Vine Admin Guide

Welcome to the Vine Toolkit Admin Guide! In this guide we present the information required for the proper Vine Toolkit configuration, installation and deployment in the various environments.

Vine Toolkit overview

Vine Toolkit is a modular, extensible Java library that offers developers an easy-to-use, high-level Application Programmer Interface (API) for Grid-enabling applications. Vine can be deployed for use in desktop, Java Web Start, Java Servlet 2.3 and Java Portlet 1.0 environments with ease. Additionally, Vine Toolkit supports a wide array of middleware and third-party services. Using the Vine Toolkit, one composes applications as collections of resources and services for utilizing those resources (basic idea in Vine - generic resource model - any service and data source can me modeled as an abstract entity called resource and can be integrated with web applications using high-level APIs).

Vine Toolkit schemaVine Toolkit schema

The Vine Toolkit makes it possible to organize resources into a hierarchy of domains to represent one or more virtual organizations (VOs). Vine offers security mechanisms for authenticating end-users and authorizing their use of resources within a given domain. Other core features include an extensible model for executing tasks (every action is persisted as Task) and transparent support for persisting information about resources and tasks with in-memory or external relational databases.

Adobe Flex and BlazeDS technologies allow creating advanced and sophisticated web applications similar to many stand-alone GUIs. Vine comes with many co-bundled components. There is a set of bundled components. User / Role / Application managers - administrative tools for user management, their roles, application related right management for accessible methods of web applications, user login and user registration - it is module based so the process could be extended and span any external service. like ldap or ms active directory and portal incorporates authenticated users automatically. Resource manager where the configuration of resources is accessible, could be displayed and changed by advanced users if desired. File browser component allows to manage data on different data management servers and also portal file system (PFS) - Vine provides such components to allow storing of users data in the portal. Job Manager component based on JSDL specification allows to prepare JSDL based job description and submits jobs. Jobs are monitored and outputs could be retrieved later. Basic information about the job is also displayed. Different job managers are used here according to the installed and configured plugins. Credential manager allows to get proxy credentials from MyProxy server configured for the portal. User is able also to add some mapping to his accounts for the accessible DN - so later it is possible to log in using MyProxy user account - single sign-on is possible then, proxy certificates are loaded automatically and user can use grid services directly. Resource browser is able to display information about grid resources - globus MDS services is used here - it is possible to show also dynamic values as free memory for example.

Installation and deployment

Vine has implemented complex build system facilitating the process of sources compilation, build and deployment. Despite its usefulness it contains of numerous modules and dependencies which could be confusing to the new users. Here we present a set of information which should clarify your understanding of Vine build system.

Requirements

In order to compile and build Vine Toolkit the following prerequisites need to be satisfied:

Java SDK >= 5
Apache Ant >= 1.7
Apache Tomcat 5.5.26 servlet container.

Flex SDK version 4.1.0.16076 - in case you want to develop your own Flex components with the latest Vine sources.

Flex SDK version 3.2.0.3958 - in case you want to develop your own Flex components with the Vine < 1.2 .

Portal environments:

GridSphere 3.1 portlet container.
Liferay bundle liferay-5.2.3/tomcat-5.5.27

Vine Toolkit quick install guide.

Installers

The modular structure of Vine is not only about its internal design, but also concerns its flexibility in various ways of compilation, configuration and deployment.

To make the configuration process user friendly an installer concept has emerged.

Installer consists of a set of configuration files and properties defining Vine Toolkit instance setup

It means that instead of changing Vine Toolkit properties globally for every usecase we are working on, we create a separate set of configuration files and use it when needed. That implies the fact we can prepare different configurations of Vine according to our needs ( i.e. a test bed installer and the production quality one ) and use them with the same source base.

All installers are stored as directories in the following path:

$VINE_HOME$/installers

Adding custom project to the installer

There are two ways of adding new project to the installer.

Manual edit:

1. Edit the $VINE$/installers/$INSTALLER_NAME$/build.properties file.

2. Add your project name as the value of application.projects property separated with comma:


#----------------------------------------------------------
# Application projects
#----------------------------------------------------------
application.projects=newproject,myproject

GUI edit:

1. In Vine directory type:

ant gui

2. In tab 'Installer' choose desired installer from the list and click 'Change'.
Configurator - installer tabConfigurator - installer tab
3. You need to reopen Vine configurator in order to load new environment.

4. Find your project in the 'Projects in installer' list and add it to the selection ( with ctrl buton pressed ). Then choose 'Save changes' to save new configuration.

Notice that configuration for your installer is saved in {vine_home}/installers/{installer_name}/build.properties file. Due to Ant task limitations when updating property file Ant is removing all comments, so for your convenience, it's good to keep a copy of your build.properties file with original comments.

Creating new installer

Currently the best way is to copy existing one and change its properties to fit your needs. However, in a near future Vine configurator will be enhanced to support this feature.

Installer directory description

On the attached image you can see an example installer's directory:

Installer directory contentsInstaller directory contents

In the root directory we have:

.
|-- WEB-INF
|   |-- classes - logger properties for the Vine webapp
|   |   `-- log4j.properties
|   |-- gridsphere_3_0 - portlet container specific directory is copied to the portlet container webapp
|   |   `-- portal
|   |       |-- classes
|   |       |   `-- log4j.properties
|   |       `-- layouts
|   |           |-- admin.xml
|   |           |-- guest.xml
|   |           |-- loggedin.xml
|   |           |-- login.xml
|   |           `-- register.xml
|   `-- vine
|       |-- hibernate - database config file
|       |   `-- hibernate.properties
|       |-- properties - directory for storing custom properties
|       |   |-- gss_demo_cert_properties.properties
|       |   `-- gss_demo_cert_properties_confidentiality.properties
|       `-- resources
|           `-- Domain.xml - main config file for Vine services
`-- build.properties - main config file regarding deployment. Detailed description in the subpage of this section

build.properties

build.properties - main configuration file for the installer with the all major properties ( detailed description is given above the property ):

#----------------------------------------------------------
# Installer title - for information purposes, displayed while the build process is going on.
#----------------------------------------------------------
software.installer.title=OMII-Europe Demonstration for Tomcat 5.X and GridSphere 3.1

#----------------------------------------------------------
# Installer type - dist means it will be always listed when we do not have any installer set, dev - it's not on the installers list, but it could be set manually.
#----------------------------------------------------------
software.installer.type=dist

#----------------------------------------------------------
# Application projects - list of projects ( plugins ) included in the current configuration.
#----------------------------------------------------------
application.projects=grid,gt2,gt4,voms,bes,glite3,unicore6,besgt4,grms,opendsp

#----------------------------------------------------------
# Application type - web is used when Vine is deployed to Tomcat, main is used in a standalone mode.
#----------------------------------------------------------
application.type=web

#----------------------------------------------------------
# Web aplication type - portlet is used when application is deployed to the portlet container ( Liferay, Gridsphere ), servlet when application is deployed directly to Tomcat.
#----------------------------------------------------------
application.web.type=portlet

#----------------------------------------------------------
# Turn off blazeds support - needs to be set to false when we are in the sevlet mode
#----------------------------------------------------------
application.web.blazeDsSupport=false

#----------------------------------------------------------
# Servlet container - type of servlet container, currently only tomcat_5_x is supported
#----------------------------------------------------------
servlet.container=tomcat_5_x

#----------------------------------------------------------
# Portlet container - type of portlet container, the vaild values are: gridsphere_3_0 or liferay_5_3
#----------------------------------------------------------
portlet.container=gridsphere_3_0

#----------------------------------------------------------
# Portlet container setup module class - depreciated
#----------------------------------------------------------
portlet.container.custom_setup_servlet_class=org.vinetoolkit.gs3.web.VineGridSphereSetupServlet

Predefined installers

BlazeDs

Nanoabinit

PLGrid

PlGrid installers ( the are version for Liferay and Gridsphere ) are designed to serve the developers from PlGrid project as a base for creating new portals and applications. Thereby they need to have all necessary resource configured out of the box. It's also a good starting point for creating more advanced and dedicated configurations ( see nanoabinit installer ).

build.properties

From this file we can see that for this Vine instance all of the major middleware plugins are enabled. By default Flex sources compilation phase is disabled for testing purposes. Build file for the Gridsphere differs just in the different value for the portlet.container property.

#----------------------------------------------------------
# Installer title
#----------------------------------------------------------
software.installer.title=PLGrid with Liferay

#----------------------------------------------------------
# Installer type
#----------------------------------------------------------
software.installer.type=dist

#----------------------------------------------------------
# Application projects
#----------------------------------------------------------
application.projects=grid,gt2,gt4,gt421,voms,glite3,srm,unicore6,bes,opendsp,liferay

#----------------------------------------------------------
# Application type
#----------------------------------------------------------
application.type=web

#----------------------------------------------------------
# Web aplication type
#----------------------------------------------------------
application.web.type=portlet

#----------------------------------------------------------
# Servlet container
#----------------------------------------------------------
servlet.container=tomcat_5_x

#----------------------------------------------------------
# Portlet container
#----------------------------------------------------------
portlet.container=liferay_5_3
#portlet.container=gridsphere_3_0

software.installer.excludeFlex=true

Domain.xml

<domain name="vo.plgrid.pl" label="PLGrid" description="Polish Grid">

    <!-- Portlet authentication -->
    <authenticationModule key="PortletAuthModule"
                          order="1"/>

    <!-- required in case of liferay integration -->
    <authenticationModule key="OnFlyAccountAuthModule" order="2"/>

    <!-- Credential repository authentication used with MyProxy server-->
    <!--authenticationModule key="CredentialRepositoryAuthModule" order="3"/-->

    <!-- VOMS Credential repository authentication used with MyProxy server and VOMS server according to root domain name-->
    <authenticationModule key="VomsCredentialRepositoryAuthModule" order="4"/>

    <!-- Default credential authentication module - can't coexist with VomsDefaultCredentialAuthModule-->
    <!-- Proxy created from local user cert and key-->
    <!--authenticationModule key="DefaultCredentialAuthModule" order="5"/-->

    <!-- Default credential authentication module - can't coexist with DefaultCredentialAuthModule-->
    <!-- Proxy created from local user cert and key-->
    <!--authenticationModule key="VomsDefaultCredentialAuthModule" order="6"/-->

    <vineRoleResource/>

    <!-- Portal -->
    <hostResource name="portal"
                  hostname="localhost"
                  label="Portal"
                  description="Portal">

        <!-- Portal file system -->
        <portalFileSystem label="Portal File System" description="Portal File System"/>

        <!-- Liferay Wiki -->
        <liferayWikiFileResource label="Liferay Wiki Manager" description="Liferay Wiki File Manager"/>

        <!-- Account manager -->
        <accountResource name="GuestAccountManager"
                         label="Guest Account"
                         description="Guest Account Manager">

            <liferayRegistrationResource name="LiferayRegistration" label="LiferayRegistration"/>

        </accountResource>

    </hostResource>

    <!-- MyProxy resource PCSS fury -->
    <hostResource name="fury"
                  hostname="fury.man.poznan.pl"
                  label="Fury"
                  description="Linux Host (2 CPUs)">

        <!-- MyProxy -->
        <myproxyResource label="Fury (MyProxy)" useCredential="false" checkConnection="true"
                         timeoutMiliseconds="5000"/>

    </hostResource>

    <!-- seagrass test unicore-->
    <hostResource name="seagrass"
                  hostname="seagrass.man.poznan.pl"
                  label="Seagrass"
                  description="Linux Host (2 CPUs)">

        <!-- Unicore Gateway -->
        <unicoreGatewayResource name="unicore" label="Seagrass (UNICORE6)" port="8099" protocol="https"
                                servicePath="/TEST-SITE/services">
            <resourceAttribute name="description" value="UNICORE Gateway 6.0 version 1.0"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="userKeystore" value="true"/>

        </unicoreGatewayResource>

        <!-- Unicore SMS -->
        <smsResource name="sms_unicore6" label="Seagrass (SMS-UNICORE6)" port="8099" protocol="https">
                     <resourceAttribute name="smsPath" value="u622space"/>
                     <resourceAttribute name="userKeystore" value="true"/>
                     <resourceAttribute name="rootContext" value="/TEST-SITE/services"/>
        </smsResource>

        <!--WS MDS Information resource-->
        <wsMdsResource label="Seagrass (WS-MDS)"/>

        <!--Proxy cert used by WS MDS 4.0.X client-->
        <gssCertConfiguration proxyFile="c:\x509up_u_dejw"/>

    </hostResource>

    <!-- ICM WMS-->
    <hostResource name="icmWMS"
                  hostname="wms.polgrid.pl"
                  label="ICM WMS"
                  description="Resource broker in ICM">

        <!-- GridFtp -->
        <gridftpResource label="ICM (WMS Grid-FTP)" description="ICM WMS gsiftp server" port="2811" protocol="gsiftp"/>

        <wmproxyResource name="wmproxy" label="ICM (WM-Proxy)" port="7443" protocol="https"
                         servicePath="/glite_wms_wmproxy_server">
            <resourceAttribute name="monitoringURL" value="https://wms.polgrid.pl:9003"/>
            <resourceAttribute name="description" value="WM-Proxy 3.1"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=polgridgsiftp,HostResource=IcmSRM2,Domain=vo.plgrid.pl"/>
        </wmproxyResource>
    </hostResource>

    <!-- ICM SRM2 -->
    <hostResource name="IcmSRM2"
                  hostname="se.polgrid.pl"
                  label="ICM SRM v.2"
                  description="SRM v.2 in ICM">

        <!-- GridFtp -->
        <gridftpResource name="polgridgsiftp" label="IcmSRM2 (Grid-FTP)" description="IcmSRM2 gsiftp server" port="2811" protocol="gsiftp" servicePath="/dpm/polgrid.pl/home/vo.plgrid.pl"/>

				<!-- protocol="srm", NOT protocol="httpg" -->
        <srmResource name="srm" label="ICM SRM v. 2" port="8446" protocol="srm" servicePath="">
            <resourceAttribute name="description" value="SRM v. 2.0"/>
            <resourceAttribute name="rootContext" value="/srm/managerv2"/>
        </srmResource>

    </hostResource>

    <!-- Cyfronet WMS-->
    <hostResource name="cyfronetWMS"
                  hostname="rb1.cyf-kr.edu.pl"
                  label="cyfronet"
                  description="Resource broker in Cyfronet">

        <!-- GridFtp -->
        <gridftpResource label="Cyfronet Rb1 (WMS Grid-FTP)" description="Cyfronet Rb1 WMS gsiftp server" port="2811" protocol="gsiftp"/>

        <wmproxyResource name="wmproxy" label="Cyfronet (WM-Proxy)" port="7443" protocol="https"
                         servicePath="/glite_wms_wmproxy_server">
            <resourceAttribute name="monitoringURL" value="https://lb.grid.cyf-kr.edu.pl:9003"/>
            <resourceAttribute name="description" value="WM-Proxy 3.1"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=cyfronetgsiftp,HostResource=CyfronetSRM2,Domain=vo.plgrid.pl"/>
        </wmproxyResource>
    </hostResource>

    <!-- Cyfronet SRM2 -->
    <hostResource name="CyfronetSRM2"
                  hostname="dpm.cyf-kr.edu.pl"
                  label="Cyfronet SRM v.2"
                  description="SRM v.2 in Cyfronet">

        <!-- GridFtp -->
        <gridftpResource name="cyfronetgsiftp" label="CyfronetSRM2 (Grid-FTP)" description="CyfronetSRM2 gsiftp server" port="2811" protocol="gsiftp" servicePath="/dpm/cyf-kr.edu.pl/home/vo.plgrid.pl"/>

				<!-- protocol="srm", NOT protocol="httpg" -->
        <srmResource name="srm" label="Cyfronet SRM v.2" port="8446" protocol="srm" servicePath="">
            <resourceAttribute name="description" value="SRM v.2"/>
            <resourceAttribute name="rootContext" value="/srm/managerv2"/>
        </srmResource>

    </hostResource>

    <!-- PCSS reef SRM2 -->
    <hostResource name="ReefSRM2"
                  hostname="se.reef.man.poznan.pl"
                  label="Reef SRM v.2"
                  description="SRM v.2 in PSNC">

        <!-- GridFtp -->
        <!-- Service path is set with the path of the srm server -->
        <gridftpResource name="reefgsiftp" label="Reef (Grid-FTP)" description="Reef gsiftp server" port="2811" protocol="gsiftp" servicePath="/dpm/reef.man.poznan.pl/home/vo.plgrid.pl"/>

				<!-- protocol="srm", NOT protocol="httpg" -->
        <srmResource name="srm" label="Reef SRM v.2" order="1" port="8446" protocol="srm" servicePath="">
            <resourceAttribute name="description" value="SRM v. 2"/>
            <resourceAttribute name="rootContext" value="/srm/managerv2"/>
        </srmResource>

    </hostResource>

    <!-- WCSS darkmass SRM2 -->
    <hostResource name="DarkmassSRM2"
                  hostname="darkmass.wcss.wroc.pl"
                  label="Wroclaw SRM v. 2"
                  description="SRM v. 2 in Wroclaw">

