From 14b399f803ff3f711ab287c409a046df8c8decf3 Mon Sep 17 00:00:00 2001 From: posophe Date: Sat, 18 Apr 2015 13:07:04 +0200 Subject: [PATCH 01/18] codecleanup --- ncgen3/load.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ncgen3/load.c b/ncgen3/load.c index 401dd3d2b..c02c4b412 100644 --- a/ncgen3/load.c +++ b/ncgen3/load.c @@ -15,6 +15,10 @@ #include "ncgen.h" #include "genlib.h" +#ifndef HAVE_STRLCAT +extern size_t strlcat(char *dst, const char *src, size_t siz); +#endif + extern int netcdf_flag; extern int c_flag; extern int fortran_flag; From 327731852e384eefc34b03ab0e964b96867d4e4c Mon Sep 17 00:00:00 2001 From: posophe Date: Sat, 18 Apr 2015 13:09:46 +0200 Subject: [PATCH 02/18] correct casting --- libsrc/posixio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsrc/posixio.c b/libsrc/posixio.c index ce05dce6f..be72c7848 100644 --- a/libsrc/posixio.c +++ b/libsrc/posixio.c @@ -667,7 +667,7 @@ done: pxp->bf_rflags |= rflags; pxp->bf_refcount++; - *vpp = (char *)pxp->bf_base + diff; + *vpp = (void *)((char *)pxp->bf_base + diff); return ENOERR; } From a6b6ea54da61fd6a273f08232015af7c7cc591e6 Mon Sep 17 00:00:00 2001 From: posophe Date: Sat, 18 Apr 2015 13:12:13 +0200 Subject: [PATCH 03/18] Use pkgconfig for libs --- nc-config.in | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/nc-config.in b/nc-config.in index 4a243a345..c9345fef7 100644 --- a/nc-config.in +++ b/nc-config.in @@ -6,12 +6,10 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/lib includedir=${prefix}/include cc="@CC@" cflags=" -I${includedir} @CPPFLAGS@" -libs="-L${libdir} @NC_LIBS@" has_dap="@HAS_DAP@" has_nc2="@HAS_NC2@" has_nc4="@HAS_NC4@" @@ -182,7 +180,7 @@ while test $# -gt 0; do ;; --libs) - echo $libs + pkg-config netcdf --libs ;; --prefix) From 4c07e22ae4e3ec1d5029512ae2ea61a040c215db Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Tue, 21 Apr 2015 13:52:43 -0600 Subject: [PATCH 04/18] Progress working towards [NCF-329] --- CMakeLists.txt | 22 +++++++++++++++++++--- config.h.cmake.in | 1 + libsrc4/nc4file.c | 9 ++++++++- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index d7167cd56..ca2b68792 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -461,9 +461,8 @@ IF(USE_HDF5 OR ENABLE_NETCDF_4) # Find out if HDF5 was built with parallel support. # Do that by checking for the targets H5Pget_fapl_mpiposx and # H5Pget_fapl_mpio in ${HDF5_LIB}. - CHECK_LIBRARY_EXISTS(${HDF5_hdf5_LIBRARY} H5Pget_fapl_mpiposix "" HDF5_IS_PARALLEL_MPIPOSIX) - CHECK_LIBRARY_EXISTS(${HDF5_hdf5_LIBRARY} H5Pget_fapl_mpio "" HDF5_IS_PARALLEL_MPIO) - + CHECK_LIBRARY_EXISTS(hdf5 H5Pget_fapl_mpiposix "" HDF5_IS_PARALLEL_MPIPOSIX) + CHECK_LIBRARY_EXISTS(hdf5 H5Pget_fapl_mpio "" HDF5_IS_PARALLEL_MPIO) IF(HDF5_IS_PARALLEL_MPIPOSIX OR HDF5_IS_PARALLEL_MPIO) SET(HDF5_IS_PARALLEL ON) ENDIF() @@ -483,6 +482,9 @@ IF(USE_HDF5 OR ENABLE_NETCDF_4) ENDIF(NOT MSVC) + CHECK_LIBRARY_EXISTS(hdf5 H5free_memory "" HDF5_HAS_H5FREE) + + # Assert HDF5 version. SET(HDF5_VERSION_REQUIRED 1.8.10) @@ -549,6 +551,20 @@ IF(USE_HDF5 OR ENABLE_NETCDF_4) ENDIF() SET(USE_ZLIB ON) INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIRS}) + + ## + # Check to see if libhdf5 contains + # 'H5free_memory'. + ## +# CHECK_C_SOURCE_COMPILES(" +# #include +# int main() {H5free_memory(NULL);}" HDF5_HAS_H5FREE) +# CHECK_SYMBOL_EXISTS(H5free_memory "H5public.h" HDF5_HAS_H5FREE) +# CHECK_LIBRARY_EXISTS(hdf5 H5free_memory "-L${HDF5_hdf5_LIBRARY}" HDF5_HAS_H5FREE) +# MESSAGE(STATUS "HDF5_HAS_H5FREE: ${HDF5_HAS_H5FREE}") + + + ENDIF() # Option to Build DAP Client diff --git a/config.h.cmake.in b/config.h.cmake.in index ec2761728..07db7b554 100644 --- a/config.h.cmake.in +++ b/config.h.cmake.in @@ -88,6 +88,7 @@ are set when opening a binary file on Windows. */ #cmakedefine USE_FFIO 1 #cmakedefine USE_PARALLEL_POSIX 1 #cmakedefine USE_PARALLEL_MPIO 1 +#cmakedefine HDF5_HAS_H5FREE 1 #cmakedefine USE_PARALLEL 1 #cmakedefine USE_PNETCDF 1 #cmakedefine USE_MMAP 1 diff --git a/libsrc4/nc4file.c b/libsrc4/nc4file.c index 35a8ccb86..3292880ad 100644 --- a/libsrc4/nc4file.c +++ b/libsrc4/nc4file.c @@ -1284,12 +1284,19 @@ read_type(NC_GRP_INFO_T *grp, hid_t hdf_typeid, char *type_name) } #ifndef JNA + /* Free the member name (which HDF5 allocated for us). */ /* On Windows using the microsoft runtime, it is an error - for one library to free memory allocated by a different library. */ + for one library to free memory allocated by a different library. + IF it is available, we should use H5free_memory*/ + +#ifdef HDF5_HAS_H5FREE + if(member_name != NULL) H5free_memory(member_name); +#else #ifndef _MSC_VER if(member_name != NULL) free(member_name); #endif +#endif #endif member_name = NULL; } From 08b5f2d66e273f9e4fa4047ee1bfc46acabbbf93 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Tue, 21 Apr 2015 15:25:05 -0600 Subject: [PATCH 05/18] Added a check for H5free_memory in configure.ac. --- configure.ac | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index aecc8f934..4a3e4ed03 100644 --- a/configure.ac +++ b/configure.ac @@ -839,7 +839,7 @@ if test "x$enable_netcdf_4" = xyes; then [AC_MSG_ERROR([Can't find or link to the hdf5 high-level. Use --disable-netcdf-4, or see config.log for errors.])]) AC_CHECK_HEADERS([hdf5.h], [], [AC_MSG_ERROR([Compiling a test with HDF5 failed. Either hdf5.h