Changes between Version 91 and Version 92 of flukes

Timestamp:
06/23/13 21:45:18 (6 years ago)
Author:
vjo (IP: 98.122.181.149)
Comment:

--

  • flukes

    v91 v92  
    1111 * Allows the user to login to provisioned resources 
    1212 
    13 To launch Flukes, be sure Java 6 JRE is installed and double-click on this [http://geni-images.renci.org/webstart/flukes.jnlp link]. Flukes is a Java Webstart application, which means it will update itself every time it is launched. It also requires Internet access to operate (off-line mode is not supported). If Flukes fails to launch automatically from your browser, execute the following command from commandline: 
     13To launch Flukes, be sure that a Java 6 JRE is installed and double-click on this [http://geni-images.renci.org/webstart/flukes.jnlp link]. Flukes is a Java Webstart application, which means it will update itself every time it is launched. It also requires Internet access to operate (off-line mode is not supported). If Flukes fails to launch automatically from your browser, execute the following command from commandline: 
    1414{{{ 
    1515$ curl http://geni-images.renci.org/webstart/flukes.jnlp > ~/Downloads/flukes.jnlp 
    1616$ javaws ~/Downloads/flukes.jnlp 
    1717}}} 
    18 'javaws' executable comes as part of JRE or JDK 1.6. 
     18The 'javaws' executable is included in both JRE or JDK 1.6. 
    1919 
    2020Flukes will ask for permission to access the filesystem, which you should grant. Flukes code is digitally signed by a certificate issued to !IliaBaldine from BEN@RENCI with a certificate that has the following fingerprints: 
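Review bot: New line 18 reads "is included in both JRE or JDK 1.6"; "both" needs "and", so this should be "is included in both the JRE and the JDK 1.6". Since this paragraph is being edited anyway: the fallback on line 15 fetches flukes.jnlp with curl over plain http, and line 20 tells the reader to grant filesystem access before it mentions the signing certificate. Suggest reordering line 20 so the reader is told to compare the certificate fingerprints shown in the Java prompt against the listed ones first, and to grant access only if they match.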
     
    6969At a minimum you need to customize the following properties: 
    7070 
    71  * The URL of the SM you will be sending slice requests to (orca.xmlrpc.url - can be a comma-separated list)  
    72  * Locataions of ssh private and public keys (ssh.key and ssh.pubkey) 
    73  * Location of the JKS file with user credentials (user.keystore)  
     71 * The URL of the SM(s) to which you will be sending slice requests (orca.xmlrpc.url - can be a comma-separated list of several)  
     72 * Locations of ssh private and public keys (ssh.key and ssh.pubkey) 
     73 * Location of the JKS file with user credentials (user.keystore), or locations of certificate (user.certfile) and private key (user.certkeyfile) files. 
    7474 
    7575=== Flukes GUI ===  
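Review bot: New line 73 offers user.keystore "or" user.certfile plus user.certkeyfile but does not say which one Flukes uses when both are set in the properties file. State the precedence here, or say that only one of the two forms should be configured, so a stale keystore entry cannot silently override the certificate the user meant to use. On new line 71, "a comma-separated list of several" is redundant after "SM(s)"; "can be a comma-separated list" is enough.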
     
    143143=== Stitch Ports === 
    144144 
    145 A stitch port is a facility that allows to attach your slice to an external network not controlled by ExoGENI. Stitch ports can be connected to nodes and require two pieces of information - a VLAN tag (one has to be known to you as a user prior to trying this; negotiation of these tags happens with campus network operators out of band) and a URL of the port - the name under which ORCA/ExoGENI knows this physical port on the switch in one of the racks or e.g. in BEN. Once both are specified a slice can be created that ends on a given physical port on a specified VLAN that can e.g. connect into a special-purpose campus network segment. 
     145A stitch port is a facility that provides a means for attaching your slice to an external network not controlled by ExoGENI. Stitch ports can be connected to nodes and require two pieces of information - a VLAN tag (one has to be known to you as a user prior to trying this; negotiation of these tags happens with campus network operators out of band) and a URL of the port - the name under which ORCA/ExoGENI knows this physical port on the switch in one of the racks or e.g. in BEN. Once both are specified a slice can be created that ends on a given physical port on a specified VLAN that can e.g. connect into a special-purpose campus network segment. 
    146146 
    147147=== Node dependencies === 
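Review bot: The rewording on new line 145 touches only the opening clause, and the parenthetical "one has to be known to you as a user prior to trying this" is still hard to read. Suggest something like "you must already know the tag; it is negotiated out of band with campus network operators", and consider splitting the VLAN tag and the port URL into two list items since the sentence says exactly two pieces of information are required.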
     
    236236 * A private key and a certificate provided by BEN (a .key '''and''' a .crt file) 
    237237 
    238 This section explains how to convert these credentials for use with Flukes. It presumes you have one of the credentials described above.  
    239  
    240 We will need to create a 'Java keystore' that Flukes can understand that will include the credentials issued to you in the form of .key and .pem files.  
    241  
    242 Unlike the .pem file, a Java keystore can contain multiple private key entries under different '''aliases'''. A user can select the key alias to be used for submitting a specific request at the time of the submission.  
    243  
    244 A note on storing the various files (.key, .pem, .p12, .jks): since these represent secrets belonging to you, it is best to store them in a single directory (e.g. $HOME/.ssl) that only you are allowed to read and write. 
    245  
    246 In order to make these credentials usable by Flukes, a user must create a Java JKS keystore and import at least one of the credentials into it. Java's command-line tool for manipulating keystores does not permit importing an existing private key. The easiest way to import a key/certificate is to download a tool like [http://portecle.sourceforge.net/ Portecle]. Portecle is Java-based and works across multiple platforms. Importing a .pem file containing a key and a certificate issued by either Emulab or GPO is straightforward and shown in this [http://youtu.be/-iTmgdNSJgk screen capture].  
     238This section explains how to use these credentials with Flukes. It presumes you have one of the credentials described above.  
     239 
     240There are two ways in which these credentials can be used. The first is simpler, and the second is more flexible. 
     241 
     242Before we describe either, a quick note on regarding the storage of the various files (.key, .pem, .p12, .jks) referenced in these procedures: since these files represent secrets belonging to you, it is best to store them in a single directory (e.g. $HOME/.ssl) that only you are allowed to read and write. 
     243 
     244=== Specifying a certificate and private key directly === 
     245 
     246The process for accomplishing this is: 
     247 
     248 * Obtain a .pem (GENI, Emulab) or .crt (BEN) file. You may have generated your own .key file.  
     249 * Check it using openssl: 
     250{{{ 
     251$ openssl x509 -text -in mycredential.pem 
     252}}} 
     253* Enter the path to the file containing your certificate into the "user.certfile" property 
     254* Enter the path to the file containing your private key into the "user.certkeyfile" property; this may be the same file as is specified in the "user.certfile" property. 
     255 
     256When you submit a request through Flukes, it will ask you for a key alias and password. The alias that you choose to use is immaterial (it is *not*, if you are using the second, more flexible, method for specifying user credentials, that is described below), but you should enter the password associated with you private key.  
     257 
     258=== Creating a Java keystore, and adding credentials to it === 
     259 
     260Unlike a .pem file, a Java keystore can contain multiple private key entries under different '''aliases'''. A user can select the key alias to be used for submitting a specific request at the time of the submission.  
     261 
     262In order to convert these credentials into a keystore usable by Flukes, a user must create the keystore, and then import at least one of the credentials into it. The easiest way to import a key/certificate is to download a tool like [http://portecle.sourceforge.net/ Portecle]. Portecle is Java-based and works across multiple platforms. Importing a .pem file containing a key and a certificate issued by either Emulab or GPO is straightforward and shown in this [http://youtu.be/-iTmgdNSJgk screen capture].  
    247263 
    248264{{{ 
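Review bot: The parenthetical on new line 256, "(it is *not*, if you are using the second, more flexible, method ...)", is hard to parse at the point where the user has to decide what to type at the alias prompt; suggest "With this method any alias is accepted; with the keystore method described below the alias must match an entry in the keystore." The same line has "associated with you private key" (should be "your"), and new line 242 has "a quick note on regarding" (drop "on"). The bullets on new lines 253 and 254 start with "*" without the leading space used on lines 248 and 249, so they will not render as part of the same list. On line 251, openssl x509 -text only prints the certificate; if the intent of "Check it" is to confirm the file is usable, say what the reader should look for in the output (for example the subject and validity dates). The storage advice on line 242 would also be easier to follow if it named the directory and file permissions it expects.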
     
    273289 * Enter the path to the keystore file into .flukes.properties "user.keystore" property 
    274290 
    275 '''A note about keystore passwords: ''' a java keystore always has a password protecting its integrity. Each key within a keystore can also have a password. Flukes currently assumes both the keystore and key passwords are '''the same'''.  
     291If you prefer to use a command-line, the process is: 
     292 
     293 * Obtain a .pem (GENI, Emulab) or .crt (BEN) file. You may have generated your own .key file.  
     294 * Check it using openssl: 
     295{{{ 
     296$ openssl x509 -text -in mycredential.pem 
     297}}} 
     298 * Convert your certificate and private key files (which may be a single PEM file) into a single PKCS12 store: 
     299{{{ 
     300$ openssl pkcs12 -export -in username.[crt|pem] -inkey username.[key|pem] -name username -out username.p12 
     301}}} 
     302 * You will be prompted for the password for the private key first, and then prompted for the password to be 
     303used for the PKCS12 store. Enter your private key password at each of these prompts. 
     304 * Convert the PKCS12 store into a Java keystore: 
     305{{{ 
     306$ keytool -importkeystore -srckeystore username.p12 -destkeystore username.jks -srcstoretype pkcs12 
     307}}} 
     308* You will be prompted twice for a password to protect the new Java keystore, and once for the password protecting 
     309the PKCS12 store. Enter your private key password at each of these prompts. 
     310 * Enter the path to the Java keystore file into .flukes.properties "user.keystore" property 
     311 
     312When using the command-line method, please note that the value you use for the "-name" parameter 
     313(while creating the PKCS12 store) will be the value used for the key alias. 
     314 
     315'''A note about keystore passwords: ''' a Java keystore always has a password protecting its integrity. Each key within a keystore can also have a password. Flukes currently assumes both the keystore and key passwords are '''the same'''.  
    276316 
    277317When you submit a request through Flukes, it will ask you for the key alias and password. You should use the alias you assigned to this new key and the password used for keystore and keys. Note that you can have multiple key/certificate pairs under different aliases within the same keystore (e.g. one from GPO and one from BEN).
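Review bot: The command-line procedure on new lines 298 to 310 leaves username.p12 on disk after the keystore has been created, and that file holds the private key; add a final step telling the reader to delete it or to keep it in the protected directory recommended on line 242. On line 300, "username.[crt|pem]" and "username.[key|pem]" are also valid shell bracket expressions, so a reader who pastes the command as written gets a confusing "file not found" style failure; spell out the alternatives in prose or use a placeholder such as "<certificate file>". The instruction to enter the private key password at every prompt (lines 303 and 309) is what makes the result satisfy the "keystore and key passwords are the same" assumption on line 315, so it is worth saying that explicitly next to the keytool step. The bullet on new line 308 is missing its leading space and will break the list, and lines 293 to 297 repeat lines 248 to 252 verbatim; a cross-reference would keep the two copies from drifting.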