        <!-- GridFtp -->
        <!-- Service path is set with the path of the srm server -->
        <gridftpResource name="darkmassgsiftp" label="DarkmassSRM2 (Grid-FTP)" description="Darkmass gsiftp server" port="2811" protocol="gsiftp" servicePath="/dpm/wcss.wroc.pl/home/vo.plgrid.pl"/>

				<!-- protocol="srm", NOT protocol="httpg" -->
        <srmResource name="srm" label="WCSS Darkmass SRM2" port="8446" protocol="srm" servicePath="">
            <resourceAttribute name="description" value="SRM v. 2.0"/>
            <resourceAttribute name="rootContext" value="/srm/managerv2"/>
        </srmResource>
    </hostResource>

    <!-- TASK SRM2 -->
    <hostResource name="TaskSRM2"
                  hostname="se.grid.task.gda.pl"
                  label="Task SRM v.2"
                  description="SRM v.2 in Task">

        <!-- GridFtp -->
        <!-- Service path is set with the path of the srm server -->
        <gridftpResource name="taskgsiftp" label="TaskSRM2 (Grid-FTP)" description="Task gsiftp server" port="2811" protocol="gsiftp" servicePath="/dpm/grid.task.gda.pl/home/vo.plgrid.pl"/>

				<!-- protocol="srm", NOT protocol="httpg" -->
        <srmResource name="srm" label="TASK SRM2" port="8446" protocol="srm" servicePath="">
            <resourceAttribute name="description" value="SRM v. 2.0"/>
            <resourceAttribute name="rootContext" value="/srm/managerv2"/>
        </srmResource>
    </hostResource>

    <!-- PSNC CREAM -->
    <hostResource name="reefcream"
                  hostname="creamce.reef.man.poznan.pl"
                  label="cream at reef"
                  description="CREAM CE in PSNC">

        <creamResource name="cream" label="Cream in PSNC" port="8443" protocol="https"
                         servicePath="/ce-cream/services/CREAM2">
            <resourceAttribute name="delegationURL" value="https://creamce.reef.man.poznan.pl:8443/ce-cream/services/gridsite-delegation"/>
            <resourceAttribute name="batchSystem" value="pbs"/>
            <resourceAttribute name="queueName" value="plgrid"/>
            <resourceAttribute name="description" value="CREAM in PSNC"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=reefgsiftp,HostResource=ReefSRM2,Domain=vo.plgrid.pl"/>
        </creamResource>
    </hostResource>

    <!-- Cyfronet CREAM -->
    <hostResource name="cyfkrcream"
                  hostname="cream.grid.cyf-kr.edu.pl"
                  label="cream at cyf-kr"
                  description="CREAM CE in Cyfronet">

        <creamResource name="cream" label="Cream in Cyfronet" port="8443" protocol="https"
                         servicePath="/ce-cream/services/CREAM2">
            <resourceAttribute name="delegationURL" value="https://cream.grid.cyf-kr.edu.pl:8443/ce-cream/services/gridsite-delegation"/>
            <resourceAttribute name="batchSystem" value="pbs"/>
            <resourceAttribute name="queueName" value="plgrid"/>
            <resourceAttribute name="description" value="CREAM in Cyfronet"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=cyfronetgsiftp,HostResource=CyfronetSRM2,Domain=vo.plgrid.pl"/>
        </creamResource>
    </hostResource>

    <!-- plgrid LFC -->
    <hostResource name="LFC"
                  hostname="lfc.grid.cyf-kr.edu.pl"
                  label="LFC at cyf-kr"
                  description="LFC in plgrid">

        <lfcResource name="lfcsrv" label="LFC in plgrid" port="5010" protocol="lfn">
        </lfcResource>
    </hostResource>

    <!-- PCSS - SMOA Computing  -->
    <!-- elder1 -->
    <hostResource name="elder1"
                  hostname="elder1.man.poznan.pl"
                  label="elder1"
                  description="OpenDSP/SMOA in PSNC">

				<!-- GridFtp -->
        <gridftpResource name="elder1gridftp" label="Elder1 (Grid-FTP)" description="Elder1 gsiftp server" port="2811" protocol="gsiftp"/>

        <!-- SMOA/OpenDSP -->
        <opendspResource name="opendsp" label="elder1 (SMOA/OpenDSP at PSNC)" port="19000" servicePath="/">

            <resourceAttribute name="description" value="OpenDSP v1.0"/>
            <resourceAttribute name="serviceTimeout" value="5"/>
			<resourceAttribute name="serviceDN" value="/C=PL/O=GRID/O=PSNC/CN=smoa/elder1.man.poznan.pl"/>
			<resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=elder1gridftp,HostResource=elder1,Domain=vo.plgrid.pl"/>
			<resourceAttribute name="useWSA" value="true"/>
        </opendspResource>

    </hostResource>

</domain>

Vine Toolkit - standalone mode

Vine Toolkit may be used in different ways, one of it is standalone mode - it can be used as a library to access different grid resources for example.

Let's assume that '$VINESRC' is the location of the vine source installation package.

In '$VINESRC/projects' directory you can find an example project called: jobmanagertest - it contains simple standalone application.
(if it is not present set the default installer to 'testStandaloneJobManager' by 'ant choose-installer' command and run 'ant fetch' command to get all required projects)

In '$VINESRC/installers' directory you can find an example installer called 'testStandaloneJobManager' which could be used to test the standalone application. The application uses globus gt4, grms broker and unicore6 resources - but
of course it could be changed in the Domain.xml configuration file accordingly by the user requirements.

So first the installer's build.properties:

#----------------------------------------------------------
# Installer title
#----------------------------------------------------------
software.installer.title=Job Manager Test

#----------------------------------------------------------
# Installer type
#----------------------------------------------------------
software.installer.type=dist

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=group,grid,voms,glite3,unicore6,bes,grms,opendsp,gt2,gt4,jobmanagertest

#----------------------------------------------------------
# Application type
#----------------------------------------------------------
application.type=main

#----------------------------------------------------------
# Turn off blazeds support
#----------------------------------------------------------
application.web.blazeDsSupport=false

Properties:
- software.installer.title - installer title
- software.installer.type - 'dist' defines the installer is accessible as official installer ('dev' means it won't be visible in 'ant choose-installer' command)
- application.projects - defines all Vine projects which should be installed and used within the standalone application (indirectly by using Vine Tookit API)
- application.type - has to be set to 'main' value what means standalone mode
- application.web.blazeDsSupport - web blazeDs support should be switched off

In the installer's directory 'WEB-INF\vine\resources\' you can find configuration file 'Domain.xml' where target resources could be defined.

So our project is present in the directory: $VINESRC\projects\jobmanagertest

Below you can see the 'project.properties' which could be found in directory $VINESRC\projects\jobmanagertest\ant

project.name=jobmanagertest
project.title=JobManager Test
project.priority=4
project.extends=grid,gt2,unicore6,glite3,gt4,grms

Project extends let you use different classes defined in the projects which become a part of the accessible API (in case of web installation in tomcat are placed in jars in shared/lib directory,
in case of standalone in vine/config/lib)

In the test project there is only one example java class - the example of the standalone application:

Package: org.vinetoolkit.jobmanagertest.spi.impl, java class: JobManagerTest.java

Inside it you can see how to use Vine API to use different grid resources defined in Domain.xml

After the 'testStandaloneJobManager' is set as the default (you can use 'ant choose-installer' for this in the $VINESRC directory)
you can install the Vine Toolkit with standalone apps: ant install (latest updates will be downloaded) or ant reinstall (current version from disk will be installed).

After installation is completed you can see new directory '$VINESRC/applications' - it contains Vine Toolkit in standalone mode.

Now we can go to the vine sub directory and use such command to run out test application:

ant -f ant\jobmanagertest.xml > somelog.txt

Logging information are directed to some file to be able to track the execution.
Our application requires a password argument - so you have to provide it after running or add it as the command line argument.
The password is used to create proxy credential as the suitable authentication module is set in the Domain.xml.
(user's certificate and private key have to be present in the '.globus' directory in the user's profile)

Ant script explanation - it is defined in our test project in directory: $VINESRC\projects\jobmanagertest\src\main\app\ant\jobmanagertest.xml
with properties file: $VINESRC\projects\jobmanagertest\src\main\app\ant\jobmanagertest.properties

The properties content is:

vine.app.main.title=Job Manager Test
vine.app.main.classname=org.vinetoolkit.jobmanagertest.spi.impl.JobManagerTest
vine.app.main.jvmargs=

So just the name, the class of the standalone application class with the main method and optional JVM arguments.

The ant script is always the same in all projects except the value for property 'build.properties.file' which has to be set for every project accordingly:

<project default="execute" basedir=".">

    <property name="build.properties.file" value="jobmanagertest.properties"/>
    <dirname property="build.properties.dir" file="./${build.properties.file}"/>
    <property name="build.properties.path" value="${build.properties.dir}/${build.properties.file}"/>

    <!-- =================================================================== -->
    <!-- Executes vine                                                       -->
    <!-- =================================================================== -->
    <target name="execute" description="Executes Vine">

        <ant antfile="../build.xml"
             inheritAll="false"
             target="execute-main">
            <property name="build.properties.path" value="${build.properties.path}"/>
        </ant>

    </target>

</project>

In this way you can run the Vine Toolkit in standalone mode by using standard build routine and accessible scripts.

Of course it is also possible to run it without using ant and properties.

So for example if we put our standalone application directly in the '$VINESRC/applications' directory it is possible to run the application in such way on Windows for example (script is run directly in the $VINESRC/applications directory, our application main class is accessible out there):

@echo on

set CLASSPATH=.
for %%i in (.\vine\config\lib\*.jar) do SET CLASSPATH=!CLASSPATH!;%%i
SET CLASSPATH=!CLASSPATH!;.\vine\config\classes

java -Dvine.app.home=$VINESRC\applications\vine -classpath !CLASSPATH! org.vinetoolkit.jobmanagertest.spi.impl.JobManagerTest 
somePasswordForCredential'

It is important to set 'vine.app.home' environment variable to declare Vine home directory. This way Vine Toolkit could be shipped with some standalone application a part of it. It is enough just to copy 'vine' directory form $VINESRC/applications.

IMPORTANT! Always remember about classloaders dependencies - Vine and its projects uses different technologies, different versions of jars - so please be careful with it, with the 'classpath' argument for the java and other jar libraries used by your standalone application.

Vine and Gridsphere

Install steps
In order to install Vine with Gridsphere, you need to install Gridsphere itself first. Then when it is deployed to the Tomcat successfully you can install Vine Toolkit. Note that you don't need to startup Gridsphere beforehand.

  1. Download Apache Tomcat 5.5.26 servlet container.
  2. Download GridSphere 3.1 portlet container.
  3. Unpack apache-tomcat-5.5.26.tar.gz and gridsphere-3.1-src.tgz archives.
  4. Assuming you have your directories created in the following manner: vine_test/tomcat vine_test/gridsphere
  5. Set $CATALINA_HOME environment variable pointing to your tomcat directory ( i.e. export $CATALINA_HOME="/home/user/vine_test/tomcat" ).
  6. Change directory to the vine_test/gridsphere
  7. Install Gridsphere: ant install
  8. After installation is complete you should have gridsphere directory created in the $CATALINA_HOME/webapps location.
  9. Turn off the session serialization. Replace the content of $CATALINA_HOME/webapps/gridsphere/META-INF/context.xml file with:
    
    <Context path="/gridsphere" debug="0" reloadable="false" crossContext="true">
             <Manager pathname=""/>
    </Context>
    
    
  10. Download the latest version of Vine Toolkit from our web page and unpack it.
  11. Alternatively fetch the latest version of Vine Toolkit from the SVN: svn co https://gforge.man.poznan.pl/svn/vine/vine/trunk vine
  12. Assuming you have the VT sources in the following location vine_test/vine.
  13. Change directory to the vine_test/vine
  14. Install Vine: ant install
  15. Choose the BlazeDs installer ( by entering its number ).
  16. After installation is complete you should have vine directory created in the $CATALINA_HOME/webapps location.

Startup procedure

  1. Change directory to the $CATALINA_HOME location.
  2. Startup tomcat: ./bin/startup.sh
  3. Open browser and go to the following url: http://localhost:8080/gridsphere
    Gridsphere db setupGridsphere db setup
  4. Choose the "Embedded database" for Gridsphere
  5. On the next page ( you will be redirected automatically ) create the first user - it will be the super user ( admin )
    Vine super user setupVine super user setup
  6. On the next page you will see the Gridsphere portal running with Vine portlets in the guest layout.
    Gridsphere loginGridsphere login
  7. Log in to the portal with the username/password you have used to create your super user.

Reinstall procedure

  1. Change directory to the $CATALINA_HOME location.
  2. Shut down tomcat: ./bin/shutdown.sh
  3. In order to reinstall Vine successfully before its next startup you have to delete $USER_HOME/.gridsphere directory to recreate Gridsphere's database as well.
  4. Reinstall Vine with: ant install or ant reinstall
  5. Note that your database for VT will be deleted during that procedure.

Vine and Liferay

Vine is designed to work with Liferay 5.2.3 and Tomcat 5.5.

In order to install Vine with Liferay you need:

Unpack your Liferay bundle and perform the following steps:

  1. Turn off the serialization in Tomcat:
    %LIFERAY%/tomcat-5.5.27/conf/Catalina/localhost/ROOT.xml uncomment '<Manager pathname="" />'
  2. Change directory to the %VINE_TOOLKIT_HOME% location.
  3. Install vine: ant install
  4. Choose the BlazeDs installer for Liferay 5.x
  5. Change directory to the %LIFERAY%/tomcat-5.5.27
  6. Start tomcat: ./bin/startup.sh
    Login LiferayLogin Liferay
  7. In the portal default user:password
    • joebloggs:test ( for the default Liferay database)
    • vine:vine ( no Liferay database)

Known issue: Please, note that currently Vine installation process involves creation (or overwriting if any) of Liferay portal-ext.properties file. This file could have been used by you to store e.g. Liferay database settings. If you want to preserve your old settings from this file please backup your portal-ext.properties file before Vine installation and copy its content into file generated by Vine.

Ant targets in Vine

This article depicts Ant targets prepared for the Vine build/deployment.

Each of targets could be executed in the %VINE_TOOLKIT_HOME% location by typing:

ant %TARGET_NAME%

Example:
ant install

Main Targets:

install - Installs the active installer.
It consists of several targets executed sequentially:

  1. ant fetch
  2. ant clean
  3. ant compile
  4. ant compile-flex
  5. ant jar
  6. ant deploy
  7. ant create-database

reinstall - Reinstalls the active installer.
It consists of several targets executed sequentially:

  1. ant clean
  2. ant compile
  3. ant compile-flex
  4. ant jar
  5. ant deploy
  6. ant create-database

upgrade - Upgrades the active installer.
It consists of several targets executed sequentially:

  1. ant fetch
  2. ant update

update - Updates the active installer.
It consists of several targets executed sequentially:

  1. ant clean
  2. ant compile
  3. ant compile-flex
  4. ant jar
  5. ant deploy

uninstall - Uninstalls the active installer from the portlet and servlet containers (vine webapp directory will be deleted).

Installation Targets:

display-installers - Displays available installers
default-installer - Displays current default installer
choose-installer - Changes default installer
clear-installer - Clears current default installer

Additional Targets (Useful for developers):

clean - Cleans the active installer
clean-deploy-jars - Cleans, compiles, jars and deploys jars for the active installer
compile - Compiles the active installer

compile-flex - Compiles Flex sources in the active installer
additional parameters:
-DflexComponent=component_name
-DallContainers=true/false

copy-flex - Copies component's swf to the configured servlet container
required parameter:
-DflexComponent=component_name

compile-deploy-jars - Compiles, jars and deploys jars for the active installer
deploy - Deploys the active installer
create-database - Creates new database for active installer

Compilation and deployment tips & tricks

Compilation options:

compiling specific flex component ( note, you have to deploy it manually ) - provide its name without .mxml suffix:

ant compile-flex -DflexComponent=ReferenceUIBackend

NOTICE: flexComponent option overrides software.installer.excludeFlex flag.

compiling flex components for all containers:

ant compile-flex -DallContainers=true

updating/checking out specific project (i.e. gria project):
ant fetch -Dproject=gria

checking out all projects from vine repository:
ant fetch-all

Custom user properties:

flag in installer preventing from flex sources compilation:

software.installer.excludeFlex=true

That is - if you add this flag to build.properties file in your installer's directory your flex source won't
be compiled, it's useful if you are making changes only in your server side logic. With this flag set to enabled you'll see the following message during the compilation process:

excludeFlex flag has been set - omitting flex sources compilation !!!

adding custom svn url for user project ( rolestest in our example ):

#----------------------------------------------------------
# Application projects
#----------------------------------------------------------
application.projects=rolestest

#----------------------------------------------------------
# Custom project svn url example
#----------------------------------------------------------
project.rolestest.svn.url=https://gforge.man.poznan.pl/svn/vinetoolkitorg/rolestest

Using Vine in a secure mode ( https ):

In order to setup Vine Flex components to work in a secure mode you need to add the application.web.secure flag set to true to your installer properties:

#----------------------------------------------------------
# Web aplication type
#----------------------------------------------------------
application.web.type=portlet

#----------------------------------------------------------
# Web aplication type
#----------------------------------------------------------
application.web.secure=true

In order to get everything working you need to recompile all of your flex components to make them compliant with new BlazeDs configuration file. To do so you need to get FlexSDK and configure it properly.