cannot be found, or config.log should be checked for other reason.])]) - AC_CHECK_FUNCS([H5Pget_fapl_mpiposix H5Pget_fapl_mpio H5Pset_deflate H5Z_SZIP]) + AC_CHECK_FUNCS([H5Pget_fapl_mpiposix H5Pget_fapl_mpio H5Pset_deflate H5Z_SZIP H5free_memory]) # The user may have parallel HDF5 based on MPI POSIX. if test "x$ac_cv_func_H5Pget_fapl_mpiposix" = xyes; then @@ -874,6 +874,12 @@ if test "x$enable_netcdf_4" = xyes; then AC_DEFINE([USE_SZIP], [1], [if true, compile in szip compression in netCDF-4 variables]) fi + if test "x$ac_cv_func_H5free_memory" = xyes; then + AC_DEFINE([HDF5_HAS_H5FREE], [1], [if true, H5free_memory() will be used to free hdf5-allocated memory in nc4file.]) + fi + + + # If the user wants hdf4 built in, check it out. if test "x$enable_hdf4" = xyes; then AC_CHECK_HEADERS([mfhdf.h], [], [nc_mfhdf_h_missing=yes]) From 5c471c2f314600695c6db02b55cd42a2db4ac896 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Tue, 21 Apr 2015 15:57:19 -0600 Subject: [PATCH 06/18] Updated release notes. --- RELEASE_NOTES.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 2da439b93..18120715e 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -7,6 +7,8 @@ This file contains a high-level description of this package's evolution. Release ## 4.3.X Released ???? +* Addressed in issue in netcdf4 files on Windows, built with Microsoft Visual Studio, which could result in a memory leak. See [NCF-329](https://bugtracking.unidata.ucar.edu/browse/NCF-329) for more information. + * Addressed an issue in netcdf4 files where writing unlimited dimensions that were not declared at head of the dimensions list, as reported by Ellen Johnson at Mathworks. See [NCF-326](https://bugtracking.unidata.ucar.edu/browse/NCF-326) for more information. * Added an authorization reference document as oc2/ocauth.html. From 218bd4a25995cbae67cd9dcba4a066e7406c6f06 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Tue, 21 Apr 2015 16:04:39 -0600 Subject: [PATCH 07/18] Corrected logic error. --- CMakeLists.txt | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ca2b68792..0bb868d9a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -786,13 +786,14 @@ IF(ENABLE_PNETCDF) IF(NOT PNETCDF) MESSAGE(STATUS "Cannot find pNetCDF library. Disabling pNetCDF support.") SET(USE_PNETCDF OFF CACHE BOOL "") + ELSE() + SET(STATUS_PNETCDF "ON") + INCLUDE_DIRECTORIES(${PNETCDF_INCLUDE_DIR}) + SET(HAVE_LIBPNETCDF ON) + # pnetcdf => parallel + SET(STATUS_PARALLEL "ON") + SET(USE_PARALLEL ON) ENDIF() - SET(STATUS_PNETCDF "ON") - INCLUDE_DIRECTORIES(${PNETCDF_INCLUDE_DIR}) - SET(HAVE_LIBPNETCDF ON) - # pnetcdf => parallel - SET(STATUS_PARALLEL "ON") - SET(USE_PARALLEL ON) ENDIF() # Enable Parallel Tests. From 23e4079480ec03ce6e92bf2e15fc9cba62b7d9c2 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Wed, 22 Apr 2015 09:59:39 -0600 Subject: [PATCH 08/18] Relocated a check for mremap so that MMAP support can be properly enabled via cmake. --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 0bb868d9a..3e274c9a4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -286,6 +286,7 @@ OPTION(BUILD_UTILITIES "Build ncgen, ncgen3, ncdump." ON) # Option to use MMAP OPTION(ENABLE_MMAP "Use MMAP." OFF) IF(ENABLE_MMAP) + CHECK_FUNCTION_EXISTS(mremap HAVE_MREMAP) IF(NOT HAVE_MREMAP) MESSAGE(WARNING "mremap not found: disabling MMAP support.") SET(ENABLE_MMAP OFF) @@ -974,7 +975,6 @@ CHECK_FUNCTION_EXISTS(MPI_Comm_f2C HAVE_MPI_COMM_F2C) CHECK_FUNCTION_EXISTS(memmove HAVE_MEMMOVE) CHECK_FUNCTION_EXISTS(getpagesize HAVE_GETPAGESIZE) CHECK_FUNCTION_EXISTS(sysconf HAVE_SYSCONF) -CHECK_FUNCTION_EXISTS(mremap HAVE_MREMAP) CHECK_FUNCTION_EXISTS(getrlimit HAVE_GETRLIMIT) CHECK_FUNCTION_EXISTS(_filelengthi64 HAVE_FILE_LENGTH_I64) From 28908d9cfe3e56c61ace51cfa1f0c5910b2e854b Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Wed, 22 Apr 2015 15:47:19 -0600 Subject: [PATCH 09/18] Modified some tests to work on Windows when a bash shell is available. --- ncdump/CMakeLists.txt | 4 ++-- ncdump/tst_output.sh | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ncdump/CMakeLists.txt b/ncdump/CMakeLists.txt index bad66a87d..47e0f1299 100644 --- a/ncdump/CMakeLists.txt +++ b/ncdump/CMakeLists.txt @@ -130,10 +130,10 @@ ENDIF() # Known failure on MSVC; the number of 0's padding # is different, but the result is actually correct. - IF(NOT MSVC) + #IF(NOT MSVC) add_sh_test(ncdump tst_netcdf4) add_bin_test(ncdump tst_h_rdc0) - ENDIF() + #ENDIF() add_bin_test(ncdump tst_unicode) diff --git a/ncdump/tst_output.sh b/ncdump/tst_output.sh index 0ec4a74df..f47102d99 100755 --- a/ncdump/tst_output.sh +++ b/ncdump/tst_output.sh @@ -10,11 +10,11 @@ fi echo "" echo "*** Testing ncgen and ncdump test output for classic format." echo "*** creating ctest1.cdl from ctest0.nc..." -./ncdump -n c1 ctest0.nc > ctest1.cdl +./ncdump -n c1 ctest0.nc | sed 's/e+0/e+/g' > ctest1.cdl echo "*** creating c0.nc from c0.cdl..." ../ncgen/ncgen -b -o c0.nc $srcdir/../ncgen/c0.cdl echo "*** creating c1.cdl from c0.nc..." -./ncdump -n c1 c0.nc > c1.cdl +./ncdump -n c1 c0.nc | sed 's/e+0/e+/g' > c1.cdl echo "*** comparing ncdump of C program output (ctest1.cdl) with c1.cdl..." diff -b c1.cdl ctest1.cdl echo "*** test output for ncdump -k" @@ -42,11 +42,11 @@ echo "*** All ncgen and ncdump test output for classic format passed!" echo "*** Testing ncgen and ncdump test output for 64-bit offset format." echo "*** creating ctest1.cdl from test0_64.nc..." -./ncdump -n c1 ctest0_64.nc > ctest1_64.cdl +./ncdump -n c1 ctest0_64.nc | sed 's/e+0/e+/g' > ctest1_64.cdl echo "*** creating c0.nc from c0.cdl..." ../ncgen/ncgen -k nc6 -b -o c0.nc $srcdir/../ncgen/c0.cdl echo "*** creating c1.cdl from c0.nc..." -./ncdump -n c1 c0.nc > c1.cdl +./ncdump -n c1 c0.nc | sed 's/e+0/e+/g' > c1.cdl echo "*** comparing ncdump of C program output (ctest1_64.cdl) with c1.cdl..." diff -b c1.cdl ctest1_64.cdl echo "*** test output for ncdump -k" @@ -58,7 +58,7 @@ echo "*** test output for ncdump -s" echo "*** creating tst_mslp_64.nc from tst_mslp.cdl" ../ncgen/ncgen -k nc6 -b -o tst_mslp_64.nc $srcdir/tst_mslp.cdl echo "*** creating tst_format_att_64.cdl from tst_mslp_64.nc" -./ncdump -s tst_mslp_64.nc > tst_format_att_64.cdl +./ncdump -s tst_mslp_64.nc | sed 's/e+0/e+/g' > tst_format_att_64.cdl echo "*** comparing ncdump -s of generated file with ref_tst_format_att_64.cdl ..." diff -b tst_format_att_64.cdl $srcdir/ref_tst_format_att_64.cdl From b5ef92dc5f5371c105a3ec0641648dddd511ba94 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Thu, 23 Apr 2015 11:03:26 -0600 Subject: [PATCH 10/18] Added BUILDNAME_PREFIX and BUILDNAME_SUFFIX options to cmake build system, to make it easier to customize the build name displayed on the CDash dashboard. --- CMakeLists.txt | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 3e274c9a4..2e2dd5a91 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -44,8 +44,35 @@ IF(UNAME) getuname(osname -s) getuname(osrel -r) getuname(cpu -m) - set(BUILDNAME "${osname}-${osrel}-${cpu}" CACHE STRING "Build name variable for CDash") + set(TMP_BUILDNAME "${osname}-${osrel}-${cpu}") ENDIF() + +### +# Allow for some customization of the buildname. +# This will make it easier to identify different builds, +# based on values passed from command line/shell scripts. +# +# For ctest scripts, we can use CTEST_BUILD_NAME. +### + +SET(BUILDNAME_PREFIX "" CACHE STRING "") +SET(BUILDNAME_SUFFIX "" CACHE STRING "") + +IF(BUILDNAME_PREFIX) + SET(BUILDNAME "${BUILDNAME_PREFIX}-${TMP_BUILDNAME}" CACHE STRING "Build name variable for CDash") +ENDIF() + +IF(BUILDNAME_SUFFIX) + SET(BUILDNAME "${TMP_BUILDNAME}-${BUILDNAME_SUFFIX}" CACHE STRING "Build name variable for CDash") +ENDIF() + +IF(NOT BUILDNAME) + SET(BUILDNAME "${TMP_BUILDNAME}" CACHE STRING "Build name variable for CDash") +ENDIF() +### +# End BUILDNAME customization. +### + # For CMAKE_INSTALL_LIBDIR INCLUDE(GNUInstallDirs) @@ -117,6 +144,8 @@ SET(EXTRA_DEPS "") # Set CTest Properties ################################ + + ENABLE_TESTING() INCLUDE(CTest) From d80300b565f9e65e73e47e72b35bea74298f8946 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Thu, 23 Apr 2015 11:13:50 -0600 Subject: [PATCH 11/18] Corrected logic error in buildname prefix/suffix. --- CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 2e2dd5a91..1fe77f2d7 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -59,11 +59,11 @@ SET(BUILDNAME_PREFIX "" CACHE STRING "") SET(BUILDNAME_SUFFIX "" CACHE STRING "") IF(BUILDNAME_PREFIX) - SET(BUILDNAME "${BUILDNAME_PREFIX}-${TMP_BUILDNAME}" CACHE STRING "Build name variable for CDash") + SET(TMP_BUILDNAME "${BUILDNAME_PREFIX}-${TMP_BUILDNAME}") ENDIF() IF(BUILDNAME_SUFFIX) - SET(BUILDNAME "${TMP_BUILDNAME}-${BUILDNAME_SUFFIX}" CACHE STRING "Build name variable for CDash") + SET(TMP_BUILDNAME "${TMP_BUILDNAME}-${BUILDNAME_SUFFIX}") ENDIF() IF(NOT BUILDNAME) From b44b687f4b56b425d76efe81ee85b4773066d609 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Thu, 23 Apr 2015 15:40:19 -0600 Subject: [PATCH 12/18] Modified auth.md to remove a bunch of warnings. --- docs/auth.md | 826 ++++++++++++++++++++++++++------------------------- 1 file changed, 428 insertions(+), 398 deletions(-) diff --git a/docs/auth.md b/docs/auth.md index c27047ead..81a056b85 100644 --- a/docs/auth.md +++ b/docs/auth.md @@ -1,449 +1,479 @@ -Authorization Support in the netDF-C Libraries {#auth} -================================================== +OC Authorization Support {#auth} +======================== -\brief It is possible to support a number of authorization schemes -in the netCDF-C library. +[TOC] -With one exception, authorization in the netCDF-C library is -delegated to the oc2 code, which in turn delegates it to the -libcurl library. The exception is that the location of the rc -file can be specified by setting the environment variable *NCRCFILE*. -Note that the value of this environment variable should be the -absolute path of the rc file, not the path to its containing directory. +###### Author: Dennis Heimbigner\ + dmh at ucar dot edu -Following is the authorization documentation. +###### Draft: 11/21/2014\ + Last Revised: 12/23/2014\ + OC Version 2.1 + +###### Table of Contents {.break} + +1. [Introduction](#Introduction) +2. [URL-Based Authentication](#URL-AUTH) +3. [RC File Authentication](#DODSRC) +4. [Redirection-Based Authentication](#REDIR) +5. [URL Constrained RC File Entries](#URLCONS) +6. [Client-Side Certificates](#CLIENTCERTS) +7. [Appendix A. All RC-File Keys](#allkeys) +8. [Appendix B. ESG Access in Detail](#ESGDETAIL) + +Introduction {.break} +------------ - - - - - - -
-

