mirror/netcdf-c
2
0
Fork 0
mirror of https://github.com/Unidata/netcdf-c.git synced 2024-12-15 08:30:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
4bf7e6f964
netcdf-c/docs/esg.md
Ward Fisher 530ff30ae1 More doxygen tweaks.
2016-01-15 12:23:56 -07:00

224 lines
7.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Accessing ESG Data Through netCDF {#esg}
=================================
[TOC]
Introduction {#esg_intro}
==================
It is possible to access Earth Systems Grid (ESG) datasets from ESG
servers through the netCDF API. This requires building the netCDF
library with DAP2 protocol support using the "--enable-dap" flag to the
configure program.
In order to access ESG datasets, however, it is necessary to register as
a user with ESG and to setup your environment so that proper
authentication is established between a netCDF client program and the
ESG data server. Specifically, it is necessary to use what is called
"client-side keys" to enable this authentication. Normally, when a
client accesses a server in a secure fashion (using "https"), the server
provides an authentication certificate to the client. With client-side
keys, the client must also provide a certificate to the server so that
the server can know with whom it is communicating.
It is possible to set up the netCDF library to use client-side keys,
although the process is somewhat complicated. The DAP2 support in netCDF
uses the *curl* library and it is that underlying library that must be
properly configured.
Terminology {#esg_term}
==================
The key elements for client-side keys requires the constructions of two
"stores" on the client side.
- Keystore - a repository to hold the client side key.
- Truststore - a repository to hold a chain of certificates that can
be used to validate the certificate sent by the server to
the client.
The server actually has a similar set of stores, but the client need not
be concerned with those.
Initial Steps {#esg_initial_steps}
==================
The first step is to obtain authorization from ESG. Note that this
information may evolve over time, and may be out of date. This
discussion is in terms of BADC ESG. You will need to substitute the ESG
site for BADC in the following.
1. Register at http://badc.nerc.ac.uk/register to obtain access to badc
and to obtain an openid, which will looks something like:
https://ceda.ac.uk/openid/Firstname.Lastname
2. Ask BADC for access to whatever datasets are of interest.
3. Obtain short term credentials at
http://grid.ncsa.illinois.edu/myproxy/MyProxyLogon/ You will need to
download and run the MyProxyLogon program. This will create a
keyfile in, typically, the directory globus. The keyfile will have a
name similar to this: x509up\_u13615 The other elements in
\~/.globus are certificates to use in validating the certificate
your client gets from the server.
4. Obtain the program source ImportKey.java from this location:
http://www.agentbob.info/agentbob/79-AB.html (read the whole page,
it will help you understand the remaining steps).
Building the KeyStore {#esg_keystore}
==================
You will have to modify the keyfile in the previous step and then create
a keystore and install the key and a certificate. The commands are
these:
openssl pkcs8 -topk8 -nocrypt -in x509up_u13615 -inform PEM -out key.der -outform DER
openssl x509 -in x509up_u13615 -inform PEM -out cert.der -outform DER
java -classpath -Dkeypassword="" -Dkeystore=./ key.der cert.der
Note, the file names "key.der" and "cert.der" can be whatever you
choose. It is probably best to leave the .der extension, though.
Building the TrustStore {#esg_truststore}
==================
Building the truststore is a bit tricky because as provided, the
certificates in "globus" need some massaging. See the script below for
the details. The primary command is this, which is executed for every
certificate, c, in globus. It sticks the certificate into the file named
"truststore"
keytool -trustcacerts -storepass "password" -v -keystore "truststore" -importcert -file "${c}"
Running the C Client {#esg_c_client}
==================
The file ".dodsrc" is used to configure curl. This file must reside
either in the current directory or in your home directory. It has lines
of the form
- KEY=VALUE, or
- \[http//x.y/\]KEY=VALUE
The first form provides a configuration parameter that applies to all
DAP2 accesses. The second form only applies to accesses to the server at
"x.y".
The following keys must be set in ".dodsrc" to support ESG access.
- HTTP.SSL.VALIDATE=1
- HTTP.COOKIEJAR=.dods\_cookies
- HTTP.SSL.CERTIFICATE=esgkeystore
- HTTP.SSL.KEY=esgkeystore
- HTTP.SSL.CAPATH=.globus
For ESG, the HTTP.SSL.CERTIFICATE and HTTP.SSL.KEY entries should have
same value, which is the file path for the certificate produced by
MyProxyLogon. The HTTP.SSL.CAPATH entry should be the path to the
"certificates" directory produced by MyProxyLogon.
Running the Java Client {#esg_java_client}
==================
If you are using the Java netCDF client, then you need to add some
parameters to the "java" command. Specifically, add the following flags.
-Dkeystore="path to keystore file" -Dkeystorepassword="keystore password"
Script for creating Stores {#esg_script}
==================
The following script shows in detail how to actually construct the key
and trust stores. It is specific to the format of the globus file as it
was when ESG support was first added. It may have changed since then, in
which case, you will need to seek some help in fixing this script. It
would help if you communicated what you changed to the author so this
document can be updated.
#!/bin/sh -x
KEYSTORE="esgkeystore"
TRUSTSTORE="esgtruststore"
GLOBUS="globus"
TRUSTROOT="certificates"
CERT="x509up_u13615"
TRUSTROOTPATH="$GLOBUS/$TRUSTROOT"
CERTFILE="$GLOBUS/$CERT"
PWD="password"
D="-Dglobus=$GLOBUS"
CCP="bcprov-jdk16-145.jar"
CP="./build:${CCP}"
JAR="myproxy.jar"
# Initialize needed directories
rm -fr build
mkdir build
rm -fr $GLOBUS
mkdir $GLOBUS
rm -f $KEYSTORE
rm -f $TRUSTSTORE
# Compile MyProxyCmd and ImportKey
javac -d ./build -classpath "$CCP" *.java
javac -d ./build ImportKey.java
# Execute MyProxyCmd
java -cp "$CP myproxy.MyProxyCmd
# Build the keystore
openssl pkcs8 -topk8 -nocrypt -in $CERTFILE -inform PEM -out key.der -outform DER
openssl x509 -in $CERTFILE -inform PEM -out cert.der -outform DER
java -Dkeypassword=$PWD -Dkeystore=./${KEYSTORE} -cp ./build ImportKey key.der cert.der
# Clean up the certificates in the globus directory
for c in ${TRUSTROOTPATH}/*.0 ; do
alias=`basename $c .0`
sed -e '0,/---/d' <$c >/tmp/${alias}
echo "-----BEGIN CERTIFICATE-----" >$c
cat /tmp/${alias} >>$c
done
# Build the truststore
for c in ${TRUSTROOTPATH}/*.0 ; do
alias=`basename $c .0`
echo "adding: $TRUSTROOTPATH/${c}"
echo "alias: $alias"
yes | keytool -trustcacerts -storepass "$PWD" -v -keystore ./$TRUSTSTORE -alias $alias -importcert -file "${c}"
done
exit
Change Log {#esg_change_log}
==================
**Version 1.0:**
- 10/17/2013 Initial Release
Document Information {#esg_doc_info}
==================
------------------------------------------------------------------------
Created:
10/17/2013
Last Revised:
10/17/2013\
Version:
1.0
Author:
Dennis Heimbigner
Affiliation:
Unidata/UCAR
email:
dmh@unida.ucar.edu
------------------------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink