3. Getting Connected

1. Configuring the Stone and the remote node

To begin with, you should have a GemStone/S 64 Bit installation on both the Stone’s node and on the remote cache node, and you should have setup and started a Stone process.

Before starting the process of setting up a X509 login, you might want to verify that your system is configured so you can perform a remote, non-X509 login between the remote and Stone’s node.

Since unsecured NetLDIs do not support X509 logins, and vice versa, you must either use a different port to start the X509-secured NetLDI on the Stone and remote nodes, or shut down the unsecured NetLDIs and restart using the process described in this chapter.

2. Setup script and log directories

X509 logins require a number of certificates to be available; some are needed on the Stone’s node, some on the remote node, and some on both nodes.

While there are a number of ways to manage the certificates, the simplest is to create new flat directories in which to place the required certificate files, and access these via an environment variable. These examples use $MyStoneCertDir and $MyRemoteCertDir.

fiji> mkdir $GEMSTONE/logs

fiji> export remoteLogDir=$GEMSTONE/logs

alcatraz> mkdir $GEMSTONE/logs

alcatraz> export stoneLogDir=$GEMSTONE/logs

3. Start certificate-only NetLDI on the Stone’s Node

The Stone must be running before you start the x509-secured NetLDI.

On the Stone’s node, you must start the NetLDI in certificate-only mode, using the arguments -S -U -R -J and -L in addition to any other startnetldi arguments. The -D argument is also required, to set the directory for log files. Do not use the -E argument.

For details on the startnetldi arguments, see Utility details for X509.

This NetLDI should be started as the same user as the one that started the Stone.

  alcatraz> startnetldi -D $stoneLogDir -l $stoneLogDir/54321.log 

-S -U $MyStoneCertDir/alcatraz.chain.pem

-R $MyStoneCertDir/alcatraz.privkey.pem

-J $MyStoneCertDir/stoneCA-devstone.cert.pem

-L $MyStoneCertDir/hostCA-userCA-combined-devstone.crl.pem 54321

4. Start certificate-only NetLDI on the Remote Node

With X509 logins, the certificate-only remote cache on a particular node must be started up and running before it can be used by a Gem to login. This is unlike ordinary logins in which the remote cache is only started up when a Gem logs in.

The NetLDI on the remote node has the responsibility of starting up the remote cache, which it does on instructions by the starthostagent utility on the Stone’s node.

NETLDI_PORT_RANGE = 50000, 50020; 

  fiji> startnetldi -E remote.conf  -S  -D $remoteLogDir

-l $remoteLogDir/54321.log 

-U $MyRemoteCertDir/fiji.chain.pem

-R $MyRemoteCertDir/fiji.privkey.pem

-J $MyRemoteCertDir/stoneCA-devstone.cert.pem 54321

5. Start the HostAgent on the Stone’s node

Once the remote and Stone’s NetLDI are running, you must execute the starthostagent utility, on the Stone’s node, to complete the startup.

Executing starthostagent initiates a number of important tasks. It requests that the Stone’s x509 NetLDI do the following:

• The Stone’s NetLDI mutually authenticates with the remote x509 NetLDI;
• The Host Agent on the Stone’s node starts up and log in;
• The remote NetLDI starts the remote cache

The starthostagent utility requires a number of arguments to allow it to securely connect the local and remote NetLDIs:

• the name (or IP) of the remote node, using argument to -m.
• the name (or port) that the remote NetLDI is listening on, using argument to -n.
• the name (or port) that the Stone’s NetLDI is listening on, using argument to -N.
• credentials to authenticate with the remote NetLDI, using -U -R -J

  alcatraz> starthostagent -m fiji -N 54321 -n 54321

-U $MyStoneCertDir/alcatraz.chain.pem

-R $MyStoneCertDir/alcatraz.privkey.pem

-J $MyStoneCertDir/stoneCA-devstone.cert.pem 

Flow of Operations during HostAgent startup

The following diagram lists the internal steps that occur as a results of starthostagent.

Figure 3.1 Remote Cache and NetLDI startup

---

6. Login

Logins can be done from topaz, GBS, GCI commands, and GemStone Smalltalk external session classes. Only RPC logins can be done using the secure protocol.

The X509 login requires a set of parameters that are distinct from those used for ordinary logins. The Stone name, GemStone user name and password, and host username and password are not required and must not be set, and NetLDI details are not included in the Gem’s NRS (e.g., gemnetid); the NetLDI (of the Gem host) is specified in the form hostname:netldiName.

In topaz, there are commands to set these parameters. For example:

topaz > set cert $MyRemoteCertDir/DataCurator.chain.pem

topaz > set key $MyRemoteCertDir/DataCurator.privkey.pem

topaz > set cacert $MyRemoteCertDir/stoneCA-devstone.cert.pem

topaz > set netldi localhost:54321

topaz > login

Setting any of these X509 login parameters clears the login parameters used for ordinary logins (gemstone, username, password, etc.). Likewise, setting any of the ordinary login parameters unsets the X509 login parameters.

The Gem will run on the host specified by the set netldi command, which does not need to be the same host as the topaz client. Rather than localhost, you may specify the host name or IP of another host that is running a certificate-only NetLDI.

