The CiGri middleware

User Tools

Site Tools

Trace:
install_doc

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
install_doc [2013/11/07 07:18]
bzizou 		install_doc [2013/11/07 07:20] (current)
bzizou [Donwload and install]
Line 1: Line 1:
 +=====Cigri installation====
 +==== Donwload and install====
 +  * Download
 +<​code>​git clone git://​scm.gforge.inria.fr/​cigri/​cigri.git</​code>​
 +  * Install
 +<​code>​
 +useradd -m -d /​var/​lib/​cigri -c "Cigri server"​ cigri
 +make install-cigri
 +</​code>​
 +  * Please, check the INSTALL file from the sources directory.
 +====Setting up the CiGri RESTFul API====
 +TODO
 +==== Certificate Authority ====
 +You may have to create your own Certificate Authority
 +
 +You can follow the instructions from http://​www.g-loaded.eu/​2005/​11/​10/​be-your-own-ca/​ for generating the CA
 +
 +==== Cigri cert ====
 +Then, you have to create a certificate for your cigri server.
 +<​code>​
 + # Make a req
 + cd /​etc/​cigri/​ssl
 + ​openssl req -config openssl.my.cnf -new -nodes -keyout private/​cigri.key -out cigri.csr -days 3650
 + chmod 400 private/​cigri.key
 + chown cigri private/​cigri.key
 + # Sign
 + ​openssl ca -config openssl.my.cnf -policy policy_anything -out certs/​cigri.crt -infiles cigri.csr
 + # Copy to cigri
 + cp certs/​cigri.crt /​etc/​cigri/​ssl
 + cp private/​cigri.key /​etc/​cigri/​ssl
 +</​code>​
 +=====  Clusters frontend side (done for each new cluster) ​ =====
 +====  OAR API configuration ​ ====
 +  * Activate ssl into apache if not already done
 +<​code>​
 + ​a2enmod ssl
 + ​a2ensite default-ssl
 +</​code>​
 +  * Copy the cigriCA.crt cert file to the host and add it to the list of CA-certs:
 +<​code>​
 + cat /​etc/​ssl/​certs/​cigriCA.crt >> /​etc/​ssl/​certs/​ca-certificates.crt ​
 +</​code>​
 +  * Check apache configuration,​ so that it uses the good list, into /​etc/​apache2/​sites-enabled/​default-ssl:​
 +<​code>​
 + ​SSLCACertificateFile /​etc/​ssl/​certs/​ca-certificates.crt
 +</​code>​
 +  * Check that your OAR API is running as a FastCGI (or you will have big performance issues!)
 +
 +  * Add a configuration file for cigri, with ssl filtering (SSLRequire directive), here is an example:
 +<​code>​
 + cat >/​etc/​apache2/​conf.d/​oar-restful-api-cigri.conf <<EOF
 +        ScriptAlias /​oarapi-cigri /​usr/​lib/​cgi-bin/​oarapi/​oarapi.cgi
 +       <​Location /​oarapi-cigri>​
 +         ​Options ExecCGI -MultiViews FollowSymLinks
 +          SSLVerifyClient require
 +          SSLVerifyDepth ​ 1
 +          SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "​CIMENT" ​
 +                      and %{SSL_CLIENT_S_DN_CN} eq "​CIGRI"​ )
 +          ## Add some checks on the X_REMOTE_IDENT header
 +          ## This example only allows users kameleon and oar to be authenticated to the API
 +          # RewriteEngine On
 +          # RewriteCond %{HTTP:​X_REMOTE_IDENT} ​ (.*)
 +          # RewriteRule .* - [[E=MY_REMOTE_IDENT:​%1]]
 +          # RewriteCond %{HTTP:​X_REMOTE_IDENT} ​ !=kameleon
 +          # RewriteCond %{HTTP:​X_REMOTE_IDENT} ​ !=oar
 +          # RewriteRule .* - [[E=MY_REMOTE_IDENT:​]]
 +          # RequestHeader set X_REMOTE_IDENT %{MY_REMOTE_IDENT}e
 +       </​Location>​
 + EOF
 +</​code>​
 +  * Restart apache
 +==== Testing the OAR API from the Cigri host===
 +TODO (with curl)
 +====  Cigri configuration ​ ====
 +Add the new cluster into cigri database, for example:
 +<​code>​
 +  sudo su - cigri
 + /​usr/​local/​share/​cigri/​sbin/​newcluster gofree https://​gofree.imag.fr/​oarapi-cigri cert null null gofree.imag.fr oar2_5 core 10 //
 +</​code>​
  
install_doc.txt ยท Last modified: 2013/11/07 07:20 by bzizou

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki