etc/dm.openssl.conf

+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Uncomment out to enable OpenSSL configuration see config(3)
+# openssl_conf = openssl_init
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[openssl_init]
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+alg_section = algs
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by any config aware application
+# Add a simple OID like this:
+# shortname=Long Object Identifier Name, 1.2.3.4
+# Or use config file substitution like this:
+# testoid2=OID2 LONG NAME, ${testoid1}.5.6, OTHER OID
+
+[ algs ]
+# Algorithm configuration options. Currently just fips_mode
+fips_mode = no
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= $ENV::DM_INSTALL_DIR/etc/CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha512		# which md to use.
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= optional
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+#stateOrProvinceName	= optional
+#localityName		= optional
+organizationName	= optional
+#organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha512
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+# we use PrintableString+UTF8String mask so if pure ASCII texts are used
+# the resulting certificates are compatible with Netscape
+string_mask = MASK:0x2002
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= US
+countryName_min			= 2
+countryName_max			= 2
+
+#stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= 
+
+#localityName			= Locality Name (eg, city)
+#localityName_default		= 
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Argonne National Laboratory
+
+# we can do this but it is not needed normally :-)
+1.organizationName		= Second Organization Name (eg, company)
+1.organizationName_default	= Advanced Photon Source
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= AES/SSG
+
+commonName          = Common Name (eg, your name or your server\'s hostname)
+commonName_max          = 64
+
+emailAddress            = Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ server ]
+
+basicConstraints=CA:FALSE
+nsCertType                      = server
+nsComment                       = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+basicConstraints = critical,CA:true
+# So we do this instead.
+#basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

etc/dm.sudo-rules.template

+## DM user sudo functions
+## All strings starting with DM_* have to be replaced with actual values 
+Host_Alias HOST=DM_HOSTNAME
+User_Alias USER=DM_SYSTEM_USER
+Cmnd_Alias SETFACL=/usr/bin/setfacl -m group\:*\:rx DM_DATA_DIR/*
+Cmnd_Alias USERMOD=/usr/sbin/usermod -a -G * *
+Cmnd_Alias GROUPADD=/usr/sbin/groupadd *
+Cmnd_Alias CHOWN=/bin/chown -R \:* *
+
+USER HOST=(root) NOPASSWD: SETFACL,USERMOD,GROUPADD,CHOWN
+
+

etc/dm_dev.deploy.conf

+DM_DB_NAME=dm_dev
+DM_DB_USER=dm_dev
+DM_DB_HOST=127.0.0.1
+DM_DB_PORT=11136
+DM_DB_ADMIN_USER=postgres
+DM_DB_ADMIN_HOSTS="127.0.0.1"
+DM_DB_SCRIPTS_DIR=
+DM_SYSTEM_USER=dm
+DM_STORAGE_DIR=DM_DATA_DIR
+DM_CONTEXT_ROOT=dm_dev
+DM_WEB_SERVICE_PROTOCOL=https
+DM_DS_WEB_SERVICE_HOST=DM_HOSTNAME
+DM_DS_WEB_SERVICE_PORT=22237
+DM_DAQ_WEB_SERVICE_HOST=DM_HOSTNAME
+DM_DAQ_WEB_SERVICE_PORT=33337
+DM_CAT_WEB_SERVICE_HOST=DM_HOSTNAME
+DM_CAT_WEB_SERVICE_PORT=44437
+DM_SOFTWARE_VERSION="Development Snapshot (DM_DATE)"
+
+

etc/ds-web-service.conf.template

+[WebService]
+serviceHost=0.0.0.0
+servicePort=22236
+sslCertFile=DM_INSTALL_DIR/etc/ssl/ds-web-service.crt
+sslKeyFile=DM_INSTALL_DIR/etc/ssl/ds-web-service.key
+sslCaCertFile=DM_INSTALL_DIR/etc/ssl/cacert.pem
+
+[AuthorizationPrincipalManager]
+principalRetriever=DbPrincipalRetriever()
+#principalRetriever=NoOpPrincipalRetriever()
+principalAuthenticator1=CryptedPasswordPrincipalAuthenticator()
+principalAuthenticator2=LdapPasswordPrincipalAuthenticator(serverUrl='ldaps://phoebusldap.aps.anl.gov:636', dnFormat='uid=%s,ou=people,o=aps.anl.gov,dc=aps,dc=anl,dc=gov')
+
+[ExperimentManager]
+storageDirectory=DM_STORAGE_DIR
+manageStoragePermissions=True
+platformUtility=dm.common.utility.linuxUtility.LinuxUtility()
+
+[DbManager]
+dbSchema=DM_DB_NAME
+dbUser=DM_DB_NAME
+dbPasswordFile=DM_INSTALL_DIR/etc/DM_DB_NAME.db.passwd
+
+[FileProcessingManager]
+numberOfProcessingThreads=3
+defaultNumberOfRetries=3
+defaultRetryWaitPeriodInSeconds=60
+#fileProcessor1=
+
+# Available logger levels: debug, info, warn, error, critical
+[ConsoleLogging]
+handler=ConsoleLoggingHandler(sys.stdout,)
+level=debug
+format=%(asctime)s,%(msecs)003d %(levelname)s %(filename)s:%(lineno)d %(process)d:  %(message)s
+dateFormat=%Y/%m/%d %H:%M:%S
+
+[FileLogging]
+handler=TimedRotatingFileLoggingHandler('DM_INSTALL_DIR/var/log/ds-web-service.log')
+level=debug
+format=%(asctime)s,%(msecs)003d %(levelname)s %(filename)s:%(lineno)d %(process)d:  %(message)s
+dateFormat=%Y/%m/%d %H:%M:%S
+

