public:srmclientinstallation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
public:srmclientinstallation [2014-06-23 12:39] – [JAVA based portable GRID storage access tools installation (no root access required)] Joern Kuensemoellerpublic:srmclientinstallation [2017-03-08 15:27] (current) – external edit 127.0.0.1
Line 1: Line 1:
  
 ====== JAVA based portable GRID storage access tools installation (no root access required) ====== ====== JAVA based portable GRID storage access tools installation (no root access required) ======
 +
 +
 +//This page describes the procedure to set up the tools for working directly on the srm storage. You may want to consider using the staging and download services provided by Astron if you just want to retrieve data from the archive: [[http://www.lofar.org/wiki/doku.php?id=public:lta_howto]].//
  
 //For the impatient: skip text and jump to the [[#walkthrough|installation walk-through]]. (Assumes you have a grid certificate available and have been placed in the VOMS /lofar/user group.)// //For the impatient: skip text and jump to the [[#walkthrough|installation walk-through]]. (Assumes you have a grid certificate available and have been placed in the VOMS /lofar/user group.)//
Line 11: Line 14:
 ===== General requirements ===== ===== General requirements =====
  
-Given the title of this page, it is obviously necessary to start with a system with a JAVA VM installed (1.or higher). NB Since there is a [[public:grid_srm_software_installation#srmtools|known issue for the dCache/FNAL SRM client tools on openjdk-7]], it may be required to install an alternative JVM than the system default and point ''JAVA_HOME'' to the alternative location.+Given the title of this page, it is obviously necessary to start with a system with a JAVA VM installed (1.or higher). NB Since there is a [[public:grid_srm_software_installation#srmtools|known issue for the dCache/FNAL SRM client tools on openjdk-7]], it may be required to install an alternative JVM than the system default and point ''JAVA_HOME'' to the alternative location.
  
 The key elements in any minimal installation are: The key elements in any minimal installation are:
Line 19: Line 22:
  
 Below, we will take a detailed look at each individual element. Below, we will take a detailed look at each individual element.
 +
 +**Note** that you only have to install your grid certificate yourself and can then simply use our [[#Prepackaged tarball|prepackaged tarball]] for the rest.
  
 ===== Grid certificate ===== ===== Grid certificate =====
  
-The procedure for obtaining a personal grid certificate is described [[public:grid_certificate|here]]. The default locations for the private key and the signed certificate are respectively ''$HOME/.globus/userkey.pem'' and ''$HOME/.globus/usercert.pem''. Alternative locations may be used but should than be configured by setting appropriate values for the ''X509_USER_KEY'' and ''X509_USER_CERT'' environment variables.+The procedure for obtaining a personal grid certificate is described [[public:grid_certificate|here]]. The default locations for the private key and the signed certificate are respectively ''$HOME/.globus/userkey.pem'' and ''$HOME/.globus/usercert.pem''. Alternative locations may be used but should then be configured by setting appropriate values for the ''X509_USER_KEY'' and ''X509_USER_CERT'' environment variables.
  
 NB It is not required to store the personal certificate on the system that has the SRM clients installed. These clients only require a valid 'proxy' generated from the certificate and it is perfectly possible to generate the proxy elsewhere and copy it to the SRM client system using e.g. ''scp'' or 'MyProxy' (to be further documented). NB It is not required to store the personal certificate on the system that has the SRM clients installed. These clients only require a valid 'proxy' generated from the certificate and it is perfectly possible to generate the proxy elsewhere and copy it to the SRM client system using e.g. ''scp'' or 'MyProxy' (to be further documented).
Line 30: Line 35:
 ===== Proxy generation ===== ===== Proxy generation =====
  
-The script ''voms-proxy-init.sh'' from the VOMS client tools can be used to generate a proxy with VOMS attributes from the personal certificate. +The ''voms-proxy-init'' tool from the VOMS client tools can be used to generate a proxy with VOMS attributes from the personal certificate. 
  
 **Note** that the previouly provided ''proxy-init.sh'' script from [[http://code.google.com/p/jlite/|jLite]] is now discouraged because its encryption strength of 512 bit is not considered sufficient any more. SRM sites require a minimum strength of 1024 bit.  **Note** that the previouly provided ''proxy-init.sh'' script from [[http://code.google.com/p/jlite/|jLite]] is now discouraged because its encryption strength of 512 bit is not considered sufficient any more. SRM sites require a minimum strength of 1024 bit. 
  
