Reconfigure Secure Tomcat Container on a New Host
This article describes how to manually update a secure Tomcat container for use on a new host.
It is assumed that this container was configured by the caGrid 1.2 installer.
- The first step is to generate a new host certificate and key. To do this, use the GAARDS UI to request a new host certificate: Request a Host Certificate.
- The second step is to configure the container to use the new host certificate and key. Edit the file $CATALINA_HOME/conf/server.xml and configure the section at the end of the file with your new key and cert. The following is an example of this section (NOTE: do NOT copy/paste the example snippet below into your file. This section varies depending on your Tomcat version. Refer to Manually Configure Tomcat Container for more information.)
<Connector acceptCount="10" autoFlush="true" cert="<LOCATION_TO_CERT>\<host>-cert.pem"
className="org.globus.tomcat.coyote.net.HTTPSConnector" debug="0" disableUploadTimeout="true" enableLookups="true"
key="<LOCATION_TO_KEY>\<host>-key.pem" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
port="8443" scheme="https"/>
- The third step is to modify the security descriptor to point to your cert and key. Modify $CATALINA_HOME/webapps/wsrf/WEB-INF/etc/globus_wsrf_core/global_security_descriptor.xml:
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
<credential>
<key-file value="<LOCATION_TO_KEY>\<host>-key.pem"/>
<cert-file value="<LOCATION_TO_CERT>\<host>-cert.pem"/>
</credential>
</securityConfig>
This file controls the container's security descriptor:
http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-configCred
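Once all three steps are done, server.xml and global_security_descriptor.xml must name the same certificate and key. The script below is an added example, not part of the caGrid documentation or tooling; its function names are hypothetical, and the key-permission test on POSIX hosts is an added check rather than a step from this article.

```python
import os
import xml.etree.ElementTree as ET

GLOBUS_NS = "{http://www.globus.org}"  # xmlns of global_security_descriptor.xml

def _norm(path):
    return os.path.normcase(os.path.normpath(path))

def connector_credentials(server_xml):
    """Return (cert, key) from the Globus HTTPS <Connector> in server.xml."""
    for conn in ET.parse(server_xml).iter("Connector"):
        if conn.get("className") == "org.globus.tomcat.coyote.net.HTTPSConnector":
            return conn.get("cert"), conn.get("key")
    return None, None

def descriptor_credentials(descriptor_xml):
    """Return (cert, key) from <credential> in the security descriptor."""
    root = ET.parse(descriptor_xml).getroot()
    def value(tag):
        node = root.find(f"{GLOBUS_NS}credential/{GLOBUS_NS}{tag}")
        return node.get("value") if node is not None else None
    return value("cert-file"), value("key-file")

def check_container(server_xml, descriptor_xml):
    """Return a list of problems ([] = consistent); the key-mode test is an added check."""
    problems = []
    conn = connector_credentials(server_xml)
    desc = descriptor_credentials(descriptor_xml)
    for label, c_val, d_val in zip(("cert", "key"), conn, desc):
        if not c_val or not d_val:
            problems.append(f"{label}: missing from server.xml or the descriptor")
        elif _norm(c_val) != _norm(d_val):
            problems.append(f"{label}: server.xml has {c_val}, descriptor has {d_val}")
        elif not os.path.isfile(c_val):
            problems.append(f"{label}: file not found: {c_val}")
        elif label == "key" and os.name == "posix" and os.stat(c_val).st_mode & 0o077:
            problems.append(f"key: {c_val} is accessible by group or others")
    return problems

if __name__ == "__main__":
    home = os.environ.get("CATALINA_HOME", ".")
    etc = os.path.join(home, "webapps", "wsrf", "WEB-INF", "etc", "globus_wsrf_core")
    try:
        issues = check_container(os.path.join(home, "conf", "server.xml"),
                                 os.path.join(etc, "global_security_descriptor.xml"))
    except (OSError, ET.ParseError) as exc:
        issues = [f"cannot read configuration: {exc}"]
    print("\n".join(issues) or "OK: connector and descriptor agree")
    raise SystemExit(1 if issues else 0)
```

Run it with CATALINA_HOME set before restarting the container; a non-zero exit status means one of the two files still points at the old host's credentials or at a missing file.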