The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "APEL/SSMInstallation"

From EGIWiki


See [[APEL/SSM07Installation]]
=== Prerequisites ===
* Certificates:
** As well as the following the instructions in the 'Certificates' section below, you will need to '''send us the DN of the certificate you are using''', so that we add it to the list of trusted certificates.
* python:
** we use 2.4.3, the standard version with SL5
* stomppy: the python STOMP library
** '''we now recommend that you use the version in the epel repository (3.0.3)'''.  Version 2.0.2 should still work.
** if you have the EPEL repository enabled: <code>yum install stomppy</code>.
** To remove an old manual installation of stomppy, see the bottom of this page.
* openssl:
** we use 0.9.8, the standard version with SL5
* lcg-CA
* if you want to check CRLs when verifying certificates, you need to install fetch-crl.  It is available in the EPEL repository:
** <code>yum install fetch-crl</code>
** <code>service fetch-crl-cron start</code>
** <code>chkconfig fetch-crl-cron on</code>
* fetch-crl must have run once for the certificates to be verified successfully.  You can choose to skip this check - see below.
=== Installation ===
You can't currently download a version of the code, but if you would like a zip file please email apel-ssm-test@mailtalk.ac.uk and we will send you a version. 
* Unzip the file into a directory, which is denoted as $SSM_HOME below.
=== Configuration ===
The environment variable SSM_HOME must be set appropriately (the one ''containing'' bin/, src/, and conf/):
* <code>export SSM_HOME=<directory></code>
There are two other configuration files.
Note that the variable SSM_HOME can be used in ssm.cfg but not ssm.log.cfg.
==== <code>$SSM_HOME/conf/ssm.cfg</code> ====
'''The default values should suffice to send messages to the APEL test system''', but there are notes about the file below.
This SSM will be a producer, so the consumer section can be left out or given dummy values - it doesn't hurt. The file is well commented, it should be straightforward. In this file configure:
* the broker to use (host: dev.msg.cern.ch port: 6163 for testing purposes)
* the message store (suggest: $SSM_HOME/messages)
* the certificate/key settings and CA directory
* the topic to send to (/topic/grid.accounting.cpuTest.CENTRAL is being used for testing)
* The DN of the consumer that messages are sent to (<code>consumerDN: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=raptest.esc.rl.ac.uk/emailAddress=sct-certificates@stfc.ac.uk</code>)
* To skip certificate CRL checks, set <code>check-crls: false</code>
* The acknowledgment topic; a sensible default is already used.
==== <code>$SSM_HOME/conf/ssm.log.cfg</code> ====
The default values should suffice, '''but you must do one of two things:'''
# Create the directory <code>/var/log/apel/</code> and give the user running the SSM access to this directory.
# In the section [handler_fileHander], specify the path to a log file.  The directory must exist and the user running the SSM must have permission to write to it.  You need a full path - you can't use $SSM_HOME. Example: <code>args=('/home/apel/ssm/ssm.log', 'a')</code>
=== Certificates ===
Your SSM '''encrypts''' using our host's (raptest's) certificate.  Before it does this, it tries to verify it against the CA certificates in <code>/etc/grid-security/certificates</code>.  To ensure this works fine, install the lcg-CA package using yum.
Your SSM uses your host key to '''sign''' the messages it sends.  When our version of the SSM receives a message, it retrieves your certificate and attempts to verify it against the CA certificates in the lcg-CA rpm.  It also checks the DN to see if it is from a certificate that we trust.  This is why we need the certificate's DN from you to add to the 'trusted' list.  (In practice, when a message is rejected because the DN isn't trusted, the SSM will store the DN in the log file, so we can find it and add it if necessary.)
If your host certificate is not signed by one of these CAs, discuss this with apel-admins@mailtalk.ac.uk.
In order to encrypt and sign successfully, '''the user running the SSM needs read access to both the host certificate and private key'''.
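The prerequisites above (readable host certificate and key, CRLs fetched at least once, a writable log directory) can be checked before starting the SSM. This is an added example, not part of the SSM distribution; the function names are hypothetical, and it assumes fetch-crl stores CRLs as <code>*.r0</code> files in the CA directory and that the certificate and key paths are taken from your <code>ssm.cfg</code>.

```bash
#!/bin/bash
# Added example: pre-flight checks for an SSM sender, run as the SSM user.
# Usage: preflight <host cert> <host key> /etc/grid-security/certificates /var/log/apel

# check_readable FILE: the SSM user needs read access to certificate and key.
check_readable() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
}

# check_key_mode KEY: the key must be readable by its owner only, so copy it
# for the SSM user rather than loosening the permissions on the host key.
check_key_mode() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "FAIL: cannot stat $1"; return 1; }
    case "$mode" in
        400|600) return 0 ;;
        *) echo "FAIL: $1 has mode $mode, expected 400 or 600"; return 1 ;;
    esac
}

# check_crls CADIR: fetch-crl must have run once (assumed to leave *.r0 files).
# Not needed when ssm.cfg sets check-crls: false.
check_crls() {
    ls "$1"/*.r0 >/dev/null 2>&1 || { echo "FAIL: no CRL files in $1"; return 1; }
}

# check_writable_dir DIR: the log directory must exist and be writable.
check_writable_dir() {
    { [ -d "$1" ] && [ -w "$1" ]; } || { echo "FAIL: $1 missing or not writable"; return 1; }
}

# preflight CERT KEY CADIR LOGDIR: run every check and report all failures.
preflight() {
    local rc=0
    check_readable "$1" || rc=1
    check_readable "$2" || rc=1
    check_key_mode "$2" || rc=1
    check_crls "$3" || rc=1
    check_writable_dir "$4" || rc=1
    return $rc
}

if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```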
=== Running the SSM ===
* <code>cd $SSM_HOME/bin</code>
* <code>./run-ssm</code>
If the SSM's messages directory does not exist, it will be created when the SSM starts.  It contains sub-directories accept/, ack/, incoming/, outgoing/, reject/.  For sending purposes you only need the outgoing/ directory.
Once the SSM is running, it will send messages from the directory <code>$SSM_HOME/messages/outgoing</code> automatically. All you need to do is to put the messages in this directory.  If they don't disappear, check the log file to see what it says, check your configuration, then send us an email.
=== Stopping the SSM ===
The easiest way to do this currently is to kill it using its pid.  You can do this as follows:
<source lang="bash">
[apelssm@apel-test messages]$ ps ax | grep python
25402 pts/0    Sl+    0:00 python /opt/apelssm/ssm-0.7/src/ssm/ssm_master.py /opt/apelssm/ssm-0.7/conf/ssm.cfg
25459 pts/1    S+    0:00 grep python
[apelssm@apel-test messages]$ kill 25402
[apelssm@apel-test messages]$
</source>
We will add a start-up / shut-down script in a version before production.





Revision as of 11:30, 16 February 2012

The Secure Stomp Messenger (SSM) is used to transmit arbitrary messages using the STOMP protocol. For a description, see SSM Overview.

PLEASE NOTE THIS IS NOT PRODUCTION-LEVEL SOFTWARE This software is distributed as an example and for testing.

WARNING! Version 0.7 of the SSM breaks backwards compatibility. The server is now running version 0.7. Unless you use version 0.7 or greater, your messages won't get through!

  • For details on the testing process, see this page: APEL/APELSSMExternalTesting
  • Expect bugs, and if you find any please let us know about them: apel-ssm-test@mailtalk.ac.uk.

ssm-0.8

The SSM is now available either as a zip file or as a pre-packaged RPM.

Installation and removal instructions are now packaged with the SSM in the README file.

Once you have installed the SSM, see these pages:

ssm-0.7

See APEL/SSM07Installation


ssm-0.4 (no longer supported - use version 0.7 or above)

See APEL/OldSSMInstallation - but don't follow those instructions, install the new version!


Removing stomppy (manual)

If you manually installed stomppy to use an older version of the SSM, you should remove it before using yum to install a newer version. This is how you do it on SL5 with python2.4.

  • cd /var/lib/python2.4/site-packages
  • rm -rf stomp
  • rm -rf test

Note that the test directory only included stomp files:


[root@apel-test site-packages]# ll test
total 32
-rw-r--r-- 1 root root  979 Aug 24  2009 basic.py
-rw-r--r-- 1 root root 1564 Oct 25 11:34 basic.pyc
-rw-r--r-- 1 root root   33 May 30  2009 __init__.py
-rw-r--r-- 1 root root  181 Oct 25 11:34 __init__.pyc
-rw-r--r-- 1 root root 1001 Aug 24  2009 rabbitmq.py
-rw-r--r-- 1 root root 1582 Oct 25 11:34 rabbitmq.pyc
-rw-r--r-- 1 root root  603 Aug 24  2009 testlistener.py
-rw-r--r-- 1 root root 1131 Oct 25 11:34 testlistener.pyc
[root@apel-test site-packages]#

You may wish to check this before you delete the directory.
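
The check suggested above can be scripted so that <code>test</code> is only deleted when it holds nothing but the stomppy files shown in the listing. This is an added example, not part of the original instructions; the function names are hypothetical and the file list is taken from the listing above.

```bash
#!/bin/bash
# Added example: remove a manual stomppy install without deleting a test/
# directory that another package also uses.

# File names from the directory listing above (compiled .pyc/.pyo variants
# are matched automatically).
STOMP_TEST_FILES="basic.py __init__.py rabbitmq.py testlistener.py"

# only_stomp_files DIR: succeed only if every entry in DIR is a known
# stomppy test file.
only_stomp_files() {
    local dir=$1 entry name
    [ -d "$dir" ] || return 1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue              # glob matched nothing
        name=${entry##*/}
        case "$name" in
            *.pyc|*.pyo) name=${name%?} ;;       # basic.pyc -> basic.py
        esac
        case " $STOMP_TEST_FILES " in
            *" $name "*) ;;
            *) echo "unexpected entry: $entry"; return 1 ;;
        esac
    done
    return 0
}

# remove_manual_stomppy SITE_PACKAGES: delete stomp/, and test/ only if it
# passes the check; returns 1 when test/ was left in place.
remove_manual_stomppy() {
    local sp=$1
    rm -rf "$sp/stomp"
    if [ -d "$sp/test" ]; then
        only_stomp_files "$sp/test" || { echo "leaving $sp/test in place"; return 1; }
        rm -rf "$sp/test"
    fi
    return 0
}

if [ "$#" -eq 1 ]; then
    remove_manual_stomppy "$1"    # e.g. /var/lib/python2.4/site-packages
fi
```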