OC Authorization Support

-
Author: Dennis Heimbigner
-dmh at ucar dot edu
-
Draft: 11/21/2014
-Last Revised: 12/23/2014
-OC Version 2.1
-
- -
Table of Contents
-
    -
  1. Introduction -
  2. URL-Based Authentication -
  3. RC File Authentication -
  4. Redirection-Based Authentication -
  5. URL Constrained RC File Entries -
  6. Client-Side Certificates -
  7. Appendix A. All RC-File Keys -
  8. Appendix B. ESG Access in Detail -
- -

Introduction

OC can support user authorization using those provided by the curl library. This includes basic password authentication as well as certificate-based authorization. -

-With some exceptions (e.g. see the section on redirection) -The libcurl authorization mechanisms can be accessed in two ways -

    -
  1. Inserting the username and password into the url, or -
  2. Accessing information from a so-called rc file named either -.daprc or .dodsrc -
-

URL-Based Authentication

-For simple password based authentication, it is possible to -directly insert the username and the password into a url in this form. -
-    http://username:password@host/...
-
+With some exceptions (e.g. see the section on [redirection](#REDIR)) The +libcurl authorization mechanisms can be accessed in two ways + +1. Inserting the username and password into the url, or +2. Accessing information from a so-called *rc* file named either + *.daprc* or *.dodsrc* + +URL-Based Authentication {.break} +------------------------ + +For simple password based authentication, it is possible to directly +insert the username and the password into a url in this form. + + http://username:password@host/... + This username and password will be used if the server asks for -authentication. Note that only simple password authentication -is supported in this format. -Specifically note that redirection based -authorization will not work with this. +authentication. Note that only simple password authentication is +supported in this format. Specifically note that [redirection](#REDIR) +based authorization will not work with this. + +RC File Authentication {.break} +---------------------- + +The oc library supports an *rc* file mechanism to allow the passing of a +number of parameters to liboc and libcurl. + +The file must be called one of the following names: ".daprc" or +".dodsrc" If both .daprc and .dodsrc exist, then the .daprc file will +take precedence. + +Searching for the rc file first looks in the current directory and then +in the home directory (as defined by the HOME environment variable). It +is also possible to specify a direct path using the *-R* option to +ocprint or using the *oc\_set\_rcfile* procedure (see oc.h). Note that +for these latter cases, the path must be to the file itself, not to the +containing directory. -

RC File Authentication

-The oc library supports an rc file mechanism to allow the passing -of a number of parameters to liboc and libcurl. -

-The file must be called one of the following names: -".daprc" or ".dodsrc" -If both .daprc and .dodsrc exist, then -the .daprc file will take precedence. -

-Searching for the rc file first looks in the current directory -and then in the home directory (as defined by the HOME environment -variable). It is also possible to specify a direct path using -the -R option to ocprint or using the oc_set_rcfile -procedure (see oc.h). Note that for these latter cases, the path -must be to the file itself, not to the containing directory. -

The rc file format is a series of lines of the general form: -

-[<host:port>]<key>=<value>
-
-where the bracket-enclosed host:port is optional and will be discussed + + []= + +where the bracket-enclosed host:port is optional and will be discussed subsequently. -

+ The currently defined set of authorization-related keys are as follows. -The second column is the affected curl_easy_setopt option(s). - -
Keycurl_easy_setopt Option -
HTTP.COOKIEJARCURLOPT_COOKIEJAR, CURLOPT_COOKIEFILE -
HTTP.PROXY_SERVERCURLOPT_PROXY, CURLOPT_PROXYPORT, CURLOPT_PROXYUSERPWD -
HTTP.SSL.CERTIFICATECURLOPT_SSLCERT -
HTTP.SSL.KEYCURLOPT_SSLKEY -
HTTP.SSL.KEYPASSWORDCURLOPT_KEYPASSWORD -
HTTP.SSL.CAINFOCURLOPT_SSLCAINFO -
HTTP.SSL.CAPATHCURLOPT_SSLCAPATH -
HTTP.SSL.VERIFYPEERCURLOPT_SSL_VERIFYPEER -
HTTP.CREDENTIALS.USERPASSWORDCURLOPT_USERPASSWORD -
- +The second column is the affected curl\_easy\_setopt option(s). -

Password Authentication

-The key -HTTP.CREDENTIALS.USERPASSWORD -can be used to set the simple password authentication. -This is an alternative to setting it in the url. -The value must be of the form "username:password". +Key -

Cookie Jar

-The HTTP.COOKIEJAR key -specifies the name of file from which -to read cookies (CURLOPT_COOKIEJAR) and also -the file into which to store cookies (CURLOPT_COOKIEFILE). -The same value is used for both CURLOPT values. -It defaults to in-memory storage. +curl\_easy\_setopt Option + +HTTP.COOKIEJAR + +CURLOPT\_COOKIEJAR, CURLOPT\_COOKIEFILE + +HTTP.PROXY\_SERVER + +CURLOPT\_PROXY, CURLOPT\_PROXYPORT, CURLOPT\_PROXYUSERPWD -

Certificate Authentication

HTTP.SSL.CERTIFICATE -specifies a file path for a file containing a PEM cerficate. -This is typically used for client-side authentication. -

-HTTP.SSL.KEY is essentially the same as HTTP.SSL.CERTIFICATE -and should usually have the same value. -

+ +CURLOPT\_SSLCERT + +HTTP.SSL.KEY + +CURLOPT\_SSLKEY + HTTP.SSL.KEYPASSWORD -specifies the password for accessing the HTTP.SSL.KEY/HTTP.SSL.CERTIFICATE -file. -

+ +CURLOPT\_KEYPASSWORD + +HTTP.SSL.CAINFO + +CURLOPT\_SSLCAINFO + HTTP.SSL.CAPATH -specifies the path to a directory containing -trusted certificates for validating server sertificates. -

-HTTP.SSL.VALIDATE -is a boolean (1/0) value that if true (1) -specifies that the client should verify the server's presented certificate. -

