|
|
| (47 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| The Secure Stomp Messenger (SSM) is used to transmit arbitrary messages using the STOMP protocol. For a description, see [[APEL/SSMOverview|SSM Overview]].
| |
|
| |
| * Back to [[APEL/SSM]]. | | * Back to [[APEL/SSM]]. |
|
| |
|
| '''PLEASE NOTE THIS IS NOT PRODUCTION-LEVEL SOFTWARE''' '''This software is distributed as an example and for testing'''.
| | If you are beginning your testing now please use [[APEL/SSM2Installation|SSM2]] |
|
| |
|
| '''WARNING!''' Version 0.7 of the SSM breaks backwards compatibility. The server is now running version 0.7. Unless you use version 0.7 or greater, your messages won't get through!
| | SSM1 downloads are available at https://github.com/apel/ssm/downloads. |
|
| |
|
| * For details on the testing process, see this page: [[APEL/APELSSMExternalTesting]]
| | '''NOTE:''' Before you can send your messages to the Accounting server you must send your host certificate DN to apel-admins [at] stfc.ac.uk, e.g. output from running |
| * Expect bugs, and if you find any please let us know about them: apel-ssm-test@mailtalk.ac.uk.
| |
|
| |
|
| == ssm-0.8 ==
| | <code>openssl x509 -subject -noout -in hostcert.pem</code> |
|
| |
|
| The SSM is now available either as a zip file or as a pre-packaged RPM.
| | = Installing SSM = |
|
| |
|
| Installation and removal instructions are now packaged with the SSM in the README file.
| | * For details on the testing process, see this page: [[APEL/APELSSMExternalTesting]] |
| | | * If you find any bugs please let us know about them: apel-admins [at] stfc.ac.uk. |
| Once you have installed the SSM, see these pages:
| |
| * [[APEL/SSMConfiguration]]
| |
| * [[APEL/RunningSSM]] | |
| | |
| == ssm-0.7 ==
| |
| | |
| === Prerequisites ===
| |
| | |
| * Certificates:
| |
| ** As well as the following the instructions in the 'Certificates' section below, you will need to '''send us the DN of the certificate you are using''', so that we add it to the list of trusted certificates.
| |
| * python:
| |
| ** we use 2.4.3, the standard version with SL5
| |
| * stomppy: the python STOMP library
| |
| ** '''we now recommend that you use the version in the epel repository (3.0.3)'''. Version 2.0.2 should still work.
| |
| ** if you have the EPEL repository enabled: <code>yum install stomppy</code>.
| |
| ** To remove an old manual installation of stomppy, see the bottom of this page.
| |
| | |
| * openssl:
| |
| ** we use 0.9.8, the standard version with SL5
| |
| * lcg-CA
| |
| * if you want to check CRLs when verifying certificates, you need to install fetch-crl. It is available in the EPEL repository:
| |
| ** <code>yum install fetch-crl</code>
| |
| ** <code>service fetch-crl-cron start</code>
| |
| ** <code>chkconfig fetch-crl-cron on</code>
| |
| * fetch-crl must have run once for the certificates to be verified successfully. You can choose to skip this check - see below.
| |
| | |
| === Installation ===
| |
| | |
| You can't currently download a version of the code, but if you would like a zip file please email apel-ssm-test@mailtalk.ac.uk and we will send you a version.
| |
| | |
| * Unzip the file into a directory, which is denoted as $SSM_HOME below.
| |
| | |
| === Configuration ===
| |
| The environment variable SSM_HOME must be set appropriately (the one ''containing'' bin/, src/, and conf/):
| |
| * <code>export SSM_HOME=<directory></code>
| |
| | |
| There are two other configuration files.
| |
| | |
| Note that the variable SSM_HOME can be used in ssm.cfg but not ssm.log.cfg.
| |
| | |
| ==== <code>$SSM_HOME/conf/ssm.cfg</code> ====
| |
| '''The default values should suffice to send messages to the APEL test system''', but there are notes about the file below.
| |
| | |
| This SSM will be a producer, so the consumer section can be left out or given dummy values - it doesn't hurt. The file is well commented, it should be straightforward. In this file configure:
| |
| | |
| * the broker to use (host: dev.msg.cern.ch port: 6163 for testing purposes)
| |
| * the message store (suggest: $SSM_HOME/messages)
| |
| * the certificate/key settings and CA directory
| |
| * the topic to send to (/topic/grid.accounting.cpuTest.CENTRAL is being used for testing)
| |
| * The DN of the consumer that messages are sent to(<code>consumerDN: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=raptest.esc.rl.ac.uk/emailAddress=sct-certificates@stfc.ac.uk</code>)
| |
| | |
| * To skip certificate CRL checks, set <code>check-crls: false</code>
| |
| | |
| * The acknowledgment topic; a sensible default is already used.
| |
| | |
| ==== <code>$SSM_HOME/conf/ssm.log.cfg</code> ====
| |
| The default values should suffice, '''but you must do one of two things:'''
| |
| # Create the directory <code>/var/log/apel/</code> and give the user running the SSM access to this directory.
