Advanced Deployment
Deploying Multiple caGrid Services
There are two primary issues to keep in mind when deploying multiple caGrid services:
- Classpath conflicts
- SyncGTS conflicts
Classpath Issue
The first issue, classpath conflicts, arises because all caGrid services are deployed to the Globus web application inside your container. Recall that each web application in the container has its own classpath. The result is that all caGrid services share one classpath. When two different caGrid services have conflicting jar files, the result is a classpath conflict. This can result in errors that are extremely difficult to track down.
Classpath Recommendation
Thus, our recommendation is to only deploy one caGrid service per container. We emphasize that this is not a requirement but a recommendation. We also note that the "one service per container" recommendation explicitly excludes the SyncGTS service, which is installed to all containers. The recommendation applies to the caGrid service that is deployed to a configured container (resulting in SyncGTS and another Grid service co-existing in one container).
SyncGTS Issue
The second issue, SyncGTS conflicts, arises because SyncGTS modifies the files in the trusted certificates directory. By default, this is the USER_HOME_DIRECTORY/.globus/certificates directory. If you have multiple SyncGTS services that are configured for multiple different target Grids, you can run into a situation where the SyncGTS instances are conflicting and overriding each other's certificates. The following situations clearly demonstrate when a problem will arise:
SyncGTS Issue Examples
- User "joe" installed two caGrid containers and deployed one service to each container. Both containers are configured for the "Community Training Grid", resulting in a SyncGTS service (one per container) that periodically synchronizes with the Training Grid. This setup has no problems, as each time SyncGTS runs, it sees that the certificates in JOE_HOME_DIR/.globus/certificates directory match those from the Community Training Grid GTS service and leaves them in the directory.
- User "joe" installed two caGrid containers, one that is configured for the caBIG Stage Grid and one that is configured for the caBIG Production Grid. Because these Grids are two separate deployments (meaning they have completely separate trust fabrics), this configuration will exhibit problems. One container, with a SyncGTS service configured for the caBIG Production Grid, will periodically contact the Production Grid GTS and place the certificates in the JOE_HOME_DIR/.globus/certificates directory. The other container, with a SyncGTS service configured for the caBIG Staging Grid, will periodically contact the Staging Grid GTS and place the certificates in the JOE_HOME_DIR/.globus/certificates directory. This will result in unpredictable behavior. At any given point in time, the JOE_HOME_DIR/.globus/certificates directory may have certificates from the Production Grid, from the Staging Grid, or some mix of certificates. Thus, when the services use the certificates directory to perform a trust check for a client that is contacting the service, the check may fail (meaning clients will not be able to contact secure services that are deployed to these containers).
SyncGTS Recommendation
Thus, our recommendation is to ensure that each user account runs caGrid services that have all joined only one target Grid. In the event that you need to run services that join multiple target Grids, you need to create multiple user accounts, one per target Grid.
Manually Editing Configuration Files
Although not recommended, it is sometimes necessary to manually edit some deployment files generated by Introduce. We strongly suggest that you use the Introduce graphical interface to edit any of those files. This is to avoid any simple syntax errors that will prohibit the service from deploying properly. However, if you cannot use Introduce to deploy the service, then you will need to manually edit the files. Please remember to follow proper syntax rules for Java properties files (both the deploy.properties file and service.properties files are Java properties files). Additional technical information can be found at the following link:
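The check below is an added example, not part of the original page or of caGrid or Introduce: a small Python linter for the constructs that java.util.Properties.load() reads differently than they look after a hand edit of deploy.properties or service.properties. The sample file is constructed and its key names are hypothetical.

```python
import re

def logical_lines(text):
    """Yield (first_line_no, line), joined the way java.util.Properties.load() joins them."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip(" \t\f")
        if start is None and (not line or line[0] in "#!"):
            continue                                   # blank line or comment
        start = start or no
        buf += line
        if (len(buf) - len(buf.rstrip("\\"))) % 2:     # odd trailing backslashes: continuation
            buf = buf[:-1]
        else:
            yield start, buf
            buf, start = "", None
    if start is not None:
        yield start, buf                               # file ended mid-continuation

def lint_properties(text):
    """Return [(line_no, message)] for entries that load differently than they read."""
    findings, seen = [], {}
    for no, line in logical_lines(text):
        i = 0
        while i < len(line) and line[i] not in "=: \t\f":  # key ends at first unescaped separator
            i += 2 if line[i] == "\\" else 1
        key, rest = line[:i], line[i:].lstrip(" \t\f")
        has_sep = rest[:1] in ("=", ":")
        value = rest[1:].lstrip(" \t\f") if has_sep else rest
        if not has_sep:
            findings.append((no, f"{key}: no '=' or ':' after the key"))
        escapes = list(re.finditer(r"\\(.)", line))    # pairwise scan: an escaped backslash is one unit
        if any(m[1] == "u" and not re.match(r"[0-9A-Fa-f]{4}", line[m.end():]) for m in escapes):
            findings.append((no, f"{key}: malformed \\uXXXX escape, load() throws"))
        bad = [m[0] for m in escapes if m[1] not in "u\\=:#! " and m.start() >= len(line) - len(value)]
        if bad:
            findings.append((no, f"{key}: {' '.join(bad)} in value are escapes, not path separators"))
        if key in seen:
            findings.append((no, f"{key}: duplicates line {seen[key]}, last value wins"))
        seen[key] = no
    return findings

SAMPLE = r"""# constructed sample; key names are hypothetical
service.deployment.host=grid.example.org
service.deployment.port 8443
keystore.path=C:\tomcat\conf\host-key.pem
service.deployment.host=stage.example.org
banner=Welcome \u26 caGrid
"""
```

On the sample it reports lines 3 to 6: a key with no separator, a Windows path whose single backslashes are consumed as escapes, a duplicate key, and a malformed Unicode escape.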
Proxy
You may have a deployment environment where you cannot open up a container port directly through your firewall. Generally, the Globus toolkit which underlies caGrid doesn't support proxied deployments; however, it may be workable behind an Apache HTTPD server acting as a proxy.
Apache HTTPd Proxy
Secure caGrid services can be run behind an Apache Web Server acting as a proxy to the Tomcat or JBoss container which actually runs the grid service.
The following instructions use file paths which are specific to Red Hat Linux and CentOS; however, the instructions should be generalizable to other configurations of Apache.
- Deploy your grid service to a secure Tomcat or JBoss instance as normal. You may have to re-configure your Globus deployment to use the port number you'll be connecting to Apache HTTPd with (usually 443), even though the container itself listens on 8443.
- Turn on the Apache SSL engine
  - Edit /etc/httpd/conf.d/ssl.conf
  - Set SSLEngine On
- Make Apache use your caGrid host certificate
  - Edit /etc/httpd/conf.d/ssl.conf
  - Set SSLCertificateFile to the location of your <hostname>-cert.pem file
  - Set SSLCertificateKeyFile to the location of your <hostname>-key.pem file
- Create a config file for Apache to manage the proxy into your grid service at /etc/httpd/conf.d/cagrid.conf:

    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy wsrf/services/*>
        Order Deny,Allow
        Allow from all
    </Proxy>
    ProxyPass /wsrf/services https://<hostname>:<port>/wsrf/services
    ProxyPassReverse /wsrf/services https://<hostname>:<port>/wsrf/services

- Start your caGrid Tomcat or JBoss instance
- Start (or re-start) Apache HTTPd
You should now be able to make connections to your grid service on the port Apache is listening to (usually 443, the standard HTTPS port) from the world.
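A check for the cagrid.conf written in the steps above, as an added example that is not part of the original instructions or of caGrid: it audits the directives that decide whether httpd stays a reverse proxy for /wsrf/services only and whether the hop to the container is TLS. The host name grid.example.org and port 8443 in the samples are constructed.

```python
import re

def directives(conf):
    """Return [(lowercased name, args)] per directive, skipping comments and <Section> tags."""
    rows = [l.split() for l in conf.splitlines() if l.strip() and l.strip()[0] not in "#<"]
    return [(r[0].lower(), r[1:]) for r in rows]

def audit_proxy_conf(conf):
    """Return a list of problems in a reverse-proxy config shaped like cagrid.conf."""
    d = directives(conf)
    is_on = lambda name: any(n == name and a[:1] and a[0].lower() == "on" for n, a in d)
    passes = [a for n, a in d if n == "proxypass" and len(a) >= 2]
    reverses = {tuple(a[:2]) for n, a in d if n == "proxypassreverse"}
    problems = []
    if is_on("proxyrequests"):
        # With "Allow from all" this would relay arbitrary outbound requests.
        problems.append("ProxyRequests On: httpd also becomes a forward proxy")
    if not passes:
        problems.append("no ProxyPass mapping found")
    for path, url, *_ in passes:
        if re.search(r"<\w+>", url):
            problems.append(f"{path}: placeholder left in backend URL {url}")
        if url.startswith("http://"):
            problems.append(f"{path}: backend hop is plain HTTP, the secure container expects HTTPS")
        elif url.startswith("https://") and not is_on("sslproxyengine"):
            problems.append(f"{path}: https backend but SSLProxyEngine is not On")
        if (path, url) not in reverses:
            problems.append(f"{path}: no matching ProxyPassReverse, redirect headers are not rewritten")
    return problems

# Constructed samples: GOOD follows the page's config, BAD breaks it in four ways.
GOOD = """
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /wsrf/services https://grid.example.org:8443/wsrf/services
ProxyPassReverse /wsrf/services https://grid.example.org:8443/wsrf/services
"""
BAD = """
ProxyRequests On
ProxyPass /wsrf/services https://<hostname>:8443/wsrf/services
ProxyPassReverse /wsrf/services https://grid.example.org:8080/wsrf/services
"""
```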
Other Proxy Scenarios
If you absolutely cannot open the container port up directly, or cannot use the instructions for deployments behind Apache, please contact the caGrid Knowledge Center for additional information.





