Configuring the GRAM.NET Server
Towards the end of the GRAM
installation process, the GRAM Configuration Tool will be run automatically. These
instructions will help you use this tool to configure your GRAM server. If at
any time after installing the GRAM server, you wish to change its
configuration, you can do so by running the GRAMConfig.exe program
located in the Bin sub-directory of the directory where GRAM was installed and
again following these instructions.
The configuration tool sets
parameters in configuration files located in C:\Inetpub\wwwroot\GridTools. The configuration file can be inspected or edited
by hand, but we recommend it only be modified with the configuration tool.

Here is a description of the
.NET GRAM server settings you can configure with the configuration tool:
Server Name: The host name the GRAM server should use in the EndpointReferences (EPRs) it
creates to identify jobs.
Scratch Directory: A directory in which temporary files will be created.
Server Certificate: The host certificate the server should use. This is required for GRAM’s
GSI authentication which is based on PKI and SSL. Clicking the Select button will bring up the Certificate
Selection Dialog which lets you choose a certificate from the Windows
Certificate Store to use as the host certificate:

Depending on where the
certificate you want to use resides, you might need to change the Certificate
Location and Store Name settings. Local Machine/Personal is the most common location for host certificates.
For instructions on importing a host certificate into the
store, click here.
The certificate you select
as the host certificate must have an associated private key and the private key
must be marked ‘exportable’ for GRAM to be able to use it. If there is a
problem with the host certificate you selected, this will be indicated below
the subject name in the Configuration Tool:

If you do not see an error
message, it is a good indication that the selected certificate will work with
the server.
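Both requirements can be checked before opening the Configuration Tool. The following PowerShell is an added example, not part of the GRAM.NET distribution. It assumes the certificate is in Local Machine/Personal and that the session is elevated so machine keys can be opened; keys held by a non-CSP (CNG) provider are reported as undetermined.

```powershell
# Added example: list certificates in Local Machine/Personal and report the two
# properties the host certificate needs: a private key, marked exportable.
# Assumption: the store path below matches the Certificate Location / Store Name
# selected in the dialog. Change it if your certificate lives elsewhere.
$storePath = 'Cert:\LocalMachine\My'

Get-ChildItem -Path $storePath | ForEach-Object {
    $cert = $_
    $exportable = 'n/a (no private key)'

    if ($cert.HasPrivateKey) {
        try {
            # CSP-backed keys expose CspKeyContainerInfo; other providers do not.
            $key = $cert.PrivateKey
            if ($key -and $key.CspKeyContainerInfo) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            } else {
                $exportable = 'undetermined (non-CSP key provider)'
            }
        } catch {
            # Typical causes: session not elevated, or a provider this API cannot open.
            $exportable = "unreadable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Exportable    = $exportable
    }
} | Format-List
```

A certificate that shows `HasPrivateKey : False` or `Exportable : False` does not meet the requirement described above.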
Authorization Type: GRAM.NET supports a number of different authorization mechanisms through
the Authorization Handler Framework
whose parameters can be set using the GRAM Configuration Tool. We recommend the
use of the GridMap authorization type. You can configure your GridMap
authorization system based on how you want your GRAM service to be used. Follow
the instructions for the scenario that most closely resembles the way in which
you wish to use your GRAM service.
· I want all grid jobs to run under a single local computer account
  o Create a Grid User account
    § On Windows XP:
      · From the Start Menu, select “Control Panel”, then “User Accounts”
      · Select “Create a new account”
      · Type the user name you wish to use into the dialog box (we suggest “Grid User”) and click Next
      · Set the account type to “Limited” and click “Create Account”
    § On Windows Server:
      · From the Start Menu, select “Control Panel”, then “Administrative Tools”, then “Computer Management”
      · Expand the “Local Users and Groups” folder on the left side of the control panel
      · Right-click on the “Users” folder that appears and select “Create new user”
      · Type a username and password into the “User name” and “Password” fields of the dialog box that appears. Make sure that the boxes for “User must change password at next logon” and “Account is disabled” are *NOT* checked. We suggest checking the boxes for “User cannot change password” and “Password never expires”.
      · Click the “Create” button and then the “Close” button.
  o Create a Gridmap file in which each line contains a Distinguished Name (DN) you wish to authorize, followed by the username and password for the account you just created. Example.
· I want grid users to run jobs under separate local accounts which I configure
  o Create local accounts as needed using the procedure above. Then modify the privileges of those accounts as necessary. Information on user rights in Windows Server can be found here. Information on user rights in Windows XP can be found here.
  o Create a Gridmap file in which each line contains a Distinguished Name (DN) you wish to authorize, followed by the username and password of the account you wish the user associated with that DN to run under. Example.
The Authorization handler
can be configured in several other ways including “Simple”, “SAML” and “XACML”.
Documentation on each of these can be found here. If you find that you wish to
use one of these other authorization modes, please contact us – we can help you with
system configuration issues.
NOTE:
You have to put account passwords in clear-text in the gridmap file. Make sure
that file is protected. Does it need to be readable by ‘Network Service’?
NOTE: The authorization
mechanism you configure can affect the account under which the GRAM server
carries out certain file operations. If the configured authorization mechanism supports
username/password lookup in addition to retrieval of an authorization decision,
the GRAM server will use these credentials to run file manipulation operations
under the target account. For authorization mechanisms that cannot or are not
configured to return such account information, operations will be executed
under the same account as the GRAM server is running (usually NETWORK SERVICE on Windows Server and ASPNET on Windows XP).