Hyrax Installation

1
Hyrax Installation

• Advanced Topics

2
Advanced Topics

• THREDDS Catalog Configuration
• Apache Integration
• Configuring for multiple BESs
• Logging
• Authentication and Authorization
• TLS / SSL
• System Security

3
Hyrax

• THREDDS Catalog Configuration

4
Hyrax THREDDS Configuration

• THREDDS catalogs are configured by editing the
  fileCATALINA_HOME/content/opendap/catalog.xml
• Other files may be added to the catalog, but the
  catalog must start with the catalog.xml file.

5
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt
• ltaddDatasetSize /gt

6
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt
• ltaddDatasetSize /gt

Defines the service. Do not change this unless
you change the context under which Hyrax is
running.
7
Hyrax THREDDS Configuration
The ltdatasetScangt element is used by THREDDS to
automatically generate catalogs.

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt
• ltaddDatasetSize /gt

8
Hyrax THREDDS Configuration

• For each collection that appears in the top level
  of the OPeNDAP directory responsehttp//localho
  st8080/opendap/contents.html You MUST create a
  ltdatasetScangt in the catalog.xml file.
• The THREDDS catalog views will NOT include a
  collection for which this is not done! ?

9
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt

10
Hyrax THREDDS Configuration

• In each ltdatasetScangt element that you create you
  MUST use the following element
• ltcrawlableDatasetImpl className"opendap.bes.BESCr
  awlableDataset" /gt
• This is the only CrawlableDataset implementation
  available in Hyrax!?

11
Hyrax THREDDS Configuration

• The location attribute of the ltdatasetScangt
  element must always begin with the prefix "/bes".
  
• So if you have a top level collection named foo
  then the location attribute will
  belocation/bes/foo

12
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt

13
Hyrax THREDDS Configuration

• The service attribute in the ltdatasetScangt
  element must be set to "OPeNDAP-Hyrax".
  serviceOPeNDAP-Hyrax

14
Hyrax THREDDS Configuration

• The path attribute in the ltdatasetScangt element
  appears in the URL after the servlet name, and
  MUST be the same as the value of the location
  attribute with the leading "/bes/" removed.
• It MUST NOT start with a "/" character.

15
Hyrax THREDDS Configuration

• For example, if you have a top level collection
  in the BES called foo then the location and path
  attributes would look like thislocation/bes/f
  oopathfoo

16
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt

17
Hyrax THREDDS Configuration

• You should apply a filter to the data that
  coincides with the value of the
  "BES.Catalog.catalog.TypeMatch" for the data
  types being served.
• Make the filter expose ALL of the data types
  served by the BES and none of the non-data files.

18
Hyrax THREDDS Configuration

• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true" /gt
• ltinclude wildcard"" /gt
• lt/filtergt
• Excludes files starting with a dot (.)
  character and includes everything else. Not as
  sophisticated as you might want.

19
Hyrax THREDDS Configuration

• It would be wise to study the BES configuration
  and make the THREDDS ltfiltergt element and the
  BES.Catalog.catalog.TypeMatch strings resolve the
  same files.

20
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt

If you want THREDDS to show the sizes of your
data sets you need to add a ltaddDatasetSize /gt
element to your ltdatasetScangt element.
21
Hyrax THREDDS Configuration

• catalog.xml
• ltcataloggt
• ltservice name"OPeNDAP-Hyrax"
  serviceType"OPeNDAP" base"/opendap/"/gt
• ltdatasetScan location"/bes/data" path"data"
  name"SVN Test Data Archive" serviceName"OPeNDAP-
  Hyrax"gt
• ltmetadata inherited"true"gt
• ltserviceNamegtOPeNDAP-Hyraxlt/serviceNam
  egt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• ltcrawlableDatasetImpl className"opendap.b
  es.BESCrawlableDataset" /gt
• ltfiltergt
• ltexclude wildcard"." atomic"true"
  collection"true"/gt
• ltinclude wildcard""/gt
• lt/filtergt

22
Hyrax THREDDS Configuration

• Add metadata as you see fit
• ltmetadata inherited"true"gt
• ltauthoritygtopendap.orglt/authoritygt
• lt/metadatagt
• Metadata can be inherited by setting the
  inherited attribute to true.
• The content of the ltmetadatagt element is
  controlled by the THREDDS schema and is not an
  open invitation to add random stuff.

