Revision 6870
Added by Matt Jones over 12 years ago
replication.rst | ||
---|---|---|
61 | 61 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
62 | 62 |
To add, remove, or alter servers on your home server's Replication list, or to |
63 | 63 |
activate and customize the Delta-T handler, use the Replication control panel, |
64 |
which is accessed at the following URL:: |
|
64 |
which is accessed via the Metacat Administration interface at the following URL::
|
|
65 | 65 |
|
66 |
http://somehost.somelocation.edu/context/style/skins/dev/replControl.html
|
|
66 |
http://somehost.somelocation.edu/context/admin
|
|
67 | 67 |
|
68 | 68 |
"http://somehost.somelocation.edu/context" should be replaced with the name |
69 | 69 |
of your Metacat server and context (e.g., http://knb.ecoinformatics.org/knb/). |
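Review bot: with the control panel moved to the ``/context/admin`` URL at new line 66, the text should say whether the old ``style/skins/dev/replControl.html`` page dropped at old line 66 is still served; if it is, administrators need to know to restrict or remove it, because new lines 63-64 now present the Administration interface as the only way to alter the Replication list and activate the Delta-T handler.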
... | ... | |
79 | 79 |
remove a replication server after replication has occurred is to remove the |
80 | 80 |
certificates. |
81 | 81 |
|
82 |
Also note that you must SCP partner certificates to your machine; you cannot |
|
83 |
use the "Download Certificate from" option on the Control Panel. For more |
|
84 |
information about creating and installing certificates, please see Generating |
|
85 |
and Exchanging Security Certificates. |
|
86 |
|
|
87 | 82 |
Generating and Exchanging Security Certificates |
88 | 83 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
89 | 84 |
Before you can take advantage of Metacat's replication feature, you must |
90 | 85 |
generate security certificates on both the replication partner and home servers. |
91 |
The certificates will be exchanged so that each machine understands that the |
|
92 |
other has replication access. |
|
86 |
Depending on how the certificates are generated, the certificates may need to be |
|
87 |
exchanged so that each machine "trusts" that the other has replication access. |
|
88 |
Certificates that are purchased from a commercial and well-recognized |
|
89 |
Certificate Authority do not need to be exchanged with the other replication |
|
90 |
partner before replication takes place. Metacat replication relies on SSL with |
|
91 |
client certificate authentication enabled. When a replication partner server |
|
92 |
communicates with another replication partner, it presents a certificate that |
|
93 |
serves to verify and authenticate that the server is trusted. |
|
93 | 94 |
|
94 |
The process for generating certificates is different for Metacat servlets |
|
95 |
running under Tomcat and those under Tomcat/Apache (the recommended configuration). |
|
96 |
For instructions on generating and exchanging certificates on systems running |
|
97 |
only Tomcat (and Java 6), see Generating a Certificate for Tomcat standalone |
|
98 |
(no Apache). |
|
95 |
If you must generate a self-signed certificate, the partner replication server |
|
96 |
will need the public certificate added to its existing Certificate Authorities. |
|
99 | 97 |
|
100 | 98 |
Generate Certificates for Metacat running under Apache/Tomcat |
101 | 99 |
............................................................. |
102 | 100 |
Note: Instructions are for Ubuntu/Debian systems. |
103 | 101 |
|
104 |
1. Generate a certificate key using openssl. The key will be named
|
|
102 |
1. Generate a private key using openssl. The key will be named
|
|
105 | 103 |
``<hostname>-apache.key``, where ``<hostname>`` is the name of your Metacat |
106 | 104 |
server. Example values for the individual key fields are included in the |
107 | 105 |
table below. |
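Review bot: new lines 88-93 say a certificate from a well-recognized Certificate Authority needs no exchange and that the presented certificate "serves to verify and authenticate that the server is trusted", but a CA-signed certificate only proves the peer's identity, not that it is an authorized replication partner; the paragraph should state how Metacat ties an authenticated peer to the servers entered on the Replication list (the control panel described at lines 62-64), otherwise it reads as if any holder of a commercially issued certificate is trusted for replication. Also, old lines 82-85 (partner certificates must be SCP'd; the "Download Certificate from" option cannot be used) are deleted with no replacement; if that option still appears on the Control Panel, keep a sentence about it.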
... | ... | |
144 | 142 |
you'd like, but keep in mind that the file will be sent to the partner |
145 | 143 |
machine used for replication. The certificate name should have enough |
146 | 144 |
meaning that someone who sees it on that machine can figure out where it |
147 |
came from. |
|
145 |
came from and for what purpose it should be used.
|
|
148 | 146 |
|
149 |
3. Enter the certificate into Apache's security configuration. You must |
|
147 |
3. Enter the certificate into Apache's security configuration. This will |
|
148 |
be used to identify your server to a replication partner. You must |
|
150 | 149 |
register the certificate in the local Apache instance. Note that the |
151 | 150 |
security files may be in a different directory from the one used in the |
152 | 151 |
instructions depending on how you installed Apache. Copy the certificate and |
... | ... | |
157 | 156 |
sudo cp <hostname>-apache.crt /etc/ssl/certs |
158 | 157 |
sudo cp <hostname>-apache.key /etc/ssl/private |
159 | 158 |
|
160 |
4. Apache needs to know about Metacat SSL. The helper file named "knb-ssl" has |
|
161 |
rules that tell Apache which traffic to route to the Metacat SSL port. Set up |
|
162 |
SSL by dropping the knb-ssl file into the sites-available directory and |
|
163 |
running ``a2ensite`` to enable the site: |
|
159 |
4. Apache needs to be configured to request a “client certificate” when the |
|
160 |
replication API is utilized. The helper file named "knb-ssl" has default |
|
161 |
rules that configure Apache for SSL and client certificate authentication. |
|
162 |
Set up these SSL settings by copying the knb-ssl file into the ``sites-available`` |
|
163 |
directory, editing pertinent values to match your system and running |
|
164 |
``a2ensite`` to enable the site. (Note: some settings in knb-ssl need to be |
|
165 |
changed to match the specifics of your system.) |
|
164 | 166 |
|
165 | 167 |
:: |
166 | 168 |
|
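Review bot: the context lines 156-157 copy ``<hostname>-apache.key`` into ``/etc/ssl/private`` with a plain ``sudo cp``, so the step should also say the key must end up readable only by root (for example ``sudo chmod 600`` on the copied file), since cp gives the destination the source file's mode rather than the directory's. Separately, new lines 162-165 state twice that knb-ssl values must be edited to match the system ("editing pertinent values to match your system" and the parenthetical Note); drop one, and name which settings need changing, because the new description of client certificate authentication at lines 159-161 gives the reader nothing concrete to look for in the file.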
... | ... | |
173 | 175 |
|
174 | 176 |
sudo /etc/init.d/apache2 restart |
175 | 177 |
|
176 |
6. SCP ``<hostname>-apache.crt`` to the replication partner machine. |
|
178 |
6. If using a self-signed certificate, SCP ``<hostname>-apache.crt`` to the |
|
179 |
replication partner machine where it will be added as an additional |
|
180 |
Certificate Authority. |
|
177 | 181 |
|
178 |
Generating a Certificate for Tomcat standalone (no Apache) |
|
179 |
.......................................................... |
|
180 |
If you are running Metacat under Tomcat (no Apache), generate keys in the Java |
|
181 |
default key store. The generated key is placed into the binary certificate's |
|
182 |
file located at ``/etc/java-1.5.0-sun/security/cacerts``. |
|
182 |
If using self-signed certificates, after you have created and SCP'd a |
|
183 |
certificate file to each replication partner, and received a certificate file |
|
184 |
from each partner in return, both home and partner servers must add the |
|
185 |
respective partner certificates as Certificate Authorities. |
|
183 | 186 |
|
184 |
1. Generate the key by running the following command (note that you must be |
|
185 |
logged in as the root user to use the keytool): |
|
186 |
|
|
187 |
:: |
|
188 |
|
|
189 |
keytool -genkey -alias <aliasname> -keyalg RSA -validity 800 -keystore /etc/java-1.6.0-sun/security/cacerts |
|
190 | 187 |
|
191 |
``<aliasname>`` is a unique name that you choose for this key. Something |
|
192 |
like "<hostname-tomcat>" might be appropriate, where ``<hostname-tomcat>`` |
|
193 |
is the name of the Metacat host. |
|
194 |
|
|
195 |
2. The Password-keytool will ask for a password. If writing to a pre-existing |
|
196 |
keystore, you must know the password. If you are creating a new keystore, |
|
197 |
the password you enter will become the keystore password. |
|
198 |
|
|
199 |
Sample values when creating certificate: |
|
200 |
|
|
201 |
:: |
|
202 |
|
|
203 |
What is your first and last name? myserver.nceas.ucsb.edu (note: use the host name without port number) |
|
204 |
What is the name of your organizional unit? NCEAS |
|
205 |
What is the name of your organizional unit? UCSB |
|
206 |
What is the name of your City or Locality? Santa Barbara |
|
207 |
What is the name of your State or Province? California (note: this is spelled in full) |
|
208 |
What is the two-letter country code for this unit? US |
|
209 |
|
|
210 |
3. Create a certificate by running the command: |
|
211 |
|
|
212 |
:: |
|
213 |
|
|
214 |
keytool -export -alias <aliasname> -file <outputfile>.cert -keystore /etc/java-1.6.0-sun/security/cacerts |
|
215 |
|
|
216 |
``<aliasname>`` is the same name you used when you created the key file. A |
|
217 |
file named ``<outputfile>.cert`` will be created in the directory from which |
|
218 |
you ran the keytool command. You can name the output file anything you like, |
|
219 |
but keep in mind that it will be sent to the partner machine used for |
|
220 |
replication. The filename should have enough meaning that someone who sees |
|
221 |
it on that machine can figure out where it came from. Again, something like |
|
222 |
"<hostname>-tomcat.cert" will suffice. |
|
223 |
|
|
224 |
4. Edit the Tomcat server file at ``$TOMCAT_HOME/conf/server.xml`` to enable |
|
225 |
SSL in Tomcat. |
|
226 |
|
|
227 |
* Uncomment the section that starts with "<Connector port="8443" ... |
|
228 |
(Note: Databased Information comments start with <!-- and end with -->). |
|
229 |
|
|
230 |
* Add two attribute to that section: |
|
231 |
|
|
232 |
:: |
|
233 |
|
|
234 |
keystoreFile="/etc/java-1.6.0-sun/security/cacerts" |
|
235 |
keystorePass="<keystore_password>" |
|
236 |
|
|
237 |
where ``<keystore_password>`` is the password you used when you created |
|
238 |
or accessed the keystore. |
|
239 |
|
|
240 |
5. SCP the certificate to the partner server. |
|
241 |
|
|
242 | 188 |
To import a certificate |
243 | 189 |
....................... |
244 |
1. Log in as a root user (the keytool must run as a root user)
|
|
190 |
1. Copy it into the Apache directory
|
|
245 | 191 |
|
246 | 192 |
:: |
247 | 193 |
|
248 |
sudo su –
|
|
194 |
sudo cp <remotehostfilename> /etc/ssl/certs/
|
|
249 | 195 |
|
250 |
2. Import the remote certificate by running:
|
|
196 |
2. Rehash the certificates for Apache by running:
|
|
251 | 197 |
|
252 | 198 |
:: |
253 | 199 |
|
254 |
keytool -import -alias <remotehostalias> -file <remotehostfilename>.crt -keystore /etc/java-1.6.0-sun/security/cacerts |
|
200 |
cd /etc/ssl/certs |
|
201 |
sudo c_rehash |
|
255 | 202 |
|
203 |
|
|
256 | 204 |
where the ``<remotehostfilename>`` is the name of the certificate file |
257 | 205 |
created on the remote partner machine and SCP'd to the home machine. |
258 |
The ``<remotehostalias>`` is the name the certificate will use in the |
|
259 |
keystore. The name should identify the remote host. |
|
260 | 206 |
|
261 | 207 |
Update your Metacat database |
262 | 208 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
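Review bot: new lines 190-201 make the partner's self-signed certificate a trusted CA by placing it in ``/etc/ssl/certs`` and rehashing, which trusts it for every mod_ssl consumer of that directory, not only the replication API; consider a dedicated CA directory for replication partners referenced from knb-ssl, and say so at new lines 182-185 where the mutual exchange is described. At lines 200-201 the ``cd /etc/ssl/certs`` has no effect on ``c_rehash``, which hashes the OpenSSL default certificate directory (or ``$SSL_CERT_DIR``) rather than the working directory, so write ``sudo c_rehash /etc/ssl/certs`` to make the target explicit. Also, new line 194 copies ``<remotehostfilename>`` with no extension where the removed line 254 used ``.crt``; c_rehash only hashes files with an extension it recognizes (``.pem`` in every version, ``.crt`` only in newer ones), so the text at 204-205 should state the expected extension.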
... | ... | |
272 | 218 |
To update your Metacat database to use replication, select the "Add this server" |
273 | 219 |
radio button from the Replication Control Panel, enter the partner server name, |
274 | 220 |
and specify how the replication should occur (whether to replicate xml, data, |
275 |
or use the local machine as a hub). Note that you cannot download certificates |
|
276 |
using this interface. |
|
221 |
or use the local machine as a hub). |
|
277 | 222 |
|
278 | 223 |
To update the database using SQL |
279 | 224 |
................................ |
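Review bot: old lines 275-276 ("Note that you cannot download certificates using this interface") are removed without saying whether the download option itself was removed from the Replication Control Panel; if the option is still present in the interface described at new lines 218-221, the warning should stay, since the preceding sections now describe manual copying of certificates as the only exchange path.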
Merged most recent changes from trunk into the RST converted version of the Administrator's Guide. Now the Sphinx/RST version is up to date relative to the most recent word document, and is now the active copy. The MS Word document will be deprecated and removed. All future changes should be made to the RST version.