Installation

To deploy an Authn DB Plugin you need:

  1. a suitable container to support EJBs,
  2. databases on a system supported by eclipselink,
  3. to configure glassfish,
  4. to install a copy of authn_db.properties in the correct place,
  5. to deploy the .ear file,
  6. and see if it works.

EJB Container

In principle you can use any EJB container. Testing has been performed with glassfish 3.1.2 and these notes refer to that version.

You must already have a Java SE installed (i.e. the command "java" is known), then you can get Java EE 6 SDK Update 4 with JDK 6 Update 31 or later from http://www.oracle.com/technetwork/java/javaee/downloads/index.html and execute the script.

Request custom installation, install and configure, and enter proxy details if necessary on your site. Request a server domain, set the domain name and set the admin password. For a secure deployment of glassfish you should obtain a trusted certificate rather than using the self-signed one in the distribution.

Databases

The database system must be supported by eclipselink. This includes most database systems you are likely to want as explained at the eclipselink web site. It has been tested with: MySQL, Oracle and Derby. You will need an empty schema/database with permission for data definition operations such as "CREATE TABLE ..." You must place a copy of the "JDBC Connector" for your database in the lib directory below the domain where you will install icat. You should get the connector from the database supplier. In the case of Oracle this is ojdbc14.jar or ojdbc16.jar and for MySQL it is something like mysql-connector-java*.jar. MySQL must be installed with InnoDB support. Eclipselink, which is used by ICAT, will ensure that MySQL tables make use of the InnoDB engine. In the case of Derby the connector comes pre-installed with Glassfish however we do not expect Derby to be used for production work.

Preparing glassfish.props

Obtain authn_db.ear-1.0.0-config.zip and unzip it. You must first edit glassfish.props to match your system.

driver
is the name of the jdbc driver and must match the jar file for your database that you stored in the previous step.
authn_dbProperties
identifies the password database and how to connect to it.
glassfish
is the top level of the glassfish installation. It must contain "glassfish/domains", and will be referred to here as GLASSFISH_HOME as if an environment variable had been set.
port
is the administration port of the chosen glassfish domain which is typically 4848.

For a local oracle-xe installation the following values of driver, authn_dbProperties should be good except for the user and password values:

driver=oracle.jdbc.pool.OracleDataSource
authn_dbProperties=url="'"jdbc:oracle:thin:@//localhost:1521/XE"'":ImplicitCachingEnabled=true:MaxStatements=200:user=authn_db:password=secret

Note the "'" which is needed because the url contains colons which also separate individual properties.

For MySQL:

driver=com.mysql.jdbc.jdbc2.optional.MysqlDataSource
authn_dbProperties=user=icat:password=secret:databaseName=authn_db

Using glassfish.props to configure Glassfish

Having prepared the glassfish.props file you should run the command: asadmin login to login as admin. This might prompt you for your glassfish admin password to avoid being prompted for it later. If you do not do this the next step will fail. You will find the asadmin executable in the bin directory below the directory you have identified in glassfish.props as "glassfish" - i.e. $GLASSFISH_HOME/bin/asadmin. There is no logout command but you can delete ~/.asadminpass if you wish once you have run the create.sh script successfully. Now check that your domain is running with asadmin list-domains and try running create.sh . It expects to find glassfish.props in the current directory. Amongst other things the script will try to "ping" the database. If you have problems, modify the glassfish.props, run drop.sh and then create.sh again.

authn_db.properties

In the unpacked authn_db.ear-1.0.0-config.zip file you will find a property file, authn_db.properties, which should both be copied to the config directory for your chosen glassfish domain. You will find your domain directory at $GLASSFISH_HOME/glassfish/domains. The authn_db.properties file may need changing:

ip
If access to the DB authentication should only be allowed from certain IP addresses then provide a space separated list of allowed values. These take the form of an IPV4 or IPV6 address followed by the number of bits (starting from the most significant) to consider.
mechanism
if specified is a label to appear before the user name as it is made available to ICAT for authorization. For example if this is set to 'db' then the user 'root' will be provided to ICAT as 'db/root', but of no mechanism is specified it will be provided simply as 'root'.

Installing the .ear file

If you already have an authn_db installed then you should first remove it with asadmin --port 4848 undeploy <ear> where the value of "ear" can be found by: asadmin --port 4848 list-applications Obtain authn_db.ear-1.0.0.ear and install it with the command: asadmin --port 4848 deploy authn_db.ear-1.0.0.ear . If you have only one domain you may not need to specify the port and if the admin port is not 4848 then specify the correct value.

As the file is deployed the database is created. There is currently no mechanism to add entries to the password database so you must use a database utility to do this manually. Currently passwords are stored in plain text. The name of the table is dependent upon the RDBMS you have chosen to use, but should be PASSWD (though it may not be in upper case).

Check that authn_db works

There is currently no stand alone mechanism to check that authn_db is working properly. Please use the test.py script that comes with the ICAT installation if one of your root users can be authorized with this plugin.

In case of problems look at the log files: server.log and authn_db.log which can both be found in the logs directory below your domain.