-HTTP.PROXY_SERVER -specified the url for accessing the proxy: + +CURLOPT\_SSLCAPATH + +HTTP.SSL.VERIFYPEER + +CURLOPT\_SSL\_VERIFYPEER + +HTTP.CREDENTIALS.USERPASSWORD + +CURLOPT\_USERPASSWORD + +### Password Authentication + +The key HTTP.CREDENTIALS.USERPASSWORD can be used to set the simple +password authentication. This is an alternative to setting it in the +url. The value must be of the form "username:password". + +### Cookie Jar + +The HTTP.COOKIEJAR key specifies the name of file from which to read +cookies (CURLOPT\_COOKIEJAR) and also the file into which to store +cookies (CURLOPT\_COOKIEFILE). The same value is used for both CURLOPT +values. It defaults to in-memory storage. + +### Certificate Authentication + +HTTP.SSL.CERTIFICATE specifies a file path for a file containing a PEM +cerficate. This is typically used for client-side authentication. + +HTTP.SSL.KEY is essentially the same as HTTP.SSL.CERTIFICATE and should +usually have the same value. + +HTTP.SSL.KEYPASSWORD specifies the password for accessing the +HTTP.SSL.KEY/HTTP.SSL.CERTIFICATE file. + +HTTP.SSL.CAPATH specifies the path to a directory containing trusted +certificates for validating server sertificates. + +HTTP.SSL.VALIDATE is a boolean (1/0) value that if true (1) specifies +that the client should verify the server's presented certificate. + +HTTP.PROXY\_SERVER specified the url for accessing the proxy: (e.g.http://[username:password@]host[:port]) -

Redirection-Based Authentication

-Some sites provide authentication by using a third party site -to to the authentication. One example is -URS, -the EOSDIS User Registration System. -

-The process is usually as follows. -

    -
  1. The client contacts the server of interest (SOI), the actual data provider. -
  2. The SOI sends a redirect to the client to connect to the URS system. -
  3. The client authenticates with URS. -
  4. URS sends a redirect (with authorization information) to send -the client back to the SOI to actually obtain the data. -
-

-In order for this to work with libcurl, the client will usually need -to provide a .netrc file so that the redirection will work correctly. -The format of this .netrc file will contain content that -typically look like this. -

-machine uat.urs.earthdata.nasa.gov login xxxxxx password yyyyyy
-
-where the machine is the one to which the client is redirected -for authorization, and the login and password are those -needed to authenticate. -

-The .netrc file can be specified in two ways. -

    -
  1. Specify the netrc file to liboc using the procedure in oc.h: -
    -oc_set_netrc(OClink* link, const char* file)
-
    -(This is equivalent to the -N flag to ocprint). -

    -

  2. Put the following line in your .daprc/.dodsrc file. -
    -HTTP.NETRC=<path to netrc file>
-
    -
-

-One final note. In using this, it is probable that you will -need to specify a cookie jar (HTTP.COOKIEJAR) so that the -redirect site can pass back authorization information. +Redirection-Based Authentication {.break} +-------------------------------- -

URL Constrained RC File Entries

-Each line of the rc file can begin with -a host+port enclosed in square brackets. -The form is "host:port". If the port is not specified -then the form is just "host". -The reason that more of the url is not used is that +Some sites provide authentication by using a third party site to to the +authentication. One example is +[URS](https://uat.urs.earthdata.nasa.gov), the EOSDIS User Registration +System. + +The process is usually as follows. + +1. The client contacts the server of interest (SOI), the actual data + provider. +2. The SOI sends a redirect to the client to connect to the URS system. +3. The client authenticates with URS. +4. URS sends a redirect (with authorization information) to send the + client back to the SOI to actually obtain the data. + +In order for this to work with libcurl, the client will usually need to +provide a .netrc file so that the redirection will work correctly. The +format of this .netrc file will contain content that typically look like +this. + + machine uat.urs.earthdata.nasa.gov login xxxxxx password yyyyyy + +where the machine is the one to which the client is redirected for +authorization, and the login and password are those needed to +authenticate. + +The .netrc file can be specified in two ways. + +1. Specify the netrc file to liboc using the procedure in oc.h: + + oc_set_netrc(OClink* link, const char* file) + + (This is equivalent to the -N flag to ocprint). + +2. Put the following line in your .daprc/.dodsrc file. + + HTTP.NETRC= + +One final note. In using this, it is probable that you will need to +specify a cookie jar (HTTP.COOKIEJAR) so that the redirect site can pass +back authorization information. + +URL Constrained RC File Entries {.break} +------------------------------- + +Each line of the rc file can begin with a host+port enclosed in square +brackets. The form is "host:port". If the port is not specified then the +form is just "host". The reason that more of the url is not used is that libcurl's authorization grain is not any finer than host level. -

+ Examples. -

-[remotetest.unidata.ucar.edu]HTTP.VERBOSE=1
-or
-[fake.ucar.edu:9090]HTTP.VERBOSE=0
-
-If the url request from, say, the oc_open method -has a host+port matchine one of the prefixes in the rc file, then -the corresponding entry will be used, otherwise ignored. -

+ + [remotetest.unidata.ucar.edu]HTTP.VERBOSE=1 + or + [fake.ucar.edu:9090]HTTP.VERBOSE=0 + +If the url request from, say, the *oc\_open* method has a host+port +matchine one of the prefixes in the rc file, then the corresponding +entry will be used, otherwise ignored. + For example, the URL -

-http://remotetest.unidata.ucar.edu/thredds/dodsC/testdata/testData.nc
-
+ + http://remotetest.unidata.ucar.edu/thredds/dodsC/testdata/testData.nc + will have HTTP.VERBOSE set to 1. -

-Similarly, -

-http://fake.ucar.edu:9090/dts/test.01
-
+ +Similarly, + + http://fake.ucar.edu:9090/dts/test.01 + will have HTTP.VERBOSE set to 0. -

Client-Side Certificates

-Some systems, notably ESG (Earth System Grid), requires -the use of client-side certificates, as well as being -re-direction based. +Client-Side Certificates {.break} +------------------------ + +Some systems, notably ESG (Earth System Grid), requires the use of +client-side certificates, as well as being [re-direction based](#REDIR). This requires setting the following entries: -
    -
  • HTTP.COOKIEJAR — a file path for storing cookies across re-direction. -
  • HTTP.NETRC — the path to the netrc file. -
  • HTTP.SSL.CERTIFICATE — the file path for the client side certificate file. -
  • HTTP.SSL.KEY — this should have the same value as HTTP.SSL.CERTIFICATE. -
  • HTTP.SSL.CAPATH — the path to a "certificates" directory. -
  • HTTP.SSL.VALIDATE — force validation of the server certificate. -
-Note that the first two are to support re-direction based authentication. -
Appendix A. All RC-File Keys
+- HTTP.COOKIEJAR — a file path for storing cookies across + re-direction. +- HTTP.NETRC — the path to the netrc file. +- HTTP.SSL.CERTIFICATE — the file path for the client side certificate + file. +- HTTP.SSL.KEY — this should have the same value as + HTTP.SSL.CERTIFICATE. +- HTTP.SSL.CAPATH — the path to a "certificates" directory. +- HTTP.SSL.VALIDATE — force validation of the server certificate. + +Note that the first two are to support re-direction based +authentication. + +##### Appendix A. All RC-File Keys {.break} + For completeness, this is the list of all rc-file keys. - -
Keycurl_easy_setopt Option -
HTTP.DEFLATECUROPT_DEFLATE
with value "deflate,gzip" -
HTTP.VERBOSE CUROPT_VERBOSE -
HTTP.TIMEOUTCUROPT_TIMEOUT -
HTTP.USERAGENTCUROPT_USERAGENT -
HTTP.COOKIEJARCUROPT_COOKIEJAR -
HTTP.COOKIE_JARCUROPT_COOKIEJAR -
HTTP.PROXY_SERVERCURLOPT_PROXY,
CURLOPT_PROXYPORT,
CURLOPT_PROXYUSERPWD -
HTTP.SSL.CERTIFICATECUROPT_SSLCERT -
HTTP.SSL.KEYCUROPT_SSLKEY -
HTTP.SSL.KEYPASSWORDCUROPT_KEYPASSWORD -
HTTP.SSL.CAINFOCUROPT_SSLCAINFO -
HTTP.SSL.CAPATHCUROPT_SSLCAPATH -
HTTP.SSL.VERIFYPEERCUROPT_SSL_VERIFYPEER -
HTTP.CREDENTIALS.USERPASSWORDCUROPT_USERPASSWORD -
HTTP.NETRCCURLOPT_NETRC,CURLOPT_NETRC_FILE -
- -
Appendix B. ESG Access in Detail
-It is possible to access Earth Systems Grid (ESG) datasets -from ESG servers through the OC API using the techniques -described in the section on Client-Side Certificates. -

