JClarens is a grid service framework for hosting and developing new grid services. The Discovery Service is one such grid service. In order to run the Discovery Service, both JClarens and the Discovery Service packages must be installed. Fortunately, the VDT installer makes this easy.

• VDT 1.3.3 contains JClarens 0.5.3-2
• VDT 1.3.2 contains JClarens 0.5.3-1

VDT 1.3.3

1. Install a service certificate and key into /etc/grid-security/http/httpcert.pem, /etc/grid-security/http/httpkey.pem. This should be done before installing the VDT.
2. General VDT installation instructions. At the minimum you will need to install pacman.
3. Install the JClarens and Discovery Service packages from the VDT cache.
   

           pacman -get http://www.cs.wisc.edu/vdt/vdt_133_cache:jClarens-Discovery

4. During the installation, pacman will ask if you want to enable the JClarens web services framework. Answer 'y':

           Would you like to enable the jClarens web services framework?
           Choices: y (yes), n(no), s (skip this question) y
           

5. If you haven't done so yet, copy your service certificate and key to /etc/grid-security/http/httpcert.pem and httpkey.pem.
6. Restart apache and tomcat with
   • % service apache stop
   • % service tomcat-4 stop
   • % service apache start
   • % service tomcat-4 start
7. Perform any necessary Post Install configuration. Tomcat must be restarted after changing the JClarens configuration.

VDT 1.3.2

1. General VDT installation instructions. At the minimum you will need to install pacman.
2. Install the JClarens and Discovery Service packages from the VDT cache.
   

           pacman -get http://www.cs.wisc.edu/vdt/vdt_132_cache:jClarens-Discovery

3. Install a service certificate and key into /etc/grid-security/http/httpcert.pem, /etc/grid-security/http/httpkey.pem. If this is not done then the local Discovery Service will not show up in any service registry.
4. Edit /etc/init.d/tomcat-4 and add the following directly below line 247:

           -Djava.security.manager \
           -Djava.security.policy="$CATALINA_BASE"/conf/all.policy \
           

   The paragraph should now look like

   else
       "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
         -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
         -Dcatalina.base="$CATALINA_BASE" \
         -Dcatalina.home="$CATALINA_HOME" \
         -Djava.io.tmpdir="$CATALINA_TMPDIR" \
         -Djava.security.manager \
         -Djava.security.policy="$CATALINA_BASE"/conf/all.policy \
         org.apache.catalina.startup.Bootstrap "$@" start \
         >> "$CATALINA_BASE"/logs/catalina.out 2>&1 &
           

5. Comment out the httpd port for tomcat by enclosing it in <!-- --> in the file $VDT_LOCATION/tomcat/v4/conf/server.xml

   <!--
       <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                  port="8080" minProcessors="5" maxProcessors="75"
                  enableLookups="true" redirectPort="8443"
                  acceptCount="100" debug="0" connectionTimeout="20000"
                  useURIValidationHack="false" disableUploadTimeout="true" />
   -->
           

6. Start both apache and tomcat using the following commands

           service apache start
           service tomcat-4 start
           

• clarens.system.hostCertFile contains the path to your service certificate, if you haven't already copied it to /etc/grid-security/http/httpcert.pem
• clarens.system.hostKeyFile contains the path to your service certificate key, if you haven't already copied it to /etc/grid-security/http/httpkey.pem
• clarens.system.hostKeyPass contains the password used to protect the certificate key. Comment out this property if you are using an unencrypted certificate key.
• monitor.dest points to a MonALISA server that will be used to receive service publications. The MonALISA server must be configured to receive ApMon publications. This is done by adding the following line to $MONALISA_HOME/Service/myFarm/myFarm.conf:

        ^monXDRUDP{ListenPort=8884,ParamTimeout=3600,NodeTimeout=10800,ClusterTimeout=86400}%5
        

• clarens.admin contains a certificate DN fragment for the user who is given full access to all services on this JClarens server. Any user whose certificate contains this exact substring will be allowed full access. Set this to an empty string to give all users access. Comment this property out to remove administrator access completely.
• vo.name contains the name of the virtual organization, such as 'CMS' or 'ATLAS'. The default VO 'GAE' is used for testing purposes.

JClarens uses an internal database to store access control lists. The access control lists allow the server administrator to restrict access to individual services and service methods to specific users and groups. By default, the query methods find and find_server in the Discovery Service are open to everyone; no access control check is performed. The publication method register is by default only accessible to the admin user as defined by the clarens.admin property. There are two ways to open up access to this method. First, you can simply set clarens.admin to an empty string. This is the easiest and least secure way, but is suitable for doing installation testing. Second, you can log into the web browser interface of jclarens and set the access control for the rendezvous.register method. The clarens.admin certificate must be loaded into your web browser in order for this to work.

1. Go to https://localhost:8443/jclarens and click on the 'login' link on the left.
2. Click on the Login button.
3. Select the 'Method ACL Management' link.
4. Browse to the rendezvous.register method, select it, and press the 'Edit ACL' button.
5. In the popup window, press 'ACL Allow User' then 'Add DN'.
6. Type in the certificate subject (or subject substring) for users who are allowed to access this service method.