Openjdk
OpenSSL
These dependencies can be resolved on Debian based distributions through:
sudo apt-get update
sudo apt-get install openssl openjdk-6-jdk
These dependencies can be resolved on RedHat based distributions through:
yast2 -i openssl java-1_6_0-openjdk
1. Install PMES-COMPSs Service:
1.1 Checkout the project from VENUS-C SVN:
http://venus-c.sourceforge.net/
1.2 Install the pmes-compss on the system:
- User & password based security:
sudo dpkg -i pmes-compss-X.X-latest.deb (Debian based distros)
sudo rpm -i pmes-compss-X.X-X-latest.rpm (RedHat based distros)
rm -rf pmes-compss-*
- Certificate based security:
sudo dpkg -i pmes-compss-certs-X.X-latest.deb (Debian based distros)
sudo rpm -i pmes-compss-certs-X.X-X-latest.rpm (RedHat based distros)
rm -rf pmes-compss-*
1.3 Configure pmes system user:
sudo passwd pmes
sudo login pmes
ssh-keygen -t dsa
ssh-copy-id -i ~/.ssh/id_dsa.pub pmes@HOSTNAME
2. Prepare private key and public PMES-COMPSs certificates
2.1 Create the PMES-COMPSs private key store:
cd /home/pmes/certs/
keytool -genkey -alias your_client_alias -keyalg RSA -keystore /path/to/keystore_file
Example:
keytool -genkey -alias pmes -keyalg RSA -keystore keystore
Enter keystore password: <somePassword>
Re-enter new password: <somePassword>
What is your first and last name?
[Unknown]: venusc-pmes.bsc.es (Must be the hostname of the machine).
What is the name of your organizational unit?
[Unknown]: Computer Sciences
What is the name of your organization?
[Unknown]: Barcelona Supercomputing Center
What is the name of your City or Locality?
[Unknown]: Barcelona
What is the name of your State or Province?
[Unknown]: Spain
What is the two-letter country code for this unit?
[Unknown]: ES
Is CN=venusc-pmes.bsc.es, OU=Computer Sciences, O=Barcelona Supercomputing Center, L=Barcelona, ST=Spain, C=ES correct?
[no]: yes
Enter key password for pmes (RETURN if same as keystore password): [return]
Important: Currently, the key password must be the same as the keystore password.
2.2. Create your client's public certificate from PMES-COMPSs private key store:
keytool -export -alias your_client_alias -keystore /path/to/keystore_file -file /path/to/certificate_file
Example:
keytool -export -alias pmes -keystore keystore -file pmesCert.cer
Enter keystore password:
Certificate stored in file <pmesCert.cer>
3. PMES-COMPSs & Tomcat Configuration:
3.1. PMES-COMPSs service configuration:
vi /home/pmes/conf/PMESConfig.xml
<!-- PMES Service Configuration -->
<PMESConfig>
  <!-- PMES Configuration -->
  <PMES>
    <Address>https://HOSTNAME/venusbes/factory</Address>
    <User>pmes</User>
    <TempDir>/home/pmes/tmp</TempDir>
    <UserDBFile>/home/pmes/conf/usersdb</UserDBFile>
    <!--<UsersMapFile>/home/pmes/conf/mapfile</UsersMapFile>-->
    <Scheduler>com.bsc.venusbes.jobmanager.jobscheduler.SJNScheduler</Scheduler>
    <!-- Max allowed time per job (minutes) -->
    <MaxJobWallClock>360</MaxJobWallClock>
    <!-- Update logs time (minutes) -->
    <UpdateLogsTime>1</UpdateLogsTime>
    <!-- Job expiration control (minutes) -->
    <FinishedExpTime>120</FinishedExpTime>
    <CancelledExpTime>120</CancelledExpTime>
    <FailedExpTime>120</FailedExpTime>
    <ExpCheckTime>5</ExpCheckTime>
  </PMES>
  <!-- Resources Configuration -->
  <RESOURCES>
    <!-- CLOUD Provider Configuration -->
    <CLOUD>
      <EndPoint>https://HOSTNAME:PORT/...</EndPoint>
      <Connector>com.bsc.venusbes.connectors.emotive.DRP</Connector>
      <Cert>
        <Source>/home/pmes/certs/certificate.p12</Source>
        <DeploymentPath>/home/user/certs</DeploymentPath>
      </Cert>
      <User>user</User>
      <!-- Maximum allowed VM creation time in minutes -->
      <MaxVMCreationTime>10</MaxVMCreationTime>
      <!-- Application deploy path on provider VM -->
      <DeploymentPath>/home/user/apps</DeploymentPath>
      <!-- Shared space mountpoint on virtual instances -->
      <SharedPoint>/sharedDisk</SharedPoint>
      <Resources>
        <!-- Defines a pool of pre-started VMs speeding up job submissions (OPTIONAL) -->
        <StaticPool>
          <Resource image="debianbase">
            <Instances>2</Instances>
            <CPU>4</CPU>
            <MEM>2.0</MEM>
            <Disk>2.0</Disk>
            <Arch>x86_64</Arch>
          </Resource>
        </StaticPool>
        <!-- Maximum of system cores -->
        <MaxCores>44</MaxCores>
        <!-- Maximum of system memory -->
        <MaxMemory>112</MaxMemory>
      </Resources>
    </CLOUD>
  </RESOURCES>
  <!-- COMPSs Configuration -->
  <COMPSs>
    <Location>/opt/COMPSs/Runtime</Location>
    <Connector>integratedtoolkit.connectors.emotivecloud.DRPSecureClientConnector_2</Connector>
    <WorkingDir>/home/user/IT</WorkingDir>
    <!-- COMPSs job monitoring frequency (seconds) -->
    <MonitorFreq>3</MonitorFreq>
    <!-- Master VM Specs -->
    <Master>
      <CPU>1</CPU>
      <MEM>2.0</MEM>
      <Disk>2.0</Disk>
      <Arch>x86_64</Arch>
    </Master>
    <!-- COMPSs service resources (OPTIONAL) -->
    <Services>
      <!-- Service resource definition example -->
      <Service>
        <Name>HmmerObjects</Name>
        <WSDL>http://HOSTNAME:PORT/servicepath?wsdl</WSDL>
        <Namespace>http://hmmerobj.worker</Namespace>
        <Port>HmmerObjectsPort</Port>
        <Tasks>3</Tasks>
      </Service>
    </Services>
  </COMPSs>
  <!-- Accounting Configuration (OPTIONAL) -->
  <ACCOUNTING>
    <EndPoint>http://HOSTNAME:PORT/usagetracker/rest</EndPoint>
    <User>user</User>
    <Password>password</Password>
    <Owner>ORGANIZATION</Owner>
  </ACCOUNTING>
</PMESConfig>
IMPORTANT: For basic security profile (username/password) use the <UserDBFile> tag; for certificate based security use the <UsersMapFile> tag as explained in section 4.
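An added sanity check for this file (example code, not part of PMES-COMPSs): it parses the <PMES> block and flags an Address that is not served over https, a file in which both or neither of <UserDBFile> and <UsersMapFile> are set, and timer values that are not positive integers. The trimmed SAMPLE_CONFIG and the function check_pmes_config are constructed here, not taken from the project.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed PMESConfig.xml (not the project's file); only the
# <PMES> block matters for the checks below. The commented-out
# <UsersMapFile> is ignored by the parser, exactly as in the real file.
SAMPLE_CONFIG = """<PMESConfig>
  <PMES>
    <Address>https://HOSTNAME/venusbes/factory</Address>
    <User>pmes</User>
    <TempDir>/home/pmes/tmp</TempDir>
    <UserDBFile>/home/pmes/conf/usersdb</UserDBFile>
    <!--<UsersMapFile>/home/pmes/conf/mapfile</UsersMapFile>-->
    <MaxJobWallClock>360</MaxJobWallClock>
    <UpdateLogsTime>1</UpdateLogsTime>
    <FinishedExpTime>120</FinishedExpTime>
    <ExpCheckTime>5</ExpCheckTime>
  </PMES>
</PMESConfig>"""

# All timers in <PMES> are expressed in minutes.
MINUTE_FIELDS = ("MaxJobWallClock", "UpdateLogsTime", "FinishedExpTime",
                 "CancelledExpTime", "FailedExpTime", "ExpCheckTime")

def check_pmes_config(xml_text):
    """Return a list of problems found in the <PMES> block (empty means OK)."""
    problems = []
    pmes = ET.fromstring(xml_text).find("PMES")
    if pmes is None:
        return ["missing <PMES> block"]
    # The factory endpoint is served by the Tomcat TLS connector (section 3.2).
    address = pmes.findtext("Address", "")
    if not address.startswith("https://"):
        problems.append("Address must use https:// (got %r)" % address)
    # Exactly one security profile: username/password OR certificate map.
    has_db = pmes.find("UserDBFile") is not None
    has_map = pmes.find("UsersMapFile") is not None
    if has_db == has_map:
        problems.append("set exactly one of <UserDBFile> or <UsersMapFile>")
    # Timers must be positive integers (minutes); absent optional ones pass.
    for name in MINUTE_FIELDS:
        raw = pmes.findtext(name)
        if raw is not None and not (raw.strip().isdigit() and int(raw) > 0):
            problems.append("%s must be a positive integer (got %r)" % (name, raw))
    return problems

if __name__ == "__main__":
    for problem in check_pmes_config(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
```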
3.2. Tomcat http secure channel configuration:
vi /home/pmes/apache-tomcat/conf/server.xml
In the Tomcat server.xml configuration file add:
<Connector port="8443" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/pmes/certs/keystore"
keystorePass="<KeystorePassword>"/>
Then start the service:
source ~/.bashrc
/home/pmes/apache-tomcat/bin/catalina.sh start
4. System users configuration:
4.1. Basic security: create a users database file:
vi /home/pmes/conf/usersdb
Add users following the pattern that can be found below:
user1:hashedpassword1
user2:hashedpassword2
...
usern:hashedpasswordn
Hash the default assigned passwords through:
echo -n "mypassword" | md5sum | cut -f1 -d' '
Important: If a user named "admin" is created, this user can act as a superuser managing all system jobs.
4.2. Certificates security: create a users map file:
vi /home/pmes/conf/mapfile
Add certificate DN:username pairs like:
EMAILADDRESS=daniele.lezzi@bsc.es, CN=Daniele Lezzi, OU=Computer Science, O=Barcelona Supercomputing Center, L=Barcelona, ST=Spain, C=ES:dlezzibsc
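An added loader for the two user files of section 4 (example code, not the PMES-COMPSs implementation): it parses the user:hashedpassword lines of usersdb, verifies a password with the same MD5 hex digest the echo | md5sum command produces, and resolves a certificate subject DN through the mapfile, splitting on the last colon because the DN itself contains commas and equals signs. The sample file contents, the normalize_dn helper and the function names are constructed here.

```python
import hashlib
import hmac

# Constructed sample files (not the project's own): usersdb follows the
# "user:hashedpassword" pattern, mapfile the "DN:username" pattern above.
USERSDB_TEXT = "alice:%s\nadmin:%s\n" % (
    hashlib.md5(b"s3cret").hexdigest(), hashlib.md5(b"adminpw").hexdigest())
MAPFILE_TEXT = ("EMAILADDRESS=alice@example.org, CN=Alice Example, "
                "OU=Computer Science, O=Example Org, L=Barcelona, ST=Spain, C=ES:alice\n")

def normalize_dn(dn):
    """Canonical form so 'CN=A, O=B' and 'CN=A,O=B' resolve to the same entry."""
    return ",".join(part.strip() for part in dn.split(","))

def load_usersdb(text):
    """Parse usersdb into {user: md5hex}; blank lines are skipped."""
    db = {}
    for line in text.splitlines():
        if line.strip():
            user, _, digest = line.strip().partition(":")
            db[user] = digest.lower()
    return db

def load_mapfile(text):
    """Parse mapfile into {normalized DN: user}. The DN holds commas and '='
    signs, so the separator is the LAST colon on the line."""
    mapping = {}
    for line in text.splitlines():
        if line.strip():
            dn, _, user = line.strip().rpartition(":")
            mapping[normalize_dn(dn)] = user.strip()
    return mapping

def check_password(db, user, password):
    """Basic profile: md5(password) must equal the stored digest
    (the same digest `echo -n ... | md5sum` writes into usersdb)."""
    stored = db.get(user)
    if stored is None:
        return False
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)

def user_for_dn(mapping, subject_dn):
    """Certificate profile: map a client certificate subject to a PMES user."""
    return mapping.get(normalize_dn(subject_dn))

def is_superuser(user):
    """The user named 'admin' manages all system jobs."""
    return user == "admin"
```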
5.1.1 Create the private key store in PKCS12 format:
keytool -genkey -alias your_client_alias -keyalg RSA -keystore /path/to/keystore_file -storetype pkcs12
Important: The alias and the keystore base name must be the same, as shown in the following example.
Example:
cd /home/pmes/certs/
keytool -genkey -alias cloudprovider -keyalg RSA -keystore cloudprovider.p12 -storetype pkcs12
Enter keystore password: <somePassword>
Re-enter new password: <somePassword>
What is your first and last name?
[Unknown]: Some Client
What is the name of your organizational unit?
[Unknown]: Some Department
What is the name of your organization?
[Unknown]: Some Science Company
What is the name of your City or Locality?
[Unknown]: Paris
What is the name of your State or Province?
[Unknown]: Paris
What is the two-letter country code for this unit?
[Unknown]: FR
Is CN=Some Client, OU=Some Department, O=Some Science Company, L=Paris, ST=Paris, C=FR correct?
[no]: yes
Enter key password for cloudprovider (RETURN if same as keystore password): [return]
Important: Currently, the key password must be the same as the keystore password.
5.1.2 Create your client's public certificate from the private key store:
keytool -export -rfc -alias your_client_alias -keystore /path/to/keystore_file -file /path/to/certificate_file -storetype pkcs12
Example:
keytool -export -rfc -alias cloudprovider -keystore cloudprovider.p12 -file client.pem -storetype pkcs12
Enter keystore password: <somePassword>
Certificate stored in file <client.pem>
If you display the contents of the client.pem file, you will see something similar to this:
-----BEGIN CERTIFICATE-----
MIICbzCCAdigAwIBA........ <some Base64 text lines>
-----END CERTIFICATE-----
5.1.3 Send the certificate file to your Cloud Infrastructure administrator, so that they can grant you access to the infrastructure.
1. exit
2. sudo apt-get install openvpn
3. cd ~
4. Download bscvpn.tar.gz from the following URL:
http://sourceforge.net/projects/venus-c/files/tools/security/bscvpn.tar.gz
5. Untar bscvpn.tar.gz in the /etc/openvpn folder:
cd /etc/openvpn
sudo tar xvzf ~/bscvpn.tar.gz
rm ~/bscvpn.tar.gz
6. You need to create your private key from the PKCS12 key store:
sudo openssl pkcs12 -in /path/to/keystore_file.p12 -nocerts -out /path/to/private_key
7. Example:
sudo openssl pkcs12 -in /home/pmes/certs/cloudprovider.p12 -nocerts -out bscvpn/client.key
Enter Import Password: <somePassword>
MAC verified OK
Enter PEM pass phrase: <somePassword>
Verifying - Enter PEM pass phrase: <somePassword>
8. If you display the content of the private key file, you will get something similar to this:
Bag Attributes
    friendlyName: Some Client
    localKeyID: 54 69 6D 65 20 31 33 31 39 36 31 38 34 32 32 39 35 32
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,817562795A654075

hpuSl4g0py5e1l0AyIPYRqKxua... <some Base64 text lines>
-----END RSA PRIVATE KEY-----
9. Generate a new Certificate Signing Request (CSR). It is mandatory to enter a Common Name when requested:
sudo openssl req -days 3650 -new -key bscvpn/client.key -out bscvpn/client.csr
10. Send the generated .csr file to your provider in order to get a signed certificate. They will send you back a file named client.crt.
11. Copy the client.crt file that you received from the administrator into the /etc/openvpn/bscvpn/ folder.
12. Installation is complete. Start OpenVPN to access the newly created IPs through the VPN:
cd /etc/openvpn
sudo openvpn --config vpn.conf --script-security 3 &