23
Hyrax THREDDS Configuration

• Configuration Summary
• Each collection at the top level in the BES must
  have an associated ltdatasetScangt element in the
  catalog.xml file.
• You must use the BESCrawlableDataset
  implementation.
• The location attribute must start with the prefix
  /bes

24
Hyrax THREDDS Configuration

• Configuration Summary
• The service attribute must correspond to the name
  of the OPeNDAP service declared at the top of the
  catalog (typically OPeNDAP-Hyrax)
• The path attribute in ltdatasetScangt must be the
  same value as the location attribute with the
  prefix /bes removed.

25
Hyrax THREDDS Configuration

• Configuration Summary
• You should add a ltfiltergt element to remove items
  from the catalog that the BES does not recognize
  as data. (Such as README files)
• Add a ltaddDatasetSize /gt element if you want the
  catalg to include the sizes of the data sets
  available.
• Add metadata.

26
Hyrax THREDDS Configuration

• Getting your changes recognized by Hyrax (a.k.a.
  Reinitializing THREDDS)
• Change the last modified date of the catalog.xml
  file and request a catalog.
• Or, simply Restart Tomcat.

27
Hyrax Installation

• Apache Integration

28
Hyrax Installation Apache Integration

• Using Hyrax with the Apache server is fairly
  simple.
• Requires both mod_rewrite and mod_proxy Apache
  modules.
• You may need to rebuild/compile your Apache
  installation to enable rewrite and proxy.

29
Hyrax Installation Apache Integration

• Edit Apache's httpd.conf file.
• Add the following lines to enable the rewrite
  module
• Enable the rewrite module
• RewriteEngine on
• Target it's logging somewhere useful
• RewriteLog /usr/local/apache2/logs/rewrite.log
  
• Turn on logging (Set to 0 to disable)
• RewriteLogLevel 2

30
Hyrax Installation Apache Integration

• Add the following lines to enable the proxy
  module
• Configure mod_proxy to disable
• everything except reverse proxies.
• ProxyRequests Off
• ltProxy gt
• Order deny,allow
• Allow from all
• lt/Proxygt

31
Hyrax Installation Apache Integration

• Uses a reverse proxy to enable mapping old
  OPeNDAP URL's to Tomcat
• RewriteRule /cgi-bin/nph-dods(.)
  http//ltltyour.servergtgt8080/opendap/hyrax/1 P
• RewriteRule /opendap(.) http//ltltyour.servergtgt8
  080/opendap/1 P

32
Hyrax Installation Apache Integration

• If you have AddEncoding directives in your Apache
  configuration, those will likely need to be
  replaced with AddType.
• If present, the AddEncoding directives will cause
  Apache 2.x to report that any page, such as the
  HTML form interface, is compressed, even though
  it is not.
• This problem can be very hard to track down.

33
Hyrax Installation Apache Integration

• AddEncoding allows you to have certain browsers
  uncompress
• information on the fly. Note Not all browsers
  support this.
• Despite the name similarity, the following Add
  directives
• have nothing to do with the FancyIndexing
  customization
• directives above
• AddEncoding x-compress .Z
• AddEncoding x-gzip .gz .tgz
• If the AddEncoding directives above are
  commented-out, then you
• probably should define those extensions to
  indicate media types
• AddType application/x-compress .Z
• AddType application/x-gzip .gz .tgz

34
Hyrax Installation Apache Integration

• Restart Apache (assuming Tomcat is already
  running) and you should be on your way.

35
Hyrax Installation

• Configuring for multiple BESs

36
Hyrax Installation Configuring for multiple
BESs

• The OLFS can be configured to work with multiple
  BES installations.
• Accomplished through configuration of the
  BESManager (a DispatchHandler) in the olfs.xml
  configuration file CATALINA_HOME/content/o
  pendap/olfs.xml
• Lets open that file now!