-To allow setting of VOMS attributes for the LOFAR VO (Virtual Organisation), there are three additional steps to take:+To allow usage of the LOFAR VO (Virtual Organization), there are three additional steps to take:
  
-  * Create a ''vomses'' file to allow ''proxy-init'' to contact the relevant VOMS server+  * Create a ''vomses'' file to allow ''voms-proxy-init'' to contact the relevant VOMS server
   * Create a file that contains the certificate chain for authentication of the VOMS server   * Create a file that contains the certificate chain for authentication of the VOMS server
   * Install the set of trusted grid Certificate Authority (CA) certificates (these are also required by the SRM tools).   * Install the set of trusted grid Certificate Authority (CA) certificates (these are also required by the SRM tools).
Line 44: Line 49:
 To allow generation of proxies with LOFAR voms attributes, a 'vomses' file must exist that contains at least the following line: To allow generation of proxies with LOFAR voms attributes, a 'vomses' file must exist that contains at least the following line:
 <code>"lofar" "voms.grid.sara.nl" "30019" "/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl" "lofar"</code> <code>"lofar" "voms.grid.sara.nl" "30019" "/O=dutchgrid/O=hosts/OU=sara.nl/CN=voms.grid.sara.nl" "lofar"</code>
-jLite expects this file to be located at ''$JLITE_HOME/etc/vomses'', in the location pointed to by the ''$VOMS_USERCONF'' environment or in the default 'gLite' locations, usually: ''$HOME/.glite/vomses'' 
  
 +Place the file in a location where the proxy generator (voms-proxy-init) can find it (e.g. ~/.glite/vomses or export custom location to $X509_VOMSES variable).
 +Alternatively, you may point voms-proxy-init to any custom location by the '-vomses' option.
 ==== VOMS server certificate chain ==== ==== VOMS server certificate chain ====
  
Line 54: Line 60:
 </code> </code>
  
-The default VOMS directory for jLite is ''$JLITE_HOME/etc/certs/voms''. An alternative location can be configured by setting the ''$X509_VOMS_DIR'' environment value and if neither locations contains a valid configuration, jLite will also look in the default (system-wide) gLite location ''/etc/grid-security/vomsdir'' directory.+The VOMS directory location can be configured by setting the ''$X509_VOMS_DIR'' environment value. 
  
 ==== Trusted grid CA certificates ==== ==== Trusted grid CA certificates ====
  
-If your system has been installed with grid software already, it is likely that the trusted CA certificates can be found in the default directory ''/etc/grid-security/certificates''. If this is not the case, or you receive error messages related to not being able to determine the authenticity of a certificate, you can retrieve the latest certificates, e.g. from [[https://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-classic.tar.gz|EUGridPMA]], and place them in a directory of your choosing. jLite will expect them in the directory ''$JLITE_HOME/etc/certs/ca'' but will also look in the directory set by the ''$X509_CERT_DIR'' variable or in the default system wide directory. +If your system has been installed with grid software already, it is likely that the trusted CA certificates can be found in the default directory ''/etc/grid-security/certificates''. If this is not the case, or you receive error messages related to not being able to determine the authenticity of a certificate, you can retrieve the latest certificates, e.g. from [[https://dist.eugridpma.info/distribution/igtf/current/accredited/igtf-preinstalled-bundle-classic.tar.gz|EUGridPMA]], and place them in a directory of your choosing (set environment variable X509_CERT_DIR accordingly)If you use our prepackaged tarball, you can use the provided script 'update_certificates.sh' (for bash; use the .csh version for c-shell) to deploy the latest certificates (Note: The script requires the lynx text browser to be installed on your system).
- +
-==== Prepackaged tarball ==== +
- +
-The {{:public:jlite-0.2-lofar-vo.tgz|jLite with lofar voms}} tarball comes prepackaged with the above as required to access the LOFAR VO. The executable files are in the ''jlite-0.2/cli'' subdirectory. The relevant commands are ''proxy-init.sh'for generating a proxy and ''proxy-info.sh'' for inspecting the generated proxy.+
  
 ===== SRM client tools ===== ===== SRM client tools =====
  
-There are (at least) two JAVA based packages that provide the required SRM client functionality, including support for the gsiftp (a.k.a. 'gridftp') protocol. One has been developed by [[https://srm.fnal.gov|Fermilab]] and is hosted by [[http://www.dcache.org/|dCache]]. Another has been developed at [[https://sdm.lbl.gov/bestman/|Berkeley]].+There are (at least) two JAVA based packages that provide the required SRM client functionality, including support for the gsiftp (a.k.a. 'gridftp') protocol. One has been developed by [[https://srm.fnal.gov|Fermilab]] and is hosted by [[http://www.dcache.org/|dCache]]. Another has been developed at [[https://sdm.lbl.gov/bestman/|Berkeley]]. 
  
 **NB If the client srm copy call returns timeout messages, the most likely cause is that a firewall is blocking outward connections. The following ports are typically needed by the srm client tools: 8443/8444, 2811, and any port in the gridftp port range (typically in the range 20000 - 25000). Note that these ports are configured on the server side so this list may not be complete for all situations. If at all possible, it is advisable to configure the firewall to allow all outward connections. The next best option is to allow all outward connections to the domains that provide LOFAR LTA services (currently grid.sara.nl, fz-juelich.de, and target.rug.nl)** **NB If the client srm copy call returns timeout messages, the most likely cause is that a firewall is blocking outward connections. The following ports are typically needed by the srm client tools: 8443/8444, 2811, and any port in the gridftp port range (typically in the range 20000 - 25000). Note that these ports are configured on the server side so this list may not be complete for all situations. If at all possible, it is advisable to configure the firewall to allow all outward connections. The next best option is to allow all outward connections to the domains that provide LOFAR LTA services (currently grid.sara.nl, fz-juelich.de, and target.rug.nl)**
  
-**NB2 If you want to enable 'active' transfers, firewalls should allow incoming access to the ports configured as the globus port range (look in client documentation for more details). This type of transfer can improve performance as it will use multiple parallel connections for retrieving a file. For the FNAL/dCache client, 'active' transfers are initiated if the ''-server_mode=passive'' setting is omitted. For the Berkely client, parallel transfers will be initiated when the ''-parallelism'' parameter is set to a value larger than 1. Since in most cases LOFAR datasets consist of a large number of files, a similar performance improvement can be achieved by splitting the set of files over multiple srm copy processes.** 
  
 ==== FNAL/dCache client tools ==== ==== FNAL/dCache client tools ====
  
-We provide a slightly modified package: {{:public:srm.tar.gz|srm client tools}}. This contains updated scripts that allow installation in any directory. The tarball can be unpacked anywhere after which the ''$SRM_PATH'' environment variable should be set to the root directory of the unpacked tarball. Additionally, the ''$SRM_PATH/bin'' directory should be added to ''$PATH'' and [[#trusted_ca_certificates|trusted CA certificates]] must be installed. Finally, a valid proxy must be available in the default grid location (''/tmp/x509up_u<UID>'') or in the location configured as ''$X509_USER_PROXY''. Note that jLite does not store the proxy in the default grid location so an appropriate setting of the environment is required for it. You should now be able to retrieve a file from the LOFAR LTA:+We provide a slightly modified package in two different versions: {{srmclient-2.6.28.tar.gz|srm client tools (Java 7)}} (or alternatively {{srmclient-2.2.25.tar.gz|srm client tools (Java 6)}})(Note that both are also part of the prepackaged tarball together with an init script to set up the environment.) These contain updated scripts that allow installation in any directory. The client can be unpacked anywhere after which the ''$SRM_PATH'' environment variable should be set to the root directory of the unpacked tarball. Additionally, the ''$SRM_PATH/bin'' directory should be added to ''$PATH'' and [[#trusted_ca_certificates|trusted CA certificates]] must be installed. Finally, a valid proxy must be available in the default grid location (''/tmp/x509up_u<UID>'') or in the location configured as ''$X509_USER_PROXY''. You should now be able to retrieve a file from the LOFAR LTA:
 <code> <code>
-srmcp -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file:///`pwd`/file1M+srmcp -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file:///file1M
 </code> </code>
  
-==== Berkeley client tools ====+If your firewall allows incoming connections to non-standard ports, you can try [[#active_gridftp|active gridftp]], which will enable utilization of multiple streams to increase performance.
  
-The Berkely client tools can be downloaded from the [[https://codeforge.lbl.gov/frs/?group_id=54&release_id=353|bestman repository]]. After unpackingperform+If you have the [[public:grid_srm_software_installation#globus_client_software|gridftp client software]] installed (requires installation with root privileges) and in your path, it provides superior performance as compared to the native JAVA gridftp client that is provided by srmcpIn order to utilize thisdownload {{:public:lta-url-copy.sh.gz|lta-url-copy.sh.gz}}, unzip it and use the command
-<code+<file
-cd bestman-client/setup +srmcp -use_urlcopy_script=true -urlcopy=./lta-url-copy.sh -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file:///`pwd`/file1M 
-./configure  --enable-clientonly +</file>
-cd .. +
-export PATH=`pwd`/bin:$PATH +
-</code> +
-Just like for the FNAL/dCache client tools, [[#trusted_ca_certificates|trusted CA certificates]] must be installed and a valid proxy must be available in the default grid location (''/tmp/x509up_u<UID>'') or in the location configured as ''$X509_USER_PROXY''.+
  
-Note that the Berkeley client tools work slightly different as compared to the FNAL/dCache client toolsMost notably, they require explicit setting of the server 'WSDL' url which for dCache installations is the host URL, including portplus the path ''srm/managerv2'', e.g.: +**Note:** Usually, the url-copy script requires an absolute destination pathMake sure that you don't use the one from other sourcesbut the modified script from this page (named //lta-url-copy.sh//, now also included in the tarball below) to retrieve data with the //srm.txt// files from your notification mails
-<code> +
-srm-copy srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file:///`pwd`/file1M  -serviceurl srm://srm.grid.sara.nl:8443/srm/managerv2 +
-</code> +
-====== Walkthrough =====+
  
-This walkthrough utilizes the FNAL/dCache SRM client tools and assumes a bash-like shell is used for setting the environment variables.. 
  
-  * Store your private key in ''$HOME/.globus/userkey.pem'' +=== Active gridftp ===
-  * Execute:\\ <code>chmod 600 $HOME/.globus/userkey.pem</code> +
-  * Store your signed certificate in ''$HOME/.globus/usercert.pem'' +
-  * Download {{:public:jlite-0.2-lofar-vo.tgz|jLite with lofar voms}} +
-  * Untar package in directory of your choosing:\\ <code>tar -xvzf jlite-0.2-lofar-vo.tgz</code> +
-  * Update path:\\ <code>export PATH=`pwd`/jlite-0.2/cli:$PATH</code> +
-  * Set CA certificate environment variable (required by srm tools):\\ <code>export X509_CERT_DIR=`pwd`/jlite-0.2/etc/certs/ca</code> +
-  * Generate a proxy:\\ <code>proxy-init.sh lofar:/lofar/user</code> +
-  * Set proxy environment variable to location provided in 'Proxy location: <proxy_location>':\\ <code>export X509_USER_PROXY=<proxy_location></code> +
-  * Download {{:public:srm.tar.gz|srm client tools}} +
-  * Untar package in directory of your choosing:\\ <code>tar -xvzf srm.tar.gz</code> +
-  * Set srm path variable:\\ <code>export SRM_PATH=`pwd`/srm</code> +
-  * Update path:\\  <code>export PATH=$SRM_PATH/bin:$PATH</code> +
-  * Test data retrieval:\\ <code>srmcp -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file:///file1M</code> +
-  * Done!// NB You will off course need to put all ''export'' commands (with full paths where appropriate) in a shell start-up script to make them permanent.//+
  
-These are the shell commands you have to use for (t)csh: +In the examples above, srmcp is run with the option -server_mode=passive, which limits the transfer to a single stream. If you want to enable 'active' transfers, your firewall has to allow **incoming** access to the ports configured as the globus port range (typically ports 20000-25000also open 844384442811).  
-<code>> setenv mypath `pwd` +The IP ranges for remote gridftp servers that need to be able to connect to your machine are:
-> setenv PATH ${mypath}/jlite-0.2/cli:${PATH} +
-> setenv X509_CERT_DIR ${mypath}/jlite-0.2/etc/certs/ca +
-> proxy-init.sh lofar:/lofar/user +
-Enter your private key passphrase:          +
-Created VOMS proxy: O=dutchgrid,O=users,O=astron,CN=User,CN=proxy +
-Proxy is valid until: Tue Jun 25 04:29:11 2013 CEST +
-Proxy location/var/folders/kp/jvqqvjyd3k119ryygxm3qlpm0000gn/T/x509up_u_user+
  
-> setenv X509_USER_PROXY /var/folders/kp/jvqqvjyd3k119ryygxm3qlpm0000gn/T/x509up_u_user +  * 145.100.32.0/22, i.e. 145.100.32.0 to 145.100.35.255, for SURFsara  
-> setenv SRM_PATH ${mypath}/srm +  * 134.94.32.0/22, i.e. 134.94.32.0 to 134.94.32.255, for FZJuelich. 
-> setenv PATH ${mypath}/srm/bin:${PATH} +
-</code>+
  
 +Active gridftp can improve performance of a single transfer as it will use multiple parallel connections for retrieving a file. For the FNAL/dCache client, 'active' transfers are initiated if the ''-server_mode=passive'' setting is omitted. For the Berkely client, parallel transfers will be initiated when the ''-parallelism'' parameter is set to a value larger than 1. Since most cases LOFAR datasets consist of a large number of files, a similar performance improvement can be achieved by splitting the set of files over multiple srm copy processes. This is usually easier to set up than the firewall requirements. Note that e.g. the dCache client does not have a default setting for the gridftp port range. Further, srmcp ignores the GLOBUS_TCP_PORT_RANGE environment variable. You have to specify the port range (that you opened in your firewall) via the ''globus_tcp_prt_range'' option of srmcp, e.g.:
  
-====== Troubleshoot ===== 
  
-=== Proxy Generation === +  srmcp -globus_tcp_port_range=20000,25000 srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file:///file1M 
-The 'proxy-init'-script sadly does not provide much usable feedback when there is an issue. +
-You might want to consider the jlite manual for some useful error message information or take a look at the following hints when something goes wrong with handling your certificate (e.g'no user credentials found!'). +
-Also, creating a Java project can help to track down where exactly the process fails, see the jlite manual for details.+
  
-  * OpenJDK 7 seems not to be capable of dealing with the certificate, make sure to run Java provided by Oracle + 
-  * Maybe your private key uses an unsupported algorithmYou might want to try the following command: +====== Prepackaged tarball ====== 
-<code> + 
-openssl rsa -des3 -in .globus/userkey.pem -out .globus/userkey.pem +We provide the {{lofar_grid_clients.tar.gz|Lofar Grid Clients}} tarball that comes prepackaged with the above (except your personal grid certificate of course) to allow easy access to the LOFAR VO. 
-</code> +Extract the tarball to a directory of your liking and source 'init.sh' if you use Java 7 (or newer) or source 'init_java6.sh' if you still use Java 6. This sets up the environment for you. 
-  *  Error: //org.glite.voms.contact.VOMSExceptionAC validation failed!//  +You can ''voms-proxy-init'' for generating a proxy and ''voms-proxy-info'' for inspecting the generated proxy. \\ 
-    Have you registered at the Lofar VO? --> https://voms.grid.sara.nl:8443/voms/lofar +It needs (semi-)regular updates of the certificates, with one of the supplied scripts. 
-    You need to have the certificate installed in your browser for this+ 
 +===== Walkthrough ===== 
 + 
 +This walkthrough guides you to setting up the prepackaged tarball (containing the FNAL/dCache SRM client tools) on your system. It assumes a bash-like shell. 
 + 
 +  * Store your private key in ''$HOME/.globus/userkey.pem'' 
 +  * Change private key permissions to owner-read-only:\\ <code>chmod 400 $HOME/.globus/userkey.pem</code> 
 +  * Store your signed certificate in ''$HOME/.globus/usercert.pem'' 
 +  * Download the {{lofar_grid_clients.tar.gz|Lofar Grid Clients}} 
 +  * Untar package in directory of your choosing:\\ <code>tar -xvzf lofar_grid_clients.tar.gz</code> 
 +  * Determine your java version:\\ <code>java -version</code> 
 +  * Source init.sh (Java 7 or 8) or init_java6 (Java 6) in lofar_grid/, e.g. :\\ <code>. lofar_grid/init.sh</code> 
 +  * Update the certificates with one of the provided scripts, e.g.: \\ <code>update_certificates_eugridpma.sh</code> 
 +  * OptionalSet proxy environment variable to custom location:\\ <code>export X509_USER_PROXY=<proxy_location></code> 
 +  Generate a proxy:\\ <code>voms-proxy-init -voms lofar:/lofar/user</code> 
 +  * Test data retrieval:\\ <code>srmcp -server_mode=passive srm://srm.grid.sara.nl/pnfs/grid.sara.nl/data/lofar/ops/fifotest/file1M file://`pwd`/file1M</code> 
 +  Done!\\ // NB If you modified any default location by the ''export'' command, you have to put it in a shell start-up script like '.bashrc' to make your changes permanent, of course (with full paths where appropriate).// 
 +  * If you get any errors <del>related to CA certificates</del>, retry after running one of the provided scripts to update your certificates, e.g.\\ <code>. update_certificates_eugridpma.sh</code>  The certificates change every now and then, and then you need to update them. 
 + 
 +**Note:** For (t)csh, use *.csh init scripts and 'setenv <key> <value>' instead of 'export <key>=<value>'
 + 
 +====== Troubleshoot ===== 
 + 
 +  * There is a [[public:lta_faq|LTA FAQ page]] that should help with the common difficulties. 
  • Last modified: 2014-06-23 12:39
  • by Joern Kuensemoeller