Last thing is to configure your servlet container properly ( generate valid certificate etc. ).

Preventing from the Flex sources compilation:

add the following line to your mxml source code:

<!--finalVersion-->

Database configuration

MySQL conifguration

## Hibernate setings

hibernate.show_sql=false
#hibernate.connection.pool_size=40
hibernate.connection.autocommit=true
hibernate.connection.shutdown=true
hibernate.cache.provider_class=org.hibernate.cache.EhCacheProvider
hibernate.connection.provider_class=org.hibernate.connection.C3P0ConnectionProvider
hibernate.c3p0.min_size=0
hibernate.c3p0.max_size=100
hibernate.c3p0.timeout=300
hibernate.c3p0.max_statements=100
hibernate.c3p0.idle_test_period=100
hibernate.c3p0.idleConnectionTestPeriod=100

## HSQL database

#hibernate.dialect=org.hibernate.dialect.HSQLDialect
#hibernate.connection.username=sa
#hibernate.connection.password=
#hibernate.connection.url=jdbc:hsqldb:@APPLICATION@@DATABASE@
#hibernate.connection.driver_class=org.hsqldb.jdbcDriver

## MySQL database

hibernate.dialect org.hibernate.dialect.MySQLDialect
#hibernate.connection.driver_class org.gjt.mm.mysql.Driver
hibernate.connection.driver_class com.mysql.jdbc.Driver
hibernate.connection.url=jdbc:mysql://localhost:3306/vine
hibernate.connection.username root
hibernate.connection.password topsecret

## Postresql database

#hibernate.connection.provider_class=org.hibernate.connection.C3P0ConnectionProvider

#hibernate.dialect org.hibernate.dialect.PostgreSQLDialect
#hibernate.connection.driver_class org.postgresql.Driver
#hibernate.connection.url=jdbc:postgresql://localhost/vine
#hibernate.connection.username postgres
#hibernate.connection.password

Vine configuration - HSQL DB tuning

By default Vine uses HSQL database. In general the default settings are used, but if required it is possible to change them after Vine installation.

The HSQL Vine DB configuration file is located here:

$PORTAL_HOME\webapps\vine\WEB-INF\vine\persistence\database\vine.properties

Inside there are numerous HSQL DB settings.

One of it is particularly interesting:

hsqldb.default_table_type=memory

By default is set to 'memory'. It means all tables are loaded to the memory heap during the start up. In case of really big set of data it could be some problem. So if used Vine HSQL DB is getting large the value can be changed to 'cached'. Then most data are stored in DB data file and only some part is instantiated in memory. It could save a lot of heap memory but can slow down DB access a little.

Different HSQL table types are described here.

The HSQL documentation explains other settings, check here (section called 'Individual Database Properties').

External jar handling

Vine has 2 major source trees. It allows user to import external jars which are used by Vine sources. This section depicts how they will be used and deployed assuming two locations:

  • $VINE for the root vine ( or project ) directory,
  • @PROJECT_NAME@ for the current project which is being processed
  • $CATALINA_HOME for the root servlet container directory.
Source location $VINE Destination location $CATALINA_HOME
src/main/app/config/lib webapps/vine/WEB-INF/vine/projects/@PROJECT_NAME@/lib
src/main/app/config/lib/shared webapps/vine/WEB-INF/vine/lib
src/main/app/config/lib/public shared/lib
src/web/app/WEB-INF/lib webapps/vine/WEB-INF/vine/projects/@PROJECT_NAME@/lib
src/web/app/WEB-INF/lib/shared webapps/vine/WEB-INF/vine/lib
src/web/app/WEB-INF/lib/public shared/lib
src/web/app/WEB-INF/lib/webapp webapps/vine/WEB-INF/lib

Note:
For the detailed information concerning this topic look at:

SourceBuild.groovy:deployJars()

Tomcat configuration

Domain.xml configuration

Domain.xml - the basics

Domain.xml is a key configuration point in the Vine ecosystem. Here we'll try to explain all major elements of this file.

Here it's a basic Domain.xml file with the basic resources configured:

<domain name="test" label="Test domain" description="Vine Test domain">

    <!-- Portlet authentication -->
    <authenticationModule key="PortletAuthModule"/>
    <!-- Role resource -->
    <vineRoleResource/>

    <!-- Portal -->
    <hostResource name="portal"
                  hostname="localhost"
                  label="Portal"
                  description="Portal">

        <!-- Portal file system -->
        <portalFileSystem label="Portal File System" description="Portal File System"/>
        
        <accountResource name="AccountManager"
                         label="Account"
                         description="Account Manager"/>
    </hostResource>

</domain>

domain: resembles the name space concept, in the future will extend this to include a support for the cases with multiple domains, domains inheritance etc.

authentication module: logic responsible for the user authentication, we have the basic authentication module "PortletAuthModule" which relies on the GridSphere authentication routines and checks whether user was successfully authenticated by GridSphere. Apart from that, we've developped several authentication modules for the grid applications ( i.e. authentication against MyProxy ) or general one ( i.e. Active Directory authentication module ). You can have several authentication modules configured simultaneously. Detailed description available here.

Bear in mind that currently if at least one authentication module succeed user is being authenticated.

vineRoleResource: it's the mandatory resource required by Vine's authorization system. It manages of users' roles and access rights to the underlying resources. Could have separate plugins to propagate informations to i.e. middleware resources ( currently we're supporting Gria Data Manager and DMS ).

hostResource: this is the most common used resource. It more or less conforms to the physical host machine with some services installed on it.

In our example there is one mandatory hostResource with localhost hostname attribute. It's important to have this one configured because of the portalFileSystem - Vine internal implementation of file system which has to have localhost url ( taken from the hostname attribute from its parent resource ).

Some descriptive attributes of the 'hostResource' could be useful and possible to use in web applications:
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

accountResource: responsible for users management, if you want to have a real authorization of users you should configure such one in your localhost hostResource. In other case Vine will use its mockup component to simulate that process.

So even if your host machine has its own domain name you should leave this element and add another hostResource with the hostname set to you domain.

hostResource acts as a container or parent resource. Thus you're able to define different child resources within it. The main advantage of such solution is that children have an access to their parent's attributes so you don't need to duplicate your attributes for every resource.

Domain.xml - multi-domain configuration

Resources in Vine can be structured as multi-domains. It could be useful if you want to distinguish resources in different locations like departments, cities, countries etc. You can use it to filter visible resources for logged in users. So in general you have one main root domain as so far and you can define additional ones as some kind of sub domains by using general paradigm like "domain rule" - everything is explained below:

Firstly the main Domain.xml (root domain), which is loacated in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\:

<domain name="MAINDOMAIN" label="Main domain" description="Main domain description">

    <!-- Authentication modues - are common for all domains -->
    <!-- Portlet authentication -->
    <authenticationModule key="PortletAuthModule"
                          order="1"/>

    <!-- Credential repository authentication -->
    <authenticationModule key="CredentialRepositoryAuthModule" order="3"/>

    <authenticationModule key="VomsDefaultCredentialAuthModule" order="4"/>

    <!-- Vine Role Manager - if not exists it is added automatically -->
    <vineRoleResource/>

    <!-- Portal - if not exists it is added automatically-->
    <hostResource name="portal"
                  hostname="localhost"
                  label="Localhost Portal"
                  description="Portal">

        <!-- Portal file system -->
        <portalFileSystem label="Portal File System" description="Portal File System"/>

        <!-- Account manager -->
        <accountResource name="GuestAccountManager"
                         label="Guest Account"
                         description="Guest Account Manager">

            <gridsphereRegistrationResource name="GridsphereRegistration"
                                            label="GridsphereRegistration"/>

        </accountResource>

    </hostResource>

    <!-- PSNC organization - resources can be grouped in organizations -->
    <organization name="PSNC"
                  label="PSNC"
                  description="Poznan Supercomputing and Networking Center"
                  image1-small-url="/vineportlets/hpceuropa/psnc/PsncLogo.jpg"
                  image1-small-label="PSNC"
                  image1-url="/vineportlets/hpceuropa/psnc/PsncBuilding.jpg"
                  image1-label="PSNC"
                  html-url="/hpceuropa/psnc/psnc.jsp">

    <!-- Seagrass Cluster -->
    <hostResource name="Seagrass"
                  hostname="seagrass.man.poznan.pl"
                  label="PSNC Seagrass"
                  description="Linux Host (2 CPUs)">

        <!-- GridFtp -->
        <gridftpResource label="PSNC Seagrass (Grid-FTP)"/>

        <!-- MyProxy -->
        <myproxyResource name="PSNC_MyProxy" label="PSNC_MyProxy" useCredential="false" checkConnection="true"
                         timeoutMiliseconds="5000"/>

    <</hostResource>

    <!-- omiidemo -->
    <hostResource name="omiidemo"
                  hostname="omiidemo.man.poznan.pl"
                  label="PSNC OMII Demo Machine"
                  description="Linux Host (2 CPUs)">

        <!-- GridFtp -->
        <gridftpResource label="PSNC OMII-Demo (Grid-FTP)" description="Some description"/>

        <!-- WS-GRAM -->
        <wsGramResource label="PSNC OMII-Demo (WS-GRAM)" port="8443">

            <resourceAttribute name="description" value="GT4"/>
            <!-- possible values: FORK, LSF, PBS, MULTI, CONDOR -->
            <resourceAttribute name="factoryType" value="FORK"/>
            <resourceAttribute name="WsrfResource.AuthorizationType" value="host"/>
            <resourceAttribute name="WsrfResource.DelegationEnabled" value="true"/>
            <resourceAttribute name="WsrfResource.MessageProtectionType" value="2"/>

        </wsGramResource>

    </hostResource>

    </organization>

</domain>
</cite>

The security mechanisms are common for the whole portal - vine role manager, authentication modules and localhost with account manager and registration modules. Special file resource (also configured on localhost) - Portal File System is also shared among domains.

So these things are the same in all defined domains - should be defined in the root domain (Domain.xml in the $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources directory)

So how we can define some sub domain now? This is very simple:

We have to create a new directory for it in location: $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\.
So we will create a directory called "PSNC" like the sub domain name.

And we have to create a file Domain.xml within it with such content:

<domain name="PSNC" label="PSNC Domain">
    <domain-rule value="%PSNC%"/>
</domain>

So as you can see we can define so called domain rules.

Domain rule let you define some substring of the resource distinguish name (resource DN) which will be accessible within the given domain.
Every resource has attribute called "name" which always is included in the DN of the resource. So if we have here rule like this:

    <domain-rule value="%portal%"/>

it means every resource with name containing "portal" will be included here - this is a localhost which is required actually (it is added automatically so it doesn't have to be added manually)

    <domain-rule value="%PSNC%"/>

it means that every resource with name containing "PSNC" will be included or which is contained by the organization with such substring in its name attribute.

Organizations are very useful here. You can group resources within the organizations and then you can build simple domain rule which contains its name as the value
like <domain-rule value="%PSNC%"/> - it will include all resources in the PSNC organization from the root domain.

Apart from domain rules it is possible to specify resources in normal way as in the root domain - all resources are merged later in the root domain (it always sums up all resources spread over all sub domains).

The gridsphere login portlet (GridSphereLoginPortlet) shipped with Vine Toolkit support multi-domain configuration so user can choose the desired domain while logging in (it is set in session pramateres). Then all resource are filtered by use of domain rules and user can see and access only filtered resources.

Portal framework integration

Gridsphere 3.1

Liferay 5.2.3

Secuirity components

Authentication modules

Authentication module (AM) mechanism has been designed to enable portal administrator to add custom policies executed upon user log in action.

As you will see in the following examples, authentication modules can coexist with each other. In order to make sure they are invoked in a desired way we have added an 'order' attribute to the AM element.

Second thing worth to remember is that we assume user is logged in when at least one authentication module performed user authentication successfully.

Below we present authentication modules provided by Vine Toolkit.

CredentialRepositoryAuthModule

Description:

Adds user which already have a portal account to Vine as well ( to enable him to use Vine services ).

Workflow of CredentialRepositoryAuthModule:

  1. Tries to retrieve a credential from MyProxy server with a given name/password pair.
  2. Check credential Dn against user account mapping. If it is correct, enables credential for the user.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Credential repository authentication -->
    <authenticationModule key="CredentialRepositoryAuthModule"
                          order="1"/>


    .....
    .....

</domain>

GSSDemoCertAuthModule

Description:

Adds user which already have a portal account to Vine as well ( to enable him to use Vine services ).

Workflow of GSSDemoCertAuthModule:

  1. Check whether user exists in the Vine Toolkit database.
  2. Check for the user certificate/key stored in portal.
  3. Tries to create user credential with given certificate/key and username/password values.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Demo GSS certificate authentication -->
    <authenticationModule key="GSSDemoCertAuthModule"
                          order="1"/>


    .....
    .....

</domain>

OnFlyAccountAuthModule

Description:

Adds user which already have a portal account to Vine as well ( to enable him to use Vine services ).

Workflow of OnFlyAccountAuthModule:

  1. Looks in the request for the portletAuthenticatedattribute set to true which means that user has been successfully authentication in the portlet container.
  2. Search for the user in the Vine Toolkit database with a given username. In case there is such a user it finish his work. Opposite it tries to create a new Vine user with given username/passoword.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Import portal users to the Vine -->
    <authenticationModule key="OnFlyAccountAuthModule"
                          order="1"/>


    .....
    .....

</domain>

PortletAuthModule

Description:

Looks in the request for the portletAuthenticated and previouslyAuthenticated attributes set to true. In other words it depends on the authentication mechanisms from the hosting portlet container.

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <!-- Portlet authentication -->
    <authenticationModule key="PortletAuthModule"
                          order="1"/>


    .....
    .....

</domain>

VomsDefaultCredentialAuthModule

Description:

Adds user which already have a portal account to Vine as well ( to enable him to use Vine services ).

Workflow of VomsDefaultCredentialAuthModule:

  1. Check whether user exists in the Vine Toolkit database.
  2. Check for the user certificate/key stored in portal.
  3. Tries to create user credential with given certificate/key and username/password values ( with GSIConstants.GSI_2_PROXY type ).

Configuration:

Direct child of domain element in the Domain.xml

Example:

<domain name="blazeds" label="BlazeDs" description="Vine ( Adobe Flex with BlazeDs ) showcase">

    <authenticationModule key="VomsDefaultCredentialAuthModule"
                          order="1"/>


    .....
    .....

</domain>

Registration resources

Vine Toolkit has got a set of registration modules which allows to register users on some resources. These registration resources are:

  • GridsphereRegistrationResource - allows adding new users to Gridsphere portal.
  • GssCertificateRegistrationResource - creates x509 certificate and key pair for a new user.
  • Gt4RegistrationResource - creates a user account on Globus Toolkit 4 host machine.
  • GriaRegistrationResource - create a user account in Gria 5.3 Trade Account Service.
  • Unicore6RegistrationResource - creates a user account on Unicore 6 host machine.
  • DmsRegistrationResource - register a user on Data Management Service.
  • VomsRegistrationResource - register a user to Virtual Organization Membership Service.

To create new users and register them to mentioned resources Domain.xml file should has proper entries. Part of Domain.xml file which describes portal hostResource should has an accountResource added and needed registration resouces entries. Example:

    <hostResource name="portal"
                  hostname="localhost"
                  label="Portal"
                  description="Portal">

	<!-- Account manager -->
        <accountResource name="GuestAccountManager"
                         label="Guest Account"
                         description="Guest Account Manager">
        
            <gridsphereRegistrationResource name="GridsphereRegistration"
                                            label="GridsphereRegistration"/>

            <!-- GSS demo certificate registration -->
            <gssCertificateRegistrationResource name="GssDemoCertRegistration"
                                                label="GssDemoCertRegistration"
                                                caCertFilePath="/home/user/ca/cacert.pem"
                                                caKeyFilePath="/home/user/ca/cakey.pem"
                                                caKeyPassword="secret"/>
            <!-- GT4 registration -->
            <gt4RegistrationResource name="Gt4Registration"
                                     label="Gt4Registration"
                                     targetHost="yourhost.pl"
                                     superUserName="adminuser"
                                     mkdirCmd="/home/adminuser/bin/mkdir"
                                     chownCmd="/home/adminuser/bin/chown"
                                     gridMapfileAddEntryCmd="sudo /usr/local/globus/gt404/sbin/grid-mapfile-add-entry"
                                     gridMapfileDelEntryCmd="sudo /usr/local/globus/gt404/sbin/grid-mapfile-delete-entry"/>
        </accountResource>
    </hostResource>

By default user who creates a new account will be automatically registered to all registration resources which are in Domain.xml file and will have an access to his account. This solution was made just for test purposes. If portal administrator wants to have more control on each user account accountResource should have a flag accountActivationAutomatic set to false:

	<!-- Account manager -->
        <accountResource name="GuestAccountManager"
                         label="Guest Account"
                         accountActivationAutomatic="false"
                         description="Guest Account Manager">
        
                [.....]

        </accountResource>

This option allows portal administrator to activate and deactivate user accounts. If flag accountActivateionAutomatic is set to false newly created user accounts are inactive. User is registered to needed registration resources but his/her account has to be approved by portal administrator.

UserRegistrationApp is an application which allows to create requests for new accounts in Vine.
If flag accountActivateionAutomatic in Domain.xml file isn't set or is set to true users have their accounts activated automatically. Portal administrator in UserManagementApp portlet activate newly created accounts requests. Also in UserManagementApp administrator has got option for deactivate user account and edit his/her profile information.

Services configuration

Vine Toolkit core project

Portal Keystore Resource

It is possible to define global keystore/truststore - so called portal keystore (it could be used for example within unicore6/bes/gria plugin as both keystore and truststore).

Portal keystore is a JKS type file which consist of portal public cert and private key.
If it is used also as a truststore then it should contain all trusted public certificates which are required.

Configuration:

Locate Domain.xml configuration file (in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Localhost entry should be added or exist.

"portalKeystoreResource" should be added to the localhost host entry like this:

    <!-- Portal -->
    <hostResource name="portal"
                  hostname="localhost"
                  label="Portal"
                  description="Portal">

        <!-- some other resources like portalFileSystem, accountResource etc.
        .....
        .....
        -->

        <portalKeystoreResource name="PortalKeystore"
                                portalKeystorePath="/some_path_to_the_portal_keystore/portalKeystore.ks"
                                alias="portalAlias"/>

    </hostResource>

Attributes:
- name - name which can be used within the distinguish names of the resources
- portalKeystorePath - path to the JKS keystore
- alias - alias for the certificate to use from the keystore

Password for security reasons is defined in separate configuration file:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\vine\classes\PortalKeystore.properties
which consist of one line with parameter: portalKeystorePassword=some_keystore_password

Grid

Vine projects:

  • grid

Certificate Manager

Certificate Manager [certman] is a sub-project of Vine Toolkit. It works independently from the main framework to be used when user would like to manage his/her certificate/credential in a convenient way.

Main task of the certman application is creating user credential based on the installed certificate and delegating it to the remote MyProxy server. User certificate can exist as a pair of pem files or a ketstore of the p12 or jks format. It is possible also to load certificate from browser keystore - this functionality works well under windows and linux systems. Under Windows it is possible to load certificate from Internet Explorer or Firefox browser or any other which uses standard system certificate keystore like Chrome. Under Linux system it is possible to use Firefox keystore if it is installed. It should be also possible under Mac OS but it depends strongly from Firefox version and it is hard to predict how it will work - there could be some problems in JWS mode but it should work in standalone mode if DYLD_LIBRARY_PATH is set properly before running the tool.



How to run it:

The certificate manager could be used as Java Web Start or standalone application.

Standalone mode:
The standalone mode is possible after the sources are downloaded (from svn or bundled package).

To get it from svn try this (svn client has to be available):

svn co https://gforge.man.poznan.pl/svn/vine/certman/trunk certman

And later it is enough to run command 'ant run' to run certman in standalone mode.

The certificate selection from Firefox browser should work under Mac OS if DYLD_LIBRARY_PATH environment variable is set before running the tool with directory path pointing to the Firtefox directory, by default it is: /Applications/Firefox.app/Contents/MacOS/

Java Web Start mode:

Such component has to be prepared by the portal administartor and put as separate web application in webapps directory of the portal framework container.

To build the component you can use svn sources as described earlier. And additionally use the prepared bundle of the latest release. The package can be downloaded here:

Latest certman bundle

The bundle contains 3 directories: certman, jarsigner and test

To prepare JWS distribution such steps are required:

1. go to the certman directory (could be bundled version or sources taken from svn)

2. There is a file config.properties in the src directory. MyProxy servers should be added inside properly like this:

myproxy.names=PSNC_Fury_MyProxy
myproxy.PSNC_Fury_MyProxy.hostname=fury.man.poznan.pl
myproxy.PSNC_Fury_MyProxy.description=Computing Cluster

It is possible to add more MyProxy servers - in myproxy.names after comma (,) you can add more names and specify them under accordingly to the example.
After it the properties file will be bundled inside the certman.jar. As the jars are signed later it is required to do this configuration at the beginning of preparing JWS distibution.

3. type 'ant dist'

4. copy all jars from the certman/dist/lib directory to the jarsigner/jars ( except the certificates.jar )

5. go to the jarsigner directory

6. type 'ant stage'

7. type 'ant sign'

8. copy all jars from the jarsigner/signed directory to the test/signed ( except the vine_1.0.2_grid_main-jce-jdk13-131.jar )

9. go to the test/signed directory

10. type './jnlp.pl' ( notice perl interpreter is required here )

11. copy the remaining vine_1.0.2_grid_main-jce-jdk13-131.jar from the jarsigner/signed directory to the test/signed

12. copy the test directory to the $CATALINA_HOME/webapps

13. in the $CATALINA_HOME/webapps directory edit certman.jnlp and jce.jnlp codebase attribute to point to your hostname:port

14. in your browser go to the addres http://HOSTNAME:PORT/test/signed/certman.jnlp to access certificate manager web start application

NOTES:

You need to have yours CA cert file in the /etc/grid-security/certificates in order to send credentials to the myproxy server. This directory is used to create certificates.jar file in the step no 5 ( ant stage ).

If you are using standalone version only, you should recreate certificates.jar file by goint to the jarsigner directory and typing ant stage. As a result you obtain certificates.jar file in the jarsigner/signed directory. Then copy that file to the certman/lib and overwrite the existing one.

So at the and you can copy the content of the test directory to the target portal container webapps location. It is required that paths located in the jnlp files are valid and match the target directory name.



How to use it:

The welcome screen looks like this after running the application:

Welcome screen

The second part of the screen shows information about configured certificate - it means that pem files pair has been found in the user's profile in the ".globus" directory with standard names: usercert.pem and userkey.pem. If the certificate is not detected then apllication shows up with the certificate configuration screen instead.

At the top there is information about target MyProxy server - it is possible to configure many instances if desired in file config.properties available in sources directory.

The Manage Credential tab allows to store proxy certificate in the MyProxy server chosen above. User can set such options:

  • Proxy type - user is able to choose the prxy certificate type - the default one is 'Full legacy globus proxy'. It will be rather rare requirement to change it - depends from given grid infrastructure requirements. The default type should work everywhere the proxies are supported.
  • Username - user name on the MyProxy server under which the proxy will be placed
  • Private Key Password - password for the local user's private key in case of pem certificate; The field is disabled if keystore is used.
  • Credential lifetime - proxy certificate lifetime delegated to the MyProxy server (in hours)
  • Proxy lifetime - proxy certificate lifetime after retrieval from the MyProxy server (in hours) - it is shorter or equal to the credential lifetime
  • Use the same password as certificate password - the same password is used for MyProxy account as for local user's private key, from security reasons it is better to set other password
  • Use DN as username - the username field is not used and the distingiush name of the user's certificate is used instead

Below there are two buttons:

  • Activate credential - proxy certificate is created and put in MyProxy server
  • Deactivate credential - proxy certificate is removed from MyProxy server

During credential activation password dialog is shown up:

MyProxy account password

And after success a confirmation is presented:

MyProxy activation success

In case of deactivation user does not have to set any password. User has to have a valid certificate configured in the certificate manager.

And after successful deactivation a confirmation is presented:

MyProxy account password



Configuration of the user's certificate.

PEM files configuration

This tab let you to configure local user's certificate (IMPORTANT! Local user's key certificate is used only locally).

The 'Certificate status' field shows if certificate is properly loaded showing the CN part of the certificate DN.

There are two paths to set up - one for the public certificate pem file and the second for the private key pem file.
Certman tries to detect the files in a standard location in user's profile ".globus" directory - the default names are: usercert.pem and userkey.pem

If files are not detected the paths could be set manually using the "Get path" buttons. The browse files dialog is shown in that case:

PEM file path setting

After the path are valid the certificate could be loaded by using "Set Certificate / Key Paths".

If the certificate is properly loaded the bottom part of the form is filled up with certificate details.

Keystore

Keystore setting

To configure certificate from keystore "Use certificate keystore" radio button option should be enabled. After this the tab from is changed.
There are two filelds to be set: keystore file path and keystore password. Keystore path is set through browse file dialog activated by the "Get path" button:

Keystore file path setting

After the path and the password is set the "Set keystore" button loads the keystore and sets the certificate.

Other option is to choose keystore from detected browser. In order to do that user should click on "Web browser keystore selector" button.
The browser selection dialog will appear:

Browser selection

After selecting the browser user sees other dialog with a list of certificates available within the browser's keystor.

Cert selection

After successful browser keystore configuration the keystore path and password are disabled to indicate that browser is the source of the certificate. In any moment it is possible to set keystore from regular file by using "Get path" button.

Cert from browser

After the certificate is finally configured user can go back to the "Manage Credential" tab to upload proxy certificate to the MyProxy server. In case of keystore as a source of user's certificate "Private Key Password" is disabled as the keystore password is used instead.

Credential Repository auth module

1. Credential repository authentication uses MyProxy server. User holds his/her delegated credentials in the MyProxy server.
The globus certificate is retrieved from the MyProxy server and used within deployed applications and plugins as user's credentials.

MyProxy resource should be defined - read here.

2. Configuration:

Vine installer must contain grid, gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, ... some other projects

If there is no grid and gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

4.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

The authentication module should be added as a direct child of the root Domain like this:

    <authenticationModule key="CredentialRepositoryAuthModule" order="1"/>

Attributes:
- order - order number, authentication modules can be processed in the order configured by this attribute

It should not exist with VomsCredentialRepositoryAuthModule at the same time as it takes its role.

Default Credential auth module

1. Default Credential authentication creates user proxy certificate locally from user public certificate and private key located in the user's home directory in the ".globus" location (user who runs the vine toolkit instance for example in the portal).
Password of the portal user has to be the same as for private key (passed by the log in action in user's session).

Proxy certificate is used within deployed applications and plugins as user's credentials.

Information rather for developers:
The default location of the user certificate could be changed and set in session parameters:

gssCertificateFile - public cert path
gssPrivateKeyFile - private key path
gssCredentialLifetime - credential life time in ms

2. Configuration:

Vine installer must contain grid, gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, ... some other projects

If there is no grid and gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

4.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

The authentication module should be added as a direct child of the root Domain like this:

    <authenticationModule key="DefaultCredentialAuthModule" order="1"/>

Attributes:
- order - order number, authentication modules can be processed in the order configured by this attribute

It should not exist with VomsDefaultCredentialAuthModule at the same time as it takes its role.

GridSsh resource and applet

1. gridSshResource is used to mark its parent host as a GSI-enabled ssh resource.

2. Configuration:

Vine installer must contain 'grid,gt2' projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid,gt2 ... some other projects

If there is no grid or gt2 project in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

gridSshResource should be defined in the Domain.xml inside a hostResource.

The example below shows the host resource which has gridSshResource configured.

    <hostResource name="omiidemo"
                  hostname="omiidemo.man.poznan.pl"
                  label="Omii Demo Machine"
                  description="Linux Host (2 CPUs)">
        <gridSshResource/>

    </hostResource>

3. SshTerm Applet

GridSsh AppletGridSsh Applet

3.1 In order to use SshTermApplet it's required to have:

  • at least one gridSshResource configured within a hostResource
  • active user credential in a portal ( fetched with the Credential Manager application or obtained automatically when SSO is configured properly )

3.2 Usage

Depending on your installer you will have your SshTermApplet in the default portal layout or you need to add your portlet manually. In Gridsphere you need to go to the Layout tab and add the following portlet 'vine - SshTermApplet'.

Then you should have have your portlet included into the desired layout. While applet is loading you need to grant it with an access to your local environment ( it is signed by us ). After this step applet will attempt to connect to the first resource you have defined in your Domain.xml file.

Note: GSI-SSHTerm uses certificates stored in the $USER_HOME/.globus/certificates directory in order to authenticate against MyProxy server. Make sure to have the required certificates in the mentioned directory.

Project's homepage: GSI-SSHTerm Application.

GssCertConfiguration

1. Gss cert configuration resource is used to configure credentials which can be used by some plugins or Vine sub components.
It could be a proxy certificate or key and public cert pair.

2. Configuration:

Vine installer must contain 'grid' project on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid ... some other projects

If there is no grid project in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

gssCertConfiguration should be defined once in the Domain.xml for example inside some hostResource or directly as a child of the root domain.
The example below shows the WsMDS component which uses gssCertConfiguration configuration to query the MDS service.

    <hostResource name="rumex"
                  hostname="rumex.man.poznan.pl"
                  label="Rumex Demo Machine"
                  description="Linux Host (2 CPUs)">

        <!--WS MDS Globus 4.0.X-->
        <wsMdsResource label="PSNC (WS-MDS)"/>

        <gssCertConfiguration proxyFile="c:\x509up_u_dejw"/>

    </hostResource>

2.1.1. gssCertConfiguration attributes

Attributes:
- order - order number, resources are sorted against "listing order"
- description - some description

Attributes for configuring proxy certificate file or public/private certificate (these are used by WsMDS resource for example):

- proxyFile - proxy certificate file
- applicationCertFile - public certificate
- applicationKeyFile - private key certificate
- passphrase - password for the private key certificate

So it should be defined 'proxyFile' if proxy certificate is accessible or other three attributes to create one from public cert and key pair.

Settings used by MyProxy resource only (MyProxy common account):

- myProxyUserName - MyProxy server user name
- myProxyPassword - MyProxy server user password
- myProxyCredentialName - credential name
- credLifetime - retrieved credential life time

How to configure a custom CA?

Obviously, it is possible to configure the Vine Toolkit to use a custom Certificate Authority.

To take advantage of this possibility portal installer configuration file, build.properties, should be modified. The list of projects must contain grid and gt2. It is very important to add both projects together!
Exemplary list of projects can be seen below:

#----------------------------------------------------------
# Application projects
#----------------------------------------------------------
application.projects=grid,activedirectory,gt2

Necessary modifications should also be introduced into Domain.xml file.
Firstly, the list of authentication modules must be extended by GSSDemoCertAuthModule, as in the example:

    <authenticationModule key="PortletAuthModule" priority="1"/>
    <authenticationModule key="ActiveDirectoryAuthModule" priority="2"/>
    <authenticationModule key="GSSDemoCertAuthModule" priority="3"/>

Secondly, we should load our custom properties file ( explained in details later ):

    <propertiesResource loadDefaultProviders="true">
        <filePropertiesProviderResource name="GSSDemoCertPropertiesProvider" label="GSS Demo Cert Properties Provider"
                                        fileName="gss_demo_cert_properties.properties" order="2" readOnly="true"
                                        confidentialityFilename="gss_demo_cert_properties_confidentiality.properties"/>
    </propertiesResource>

Thirdly, a GssCertificateRegistrationResource should be added and properly configured for the portal in the Domain.xml file.

    <!-- Portal -->
    <hostResource name="portal"
                  hostname="localhost"
                  label="Portal"
                  description="Portal">

        <!-- Account manager -->
        <accountResource name="AuthAccountManager"
                         label="Auth Account"
                         description="Auth Account Manager">

            <!-- GSS demo certificate registration -->
            <gssCertificateRegistrationResource name="GssDemoCertRegistration"
                                                 caCertFilePath="/CustomCA/cacert.pem"
                                                 caKeyFilePath="/CustomCA/private/cakey.pem"
                                                 storeCredentialInRepository="false"/>
                                            
        </accountResource>              				
    </hostResource>

And that is almost everything. Almost, because in the example presented above, the CA password is missing. The password is not read from the Domain.xml file, but from separate gss_demo_cert_properties.properties file. It is located in the grid project in path:

vine/installers/{installer_name}/WEB-INF/vine/properties/gss_demo_cert_properties.properties

And should have the following content:

caKeyPassword=the_CA_password

Technical process of creating a new CA is quite simple. Appropriate example script and its configuration file are attached below. It is enough to edit these files to adapt them to particular requirements and run the script.

GRIA

Vine projects:

  • gria extends grid

GRIA Data Service

Vine supports GRIA 5.3, below you can check how to configure the plugin. We assume the GRIA server is configured well.

