# Starts the container with -secure (presumably enabling the GSI/httpg transport; confirm) on port 8080.
# The -sp value (9000) matches the httpgPort parameter shown in the globalConfiguration snippet below.
globus-start-container -p 8080 -secure -sp 9000
...
<globalConfiguration>
...
<!-- Port of the httpg transport; presumably the same value as -sp on the start command above (9000 in both places). Confirm they are kept in sync. -->
<parameter name="httpgPort" value="9000"/>
...
</globalConfiguration>
...
<!-- Define a GSI HTTP/1.1 Connector on port 8443
Supported parameters include:
proxy // proxy file for server to use
or
cert // server certificate file in PEM format
key // unencrypted server key file in PEM format
cacertdir // directory location containing trusted CA certs
gridMap // grid map file used for authorization of users
debug // "0" is off and "1" and greater for more info
-->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" authenticate="true"
acceptCount="10" debug="1" scheme="httpg" secure="true">
<!-- NOTE(review): the header above lists 'proxy' and 'cert' + 'key' as alternatives, yet this example sets all three. Configure only the credential the server should present, and confirm which one the factory uses when both are given. Because 'key' is an unencrypted PEM file and 'gridMap' decides who is authorized, both files need restrictive permissions. -->
<Factory className="org.globus.tomcat.catalina.net.GSIServerSocketFactory"
proxy="d:\certs\x509up_u945"
cert="d:\certs\hostcert.pem"
key="d:\certs\hostkey.pem"
cacertdir="d:\certs\certs"
gridMap="d:\certs\gridmap"
debug="1"/>
</Connector>
<!-- debug="1" on the connector, factory and valve is the verbose setting described in the header ("0" is off); treat it as a troubleshooting setting rather than a default. -->
<Valve className="org.globus.tomcat.catalina.valves.CertificatesValve" debug="1" />
rem Original bootstrap-only classpath line (shown for comparison with the two variants below).
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar
rem Variant with the Globus/GSI jars appended; the XML parser is common\lib\xerces.jar.
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar;%CATALINA_HOME%\common\lib\cog-jglobus.jar;%CATALINA_HOME%\common\lib\log4j-1.2.8.jar;%CATALINA_HOME%\common\lib\xerces.jar;%CATALINA_HOME%\common\lib\puretls.jar;%CATALINA_HOME%\common\lib\jce-jdk13-120.jar;%CATALINA_HOME%\common\lib\cryptix32.jar;%CATALINA_HOME%\common\lib\cryptix-asn1.jar;%CATALINA_HOME%\common\lib\jgss.jar;%CATALINA_HOME%\common\lib\jaas.jar
rem Variant for a layout where the parser lives in common\endorsed (xercesImpl.jar and xmlParserAPIs.jar instead of xerces.jar).
rem NOTE(review): neither batch variant lists cryptix.jar, which the corresponding shell variants below do include; confirm whether that omission is intentional.
set CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\bootstrap.jar;%CATALINA_HOME%\common\lib\cog-jglobus.jar;%CATALINA_HOME%\common\lib\log4j-1.2.8.jar;%CATALINA_HOME%\common\endorsed\xercesImpl.jar;%CATALINA_HOME%\common\endorsed\xmlParserAPIs.jar;%CATALINA_HOME%\common\lib\puretls.jar;%CATALINA_HOME%\common\lib\jce-jdk13-120.jar;%CATALINA_HOME%\common\lib\cryptix32.jar;%CATALINA_HOME%\common\lib\cryptix-asn1.jar;%CATALINA_HOME%\common\lib\jgss.jar;%CATALINA_HOME%\common\lib\jaas.jar
# Original bootstrap-only classpath line (shown for comparison with the two variants below).
CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar
# Variant with the Globus/GSI jars appended; the XML parser is common/lib/xerces.jar.
CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME/common/lib/cog-jglobus.jar":"$CATALINA_HOME/common/lib/log4j-1.2.8.jar":"$CATALINA_HOME/common/lib/xerces.jar":"$CATALINA_HOME/common/lib/puretls.jar":"$CATALINA_HOME/common/lib/jce-jdk13-120.jar":"$CATALINA_HOME/common/lib/cryptix32.jar":"$CATALINA_HOME/common/lib/cryptix-asn1.jar":"$CATALINA_HOME/common/lib/cryptix.jar":"$CATALINA_HOME/common/lib/jgss.jar":"$CATALINA_HOME/common/lib/jaas.jar"
# Variant for a layout where the parser lives in common/endorsed (xercesImpl.jar and xmlParserAPIs.jar instead of xerces.jar).
# NOTE(review): both shell variants list cryptix.jar, which the batch variants above omit; confirm which jar list is correct.
CLASSPATH="$CLASSPATH":"$CATALINA_HOME"/bin/bootstrap.jar:"$CATALINA_HOME/common/lib/cog-jglobus.jar":"$CATALINA_HOME/common/lib/log4j-1.2.8.jar":"$CATALINA_HOME/common/endorsed/xercesImpl.jar":"$CATALINA_HOME/common/endorsed/xmlParserAPIs.jar":"$CATALINA_HOME/common/lib/puretls.jar":"$CATALINA_HOME/common/lib/jce-jdk13-120.jar":"$CATALINA_HOME/common/lib/cryptix32.jar":"$CATALINA_HOME/common/lib/cryptix-asn1.jar":"$CATALINA_HOME/common/lib/cryptix.jar":"$CATALINA_HOME/common/lib/jgss.jar":"$CATALINA_HOME/common/lib/jaas.jar"
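<requestFlow>
...
<handler type="PersistentServiceHandler"/>
<!-- Presumably the handler that populates the GSIConstants.GSI_* properties a service reads from the MessageContext (see the example below); confirm. -->
<handler type="java:org.globus.axis.handler.CredentialHandler"/>
...
<!-- Closing tag: the original snippet ended with a self-closing <requestFlow/>, which would start a second, empty element instead of closing this one. -->
</requestFlow>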
A client will automatically perform GSI authentication with a
service as long as the endpoint of the service specifies 'httpg' as the
access protocol. The GSI authentication parameters (such as delegation
type, etc.) can be controlled by setting various GSI properties. Please
see section 5.1 of the
Security Support page for details. There are no transport security
specific properties at this time.
Also ensure that the generated ServiceLocator class for your service extends the org.globus.ogsa.impl.core.service.ServiceLocator class; it will initialize the httpg transport automatically. Otherwise, the transport will need to be initialized manually.
public void method(String foo) throws RemoteException {
MessageContext ctx = MessageContext.getCurrentContext();
GSSCredential cred =
(GSSCredential)ctx.getProperty(GSIConstants.GSI_CREDENTIALS);
....
}
Please note that the 'cred' object can be null if delegation was not performed. Also, the values of the GSIConstants.GSI_USER_DN and GSIConstants.GSI_AUTH_USERNAME properties can be retrieved from the MessageContext object using the same mechanism. These properties contain the caller's Globus ID (GSIConstants.GSI_USER_DN) and the local account that the caller was mapped to by the gridmap file (GSIConstants.GSI_AUTH_USERNAME).
To make sure that a service can be accessed via the 'httpg' protocol,
modify the address location URLs in the <service> section of the
<service>_service.wsdl file so that the URL uses httpg as the protocol
type and the appropriate port number. For example:
<?xml version="1.0" encoding="UTF-8"?>
<definitions name="NotificationCounter"
targetNamespace="http://ogsa.globus.org/samples/counter/notification/service"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:notificationcounterbinding="http://ogsa.globus.org/samples/counter/notification/bindings"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
<import location="gsi_counter_bindings.wsdl"
namespace="http://ogsa.globus.org/samples/counter/notification/bindings"/>
<service name="NotificationCounterService">
<port
binding="notificationcounterbinding:NotificationCounterSOAPBinding"
name="NotificationCounterPort">
<!-- The 'httpg' scheme is what makes a client perform GSI authentication (see the text above). NOTE(review): the host:port must be the container's httpg listener; the start command and httpgPort earlier on this page use 9000 while this example uses 8080, so confirm which port is intended. -->
<soap:address location="httpg://localhost:8080/ogsa/services/"/>
</port>
</service>
</definitions>
For an example of a GSI-enabled service take a look at Counter example in ogsa/impl/java/src/org/globus/ogsa/impl/samples/counter/secure/SecureCounterImpl.java file.
Use the "GSI" type of the notification sink manager to receive notifications:
NotificationSinkManager manager = NotificationSinkManager.getInstance("GSI");
The security properties can be set on the sink manager using the manager.init() method:
Map props = new HashMap();
// Credential the sink manager will use for GSI; 'cred' is presumably a GSSCredential obtained as in the service example above (confirm).
props.put(GSIConstants.GSI_CREDENTIALS, cred);
...
manager.init(props);
...
The security properties are set in exactly the same way as in the
message level security. Please see section 5.2 of the message
level security document for
details.