Note: This version of the VDT (1.5.0) is no longer supported. Feel free to look through the documentation and install it, but we cannot guarantee support for it. The current stable release is 2.0.0.
In a normal VDT installation, Globus-WS is configured to run as a container on a non-standard port. Apache is configured to listen on the port that Globus-WS normally uses; this allows the VDT to install two versions of Tomcat and run multiple web services on one machine, all using the same port. For more information about how Apache is used as a front-end to Tomcat, please see the documentation on Apache Jakarta Tomcat Connectors.
The following guide allows Globus-WS to run as a web service in Tomcat, so that clients can access it using the standard port number. Please note that one must be root in order to complete this setup.
This is an unsupported, last-minute feature in the VDT, and we make no guarantees that the following will work. In the future, this feature will be much easier and better integrated into the VDT installation process.
The VDT provides a special Axis handler for Tomcat that extracts certificate and identity information sent by Apache and provides Globus-WS access to it in the request. You can install it by issuing the following command after you have installed Apache, Globus-WS, and Tomcat-5.
cd $VDT_LOCATION
pacman -get :Globus-Tomcat-Handler
There is now a switch in the VDT's Globus configuration script that prepares the Apache and Tomcat configuration files to allow Globus-WS to run. For more information about Globus' deployment process for Tomcat, please see the Globus documentation on Deploying into Tomcat.
$VDT_LOCATION/vdt/setup/configure_globus_ws --tomcat-install
Before starting Apache, Apache's SSL certificate and key need to be changed to be the same as the certificate and key used by the Globus-WS container. This allows Globus-WS clients to authenticate with Apache and have the appropriate certificate information passed to Tomcat. This is not performed automatically by the configuration script in the previous step because it is possible that this will break other VDT-supported web services running in Tomcat.
In Apache's SSL configuration file ($VDT_LOCATION/apache/conf/extra/httpd-ssl.conf), change the following lines from:
SSLCertificateFile /etc/grid-security/http/httpcert.pem
SSLCertificateKeyFile /etc/grid-security/http/httpkey.pem
to:
SSLCertificateFile /etc/grid-security/containercert.pem
SSLCertificateKeyFile /etc/grid-security/containerkey.pem
Globus-WS runs as user globus when running as a standalone container. When running in Tomcat, however, Globus-WS runs as the same user as the Tomcat server, which is normally daemon. Thus, the ownership of the container certificate and key and of the persistence directory for application data must be changed to daemon. The ownership of the entire Globus-WS installation directory ($VDT_LOCATION/globus/) also needs to be changed to daemon. Please note that it may be possible to selectively change ownership in $VDT_LOCATION/globus/, but we have not tested to see which files need to change and which do not.
Note that this step does not apply if the system did not have a globus user to begin with.
chown daemon:daemon /etc/grid-security/container*
chown daemon:daemon $VDT_LOCATION/vdt-app-data/globus/persisted/
chown -R daemon:daemon $VDT_LOCATION/globus/
The Globus-Tomcat documentation states that one can provide an alternative CA certificates directory using the cacertdir directive in Tomcat's server configuration file. We have observed in our testing that this does not work and that Globus-WS always defaults to /etc/grid-security/certificates/. Therefore, if the certificates are installed locally, they will need to be copied into the directory where Globus-WS looks for them.
cp -r $GLOBUS_LOCATION/TRUSTED_CA/* /etc/grid-security/certificates/
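Before starting the services, the certificate, ownership and CA directory changes above can be verified with a few shell checks. This is an added example, not part of the VDT or Globus tooling; the function names are hypothetical, and the private-key permission check is an extra that the steps above do not mention.

```shell
#!/bin/sh
# Added example: pre-start checks for the steps on this page. Function names are
# hypothetical; paths are arguments so the checks can be tried on constructed files.

# Print the value of an Apache directive (commented lines ignored, last one wins).
directive() {  # directive NAME CONF
    awk -v d="$1" '$1 == d { v = $2 } END { print v }' "$2"
}

# Apache must present the same certificate and key as the Globus-WS container.
check_ssl_conf() {  # check_ssl_conf CONF CERT KEY
    [ "$(directive SSLCertificateFile "$1")" = "$2" ] &&
    [ "$(directive SSLCertificateKeyFile "$1")" = "$3" ]
}

# The path must be owned by the user Tomcat runs as.
check_owner() {  # check_owner PATH USER
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Extra check, not a step on the page: the key grants nothing to group or other.
check_key_private() {  # check_key_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The CA directory Globus-WS reads must exist and contain at least one entry.
check_ca_dir() {  # check_ca_dir DIR
    [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

preflight() {  # preflight CONF CERT KEY USER CADIR PERSISTED
    rc=0
    check_ssl_conf "$1" "$2" "$3" || { echo "FAIL: $1 does not use $2 and $3"; rc=1; }
    for f in "$2" "$3" "$6"; do
        check_owner "$f" "$4" || { echo "FAIL: $f is not owned by $4"; rc=1; }
    done
    check_key_private "$3" || { echo "FAIL: $3 is accessible to group or other"; rc=1; }
    check_ca_dir "$5" || { echo "FAIL: $5 is missing or empty"; rc=1; }
    return $rc
}

# Demo on constructed files (empty placeholders, not real credentials).
demo() {
    d=$(mktemp -d) && mkdir "$d/ca" "$d/persisted" && touch "$d/cert.pem" "$d/key.pem" "$d/ca/0.0"
    chmod 600 "$d/key.pem"; me=$(ls -ld "$d" | awk '{ print $3 }')  # current user
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$d/cert.pem" "$d/key.pem" > "$d/ssl.conf"
    preflight "$d/ssl.conf" "$d/cert.pem" "$d/key.pem" "$me" "$d/ca" "$d/persisted"
}
```

On the real host, run preflight as root with httpd-ssl.conf, the container certificate and key, daemon, /etc/grid-security/certificates/ and the persisted directory from the steps above. A non-zero exit status means at least one step still needs attention.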
Now start the following services in this order. Any startup error messages from Globus-WS will appear in the standard Tomcat output file ($VDT_LOCATION/tomcat/v5/logs/catalina.out).
$VDT_LOCATION/post-install/mysql start
$VDT_LOCATION/post-install/apache start
$VDT_LOCATION/post-install/tomcat-5 start
To test Globus-WS running in Tomcat, follow the simple testing procedures outlined in the Submitting Jobs to Web Service GRAM guide. The alternative port is no longer necessary when submitting jobs using globusrun-ws.