Knowledgebase


Reconfigure Secure Tomcat Container on a New Host


This article describes how to manually update a secure Tomcat container for use on a new host.

It is assumed that this container was configured by the caGrid 1.4 installer.

  • First, generate a new host certificate and key. Use the GAARDS UI to request a new host certificate: Request a Host Certificate.
  • Next, configure the container to use the new host certificate and key. Edit the file $CATALINA_HOME/conf/server.xml, and configure the section at the end of the file with your new key and certificate. Below is an example of this section (NOTE: do NOT copy/paste the example snippet below into your file. This section varies depending on your Tomcat version. Refer to Manually Configure Tomcat Container for more information.)

    <Connector acceptCount="10" autoFlush="true" cert="<LOCATION_TO_CERT>\<host>-cert.pem"
    className="org.globus.tomcat.coyote.net.HTTPSConnector" debug="0" disableUploadTimeout="true" enableLookups="true"
    key="<LOCATION_TO_KEY>\<host>-key.pem" maxSpareThreads="75" maxThreads="150"
    minSpareThreads="25" port="8443" scheme="https"/>
    
  • Finally, point the security descriptor at your new certificate and key by editing "$CATALINA_HOME/webapps/wsrf/WEB-INF/etc/globus_wsrf_core/global_security_descriptor.xml":

    <?xml version="1.0" encoding="UTF-8"?>
    <securityConfig xmlns="http://www.globus.org">
        <credential>
            <key-file value="<LOCATION_TO_KEY>\<host>-key.pem"/>
            <cert-file value="<LOCATION_TO_CERT>\<host>-cert.pem"/>
        </credential>
    </securityConfig>

This file controls the container's security descriptor: http://www.globus.org/toolkit/docs/4.0/security/authzframe/security_descriptor.html#s-authzframe-secdesc-configCred
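
After these steps, server.xml and global_security_descriptor.xml must both reference the same new certificate and key; a container left half-migrated still points one of them at the old host's files. The check below is an added example, not part of the original article or of caGrid. It assumes the connector carries `cert` and `key` attributes as in the example above (this varies by Tomcat version), and the function names are hypothetical.

```python
import os, stat, sys
import xml.etree.ElementTree as ET

NS = "{http://www.globus.org}"  # namespace declared in global_security_descriptor.xml
DESCRIPTOR = ("webapps", "wsrf", "WEB-INF", "etc", "globus_wsrf_core",
              "global_security_descriptor.xml")

def connector_credentials(server_xml):
    """(cert, key) from the first Connector that carries both attributes.
    Assumption: attribute names as in the article's example; they vary by Tomcat version."""
    for conn in ET.parse(server_xml).iter("Connector"):
        if conn.get("cert") and conn.get("key"):
            return conn.get("cert"), conn.get("key")
    return None, None

def descriptor_credentials(descriptor_xml):
    """(cert, key) from the <credential> element of the security descriptor."""
    root = ET.parse(descriptor_xml).getroot()
    nodes = [root.find(f"{NS}credential/{NS}{tag}") for tag in ("cert-file", "key-file")]
    return tuple(n.get("value") if n is not None else None for n in nodes)

def check_container(catalina_home):
    """Return a list of problems; an empty list means both files agree."""
    c_cert, c_key = connector_credentials(os.path.join(catalina_home, "conf", "server.xml"))
    d_cert, d_key = descriptor_credentials(os.path.join(catalina_home, *DESCRIPTOR))
    problems = []
    for label, a, b, marker in (("certificate", c_cert, d_cert, "BEGIN CERTIFICATE"),
                                ("key", c_key, d_key, "PRIVATE KEY")):
        if not a or not b:
            problems.append(f"{label}: path missing from server.xml or the descriptor")
            continue
        if os.path.normpath(a) != os.path.normpath(b):
            problems.append(f"{label}: server.xml and the descriptor disagree ({a} vs {b})")
        for path in sorted({a, b}):
            if not os.path.isfile(path):
                problems.append(f"{label}: {path} does not exist")
                continue
            with open(path, errors="replace") as fh:
                if marker not in fh.read():
                    problems.append(f"{label}: {path} is not a PEM {label}")
            # A host key that other accounts can read lets them impersonate the container.
            if label == "key" and os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                problems.append(f"key: {path} is accessible to group or others")
    return problems

if __name__ == "__main__":
    found = check_container(os.environ["CATALINA_HOME"])
    print("\n".join(found) or "OK: server.xml and the descriptor use the same credentials")
    sys.exit(1 if found else 0)
```

The check confirms only that both files reference the same existing PEM files and that the key is not exposed; it does not verify that the certificate and key form a pair or that the certificate names the new host.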

Last edited by
Clayton Clark (774 days ago)