Menu
▾
▴
[Unicore-cvs-commits] SF.net SVN: unicore:[6665] gateway/trunk
|
From: <bsc...@us...> - 2010-03-22 08:36:54
|
Revision: 6665
http://unicore.svn.sourceforge.net/unicore/?rev=6665&view=rev
Author: bschuller
Date: 2010-03-22 08:36:47 +0000 (Mon, 22 Mar 2010)
Log Message:
-----------
switch documentation and changelog to asciidoc
Modified Paths:
--------------
gateway/trunk/Changes.txt
Added Paths:
-----------
gateway/trunk/docs/gateway-doc.txt
Removed Paths:
-------------
gateway/trunk/docs/GW.doc
gateway/trunk/docs/screenshot.png
Property Changed:
----------------
gateway/trunk/docs/
Modified: gateway/trunk/Changes.txt
===================================================================
--- gateway/trunk/Changes.txt 2010-03-22 08:27:19 UTC (rev 6664)
+++ gateway/trunk/Changes.txt 2010-03-22 08:36:47 UTC (rev 6665)
@@ -1,8 +1,15 @@
-#
-# Change log for the UNICORE 6 Gateway
-#
+Change log for the UNICORE 6 Gateway
+====================================
+6.3.1
+-----
+
+ - fix "ping" to https VSites, avoiding the (harmless) "close notify" exceptions on the VSite
+ - convert documentation (and change log) to asciidoc format
+
6.3.0
+-----
+
- a new implementation of POST method processing, faster and less error prone, fixed bug 2547272
- SOAP faults are now standard complaint.
- Chunked HTTP dispatch is really configurable now (config option was ignored up to now, and
@@ -23,10 +30,14 @@
- bugfix: vsites can be removed from connections.properties now without requiring a gateway restart
6.2.2
+-----
+
- allow to configure HTTP protocol details ("connection: close" and
"Expect: continue")
6.2.1
+-----
+
- forward VSite HTTP error code to the client when doing HTTP PUT
- log all connection attempts (client IPs) at debug level
- allow to disable site details on the web page ("monkey page")
@@ -34,6 +45,8 @@
- minor code cleanup
6.2.0
+-----
+
- improved logging. All loggers have prefix "unicore.gateway", and the logging file
config is periodically checked for changes. Exceptions are logged in a nicer fashion.
The connecting client is logged at DEBUG level.
@@ -45,17 +58,23 @@
- update to Jetty 6.1.15
6.1.3
+-----
+
- experimental support for "gateway plugins", for tunneling other protocols through the
established SSL connection to the gateway
- update to httpclient 3.1 final
- initial support for CRL checking (through new version of securityLibrary)
6.1.2 p1
+--------
+
- fix IllegalStateException
- log everything to gateway.log (through log4j)
- simplify Vsite resolution (now only checks the site name)
6.1.2
+-----
+
- package renaming to eu.unicore.gateway
- AJP support
- bind to specified interface only
@@ -63,6 +82,7 @@
- send 404 if GET request cannot be resolved, or is not for the GW web page ("/")
6.1.1
+-----
- pluggable proxy validation
- update Jetty to 6.1.8
@@ -70,39 +90,43 @@
- add optional NIO connector (activate using "jetty.useNIO=true" in gateway.properties)
6.1
+---
-- move to Jetty 6
-- remove code that is not strictly necessary
-- clean up dependencies (e.g. activesoap, commons-io, etc)
-- standardise directory structure and build procedures
-- registration of Vsites
-- connections.properties modifications take effect at runtime
-- use log4j logging framework
+ - move to Jetty 6
+ - remove code that is not strictly necessary
+ - clean up dependencies (e.g. activesoap, commons-io, etc)
+ - standardise directory structure and build procedures
+ - registration of Vsites
+ - connections.properties modifications take effect at runtime
+ - use log4j logging framework
6.0.0 rc1:
+----------
--fix bugs in parsing security headers
--accept more credentials in security header
--SAML Consignor token is inserted as the 1st child of SOAP Header. For unauthenticated
-connections such assertion DOESN'T include Subject.
--old-style Unigrids security tokens (U/E/C) are now not mandatory and warning is
-issued when they are found at log level info.
--stop.sh and start.sh can be invoked from any directory
--there is possibility to configure if the consignor assertion should be signed
-(and it's time thereshold).
--add Maven build
+ - fix bugs in parsing security headers
+ - accept more credentials in security header
+ - SAML Consignor token is inserted as the 1st child of SOAP Header. For unauthenticated
+ connections such assertion DOESN'T include Subject.
+ - old-style Unigrids security tokens (U/E/C) are now not mandatory and warning is
+ issued when they are found at log level info.
+ - stop.sh and start.sh can be invoked from any directory
+ - there is possibility to configure if the consignor assertion should be signed
+ (and it's time thereshold).
+ - add Maven build
6.0.0 beta1:
+------------
--use latest codebase
--fix concurrency problems
--add dynamic registration
--fix missing "xmls" dir in distribution which led to "500 internal server error"
+ - use latest codebase
+ - fix concurrency problems
+ - add dynamic registration
+ - fix missing "xmls" dir in distribution which led to "500 internal server error"
6.0.0 alpha7:
+-------------
--change default config dir from etc/ to conf/
--replace hardcoded "/" by File.separator
--make logging properties configurable
+ - change default config dir from etc/ to conf/
+ - replace hardcoded "/" by File.separator
+ - make logging properties configurable
Property changes on: gateway/trunk/docs
___________________________________________________________________
Added: svn:ignore
+ gateway-doc.html
Deleted: gateway/trunk/docs/GW.doc
===================================================================
(Binary files differ)
Added: gateway/trunk/docs/gateway-doc.txt
===================================================================
--- gateway/trunk/docs/gateway-doc.txt (rev 0)
+++ gateway/trunk/docs/gateway-doc.txt 2010-03-22 08:36:47 UTC (rev 6665)
@@ -0,0 +1,452 @@
+UNICORE Gateway
+===============
+
+This is a brief introduction to running and using the UNICORE 6 gateway.
+Please note also the following places for getting more information:
+
+UNICORE Website: http://www.unicore.eu
+
+Support list: uni...@li...
+
+Developer's list: uni...@li...
+
+Introduction
+------------
+
+The Gateway is the entry point into a UNICORE site. It is installed in
+front of any networking firewall. It authenticates incoming messages
+and forwards them to their intended destination. The following figure
+shows how a client request to the UNICORE virtual site (Vsite) “Alpha”
+is resolved and forwarded. The gateway receives the reply and sends it
+back to the client.
+
+In effect, traffic to the “virtual” URL, e.g.
+“https://mygateway:8088/Alpha” is forwarded to the real URL, e.g.
+“https://host1:7777”. In this way, only a single open port in a
+site's firewall has to be configured. (Technical note: this process
+only works for “most” HTTP requests (i.e. POST, GET and PUT), and is
+not a complete HTTP reverse proxy implementation).
+
+The mappings of virtual URL to real URL for the available sites are
+listed in a configuration file “connections.properties”.
+Additionally, the gateway supports dynamic registration of sites.
+
+The second functionality of the gateway is authentication of incoming
+requests. Connections to the gateway are made using
+client-authenticated SSL, so the gateway will check whether the caller
+presents a certificate issued by a trusted authority.
+
+Configuration
+-------------
+
+The gateway is configured using a set of configuration files, which
+usually reside in the /conf subdirectory.
+
+connections.properties
+~~~~~~~~~~~~~~~~~~~~~~
+This is a simple list connecting the names of sites and their physical addresses.
+An example is:
+
+----
+DEMO-SITE = https://localhost:7777
+REGISTRY = https://localhost:7778
+----
+
+If this file is modified, the gateway will re-read it at runtime, so there is no need to
+restart the gateway in order to add or remove sites.
+
+Additionally sites may register dynamically at runtime.
+
+gateway.properties
+~~~~~~~~~~~~~~~~~~
+
+Use the “hostname” property to configure the network interface and
+port the gateway will listen on, and to select between https (recommended!) and http.
+
+----
+hostname = https://localhost:8080
+----
+
+NOTE: If you set the host to “0.0.0.0”, the gateway will listen on all network interfaces
+of the host machine, else it will listen only on the specified one.
+
+If the scheme of the hostname URL is set to https, the Gateway uses the configuration
+data from security.properties to configure the HTTPS listener.
