Assuming Bash shell

A) To Configure Servers

STEP1) Your first step is to populate the SAZDB.

  Start the mysql daemon by logging in as root and running
  % /etc/init.d/mysqld start

  Then populate the database by
  % cd saz/setup
  % ./createDB.sh

-----------------------------------------------------------------
Please NOTE that your initial password for connecting to the SAZDB
is '12345' and the userid is sazdbuser. You will need this password
as the first argument when starting the SAZServer or AIServer.

This default is printed in this README, so change it before the
servers are reachable by anyone else. You can change it with
standard mysql commands, for example
  GRANT ALL ON SAZDB.* TO sazdbuser@localhost IDENTIFIED BY 'your_new_password';
and then start the servers with the new password.

If the server reports an "access denied to datasource" error, your
mysql server is not yet configured to allow user sazdbuser to connect
from the host the server runs on with that password. Try granting
access for your full hostname instead:
  GRANT ALL ON SAZDB.* TO sazdbuser@yourfullhostname IDENTIFIED BY '12345';
-----------------------------------------------------------------
Step2) Your second step is to change the csLogin.conf file in
conf/csLogin.conf. Change the AIServer principal to your full
hostname. For example, if your hostname is tam01.fnal.gov then
  principal="host/tam01.fnal.gov@FNAL.GOV";
-----------------------------------------------------------------
Step3) Your third step is to change the conf files saz.conf and
sazc.conf. The SAZServer reads saz.conf; make your changes in this
file before starting the SAZServer. sazc.conf is read by the
SAZClient. Change SAZ_SERVER_HOST, SAZ_SERVER_PORT and SAZ_SERVER_DN
to the hostname and port number where you are running the SAZServer
and the DN of the SAZServer itself (the identity the client expects
at the other end of the GSS connection), respectively.
-----------------------------------------------------------------
Step4) Your last step is to add your Principal to the SAZDB manually,
so that you are authorized to use AIClient:

  % mysql -p12345
  mysql> use SAZDB;
  mysql> insert into admin (dn,prin,vo,rights)
         values ('null','dane@FNAL.GOV','uscms','add,del,ls,prin,vo,enable,disable');

Change the prin and VO values to your own. The AIServer cannot know
who is authorized to add an admin until an admin is already in the
database, so someone has to be inserted by hand first before AIClient
can be used for normal SQL operations through the AIServer. Note that
a password given on the command line (-p12345) is visible to other
local users in the process list; prefer "mysql -p" and type it at
the prompt.
-----------------------------------------------------------------
B) To compile and check that everything is working

This compile step is not required but is recommended.
  % cd rootDirectoryOfInstall
  % . install/setup.sh
  % gmake

Please note that you need to be in the same directory as this README
file to execute install/setup.sh or gmake. You will also need
vdt1.1.10 or higher installed if you want to test the callout, i.e.
the client that talks to the SAZServer. For instructions on how to
use the callout in the gatekeeper, refer to the bottom of this file.
Note also that you do not need to compile the software: everything is
precompiled into jar files except the callout for the gatekeeper,
which is in C.
-----------------------------------------------------------------
C) To run SAZServer, log in as root
  % cd rootDirectoryOfInstall
  % . install/setup.sh
  % sazserver your_db_connect_password
The database password is passed as a command-line argument and so
stays visible in the process list (ps) for as long as the server
runs; restrict who can log in to the server host accordingly.
-----------------------------------------------------------------
D) To run AIServer, log in as root
  % cd rootDirectoryOfInstall
  % . install/setup.sh
  % aiserver your_db_connect_password
-----------------------------------------------------------------
E) To run SAZClient for testing SAZServer, log in as a normal user
  % grid-proxy-init
  % cd rootDirectoryOfInstall
  % . install/setup.sh
  % sazclient
or
  % sazjclient
-----------------------------------------------------------------
F) To run AIClient, log in as a normal user
  % kinit
  % cd rootDirectoryOfInstall
  % . install/setup.sh
  % aiclient full_host_name_domain_name_AI_Server port_number_of_AI_Server
For example
  aiclient heorot.fnal.gov 9999
-----------------------------------------------------------------
G) To run UIClient, log in as a normal user
  % kinit
  % cd rootDirectoryOfInstall
  % . install/setup.sh
  % uiclient full_host_name_domain_name_AI_Server port_number_of_AI_Server
For example
  uiclient heorot.fnal.gov 9999
-----------------------------------------------------------------
H) To periodically copy the database to a different machine

1) Identify one host as the master host and the others as slave hosts.
2) Create the file /var/lib/mysql/.k5login and add the entry
   host/$masterhostname@FNAL.GOV to it, where $masterhostname is the
   fully qualified name of the master host. For example, if your
   master host is tam02.fnal.gov, the entry in .k5login will be
   host/tam02.fnal.gov@FNAL.GOV. This file lets the master's host
   principal act as the mysql user on the slave, so protect it the
   way you would an authorized_keys file.
3) cd bin
4) Edit prop.sh at lines 2, 3, 6 and 7. Use the FQDN of the master
   host in the master variable. List all the slave hosts, separated
   by blanks, in the sazlist variable. Change the kbin variable to
   point to your kerberos bin directory and mysqlbin to your mysql
   bin directory.
5) Run the script
   % ./prop.sh &
Please note that you have to populate the schema at least once on
each slave host before running this script. To populate the schema,
read the top-most portion of this README file (section A, STEP1).
-----------------------------------------------------------------
I) If you would like to use the gatekeeper that has been modified to
use the authz callout, do the following:

1. Rename globus/sbin/gatekeeper to globus/sbin/gatekeeper.orig
   Rename globus/sbin/gatekeeper.authz to globus/sbin/gatekeeper
2. Copy $PWD/conf/globus-authzmod.conf to /etc/grid-security
   You can edit this file to disable or enable the callout by
   commenting or uncommenting the modules respectively.
3. Back up some globus libraries:
   cd $GLOBUS_LOCATION/lib
   #mv libglobus_gss_assist_gcc32dbg.a libglobus_gss_assist_gcc32dbg.a.old
   mv libglobus_gss_assist_gcc32dbg.so.0.0.0 \
      libglobus_gss_assist_gcc32dbg.so.0.0.0.old
   #mv libglobus_gssapi_gsi_gcc32dbg.a libglobus_gssapi_gsi_gcc32dbg.a.old
   mv libglobus_gssapi_gsi_gcc32dbg.so.0.0.0 \
      libglobus_gssapi_gsi_gcc32dbg.so.0.0.0.old
   (The two .a lines are commented out; step 4 overwrites the static
   libraries, so uncomment them if you want those backed up as well.)
4. Add the authz libraries:
   mv libglobus_gss_assist_gcc32dbg.a.authz libglobus_gss_assist_gcc32dbg.a
   mv libglobus_gss_assist_gcc32dbg.so.0.0.0.authz \
      libglobus_gss_assist_gcc32dbg.so.0.0.0
   mv libglobus_gssapi_gsi_gcc32dbg.a.authz libglobus_gssapi_gsi_gcc32dbg.a
   mv libglobus_gssapi_gsi_gcc32dbg.so.0.0.0.authz \
      libglobus_gssapi_gsi_gcc32dbg.so.0.0.0
5. Add the SAZ library:
   cd -    (back to the SAZ_ROOT directory)
   cp $PWD/lib/libSAZ.so $GLOBUS_LOCATION/lib
6. Add the conf file:
   cp $PWD/conf/sazc.conf /etc/grid-security/
7. See more information at:
   http://zuni.cs.vt.edu/grid-security/globus-authz-mod.html
8. To disable the callout, all you have to do is comment out the
   following line in /etc/grid-security/globus-authzmod.conf:
   #authz SAZ
9. If you want to go back completely to the original gatekeeper,
   stop the gatekeeper, then
   Rename globus/sbin/gatekeeper to globus/sbin/gatekeeper.authz
   Rename globus/sbin/gatekeeper.orig to globus/sbin/gatekeeper
   and start the gatekeeper
   /etc/init.d/xinetd start
-----------------------------------------------------------------
Points to Note

1) When starting the SAZServer, be patient: it fetches all the CRLs
   from the web. If a CRL website is down it can take more than a
   minute to initialize the SAZServer, because the fetch has to time
   out first.
2) If a new CRL file or signing policy is added, you DO NOT have to
   restart the SAZServer for it to take effect.
   The SAZServer re-initializes the CRL list every day.
3) If a CRL file or signing policy is not in the right format, the
   SAZServer simply ignores both of them. Check that a newly dropped
   CRL or signing policy is well-formed, since an ignored CRL means
   the revocations in it are not enforced.
4) If you are prompted for a kerberos password, your krb5 settings
   are not as SAZ requires. Edit your /etc/krb5.conf and change
   ccache_type (in the [libdefaults] section) from 2 to 3. Make sure
   you rebuild your ticket after changing krb5.conf: just kinit again.
-----------------------------------------------------------------
SAZ Client/Server Protocol specification:

PROTOCOL
    Client                             Server
    -->  Connection Established        <--
    -->  Send cert1 of chain
                                       Send "more"                <--
    -->  Send cert2 of chain
                                       Send "more"                <--
    -->  Send cert3 of chain
                                       Send "more"                <--
         . . .
    -->  Send certN of chain
                                       Send "more"                <--
    -->  Send "done"
                                       Send "yes/no"              <--
    if no [
    -->  Send "more"
                                       Send "reason why failed"   <--
    ]
    if yes [
    -->  Send "more"
                                       Send "Association of the user" <--
    ]
    Connection Closed

Everything sent and received is through standard GSS encryption and
decryption.
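The exchange in the specification above, as an added example that is not SAZ code: both sides run in one Python process over a socketpair, so the message order (cert, "more", ..., "done", "yes"/"no", "more", detail) can be stepped through end to end. The GSS wrapping, the certificate parsing and the CRL and signing-policy checks that the real SAZServer performs are left out; the length-prefixed framing, the example_policy function, the max_chain limit, the subject DNs and the VO table are all constructed for this illustration and are not taken from SAZ.

```python
import socket
import struct
import threading

# Constructed sample data. Each "certificate" is represented by its subject
# DN as a byte string; real SAZ sends the certificates of the proxy chain
# inside GSS-wrapped tokens. GSS wrapping and CRL checking are omitted.
GOOD_CHAIN = [
    b"/DC=org/DC=example/CN=Alice/CN=proxy",   # proxy certificate
    b"/DC=org/DC=example/CN=Alice",            # end-entity certificate
    b"/DC=org/DC=example/CN=Example CA",       # issuing CA
]
BANNED_CHAIN = [
    b"/DC=org/DC=example/CN=Mallory/CN=proxy",
    b"/DC=org/DC=example/CN=Mallory",
    b"/DC=org/DC=example/CN=Example CA",
]
# Stand-ins for the SAZDB: subject -> VO ("association"), and banned subjects.
ASSOCIATIONS = {b"/DC=org/DC=example/CN=Alice": "uscms"}
BANNED = {b"/DC=org/DC=example/CN=Mallory"}


def send_msg(sock, payload):
    """Length-prefixed framing: an assumption, the README does not say how
    messages are delimited. A PEM certificate can never equal the bare
    keywords "done" or "more", so the keywords need no escaping."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_msg(sock):
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def example_policy(chain):
    """Toy decision: (True, association) or (False, reason why failed)."""
    if not chain:
        return False, "empty certificate chain"
    for subject in chain:
        if subject in BANNED:
            return False, "subject is banned: " + subject.decode()
    for subject in chain:
        if subject in ASSOCIATIONS:
            return True, ASSOCIATIONS[subject]
    return False, "no authorized subject in chain"


def saz_server(sock, policy=example_policy, max_chain=16):
    """Server side: answer "more" to every cert, decide on "done", then hand
    over the reason or the association when the client asks with "more"."""
    chain = []
    try:
        while True:
            msg = recv_msg(sock)
            if msg == b"done":
                break
            chain.append(msg)
            send_msg(sock, b"more")
        if len(chain) > max_chain:          # refuse unbounded chains
            ok, detail = False, "chain too long"
        else:
            ok, detail = policy(chain)
        send_msg(sock, b"yes" if ok else b"no")
        if recv_msg(sock) == b"more":       # client asks for the detail
            send_msg(sock, detail.encode())
    finally:
        sock.close()


def saz_client(sock, chain):
    """Client side: returns (authorized, detail)."""
    try:
        for cert in chain:
            send_msg(sock, cert)
            if recv_msg(sock) != b"more":
                raise ConnectionError("server broke the protocol mid-chain")
        send_msg(sock, b"done")
        verdict = recv_msg(sock)
        if verdict not in (b"yes", b"no"):
            raise ConnectionError("unexpected verdict %r" % verdict)
        send_msg(sock, b"more")
        detail = recv_msg(sock).decode()
        return verdict == b"yes", detail
    finally:
        sock.close()


def run_exchange(chain, policy=example_policy):
    """Run both ends over a local socketpair and return the client's result."""
    client_end, server_end = socket.socketpair()
    server = threading.Thread(target=saz_server, args=(server_end, policy))
    server.start()
    try:
        return saz_client(client_end, chain)
    finally:
        server.join()


if __name__ == "__main__":
    print(run_exchange(GOOD_CHAIN))    # (True, 'uscms')
    print(run_exchange(BANNED_CHAIN))  # (False, 'subject is banned: ...')
```

Because the client sends "more" after either verdict, a "no" is always followed by a human-readable reason; a client that closes the connection right after "no" would lose that text, which is what the SAZClient in section E is for.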
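Step 4 of section A inserts the first admin row by hand because the AIServer decides what an AIClient may do from the rights column of the admin table, and an empty table authorizes nobody. The following is an added example, not part of SAZ: it models that decision in an in-memory SQLite database as a stand-in for MySQL. The four column names are taken from the Step 4 INSERT; the meaning of the right names, the per-VO scoping, the UNIQUE constraint and the function names are assumptions made here, and the real schema (saz/setup/createDB.sh) is not reproduced.

```python
import sqlite3

# Rights granted to the bootstrap admin in Step 4 of section A.
BOOTSTRAP_RIGHTS = ("add", "del", "ls", "prin", "vo", "enable", "disable")


def open_sazdb():
    """In-memory SQLite stand-in for the MySQL SAZDB (assumed schema: the four
    columns used by the README's INSERT, one row per principal and VO)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (dn TEXT, prin TEXT NOT NULL, vo TEXT NOT NULL, "
        "rights TEXT NOT NULL, UNIQUE (prin, vo))"
    )
    return conn


def insert_admin(conn, prin, vo, rights):
    """Raw insert, equivalent to the manual mysql INSERT in Step 4.

    Parameterized so that a principal or VO name containing quotes cannot
    break out of the statement. The README stores the literal string
    'null' in dn for Kerberos-only admins; that is kept here.
    """
    conn.execute(
        "INSERT INTO admin (dn, prin, vo, rights) VALUES ('null', ?, ?, ?)",
        (prin, vo, ",".join(rights)),
    )
    conn.commit()


def rights_for(conn, prin, vo):
    """Rights prin holds for vo, parsed from the comma-separated column."""
    row = conn.execute(
        "SELECT rights FROM admin WHERE prin = ? AND vo = ?", (prin, vo)
    ).fetchone()
    if row is None:
        return frozenset()
    return frozenset(r.strip() for r in row[0].split(",") if r.strip())


def authorize(conn, prin, vo, operation):
    """The check the AIServer has to make for every AIClient request.

    Unknown principals get an empty right set, which is why nobody can do
    anything through the AIServer until Step 4 has been done by hand.
    """
    return operation in rights_for(conn, prin, vo)


def add_admin(conn, actor_prin, vo, new_prin, new_rights):
    """Add an admin through the server path: the acting principal must
    already hold the 'add' right for this VO. Returns True when the row
    was inserted, False when the actor was denied."""
    if not authorize(conn, actor_prin, vo, "add"):
        return False
    insert_admin(conn, new_prin, vo, new_rights)
    return True


if __name__ == "__main__":
    db = open_sazdb()
    print(authorize(db, "dane@FNAL.GOV", "uscms", "ls"))   # False: empty table
    insert_admin(db, "dane@FNAL.GOV", "uscms", BOOTSTRAP_RIGHTS)
    print(authorize(db, "dane@FNAL.GOV", "uscms", "ls"))   # True
    print(add_admin(db, "dane@FNAL.GOV", "uscms", "bob@FNAL.GOV", ("ls",)))  # True
```

The rights are scoped to the VO named in the row, so the bootstrap admin for uscms cannot add admins for another VO without a second row; if the real AIServer is meant to treat some principal as a site-wide admin, that has to be expressed as one row per VO.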