GeWorkbench Example

From Informatics


see also: Working Groups, TeraGrid, TeraGrid User Support, CaGrid, CaGrid/TeraGrid/geWorkbench_Integration.


Goal

The goals of this initiative are to:

  • Submit jobs to TeraGrid via caGrid gateway services. This configuration allows computationally intensive analyses to run on resources that cater to heavy computation.
  • Document best practices on setting up a TeraGrid-Aware caGrid gateway service. (See Deliverables)
  • Demonstrate this process using the geWorkbench Hierarchical Clustering analysis component.

HCcaGridOnly.PNG


HCTeraGrid.PNG


Although the new service is TeraGrid-aware, the perspective from geWorkbench does not change. As far as geWorkbench is concerned, it is still connecting to a Hierarchical Clustering caGrid service. The difference is now the caGrid service is a gateway service that submits a TeraGrid job on behalf of geWorkbench. geWorkbench, however, does not notice this difference.

Tools

This section provides links to all the tools we used in this project. It is best to continue reading this wiki to get an idea of how we used these tools before coming back for more information on the tools themselves.

geWorkbench

caGrid

General

Security

Communicating with TeraGrid

TeraGrid

General

Logging On

Submitting Jobs

Moving Files

Additional Information

WS-GRAM

  • Grid Resource Allocation and Management
  • This is a Globus protocol used for remote job submission and control.

Condor

  • There is talk of using Condor to submit jobs to TeraGrid. Condor will use the GRAM protocol for this job submission. Condor has support for Java jobs.

Setup

This section references the following caGrid services:

You can set up your own Dorian, GTS, CDS, and Grid Grouper services by following the links above. In this wiki, we use the services available on the caGrid training grid.

Security for caGrid-TeraGrid Communication

SecuritySetup.PNG


Before diving into the setup process, bring up the caGrid GAARDS UI:

  • Go to the directory with caGrid 1.1 installed (we will refer to this directory as CAGRID_HOME, for example C:\java\apps\caGrid). If you don't have caGrid 1.1 installed, please do so.
  • Under CAGRID_HOME, type
ant security

GAAURDS.PNG



One.PNG Obtain caGrid user account for geWorkbench GUI user

On the machine that the geWorkbench GUI is expected to be used,

CaGridAcctRegister.PNG


Two.PNG Synchronize user credentials with caGrid Trust Fabric

On the machine that the geWorkbench GUI is expected to be used, go to CAGRID_HOME, and type

ant -Dtarget.grid=<grid name> configure  (Possible grid names are: nci_prod, nci_qa, nci_stage, nci_dev, osu_dev, training, custom_grid.)

to specify the caGrid with which you wish to work. (For more information on configuring caGrids, see how to change target grids.)

Next, go to CAGRID_HOME/projects/syncgts

ant syncWithTrustFabric

For more information on synchronizing with caGrid Trust Fabric, see caGrid Wiki on GTS.


Three.PNG Obtain caGrid host account for geWorkbench dispatcher

On the machine that hosts the geWorkbench dispatcher,

CaGridAcctRegister.PNG


Four.PNG Synchronize host credentials with caGrid Trust Fabric

On the machine that hosts the geWorkbench dispatcher, go to CAGRID_HOME, and type

ant -Dtarget.grid=<grid name> configure  (Possible grid names are: nci_prod, nci_qa, nci_stage, nci_dev, osu_dev, training, custom_grid.)

to specify the caGrid with which you wish to work. The target grid should be the same one you used in step 2. (For more information on configuring caGrids, see how to change target grids.)

Next, go to CAGRID_HOME/projects/syncgts

ant syncWithTrustFabric

For more information on synchronizing with caGrid Trust Fabric, see caGrid Wiki on GTS.


Five.PNG Obtain host proxy for geWorkbench dispatcher

CaGridGetHostCert.PNG


Six.PNG Include user ID in the caGrid Grid Grouper

  • Go to the machine running geWorkbench and obtain the user proxy:

Click on "Login" and authenticate with your username and password. Use the appropriate Dorian URI; for example, if you obtained your user account on the training grid, get its proxy from the training Dorian. Also set the proxy lifetime to 4 hrs and delegation length to 2. Click "Authenticate".

GAARDSAuth.PNG

Note: The 4 hours of proxy lifetime is required to coordinate with the delegation lifetime that is set programmatically in the "Obtaining the Delegation Reference" section.


A "Proxy Manager" dialog pops up --> click on the certificate you just generated listed under "Certificate Chain" --> click on "Set Default"

GAARDSProxyMgr.PNG


  • Add the user id for geWorkbench user to the grid grouper:


GridGrouperStart.PNG

In the GAARDS UI, click on Group Management menu --> Group Browser to bring up the grid grouper UI. Click on "Add Grid Grouper". This brings up the Add Grid Grouper dialog. In the dialog, specify the appropriate grid grouper URL and geWorkbench user credential. Click "Add".


GridGrouperGetToGroup.PNG

After the grid grouper service loads successfully, go to the service explorer on the left. Choose the grid group for this project, and double click on the group name. This brings up the stem details for that group. Click on the "Members" tab.


GridGrouperAddMember.PNG

Click on "Add Member" at the bottom. This brings up the add member dialog. Choose member type "user" and specify user name in "Member Identity". Click "Add Member".


GridGrouperMemberList.PNG

User name should show up in the members list.


Seven.PNG caBIG community account for TeraGrid

Developers of gateway services will use the caBIG Community account to access Teragrid resources. They will not have to obtain individual Teragrid accounts but if interested, these steps can be followed:


Verify that you have access to the caBIG community account: Log on to a login node (for example, the San Diego cluster login node)

ssh -X <userNameForSanDiego>@dslogin.sdsc.edu
password:<SanDiegoPassword>

Perform Single Sign On

<userNameForSanDiego>@tg-grid1:~> myproxy-logon -T -l <userNameForUserPortal> 
Enter MyProxy pass phrase:<userPortalPassword>
A credential has been received for user <userNameForUserPortal> in /tmp/x509up_u510.
Trust roots have been installed in /home/<userNameForUserPortal>/.globus/certificates/.
<userNameForUserPortal>@tg-grid1:~> grid-proxy-info
subject  : /C=US/O=National Center for Supercomputing Applications/ CN=<Name of User>
issuer   : /C=US/O=National Center for Supercomputing Applications/ 
OU=Certificate Authorities/CN=MyProxy
identity : /C=US/O=National Center for Supercomputing Applications/ CN=<Name of User>
type     : end entity credential
strength : 1024 bits
path     : /tmp/x509up_u510
timeleft : 11:59:37
<userNameForUserPortal>@tg-grid1:~> gsissh tg-login.ncsa.teragrid.org
NCSA Teragrid Cluster (MERCURY) --In Production with 868 nodes--
  • For additional information on available clusters and nodes, see TeraGrid Resources (Click on "Resources" tab and "Systems Monitor" sub-menu to get a list of host nodes.)


Eight.PNG Synchronize caBIG community credentials for TeraGrid with caGrid Trust Fabric


Nine.PNG Synchronize caBIG community credentials for TeraGrid with TeraGrid Trust Fabric


Ten.PNG Associate the appropriate grid group with the gateway service

Assuming the gateway service has been created -- load it into Introduce (via "Modify Service" button) and go to the "Security" Tab. The authorization sub-tab allows you to specify the grid grouper membership that is allowed to access this gateway service. (If the gateway service has not been created, please skip this step and follow instructions under section #Creating the caGrid Gateway Service.)

IntroduceTeragridSampleAuthorization.PNG

In the "Authorization" tab, first specify the authorization mechanism to be "Grid Grouper". Then specify the grid grouper service URL and click "Load" to bring up the list of groups available. Click on "TeragridSample" group and then click on "Add Group". That will add the TeragridSample group to the list of authorized users to invoke the gateway service. For more information, see caGrid Grid Grouper.

Binary Staging on TeraGrid

Make sure you have access to the caBIG community account for TeraGrid or some other valid TeraGrid account. If not, see step 7 from the section above.

For illustration purposes, we use the fat jar file for the hierarchical clustering gateway as an example to follow.

  • Stage jar files in the community software area. Argonne is a good machine to use. To transfer jar files, log in using the caBIG account, and use scp or ftp to transfer the jar file.
  • Make sure the node you plan to stage the binaries on has the correct version of the software your binaries will need (e.g. does Argonne have JDK 1.5?).
  • First, create a command line interface and test it out locally. This should take in an input directory to read the serialized objects from and an output directory to serialize the results to. Running this would look like:
java -Xmx900M -jar HierarchicalClusteringCli_fat.jar -i my/input/dir -o my/output/dir
  • Next, test your binary (e.g. HierarchicalClusteringCli_fat.jar) on the Argonne cluster.
    • Log on to a login node (e.g. sdsc) as detailed in step 7 from the section above.
    • scp your binary (e.g. HierarchicalClusteringCli_fat.jar) to the login machine.
    • Perform single sign on as detailed in step 7 from the section above.
    • scp your binary (e.g. HierarchicalClusteringCli_fat.jar) from the login machine to your chosen cluster machine (e.g. tg-grid1.uc.teragrid.org).
    • Verify that the necessary software is available to you. (For example, to run HierarchicalClusteringCli_fat.jar, type java -version to verify that tg-grid1 is running java 1.5.*.)
    • Run your binary again. (In case of HierarchicalClusteringCli_fat.jar, run again the java command from above.)
    • The log output should be the same as the local run.

Creating the caGrid Gateway Service

This section details how to create a caGrid gateway service. For illustration purposes, we use the code for the hierarchical clustering gateway as an example to follow.

Introduce and gRAVi

Use Introduce with the gRAVi plugin to create the basis for the gateway service -- TeragridSample. The generated code should have the following structure:

IntroduceRaviStubs.PNG

In Introduce, the data types imported are:

IntroduceTeragridSampleDatatypes.PNG


The specified operations method is:

IntroduceTeragridSampleOps.PNG

In this case the one method the gateway client calls is execute().


The security options should be:

IntroduceTeragridSampleSecurityComm.PNG

with "Custom" option, and all three communications security options checked. (All three communications methods should show "Privacy".)


The authorization tab allows you to specify the grid grouper membership that is allowed to access this gateway service.

IntroduceTeragridSampleAuthorization.PNG

In the "Authorization" tab, first specify the authorization mechanism to be "Grid Grouper". Then specify the grid grouper service URL and click "Load" to bring up the list of groups available. Click on "TeragridSample" group and then click on "Add Group". That will add the TeragridSample group to the list of authorized users to invoke the gateway service. For more information, see caGrid Grid Grouper.


Under the "Service Credentials" tab, choose to import credentials from the file system and run as the system.

IntroduceTeragridSampleCreds.PNG

Gateway Client

  • org.cagrid.introduce.sample.teragrid.client.TeragridSampleClient.java

The gateway client passes the data, getMicroArraySet(), and the user selected parameters, getHierarchicalClusteringParameter(), to the gateway service hosted at GATEWAY_SERVICE_URL. Both the microarray set and parameters are caDSR compliant data structures geWorkbench uses.

TeragridSampleClient client = new TeragridSampleClient(GATEWAY_SERVICE_URL);
HierarchicalCluster hc = client.execute(getMicroArraySet(), getHierarchicalClusteringParameter());

Gateway Service

  • org.cagrid.introduce.sample.teragrid.context.service.TeragridSampleImpl.java
  • Make sure the following jars are on the classpath:
GLOBUS_LOCATION/lib/axis.jar
GLOBUS_LOCATION/lib/gram-client.jar
GLOBUS_LOCATION/lib/gram-stubs.jar
GLOBUS_LOCATION/lib/gram-util.jar
GLOBUS_LOCATION/lib/gram-monitoring.jar
GLOBUS_LOCATION/lib/wsrf-core.jar
GLOBUS_LOCATION/lib/cog-jglobus.jar
GLOBUS_LOCATION/lib/jgss.jar


  • Import the following classes:
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.RandomAccessFile;
import java.net.URL;
import java.rmi.RemoteException;
import java.util.Date;
import org.apache.axis.components.uuid.UUIDGen;
import org.apache.axis.components.uuid.UUIDGenFactory;
import org.apache.axis.message.addressing.EndpointReferenceType;
import org.globus.exec.client.GramJob;
import org.globus.exec.generated.JobDescriptionType;
import org.globus.exec.generated.StateEnumeration;
import org.globus.exec.utils.ManagedJobFactoryConstants;
import org.globus.exec.utils.client.ManagedJobFactoryClientHelper;
import org.globus.wsrf.impl.security.authentication.Constants;
import org.globus.wsrf.impl.security.authorization.Authorization;
import org.globus.wsrf.impl.security.authorization.HostAuthorization;
import org.gridforum.jgss.ExtendedGSSCredential;
import org.gridforum.jgss.ExtendedGSSManager;
import org.ietf.jgss.GSSCredential;
import org.globus.exec.client.GramJobListener;
import org.globus.ftp.DataChannelAuthentication;
import org.globus.ftp.DataSink;
import org.globus.ftp.DataSource;
import org.globus.ftp.FileRandomIO;
import org.globus.ftp.GridFTPClient;
import org.globus.ftp.GridFTPSession;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.GlobusCredentialException;
import org.globus.gsi.gssapi.GlobusGSSCredentialImpl;


  • Make sure the class implements GramJobListener interface.
public class TeragridSampleImpl extends TeragridSampleImplBase  implements GramJobListener {

This interface has one method:

public void stateChanged(GramJob job) {
    StateEnumeration jobState = job.getState();
    boolean holding = job.isHolding();
    printMessage("========== State Notification ==========");
    printJobState(jobState, holding);
    printMessage("========================================");
    synchronized (this) {
        if (jobState.equals(StateEnumeration.Done) || jobState.equals(StateEnumeration.Failed)) {
            printMessage("Exit Code: " + Integer.toString(job.getExitCode()));
            // also call code to start processing results, for example gridFTP them from TeraGrid back to gateway service
            this.jobCompleted = true;
        }
        notifyAll();
    }
}


  • Authenticate with TeraGrid using caBIG community credentials
GlobusCredential globusCred = new GlobusCredential(PROXY_LOCATION);
GlobusGSSCredentialImpl cred = new GlobusGSSCredentialImpl(globusCred, GSSCredential.INITIATE_AND_ACCEPT);

where PROXY_LOCATION is the location of the TeraGrid user certificate.


  • set up gridFTP info
String DEST_HOST = <name of the host in TeraGrid with the gridFTP service>;
int GRIDFTP_PORT = 2811;


  • gridFTP input data and parameters
String FILE_TO_FTP = <full path to the input data file/parameter file>;
GridFTPClient client = new GridFTPClient(DEST_HOST, GRIDFTP_PORT);
client.authenticate(cred);
client.setProtectionBufferSize(16384);
client.setType(GridFTPSession.TYPE_IMAGE);
client.setMode(GridFTPSession.MODE_EBLOCK);
client.setDataChannelAuthentication(DataChannelAuthentication.NONE);
client.setDataChannelProtection(GridFTPSession.PROTECTION_SAFE);
client.setPassive();
client.setLocalActive();
DataSource source = new FileRandomIO(new RandomAccessFile(new File(FILE_TO_FTP), "r"));
client.extendedPut(FILE_TO_FTP, source, null);
client.close();


Break up the original command line to invoke the staged hierarchical clustering jar

java -Xmx900M -jar HierarchicalClusteringCli_fat.jar -i my/input/dir -o my/output/dir

to

String [] arguments = new String [7];
arguments [0] = "-Xmx900M";
arguments [1] = "-jar";
arguments [2] = "<gateway_bin>/HierarchicalClusteringCli_fat.jar";
arguments [3] = "-i";
arguments [4] = "<gateway_input_directory>";
arguments [5] = "-o";
arguments [6] = "<gateway_output_directory>";

Allow delegation from client -> gRAVi service -> GRAM

boolean limitedDelegation = true;	
boolean delegationEnabled = true;

Set service dates

Date serviceDuration = <set service duration>;
Date serviceTermination = <set service termination date>;

Submit the job

JobDescriptionType jobDescription = createJobDescription(PATH_TO_JAVA_BIN + "/java", arguments);
GramJob job = new GramJob(jobDescription);
job.setTimeOut(GramJob.DEFAULT_TIMEOUT);
job.setAuthorization(HostAuthorization.getInstance());
job.setMessageProtectionType(Constants.ENCRYPTION);
job.setDelegationEnabled(delegationEnabled);
job.setDuration(serviceDuration);
job.setTerminationTime(serviceTermination);
// GRAMContact and GRAMType are both specified in rave.properties
EndpointReferenceType factoryEndpoint = getFactoryEPR(GRAMContact, GRAMType);
ExtendedGSSManager manager = (ExtendedGSSManager) ExtendedGSSManager.getInstance();
// proxyPath is specified in rave.properties
String handle = "X509_USER_PROXY=" + proxyPath.toString();  
GSSCredential proxy = manager.createCredential(handle.getBytes(), ExtendedGSSCredential.IMPEXP_MECH_SPECIFIC, GSSCredential.DEFAULT_LIFETIME, null, GSSCredential.INITIATE_AND_ACCEPT);
job.setCredentials(proxy);
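// Obtain the UUID generator from the Axis factory imported above
UUIDGen uuidgen = UUIDGenFactory.getUUIDGen();
String submissionID = "uuid:" + uuidgen.nextUUID();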
job.addListener(this);  
job.submit(factoryEndpoint, false, limitedDelegation, submissionID);

Note: for details on rave.properties, see wiki on gRAVi plugin.


  • gridFTP to retrieve results
String FILE_TO_FTP = <full path to the result data file>;
GridFTPClient client = new GridFTPClient(DEST_HOST, GRIDFTP_PORT);
client.authenticate(cred);
client.setProtectionBufferSize(16384);
client.setType(GridFTPSession.TYPE_IMAGE);
client.setMode(GridFTPSession.MODE_EBLOCK);
client.setDataChannelAuthentication(DataChannelAuthentication.SELF);
client.setDataChannelProtection(GridFTPSession.PROTECTION_SAFE);
client.setLocalPassive();
client.setActive();
DataSink sink = new FileRandomIO(new RandomAccessFile(new File(FILE_TO_FTP), "rw"));
client.get(FILE_TO_FTP, sink, null);
client.close();
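
The stateChanged() listener above sets jobCompleted and calls notifyAll(), but the submitting thread still has to wait for that signal before it retrieves results. The following is an added example, not code from the TeragridSample service: a JDK-only sketch of the waiting side with a deadline. The State enum stands in for StateEnumeration, a helper thread plays the GRAM callbacks, and the class name, the timeout values and the "retrieve only after Done with exit code 0" policy are assumptions of the example.

```java
import java.util.concurrent.TimeUnit;

/** Waiting side of the stateChanged() callback, with a deadline (added example). */
public class JobCompletionWait {

    /** Stand-in for the GRAM StateEnumeration values this example needs (assumption). */
    enum State { ACTIVE, DONE, FAILED }

    private State finalState;   // guarded by "this"; null until Done or Failed arrives
    private int exitCode = -1;  // guarded by "this"

    /** Same shape as the page's listener: record a terminal state, then wake waiters. */
    public synchronized void stateChanged(State state, int code) {
        if (state == State.DONE || state == State.FAILED) {
            finalState = state;
            exitCode = code;
        }
        notifyAll();
    }

    /**
     * Blocks until Done or Failed is reported, or until timeoutMillis has passed.
     * Returns the terminal state, or null on timeout. The loop re-checks the
     * condition after every wake-up, so the ACTIVE notification and spurious
     * wake-ups do not end the wait early.
     */
    public synchronized State awaitCompletion(long timeoutMillis) throws InterruptedException {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        while (finalState == null) {
            long remainingMs = TimeUnit.NANOSECONDS.toMillis(deadline - System.nanoTime());
            if (remainingMs <= 0) {
                return null;
            }
            wait(remainingMs); // never wait(0): that would block with no deadline
        }
        return finalState;
    }

    public synchronized int getExitCode() {
        return exitCode;
    }

    /** Policy assumed for this example: fetch results only after Done with exit code 0. */
    public static String nextStep(State state, int exitCode) {
        if (state == null) {
            return "TIMEOUT: cancel the job and return a fault to the caller";
        }
        if (state == State.DONE && exitCode == 0) {
            return "DONE: retrieve results over gridFTP";
        }
        return state + " (exit code " + exitCode + "): skip retrieval and return a fault";
    }

    /** Constructed scenario: a thread plays the GRAM notification callbacks. */
    private static String run(final State terminal, final int code, long timeoutMillis)
            throws InterruptedException {
        final JobCompletionWait job = new JobCompletionWait();
        Thread callbacks = new Thread(new Runnable() {
            public void run() {
                try {
                    Thread.sleep(50);
                    job.stateChanged(State.ACTIVE, 0);
                    if (terminal != null) {
                        Thread.sleep(50);
                        job.stateChanged(terminal, code);
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        });
        callbacks.setDaemon(true);
        callbacks.start();
        State result = job.awaitCompletion(timeoutMillis);
        return nextStep(result, job.getExitCode());
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println(run(State.DONE, 0, 2000));    // job finishes normally
        System.out.println(run(State.FAILED, 1, 2000));  // job fails on the cluster
        System.out.println(run(null, 0, 300));           // no terminal state before the deadline
    }
}
```

In the gateway service the deadline would be chosen to fit the service duration and termination time set on the job.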

Deploying the Gateway Service

  • If you intend to connect your component to this gateway service from geWorkbench, you would also need to register the gateway service with an index service geWorkbench can reach. In Introduce's Deploy dialog, be sure to set "perform.index.service.registration" to be true, and specify the appropriate index service URL in "index.service.url" before clicking "Deploy".

DeployWIndex.PNG


  • If you are not using geWorkbench, you can skip the index service registration and click "Deploy". Then simply use the URL to the gateway service when you instantiate your gateway client. (See #Gateway Client).

caGrid-TeraGrid Security

Before continuing through this section, be sure that you have already performed the one-time security setups for both caGrid and TeraGrid. If not, please see #Security for caGrid-TeraGrid Communication.

This section references the following caGrid services:

Again, the geWorkbench Hierarchical Clustering example uses these services on caGrid's training grid.


Runtime Security Flow

SecurityRuntime.PNG



Delegating caGrid Proxy

With caGrid 1.2, an entity that successfully obtains a grid proxy can delegate the actual execution request to another entity. (In our case, we would be getting the grid proxy with the machine running geWorkbench and delegating the grid execution request to our dispatcher service.)

While we are still working with caGrid 1.1, we can download the delegation service jars. A good place to put the cds-client folder is under CAGRID_HOME/projects/.

One.PNG (Steps 1 through 6 are done before the #Gateway Client invokes the #Gateway Service.)

Obtaining the user certificate

geWorkbench stores the user’s grid proxy generated from #1 locally. There are two approaches for getting the certificate: #Get the certificate manually and then programmatically delegate or #Programmatically getting both the certificate and delegate. Choose the option that is appropriate.

Get the certificate manually and then programmatically delegate

Bring up the GAARDS UI (CAGRID_HOME/ant security or with geWorkbench by following the step above)

Click on "Login" and authenticate with your username and password. For our purposes, use the training Dorian URI, as specified in the following image. Also set the proxy lifetime to 4 hrs and delegation length to 2. Click "Authenticate".

GAARDSAuth.PNG

Note: The 4 hours of proxy lifetime is required to coordinate with the delegation lifetime that is set programmatically in the "Obtaining the Delegation Reference" section.


A "Proxy Manager" dialog pops up --> click on the certificate you just generated listed under "Certificate Chain" --> click on "Set Default"

GAARDSProxyMgr.PNG


To access the manually created default certificate in geWorkbench or in any java program,

Put the following jars on the classpath:
CAGRID_HOME/projects/dorian/ext/lib/caGrid-1.1-core.jar
GLOBUS_LOCATION/lib/cog-jglobus.jar
import org.globus.gsi.GlobusCredential;
import org.cagrid.gaards.cds.common.core.ProxyUtil;
GlobusCredential proxy = ProxyUtil.getDefaultProxy();


If you print out your certificate info, it should look like

2007-12-20 10:02:40,685 INFO [edu.columbia.geworkbench.cagrid.security.SecurityTest] - Testing authentication against:    https://dorian.cagrid.org:6443/wsrf/services/cagrid/Dorian
2007-12-20 10:02:41,622 WARN [org.apache.axis.utils.JavaUtils] - Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart).  Attachment support is disabled.
2007-12-20 10:02:46,169 INFO [edu.columbia.geworkbench.cagrid.security.SecurityTest] - id: _7fca807b473d9f235c5575fe07e37fe6
2007-12-20 10:02:46,169 INFO [edu.columbia.geworkbench.cagrid.security.SecurityTest] - issuer: O=caBIG,OU=caGrid,OU=Training,CN=Dorian IdP Authentication Asserter
2007-12-20 10:02:46,185 INFO [edu.columbia.geworkbench.cagrid.security.SecurityTest] - cert type: sun.security.x509.X509CertImpl
2007-12-20 10:02:46,201 INFO [edu.columbia.geworkbench.cagrid.security.SecurityTest] - cert: [
[
 Version: V3
 Subject: CN=Dorian IdP Authentication Asserter, OU=Training, OU=caGrid, O=caBIG
 Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
...


Programmatically getting both the certificate and delegate

Put the following jars on the classpath:
CAGRID_HOME/projects/dorian/ext/lib/caGrid-1.1-authentication-service-stubs.jar
CAGRID_HOME/projects/dorian/ext/lib/caGrid-1.1-authentication-service-client.jar
CAGRID_HOME/projects/dorian/build/lib/caGrid-1.1-dorian-client.jar
CAGRID_HOME/projects/dorian/ext/lib/caGrid-1.1-opensaml-1.1.jar
GLOBUS_LOCATION/lib/cog-jglobus.jar
import gov.nih.nci.cagrid.authentication.bean.BasicAuthenticationCredential;
import gov.nih.nci.cagrid.authentication.bean.Credential;
import gov.nih.nci.cagrid.authentication.client.AuthenticationClient;
import gov.nih.nci.cagrid.dorian.client.IFSUserClient;
import gov.nih.nci.cagrid.opensaml.SAMLAssertion;
import org.globus.gsi.GlobusCredential;
BasicAuthenticationCredential userPass = new BasicAuthenticationCredential(password, username);
Credential credential = new Credential();
credential.setBasicAuthenticationCredential(userPass);
AuthenticationClient authenticationClient = new AuthenticationClient(dorianUri, credential);
SAMLAssertion samlAssertion = authenticationClient.authenticate();
assertNotNull(samlAssertion);
gov.nih.nci.cagrid.dorian.ifs.bean.ProxyLifetime lifetime = new gov.nih.nci.cagrid.dorian.ifs.bean.ProxyLifetime();
lifetime.setHours(4);
lifetime.setMinutes(0);
lifetime.setSeconds(0);
IFSUserClient dorian = new IFSUserClient(dorianUri);
GlobusCredential proxy = dorian.createProxy(samlAssertion, lifetime, 2);

Note: There are various ProxyLifetime classes in different caGrid jar files. It is best to use fully qualified name for this class.

Two.PNG

Obtaining the Delegation Reference

geWorkbench uses the default proxy to contact the delegation service and delegates the credentials to the dispatcher service (the call returns a delegation reference).

Put the following jars on the classpath:
CAGRID_HOME/projects/cds-client/ext/lib/caGrid-1.2M1-cds-client.jar  
CAGRID_HOME/projects/cds-client/ext/lib/caGrid-1.2M1-cds-common.jar  
CAGRID_HOME/projects/cds-client/ext/lib/caGrid-1.2M1-cds-stubs.jar
GLOBUS_LOCATION/lib/cog-jglobus.jar 
import org.cagrid.gaards.cds.client.ClientConstants;
import org.cagrid.gaards.cds.client.DelegationUserClient;
import org.cagrid.gaards.cds.common.IdentityDelegationPolicy;
import org.cagrid.gaards.cds.common.Utils;
import org.cagrid.gaards.cds.delegated.stubs.types.DelegatedCredentialReference;
import org.globus.gsi.GlobusCredential;
import java.util.ArrayList;
import java.util.List;
// Specify which host machine to delegate the user credentials.
// This is usually in the form of...
String party = "/O=caBIG/OU=caGrid/OU=Training/OU=Services/CN=host/<host name>";
// Specifies the path length of the credential being delegated; the minimum is 1.
int delegationPathLength = 1;
// Specifies how long credentials issued to allowed parties will be valid.
org.cagrid.gaards.cds.common.ProxyLifetime issuedCredentialLifetime = new org.cagrid.gaards.cds.common.ProxyLifetime();
issuedCredentialLifetime.setHours(4);
issuedCredentialLifetime.setMinutes(0);
issuedCredentialLifetime.setSeconds(0);
// Specifies how long the delegation service can delegate this credential to other parties.
org.cagrid.gaards.cds.common.ProxyLifetime delegationLifetime = new org.cagrid.gaards.cds.common.ProxyLifetime();
delegationLifetime.setHours(1);
delegationLifetime.setMinutes(0);
delegationLifetime.setSeconds(0);
// Specifies the path length of the credentials issued to allowed parties. A path length of 0 means that the requesting party cannot further delegate the credential.
int issuedCredentialPathLength = 0;
// Specifies the key length of the delegated credential
int keySize = ClientConstants.DEFAULT_KEY_SIZE;
// The policy stating which parties will be allowed to obtain a delegated credential. The CDS will only issue credentials to parties listed in this policy.
List<String> parties = new ArrayList<String>();
parties.add(party);
IdentityDelegationPolicy policy = Utils.createIdentityDelegationPolicy(parties);
// Create an instance of the delegation client, specifies the CDS Service URL and the credential to be delegated.
DelegationUserClient client1 = new DelegationUserClient(cdsURL, proxy);
// Delegates the credential and returns a reference which can later be used by allowed parties to obtain a credential.
DelegatedCredentialReference delegatedCredentialReference = client1.delegateCredential(delegationLifetime, delegationPathLength, policy,issuedCredentialLifetime, issuedCredentialPathLength, keySize);

Note:

  • There are various ProxyLifetime classes in different caGrid jar files. It is best to use fully qualified name for this class.
  • The variable "proxy" is defined in the previous section, "obtaining the user certificate".

Delegate to Another Service

Put the following jars on the classpath:
CAGRID_HOME/projects/cds-client/ext/lib/caGrid-1.2M1-cds-client.jar  
CAGRID_HOME/projects/cds-client/ext/lib/caGrid-1.2M1-cds-common.jar  
CAGRID_HOME/projects/cds-client/ext/lib/caGrid-1.2M1-cds-stubs.jar
GLOBUS_LOCATION/lib/cog-jglobus.jar 
import org.cagrid.gaards.cds.client.ClientConstants;
import org.cagrid.gaards.cds.client.DelegationUserClient;
import org.cagrid.gaards.cds.common.IdentityDelegationPolicy;
import org.cagrid.gaards.cds.common.Utils;
import org.cagrid.gaards.cds.delegated.stubs.types.DelegatedCredentialReference;
import org.globus.gsi.GlobusCredential;

As an example, geWorkbench GUI delegates the delegatedCredentialReference to the geWorkbench dispatcher service.

Three.PNG

Pass along "DelegatedCredentialReference delegatedCredentialReference" from above to the process running the #Gateway Client. In case of geWorkbench, the GUI must pass this "ref" to the dispatcher service.

dispatcherClient.submit(..., delegatedCredentialReference);

Four.PNG

The machine hosting the service running the gateway client (in this case the dispatcher service called upon in the previous step) on behalf of the user (in this case geWorkbench GUI) should load its own certificates first before asking for the delegated certificate.

//Service certificate file
File certFile = new File(pathToHostCertificate);
File keyFile = new File(pathToHostKey);
//Load Dispatcher service’s certificate
X509Certificate cert = CertUtil.loadCertificate(certFile);
//Load Dispatcher service’s private key
PrivateKey key = KeyUtil.loadPrivateKey(keyFile, null);
X509Certificate[] chain = new X509Certificate[]{cert};		
//Create Credential for dispatcher service
GlobusCredential credential = new GlobusCredential(key,chain);


Five.PNG

Using the service host's own credentials as well as the delegated credential reference the service received (e.g. the dispatcher service would have its own proxy and the delegatedCredentialReference passed from the dispatcher client), contact the Credential Delegation Service (CDS) for the delegation certificate.

//Create an instance of the delegated credential client, specifying the 
//DelegatedCredentialReference and the credential of the delegatee. The 
//DelegatedCredentialReference specifies which credential to obtain. The 
//delegatee's credential is required to authenticate with the CDS so 
//that the CDS can determine whether the delegatee has been granted access 
//to the credential it wishes to obtain.
DelegatedCredentialUserClient client = new DelegatedCredentialUserClient(delegatedCredentialReference, credential);
//The get credential method obtains a signed delegated credential from the CDS.
GlobusCredential delegatedCredential = client.getDelegatedCredential();

The result should be:

Delegation.PNG


Six.PNG

Set the delegated credential as the default proxy for the machine running the #Gateway Client. When the #Gateway Service is in turn invoked, the delegated credential is automatically checked against the grid grouper service. (See step 7.)

ProxyUtil.saveProxyAsDefault(delegatedCredential);
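
Steps Four and Six read a host key from pathToHostKey and write the delegated credential as the default proxy, and the gateway service loads a proxy from PROXY_LOCATION, so all of these credentials sit in ordinary files whose owner and mode decide who else on the host can read them. The following is an added example, not part of the original page or of caGrid or Globus: a JDK-only check that can be run on such a file before it is loaded. The class and method names and the owner-only (rw-------) policy are assumptions of the example, and it assumes a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/** Pre-load check for proxy and host key files on a POSIX host (added example). */
public class CredentialFileCheck {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /** Returns the problems found; an empty list means the file may be loaded. */
    public static List<String> check(Path file, String expectedOwner) throws IOException {
        List<String> problems = new ArrayList<String>();
        PosixFileAttributes attrs;
        try {
            // NOFOLLOW_LINKS: inspect the path itself, not whatever a link points at.
            attrs = Files.readAttributes(file, PosixFileAttributes.class,
                    LinkOption.NOFOLLOW_LINKS);
        } catch (NoSuchFileException e) {
            problems.add("file does not exist");
            return problems;
        }
        if (attrs.isSymbolicLink()) {
            // A link in a shared directory such as /tmp can be repointed by its owner.
            problems.add("path is a symbolic link");
            return problems;
        }
        if (!attrs.isRegularFile()) {
            problems.add("path is not a regular file");
        }
        if (!attrs.owner().getName().equals(expectedOwner)) {
            problems.add("owned by " + attrs.owner().getName() + ", expected " + expectedOwner);
        }
        // Anything beyond owner read/write (group, other, or execute bits) is reported.
        Set<PosixFilePermission> extra = EnumSet.noneOf(PosixFilePermission.class);
        extra.addAll(attrs.permissions());
        extra.removeAll(OWNER_ONLY);
        if (!extra.isEmpty()) {
            problems.add("mode " + PosixFilePermissions.toString(attrs.permissions())
                    + " grants access beyond the owner");
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        String me = System.getProperty("user.name");
        // Constructed stand-ins for a host key file; no real key material is written.
        Path dir = Files.createTempDirectory("credcheck");
        Path key = Files.createFile(dir.resolve("hostkey.pem"));

        Files.setPosixFilePermissions(key, PosixFilePermissions.fromString("rw-r--r--"));
        System.out.println("world-readable key: " + check(key, me));

        Files.setPosixFilePermissions(key, PosixFilePermissions.fromString("rw-------"));
        System.out.println("owner-only key:     " + check(key, me));

        Path link = Files.createSymbolicLink(dir.resolve("x509up_link"), key);
        System.out.println("symlinked proxy:    " + check(link, me));

        System.out.println("missing file:       " + check(dir.resolve("absent.pem"), me));
    }
}
```

A service would call check() with the account it runs as and refuse to load the credential when the returned list is not empty.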


TeraGrid Security

Seven.PNG

As long as #Introduce and gRAVi step was performed appropriately (specifically in Introduce's "Modify Service" --> Security --> Authorization tab), this step is automatic when the gateway client invokes the gateway service.

Eight.PNG

As long as #Gateway Service includes code to authenticate either the caBIG community account or some other valid TeraGrid account, this step is automatic when the gateway service is invoked.

Nine.PNG

As long as #Gateway Service includes code to obtain a proxy after authenticating with TeraGrid, this step is automatic when the gateway service is invoked.

Running the geWorkbench-caGrid-TeraGrid Demo

RunDemo.PNG

Setting Up


Note: After setting the environment variables, you must restart the process used to run geWorkbench (i.e. the console, Eclipse, etc.).

Bringing Up Hierarchical Clustering in geWorkbench

Gw1.PNG

Right click on "Workspace" --> "New Project".


Gw2.PNG

Right click on "Project" --> "Open File(s)".


GwOpenFile.PNG

Choose a .exp file.


Gw3.PNG

Click "Don't show this again" and click "Continue".


Gw4.PNG

Click "Cancel" on the annotation dialog.


Gw hc up.PNG

When the data file loads, clicking on "Hierarchical Clustering" will display its analysis component.

Accessing caGrid Authentication

From geWorkbench, the user can click on the "caGrid Authentication" button to bring up the GAARDS UI.
Gw cagrid auth.PNG

The GAARDS UI will take a second or two to come up.
GAAURDS.PNG

Then you can invoke your desired Dorian function.
GAAURDSwStuff.PNG

Assuming that the user has a valid caGrid account, click on "Login" and authenticate with the caGrid username and password. Use the training Dorian URL, as specified in the following image. Also set the proxy lifetime to 4 hrs and delegation length to 2. Click "Authenticate".

GAARDSAuth.PNG


A "Proxy Manager" dialog pops up --> click on the certificate you just generated listed under "Certificate Chain" --> click on "Set Default"

GAARDSProxyMgr.PNG

Running the TeraGrid-Aware Analysis

Gw index.PNG

Click on "Service" tab --> Click on "Grid" radio button --> Click on "Change Index Service". A dialog will allow the user to specify the host and port of the index service. Click on "Grid Services" to find the appropriate hierarchical clustering services registered.


Gw params.PNG

Click on the radio button designating the desired grid service. Click on the "Parameters" tab to go back to the main analysis panel.


Gw run.PNG

Click on project folder, specify the hierarchical clustering analysis parameters and click "Analyze". Wait for the analysis to complete.


Gw result.PNG