1. GRIA 5.3 server version is supported

2. Configuration:

Vine installer must contain gria, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=gria, grid, gt2, ... some other projects

If there is no gria, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later gria services have to be defined in such way:

    <hostResource name="some_host_name"
                   hostname="host_dns_name"
                   label="some_host_label"
                   description="some_description">

        <!-- gria data resource -->
        <griaDataResource name="gria53" label="Larix (GRIA)" port="444" protocol="https"
                                servicePath="/gria-basic-app-services/services/DataService">

        </griaDataResource>

    </hostResource>

2.1.1. griaDataResource - defines gria data resource used for data management

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):

JKS keystore ('keystoreFile') is used by the GRIA client for connection

- keystoreFile - relative path to the keystore file, the root directory is: $PORTAL_HOME\webapps\vine\WEB-INF\
custom keystore could be put inside /classes/vine/gria/ directory
for example:

            <resourceAttribute name="keystoreFile" value="/classes/vine/gria/portaltest.ks"/>

The whole final path will be:

$PORTAL_HOME/webapps/vine/WEB-INF/classes/vine/gria/portaltest.ks

The keystore should contain also all required trusted CA certificates.

- keystorePassword - keystore password
- keystoreUser - keystore alias

Additional owner keystore (contains additional owner public certificate, CA certificate for the owner certificate):

- keystore - path to the keystore with additional owner public certificate
- ownerAlias - alias for the additional owner public certificate
- caAlias - alias of the CA certificate in the keystore

Default values for the three attributes could be defined in '$PORTAL_HOME/webapps/vine/WEB-INF/vine/projects/gria/classes/vine/gria/gria.properties'.

If the owner keystore is defined then additional policy rule is created on uploaded data giving access for the owner certificate.

If proxy certificate of the user is accessible also then plugin sets additional policy rule to add user as the owner.

2.1.2 Global portal keystore/truststore

The global keystore/truststore - so called portal keystore could be used within gria plugin as both keystore and truststore.

For details look here

To make gria plugin work with the global keystore the all keystore related attributes must be absent.

GRIA Job Service

Vine supports GRIA 5.3, below you can check how to configure the plugin. We assume the GRIA server is configured well.

1. GRIA 5.3 server version is supported.

Proxy certificates are not supported natively by the GRIA middleware so plugin works with the common keystore for every user connection.

2. Configuration:

Vine installer must contain gria, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=gria, grid, gt2, ... some other projects

If there is no gria, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later gria services have to be defined in such way:

    <hostResource name="some_host_name"
                   hostname="host_dns_name"
                   label="some_host_label"
                   description="some_description">

        <!-- GRIA job resource -->
        <griaJobResource name="gria53" label="Larix (GRIA)" port="8787" protocol="https"
                                servicePath="/gria-basic-app-services/services/JobService">

        </griaJobResource>

    </hostResource>

2.1.1. griaJobResource - defines gria job resource used for job submission and control

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):

JKS keystore ('keystoreFile') is used by the GRIA client for connection.

- keystoreFile - relative path to the keystore file, the root directory is: '$PORTAL_HOME\webapps\vine\WEB-INF\'
custom keystore could be put inside '/classes/vine/gria/' directory
for example:

            <resourceAttribute name="keystoreFile" value="/classes/vine/gria/portaltest.ks"/>

The whole final path will be:

$PORTAL_HOME/webapps/vine/WEB-INF/classes/vine/gria/portaltest.ks

The keystore should contain also all required trusted CA certificates.

- keystorePassword - keystore password
- keystoreUser - keystore alias

2.1.2 Global portal keystore/truststore

The global keystore/truststore - so called portal keystore could be used within gria plugin as both keystore and truststore.

For details look here

To make gria plugin work with the global keystore the all keystore related attributes must be absent.

3. JSDL definition

Application to run has to be pointed by the "ApplicationName" JSDL element and must be defined on the server side in the metadata file.

The number and order of the JSDL DataStaging elements must be the same as in the metadata describing given application on the GRIA server side.
Also the names of the files should be the same as in the metadata description.

For example:

The metadata job description looks like this:

<GriaApplicationDescription xmlns="http://www.it-innovation.soton.ac.uk/2007/grid/application">

        <JobServiceMinVersion>5.2</JobServiceMinVersion>

        <Application>
                <Description>Application to swirl an image</Description>
                <ApplicationName>http://it-innovation.soton.ac.uk/grid/imagemagick/swirl</ApplicationName>
                <ApplicationVersion>2.0-1</ApplicationVersion>
                <Group>graphics</Group>
                <Keywords>imagemagick, example</Keywords>
        </Application>

        <DataStagers>
                <DataStager type="input" name="inputImage">
                        <Description>Input image to be swirled</Description>
                        <MimeType>image</MimeType>
                </DataStager>

                <DataStager type="output" name="outputImage">
                        <Description>Swirled image</Description>
                        <MimeType>image</MimeType>
                </DataStager>
        </DataStagers>

</GriaApplicationDescription>

Then input JSDL file should look like this:

<JobDefinition xmlns="http://schemas.ggf.org/jsdl/2005/11/jsdl">
    <JobDescription>
        <Application>
            <ApplicationName>http://it-innovation.soton.ac.uk/grid/imagemagick/swirl</ApplicationName>
        </Application>
        <DataStaging name="outputImage">
            <FileName>outputImage</FileName>
            <CreationFlag>overwrite</CreationFlag>
            <Target>
                <URI>outputImage</URI>
            </Target>
        </DataStaging>
        <DataStaging name="inputImage">
            <FileName>inputImage</FileName>
            <CreationFlag>overwrite</CreationFlag>
            <Source>
                <URI>https://omiidemo.man.poznan.pl:443/gria-basic-app-services/data-stager/167e260c-2162676b-0121-867db0f6-0481</URI>
            </Source>
        </DataStaging>
    </JobDescription>
</JobDefinition>

The URI for the output file is not used in fact but should be present to point the valid data staging element if output should be available after the job is finished.
So it is enough to define it and repeat the output name as its value.

The URI of the input file should contain valid data url for the file existing in the GRIA Data Service. Portal should be authorized while accessing it (the certificate from keystore which is used by the plugin).
The data are copied in before firing the job.

JSDL arguments element should also reflect the list of parameters from the metadata description: "Parameters" element in the GriaApplicationDescription xml document.

Globus Toolkit

Vine projects:

  • gt2 extends grid
  • gt4 extends gt2
  • gt421 extends gt2, uses gt4

Globus MDS

1. Globus GT version supported: 4.0.5 or higher (4.0.X) and 4.2.1

2. Configuration:

Vine installer must contain gt4, gt421, grid, gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, gt4, gt421 ... some other projects

If there is no gt4, gt421, grid, or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later WsMDS services have to be defined in such way:

For the WsMDS 4.0.X and 4.2.1 the entry should be like this:
Of course there should be used one of it on the given host (the example is only for showing configuration differences)

    <hostResource name="rumex"
                  hostname="rumex.man.poznan.pl"
                  label="Rumex Demo Machine"
                  description="Linux Host (2 CPUs)">

        <!--WS MDS Globus 4.0.X-->
        <wsMdsResource label="PSNC (WS-MDS)"/>

        <!--WS MDS Globus 4.2.1-->
        <wsMds421Resource label="PSNC (WS-MDS)" port="8444"/>

        <gssCertConfiguration proxyFile="c:\x509up_u_dejw"/>

    </hostResource>

2.1.1. wsMds421Resource and wsMdsResource attributes

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path, default value: "/wsrf/services/DefaultIndexService"
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

In case of WsMDS in most cases it is enough to set label (used in web apps) and port if different than 8443.

Resource attributes (defined as child entries):
- useGssCertConfiguration - by default: true, tells if gss cert configuration should be used - some valid path to proxy certificate or user cert and key should be present, the proxy cert will be used by the client while accessing the MDS service
if not provided then proxy cert of the currently logged user will be used in the portal
- description - some description of the resource

WSRF resource attributes:
- WsrfResource.AuthorizationType - authorization type, by default "none", possible values: "none", "host", "self", "identity", "hostSelf"
- WsrfResource.MessageProtectionType - message protection type integer value, by default "0", possible values: "2" - ENCRYPTION, "1"- SIGNATURE, "0" - NONE

2.1.2. Authentication modules
Suitable authentication modules should be configured. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates.

2.1.3. gssCertConfiguration

See the description here.

Globus WsGRAM

1. Globus GT version supported: 4.0.5 or higher (4.0.X) and 4.2.1

2. Configuration:

Vine installer must contain gt4, gt421, grid, gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, gt4, gt421 ... some other projects

If there is no gt4, gt421, grid, or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later WsGRAM services have to be defined in such way:

For the WsGRAM 4.0.X and 4.2.1 the entry should be like this:

     <!-- GridFtp -->
    <hostResource name="rumex"
                  hostname="rumex.man.poznan.pl"
                  label="Rumex Demo Machine"
                  description="Linux Host (2 CPUs)">

        <!-- GridFtp -->
        <gridftpResource label="Rumex (Grid-FTP)" description="Some gt4.2.1 resource" name="gsiftprumex"/>

        <!-- WS-GRAM for GT 4.2.1 -->
        <wsGram421Resource label="Rumex (WS-GRAM421)" port="8444">

            <resourceAttribute name="description" value="WsGRAM GT4.2.1"/>
            <!-- possible values: FORK, LSF, PBS, MULTI, CONDOR -->
            <resourceAttribute name="factoryType" value="FORK"/>
            <resourceAttribute name="WsrfResource.AuthorizationType" value="host"/>
            <resourceAttribute name="WsrfResource.DelegationEnabled" value="true"/>
            <resourceAttribute name="WsrfResource.MessageProtectionType" value="2"/>

        </wsGram421Resource>

        <!-- WS-GRAM for GT 4.0.X -->
        <wsGramResource label="Rumex (WS-GRAM40X)" port="8443">

            <resourceAttribute name="description" value="WsGRAM GT4.0.X"/>
            <!-- possible values: FORK, LSF, PBS, MULTI, CONDOR -->
            <resourceAttribute name="factoryType" value="PBS"/>
            <resourceAttribute name="WsrfResource.AuthorizationType" value="host"/>
            <resourceAttribute name="WsrfResource.DelegationEnabled" value="true"/>
            <resourceAttribute name="WsrfResource.MessageProtectionType" value="2"/>

        </wsGramResource>

    </hostResource>

Grid FTP protocol is used for transferring files in Globus middleware.

2.1.1. wsGram421Resource and wsGramResource attributes

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path, default value: "/"
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

In case of WsGRAM in most cases it is enough to set label (used in web apps) and port if different than 8443.

Resource attributes (defined as child entries):
- factoryType - type of the factory - default is FORK, other possible values are: LSF, PBS, MULTI, CONDOR. It depends from the target configuration of the globus system.
- description - some description of the resource

WSRF resource attributes:
- WsrfResource.AuthorizationType - authorization type, by default "none", possible values: "none", "host", "self", "identity", "hostSelf"
- WsrfResource.DelegationEnabled - specify if delegation is enabled, by default "true", possible values: "true" or "false"
- WsrfResource.MessageProtectionType - message protection type integer value, by default "0", possible values: "2" - ENCRYPTION, "1"- SIGNATURE, "0" - NONE

2.1.2. Authentication modules
Suitable authentication modules should be configured. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates.

2.1.3. gridftpResource
It defines protocol used for transferring files.

3. Default data storage

JSDL preprocess (see point 4) takes place if default data storage is present.

It is possible to point some gsiftp file resource as the default one using proper resource attribute:

- defaultFileManagerDN - distinguish name of the data resource

Distinguish Name (DN) of the resource is built up using "name" attribute from the resources' definitions in Domain.xml and the resource class names as a chain of pairs separated by commas: "className=name attribute of the resource definition"

for example:

    <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=gsiftprumex,HostResource=rumex,Domain=gt4domain"/>

If the attribute is not present then a gridftp resource is searched on the host where the given WsGRAM resource is defined.

If no gridftp resource is present on the given host then default data resource for the whole system is taken - if it is not a gridftp resource type then it is taken as not present and the JSDL preprocess won't take place.



4. JSDL stage out/in params

JSDL job decription has suitable stage in/out params. If there is no gsiftp url defined in the target or source stage params then some preprocessing is done in the plugin.
First of all the default data storage (see point 3) has to be present and valid. Then values of the Source and Target elements are retrieved from the JSDL definition.
GsiFTP urls are generated against the default data storage and proper values are put into the JSDL. It assures that the job will be executed well in WsGRAM and reveals end user from defining quite complicated GsiFTP data urls.

So for example if such definition is put into the JSDL :

<DataStaging>
             <FileName>output.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>file:///output.txt
             </Target>
</DataStaging>

then plugin will generate proper target url referring to the storage defined by the gridftpResource:
what could bring such value after JSDL preprocess:

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>gsiftp://rumex.man.poznan.pl:2811/home/dejw/d1e250ab876daa21c181700b1318a1boutput.txt
             </Target>
</DataStaging>

Additionally as you can see given vine task id is attached as the root directory in the target storage so the outputs of the next jobs won't overwrite it.

GridFTP

1. All versions should work well.

2. Configuration:

Vine installer must contain grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2,... some other projects

If there is no grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

    <hostResource name="TaskSE"
                  hostname="se.grid.task.gda.pl"
                  label="Task SE"
                  description="SE in Task">

        <!-- GridFtp -->
        <gridftpResource name="taskgsiftp" 
                                   label="TaskSE (Grid-FTP)" 
                                   description="Task gsiftp server" 
                                   port="2811" 
                                   protocol="gsiftp" 
                                   servicePath="/dpm/grid.task.gda.pl/home/vo.plgrid.pl"/>

    </hostResource>

2.1.1. gridftpResource attributes:

Attributes:
- port - port of the service, by default: 2811
- protocol - protocol, by default: 'gsiftp', if needed could be specified as 'gridftp' (in case of older gsiftp servers)
- servicePath - the root directory after connection, by default: user's home directory
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

The simplest use case:
Just define label and name if used in some DN for configuring default storage for some job manager.

2.1.2. Authentication modules
Suitable authentication modules should be configured. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates.

MyProxy server

1. All versions are supported

2. Configuration:

Vine installer must contain grid, gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, ... some other projects

If there is no grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later MyProxy service has to be defined in such way:

    <hostResource name="fury"
                  hostname="fury.man.poznan.pl"
                  label="Fury Demo Machine"
                  description="Linux Host (2 CPUs)">

        <!-- MyProxy - most advanced case -->
        <myproxyResource label="Fury (MyProxy)">

            <resourceAttribute name="useCommonAccount" value="true"/>
            <resourceAttribute name="useApplicationCredential" value="true"/>
            <resourceAttribute name="checkConnectionFlag" value="false"/>
            <resourceAttribute name="timeoutMiliseconds" value="6000"/>

        </myproxyResource>

         <gssCertConfiguration proxyFile="c:\x509up_u_dejw"
         myProxyUserName="someName"
         myProxyPassword="somePass"
         myProxyCredentialName="someCred"
         credLifetime="5200"/>

    </hostResource>

In most cases the simplest definition should be enough (with standard configuration):

<!-- MyProxy - very simple one -->
<myproxyResource label="Fury (MyProxy)"/>

2.1.1. myproxyResource attributes

Attributes:
- port - port of the service, default value: 7512, if other port configured then this attribute has to be defined
- protocol - some protocol, default value: myproxy
- servicePath - service path, in case of MyProxy resource it is not used
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"
- useCredential - by default: false, application credential is used while connecting to MyProxy server for authentication, it is created with proxy certificate or user public cert and kay pair using passphrase
(See point 2.1.2: proxyFile, applicationCertFile , applicationKeyFile, passphrase)
If true then credential from gssCertConfiguration is used for authentication, if false then no local credentials are used for authentication (null value is passed).
- checkConnection - default: true, check connection before creating MyProxy client
- timeoutMiliseconds - default: 5000, timeout in milliseconds while checking connection

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):

- checkConnectionFlag - can be used instead of 'checkConnection' attribute, if uses both it replaces its value
- timeoutMiliseconds - can be used instead of 'timeoutMiliseconds' attribute, if uses both it replaces its value

These two below if set as true require gssCertConfiguration to be configured on the given host or somewhere else in the Domain configuration.

- useApplicationCredential - can be used instead of 'useCredential' attribute, if uses both it replaces its value

- useCommonAccount - by default: false, tells if common MyProxy server should be used for all requests (See point 2.1.2: myProxyUserName, myProxyPassword, myProxyCredentialName, credLifetime)
if true then user name, password, credential name and credential life time is covered by the gss cert configuration.

2.1.2. gssCertConfiguration

See the description here.

QosCosGrid

Vine projects:

  • opendsp extends grid,gt2

GRMS 3

1. GRMS version supported: 3.0

2. Configuration:

Vine installer must contain grms3 and grid projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grms3, grid,... some other projects

If there is no grms3 or grid projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

If the GRMS service url is like this:

https://elder6.man.poznan.pl:8443/

the entry should be like this:

<!-- elder6 -->
    <hostResource name="elder6"
                  hostname="elder6.man.poznan.pl"
                  label="elder6"
                  description="GRMS3 in PSNC">

        <!-- GRMS -->
        <grms3Resource name="grms3" label="elder6 (GRMS at PSNC)" port="8443">
            <resourceAttribute name="description" value="GRMS v3.0"/>
            <resourceAttribute name="serviceTimeout" value="5"/>
            <resourceAttribute name="serviceDN" value="/C=PL/O=GRID/O=PSNC/CN=grms/elder6.man.poznan.pl"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=elder1gridftp,HostResource=elder1,Domain=vo.plgrid.pl"/>
        </grms3Resource>

2.1.1. grms3Resource attributes
Attributes:
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- port - port of the service, default value: 8443
- description - description of the service
- serviceTimeout -
- serviceDN - Distinguish Name of the service
- defaultFileManagerDN - Default File Manager service

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):
- serviceDN - Subject of certificate issued for service GRMS on host elder6.man.poznan.pl
- useWSA - default value: 'true'; if 'true' then WS-Addressing headers are sent while communicating with the server, depends from the server's configuration

2.1.2. Authentication modules
Suitable authentication modules should be configured. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates.