37
Hyrax Installation Configuring for multiple
BESs

• Each BES is identified using a separate ltBESgt
  child element inside of the ltHandlergt element
  that references the BESManager class.
• Each ltBESgt element has 4 child elements
• ltprefixgt
• lthostgt
• ltportgt
• ltClientPoolgt

38
Hyrax Installation Configuring for multiple
BESs

• ltprefixgt element
• This element contains the path prefix that the
  OLFS will associate with this BES. This provides
  a mapping for each BES connected to the OLFS to
  URI space serviced by the OLFS.
• There must one (and only one) ltBESgt element in
  the BESManager handler configuration whose prefix
  has a value of "/". There may be more than one
  ltBESgt but there must be at least that one.
• The prefix string must always begin with the
  slash ("/") character.

39
Hyrax Installation Configuring for multiple
BESs

• lthostgt element
• This element contains the host name or IP address
  of the BES.
• ltportgt element
• This element contains the port number on which
  the BES is listening.
• ltClientPoolgt element
• Controls the size of the pool of client
  connections that the OLFS maintains with the BES
  via the maximum attribute.

40
Hyrax Installation Configuring for multiple
BESs

• Single BES example
• ltHandler className"opendap.bes.BESManagergt
• ltBESgt ltprefixgt/lt/prefixgt
  lthostgtlocalhostlt/hostgt ltportgt10002lt/portgt
  ltClientPool maximum"10" /gtlt/BESgt
• lt/Handlergt

41
Hyrax Installation Configuring for multiple
BESs

• Configuring Hyrax to use multiple BESs is
  (almost) as simple as adding more ltBESgt elements
  to the BESManager configuration.
• For example
• ltHandler className"opendap.bes.BESManagergtltBESgt
  ltprefixgt/lt/prefixgt lthostgtserver1.opendap.or
  glt/hostgt ltportgt10002lt/portgt ltClientPool
  maximum"10" /gtlt/BESgtltBESgt
  ltprefixgt/avhrrlt/prefixgt lthostgtserver2.opendap.o
  rglt/hostgt ltportgt10002lt/portgt ltClientPool
  maximum"10" /gtlt/BESgtltBESgt
  ltprefixgt/sstlt/prefixgt lthostgtserver3.opendap.org
  lt/hostgt ltportgt10007lt/portgt ltClientPool
  maximum"10" /gtlt/BESgt
• lt/Handlergt

42
Hyrax Installation Configuring for multiple
BESs

• The first one is running on server1.opendap.org
  (possibly on the same system as the OLFS), the
  second on server2.opendap.org. The second BES is
  mapped to the prefix /avhrr.
• So the URL http//localhost8080/opendap/W
  ill return the directory view at the top level of
  the first BES, running on server1.opendap.org.
• The URL http//localhost8080/opendap/avhrr
  Will return the directory view at the top level
  of the second BES, running on server2.opendap.org.

43
Hyrax Installation Configuring for multiple
BESs

• Mount Points
• In a multiple BES installation each additional
  BES must have a mount point within the exposed
  hierarchy of collections for it to be visible in
  Hyrax.

44
Hyrax Installation Configuring for multiple
BESs

• Consider, if you have this configuration
• ltBESgt ltprefixgt/lt/prefixgt
  lthostgtserver1.opendap.orglt/hostgt
  ltportgt10002lt/portgt ltClientPool maximum"10"
  /gtlt/BESgt
• And the top level directory for the root BES
  looks like this

45
Hyrax Installation Configuring for multiple
BESs

• If you add a second BES. Like this
• ltBESgt ltprefixgt/lt/prefixgt
  lthostgtserver1.opendap.orglt/hostgt
  ltportgt10002lt/portgt ltClientPool maximum"10"
  /gtlt/BESgtltBESgt ltprefixgt/sstlt/prefixgt
  lthostgtserver2.opendap.orglt/hostgt
  ltportgt10002lt/portgt ltClientPool maximum"10"
  /gtlt/BESgt
• It will not appear in the top level directory
  unless you create a mount point.

46
Hyrax Installation Configuring for multiple
BESs

• This simply means that on the file system served
  by the root BES you would need to create a
  directory called "sst" in the top of the
  directory tree that the root BES is exposing.
• In other words, simply create a directory called
  "sst" in the same directory that contains the
  "Test" and "data" directories on
  server1.test.org.

47
Hyrax Installation Configuring for multiple
BESs

• After you did that your top level directory would
  look like this

48
Hyrax Installation Configuring for multiple
BESs

• BE CAREFUL
• Depending on how you organize your Hyrax
  configuration you may have to create multiple
  mount points across multiple systems for Hyrax to
  create the correct linkages between the various
  BES installations.

49
Hyrax Installation

• Logging

50
Hyrax Installation Logging

• Access Logging - Many people will want to record
  access logs for their Hyrax server. We want you
  to keep access logs for your Hyrax server. The
  easiest way to get a simple access log for Hyrax
  is to utilize the Tomcat/Catalina Valve Component
• Informational/Debug Logging - In general you
  shouldn't have to modify the default logging
  configuration for Hyrax. It may become necessary
  if you encounter problems, but otherwise I
  suggest you leave it be. Enabling it can both
  consume disk space and increase your security
  vulnerability.

51
Hyrax Installation Access Logging

• Since Hyrax's public facade is provided by the
  OLFS running inside of the Tomcat servlet
  container you may utilize Tomcat's handy access
  logging which relies on the org.apache.catalina.va
  lves.AccessLogValve class. By default Tomcat
  comes with this turned off. It can be easily
  enabled by editing an XML file in the Tomcat
  distribution.

52
Hyrax Installation Access Logging

• Enabling Access Logging
• Locate the file CATALINA_HOME/conf/servlet.xml
  
• Find the commented out section for the access log
  inside the ltHostgt element. The server.xml file
  contains a good deal of comments, both for
  instruction and containing code examples. The
  part you are looking for is nested inside of the
  ltServicegt and the ltEnginegt elements.

53
Hyrax Installation Access Logging

• ltService ...gt
• ltEngine...gt . . .
• ltHost name"localhost" appBase"webapps"
  unpackWARs"true" autoDeploy"true"
  xmlValidation"false" xmlNamespaceAware"false"
  gt. . .
• lt!-- Access log processes all requests for
  this virtual host. By default,
  log files are created in the "logs"
  directory relative to CATALINA_HOME. If you
  wish, you can specify a
  different directory with the "directory"
  attribute. Specify either a relative (to
  CATALINA_HOME) or absolute path
  to the desired directory. --gt
• lt!--
• ltValve className"org.apache.catalina.valves
  .AccessLogValve"
  directory"logs" prefix"localhost_access_log."
  suffix".txt" pattern"common"
  resolveHosts"false"/gt
• --/gt. . .
• lt/Hostgt
• lt/Enginegt
• lt/Servicegt

54
Hyrax Installation Access Logging

• You can uncomment the ltValvegt element to enable
  it and you can change the values of the various
  attributes to suite your localization.
• For example
• ltValve className"org.apache.catalina.valves.Acce
  ssLogValvedirectory"logsprefix"access_log.
  suffix".logpattern"h l u t quotrquot
  s b D" resolveHosts"false"/gt

55
Hyrax Installation Access Logging

• 3. Save the File
• 4. Restart Tomcat
• 5. Read your access logs.

56
Hyrax Installation Logging

• Informational and Debug Logging
• Hyrax uses the Log4j logging package to provide
  an easily configurable and flexible logging
  environment. All "console" output is routed
  through the Log4j package and can be controlled
  using the Log4j configuration file.
• Log4j allows the user to control logging output
  in a hierarchical manner from the (java) package
  down to the individual class level.

57
Hyrax Installation Debug Logging

• There are several logging levels available
• ?TRACE
• ?DEBUG
• ?INFO
• ?WARN
• ?ERROR
• ?FATAL
• The default logging level is ERROR.

