Note: This version of the VDT (1.10.0) is no longer supported. Feel free to look through the documentation and install it, but we cannot guarantee support for it. The current stable release is 1.10.1.

Running VDT web services in a non-VDT Apache

The VDT installs several web services (VOMS Admin, GUMS, jClarens) that need to run under Tomcat or Apache. By default, the VDT installs and configures these servers itself and will ignore any other Apache or Tomcat installations on your system.

Some people have asked us to make the VDT recognize and use existing Apache installations like we do for Condor. Unfortunately, the web services require changes to the Apache configuration. Given the complexity of the average Apache configuration file, it's not reasonable for the VDT to modify an arbitrary config during the install. If you wish to use these web services with an existing Apache or Tomcat, you'll need to do the configuration by hand.

VOMS Admin

  1. Copy the VOMS Admin context XML file to your Tomcat 5 context directory; e.g.:
    cp $VDT_LOCATION/glite/etc/voms-admin/<VO>/voms-admin-<VO>.xml \
       $CATALINA_BASE/conf/Catalina/localhost/voms-admin-<VO>.xml
    where <VO> is the name of your VO.
  2. Add an SSL connector to your Tomcat configuration or, if you're using Apache and mod_jk, add this section to your Apache configuration:
    <Location /voms>
        SSLCACertificatePath <x509_cert_dir>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
    
    where <x509_cert_dir> is the actual value of your X509_CERT_DIR environment variable.

GUMS

  1. Create a symbolic link in your Tomcat 5 webapps directory to the GUMS web application archive file; e.g.:
    ln -s $VDT_LOCATION/gums-service/var/war $CATALINA_BASE/webapps/gums
  2. Add an SSL connector to your Tomcat configuration.
  3. If you're using Apache and mod_jk, you'll need to rebuild Apache with the GSI authentication patch available at http://www.sve.man.ac.uk/Research/AtoZ/SAMD/Resources. Vanilla Apache cannot authenticate proxy certificates because the issuer (your certificate) is not in the Apache CA list. After rebuilding Apache, add these lines to your config file:
    <Location /gums>
        SSLCACertificatePath <x509_cert_dir>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
    
    where <x509_cert_dir> is the actual value of your X509_CERT_DIR environment variable.

jClarens

  1. Copy $VDT_LOCATION/tomcat/v5/webapps/jclarens to your existing Tomcat 5 webapps directory.
  2. Create the file all.policy in your Tomcat 5 conf directory with the following contents, which grant every permission to all code running in that Tomcat:
    grant {
      permission java.security.AllPermission "", "";
    };
    
  3. Modify catalina.sh to use the new security policy. Append the following arguments to the command that starts Tomcat:
    -Djava.security.manager -Djava.security.policy="$CATALINA_BASE"/conf/all.policy
    
  4. Add an SSL connector to your Tomcat configuration or, if you're using Apache and mod_jk, add this section to your Apache configuration:
    <Location /jclarens>
        SSLCACertificatePath <x509_cert_dir>
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
    
    where <x509_cert_dir> is the actual value of your X509_CERT_DIR environment variable.
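
The <Location> blocks above are copied in by hand, so it is easy to leave the <x509_cert_dir> placeholder in place or end up with SSLVerifyClient set to something other than require. The shell function below is an added example, not part of the VDT; it checks one <Location> block of a config file against the directives listed on this page. The name check_location, the sample config and the /etc/grid-security/certificates path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the VDT: audit one <Location> block of an Apache
# config against the directives listed on this page.
# check_location CONFIG LOCATION CERT_DIR
#   prints one line per problem; returns 0 only when the block is complete.
# Simplification: directive names are matched exactly as spelled on this page.
check_location() {
    awk -v loc="$2" -v dir="$3" '
        function bad(msg) { print loc ": " msg; nbad++ }
        $1 == "<Location" && $2 == (loc ">") { inblk = 1; found = 1; next }
        inblk && $1 == "</Location>" { inblk = 0; next }
        inblk {                        # remember each directive value by name
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            val[$1] = v
        }
        END {
            if (!found) { bad("no <Location " loc "> block"); exit 1 }
            if (val["SSLCACertificatePath"] != dir)
                bad("SSLCACertificatePath is \"" val["SSLCACertificatePath"] "\", expected " dir)
            if (val["SSLVerifyClient"] != "require")
                bad("SSLVerifyClient is \"" val["SSLVerifyClient"] "\", expected require")
            if (val["SSLVerifyDepth"] !~ /^[0-9]+$/) bad("SSLVerifyDepth is not set")
            if (!index(val["SSLOptions"], "+StdEnvVars")) bad("SSLOptions lacks +StdEnvVars")
            if (!index(val["SSLOptions"], "+ExportCertData")) bad("SSLOptions lacks +ExportCertData")
            exit (nbad > 0)
        }
    ' "$1"
}

# Constructed sample config; /etc/grid-security/certificates stands in for
# the value of X509_CERT_DIR.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<Location /voms>
    SSLCACertificatePath /etc/grid-security/certificates
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData
</Location>
<Location /gums>
    SSLCACertificatePath <x509_cert_dir>
    SSLVerifyClient optional
    SSLOptions +StdEnvVars
</Location>
EOF
for loc in /voms /gums /jclarens; do
    if check_location "$sample" "$loc" /etc/grid-security/certificates; then echo "$loc: ok"; fi
done
```

To audit a real configuration, call check_location with your Apache config file, the location path, and the value of $X509_CERT_DIR.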