3. See also:

You may also be interested in whole QosCos Grid project and PSNC activities within this project.

OpenDSP/SMOA

1. OpenDSP/SMOA version supported: ???

2. Configuration:

Vine installer must contain opendsp and grid projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=opendsp, grid,... some other projects

If there is no opendsp or grid projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

If the OpenDSP/SMOA service url is like this:

httpg://elder1.man.poznan.pl:19000/

The entry should be like this:

    <!-- elder1 -->
    <hostResource name="elder1"
                  hostname="elder1.man.poznan.pl"
                  label="elder1"
                  description="OpenDSP/SMOA in PSNC">

        <!-- SMOA/OpenDSP -->
        <opendspResource name="opendsp" label="elder1 (SMOA/OpenDSP at PSNC)" port="19000" protocol="httpg" servicePath="/">

            <resourceAttribute name="description" value="OpenDSP v1.0"/>
            <resourceAttribute name="serviceTimeout" value="5"/>
	    <resourceAttribute name="serviceDN" value="/C=PL/O=GRID/O=PSNC/CN=smoa/elder1.man.poznan.pl"/>
        </opendspResource>

    </hostResource>    

It is for situation that secure version of communication is chosen, which is obviously recommended. It is also possible to communicate with OpenDSP/SMOA using http protocol. In such a case all requests are served as if they were submitted by one user. In Domain.xml file it is enough to change protocol into http and port number. Attribute serviceDN is also redundant in such a case.
Port numbers depend on OpenDSP/SMOA service configuration, naturally. By default they are equal to 19000 and 19001 for httpg and http protocols respectively.

2.1.1. opendspResource attributes
Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):
- serviceDN - Subject of certificate issued for service smoa on host elder1.man.poznan.pl
- useWSA - default value: 'true'; if 'true' then WS-Addressing headers are sent while communicating with the server, depends from the server's configuration

2.1.2. Authentication modules
Suitable authentication modules should be configured. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates.

3. See also:
For more information about OpenDSP/SMOA look at documentation here
You may also be interested in whole QosCos Grid project and PSNC activities within this project.

Unicore

Vine projects:

  • unicore6 extends grid

Unicore 6

Vine supports Unicore6, below you can check how to configure the plugin. We assume the unicore6 server is configured well.
Two kind of resources are presented here: gateway resource to access Unicore/X server in case of job management and Unciore SMS resource to access storage service.

1. Unicore6 server version supported: 6.12 or higher

2. Configuration:

Vine installer must contain unicore6, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=unicore6, grid, gt2, ... some other projects

If there is no unicore6, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later unicore services have to be defined in such way:

If the Unicore 6 gateway url is like this:

https://host_dns_name:8099/DEMO-SITE/services

The entry should be like this

    <hostResource name="some_host_name"
                   hostname="host_dns_name"
                   label="some_host_label"
                   description="some_description">

        <!-- Unicore Gateway -->
        <unicoreGatewayResource name="unicore" label="Hostname (UNICORE6)" port="8099" protocol="https"
                                servicePath="/DEMO-SITE/services">

            <resourceAttribute name="description" value="UNICORE Gateway 6.2 version 1.0"/>
            <resourceAttribute name="userKeystore" value="true"/>

        </unicoreGatewayResource>

        <smsResource name="sms_unicore6" label="Hostname (SMS-UNICORE6)" port="8099" protocol="https">
                     <resourceAttribute name="rootContext" value="/DEMO-SITE/services"/>
                     <resourceAttribute name="smsPath" value="u6space"/>
                     <resourceAttribute name="userKeystore" value="true"/>
        </smsResource>

    </hostResource>

2.1.1. unicoreGatewayResource - defines unicore gateway resource used for job submission and control

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):

userKeystore - 'true' means user proxy certificate is used in communication with unicore server,
'false' or lack of attribute means that the common keystore is used, it is located in the directory:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\unicore6\classes\vine\unicore6\portal-unicore6-keystore.jks

Of course the name could be changed and then additional attributes are required in the domain unicore entry:
- keystore - path to the keystore path, absolute is taken as it is,
if relative then portal directory is attached in the beginning, for example if the keystore is located in the unoicre6 project classes sub dir it could be like this:
vine/projects/unicore6/classes/vine/unicore6/portal-unicore6-keystore.jks
- keystoretype - default is JKS
- keystorepass - password to the keystore
- keystorealias - alias of the certificate used to connect to the unicore server

Additionally in both cases (if userKeystore is true or false) the common truststore is used for connection:
by default it is located in:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\unicore6\classes\vine\unicore6\portal-unicore6-truststore.jks

Of course the name could be changed and then additional attributes are required in the domain unicore entry:
- truststore - the same as for keystore
- truststoretype - default is JKS
- truststorepass - password to the truststore

I some attributes like password should be hidden then it could be added to the file located in the unicore project directory:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\unicore6\classes\vine\unicore6\UnicoreGateway.properties
in the java properties style. The values added here became global values for all unicore6 resource instances in the whole environment, so for example the common truststore could be defined here.

- description - some description

- registryServiceName - Unicore Registry service name, default value: "Registry"
- registryServiceID - Unicore Registry id, default value: "default_registry"

2.1.2. smsResource - defines unicore sms resource used for data management

Attributes:

They are exactly the same as for unicoreGatewayResource (see point 2.1.1) with exception:
- servicePath - is not used, use 'rootContext' described below

Resource attributes (defined as child entries):

They are exactly the same as for unicoreGatewayResource (see point 2.1.1) with some additional ones:

smsPath - declares the storage logical name used as the default storage which is managed by the Vine unicore6 plugin
If not provided the default unicore storage is used by default - on the server side it is default storage managed by the unicore6 server.
"Home" or "/" value - on the server side it is home directory of the local user defined in the user entry in the xuudb database.
If there are defined some custom storages in the unicore uas.config file by using "uas.targetsystem.storage.N" entries then one of its logical name could be used within the 'smsPath' parameter.
Proper access rights should be set to allow access for regular users to the chosen storage.

rootContext - should be used instead of servicePath in the portal plugin usage, as servicePath is not included in portal file urls and it allows to identify plugin in proper way, so for example if you want to set up a portal then you should specify such attribute for smsResource:

                     <resourceAttribute name="rootContext" value="/DEMO-SITE/services"/>

and remove servicePath.

Very IMPORTANT!

If user proxy certificates are used then unicore server MUST be configured properly.

There is official web page how to do it for version 6.1X:
http://sourceforge.net/apps/mediawiki/unicore/index.php?title=EnableProx...

It also works well for the latest 6.22 version. In case of any problems you should contact unicore developer or support mail list.

2.1.3 Global portal keystore/truststore

The global keystore/truststore - so called portal keystore could be used within unicore6 plugin as both keystore and truststore.

For details look here

To make unicore6 plugin work with the global keystore the 'userKeystore' attribute must be false or absent, there should be no keystore and truststore entries in Domain.xml unicore6 resource
definition and suitable values related with keystore and truststore in UnicoreGateway.properties should be blank.

2.1.4. Authentication modules
Suitable authentication modules should be configured if 'userKeystore' is enabled. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates.

3. Default data storage

JSDL preprocess (see point 4) takes place if default data storage is present.

It is possible to point some sms file resource as the default one using proper resource attribute:

- defaultFileManagerDN - distinguish name of the data resource (in case of unicore it must be sms resource)

Distinguish Name (DN) of the resource is built up using "name" attribute from the resources' definitions in Domain.xml and the resource class names as a chain of pairs separated by commas: "className=name attribute of the resource definition"

for example:

<resourceAttribute name="defaultFileManagerDN" 
value="SmsResource=nameOfTheResource,HostResource=nameOfTheHost,Domain=domainName"/>

If the attribute is not present then a sms resource is searched on the host where the given unicore gateway resource is defined.

If no sms resource is present on the given host then default data resource for the whole system is taken - if it is not a sms resource type then it is taken as not present and the JSDL preprocess won't take place.

4. JSDL stage out/in params

JSDL job decription has suitable stage in/out params. If there is no unicore uri addresses defined in the target or source stage params then some preprocessing is done in the plugin.
First of all the default data storage (see point 3) has to be present and valid. Then values of the Source and Target elements are retrieved from the JSDL definition.
Unicore6 valid URIs are generated against the default data storage and proper values are put into the JSDL. It assures that the job will be executed well at the unicore
and reveals end user from defining quite complicated unicore6 data URIs.

So for example if such definition is put into the JSDL :

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>file:///testjob/output3.txt
             </Target>
</DataStaging>

then plugin will generate proper target URI for unicore referring to the storage defined by the smsResource:
what could bring such value after JSDL preprocess:

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>BFT:https://unicore6_dns_name:port/DEMO-SITE/services/StorageManagement?res=5397df22-8187-4b2a-a01b-d18b18926bb2#//129fe2fe6517c3667b0235c3985066dc/testjob/output3.txt
             </Target>
</DataStaging>

Additionally as you can see given vine task id is attached as the root directory in the target storage so the outputs of the next jobs won't overwrite it.

gLite

Vine projects:

  • glite3 extends grid,gt2, uses voms
  • srm extends grid,gt2, uses voms

SRM

1. gLite SRM version supported: 2.2

VOMS support should be enabled - read here.

2. Configuration:

Vine installer must contain srm, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=srm, grid, gt2,... some other projects

If there is no srm, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

If the SRM service url is like this:

httpg://dpm.cyf-kr.edu.pl:8446/srm/managerv2

The entry should be like this:

    <!-- cyfronet SRM -->
    <hostResource name="CyfronetSRM2"
                  hostname="dpm.cyf-kr.edu.pl"
                  label="Cyfronet SRM v. 2"
                  description="SRM v. 2 in Cyfronet">

	<!-- protocol="srm", NOT protocol="httpg" -->
        <srmResource name="srm" label="Cyfronet SRM v. 2.2" port="8446" protocol="srm"
				servicePath="">        
            <resourceAttribute name="description" value="SRM v. 2.2"/>
            <resourceAttribute name="rootContext" value="/srm/managerv2"/>
        </srmResource>
    </hostResource>

2.1.1. srmResource attributes

Attributes:
- port - port of the service, default value: 8443
- protocol - Although httpg protocol is used for communication with SRM servers, protocol property should be "srm", as urls to files start with "srm" prefix. Vine Toolkit SRM plugin knows how to analyze data read from Domain.xml and uses proper protocol for communication and building file addresses.
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):
- rootContext - Context of the SRM service - service path (i.e. part of the url after port number)

2.1.2. User's home directory

During the first connection Vine creates user's directory which name is 'vine_'+user name from the portal where the vine is deployed (user name retrieved from user session). If the creation of the directory fails then user will see the root directory pointed by the srm server.

3. See also
To know more about accessing services using httpg protocol from Vine Toolkit components see article Httpg protocol

gLite CREAM

1. gLite version supported: 3.1

VOMS support should be enabled - read here.

2. Configuration:

Vine installer must contain glite3, grid, gt2 and voms projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=glite3, grid, gt2, voms, ... some other projects

If there is no glite3, grid, gt2 or voms projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later CREAM service has to be defined in such way:

If the CREAM service url is like this:

https://creamce.reef.man.poznan.pl:8443/ce-cream/services/CREAM2

The entry should be like this

    <hostResource name="reefcream"
                  hostname="creamce.reef.man.poznan.pl"
                  label="cream at reef"
                  description="CREAM CE in PSNC">

        <!-- GridFtp -->
        <gridftpResource name="reefgsiftp" label="Reef (Grid-FTP)" description="Reef gsiftp server" port="2811" protocol="gsiftp" servicePath="/dpm/reef.man.poznan.pl/home/vo.plgrid.pl"/>

        <creamResource name="cream" label="Cream in PSNC" port="8443" protocol="https"
                         servicePath="/ce-cream/services/CREAM2">
            <resourceAttribute name="delegationURL" value="https://creamce.reef.man.poznan.pl:8443/ce-cream/services/gridsite-delegation"/>
            <resourceAttribute name="batchSystem" value="pbs"/>
            <resourceAttribute name="queueName" value="plgrid"/>
            <resourceAttribute name="description" value="CREAM in PSNC"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=reefgsiftp,HostResource=ReefSE,Domain=vo.plgrid.pl"/>
        </creamResource>
    </hostResource>
    <hostResource name="ReefSE"
                  hostname="se.reef.man.poznan.pl"
                  label="Reef Storage Element"
                  description="gLite Storage Element in PSNC">

This example assumes that Grid FTP protocol is used for transferring files.

2.1.1. creamResource attributes

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):

- delegationURL-URL of the CREAM delegation service
- batchSystem- Batch system type (eg. lsf, pbs, etc.)
- queueName- Name of the queue
- description - Description of the resource
- serviceTimeout - Timeout used for connections with the service
- defaultFileManagerDN - Default file manager used for handling files used by jobs submitted to the service. It should point host already defined in the Domain.xml see point 3

Special configuration resource attributes (configured rather by the portal):

- GRIDPP_PORTAL_SECURITY_ROOT - directory which contains gLite configuartion files: vomses, ca directory etc., default value: $PORTAL_HOME/webapps/vine/WEB-INF/vine/persistence/vomses
- CADIR - CA certs location, relative to the 'GRIDPP_PORTAL_SECURITY_ROOT', by default: /certificates/certificate-authorities
- VOMSDIR - directory with voms server's public certificates, relative to the 'GRIDPP_PORTAL_SECURITY_ROOT', by default: /certificates/voms-server-certificates
- VOMSES_LOCATION - location of the 'vomses' text file defining Virtual Organizations, relative to the 'GRIDPP_PORTAL_SECURITY_ROOT', by default: /vomses

2.1.2. gridftpResource
It defines protocol used for transferring files.

3. Default data storage

JSDL preprocess (see point 4) takes place if default data storage is present.

It is possible to point some Storage Element file resource as the default one using proper resource attribute:

- defaultFileManagerDN - distinguish name of the data resource

Distinguish Name (DN) of the resource is built up using "name" attribute from the resources' definitions in Domain.xml and the resource class names as a chain of pairs separated by commas: "className=name attribute of the resource definition"

for example:

    <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=reefgsiftp,HostResource=ReefSE,Domain=vo.plgrid.pl"/>

If the attribute is not present then a gridftp resource is searched on the host where the given gLite CREAM resource is defined.

If no gridftp resource is present on the given host then default data resource for the whole system is taken - if it is not a gridftp resource type then it is taken as not present and the JSDL preprocess won't take place.



4. JSDL stage out/in params

JSDL job decription has suitable stage in/out params. If there is no gsiftp url defined in the target or source stage params then some preprocessing is done in the plugin.
First of all the default data storage (see point 3) has to be present and valid. Then values of the Source and Target elements are retrieved from the JSDL definition.
GsiFTP urls are generated against the default data storage and proper values are put into the JSDL. It assures that the job will be executed well in gLite CREAM and reveals end user from defining quite complicated GsiFTP data urls.

So for example if such definition is put into the JSDL :

<DataStaging>
             <FileName>output.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>file:///output.txt
             </Target>
</DataStaging>

then plugin will generate proper target URI referring to the storage defined by the gridFtpResource:
what could bring such value after JSDL preprocess:

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>gsiftp://se.reef.man.poznan.pl:2811/dpm/reef.man.poznan.pl/home/vo.plgrid.pl/80465f278640878cb7c29b1c1363d92output.txt
             </Target>
</DataStaging>

Additionally as you can see given vine task id is attached as the root directory in the target storage so the outputs of the next jobs won't overwrite it.

gLite LFC

1. gLite LFC

VOMS support should be enabled - read here.

2. Configuration:

Vine installer must contain glite3, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, glite3, ... some other projects

If there is no glite3, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

If the LFC service url is like this:

lfn://lfc.grid.cyf-kr.edu.pl:5010/

The entry should be like this:

    <hostResource name="LFC"
                  hostname="lfc.grid.cyf-kr.edu.pl"
                  label="LFC at cyf-kr"
                  description="LFC in plgrid">

        <lfcResource name="lfcsrv" label="LFC in plgrid" port="5010" protocol="lfn">
        </lfcResource>
    </hostResource>

2.1.1. lfcResource attributes

Attributes:
- port - port of the service, default value: 5010
- protocol - some protocol, default value: "lfn"
- servicePath - by default is empty ("/grid/"+VO name taken form Domain name is used), if other value needed then is should be defined as an attribute of the lfcResource
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

gLite WMProxy

1. gLite version supported: 3.1

VOMS support should be enabled - read here.

2. Configuration:

Vine installer must contain glite3, grid, gt2 and voms projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=glite3, grid, gt2, voms, ... some other projects

If there is no glite3, grid, gt2 or voms projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later WMProxy service has to be defined in such way:

If the WMProxy service url is like this:

https://rb1.cyf-kr.edu.pl:7443/glite_wms_wmproxy_server

The entry should be like this

    <!-- cyfronet -->
    <hostResource name="cyfronet"
                  hostname="rb1.cyf-kr.edu.pl"
                  label="cyfronet"
                  description="Resource broker in Cyfronet">

        <!-- GridFtp -->
        <gridftpResource label="Cyfronet Rb1 (Grid-FTP)" description="Cyfronet Rb1 gsiftp server" port="2811" protocol="gsiftp"/>

        <wmproxyResource name="wmproxy" label="Cyfronet (WM-Proxy)" port="7443" protocol="https"
                         servicePath="/glite_wms_wmproxy_server">
            <resourceAttribute name="monitoringURL" value="https://lb.grid.cyf-kr.edu.pl:9003"/>
            <resourceAttribute name="description" value="WM-Proxy 3.1"/>
            <resourceAttribute name="serviceTimeout" value="3"/>
            <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=reefgsiftp,HostResource=ReefSE,Domain=vo.plgrid.pl"/>
        </wmproxyResource>
    </hostResource>
    <hostResource name="ReefSE"
                  hostname="se.reef.man.poznan.pl"
                  label="Reef Storage Element"
                  description="gLite Storage Element in PSNC">

This example assumes that Grid FTP protocol is used for transferring files.

2.1.1. wmproxyResource attributes

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):
- monitoringUrl - Address of LB service, used for job monitoring
- description - Description of the resource
- serviceTimeout - Timeout used for connections with the service
- defaultFileManagerDN - Default file manager used for handling files used by jobs submitted to the service. It should point host already defined in the Domain.xml - see point 3

These below are completely optional and can be used in some special use cases:

- jdlMyProxyServerHost - myproxy server dns name which should be attached to the JDL job description as MyProxyServer element
The presence of this attribute in the JDL triggers the WMS proxy renewal mechanism that is very useful when submitting long-running jobs to avoid job failure because it outlived the validity of the initial proxy used for the submission.
WMS is able to add this clause automatically to the JDL if configured properly.
The proxy should be inited with such command: myproxy-init -d -n [-s <myproxy_server>]
This means the proxy certificate is recognized by user's DN and there is no passphrase to let WMS access it without any problems.

- jdlVOName - VO name which should be attached to the JDL job description as VirtualOrganisation element
It is always set to the default VO name (i.e. the first one) read from the proxy credential. So there won't be rather use cases for that
but added in any case.

- jdlUseDefaultMyProxyServer- the default myproxy server (first from the list retrieved from Domain.xml) should be attached to the JDL job description
- jdlUseDomainAsVO - the Domain should be used as VO name which should be attached to the JDL job description

Special configuration resource attributes (configured rather by the portal):

- GRIDPP_PORTAL_SECURITY_ROOT - directory which contains gLite configuartion files: vomses, ca directory etc., default value: $PORTAL_HOME/webapps/vine/WEB-INF/vine/persistence/vomses
- CADIR - CA certs location, relative to the 'GRIDPP_PORTAL_SECURITY_ROOT', by default: /certificates/certificate-authorities
- VOMSDIR - directory with voms server's public certificates, relative to the 'GRIDPP_PORTAL_SECURITY_ROOT', by default: /certificates/voms-server-certificates
- VOMSES_LOCATION - location of the 'vomses' text file defining Virtual Organizations, relative to the 'GRIDPP_PORTAL_SECURITY_ROOT', by default: /vomses

2.1.2. gridftpResource
It defines protocol used for transferring files.

3. Default data storage

JSDL preprocess (see point 4) takes place if default data storage is present.

It is possible to point some Storage Element file resource as the default one using proper resource attribute:

- defaultFileManagerDN - distinguish name of the data resource

Distinguish Name (DN) of the resource is built up using "name" attribute from the resources' definitions in Domain.xml and the resource class names as a chain of pairs separated by commas: "className=name attribute of the resource definition"

for example:

    <resourceAttribute name="defaultFileManagerDN" value="GridFtpResource=reefgsiftp,HostResource=ReefSE,Domain=vo.plgrid.pl"/>

If the attribute is not present then a gridftp resource is searched on the host where the given gLite WMProxy resource is defined.

If no gridftp resource is present on the given host then default data resource for the whole system is taken - if it is not a gridftp resource type then it is taken as not present and the JSDL preprocess won't take place.



4. JSDL stage out/in params

JSDL job decription has suitable stage in/out params. If there is no gsiftp url defined in the target or source stage params then some preprocessing is done in the plugin.
First of all the default data storage (see point 3) has to be present and valid. Then values of the Source and Target elements are retrieved from the JSDL definition.
GsiFTP urls are generated against the default data storage and proper values are put into the JSDL. It assures that the job will be executed well in gLite WMProxy and reveals end user from defining quite complicated GsiFTP data urls.

So for example if such definition is put into the JSDL :

<DataStaging>
             <FileName>output.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>file:///output.txt
             </Target>
</DataStaging>

then plugin will generate proper target URI referring to the storage defined by the gridFtpResource:
what could bring such value after JSDL preprocess:

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>gsiftp://se.reef.man.poznan.pl:2811/dpm/reef.man.poznan.pl/home/vo.plgrid.pl/80465f278640878cb7c29b1c1363d92output.txt
             </Target>
</DataStaging>

Additionally as you can see given vine task id is attached as the root directory in the target storage so the outputs of the next jobs won't overwrite it.

Basic Execution Service (BES)

Vine projects:

  • bes extends grid,voms, uses voms

BES configuration

Vine supports BES (Basic Execution Service) standard, below you can check how to configure the plugin. We assume some BES compliant service is accessible and well configured.
For example unicore server could be used as it has BES compliant interface.

1. Latest official BES standard version 1.0 is supported.

2. Configuration:

Vine installer must contain grid,gt2 and bes projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, bes some other projects

If there is no bes, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command.
Additionally if some kind of default storage is used then suitable project should be added (for example srm if srm protocol is used).

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later bes service has to be defined in such way:

    <hostResource name="some_host_name"
                   hostname="host_dns_name"
                   label="some_host_label"
                   description="some_description">

        <!-- BES service for Unicore server -->
        <besResource name="bes" label="Seagrass (BES)" port="8099" protocol="https"
                                servicePath="/TEST-SITE/services">
            <resourceAttribute name="description" value="BES-UNICORE Gateway 6.22"/>
            <resourceAttribute name="applicationExtension" value="POSIXApplication"/>
            <resourceAttribute name="userKeystore" value="true"/>

        </besResource>

        <smsResource name="sms_unicore6" label="Seagrass (SMS-UNICORE6)" port="8099" protocol="https">
                     <resourceAttribute name="smsPath" value="u622space"/>
                     <resourceAttribute name="userKeystore" value="true"/>
                     <resourceAttribute name="rootContext" value="/TEST-SITE/services"/>
        </smsResource>

    </hostResource>

2.1.1. besResource - defines BES resource used for job submission and control

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):

userKeystore - 'true' means user proxy certificate is used in communication with unicore server,
'false' or lack of attribute means that the common keystore is used, it is located in the directory:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\bes\classes\vine\bes\portal-bes-keystore.jks

Of course the name could be changed and then additional attributes are required in the domain bes entry:
- keystore - path to the keystore path, absolute is taken as it is,
if relative then portal directory is attached in the beginning, for example if the keystore is located in the bes project classes sub dir it could be like this:
vine/projects/bes/classes/vine/bes/portal-bes-keystore.jks
- keystoretype - default is JKS
- keystorepass - password to the keystore
- keystorealias - alias of the certificate used to connect to the BES service

Additionally in both cases (if userKeystore is true or false) the common truststore is used for connection:
by default it is located in:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\bes\classes\vine\bes\portal-bes-truststore.jks

Of course the name could be changed and then additional attributes are required in the domain unicore entry:
- truststore - the same as for keystore
- truststoretype - default is JKS
- truststorepass - password to the truststore

I some attributes like password should be hidden then it could be added to the file located in the unicore project directory:
$PORTAL_HOME\webapps\vine\WEB-INF\vine\projects\bes\classes\vine\bes\BesResource.properties
in the java properties style. The values added here became global values for all bes resource instances in the whole environment, so for example the common truststore could be defined here.

description - some description of the service
applicationExtension - defines what kind of application extension is used by the JSDL processor, for BES plugin default value is: "HPCProfileApplication", possible values are: "HPCProfileApplication", "POSIXApplication", "SPMDApplication"
defaultFileManagerDN - see point 3
besuser - defines bes user name (for authorization while contacting the service)
bespass - defines bes user password
useAssertion - if user assertions should be used (VOMS SAML Assertion server resource has to be defined - for details look here)

'besuser', 'bespass' pair and useAssertion attribute are used interchangeably - if 'useAssertion' is 'true' then assertions are used even 'besuser' and 'bespass' attributes are present. If 'useAssertion' is 'false' or absent and 'besuser' and 'bespass' attributes are present then username authorization takes place. Always some kind of keystore is used - it could be one defined for the resource (contains X509 cert and key) or containing the user proxy certificate ('userKeystore' attribute) or portal global keystore.

2.1.2. Default storage in the example

smsResource - defines unicore sms resource used for data management

This is example storage which is used by the BES plugin to generate data urls used in data staging sections.

For details look here

2.1.3 Global portal keystore/truststore

The global keystore/truststore - so called portal keystore could be used within bes plugin as both keystore and truststore.

For details look here

To make bes plugin work with the global keystore the 'userKeystore' attribute must be false or absent, there should be no keystore and truststore entries in Domain.xml bes resource
definition and suitable values related with keystore and truststore in BesResource.properties should be blank.

2.1.4. Authentication modules
Suitable authentication modules should be configured if 'userKeystore' is enabled. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used for globus related services: CredentialRepositoryAuthModule or DefaultCredentialAuthModule.

VOMS related authentication modules (VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule) should also work with resources which support globus proxy certificates. They should be used instead of the first two mentioned earlier if 'useAssertion' is used.

3. Default data storage

In case of BES resource the default storage type depends from the service itself - so it could be gsiftp, srm, .... etc.

JSDL preprocess (see point 4) takes place if default data storage is present.

It is possible to point some data resource as the default one using proper resource attribute:

- defaultFileManagerDN - distinguish name of the data resource (in case of BES for unicore server it must be sms resource)

Distinguish Name (DN) of the resource is built up using "name" attribute from the resources' definitions in Domain.xml and the resource class names as a chain of pairs separated by commas: "className=name attribute of the resource definition"

for example:

<resourceAttribute name="defaultFileManagerDN" 
value="SmsResource=nameOfTheResource,HostResource=nameOfTheHost,Domain=domainName"/>

If the attribute is not present then a data resource is searched on the host where the given BES resource is defined.

If no data resource is present on the given host then default data resource for the whole system is taken.

If there is no data resource type then it is taken as not present and the JSDL preprocess won't take place.

4. JSDL stage out/in params

JSDL job decription has suitable stage in/out params. If there is no data urls defined in the target or source stage params then some preprocessing is done in the plugin.
First of all the default data storage (see point 3) has to be present and valid. Then values of the Source and Target elements are retrieved from the JSDL definition.
Valid data urls are generated against the default data storage and proper values are put into the JSDL. It assures that the job will be executed well at the bes service
and reveals end user from defining quite complicated data urls.

So for example if such definition is put into the JSDL :

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>file:///testjob/output3.txt
             </Target>
</DataStaging>

then plugin will generate proper target URI for unicore referring to the storage defined by the smsResource:
what could bring such value after JSDL preprocess:

<DataStaging>
             <FileName>output3.txt
             <CreationFlag>overwrite
             <Target>
                     <URI>BFT:https://unicore6_dns_name:port/DEMO-SITE/services/StorageManagement?res=5397df22-8187-4b2a-a01b-d18b18926bb2#//129fe2fe6517c3667b0235c3985066dc/testjob/output3.txt
             </Target>
</DataStaging>

Additionally as you can see given vine task id is attached as the root directory in the target storage so the outputs of the next jobs won't overwrite it.

VOMS

Vine projects:

  • voms extends grid

VOMS SAML Assertion server

1. VOMS SAML Assertion server created within OMII-Europe project is supported, serves SAML assertions with VOMS extension using voms proxy certificates for connection and authorization.
VOMS SAML assertions could be used optionally in conjunction with BES plugin (here) for user authorization.

VOMS support should be enabled - read here.

2. Configuration:

Vine installer must contain grid, gt2, voms projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, voms ... some other projects

If there is no grid, gt2 and voms projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later VOMS SAML server service has to be defined in such way:

    <hostResource name="rumex"
                  hostname="rumex.man.poznan.pl"
                  label="Rumex Demo Machine"
                  description="Linux Host (2 CPUs)">

        <!--VOMS SAML server resource-->
        <vomsSamlResource name="vomssamlsrv" label="PSNC (VomsSamlServer)"
             servicePath="/voms/saml/omiieurope/services/AttributeAuthorityPortType"/>

    </hostResource>

2.1.1. vomsSamlResource attributes

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

VOMS SAML server works well if client uses valid voms proxy certificates (VOMS support must be enabled in the portal).

VOMS support

1. Virtual Organization Membership Service (VOMS) support is required while accessing gLite resources (WmProxy, CREAM, SRM, LFC) or using BES resources with support for VOMS SAML assertions (details here).

2. Configuration:

It is important that 'tmp' directory should be present at the root directory (/tmp under linux/unix and c:\tmp under windows)
VOMS libraries require this directory to work properly.

Vine installer must contain grid, gt2, voms projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, voms ... some other projects

If there is no grid, gt2 and voms projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

2. CA certificates, VOMS server certificates and vomses definitions

Vine puts creates location for any VOMS related configuration files and certificates in such sub directory:

$PORTAL_HOME\webapps\vine\WEB-INF\vine\persistence\vomses

The directory content is:

- 'certificates' directory which contains all required certificates in sub directories:

- 'certificate-authorities' - CA certificates, here should be all required CA certificates to allow valid connections to services

- 'voms-server-certificates' - all supported VOMS servers' public certificates

- 'vomses' - directory with vomses definitions

It contains one text file called 'vomses'. It looks like this:

"voce" "voms1.egee.cesnet.cz" "7001" "/DC=cz/DC=cesnet-ca/O=CESNET/CN=voms1.egee.cesnet.cz" "voce"
"vo.plgrid.pl" "voms.cyf-kr.edu.pl" "15004" "/C=PL/O=GRID/O=Cyfronet/CN=voms.cyf-kr.edu.pl" "vo.plgrid.pl"
............
............

As you can see every line defines some voms server:

name, DNS name of server, service port, DN (distinguish name) of the service, and finally the name again

All supported VO servers must be defines in this file.

The location can be overridden by using proper settings for the gLite WmProxy or CREAM resource.

3. MyProxy - supported proxy type

If MyProxy server is used then proper type of delegated proxy certificate is required - it has to be old style format.

If you put credentials manually you have to set environment variable 'GT_PROXY_MODE':

export GT_PROXY_MODE=old

And then you can use 'myproxy-init' command to delegate proxy, for example:

myproxy-init -s some_myproxy_dns_server_name -l user_name

Other way is to use our Credential manager Java Web Start tool.
It can be downloaded from here. It allows to delegate old style proxies to the MyProxy server.

4.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

4.1.1. VO name

First of all target VO name must be present - currently it is just the name of the root domain in Domain.xml resource configuration file.
So all voms proxy certificates are created against the VO reprersented by the Domain name.

For example here you can see Domain with the name "vo.plgrid.pl" what means users will use the VO with such name:

<domain name="vo.plgrid.pl" label="PLGrid" description="Polish Grid">

VO name retrieved from the Domain name could be overridden by setting session parameter called "VOName". This is useful rather for developers.

4.1.2. Authentication modules

Suitable authentication modules should be configured. The general idea of authentication modules is mentioned here.

Two kind of authentication modules could be used if VOMS is enabled: VomsCredentialRepositoryAuthModule or VomsDefaultCredentialAuthModule.

VOMS related authentication modules should also work with other non-glite resources which support proxy certificates like Globus related for example.

Voms Credential Repository auth module

1. VOMS Credential repository authentication uses both MyProxy and VOMS servers. User holds his/her delegated credentials in the MyProxy server.
The globus certificate is retrieved from the MyProxy server and then voms proxy certificate is created with help of the VOMS server identified by the Domain name acting as the VO name.

Later the voms proxy certificates are used within deployed applications and plugins as user's credentials.

VOMS support should be enabled - read here.

MyProxy resource should be defined - read here.

2. Configuration:

Vine installer must contain grid, gt2, voms projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, voms ... some other projects

If there is no grid, gt2 and voms projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

4.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

The authentication module should be added as a direct child of the root Domain like this:

    <authenticationModule key="VomsCredentialRepositoryAuthModule" order="1"/>

Attributes:
- order - order number, authentication modules can be processed in the order configured by this attribute

It should not exist with CredentialRepositoryAuthModule at the same time as it takes its role.