etc/init.d/dm-glassfish

+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          glassfish
+# Required-Start:    $remote_fs $network $syslog
+# Required-Stop:     $remote_fs $network $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Starts GlassFish
+# Description:       Starts GlassFish application server
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Set root to default if needed.
+MY_DIR=`dirname $0` && cd $MY_DIR && MY_DIR=`pwd`
+if [ -z "${DM_ROOT_DIR}" ]; then
+    DM_ROOT_DIR=$MY_DIR/../..
+fi
+        
+# Source environment file.
+DM_USER=`id -nu`
+DM_HOST=`hostname -s`
+DM_ENV_FILE=${DM_ROOT_DIR}/setup.sh
+if [ ! -f ${DM_ENV_FILE} ]; then
+    echo "Environment file ${DM_ENV_FILE} does not exist." 
+    exit 2
+fi
+. ${DM_ENV_FILE} > /dev/null
+
+export AS_JAVA=$DM_SUPPORT_DIR/java/$DM_HOST_ARCH
+DM_GLASSFISH_DIR=$DM_SUPPORT_DIR/glassfish/$DM_HOST_ARCH
+DERBY_DIR=$DM_SUPPORT_DIR/glassfish/$DM_HOST_ARCH/javadb/bin
+
+DM_DAEMON_NAME=glassfish
+DM_DAEMON_CONTROL_CMD=$DM_GLASSFISH_DIR/bin/asadmin
+DM_DAEMON_START_ARGS="start-domain domain1"
+DM_DAEMON_STOP_ARGS="stop-domain domain1"
+DM_DAEMON_STATUS_CMDS="uptime list-domains list-applications list-jdbc-resources"
+
+start() {
+    echo -n $"Starting ${DM_DAEMON_NAME}: "       
+    # Check if we're a privileged user
+    if [ `id -u` = 0 -a ${DM_USER} != "root" ]; then
+        su -m -c "${DM_DAEMON_CONTROL_CMD} ${DM_DAEMON_START_ARGS}" ${DM_USER}
+    else
+        ${DM_DAEMON_CONTROL_CMD} ${DM_DAEMON_START_ARGS}
+    fi
+    RETVAL=$?
+    [ $RETVAL -eq 0 ] && success $"${DM_DAEMON_NAME} startup" || failure $"${DM_DAEMON_NAME} startup"
+    echo
+}
+
+stop() {
+    echo -n $"Stopping ${DM_DAEMON_NAME}: "       
+    # Check if we're a privileged user
+    if [ `id -u` = 0 -a ${DM_USER} != "root" ]; then
+        su -m -c "${DM_DAEMON_CONTROL_CMD} ${DM_DAEMON_STOP_ARGS}" ${DM_USER}
+    else
+        ${DM_DAEMON_CONTROL_CMD} ${DM_DAEMON_STOP_ARGS}
+    fi
+    RETVAL=$?
+    [ $RETVAL -eq 0 ] && success $"${DM_DAEMON_NAME} shutdown" || failure $"${DM_DAEMON_NAME} shutdown"
+    echo
+}
+
+status() {
+    # Check if we're a privileged user
+    if [ `id -u` = 0 -a ${DM_USER} != "root" ]; then
+        for cmd in ${DM_DAEMON_STATUS_CMDS}; do
+            su -m -c "${DM_DAEMON_CONTROL_CMD} ${cmd}" ${DM_USER}
+        done
+    else
+        for cmd in ${DM_DAEMON_STATUS_CMDS}; do
+            ${DM_DAEMON_CONTROL_CMD} ${cmd}
+        done
+    fi
+}
+
+case "$1" in
+    start)
+        start
+    ;;
+    stop)
+        stop
+    ;;
+    restart)
+        stop
+        start
+    ;;
+    status)
+        status
+    ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|status}"
+        exit 1
+    ;;
+esac
+
+

lib/python

+../src/python
\ No newline at end of file

sbin/catWebService.py

+../src/python/dm/cat_web_service/service/catWebService.py
\ No newline at end of file

sbin/daqWebService.py

+../src/python/dm/daq_web_service/service/daqWebService.py
\ No newline at end of file