Installing GridShib on Windows
April 30, 2008

This GridShib Installation Guide shows how to install Globus Java WS Core 4.0, GridShib for GT v0.6, and GridShib SAML Tools v0.3 on Windows. We use the GridShib CA v0.5 to bootstrap your X.509 environment, which is required to run a Globus container or issue an X.509-bound SAML token.

Software requirements include JDK 1.4.2 (or higher) and Ant 1.6 (or higher), which we assume are already installed. In addition to these general software requirements, we assume that you have Java Web Start installed so that we can leverage the GridShib CA to obtain credentials via the browser. Please check for a proper installation of Java Web Start before continuing.

A lightweight alternative to installing the full Globus Toolkit (GT) is to install Java WS Core 4.0 and then install GridShib for GT on top of that. In fact, this is the only option under Windows, which does not support the full Globus Toolkit, so this document shows how to layer GridShib for GT on top of Java WS Core on a Windows system.

Getting Started

We will install each of the software components (JWS Core, GridShib for GT, GridShib SAML Tools) as the globus user:

> echo %USERPROFILE%
C:\Documents and Settings\globus

You may install the software as any user you want as long as that same user starts and stops the container.

Installing JWS Core on Windows

This section shows how to install a JWS Core 4.0 container on a Windows system.

We extract the JWS Core archive into c:\globus. If this folder does not exist on your system, create it now.

  1. Install the binary version of Java WS Core 4.0.7 on Windows.
    The binary version is simplest, but of course the source version works just as well.
    1. Extract the ZIP archive to any folder on your hard drive (say, c:\globus).
    2. Open a Command Prompt window, change directory to the installation directory, and set the GLOBUS_LOCATION environment variable (which, unusually for Windows, is case sensitive):
      > cd c:\globus\ws-core-4.0.7-bin\ws-core-4.0.7
      > set GLOBUS_LOCATION=%CD%
      > echo %GLOBUS_LOCATION%
    3. For debugging purposes, add the following line to %GLOBUS_LOCATION%\container-log4j.properties:
      log4j.category.org.globus.gridshib=DEBUG
    4. As an initial but crude test, start the container (with transport-level security disabled):
      > bin\globus-start-container -nosec
      Starting SOAP server at: http://141.142.250.163:8080/wsrf/services/
      With the following services:
      
      [1]: http://141.142.250.163:8080/wsrf/services/AdminService
      [2]: http://141.142.250.163:8080/wsrf/services/AuthzCalloutTestService
      [3]: http://141.142.250.163:8080/wsrf/services/ContainerRegistryEntryService
      [4]: http://141.142.250.163:8080/wsrf/services/ContainerRegistryService
      [5]: http://141.142.250.163:8080/wsrf/services/CounterService
      [6]: http://141.142.250.163:8080/wsrf/services/JWSCoreVersion
      [7]: http://141.142.250.163:8080/wsrf/services/ManagementService
      [8]: http://141.142.250.163:8080/wsrf/services/NotificationConsumerFactoryService
      [9]: http://141.142.250.163:8080/wsrf/services/NotificationConsumerService
      [10]: http://141.142.250.163:8080/wsrf/services/NotificationTestService
      [11]: http://141.142.250.163:8080/wsrf/services/PersistenceTestSubscriptionManager
      [12]: http://141.142.250.163:8080/wsrf/services/SampleAuthzService
      [13]: http://141.142.250.163:8080/wsrf/services/SecureCounterService
      [14]: http://141.142.250.163:8080/wsrf/services/SecurityTestService
      [15]: http://141.142.250.163:8080/wsrf/services/ShutdownService
      [16]: http://141.142.250.163:8080/wsrf/services/SubscriptionManagerService
      [17]: http://141.142.250.163:8080/wsrf/services/TestAuthzService
      [18]: http://141.142.250.163:8080/wsrf/services/TestRPCService
      [19]: http://141.142.250.163:8080/wsrf/services/TestService
      [20]: http://141.142.250.163:8080/wsrf/services/TestServiceRequest
      [21]: http://141.142.250.163:8080/wsrf/services/TestServiceWrongWSDL
      [22]: http://141.142.250.163:8080/wsrf/services/Version
      [23]: http://141.142.250.163:8080/wsrf/services/WidgetNotificationService
      [24]: http://141.142.250.163:8080/wsrf/services/WidgetService
      [25]: http://141.142.250.163:8080/wsrf/services/gsi/AuthenticationService
      Press Ctrl-C to abort the container.
    5. [Optional] Complete the test sequence in section 5 of the Globus Java WS Core Admin Guide.
  2. Install a trusted CA certificate.
    In what follows, we will use a GridShib CA-issued end-entity credential (EEC) to authenticate to GT services. We will also issue proxy certificates signed by a GridShib CA-issued EEC. Thus the container needs to be configured to trust certificates issued by the GridShib CA.
    1. Download the public certificate of the GridShib CA.
    2. Extract the ZIP archive to folder "%USERPROFILE%\.globus\certificates". Verify the trusted certificate was extracted to the trusted certificate directory:
      > dir "%USERPROFILE%\.globus\certificates\bfcd1f28.*"
      ...
      02/19/2007  10:15 PM             1,667 bfcd1f28.0
      02/19/2007  10:15 PM               239 bfcd1f28.signing_policy
  3. Obtain a user certificate and stop the container normally.
    Ironically, it is more difficult to stop a container with transport security disabled (-nosec) than to stop a secure container.
    1. In the previous Command Prompt window, start an insecure container again:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container -nosec
      Starting SOAP server at: http://141.142.250.163:8080/wsrf/services/
      With the following services...
    2. Open another Command Prompt window and try to stop the container:
      > cd c:\globus\ws-core-4.0.7-bin\ws-core-4.0.7
      > set GLOBUS_LOCATION=%CD%
      > echo %GLOBUS_LOCATION%
      > bin\globus-stop-container -m msg
          -s http://localhost:8080/wsrf/services/ShutdownService
      2008-04-25 15:23:31,817 ERROR securemsg.X509SignHandler
      [main,handleMessage:109] Failed to sign message
      org.globus.gsi.GlobusCredentialException: Proxy file
      (C:\DOCUME~1\GLOBUS\LOCALS~1\Temp\x509up_u_globus) not found.
    3. Obtain a short-term X.509 end-entity credential (EEC) from the online GridShib CA. This EEC will be written (by the GridShib CA) to the exact path noted in the error message above.
      > echo %TEMP%\x509up_u_%USERNAME%
      C:\DOCUME~1\GLOBUS\LOCALS~1\Temp\x509up_u_globus
      > dir "%TEMP%\x509up_u_%USERNAME%"
      04/25/2008  03:47 PM             8,051 x509up_u_globus
    4. Finally, stop the container normally, authenticating with your GridShib CA-issued credential via Secure Message:
      > bin\globus-stop-container -m msg
          -s http://localhost:8080/wsrf/services/ShutdownService
  4. Start and stop a secure container.
    For the rest of this Quick Start, we require a secure container and a valid GridShib CA-issued end-entity credential. If the credential expires, simply obtain another one from the online GridShib CA.
    1. In the first Command Prompt window, start a secure container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container
      Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
      With the following services...
    2. In the second Command Prompt window, stop the container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-stop-container
  5. Request the SecureCounterService, authenticating with your EEC via Secure Conversation.
    1. In the first Command Prompt window, start a secure container:
      > echo %GLOBUS_LOCATION%
      > bin\globus-start-container
      Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
      With the following services...
    2. In the second Command Prompt window, request a service:
      > echo %GLOBUS_LOCATION%
      > bin\counter-client -m conv -z none
          -s https://localhost:8443/wsrf/services/SecureCounterService
      Got notification with value: 3
      Counter has value: 3
      Got notification with value: 13
    3. In the second Command Prompt window, stop the container:
      > bin\globus-stop-container

Installing GridShib for GT on Windows

This section shows how to deploy GridShib for GT v0.6 into a JWS Core 4.0 container on a Windows system. Follow these steps regardless of the underlying Globus Java WS Core version. The GridShib for GT installer will auto-detect the JWS Core version and install the appropriate files in the correct locations.

  1. Before installing this version of GridShib for GT, be sure to uninstall any previous versions that may have been installed in %GLOBUS_LOCATION%.
    1. In the second Command Prompt window, type the following commands:
      > cd c:\gridshib\gridshib-gt-X_X_X-src\gridshib-gt-X_X_X
      > echo %GLOBUS_LOCATION%
      > ant undeploy
      > ant undeploy-echoservice
      > ant undeploy-tests
  2. Install GridShib for GT v0.6.0 on Windows.
    1. Download the GS4GT v0.6.0 source distribution (ZIP archive) from the GridShib web site.
    2. Double-click the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).
    3. In the second Command Prompt window, type the following commands:
      > cd c:\gridshib\gridshib-gt-0_6_0-src\gridshib-gt-0_6_0
      > echo %GLOBUS_LOCATION%
      > ant deploy
      > ant deploy-echoservice
  3. Request the SecurityContextEchoService, authenticating with your EEC.
    An EEC obtained from the GridShib CA contains a bound SAML assertion with two attributes. You will see one "identity" in the logs, namely, the value of the NameIdentifier element in the bound assertion. There will also be two attributes in the logs.
    1. Obtain a short-term X.509 end-entity credential from the online GridShib CA.
    2. In the first Command Prompt window, start a secure container:
      > bin\globus-start-container
      Starting SOAP server at: https://141.142.250.163:8443/wsrf/services/
      With the following services:
      
      [1]: https://141.142.250.163:8443/wsrf/services/AdminService
      [2]: https://141.142.250.163:8443/wsrf/services/AuthzCalloutTestService
      [3]: https://141.142.250.163:8443/wsrf/services/ContainerRegistryEntryService
      [4]: https://141.142.250.163:8443/wsrf/services/ContainerRegistryService
      [5]: https://141.142.250.163:8443/wsrf/services/CounterService
      [6]: https://141.142.250.163:8443/wsrf/services/ManagementService
      [7]: https://141.142.250.163:8443/wsrf/services/NotificationConsumerFactoryService
      [8]: https://141.142.250.163:8443/wsrf/services/NotificationConsumerService
      [9]: https://141.142.250.163:8443/wsrf/services/NotificationTestService
      [10]: https://141.142.250.163:8443/wsrf/services/PersistenceTestSubscriptionManager
      [11]: https://141.142.250.163:8443/wsrf/services/SampleAuthzService
      [12]: https://141.142.250.163:8443/wsrf/services/SecureCounterService
      [13]: https://141.142.250.163:8443/wsrf/services/SecurityContextEchoService
      [14]: https://141.142.250.163:8443/wsrf/services/SecurityTestService
      [15]: https://141.142.250.163:8443/wsrf/services/ShutdownService
      [16]: https://141.142.250.163:8443/wsrf/services/SubscriptionManagerService
      [17]: https://141.142.250.163:8443/wsrf/services/TestAuthzService
      [18]: https://141.142.250.163:8443/wsrf/services/TestRPCService
      [19]: https://141.142.250.163:8443/wsrf/services/TestService
      [20]: https://141.142.250.163:8443/wsrf/services/TestServiceRequest
      [21]: https://141.142.250.163:8443/wsrf/services/TestServiceWrongWSDL
      [22]: https://141.142.250.163:8443/wsrf/services/Version
      [23]: https://141.142.250.163:8443/wsrf/services/WidgetNotificationService
      [24]: https://141.142.250.163:8443/wsrf/services/WidgetService
      [25]: https://141.142.250.163:8443/wsrf/services/gsi/AuthenticationService
      Note that the SecurityContextEchoService is now running in the container.
    3. In the second Command Prompt window, copy your EEC to a preconfigured location (say, %TEMP%\testcredential.pem), set your environment, and request the service:
      > copy "%TEMP%\x509up_u_%USERNAME%" %TEMP%\testcredential.pem
      > set X509_USER_PROXY=%TEMP%\testcredential.pem
      > %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
          -s https://localhost:8443/wsrf/services/SecurityContextEchoService
      ---------
      Response:
      ---------
      
      Principal {
        name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User
              /OU=https://idp.protectnetwork.org/protectnetwork-idp
              /CN=trscavo@idp.protectnetwork.org'
      }
      (untrusted) SAMLIdentity {
        issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
        nameID='<NameIdentifier
                  xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                  CN=trscavo@idp.protectnetwork.org,
                  OU=https://idp.protectnetwork.org/protectnetwork-idp,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu
                </NameIdentifier>'
      }
      (untrusted) BasicAttribute {
        issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
        name='http://gridshib.globus.org/testAttribute'
        nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
        value #1='testValueTwo'
        value #2='testValue'
      }
      (untrusted) BasicAttribute {
        issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
        name='http://gridshib.globus.org/testAttributeTwo'
        nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
        value #1='testValue'
      }
      There are a total of four (4) items in the above response:
      • One (1) Principal item, the Subject DN of your GridShib CA-issued EEC
      • One (1) SAMLIdentity item, corresponding to the <NameIdentifier> element in the bound SAML assertion
      • Two (2) BasicAttribute items, corresponding to the SAML <Attribute> elements in the bound SAML assertion
      Note that all the items except the Principal item are labeled (untrusted). This is because these items have not yet been subjected to policy and are therefore only provisionally accepted by GridShib for GT.
    4. In the second Command Prompt window, stop the container.

The principal name in the above response is the Subject DN of the authenticated user.
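
As an added example (not part of this guide or of the GridShib code), the following Python parses a gridshibecho -d response like the one above, counts the Principal, SAMLIdentity and BasicAttribute items, counts the ones still labeled (untrusted), and flags items whose issuer is the EEC's own Subject DN, which is how the proxy-issued items in the SAML Tools section below are told apart from those asserted by the GridShib CA. The embedded response is constructed with made-up DNs, and the slash-form to RFC 2253 DN conversion is this example's own, not a GridShib API.

```python
import re
from collections import Counter

# Constructed sample shaped like the "gridshibecho -d" response shown in this
# guide; the DNs and values are made up for the example.
SAMPLE_RESPONSE = """\
Response:

Principal {
  name='/DC=edu/DC=example/O=Shibboleth User/
         OU=https://idp.example.org/idp/CN=alice@idp.example.org'
}
(untrusted) SAMLIdentity {
  issuer='CN=alice@idp.example.org,OU=https://idp.example.org/idp,
          O=Shibboleth User,DC=example,DC=edu'
  nameID='<NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
            alice</NameIdentifier>'
}
(untrusted) BasicAttribute {
  issuer='https://test-sp.example.org/shibboleth'
  name='http://gridshib.globus.org/testAttribute'
  nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
  value #1='testValue'
}
"""

# One item: optional "(untrusted)" tag, item type, then a brace-delimited body.
ITEM_RE = re.compile(r"^\s*(\(untrusted\)\s+)?(\w+)\s*\{(.*?)^\s*\}", re.M | re.S)
# One field inside a body: key='value', where the value may span several lines.
FIELD_RE = re.compile(r"^\s*([\w #]+?)='(.*?)'", re.M | re.S)
# A '/' starts a new RDN only when an attribute type and '=' follow it, so a
# URL-valued RDN such as OU=https://idp.example.org/idp is not split apart.
RDN_SPLIT_RE = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

def tidy(value):
    """Collapse the line wrapping the echo client applies inside a quoted value."""
    return re.sub(r"([/,])\s+", r"\1", " ".join(value.split()))

def parse_echo_response(text):
    """Return the response items as dicts: type, trusted flag, and the fields."""
    items = []
    for untrusted, kind, body in ITEM_RE.findall(text):
        fields = {k: tidy(v) for k, v in FIELD_RE.findall(body)}
        items.append({"type": kind, "trusted": not untrusted, **fields})
    return items

def slash_dn_to_rfc2253(dn):
    """Convert an OpenSSL-style '/DC=edu/.../CN=x' DN to RFC 2253 order."""
    rdns = [r for r in RDN_SPLIT_RE.split(tidy(dn)) if r]
    return ",".join(reversed(rdns))

def summarize(items):
    """Count items per type and (untrusted) items, and list the items whose
    issuer is the EEC's own Subject DN, i.e. self-asserted via a proxy."""
    principal = next(i for i in items if i["type"] == "Principal")
    subject_dn = slash_dn_to_rfc2253(principal["name"])
    self_asserted = [i["type"] for i in items
                     if i["type"] != "Principal" and i.get("issuer") == subject_dn]
    return {"counts": dict(Counter(i["type"] for i in items)),
            "untrusted": sum(1 for i in items if not i["trusted"]),
            "self_asserted": self_asserted}
```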

Installing GridShib SAML Tools on Windows

This section shows how to deploy GridShib SAML Tools v0.3 on Windows.

We extract the GridShib SAML Tools archive into c:\gridshib. If this folder does not exist on your system, create it now.

  1. Install GridShib SAML Tools v0.3.x on Windows.
    To install the GridShib SAML Tools, we invoke an ant script that creates a JAR file and runs some tests. The tests use a default issuing credential bundled with the SAML Tools.
    1. Download the GridShib SAML Tools v0.3.x ZIP archive from the GridShib Downloads page.
    2. Open the ZIP archive and extract the source files into a folder of your choice (say, c:\gridshib).
    3. In the second Command Prompt window, type the following commands:
      > cd c:\gridshib\gridshib-saml-tools-0_3_x
      > set GRIDSHIB_HOME=%CD%
      > ant install
      See the GridShib SAML Tools Installation Notes for more information.
  2. Configure GridShib SAML Tools v0.3.x on Windows.
    We will configure the SAML Tools to sign proxy certificates using your GridShib CA-issued EEC. So that GridShib for GT recognizes the issuer of the embedded SAML assertion, the software sets the unique identifier of the SAML issuer to the Subject DN of your EEC.
    1. In the second Command Prompt window, type the following command:
      > echo %TEMP%\x509up_u_%USERNAME%
      C:\DOCUME~1\GLOBUS\LOCALS~1\Temp\x509up_u_globus
      > echo %USERPROFILE%\Local Settings\Temp\x509up_u_%USERNAME%
      C:\Documents and Settings\globus\Local Settings\Temp\x509up_u_globus
    2. Using the output of the above command, create a configuration properties file (%GRIDSHIB_HOME%\etc\test-saml-issuer.properties) with the following lines:
      # BEGIN test-saml-issuer.properties
      
      # SAML NameIdentifier
      NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      NameID.Format.template=%PRINCIPAL%
      
      # FriendlyName="mail"
      Attribute.mail.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri
      Attribute.mail.Name=urn:oid:0.9.2342.19200300.100.1.3
      Attribute.mail.Value=trscavo@gmail.com
      
      # X.509 Issuing Credential
      certLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus
      keyLocation=file:///C:/Documents%20and%20Settings/globus/Local%20Settings/Temp/x509up_u_globus
      
      # END test-saml-issuer.properties
      Be sure to use proper URI syntax by converting backslashes (to forward slashes) and encoding spaces as illustrated above.
  3. Request the SecurityContextEchoService, authenticating with a level 1 proxy credential.
    Since the GridShib SAML Tools issue and bind a SAML assertion to the certificate (like the GridShib CA), the output from the SecurityContextEchoService will be the combined security information from both the GridShib CA-issued EEC and the proxy certificate.
    1. In the second Command Prompt window, issue a level 1 proxy:
      > %GRIDSHIB_HOME%\bin\gridshib-saml-issuer
          --user trscavo --holder-of-key
          --config %GRIDSHIB_HOME%\etc\test-saml-issuer.properties
          --x509 --outfile %TEMP%\testcredential.pem
      As indicated by the --holder-of-key option, an implicit holder-of-key SAML assertion will be bound to the proxy certificate. Since the requester is the subject (as indicated by the holder-of-key assertion), the security information in the proxy is said to be self-asserted.
    2. In the first Command Prompt window, start a secure container.
    3. In the second Command Prompt window, set the proxy path and request the service:
      > set X509_USER_PROXY=%TEMP%\testcredential.pem
      > %GLOBUS_LOCATION%\bin\gridshibecho -d -z none
          -s https://localhost:8443/wsrf/services/SecurityContextEchoService
      ---------
      Response:
      ---------
      
      Principal {
        name='/DC=edu/DC=uiuc/DC=ncsa/DC=computer/O=Shibboleth User/
               OU=urn:mace:inqueue:shib13.openidp.org/CN=trscavo@openidp.org'
      }
      (untrusted) SAMLIdentity {
        issuer='CN=trscavo@openidp.org,
                OU=urn:mace:inqueue:shib13.openidp.org,O=Shibboleth User,
                DC=computer,DC=ncsa,DC=uiuc,DC=edu'
        nameID='<NameIdentifier
                  xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                  trscavo</NameIdentifier>'
      }
      (untrusted) SAMLIdentity {
        issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
        nameID='<NameIdentifier
                  xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                  xmlns:samlsap="urn:oasis:names:tc:SAML:1.1:profiles:assertion:subject"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
                  CN=trscavo@openidp.org,OU=urn:mace:inqueue:shib13.openidp.org,
                  O=Shibboleth User,DC=computer,DC=ncsa,DC=uiuc,DC=edu</NameIdentifier>'
      }
      (untrusted) BasicAttribute {
        issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
        name='http://gridshib.globus.org/testAttribute'
        nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
        value #1='testValueTwo'
        value #2='testValue'
      }
      (untrusted) BasicAttribute {
        issuer='https://test-sp.ncsa.uiuc.edu/shibboleth'
        name='http://gridshib.globus.org/testAttributeTwo'
        nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
        value #1='testValue'
      }
      (untrusted) BasicAttribute {
        issuer='CN=trscavo@openidp.org,
                OU=urn:mace:inqueue:shib13.openidp.org,O=Shibboleth User,
                DC=computer,DC=ncsa,DC=uiuc,DC=edu'
        name='urn:oid:0.9.2342.19200300.100.1.3'
        nameFormat='urn:mace:shibboleth:1.0:attributeNamespace:uri'
        value #1='trscavo@gmail.com'
      }
      As you can see, there are a total of six (6) items in the above response:
      • One (1) Principal item, the Subject DN of your GridShib CA-issued EEC
      • Two (2) SAMLIdentity items, corresponding to the NameIdentifier elements in the bound SAML assertions
      • Three (3) BasicAttribute items, one corresponding to the SAML <Attribute> element bound to the proxy certificate and the other two asserted by the GridShib CA
      You will recognize the two items contributed by the proxy certificate by their issuer, which is the Subject DN of your GridShib CA-issued EEC. (Note that the SAMLIdentity items and the BasicAttribute items are labeled (untrusted). This is because these items have not yet been subjected to policy and are therefore only provisionally accepted by GridShib for GT.)
    4. In the second Command Prompt window, stop the container.
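
As an added example (not from the GridShib distribution), this Python helper builds the test-saml-issuer.properties content shown in step 2 from the Windows path of your EEC, performing the backslash and space conversion the guide calls for, and lints an existing properties file for the mistakes that conversion prevents. The property layout and the credential path follow the guide; the function names and the mail value are this example's own.

```python
from urllib.parse import quote, urlsplit

def credential_uri(windows_path):
    """Turn a Windows credential path into the file: URI the properties file
    needs: backslashes become forward slashes and spaces are %-encoded."""
    drive, _, rest = windows_path.replace("\\", "/").partition("/")
    if len(drive) != 2 or drive[1] != ":" or not drive[0].isalpha():
        raise ValueError("expected an absolute path with a drive letter: %r"
                         % windows_path)
    return "file:///%s/%s" % (drive, quote(rest))

def issuer_properties(credential_path, mail):
    """Render test-saml-issuer.properties as this guide lays it out."""
    uri = credential_uri(credential_path)
    return "\n".join([
        "# SAML NameIdentifier",
        "NameID.Format=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "NameID.Format.template=%PRINCIPAL%",
        "",
        '# FriendlyName="mail"',
        "Attribute.mail.Namespace=urn:mace:shibboleth:1.0:attributeNamespace:uri",
        "Attribute.mail.Name=urn:oid:0.9.2342.19200300.100.1.3",
        "Attribute.mail.Value=" + mail,
        "",
        "# X.509 Issuing Credential",
        "certLocation=" + uri,
        "keyLocation=" + uri,
    ])

def check_issuer_properties(text):
    """Return the problems found in certLocation/keyLocation (empty if OK):
    a value that is not a file: URI, a leftover backslash, or a raw space."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    problems = []
    for key in ("certLocation", "keyLocation"):
        value = props.get(key)
        if value is None:
            problems.append("%s is missing" % key)
            continue
        if urlsplit(value).scheme != "file":
            problems.append("%s is not a file: URI: %s" % (key, value))
        if "\\" in value:
            problems.append("%s still contains a backslash" % key)
        if " " in value:
            problems.append("%s contains an unencoded space" % key)
    return problems
```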

The GridShib Project
http://gridshib.globus.org/