If there are no gems running on the remote cache, after the timeout specified by STN_REMOTE_CACHE_TIMEOUT, the remote cache and HostAgent are shut down. You must execute the starthostagent script again (Step 5., above) to restart the remote cache and HostAgent.

Both ordinary and X509 logins are allowed to the stone, but ordinary logins cannot use the certificate-only NetLDIs. The X509-secured remote shared page cache does not support ordinary Gems, so ordinary logins cannot start a Gem on a node where a certificate-based remote shared page cache exists.

Flow of Operations during Login

The following diagram shows the flow of operations when a remove X509 secured Gem logs in.

Figure 3.2 Remote X509 Login

---

Troubleshooting startup failures

In most cases, details of login failures are not reported, for security reasons.

• If you have trouble starting the Stone’s NetLDI, check the log file, and verify the existence, location, and validity of the certificate files.
• If you have trouble starting the Remote NetLDI, first check the remote NetLDI log file. Note that some errors, such as not being able to find the -E configuration file, are reported earlier in the log; be sure to read the entire log file, not merely the final statements.
• If the starthostagent script fails, verify that the Stone was started using a keyfile that allows X509 logins.

Check the HostAgent log file on the Stone’s node, which may contain error reports. The HostAgent log is located in the directory specified by -D argument to startnetldi, and has the name hostagent-StoneName-RemoteNode-PIDStoneNodeName.log.

• If the topaz login fails, check your parameters. The set netldi hostname must be the name of the Gem’s node, not the Stone’s node. The error message will also let you know if one or another of the required certs is missing.

X509 login parameters

The login command now can be used with two distinct sets of parameters.

• For classic logins, the parameters are unchanged.
• For secure X509 logins, new and distinct parameters are required.

The required parameters for X509 certificate login (RPC only) are:

SET CERT: certfilepath
SET CACERT: cacertfilepath
SET KEY: privkeyfilepath
SET NETLDI: host:port

The following parameters are optional, but if used, apply only to X509 logins:

LOGFILE: gemlogfilepath
EXTRAGEMARGS: gemargs
DIRECTORY: dirname

The GemStone user name and the stone name are specified in the certificates, and are not entered in topaz by the user, and the GemStone user’s password is not needed.

With X509 logins, NRS is not used in any of the parameters. To specify the directory and log file name and any arguments to be passed to the gem, specific set commands are used.

If any of the X509 login parameters are set, the ordinary parameters are cleared, and the login command will perform an X509 login; if any of the ordinary parameters are set, the X509 parameters are cleared, and login performs a classic login.

The full set of new set commands are:

CACERT[:] cacertfilepath
Sets the path to the X509 certificate authority (CA) certificate to be used for login. The certificate must be in PEM format.

CERT[:] certfilepath
Sets the path to the X509 certificate to be used for login. The certificate must be in PEM format.

DIRECTORY[:] dirname
Set the name of the working directory for the RPC gem created by a certificate login. Also specifies the directory in which the Gem log will be written; if not specified, the log file is put into the directory provided in the startnetldi -D argument.

EXTRAGEMARGS[:] gemargs
Sets a list of extra command line arguments to be used when starting an RPC gem for a certificate login.

KEY[:] privkeyfilepath
Sets the path to the private key for the certificate specified by the SET CERT: command. The key must be in PEM format and must not be protected by a passphrase.

LOGFILE[:] gemlogfilepath
Set the name of the RPC gem's log file for certificate logins. If not specified, the default log file name is used.

NETLDI[:] hostname:port
Sets the hostname and port number for the certificate-only NetLDI to be used for X509 login. The format must include a the name or IP of the host, a colon, and the port or NetLDI service name. For example,

topaz> set netldi fiji.gemtalksystems.com:54321 

That this is the Gem host’s NetLDI. The Gem will be started on the specified node fiji. You may use localhost to specify the Gem should be on the same node as the topaz process.

While the user certificate may include an address restriction, using localhost and other addresses 127.x.x.x (loopback addresses) are allowed, for running Gems on the same node. The address restrictions are applied when the Gem authenticates with the HostAgent.

The commands to set X509 parameters may be set in the .topazini file, or may be passed in on the command line using -X -n.

topaz arguments to configure X509 parameters on command line

Rather than specifying the certificates using the set command, you may pass them in on the command line using the topaz -X argument. The -X is only valid for RPC sessions, and takes a string containing three semicolon-delimited paths. For example:

'stoneCA-devstone.cert.pem;DataCurator.chain.pem;DataCurato r.privkey.pem'

The order is significant; the CA, cert, and private key must be in that order.

To set all the X509 login parameters required for login, you must also use the -n argument to specify the NetLDI name and port.

For example:

topaz -X '$MyCertDir/stoneCA-devstone.cert.pem;$MyCertDir/DataCurator.chain.pem;$MyCertDir/DataCurator.privkey.pem' -n localhost:54321

X509 Login Certificate Information:

Certificate________ '$MyRemoteCertDir/DataCurator.chain.pem'

CaCertificate______ '$MyRemoteCertDir/stoneCA-devstone.cert.pem'

Key________________ '$MyRemoteCertDir/DataCurator.privkey.pem'

Netldi_____________ 'localhost:54321'

Directory__________ ''

LogFile____________ ''

ExtraGemArgs_______ ''