+
+security.properties
+~~~~~~~~~~~~~~~~~~~
+
+----
+keystore=/keystore/path
+keystorepassword=xxx
+truststore=/truststore/path
+truststorepassword=xxx
+----
+
+The gateway supports the usual JKS (.jks) and PKCS12 (.p12)
+keystore / truststore types. These are determined automatically using
+the file extension.
+
+As truststore types, you may also use “file” or “directory” by explicitely setting
+the “truststoretype” parameter. In case of “file”, the “truststore” parameter is
+assumed to denote a single file containing trusted certificates in PEM format. In case
+of “directory”, the truststore setting is assumed to denote a directory. This directory
+will be scanned for files in PEM format (having the file extension “.pem” or “.cert”),
+which will be loaded as trusted certs. For example, to load all the pem files
+in /etc/security/trusted, you can set
+
+----
+truststore=/etc/security/trusted
+truststoretype=directory
+----
+
+*CRL checking*
+
+The gateway supports CRL checking if the CRLs are available as local files or on the network.
+To enable CRL checking, you need to edit the gateway start.sh script and set a system property:
+
+----
+OPTS=$OPTS” -Dcrlmanager.properties.file=<path to properties file>”
+----
+
+Windows note: you can set system properties in the wrapper.conf file.
+
+The properties file contains the following settings:
+
+----
+#crl checking mode: STRICT, LAX or NONE
+crlcheck.mode = LAX
+
+#update interval in seconds
+crlcheck.interval = 86400
+
+# list of URLs to CRLs
+1.crl.url = http://ca.grid-support.ac.uk/pub/crl/ca-crl.crl
+2.crl.url = file:///path/to/local/CRLFile
+----
+
+In LAX mode, CRLs are checked but it is not an error if for a given certificate no CRL has
+been loaded. In STRICT mode, a CRL must be checked for each certificate. Finally, NONE means
+no CRL checking. The update interval is given in seconds. The CRL location is given as a URL.
+Local files, HTTP servers, anonymous FTP etc can be used for CRL distribution.
+
+NOTE: currently HTTPS connections will use the usual Java security, so it might be necessary
+ to add the CRL server certificate to the Java truststore (i.e. the Gateway truststore
+ is not used for this purpose).
+
+
+Dynamic registration of Vsites
+++++++++++++++++++++++++++++++
+
+Dynamic registration is controlled by three properties in gateway.properties
+
+----
+registration.enable=true
+----
+
+If set to true, the gateway will accept dynamic registrations which are made by
+sending a HTTP POST request to the URL /VSITE_REGISTRATION_REQUEST
+
+Filters can be set to forbid access of certain hosts, or to require certain strings
+in the Vsite addresses. For example
+
+----
+registration.deny=foo.org example.org
+----
+
+will deny registration if the remote hostname contains “foo.org” or “example.org”.
+Conversely,
+
+----
+registration.allow=mydomain.org
+----
+
+will only accept registrations if the remote address contains “mydomain.org”.
+These two (deny and allow) can be combined.
+
+
+Disabling the detailed Vsite listing (monkey page)
+++++++++++++++++++++++++++++++++++++++++++++++++++
+
+To disable the Vsite details page, set
+
+----
+#disable details display on the web page
+webpage.disable=true
+----
+
+Server parameters
++++++++++++++++++
+
+To fine-tune the operational parameters of the embedded Jetty server, you can set some properties. These are the defaults:
+
+----
+#minimum number of threads
+jetty.minThreads=1
+#maximum number of threads
+jetty,maxThreads=255
+#time after which an idle connection will be terminated
+jetty.maxIdleTime=3000
+#same, but under low resource conditions
+jetty.lowResourceMaxIdleTime=100
+#low resource threshold
+jetty.lowThreads=50
+----
+
+You can use the non-blocking IO connector offered by Jetty:
+
+NOTE: due to a known issue (see http://jira.codehaus.org/browse/JETTY-387) the
+NIO connector has been reported to not work properly for large messages (e.g.
+when transfering files using BFT). Therefore we currently discourage the use
+of the NIO connector until this issue is resolved.
+
+To enable the use of the NIO connector, set
+
+----
+#use NIO connector
+jetty.useNIO=true
+----
+
+This will scale up to higher numbers of concurrent connections than the default connector.
+
+Controlling the number of concurrent connections
+++++++++++++++++++++++++++++++++++++++++++++++++
+
+The gateway acts as a https client for the VSites behind it.
+The number of concurrent calls is limited, and controlled by two parameters
+
+----
+# maximum total number of concurrent calls to Vsites
+http.connection.maxTotal=100
+# total number of concurrent calls per site
+http.connection.maxPerService=20
+----
+
+Proxy certificate support
++++++++++++++++++++++++++
+
+UNICORE optionally supports proxy certificates as used by other Grid middleware systems.
+In general, we think proxies are a bad idea, but for interoperability purposes, proxies
+are supported as an extension. To enable the proxy certificate support,
+
+----
+#enable proxy authentication
+proxyAuthentication=true
+#optional validator class name (default: eu.unicore.proxy.RFC3820ProxyValidator)
+proxyValidator=<class name>
+-----
+
+You need to install the necessary extension libraries into the gateway lib directory.
+The proxy extension is available separately from Sourceforge, if in doubt, ask on the
+UNICORE support or development mailing lists.
+
+AJP Connector for using Apache httpd as a frontend
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you wish to use the Apache webserver (httpd) as a frontent for the gateway (e.g. for security or
+fault-tolerance reasons), you can enable the AJP connector instead of the usual one.
+
+*Requirements*
+
+ - Apache httpd
+ - mod_jk for Apache httpd
+
+*Enabling AJP13 Gateway with Jetty and mod_jk*
+
+Enable "mod_ssl" module in httpd configuration files, for instance "ssl.conf":
+
+----
+ LoadModule ssl_module modules/mod_ssl.so
+ Listen 443
+----
+
+Enable "mod_jk" module in httpd configuration files, for instance "jk.conf":
+
+----
+ LoadModule jk_module modules/mod_jk.so
+ JkWorkersFile "conf.d/worker.properties"
+----
+
+Define a "mod_jk" worker, to dialog with Gateway's AJP connector, in
+"worker.properties" configuration file as referred in the above "jk.conf":
+
+----
+ worker.list=jetty
+ worker.jetty.port={{gateway_port}}
+ worker.jetty.host={{gateway_ip}}
+ worker.jetty.type=ajp13
+ worker.jetty.lbfactor=1
+----
+
+Configure a httpd virtual SSL host, dedicated to act as Gateway's frontend,
+in the httpd configuration files, for instance "unicore.conf". This virtual host
+lets the "mod_jk" worker defined above in "worker.properties", manage all the
+requests received and forwards the full client's certificate chain:
+
+----
+ # Apache VirtualHost configuration to serve as frontend
+ # for an "AJP connector enabled" UNICORE6 Gateway
+ <VirtualHost {{frontend_ip}}:{{frontend_port}}>
+ # Pass every request on this VirtualHost to the jetty worker
+ # defined in mod_jk's worker properties file.
+ JkMount /* jetty
+ # Pass SSL_CLIENT_CERT environment variable to the AJP connector
+ JkOptions +ForwardSSLCertChain
+
+ # Log
+ ErrorLog "logs/unicore_error_log"
+ TransferLog "logs/unicore_access_log"
+ JkLogFile "logs/unicore_mod_jk.log"
+
+ # Enable SSL
+ SSLEngine on
+
+ # Export SSL-related environment variables, especially SSL_CLIENT_CERT
+ # which contains client's PEM-encoded certificate
+ SSLOptions +StdEnvVars +ExportCertData
+
+ # Client have to present a valid certificate
+ SSLVerifyClient require
+
+ # Server certificate
+ SSLCertificateFile "{{/path/to/httpd_cert.pem}}"
+ SSLCertificateKeyFile "{{/path/to/httpd_key.pem}}"
+
+ # Trusted CAs
+ SSLCACertificateFile "{{/path/to/cacert.pem}}"
+ </VirtualHost>
+----
+
+On the Gateway, enable Jetty AJP connector instead of its HTTP connector in Gateway
+configuration file "gateway.properties":
+
+----
+ #enable AJP connector
+ jetty.ajp=true
+----
+
+*External references*
+
+ - Configuring AJP13 using mod_jk or mod_proxy_ajp - Jetty
+ http://docs.codehaus.org/display/JETTY/Configuring+AJP13+Using+mod_jk
+
+ - The Apache Tomcat Connector - Webserver HowTo
+ http://tomcat.apache.org/connectors-doc/webserver_howto/printer/apache.html
+
+Gateway plugins
+~~~~~~~~~~~~~~~
+The gateway supports tunneling other protocols through its socket. This is still experimental, so use at your own risk.
+To establish the tunnel, a special HTTP message is sent to the gateway:
+
+----
+HEAD / HTTP/1.1
+Upgrade: YOURPROTOCOLNAME
+----
+
+the method must be “HEAD”, and the message must contain the “Upgrade” header.
+The gateway replies:
+
+----
+HTTP/1.1 101 Switching protocols
+Upgrade: YOURPROTOCOLNAME
+----
+
+After this the gateway's socket connection is passed to a custom handler,
+which can read data from the client and write replies. The handler can be
+configured in gateway.properties:
+
+----
+protocolPlugin.YOURPROTOCOLNAME=your.handler.classname
+----
+The handler class must implement the eu.unicore.gateway.util.ProtocolPluginHandler
+interface. For more details please refer to the sourcecode of the plugin interface class.
+
+logging.properties
+~~~~~~~~~~~~~~~~~~
+
+The Gateway uses Log4j for logging, configured using a properties file (conf/logging.properties).
+Edit this file if you need to change the granularity of the logging, or where the logs are written to.
+By default, the logs are written to files in the logs folder, and files are rolled over daily.
+Since the 6.2.0 release, you change the log levels at runtime by editing and saving the configuration
+file (conf/logging.properties by default). The following logger names exist:
+
+[grid="all"]
+`-----------------------------`-------------------------------------------------------
+ unicore.gateway General gateway logging
+ unicore.gateway.connections Log IPs of clients, and the DN after the SSL handshake
+ unicore.gateway.jetty HTTP processing, Jetty server
+ unicore.gateway.security Certificate details and other security
+----
+
+Here is an example logging.properties file
+
+----
+# Set root logger level to INFO and its only appender to A1.
+log4j.rootLogger=INFO, A1
+
+# A1 is set to be a file appender with date rollover
+log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.A1.File=logs/gateway.log
+
+# configure daily rollover: once per day the log will be copied
+# to a file named e.g. gateway.log.2008-12-24
+log4j.appender.A1.DatePattern='.'yyyy-MM-dd
+
+# A1 uses the PatternLayout
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=%d [%t] %-5p %c{1} %x - %m%n
+
+# log levels
+log4j.logger.unicore.gateway=INFO
+log4j.logger.unicore.gateway.connections=INFO
+log4j.logger.unicore.gateway.jetty=INFO
+log4j.logger.unicore.gateway.security=INFO
+
+# also configure JDK (java.util.logging) logging
+handlers=java.util.logging.ConsoleHandler
+# Default global logging level.
+# Loggers and Handlers may override this level
+.level=SEVERE
+----
+
+
+Web interface ("monkey page")
+-----------------------------
+
+For testing and simple monitoring purposes, the gateway displays a website
+showing detailed site information (the details view can be disabled).
+Once the Gateway is running, open up a browser and navigate to
+https://localhost:8080 (or whichever URL the gateway is running on).
+As the gateway usually runs using SSL, you will need to import a suitable
+client certificate into your web browser.
+
+
+A HTML form for testing the dynamic registration is available as well,
+by clicking the link in the footer of the main gateway page.
+
+
+Building the Gateway from source
+--------------------------------
+To checkout the latest version of the Gateway source code, do
+
+----
+svn co http://unicore.svn.sourceforge.net/svnroot/unicore/gateway/trunk gateway
+----
+
+You will need to install Maven from http://maven.apache.org
+Compile using
+
+----
+mvn install
+----
+
+Compiles the code and runs the tests.
+
+----
+mvn assembly:assembly
+----
+
+builds distribution archives in zip and tar.gz format in the target/ directory
+
+
+
Property changes on: gateway/trunk/docs/gateway-doc.txt
___________________________________________________________________
Added: svn:mime-type
+ text/plain
Deleted: gateway/trunk/docs/screenshot.png
===================================================================
(Binary files differ)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|