User Tools

Site Tools


install_doc

Cigri installation

Donwload and install

  • Download
git clone git://scm.gforge.inria.fr/cigri/cigri.git
  • Install
useradd -m -d /var/lib/cigri -c "Cigri server" cigri
make install-cigri
  • Please, check the INSTALL file from the sources directory.

Setting up the CiGri RESTFul API

TODO

Certificate Authority

You may have to create your own Certificate Authority

You can follow the instructions from http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ for generating the CA

Cigri cert

Then, you have to create a certificate for your cigri server.

 # Make a req
 cd /etc/cigri/ssl
 openssl req -config openssl.my.cnf -new -nodes -keyout private/cigri.key -out cigri.csr -days 3650
 chmod 400 private/cigri.key
 chown cigri private/cigri.key
 # Sign
 openssl ca -config openssl.my.cnf -policy policy_anything -out certs/cigri.crt -infiles cigri.csr
 # Copy to cigri
 cp certs/cigri.crt /etc/cigri/ssl
 cp private/cigri.key /etc/cigri/ssl

Clusters frontend side (done for each new cluster)

OAR API configuration

  • Activate ssl into apache if not already done
 a2enmod ssl
 a2ensite default-ssl
  • Copy the cigriCA.crt cert file to the host and add it to the list of CA-certs:
 cat /etc/ssl/certs/cigriCA.crt >> /etc/ssl/certs/ca-certificates.crt 
  • Check apache configuration, so that it uses the good list, into /etc/apache2/sites-enabled/default-ssl:
 SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
  • Check that your OAR API is running as a FastCGI (or you will have big performance issues!)
  • Add a configuration file for cigri, with ssl filtering (SSLRequire directive), here is an example:
 cat >/etc/apache2/conf.d/oar-restful-api-cigri.conf <<EOF
        ScriptAlias /oarapi-cigri /usr/lib/cgi-bin/oarapi/oarapi.cgi
       <Location /oarapi-cigri>
         Options ExecCGI -MultiViews FollowSymLinks
          SSLVerifyClient require
          SSLVerifyDepth  1
          SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "CIMENT" 
                      and %{SSL_CLIENT_S_DN_CN} eq "CIGRI" )
          ## Add some checks on the X_REMOTE_IDENT header
          ## This example only allows users kameleon and oar to be authenticated to the API
          # RewriteEngine On
          # RewriteCond %{HTTP:X_REMOTE_IDENT}  (.*)
          # RewriteRule .* - [[E=MY_REMOTE_IDENT:%1]]
          # RewriteCond %{HTTP:X_REMOTE_IDENT}  !=kameleon
          # RewriteCond %{HTTP:X_REMOTE_IDENT}  !=oar
          # RewriteRule .* - [[E=MY_REMOTE_IDENT:]]
          # RequestHeader set X_REMOTE_IDENT %{MY_REMOTE_IDENT}e
       </Location>
 EOF
  • Restart apache

Testing the OAR API from the Cigri host

TODO (with curl)

Cigri configuration

Add the new cluster into cigri database, for example:

  sudo su - cigri
 /usr/local/share/cigri/sbin/newcluster gofree https://gofree.imag.fr/oarapi-cigri cert null null gofree.imag.fr oar2_5 core 10 //
install_doc.txt · Last modified: 2013/11/07 07:20 by bzizou