This shows you the differences between two versions of the page.
install_doc [2013/11/07 07:18] bzizou |
install_doc [2013/11/07 07:20] (current) bzizou [Donwload and install] |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | =====Cigri installation==== | ||
+ | ==== Donwload and install==== | ||
+ | * Download | ||
+ | <code>git clone git://scm.gforge.inria.fr/cigri/cigri.git</code> | ||
+ | * Install | ||
+ | <code> | ||
+ | useradd -m -d /var/lib/cigri -c "Cigri server" cigri | ||
+ | make install-cigri | ||
+ | </code> | ||
+ | * Please, check the INSTALL file from the sources directory. | ||
+ | ====Setting up the CiGri RESTFul API==== | ||
+ | TODO | ||
+ | ==== Certificate Authority ==== | ||
+ | You may have to create your own Certificate Authority | ||
+ | |||
+ | You can follow the instructions from http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ for generating the CA | ||
+ | |||
+ | ==== Cigri cert ==== | ||
+ | Then, you have to create a certificate for your cigri server. | ||
+ | <code> | ||
+ | # Make a req | ||
+ | cd /etc/cigri/ssl | ||
+ | openssl req -config openssl.my.cnf -new -nodes -keyout private/cigri.key -out cigri.csr -days 3650 | ||
+ | chmod 400 private/cigri.key | ||
+ | chown cigri private/cigri.key | ||
+ | # Sign | ||
+ | openssl ca -config openssl.my.cnf -policy policy_anything -out certs/cigri.crt -infiles cigri.csr | ||
+ | # Copy to cigri | ||
+ | cp certs/cigri.crt /etc/cigri/ssl | ||
+ | cp private/cigri.key /etc/cigri/ssl | ||
+ | </code> | ||
+ | ===== Clusters frontend side (done for each new cluster) ===== | ||
+ | ==== OAR API configuration ==== | ||
+ | * Activate ssl into apache if not already done | ||
+ | <code> | ||
+ | a2enmod ssl | ||
+ | a2ensite default-ssl | ||
+ | </code> | ||
+ | * Copy the cigriCA.crt cert file to the host and add it to the list of CA-certs: | ||
+ | <code> | ||
+ | cat /etc/ssl/certs/cigriCA.crt >> /etc/ssl/certs/ca-certificates.crt | ||
+ | </code> | ||
+ | * Check apache configuration, so that it uses the good list, into /etc/apache2/sites-enabled/default-ssl: | ||
+ | <code> | ||
+ | SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt | ||
+ | </code> | ||
+ | * Check that your OAR API is running as a FastCGI (or you will have big performance issues!) | ||
+ | |||
+ | * Add a configuration file for cigri, with ssl filtering (SSLRequire directive), here is an example: | ||
+ | <code> | ||
+ | cat >/etc/apache2/conf.d/oar-restful-api-cigri.conf <<EOF | ||
+ | ScriptAlias /oarapi-cigri /usr/lib/cgi-bin/oarapi/oarapi.cgi | ||
+ | <Location /oarapi-cigri> | ||
+ | Options ExecCGI -MultiViews FollowSymLinks | ||
+ | SSLVerifyClient require | ||
+ | SSLVerifyDepth 1 | ||
+ | SSLRequire ( %{SSL_CLIENT_S_DN_OU} eq "CIMENT" | ||
+ | and %{SSL_CLIENT_S_DN_CN} eq "CIGRI" ) | ||
+ | ## Add some checks on the X_REMOTE_IDENT header | ||
+ | ## This example only allows users kameleon and oar to be authenticated to the API | ||
+ | # RewriteEngine On | ||
+ | # RewriteCond %{HTTP:X_REMOTE_IDENT} (.*) | ||
+ | # RewriteRule .* - [[E=MY_REMOTE_IDENT:%1]] | ||
+ | # RewriteCond %{HTTP:X_REMOTE_IDENT} !=kameleon | ||
+ | # RewriteCond %{HTTP:X_REMOTE_IDENT} !=oar | ||
+ | # RewriteRule .* - [[E=MY_REMOTE_IDENT:]] | ||
+ | # RequestHeader set X_REMOTE_IDENT %{MY_REMOTE_IDENT}e | ||
+ | </Location> | ||
+ | EOF | ||
+ | </code> | ||
+ | * Restart apache | ||
+ | ==== Testing the OAR API from the Cigri host=== | ||
+ | TODO (with curl) | ||
+ | ==== Cigri configuration ==== | ||
+ | Add the new cluster into cigri database, for example: | ||
+ | <code> | ||
+ | sudo su - cigri | ||
+ | /usr/local/share/cigri/sbin/newcluster gofree https://gofree.imag.fr/oarapi-cigri cert null null gofree.imag.fr oar2_5 core 10 // | ||
+ | </code> | ||
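Review bot: In "OAR API configuration" the cigri CA is appended to /etc/ssl/certs/ca-certificates.crt and `SSLCACertificateFile` then points at that whole bundle, so `SSLVerifyClient require` with `SSLVerifyDepth 1` accepts a client certificate issued directly by any CA in the system list, and access to /oarapi-cigri rests only on the `SSLRequire` match of OU "CIMENT" and CN "CIGRI". Suggest pointing `SSLCACertificateFile` at /etc/ssl/certs/cigriCA.crt alone for this site, which also avoids hand-editing a bundle that update-ca-certificates regenerates on Debian-style systems. The X_REMOTE_IDENT filter in the same block is commented out, and its flags are written `[[E=MY_REMOTE_IDENT:%1]]` and `[[E=MY_REMOTE_IDENT:]]` with doubled brackets where mod_rewrite expects `[E=...]`, so the rules fail as soon as someone uncomments them; please fix the brackets and say in the text whether the filter is meant to be enabled. In "Cigri cert" the two `cp` lines run after `cd /etc/cigri/ssl`, so they leave a second copy of private/cigri.key directly in /etc/cigri/ssl, and a plain `cp` does not keep the `chown cigri` applied a few lines earlier; either drop the copies or state the intended final path and ownership of the key. Also in "Cigri cert", `-days 3650` on `openssl req -new` has no effect without `-x509`; the validity is set at the `openssl ca` step. Minor: "Donwload" is a typo, and the heading markers on "Cigri installation" and "Testing the OAR API from the Cigri host" are unbalanced.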