INFSO-RI-223782 ETICS Local Setup Experiences: A Case Study for Installation at Customers Location. 4th All Hands Meeting, Uwe Müller-Wilm, VEGA, Bologna, Nov.

Presentation transcript:

INFSO-RI ETICS Local Setup Experiences: A Case Study for Installation at Customers Location. 4th All Hands Meeting, Uwe Müller-Wilm, VEGA, Bologna, Nov. 2009

INFSO-RI Bologna, Nov. 2009 Local SetUp Experiences

VEGA's Sandbox
- 2 servers, both based on SL4 CERN templates:
  - etics.vega.de: ConfigurationWS
  - etics-rep.vega.de: RepositoryWS
- 2 worker nodes: SL4 (CERN template); SLES9 (custom made, integrates ESOC patches)
- Works on: VMware ESX Server
- Customisation: access restriction

1. Deployment Scripts

The deployment scripts for the ETICS WS and the Repository WS are fairly OK. Only pitfall: configure only one purpose on each of the two machines. Otherwise you get a mixture of both services, even though the scripts offer you the option to specify ETICS WS or Repository WS.

Problems start with the installation of the ETICS client and the NMI scripts needed for remote builds (and plugins) if your system is located inside an isolated environment (no access to etics.cern.ch).

2. NMI Scripts

The scripts for NMI are packed in tgz format and are located (on our system) on the Configuration WS under:
/opt/etics/etc/nmi/etics-nmi-scripts.tar.gz

They have to be adapted, as they all contain references to

Example: there is a script post_all which establishes a link to /afs.cern, something you probably do not have on your local system.

Workaround: untar the scripts, grep for cern and replace accordingly. Then tgz again.

3. Adaptation of ETICS Client

etics-client-setup.py is (in our case) located under /var/www/html/archive on the Repository WS and will be called via: wget

have to be adapted as well, as there are references to

This has to be done every time a new client is released, so it is recommended to prepare a patch and apply the changes automatically.

4. Build System Client Package

The etics build-system-client package, which is called from the etics-client-setup.py script, must be accessible from the ETICS configuration server. In our installation it is located under:
/var/www/html/archive/org.etics/org.etics.build-system.client-py

It contains a tar.gz file, which includes a template for the etics.conf script used during remote builds. By default this script tries to contact etics.cern.ch, so the remote build always fails. If you have internet access, this server will be used for remote builds, even if you "think" you are working on your local system.

5. Plugins

All plugins which should be used are of course also expected under:
/var/www/html/archive/org.etics/org.etics.plugins...

Same procedure: if a plugin fails, it is very probable that a reference to is given. This has to be corrected. This is also true for every mail addressing etics.cern.ch etc.
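The workaround from slides 2 to 5 (unpack, grep for cern, replace, repack) written as a script; this is an added example, not ETICS or VEGA code. Host names are passed as arguments, and the final audit pattern cern follows the slide's grep: anything other than the host name, such as the AFS link in post_all, is reported rather than rewritten.

```shell
#!/bin/sh
# Added example, not ETICS code. Host names are arguments; none are read from ETICS.

# localize_tarball IN.tgz OLD_HOST NEW_HOST OUT.tgz
# Unpack IN, replace OLD_HOST by NEW_HOST in text files, repack as OUT.
# Prints the number of files that were changed.
localize_tarball() {
    src=$1 old=$2 new=$3 out=$4
    work=$(mktemp -d) || return 2
    tar -xzf "$src" -C "$work" || { rm -rf "$work"; return 2; }
    # Escape sed metacharacters so the "." in a host name matches literally.
    old_re=$(printf '%s' "$old" | sed -e 's/[]\/$*.^[]/\\&/g')
    new_re=$(printf '%s' "$new" | sed -e 's/[\/&]/\\&/g')
    # -I skips binary files, -F treats the host as a fixed string.
    grep -rlIF -- "$old" "$work" > "$work.list" || true
    changed=0
    while IFS= read -r f; do
        # Write back through cat so the file keeps its mode (scripts stay executable).
        sed -e "s/$old_re/$new_re/g" "$f" > "$f.new" && cat "$f.new" > "$f"
        rm -f "$f.new"
        changed=$((changed + 1))
    done < "$work.list"
    tar -czf "$out" -C "$work" .
    rm -rf "$work" "$work.list"
    echo "$changed"
}

# audit_tarball FILE.tgz PATTERN...
# Print every line that still contains one of the fixed strings.
# Returns 0 when clean, 1 when a reference is left, 2 on unpack errors.
audit_tarball() {
    tgz=$1; shift
    work=$(mktemp -d) || return 2
    tar -xzf "$tgz" -C "$work" || { rm -rf "$work"; return 2; }
    hits=0
    for pat in "$@"; do
        if (cd "$work" && grep -rnIF -- "$pat" .); then hits=1; fi
    done
    rm -rf "$work"
    return "$hits"
}

# Usage: sh localize.sh IN.tgz OLD_HOST NEW_HOST OUT.tgz
if [ "$#" -eq 4 ]; then
    localize_tarball "$@" >/dev/null && audit_tarball "$4" "$2" cern
fi
```

A non-zero exit from the audit means a reference survived the host rewrite and needs a manual fix before the tarball goes back into the local archive.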

6. ETICS Access Filter

The access filter restricts all access to the ETICS server to those users who
1. have a valid certificate and
2. are registered in the ETICS User DB.

For this purpose, http via port 80 has to be disabled in the Apache conf.

This works fine; however, some issues again have to be considered for remote builds. etics.conf (see above) has default settings which
1. do not point to any certificate,
2. but use https as the standard protocol.

After the access filters were implemented, such requests were rejected, as no valid certificates had been found, and the ETICS client stopped here, as http access was disabled.

ETICS Access Filter, Solution

- Modify the etics.conf in your local archive so that by default it points to the correct certificates of the worker node (which are expected under /etc/grid-security).
- Insert the userDN of the certificate of the WN in the user table and make it active.

Now the WN can identify itself at the ETICS server as an authorized user and the remote build passes. You can completely disable access via http, port 80.

Resumee: It Works, but...

The deployment scripts for eticsWS and eticsRep are fairly portable, with some minor exceptions (mail direction etc.); however, the ETICS client setup and the plugins need to be reviewed to be really system independent.

If I transfer my experiences to a customer who might invest no more than 14 days to set up the system, I'm pretty sure that we will not get many successfully deployed systems without concrete improvement of the identified open issues.

However, the problems are identified and can be fixed without too much effort, which is good news.

7. Firewall Issues

Current firewall restrictions at the VEGA corporate network:
- No opening of a dynamic range of ports is allowed from the DMZ to the Integration Network. 20 ports for each WN are a minimum for NMI. ==> This disallows the usage of condor master + submitter in the DMZ and condor worker in the Integration Network (behind the firewall).
- No web servers accessible from the internet are allowed in the Corporate Network.
- No web servers accessible from the internet are allowed in the Integration Network.

Consequences

This rules out moving ETICS behind the firewall and making it accessible via https over ssh port tunneling from the DMZ to the Integration Network. This solution would probably be technically possible, but it is not allowed from a security point of view.

Current temporary solution, which is implemented: the WNs are in the DMZ ==> no firewall problem. Sufficient for demos, but not a final integration for a production system.

Long-term solution: Condor web services interface with a defined number of open ports (https)? This could probably be established once the final decision is taken that VEGA uses ETICS as an official development tool.

Topics to Discuss

- Usage of Generic Connection Brokering (GCB)?
- Question: Are there any better (and more elegant) configuration alternatives - Condor WS ???

All these topics can be found on the internal SA1 Wiki: