogce2-2.0.1/./portal-tomcat-shutdown.sh
And then I tried to open the URL https://coit-grid04.uncc.edu:8443. It successfully asked me to trust the certificate and I accepted the certificate and was able to open the page.
Now for redirecting from http to https
You may be wondering whether you have to type https://coit-grid04.uncc.edu:8443/gridsphere explicitly to use the secure connector. Instead we want a plain http://coit-grid04.uncc.edu:8080/gridsphere request to be redirected to https automatically. How is this possible?
To accomplish that you need to edit the web.xml file located in the /home/tomcat/ogce2-2.0.1/portal_deploy/apache-tomcat-5.5.12/webapps/gridsphere/WEB-INF directory and add a security-constraint element at the end, as follows:-
<security-constraint>
<web-resource-collection>
<web-resource-name>gridsphere</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So now if you give the URL http://coit-grid04.uncc.edu:8080/gridsphere it will automatically redirect to https://coit-grid04.uncc.edu:8443/gridsphere (Tomcat redirects to the port named in the 8080 connector's redirectPort attribute, which is 8443 in the default server.xml).
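It is easy to add the constraint to the wrong web.xml or to leave the transport-guarantee at NONE or INTEGRAL, in which case logins silently keep going over plain http. As an added example (not from the original page or from GridSphere), the shell check below reads a web.xml and reports whether some security-constraint covers /* with a CONFIDENTIAL guarantee. The three web.xml fragments it is run against are constructed; the weak one differs only in asking for INTEGRAL.

```shell
#!/bin/sh
# Added example, not from the original page or GridSphere: check whether a web.xml
# contains a <security-constraint> that forces HTTPS (transport-guarantee CONFIDENTIAL)
# for every URL (/*). All three web.xml fragments below are constructed.

# No constraint at all; the /* here is a servlet mapping and must not count.
WEBXML_BEFORE='<web-app>
  <servlet-mapping><servlet-name>gs</servlet-name><url-pattern>/*</url-pattern></servlet-mapping>
</web-app>'

# The constraint the page adds.
WEBXML_AFTER='<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>gridsphere</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>'

# Same constraint but only INTEGRAL: no confidentiality, so it must not pass.
WEBXML_WEAK=$(printf '%s\n' "$WEBXML_AFTER" | sed 's/CONFIDENTIAL/INTEGRAL/')

# requires_https < web.xml -> 0 if some constraint covers /* with CONFIDENTIAL, else 1
requires_https() {
    awk '
        /<security-constraint>/  { inblock = 1; all = 0; conf = 0 }
        inblock && /<url-pattern>[ \t]*\/\*[ \t]*<\/url-pattern>/                          { all = 1 }
        inblock && /<transport-guarantee>[ \t]*CONFIDENTIAL[ \t]*<\/transport-guarantee>/  { conf = 1 }
        /<\/security-constraint>/ { if (inblock && all && conf) found = 1; inblock = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# report NAME XML -> one human-readable line per fragment
report() {
    if printf '%s\n' "$2" | requires_https; then
        echo "$1: HTTPS is enforced for /*"
    else
        echo "$1: no CONFIDENTIAL constraint covering /*"
    fi
}

# Usage on the server:
#   requires_https < .../webapps/gridsphere/WEB-INF/web.xml && echo "HTTPS enforced"
report BEFORE "$WEBXML_BEFORE"
report WEAK   "$WEBXML_WEAK"
report AFTER  "$WEBXML_AFTER"
```

On the live server the end-to-end confirmation is that curl -sI http://coit-grid04.uncc.edu:8080/gridsphere/ returns a 302 whose Location header points at https://coit-grid04.uncc.edu:8443/gridsphere/; the file check above tells you why when it does not.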
Converting tomcat container from http to https i.e. making it secure by installing the signed Certificate request from trusted authority
The earlier step explains how to make your Tomcat container secure by generating a self-signed certificate. But if you want to install a certificate signed by a trusted authority, so that your site is secure and trusted by the end users, you need to follow the steps below. For our particular application I did all of this as the user tomcat. I don't know if the user matters.
1) Create a local Certificate Signing Request(CSR)
In order to obtain a Certificate from the trusted Certificate Authority of your choice you have to create a Certificate Signing Request(CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". To create the CSR follow these steps:-
Create a local certificate (as shown in the previous step):
$ su tomcat
$ keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>
Here your_keystore_filename means the location of the .keystore file. For us it is /home/tomcat/.keystore. On executing this you will be asked for the keystore password and for information about the certificate, such as the name of the organization. Enter the information correctly.
After this you need to create a CSR on the basis of the keystore created. The CSR is created with:-
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>
The file certreq.csr is created in the directory where you run the command. Now you need to send certreq.csr to the trusted Certificate Authority who is supposed to sign the request. You can, for example, transfer it to Windows using WinSCP and then send it to the trusted authority.
After this the trusted Certificate Authority will verify the request and its source, sign the CSR and send the signed certificate to you. For us they sent three files: the ROOT certificate, the Chain (intermediate) certificate, and the signed certificate pertaining to the CSR.
You need to install each certificate properly and in sequence: the ROOT certificate first, then the chain certificate, and finally your own signed certificate, imported under the same alias (tomcat) as the key pair it belongs to. You can do this using the following commands:-
$ keytool -import -alias root -keystore /home/tomcat/.keystore -trustcacerts -file /home/tomcat/GTECyberTrustGlobalRoot.crt
$ keytool -import -alias chain -keystore /home/tomcat/.keystore -trustcacerts -file /home/tomcat/ComodoSecurityServicesCA.crt
$ keytool -import -alias tomcat -keystore /home/tomcat/.keystore -trustcacerts -file /home/tomcat/STAR_uncc_edu.crt
After executing these in sequence you will see the message that the certificate was installed successfully. You also need to make one change in one file for this to work: add one attribute to the 8443 Connector element in the server.xml file located in the conf directory of Apache Tomcat:-
SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
And then you will be able to do this.