58
Hyrax Installation Debug Logging

• If you want to customize your Hyrax debug
  logging, do it by copying the distributed
  log4j.xml file
• CATALINA_HOME/webapps/opendap/WEB-INF/log4j.xml
• To the in the persistent content directory
• CATALINA_HOME/content/opendap/log4j.xml
• and editing that copy.

59
Hyrax Installation Debug Logging

• Log4j uses Appenders to control the flow of
  logging output. There are a number of Appenders
  defined in the Hyrax log4j.xml file
• stdout - Loggers using this Appender will send
  everything to the console/stdout. In Tomcat this
  environment this will get shunted into the file
  CATALINA_HOME/logs/catalina.out
• devNull - Loggers using this Appender will not
  log. All messages will be discarded.
• ErrorLog - Loggers using this Appender will have
  their ouput placed in the error log file
  CATALINA_HOME/content/opendap/logs/error.log
• HyraxAccessLog - Loggers using this Appender will
  have their ouput placed in the error log file
  CATALINA_HOME/content/opendap/logs/HyraxAccess.lo
  g

60
Hyrax Installation Debug Logging

• You can turn on debugging level logging by
  changing the log level to DEBUG for the software
  components you are interested in. All of the
  OPeNDAP code is in the "opendap" package and all
  of the THREDDS code is in the "thredds" package.
• Thus
• ltlogger name"thredds"gt
• ltlevel valueERROR"/gt
• ltappender-ref ref"ErrorLog"/gt
• lt/loggergt
• ltlogger name"opendap"gt
• ltlevel valueERROR"/gt
• ltappender-ref ref"ErrorLog"/gt
• lt/loggergt
• Will cause all log messages of ERROR level or
  higher to be sent to the error log.

61
Hyrax Installation Debug Logging

• This configuration
• ltlogger name"thredds"gt
• ltlevel valueINFO"/gt
• ltappender-ref refstdout"/gt
• lt/loggergt
• ltlogger name"opendap"gt
• ltlevel valueINFO"/gt
• ltappender-ref refstdout"/gt
• lt/loggergt
• Will cause all messages of level INFO or higher
  to be sent to stdout, which (in Tomcat) means
  that they will get stuck in the
  fileTOMCAT_HOME/logs/catalina.out

62
Hyrax Installation Debug Logging

• This configuration
• ltlogger name"thredds"gt
• ltlevel valueALL"/gt
• ltappender-ref refdevNull"/gt
• lt/loggergt
• ltlogger name"opendap"gt
• ltlevel valueALL"/gt
• ltappender-ref refdevNull"/gt
• lt/loggergt
• Will cause all logging (except Hyrax access
  logging) to be discarded.

63
Hyrax Installation Debug Logging

• Hyrax access logging (not Tomcat access logging)
  can be disabled in a similar manner
• ltlogger nameHyraxAccess"gt
• ltlevel valueALL"/gt
• ltappender-ref refdevNull"/gt
• lt/loggergt
• ltlogger nameDocServletAccess"gt
• ltlevel valueALL"/gt
• ltappender-ref refdevNull"/gt
• lt/loggergt

64
Hyrax Installation Debug Logging

• Hyrax code contains significant debugging
  instrumentation that utilizes the Log4j logging.
• Turning on DEBUG level logging for all of the
  opendap or the thredds packages will result in
  very large log files. Really. Big ones.
• To debug the code it is better to turn on the
  instrumentation for smaller packages, or
  indivdual classes, by making new logger
  definitions in the log4j.xml file

65
Hyrax Installation Debug Logging

• For example, you can define a logger for a single
  class
• ltlogger name"opendap.bes.BES"gt
• ltlevel valueDEBUG"/gt
• lt/loggergt
• It will inherit the Appender of its parent
  package, but just turn up the volume for the
  specific class.

66
Hyrax Installation

• Authentication and Authorization

67
Hyrax Installation Authentication

• Hyrax currently relies on the security features
  implemented by Tomcat for authentication and
  authorization services.
• The Tomcat authentication model is based on
  Realms and roles.
• A Realm is a database of usernames and
  passwords that identify valid users of a web
  application.
• A role is similar to a UNIX group because access
  to to resources is granted to all users possesing
  a particular role. A particular user can have any
  number of roles.

68
Hyrax Installation Authentication

• Tomcat supports 5 standard plug-ins that support
  connections to various sources of authentication
  (Realms)

69
Hyrax Installation Authentication

• JDBCRealm - Accesses authentication information
  stored in a relational database, accessed via a
  JDBC driver.
• DataSourceRealm - Accesses authentication
  information stored in a relational database,
  accessed via a named JNDI JDBC DataSource.
• JNDIRealm - Accesses authentication information
  stored in an LDAP based directory server,
  accessed via a JNDI provider.

70
Hyrax Installation Authentication

• MemoryRealm - Accesses authentication information
  stored in an in-memory object collection, which
  is initialized from an XML document
  (conf/tomcat-users.xml).
• JAASRealm - Accesses authentication information
  through the Java Authentication Authorization
  Service (JAAS) framework.

71
Hyrax Installation Authentication

• Realm and Role configuration is achieved by
  editing XML files in the Tomcat distribution.
• Passwords may be saved as clear text, or if
  desired they may be stored in a digested form.
• The standard Realms support SHA, MD2, and MD5
  digest algorithms.

72
Hyrax Installation Authentication

• MemoryRealm Example
• To configure a MemoryRealm, you must create a
  ltRealmgt element and nest it in your
  CATALINA_HOME/conf/server.xml file.

73
Hyrax Installation AuthenticationMemoryRealm
Example

• The ltRealmgt element can be nested inside any one
  of of the following Container elements. The
  location of the Realm element has a direct impact
  on the "scope" of that Realm (i.e. which web
  applications will share the same authentication
  information)

74
Hyrax Installation AuthenticationMemoryRealm
Example

• Inside an ltEnginegt element - All web
  applications, All virtual hosts.
• Inside a ltHostgt element - All web applications
  for this virtual host.
• Inside a ltContextgt element - Only this web
  application.

75
Hyrax Installation AuthenticationMemoryRealm
Example

• Minimally we need to add this element
• ltRealm className"org.apache.catalina.realm.Memory
  Realm" /gt
• Other configuration attributes are available that
  allow you to
• Specify the digest algorithm for storing
  passwords. Defaults to clear text.
• Specify a custom users file. Defaults to
  CATALINA_HOME/conf/tomcat-users.xml

76
Hyrax Installation AuthenticationMemoryRealm
Example

• tomcat-users.xml
• lt?xml version'1.0' encoding'utf-8'?gt
• lttomcat-usersgt
• ltrole rolename"tomcat"/gt
• ltrole rolenamehyrax-role"/gt
• ltuser username"tomcat" password"tomcat"
  roles"tomcat"/gt
• ltuser usernameuser" password"tomcat"
  roleshyrax-role"/gt
• ltuser username"both" password"tomcat"
  roles"tomcat,hyrax-role"/gt
• lt/tomcat-usersgt

77
Hyrax Installation AuthenticationMemoryRealm
Example

• Now that Authentication is enabled we need to
  modify the web applications web.xml file to
  enable for our context.
• Enabling Tomcat authentication requires fairly
  extensive additions to the web.xml file. (It is
  important to keep in mind that altering the
  ltservletgt definitions may render your Hyrax
  server inoperable)

78
Hyrax Installation AuthenticationMemoryRealm
Example

• In the web.xml file for Hyrax you will need to
  add (at least) 3 elements
• ltsecurity-constraintgt - Defines the scope and
  role of a security constraint.
• ltlogin-configgt - Configure the type of login for
  the web application.
• ltsecurity-rolegt - Each security role referenced
  by the web application need to be called out.

79
Hyrax Installation AuthenticationMemoryRealm
Example

• security-constraint element
• lt!-- Define a security constraint on this
  application --gt
• ltsecurity-constraintgt
• ltweb-resource-collectiongt
• ltweb-resource-namegtEntire Applicationlt/web-res
  ource-namegt
• lturl-patterngt/lt/url-patterngt
• lt/web-resource-collectiongt
• ltauth-constraintgt
• ltrole-namegthyrax-rolelt/role-namegt
• lt/auth-constraintgt
• lt/security-constraintgt

80
Hyrax Installation AuthenticationMemoryRealm
Example

• login-config element
• lt!-- Define the login configuration for this
  application --gt
• ltlogin-configgt
• ltauth-methodgtBASIClt/auth-methodgt
• ltrealm-namegtOPeNDAP Hyraxlt/realm-namegt
• lt/login-configgt

81
Hyrax Installation AuthenticationMemoryRealm
Example

• security-role element
• ltsecurity-rolegt
• ltdescriptiongt
• The role for access to the Hyrax web
  application
• lt/descriptiongt
• ltrole-namegthyrax-rolelt/role-namegt
• lt/security-rolegt

82
Hyrax Installation AuthenticationMemoryRealm
Example

• Adding these three elements to the web.xml will
  cause access to the Hyrax server to be restricted
  to the users who posses the authentication
  credentials for either user or both, as
  defined in the tomcat-users.xml file.

83
Hyrax Installation

• TLS
• (The protocol formerly known as SSL)

84
Hyrax Installation TLS

• It is important to note that configuring Tomcat
  to take advantage of secure sockets is usually
  only necessary when running it as a stand-alone
  web server.

85
Hyrax Installation TLS

• To install and configure SSL support on Tomcat 5,
  you need to follow these simple steps

86
Hyrax Installation TLS

• Create a certificate keystore by executing the
  following commandJAVA_HOME/bin/keytool
  -genkey -alias \tomcat -keyalg RSAand specify
  a password value of "changeit".
• Uncomment the "SSL HTTP/1.1 Connector" entry
  in CATALINA_HOME/conf/server.xml
• Tweak as necessary.

87
Hyrax Installation TLS

• After completing these configuration changes, you
  must restart Tomcat as you normally do, and you
  should be in business. You should be able to
  access any web application supported by Tomcat
  via SSL. For example, try
• https//localhost8443/opendap/and you should
  see the usual Hyrax top level directory. If this
  does not work, then its time to go read the
  Tomcat documentation

88
Hyrax Installation

• Security

89
Hyrax Installation Security

• Best Practices for Secure Installation
• Always use a firewall
• Separate the BES and the OLFS.
• Restrict access to log and configuration files.
• Run Hyrax as a restricted user.

90
Hyrax Installation Security

• Always Use A FirewallKeep your Hyrax server
  behind a firewall and configure the firewall to
  only forward requests to the appropriate port
  (typically 8080 for Tomcat and 80 for Apache) on
  your Hyrax system. Be sure to have the firewall
  block direct access to the BES.

91
Hyrax Installation Security

• Separate the BES and the OLFSWe feel that it is
  better to run the BES on a second machine where
  only the BES port is open, and where the BES
  system is completely blocked by the firewall.

92
Hyrax Installation Security

• Restrict access to log and configuration
  filesIt is an unfortunate fact that many (if
  not most) IT security problems arise from within
  an organization and not from outside attacks.
  Given this situation it is important to restrict
  access to the log files generated, and the
  configuration files used, by Hyrax.

93
Hyrax Installation Security

• Run Hyrax as a restricted userWe strongly
  recommend that you run Hyrax as a restricted
  user. Running Hyrax as root or the super user is
  actively discouraged, as doing so creates the
  potential for dire consequences. What this means
  is that you should create a special user for bot
  the BES and Tomcat. These users should have
  restricted privileges and should only be allowed
  to write to the directories required by Tomcat
  and the BES.

94
Hyrax Installation Security

• Restricting System Access
• One may also choose to restrict user access to
  Hyrax. This can be done by configuring Tomcat to
  demand user authentication, and if required,
  TSL/SSL