-In order to access ESG datasets, however, it is necessary to -register as a user with ESG and to setup your environment -so that proper authentication is established between an oc -client program and the ESG data server. Specifically, it -is necessary to use what is called "client-side keys" to -enable this authentication. Normally, when a client accesses -a server in a secure fashion (using "https"), the server -provides an authentication certificate to the client. -With client-side keys, the client must also provide a -certificate to the server so that the server can know with -whom it is communicating. -

-The oc library uses the curl library and it is that -underlying library that must be properly configured. +Key -

Terminology

-The key elements for client-side keys requires the constructions of -two "stores" on the client side. -
    -
  • Keystore - a repository to hold the client side key. -
  • Truststore - a repository to hold a chain of certificates - that can be used to validate the certificate - sent by the server to the client. -
-The server actually has a similar set of stores, but the client -need not be concerned with those. +curl\_easy\_setopt Option -

Initial Steps

+HTTP.DEFLATE -The first step is to obtain authorization from ESG. -Note that this information may evolve over time, and -may be out of date. -This discussion is in terms of BADC and NCSA. You will need -to substitute as necessary. -
    -
  1. Register at http://badc.nerc.ac.uk/register - to obtain access to badc and to obtain an openid, - which will looks something like: - 
    https://ceda.ac.uk/openid/Firstname.Lastname
    -
  2. Ask BADC for access to whatever datasets are of interest. -

    -

  3. Obtain short term credentials at - http://grid.ncsa.illinois.edu/myproxy/MyProxyLogon/ - You will need to download and run the MyProxyLogon - program. - This will create a keyfile in, typically, the directory ".globus". - The keyfile will have a name similar to this: "x509up_u13615" - The other elements in ".globus" are certificates to use in - validating the certificate your client gets from the server. -

    -

  4. Obtain the program source ImportKey.java - from this location: http://www.agentbob.info/agentbob/79-AB.html - (read the whole page, it will help you understand the remaining steps). -
+CUROPT\_DEFLATE\ +with value "deflate,gzip" -

Building the KeyStore

-You will have to modify the keyfile in the previous step -and then create a keystore and install the key and a certificate. -The commands are these: -
-    openssl pkcs8 -topk8 -nocrypt -in x509up_u13615 -inform PEM -out key.der -outform DER
+HTTP.VERBOSE
 
-    openssl x509 -in x509up_u13615 -inform PEM -out cert.der -outform DER
+CUROPT\_VERBOSE
 
-    java -classpath  -Dkeypassword="" -Dkeystore=./ key.der cert.der
-
-Note, the file names "key.der" and "cert.der" can be whatever you choose. -It is probably best to leave the .der extension, though. +HTTP.TIMEOUT + +CUROPT\_TIMEOUT + +HTTP.USERAGENT + +CUROPT\_USERAGENT + +HTTP.COOKIEJAR + +CUROPT\_COOKIEJAR + +HTTP.COOKIE\_JAR + +CUROPT\_COOKIEJAR + +HTTP.PROXY\_SERVER + +CURLOPT\_PROXY,\ +CURLOPT\_PROXYPORT,\ +CURLOPT\_PROXYUSERPWD + +HTTP.SSL.CERTIFICATE + +CUROPT\_SSLCERT + +HTTP.SSL.KEY + +CUROPT\_SSLKEY + +HTTP.SSL.KEYPASSWORD + +CUROPT\_KEYPASSWORD + +HTTP.SSL.CAINFO + +CUROPT\_SSLCAINFO + +HTTP.SSL.CAPATH + +CUROPT\_SSLCAPATH + +HTTP.SSL.VERIFYPEER + +CUROPT\_SSL\_VERIFYPEER + +HTTP.CREDENTIALS.USERPASSWORD + +CUROPT\_USERPASSWORD + +HTTP.NETRC + +CURLOPT\_NETRC,CURLOPT\_NETRC\_FILE + +##### Appendix B. ESG Access in Detail {.break} + +It is possible to access Earth Systems Grid (ESG) datasets from ESG +servers through the OC API using the techniques described in the section +on [Client-Side Certificates](#CLIENTCERTS). + +In order to access ESG datasets, however, it is necessary to register as +a user with ESG and to setup your environment so that proper +authentication is established between an oc client program and the ESG +data server. Specifically, it is necessary to use what is called +"client-side keys" to enable this authentication. Normally, when a +client accesses a server in a secure fashion (using "https"), the server +provides an authentication certificate to the client. With client-side +keys, the client must also provide a certificate to the server so that +the server can know with whom it is communicating. + +The oc library uses the *curl* library and it is that underlying library +that must be properly configured. + +### Terminology + +The key elements for client-side keys requires the constructions of two +"stores" on the client side. + +- Keystore - a repository to hold the client side key. +- Truststore - a repository to hold a chain of certificates that can + be used to validate the certificate sent by the server to the + client. + +The server actually has a similar set of stores, but the client need not +be concerned with those. + +### Initial Steps + +The first step is to obtain authorization from ESG. Note that this +information may evolve over time, and may be out of date. This +discussion is in terms of BADC and NCSA. You will need to substitute as +necessary. + +1. Register at http://badc.nerc.ac.uk/register to obtain access to badc + and to obtain an openid, which will looks something like: + + https://ceda.ac.uk/openid/Firstname.Lastname + +2. Ask BADC for access to whatever datasets are of interest. +3. Obtain short term credentials at + http://grid.ncsa.illinois.edu/myproxy/MyProxyLogon/ You will need to + download and run the MyProxyLogon program. This will create a + keyfile in, typically, the directory ".globus". The keyfile will + have a name similar to this: "x509up\_u13615" The other elements in + ".globus" are certificates to use in validating the certificate your + client gets from the server. +4. Obtain the program source ImportKey.java from this location: + http://www.agentbob.info/agentbob/79-AB.html (read the whole page, + it will help you understand the remaining steps). + +### Building the KeyStore + +You will have to modify the keyfile in the previous step and then create +a keystore and install the key and a certificate. The commands are +these: + + openssl pkcs8 -topk8 -nocrypt -in x509up_u13615 -inform PEM -out key.der -outform DER + + openssl x509 -in x509up_u13615 -inform PEM -out cert.der -outform DER + + java -classpath -Dkeypassword="" -Dkeystore=./ key.der cert.der + +Note, the file names "key.der" and "cert.der" can be whatever you +choose. It is probably best to leave the .der extension, though. + +### Building the TrustStore -

Building the TrustStore

Building the truststore is a bit tricky because as provided, the -certificates in ".globus" need some massaging. See the script below -for the details. The primary command is this, which is executed for every -certificate, c, in globus. It sticks the certificate into the file -named "truststore" -
-  keytool -trustcacerts -storepass "password" -v -keystore "truststore"  -importcert -file "${c}"
-
+certificates in ".globus" need some massaging. See the script below for +the details. The primary command is this, which is executed for every +certificate, c, in globus. It sticks the certificate into the file named +"truststore" -

Running the C Client

+ keytool -trustcacerts -storepass "password" -v -keystore "truststore" -importcert -file "${c}" -Refer to the section on Client-Side Certificates. -The keys specified there must be set in the rc file to support -ESG access. -
    -
  • HTTP.COOKIEJAR=~/.dods_cookies -
  • HTTP.NETRC=~/.netrc -
  • HTTP.SSL.CERTIFICATE=~/esgkeystore -
  • HTTP.SSL.KEY=~/esgkeystore -
  • HTTP.SSL.CAPATH=~/.globus -
  • HTTP.SSL.VALIDATE=1 -
-Of course, the file paths above are suggestions only; -you can modify as needed. -The HTTP.SSL.CERTIFICATE and HTTP.SSL.KEY -entries should have same value, which is the file path for the -certificate produced by MyProxyLogon. The HTTP.SSL.CAPATH entry -should be the path to the "certificates" directory produced by -MyProxyLogon. -

-As noted, also uses re-direction based authentication. -So, when it receives an initial connection from a client, it -redirects to a separate authentication server. When that -server has authenticated the client, it redirects back to -the original url to complete the request. +### Running the C Client + +Refer to the section on [Client-Side Certificates](#CLIENTCERTS). The +keys specified there must be set in the rc file to support ESG access. + +- HTTP.COOKIEJAR=\~/.dods\_cookies +- HTTP.NETRC=\~/.netrc +- HTTP.SSL.CERTIFICATE=\~/esgkeystore +- HTTP.SSL.KEY=\~/esgkeystore +- HTTP.SSL.CAPATH=\~/.globus +- HTTP.SSL.VALIDATE=1 + +Of course, the file paths above are suggestions only; you can modify as +needed. The HTTP.SSL.CERTIFICATE and HTTP.SSL.KEY entries should have +same value, which is the file path for the certificate produced by +MyProxyLogon. The HTTP.SSL.CAPATH entry should be the path to the +"certificates" directory produced by MyProxyLogon. + +As noted, also uses re-direction based authentication. So, when it +receives an initial connection from a client, it redirects to a separate +authentication server. When that server has authenticated the client, it +redirects back to the original url to complete the request. + +### Script for creating Stores -

Script for creating Stores

The following script shows in detail how to actually construct the key -and trust stores. It is specific to the format of the globus file -as it was when ESG support was first added. It may have changed -since then, in which case, you will need to seek some help -in fixing this script. It would help if you communicated -what you changed to the author so this document can be updated. -
-#!/bin/sh -x
-KEYSTORE="esgkeystore"
-TRUSTSTORE="esgtruststore"
-GLOBUS="globus"
-TRUSTROOT="certificates"
-CERT="x509up_u13615"
-TRUSTROOTPATH="$GLOBUS/$TRUSTROOT"
-CERTFILE="$GLOBUS/$CERT"
-PWD="password"
+and trust stores. It is specific to the format of the globus file as it
+was when ESG support was first added. It may have changed since then, in
+which case, you will need to seek some help in fixing this script. It
+would help if you communicated what you changed to the author so this
+document can be updated.
 
-D="-Dglobus=$GLOBUS"
-CCP="bcprov-jdk16-145.jar" 
-CP="./build:${CCP}" 
-JAR="myproxy.jar"
+    #!/bin/sh -x
+    KEYSTORE="esgkeystore"
+    TRUSTSTORE="esgtruststore"
+    GLOBUS="globus"
+    TRUSTROOT="certificates"
+    CERT="x509up_u13615"
+    TRUSTROOTPATH="$GLOBUS/$TRUSTROOT"
+    CERTFILE="$GLOBUS/$CERT"
+    PWD="password"
 
-# Initialize needed directories
-rm -fr build
-mkdir build
-rm -fr $GLOBUS
-mkdir $GLOBUS
-rm -f $KEYSTORE
-rm -f $TRUSTSTORE
+    D="-Dglobus=$GLOBUS"
+    CCP="bcprov-jdk16-145.jar" 
+    CP="./build:${CCP}" 
+    JAR="myproxy.jar"
 
-# Compile MyProxyCmd and ImportKey
-javac -d ./build -classpath "$CCP" *.java
-javac -d ./build ImportKey.java
+    # Initialize needed directories
+    rm -fr build
+    mkdir build
+    rm -fr $GLOBUS
+    mkdir $GLOBUS
+    rm -f $KEYSTORE
+    rm -f $TRUSTSTORE
 
-# Execute MyProxyCmd
-java -cp "$CP myproxy.MyProxyCmd
+    # Compile MyProxyCmd and ImportKey
+    javac -d ./build -classpath "$CCP" *.java
+    javac -d ./build ImportKey.java
 
-# Build the keystore
-openssl pkcs8 -topk8 -nocrypt -in $CERTFILE -inform PEM -out key.der -outform DER
-openssl x509 -in $CERTFILE -inform PEM -out cert.der -outform DER
-java -Dkeypassword=$PWD -Dkeystore=./${KEYSTORE} -cp ./build ImportKey key.der cert.der
+    # Execute MyProxyCmd
+    java -cp "$CP myproxy.MyProxyCmd
 
-# Clean up the certificates in the globus directory
-for c in ${TRUSTROOTPATH}/*.0 ; do
-    alias=`basename $c .0`
-    sed -e '0,/---/d' <$c >/tmp/${alias}
-    echo "-----BEGIN CERTIFICATE-----" >$c       
-    cat /tmp/${alias} >>$c
-done
- 
-# Build the truststore
-for c in ${TRUSTROOTPATH}/*.0 ; do
-    alias=`basename $c .0`
-    echo "adding: $TRUSTROOTPATH/${c}"
-    echo "alias: $alias"
-    yes | keytool -trustcacerts -storepass "$PWD" -v -keystore ./$TRUSTSTORE -alias $alias -importcert -file "${c}"
-done
-exit
-
+ # Build the keystore + openssl pkcs8 -topk8 -nocrypt -in $CERTFILE -inform PEM -out key.der -outform DER + openssl x509 -in $CERTFILE -inform PEM -out cert.der -outform DER + java -Dkeypassword=$PWD -Dkeystore=./${KEYSTORE} -cp ./build ImportKey key.der cert.der - - + # Clean up the certificates in the globus directory + for c in ${TRUSTROOTPATH}/*.0 ; do + alias=`basename $c .0` + sed -e '0,/---/d' <$c >/tmp/${alias} + echo "-----BEGIN CERTIFICATE-----" >$c + cat /tmp/${alias} >>$c + done + + # Build the truststore + for c in ${TRUSTROOTPATH}/*.0 ; do + alias=`basename $c .0` + echo "adding: $TRUSTROOTPATH/${c}" + echo "alias: $alias" + yes | keytool -trustcacerts -storepass "$PWD" -v -keystore ./$TRUSTSTORE -alias $alias -importcert -file "${c}" + done + exit From 078013c0d1813876a54d67fbc2b7f617d9356e42 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Thu, 23 Apr 2015 15:42:41 -0600 Subject: [PATCH 13/18] Corrected an undefined reference warning in install.md --- docs/auth.md | 6 +++--- docs/install.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/auth.md b/docs/auth.md index 81a056b85..8861c73e8 100644 --- a/docs/auth.md +++ b/docs/auth.md @@ -3,11 +3,11 @@ OC Authorization Support {#auth} [TOC] -###### Author: Dennis Heimbigner\ +###### Author: Dennis Heimbigner dmh at ucar dot edu -###### Draft: 11/21/2014\ - Last Revised: 12/23/2014\ +###### Draft: 11/21/2014 + Last Revised: 12/23/2014 OC Version 2.1 ###### Table of Contents {.break} diff --git a/docs/install.md b/docs/install.md index 320e89838..1c4eab073 100644 --- a/docs/install.md +++ b/docs/install.md @@ -175,7 +175,7 @@ Building netCDF with Classic Library Only {#build_classic} It is possible to build the netCDF C libraries and utilities so that only the netCDF classic and 64-bit offset formats are supported, or -the remote data access client is not built. (See \ref netCDF_format +the remote data access client is not built. (See \ref netcdf_format for more information about the netCDF format variants. See the DAP documentation and support site for more information about remote client access to From 55da4d296ec06be2d44cbc34dbf44add1ef3c0ab Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Fri, 24 Apr 2015 10:20:38 -0600 Subject: [PATCH 14/18] Added hdf5/netcdf-4 back to travis-ci tests. --- .travis.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index c83c600e9..ab6f3e063 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,10 +9,16 @@ before_install: - sudo apt-get update -qq - sudo apt-get install -y -qq libcurl4-openssl-dev m4 wget autoconf libtool clang + # We need to install hdf5. + # hdf5-1.8.14.tar.bz2 + - wget http://www.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8.14/hdf5-1.8.14.tar.bz2 + - tar -jxf hdf5-1.8.14.tar.bz2 + - cd hdf5-1.8.14 && ./configure --enable-shared --disable-static --disable-fortran --enable-hl --disable-fortran --prefix=/usr && make -j 4 && make install + before_script: - autoreconf -if - - ./configure --disable-netcdf-4 + - ./configure --enable-extra-tests script: - - make + - make -j 4 - LD_LIBRARY_PATH=/usr/local/lib make check From 39665005dfb4ca36d42fe9fcdb2d13193a7dd9ff Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Fri, 24 Apr 2015 10:36:35 -0600 Subject: [PATCH 15/18] Corrected typo in hdf5 download path. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ab6f3e063..369bd10d1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,7 +11,7 @@ before_install: # We need to install hdf5. # hdf5-1.8.14.tar.bz2 - - wget http://www.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8.14/hdf5-1.8.14.tar.bz2 + - wget http://www.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8.14/src/hdf5-1.8.14.tar.bz2 - tar -jxf hdf5-1.8.14.tar.bz2 - cd hdf5-1.8.14 && ./configure --enable-shared --disable-static --disable-fortran --enable-hl --disable-fortran --prefix=/usr && make -j 4 && make install From 6f4ecdc2d0849580d6eef12521da3f7d773a2066 Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Fri, 24 Apr 2015 10:53:44 -0600 Subject: [PATCH 16/18] Travis-ci tweak. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 369bd10d1..778a147bd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,7 +13,7 @@ before_install: # hdf5-1.8.14.tar.bz2 - wget http://www.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8.14/src/hdf5-1.8.14.tar.bz2 - tar -jxf hdf5-1.8.14.tar.bz2 - - cd hdf5-1.8.14 && ./configure --enable-shared --disable-static --disable-fortran --enable-hl --disable-fortran --prefix=/usr && make -j 4 && make install + - cd hdf5-1.8.14 && ./configure --enable-shared --disable-static --disable-fortran --enable-hl --disable-fortran --prefix=/usr && make -j 4 && sudo make install before_script: - autoreconf -if From 434a2c92ffaebabacd87716a54a23bb423b723bc Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Fri, 24 Apr 2015 11:16:27 -0600 Subject: [PATCH 17/18] Travis-ci tweaks. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 778a147bd..7d38e11c2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,7 +18,7 @@ before_install: before_script: - autoreconf -if - ./configure --enable-extra-tests - + - cd .. script: - make -j 4 - LD_LIBRARY_PATH=/usr/local/lib make check From 79360d871aef89279a87d876b7c0b45fdda8692a Mon Sep 17 00:00:00 2001 From: Ward Fisher Date: Fri, 24 Apr 2015 11:28:16 -0600 Subject: [PATCH 18/18] Fixed yet another travis-ci typo. --- .travis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 7d38e11c2..ade04a81d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,11 +14,12 @@ before_install: - wget http://www.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8.14/src/hdf5-1.8.14.tar.bz2 - tar -jxf hdf5-1.8.14.tar.bz2 - cd hdf5-1.8.14 && ./configure --enable-shared --disable-static --disable-fortran --enable-hl --disable-fortran --prefix=/usr && make -j 4 && sudo make install + - cd .. before_script: - autoreconf -if - ./configure --enable-extra-tests - - cd .. + script: - make -j 4 - LD_LIBRARY_PATH=/usr/local/lib make check