Voms Default Credential auth module

1. VOMS Default Credential authentication creates user proxy certificate locally and uses VOMS server.
The globus certificate is created locally from user public certificate and private key located in the user's home directory in the ".globus" location (user who runs the vine toolkit instance for example in the portal).
Password of the portal user has to be the same as for private key (passed by the log in action in user's session). Then voms proxy certificate is created with help of the VOMS server identified by the Domain name acting as the VO name.

Later the voms proxy certificate is used within deployed applications and plugins as user's credentials.

VOMS support should be enabled - read here.

Information rather for developers:
The default location of the user certificate could be changed and set in session parameters:

gssCertificateFile - public cert path
gssPrivateKeyFile - private key path
gssCredentialLifetime - credential life time in ms

2. Configuration:

Vine installer must contain grid, gt2, voms projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=grid, gt2, voms ... some other projects

If there is no grid, gt2 and voms projects in the Vine 'projects' subdirectory then do 'ant fetch' command.

4.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

The authentication module should be added as a direct child of the root Domain like this:

    <authenticationModule key="VomsDefaultCredentialAuthModule" order="1"/>

Attributes:
- order - order number, authentication modules can be processed in the order configured by this attribute

It should not exist with DefaultCredentialAuthModule at the same time as it takes its role.

MS Active Directory

Vine projects:

  • activedirectory

Active Directory configuration

New project, activedirectory, has been added to the Vine Toolkit.
In first version, it provides Active Directory authentication module (org.vinetoolkit.activedirectory.spi.impl.app.ActiveDirectoryAuthModule) and an auxiliary class for retrieving data from the Active Directory database (org.vinetoolkit.activedirectory.spi.impl.app.ActiveDirectoryUtils). It can be checked out from https://gforge.man.poznan.pl/svn/vine/activedirectory

How to configure a new Active Directory authentication module?
1. Add new line to the Domain.xml

The general idea of this configuration file is described here.

<!-- Active Directory authentication -->
<authenticationModule key="ActiveDirectoryAuthModule" priority="1"/>

Vine Toolkit supports using more than one authentication module. They are called in a sequence, according to priorities set to each module in Domain.xml.

2. Create a truststore and add there the certificate of the CA, host where AD database is stored uses to prove its identity. Then modify activedirectory.properties file.

# Truststore properties
truststorePath=path-to-the-truststore
truststoreType=type_of_the_truststore
truststorePassword=the_password

The truststore probably can be of any type. JKS is the default option.
This step can be omitted if ldap protocol is enough. If it is necessary to use ldaps, the truststore is obligatory. Otherwise, trustore entries can be commented out. In such a case it is also necessary to modify activedirectoryContext.xml file and comment out truststoreConfigurator bean.

<bean id="truststoreConfigurator" class="org.vinetoolkit.activedirectory.spi.impl.app.ActiveDirectoryClientTruststoreConfigurator">
  <constructor-arg>
  	<list>
  		<value>${truststorePath}</value>
  		<value>${truststoreType}</value>
  		<value>${truststorePassword}</value>
  	</list>	
  </constructor-arg>
</bean>

3. Modify the rest of the activedirectory.properties file.
Make sure address of the AD database, manager DN and their password are correct.

# General properties
ldapURLs=ldaps://host_name.some.domain:636
managerDN=DN_of_the_manager
managerPassword=manager's_password

Obviously ldaps protocol can be changed into ldap, and port 636 changed into 389 (in default configuration of the AD database) if security requirements are not very strong.

Add all domains, where the users who should be successfuly authenticated, are stored.

# All domains containing users to authenticate should be listed here
domain0=dn_of_the_first_domain
domain1=dn_of_the_second_domain
The domains should be numbered starting from 0.

Add all patterns of user's DNS in the AD database. Variables can be used, as in the example:

# Patterns of user full names (Common name + Group + domain name)
pattern0=cn={0},cn=Users,${domain0}
pattern1=cn={0},cn=Users,CN=Group_Name,${domain1}
The patterns should be numbered starting from 0.

Define filter used for retrieving an user from the AD database:

# User search filter
userSearchFilter=(cn={0})

4. Modify activedirectoryContext.xml file in order to add there all patterns, defined in activedirectory.properties

<bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
  <constructor-arg>
    <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
      <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
      <property name="userDnPatterns">
      	<list>
      		<value>${pattern0}</value>
      		<value>${pattern1}</value>
      	</list>
      </property>
    </bean>
  </constructor-arg>	  
</bean>

BEinGrid License Management

Vine supports BEinGrid License Management services, below you can check how to configure this resource. We assume all License Management Architecture server components are configured well (see BEinGrid License Management Architecture).
Two kind of resources are presented here: license management service resource to access LM enabled server in case of job management and license management client to manage all LM services components.

1. License Management server version supported: 1.0

2. Configuration:

Vine installer must contain licenseman, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects= grid, gt2, licenseman ... some other projects

If there is no licenseman, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command

For your convenience there is "BEinGRID Demonstration for Tomcat 5.X and GridSphere 3.1" installer prepared which contains proper settings in all build properties and configuration files.

2.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

Host entry should be added or exist for the given dns name, later license management resources have to be defined in such way:

If the License Management service url is like this:

https://host_dns_name:8443/axis/services/accounts

The entry should be like this

    <hostResource name="some_host_name"
                   hostname="host_dns_name"
                   label="some_host_label"
                   description="some_description">

        <!-- License Management resources -->
        <licenseManagementResource name="LicenseManagement"
			useStaticValues="true"
			licenseManagementTANListsPath="./TANlists"
			protocol="https"
			servicePath="axis/services/accounts"
			port="8443"
			 />
	<lmClientResource name="LicenseManagementClient"
			 />


    </hostResource>

2.1.1. licenseManagementResource - defines license management account service resource used for job submission

Attributes:
- port - port of the service, default value: 8443
- protocol - some protocol, default value: https
- servicePath - service path
- useStaticValues - when set to "true" Vine access database and files in 'licenseManagementTANListsPath' folder, otherwise the account service client is used to get the account list from Accounts Webservice
- licenseManagementTANListsPath - path to folder with TAN lists for all accounts, optionally or for testing purposes it points also to folder with AccountList.txt file containing information about accounts used when database is not accessible. The example TAN lists folder content can be found in your Vine
\projects\licenseman\src\main\app\config\classes\vine\licenseman\TANlists\ folder.

2.1.2. lmClientResource - defines license managemnt client resource used for all LM services management.
Attributes:
- db.connectString - the database connection string used to connect to the LM database, the default value is "jdbc:mysql://localhost:3306/licenses?autoReconnect=true&jdbcCompliantTruncation=false"
- db.user - user name used to connect to database
- db.password - password used to connect to database.
For information about database creation please check the BEinGrid License Management Architecture installation guide.

2.1.3 In order to make advantage of license management authentication module, which check the provided by user username and password against the LM user database, please add such line to your Domain.xml authentications modules section:

                     <authenticationModule key="LicenseManagementAuthModule"/>

The provided by the user username and password are used by LM services client in Vine to access services (this can be changed manually in settings dialog of License Management Client portlet (see the BEinGRID portal license management demonstration/user guide for more details )

Liferay

Vine projects:

  • liferay

Document Library File System integration

1. Configuration
Vine installer must contain liferay project on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=liferay, ... some other projects

2. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):
Document Library Resource for File Manager should be defined once in the Domain.xml inside hostResource like a resource for Portal file system:

<liferayDocumentLibraryFileResource label="Liferay Document Library Manager" description="Liferay Document Library Manager"/>

3. Using
After configuration, in File Manager App portlet should be visible new item on file managers list.
This file manager connects to Liferay Document Library File System and:

  • Directory item represents:
    • Group : only the first directory level shows Groups (the filesize shows Group ID like in MB and Wiki File Manager)
    • DL Folder: the next levels of directories represent Document Library Folders like in DL portlet in Liferay, folders are labeled with '[FOLDER]' label
    • DL File Entry: the next levels of directories represent also Document Library File Entries like in DL portlet in Liferay, files are labeled with '[FILE]' label, each file directory contains a set of files which are labeled with the number of file version, for rename DL File Entry, rename file folder name
  • File item represents file in DL Folder, it can be managed as a normal file like in other file managers (add, delete, exchange with other file manager operations allowed) except rename, because it can be only accessible from renaming file folder name. File Manger append file version number to each file.

4.Optional configuration
To change labels for folders to difference file folder and real folder, edit this file:
\Liferay\vine\projects\liferay\src\main\app\config\classes\vine\liferay\DL.properties (in project sources)
<TOMCAT ROOT>\webapps\vine\WEB-INF\vine\projects\liferay\classes\vine\liferay\DL.properties (in tomcat)
Document Library screenshotDocument Library screenshot

Image Gallery File System integration

1. Configuration
Vine installer must contain liferay project on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=liferay, ... some other projects

2. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):
Image Gallery Resource for File Manager should be defined once in the Domain.xml inside hostResource like a resource for Portal file system:

<liferayImageGalleryFileResource label="Liferay Image Gallery Manager" description="Liferay Image Gallery Manager"/>

3. Using
After configuration, in File Manager App portlet should be visible new item on file managers list.
This file manager connects to Liferay Image Gallery File System and:

  • Directory item represents:
    • Group : only the first directory level shows Groups (the filesize shows Group ID like in MB and Wiki File Manager)
    • IG Folder: the next levels of directories represent Image Gallery Folders like in IG portlet in Liferay
  • File item represents image file in IG Folder, it can be managed as a normal file like in other file managers (add, delete, rename, exchange with other file manager operations allowed). Because of Image Gallery is a container for image files, only image files(extensions) are allowed.

Image Gallery File ManagerImage Gallery File Manager

Message Board File System integration

1. Configuration
Vine installer must contain liferay project on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=liferay, ... some other projects

2. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):
Wiki Resource for File Manager should be defined once in the Domain.xml inside hostResource like a resource for Portal file system:

<liferayMessageBoardFileResource label="Liferay Message Board Manager" description="Liferay Message Board Manager"/>

3. Using
After configuration, in File Manager App portlet should be visible new item on file managers list.
This file manager connects to Liferay Message Board File System and:

  • Directory item represents:
    • Group : it's one of main parts of Liferay (Community, Layout, Organization, User)
    • MB Category : if there is any instance of Message Board in selected group, it represents Message Board Main Category in this instance
    • MB Thread: represents Message Board Thread in selected Category
    • MB Message: represents Message Board Message in selected Thread

    Names are presented as a directory names.
    Bacause of above items have uniqe IDs in Liferay database, in directory/file size cell there is ID.
    Directory item is read-only, it can't be modified(so to change name of group, node or page use Liferay portlets)

  • File item represents file attached to MB Message, it can be managed as a normal file like in other file managers (add, delete, rename, exchange with other file manager operations allowed).

Message Board Manager: Example of Message Board ManagerMessage Board Manager: Example of Message Board Manager

Wiki File System integration

1. Configuration
Vine installer must contain liferay project on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=liferay, ... some other projects

2. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):
Wiki Resource for File Manager should be defined once in the Domain.xml inside hostResource like a resource for Portal file system:

<liferayWikiFileResource label="Liferay Wiki Manager" description="Liferay Wiki File Manager"/>

3. Using
After configuration, in File Manager App portlet should be visible new item on file managers list.
This file manager connects to Liferay Wiki File System and:

  • Directory item represents:
    • Group : it's one of main parts of Liferay (Community, Layout, Organization, User)
    • Wiki Node : if there is any instance of Wiki in selected group, it represents Wiki Node in this instance
    • Wiki Page: represents Page in selected Wiki Node

    Names are presented as a directory names.
    Bacause of above items have uniqe IDs in Liferay database, in directory/file size cell there is ID.
    Directory item is read-only, it can't be modified(so to change name of group, node or page use Liferay portlets)

  • File item represents file attached to Wiki Page, it can be managed as a normal file like in other file managers (add, delete, rename, exchange with other file manager operations allowed).

Wiki File Manager: Example of Wiki ManagerWiki File Manager: Example of Wiki Manager

about Liferay integration

The point of integration Vine with Liferay is to connect to Liferay portlets' file systems.
Four Portlets from Liferay was integrated:

  • Message Board
  • Wiki
  • Image Gallery
  • Document Library

WebDav server

Vine Toolkit supports also WebDav protocol. More info about WebDav on project home page. All features of WebDav can be exploited in File Manager application.

1. Configuration:

Vine installer must contain webdav, grid and gt2 projects on the list in the build.properties file:

#----------------------------------------------------------
# Projects
#----------------------------------------------------------
application.projects=webdav, grid, gt2, ... some other projects

If there is no webdav, grid or gt2 projects in the Vine 'projects' subdirectory then do 'ant fetch' command

1.1. Domain.xml configuration file (located in $PORTAL_HOME\webapps\vine\WEB-INF\vine\resources\):

The general idea of this configuration file is described here.

Host entry should be added or exist for the given dns name, later webdav service has to be defined in such way:

    <hostResource name="somehost"
                  hostname="somehost_dns_name"
                  label="some_host_label"
                  description="Free WebDav">

        <webdavFileSystem name="WebDav" label="some WebDav" servicePath="/username/">

    </hostResource>

1.1.1. webdavFileSystem - defines WebDav data resource used for data management

Attributes:
- port - port of the service, default value: 80
- protocol - some protocol, default value: 'webdav'
- servicePath - service path
- name - name which can be used within the distinguish names of the resources
- label - some label, labels are used in web applications
- order - order number, resources are sorted against "listing order"

Descriptive attributes (used rarely, most useful with 'hostResource' for example):
- description - some description
- image1-small-url - url of the small image which represents current resource
- image1-small-label - label for the small image which represents current resource
- image1-url - url of the big image which represents current resource
- image1-label - label for the big image which represents current resource
- html-url - url of html page which describes current resource

Resource attributes (defined as child entries):
- username - user name for WebDav account, account is common for all Vine users
- password - password for the WebDav account

Common values for all webdav resources for user name and password is held in the file:
$PORTAL_HOME/webapps/vine/WEB-INF/vine/projects/webdav/classes/vine/webdav/webdav.properties

Administration components

Application manager

Prerequisites:

Component is available only for administrators - user with vine-admin role granted.

Adding portlet to the portal in Liferay:

User menu -> Add application -> unfold Vine Admin category -> drag ApplicationManagerApp into the workspace

Default view for the ApplicationManagerApp is a list of components provided by the Vine instance.

ApplicationManagerApp default viewApplicationManagerApp default view

After selecting specific component a detailed view is being shown.

ApplicationManagerApp detailed viewApplicationManagerApp detailed view

Clicking 'Edit Roles' button will enable us to change role requirements for the selected component.

ApplicationManagerApp edit roles viewApplicationManagerApp edit roles view

Properties Manager Application

Prerequisites:

Component is available only for administrators - user with vine-admin role granted.

Adding portlet to the portal in Liferay:

User menu -> Add application -> unfold Vine Admin category -> drag PropertiesManagerApp into the workspace

Default view for the PropertiesManagerApp is a list of property name/value pairs.

PropertiesManagerAppPropertiesManagerApp

Selecting property will bring its detailed view where we can edit it.

PropertiesManagerApp detailed viewPropertiesManagerApp detailed view

Role manager application

Prerequisites:

Component is available only for administrators - user with vine-admin role granted.

Adding portlet to the portal in Liferay:

User menu -> Add application -> unfold Vine Admin category -> drag RoleManagerApp into the workspace

Default view for the RoleManagerApp is a list of roles and users assigned to them.

RoleManagerApp default viewRoleManagerApp default view

After selecting specific role a detailed view is being shown.

RoleManagerApp detailed viewRoleManagerApp detailed view

Using 'Edit users' button on the right-bottom triggers new dialog where we can edit user to role relations.

RoleManagerApp edit user role viewRoleManagerApp edit user role view

In the main view we can add new role by clicking 'Add New Role' Button.

RoleManagerApp add new role viewRoleManagerApp add new role view

User management application

Prerequisites:

Component is available only for administrators - user with vine-admin role granted.

Adding portlet to the portal in Liferay:

User menu -> Add application -> unfold Vine Admin category -> drag UserManagerApp into the workspace

Default view for the UserManagerApp is a list of user in the portal.

UserManagerApp default viewUserManagerApp default view

We can edit user attributes by selecting row in the user list.

UserManagerApp details viewUserManagerApp details view

We can add a new user from in the UserManagerApp by clicking 'Add new user' button.

UserManagerApp create user viewUserManagerApp create user view

Reporting issues and asking for help

In order to report a bug ask for help we encourage you to use vine-users mailing list. If you are unsure about what to include in your submission feel free to use the following template:

Issue description:

Description
Fresh install ? :

Environment:

Vine version ( stable release version, svn trunk ):
Installer name ( if custom, or modified please attach installer's build.properties file ):
Java SDK version:
Apache Ant version:
Apache Tomcat version:
Portlet container version: