Hyrax - Administrators Interface: Difference between revisions

From OPeNDAP Documentation
No edit summary
Line 100: Line 100:


== OLFS Log Viewer ==
== OLFS Log Viewer ==
== BES Log Viewer ==
== BES Controls ==
== BES Controls ==

Revision as of 23:22, 8 August 2011

Overview

Installation & Configuration

BES

The HAI is a regular part of the BES; it is not a module that needs to be added. It only needs to be enabled by editing the BES configuration file and restarting the BES.

how-to

Edit the file $HYRAX_HOME/etc/bes.conf and uncomment this line:

    BES.DaemonPort=11002

Restart the BES and you're ready.


OLFS

The HAI is a regular part of the OLFS distribution and simply needs to be enabled by configuring the OLFS to communicate with the BES admin port, and by configuring Tomcat to allow you to access the UI.

olfs.xml

In the $CATALINA_HOME/content/opendap/olfs.xml file you will need to add (or uncomment) the following for each BES:

    <adminPort>11002</adminPort>

You will need to manually verify that the value of the adminPort element is the same as the BES.DaemonPort parameter specified in the bes.conf file for that BES instance.
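
The manual check described above can be scripted. This is an added example, not part of the Hyrax documentation or code; it assumes bes.conf marks comments with `#` and that olfs.xml is well-formed XML, and the `<OLFSConfig>`/`<BES>` wrapper elements in the sample data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def daemon_port(bes_conf_text):
    """Active BES.DaemonPort value, or None if absent or still commented out."""
    for line in bes_conf_text.splitlines():
        # A line starting with '#' does not match, so a commented-out setting is ignored.
        m = re.match(r"\s*BES\.DaemonPort\s*=\s*(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return None

def admin_ports(olfs_xml_text):
    """All active <adminPort> values; XML comments are dropped by the parser."""
    root = ET.fromstring(olfs_xml_text)
    return [int(e.text) for e in root.iter("adminPort")
            if e.text and e.text.strip().isdigit()]

def check_hai_ports(bes_conf_text, olfs_xml_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    bes = daemon_port(bes_conf_text)
    olfs = admin_ports(olfs_xml_text)
    if bes is None:
        findings.append("bes.conf: BES.DaemonPort is missing or commented out")
    if not olfs:
        findings.append("olfs.xml: no active <adminPort> element")
    elif bes is not None and bes not in olfs:
        findings.append(f"olfs.xml: no adminPort equals BES.DaemonPort {bes} (found {olfs})")
    return findings

# Constructed sample inputs (wrapper element names are assumptions).
BES_CONF_ENABLED = "# constructed sample\nBES.DaemonPort=11002\n"
BES_CONF_DISABLED = "# constructed sample\n#BES.DaemonPort=11002\n"
OLFS_OK = "<OLFSConfig><BES><adminPort>11002</adminPort></BES></OLFSConfig>"
OLFS_WRONG = "<OLFSConfig><BES><adminPort>11003</adminPort></BES></OLFSConfig>"
OLFS_COMMENTED = "<OLFSConfig><BES><!-- <adminPort>11002</adminPort> --></BES></OLFSConfig>"

if __name__ == "__main__":
    for conf, xml in [(BES_CONF_ENABLED, OLFS_OK), (BES_CONF_DISABLED, OLFS_OK),
                      (BES_CONF_ENABLED, OLFS_WRONG), (BES_CONF_ENABLED, OLFS_COMMENTED)]:
        print(check_hai_ports(conf, xml) or "ports agree")
```

To check a real installation, pass the contents of $HYRAX_HOME/etc/bes.conf and $CATALINA_HOME/content/opendap/olfs.xml to `check_hai_ports`.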

Tomcat Users

You will need to configure Tomcat to support container-managed security, by connecting to an existing "database" (aka Realm) of usernames, passwords, and user roles. Tomcat supports several authentication Realms including LDAP. What follows are simple instructions for getting a Memory-Realm working. The Memory-Realm is not for production use, and the example is provided only as a means by which to easily demonstrate and allow one to test the HAI features.

Look here for more information on Tomcat and other authentication Realms.

how-to
  1. Edit the file $CATALINA_HOME/conf/tomcat-users.xml
  2. Add a user whose role is "manager":
    <user username="admin" password="foo" roles="manager" />
    And be sure to make the password something better than "foo".

Note that because the HAI is a web-based interface, with secure logins using SSL, you can use the interface with your server from anywhere in the world. It might be a good idea, however, to limit the IP addresses that can access the HAI.

Tomcat SSL

In order to use the HAI you will need to configure your Tomcat instance to enable SSL. How to accomplish this is covered in detail here at the Tomcat site.

how-to

From their Quick Start section:

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.
1. Create a certificate keystore by executing the following command:
   Windows:
       %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
   Unix:
       $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
   and specify a password value of "changeit".
2. Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_BASE/conf/server.xml and modify as described in the Configuration section.

Olfs Details

The HAI servlet (as part of the Hyrax web application) utilizes a <security-constraint> element, and a <login-config> element that define how administrators are required to authenticate themselves.

In the case of the HAI we use BASIC authentication over an SSL channel. The <transport-guarantee> ensures that the URLs defined in the <web-resource-collection> can only be accessed via a secure channel:


   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Hyrax Admin Interface</web-resource-name>
           <url-pattern>/hai/*</url-pattern>
           <url-pattern>/docs/admin/*</url-pattern>
       </web-resource-collection>
 
       <auth-constraint>
           <role-name>manager</role-name>
       </auth-constraint>

       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

Using the Hyrax Admin Interface

Note: We often refer to the interface as either the HAI or just the interface.

To access the interface, use the following URLs:

  • https://localhost:8443/opendap/docs/admin/index.jsp or https://localhost:8443/opendap/docs/admin/
  • http://localhost:8080/opendap/docs/admin

You will need to login using a user who is assigned the manager role as described above.

Once logged in, you will see a page with several links. Each one takes you to a different part of the interface so you can easily open them as tabs or separate windows in your browser.

Note that because the HAI is a web-based interface, with secure logins using SSL, you can use the interface with your server from anywhere in the world. It might be a good idea, however, to limit the IP addresses that can access the HAI.

OLFS Log Viewer

BES Controls