Configuring your container to use ORCA Actor Registry

As of Camano 3.0, ORCA can automatically build security associations between actors in the same or different containers. Prior to Camano 3.0 these security associations were built using the <topology> section of the actor's config.xml file. Starting with Camano 3.0 this section is optional.

  • Edges between SM and Broker actors usually do not need to be declared
  • You can still declare edges between authority actors in your containers and brokers in other containers in order to declare delegations to specific brokers (so it does not have to be done through the GUI). For example, prior to Camano 3.0 the topology section of a site might have contained the following edge:
       <topology>
               <edges>
                        <edge>
                                <from name="ndl-broker" guid="25bc9111-9b41-46ab-a96b-3c87f574cfde" type="broker">
                                        <location protocol="soapaxis2" url="http://geni-ben.renci.org:11080/orca/services/ndl-broker" />
                                        <certificate>
                                        MIICbTCCAdagAwIBAgIETDtgYzANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJVUzELMAkGA1UE
                                        CBMCTkMxDzANBgNVBAcTBkR1cmhhbTENMAsGA1UEChMEb3JjYTEQMA4GA1UECxMHc2hpcmFrbzEt
                                        MCsGA1UEAxMkMjViYzkxMTEtOWI0MS00NmFiLWE5NmItM2M4N2Y1NzRjZmRlMB4XDTEwMDcxMjE4
                                        MzUxNVoXDTIwMDcwOTE4MzUxNVowezELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMQ8wDQYDVQQH
                                        EwZEdXJoYW0xDTALBgNVBAoTBG9yY2ExEDAOBgNVBAsTB3NoaXJha28xLTArBgNVBAMTJDI1YmM5
                                        MTExLTliNDEtNDZhYi1hOTZiLTNjODdmNTc0Y2ZkZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
                                        gYEAqcyS60d5t9c3eEud529hYmD/0BrIHGkEevwAtqBb7FFD1X98SB1G8y7gzxplt0xr2Hm72Et+
                                        01qB7YgT6XQHWfJQQW7RUZEnrDbGsS0v6bffY291eeDVd0ZCH1ogzPDlyMqdhSGKsstqZd0CYc2E
                                        zRFNngOIytBu1m59Jr6/FqsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCpFKta+1JitcfPbti3x3Tj
                                        WqqINj2f/MzwTVZbxV1eW6gLrwc3FRTX8RgAfqn2sl9Igxfzb+GbQbhY2j5iyBsEV90eKjQQitgv
                                        KUA1IpJqVMYiGSohX2jL+uXEK7bujv9eRyNG82Rp+ouWCrDKo7kOVLh/iSD1s8Mrk03/wd3qfw==
                                        </certificate>
                                </from>
                                <to name="renci-vm-site" guid="5f19992a-674f-4c6a-82f4-9564bb4e7879" type="site" />
                                <rset>
                                        <type>renci.vm</type>
                                        <units>12</units>
                                </rset>
                                <rset>
                                        <type>renci.GEPort</type>
                                        <units>40</units>
                                </rset>
                                <rset>
                                        <type>renciEuca.vlan</type>
                                        <units>1000</units>
                                </rset>
                        </edge>
               </edges>
       </topology>

In Camano 3.0 and later this declaration can be shortened to:

       <topology>
               <edges>
                        <edge>
                                <from name="ndl-broker" guid="25bc9111-9b41-46ab-a96b-3c87f574cfde" type="broker"/>
                                <to name="renci-vm-site" guid="5f19992a-674f-4c6a-82f4-9564bb4e7879" type="site" />
                                <rset>
                                        <type>renci.vm</type>
                                        <units>12</units>
                                </rset>
                                <rset>
                                        <type>renci.GEPort</type>
                                        <units>40</units>
                                </rset>
                                <rset>
                                        <type>renciEuca.vlan</type>
                                        <units>1000</units>
                                </rset>
                        </edge>
               </edges>
       </topology>

Note the absence of the <location> and <certificate> stanzas. These are gleaned from the XMLRPC registry automatically. Also note that if a site actor configured as shown above (delegating rsets to a broker) becomes active while the broker in question is not active, the delegation will not take place and will have to be performed manually once the broker actor becomes active again.

If a container has no explicit edges, the <topology> section should be omitted completely.

Configuring for Actor Registry

To use this feature, the container.properties file for your container should have the following property declarations:

###############################################
# ORCA global actor registry (uncomment for production deployments)
###############################################
registry.certfingerprint=78:B6:1A:F0:6C:F8:C7:0F:C0:05:10:13:06:79:E0:AC
registry.url=https://geni.renci.org:12443/registry/
registry.method=registryService.insert

Note that the fingerprint above is shown only as an example; the most up-to-date registry certificate fingerprint can be found on this page.
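The following Python script is an added example, not part of ORCA or of this page. It checks an actor's config.xml <topology> section against the Camano 3.0 conventions described above (no stale <location>/<certificate> stanzas, well-formed GUIDs, positive rset units, no empty <topology>) and checks that the three registry.* declarations in container.properties are present and that the fingerprint has the colon-separated MD5 form shown. Element and property names are those on this page; the root element that encloses <topology> in config.xml is assumed to be arbitrary.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# MD5 fingerprint as keytool/openssl print it: 16 colon-separated hex bytes
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){15}[0-9A-F]{2}$")
REQUIRED_PROPS = ("registry.certfingerprint", "registry.url", "registry.method")


def check_topology(config_xml: str) -> list:
    """Findings for a Camano 3.0-style <topology> section; an empty list means clean."""
    root = ET.fromstring(config_xml)
    topo = root if root.tag == "topology" else root.find(".//topology")
    if topo is None:                  # no explicit edges: leaving <topology> out is correct
        return []
    edges = topo.findall("./edges/edge")
    findings = [] if edges else ["empty <topology>: omit the section when there are no edges"]
    for n, edge in enumerate(edges, 1):
        for end in ("from", "to"):
            el = edge.find(end)
            if el is None:
                findings.append(f"edge {n}: missing <{end}>")
                continue
            for attr in ("name", "guid", "type"):
                if not el.get(attr):
                    findings.append(f"edge {n}: <{end}> lacks the {attr} attribute")
            try:
                uuid.UUID(el.get("guid", ""))
            except ValueError:
                findings.append(f"edge {n}: <{end}> guid is not a UUID")
            # location and certificate now come from the registry; flag stale pre-3.0 stanzas
            for stale in ("location", "certificate"):
                if el.find(stale) is not None:
                    findings.append(f"edge {n}: <{end}> still carries <{stale}>")
        for rset in edge.findall("rset"):
            units = (rset.findtext("units") or "").strip()
            if not units.isdigit() or int(units) <= 0:
                findings.append(f"edge {n}: rset {rset.findtext('type')} needs positive units")
    return findings


def check_registry_props(properties_text: str) -> list:
    """Findings for the registry.* declarations in container.properties."""
    pairs = (ln.partition("=") for ln in properties_text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    props = {k.strip(): v.strip() for k, _, v in pairs}
    findings = [f"missing {k}" for k in REQUIRED_PROPS if k not in props]
    fp = props.get("registry.certfingerprint")
    if fp is not None and not FINGERPRINT_RE.match(fp.upper()):
        findings.append("registry.certfingerprint is not a colon-separated MD5 fingerprint")
    return findings
```

Run both checks against the actor's config.xml and the container's container.properties before asking RENCI to validate the actor; an empty list from each means nothing obvious is wrong.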

Verifying your actors

Only valid and verified actors can communicate with each other using information from the registry. So once your actor(s) successfully show up in the registry, they must be validated by RENCI staff before actors in other containers can communicate with them. Please contact RENCI on the geni-orca-users @ googlegroups.com list to arrange a phone call with a member of RENCI staff.

During the call you will be asked for the name and the GUID of your actor and the MD5 fingerprint of its certificate. To obtain the fingerprint, locate the keystore of this actor under $ORCA_HOME/runtime/keystores/; it is called <guid>.jks, where <guid> is the GUID of the actor in question.

Then issue the following command:

$ keytool -list -alias actorkey -keystore /path/to/guid.jks

The password is 'clientkeystorepass'. The output should contain the MD5 fingerprint of this actor's certificate, which you will also need to provide. Note that recent keytool versions print only SHA-1/SHA-256 fingerprints by default; if no MD5 line appears, add -v (older JDKs) or export the certificate and compute the fingerprint with openssl x509 -fingerprint -md5.