| |
| # In the section [handler_fileHander], specify the path to a log file. The directory must exist and the user running the SSM must have permission to write to it. You need a full path - you can't use $SSM_HOME. Example: <code>args=('/home/apel/ssm/ssm.log', 'a')</code>
| |
| | |
| === Certificates ===
| |
| | |
| Your SSM '''encrypts''' using our host's (raptest's) certificate. Before it does this, it tries to verify it against the CA certificates in <code>/etc/grid-security/certificates</code>. To ensure this works fine, install the lcg-CA package using yum.
| |
| | |
| Your SSM uses your host key to '''sign''' the messages it sends. When our version of the SSM receives a message, it retrieves your certificate and attempts to verify it against the CA certificates in the lcg-CA rpm. It also checks the DN to see if it is from a certificate that we trust. This is why we need the certificate's DN from you to add to the 'trusted' list. (In practice, when a message is rejected because the DN isn't trusted, the SSM will store the DN in the log file, so we can find it and add it if necessary.)
| |
| | |
| If your host certificate is not signed by one of these CAs, discuss this with apel-admins@mailtalk.ac.uk.
| |
| | |
| In order to encrypt and sign successfully, '''the user running the SSM needs read access to both the host certificate and private key'''.
| |
| | |
| === Running the SSM ===
| |
| | |
| * <code>cd $SSM_HOME/bin</code>
| |
| * <code>./run-ssm</code>
| |
| | |
| If the SSM's messages directory does not exist, it will be created when the SSM starts. It contains sub-directories accept/, ack/, incoming/, outgoing/, reject/. For sending purposes you only need the outgoing/ directory.
| |
| | |
| Once the SSM is running, it will send messages from the directory <code>$SSM_HOME/messages/outgoing</code> automatically. All you need to do is to put the messages in this directory. If they don't disappear, check the log file to see what it says, check your configuration, then send us an email.
| |
| | |
| === Stopping the SSM ===
| |
| | |
| The easiest way to do this currently is to kill it using its pid. You can do this something like as follows:
| |
| <source lang="bash">
| |
| [apelssm@apel-test messages]$ ps ax | grep python
| |
| 25402 pts/0 Sl+ 0:00 python /opt/apelssm/ssm-0.7/src/ssm/ssm_master.py /opt/apelssm/ssm-0.7/conf/ssm.cfg
| |
| 25459 pts/1 S+ 0:00 grep python
| |
| [apelssm@apel-test messages]$ kill 25402
| |
| [apelssm@apel-test messages]$
| |
| </source>
| |
| | |
| We will add a start-up / shut-down script in a version before production.
| |
| | |
| | |
| | |
| == ssm-0.4 (no longer supported - use version 0.7 or above) ==
| |
|
| |
|
| See [[APEL/OldSSMInstallation]] - but don't follow those instructions, install the new version!
| | == ssm-1.2 == |
|
| |
|
| | The same package is installed for CPU accounting, StAR and Cloud accounting records. |
|
| |
|
| == Removing stomppy (manual) ==
| | Version 1.2 is the current version. |
|
| |
|
| If you manually installed stomppy to use an older version of the SSM, you should remove it before using yum to install a newer version. This is how you do it on SL5 with python2.4.
| | '''It changes the default messages location from the previous version:''' |
| | * OLD: <code>/opt/apel/ssm/messages/</code> |
| | * NEW: <code>/var/opt/apel/messages/</code> |
|
| |
|
| * <code>cd /var/lib/python2.4/site-packages</code>
| | Installation and removal instructions are now packaged with the SSM in the README file. If you would like to read it before you install the SSM, here is the version included with ssm-1.2: [[APEL/SSM/README12]]. |
| * <code>rm -rf stomp</code>
| |
| * <code>rm -rf test</code>
| |
|
| |
|
| Note that the test directory only incuded stomp files:
| | '''Please note''': the default configuration sends messages to the CPU Accounting test server. See [[APEL/SSMConfiguration]] for how to change the configuration. |
|
| |
|
| <code>
| |
| [root@apel-test site-packages]# ll test
| |
| total 32
| |
| -rw-r--r-- 1 root root 979 Aug 24 2009 basic.py
| |
| -rw-r--r-- 1 root root 1564 Oct 25 11:34 basic.pyc
| |
| -rw-r--r-- 1 root root 33 May 30 2009 __init__.py
| |
| -rw-r--r-- 1 root root 181 Oct 25 11:34 __init__.pyc
| |
| -rw-r--r-- 1 root root 1001 Aug 24 2009 rabbitmq.py
| |
| -rw-r--r-- 1 root root 1582 Oct 25 11:34 rabbitmq.pyc
| |
| -rw-r--r-- 1 root root 603 Aug 24 2009 testlistener.py
| |
| -rw-r--r-- 1 root root 1131 Oct 25 11:34 testlistener.pyc
| |
| [root@apel-test site-packages]#
| |
| </code>
| |
|
| |
|
| You may wish to check this before you delete the directory.
| | [[Category:Accounting]] |
The wiki is deprecated and due to be decommissioned by the end of September 2022.