This is a list of tips covering requests that administrators have made when installing or configuring Gateway.
The list is not exhaustive and will be extended based on feedback from HPC Gateway usage.


Tip: Force a single wallpaper for all users

Each Gateway user with administrator capability can customize their own environment, including uploading and configuring a personal wallpaper that other users can then select. The following procedure forces a single wallpaper on all users.

Step 1: Configure a single wallpaper for all users

Logged in as hpcgadmin on the Gateway portal, open the menu Gateway/Settings. Remove all existing wallpapers one by one:

Upload the chosen wallpaper and select it…

Step 2: Prevent users from uploading any new wallpaper

From the menu Gateway/Settings, on the « Configuration » panel, section « Desktop », untick « User Can update and remove wallpaper »:

Tip: Signing certificate procedure

Gateway is delivered by default with a self-signed certificate generated during installation.
Because this self-signed certificate is not issued by any known certificate authority, users accessing the Gateway portal will encounter browser security warnings.
Even so, the self-signed certificate still encrypts all communication between the user's browser and the Gateway server.
In some environments, firewalls or security appliances may also reject the self-signed certificate, so that access to the Gateway web portal is blocked.

To avoid these security warnings and related issues, you can request an official certificate signed by a private Certificate Authority (CA, owned by your company) or by a public one.
Follow the steps below to obtain a new certificate signed by a private or public CA:

Step 1: Locate currently used certificate


The self-signed certificate generated during installation and used by the Gateway Jetty web server is stored in a keystore file named hpcgateway.keystore.
This password-protected keystore contains a private key and the self-signed certificate. Locate the keystore currently in use and retrieve its password, which is stored next to it in hpcgateway.password. Anyone who can read these two files can extract the private key, so keep them readable only by the Gateway service account:

[hpcgadmin@head hpcgadmin]# cd /opt/hpcg/repo/etc/sys/root
[hpcgadmin@head hpcgateway]# ls -l hpcgateway.keystore
-rw-r--r--. 1 hpcgadmin hpcgadmin 2232 Oct  1 18:22 hpcgateway.keystore
[hpcgadmin@head hpcgateway]# cat hpcgateway.password
d455345c-2714-4406-8f0e-1d84065703bf

Step 2: Create a new keystore containing a new private key


Our advice is to keep the existing hpcgateway.keystore safe and usable while requesting a new official certificate based on a new private key stored in a new keystore. Assuming that the company is Nintendo and the administrator is Mario Bros. :-)
Create, in the same location, a new private key stored in a new keystore named gateway.nintendo.jp.keystore (the name the Jetty configuration in Step 10 refers to). Use the password set for hpcgateway.keystore:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -genkey -alias gateway.nintendo.jp -keyalg RSA -keystore ./gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -keysize 2048
What is your first and last name?
  [Unknown]:  Mario Bros
What is the name of your organizational unit?
  [Unknown]:  Nintendo Corporation Limited
What is the name of your organization?
  [Unknown]:  Nintendo
What is the name of your City or Locality?
  [Unknown]:  Kyoto
What is the name of your State or Province?
  [Unknown]:  Kansai
What is the two-letter country code for this unit?
  [Unknown]:  JP
Is CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP correct?
  [no]:  yes

Enter key password for <gateway.nintendo.jp>
        (RETURN if same as keystore password):

Step 3: Check the private key in the new keystore


List the content of the newly created keystore:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore ./gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: 17-Jan-2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Serial number: 1169d167
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
Certificate fingerprints:
         MD5:  74:54:5B:66:9B:98:35:31:4D:4F:4F:3A:B9:17:F3:17
         SHA1: 0E:68:D8:EB:E7:37:47:8D:A4:5C:8D:96:D5:06:7F:5F:F2:3F:12:C7
         SHA256: 81:75:B6:A5:9E:54:65:01:75:07:E1:62:4F:D0:68:75:DC:7A:4F:CB:26:A2:5C:70:65:04:87:DE:78:66:8B:08
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 09 1F 96 B4 15 DE 2E AE   93 AA BF 0B 52 E6 E9 07  ............R...
0010: C2 69 16 C6                                        .i..
]
]

*******************************************
*******************************************

Step 4: Create a new CSR


Create a new certificate signing request (CSR) for the published domain name or alias of your Gateway service (here gateway.nintendo.jp). Public CAs validate and issue for the DNS name(s) you request rather than for the CN typed in Step 2, which is why the issued certificate shown in Step 9 carries CN=gateway.nintendo.jp and SubjectAlternativeName entries. The resulting gateway.nintendo.jp.csr is a PEM text file (-----BEGIN NEW CERTIFICATE REQUEST-----):

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -certreq -alias gateway.nintendo.jp -keystore ./gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -file gateway.nintendo.jp.csr

Step 5: Send the CSR to a CA


Submit either the CSR file itself or its content to your CA for signing.
You can get a trial certificate from Thawte at https://www.thawte.com/cgi/server/try.exe

Step 6: Check created certificate provided by CA


Once the certification authority has issued the signed certificate, save it to a file such as /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem.
Note: back this file up, because it can be re-used if you re-install HPC Gateway.
You can display the content of the signed certificate with:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -printcert -v -file /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem

Step 7: Import created certificate provided by CA


Import the CA-issued certificate into the keystore under the alias of the private key, so that keytool installs it as the certificate reply for that key:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -import -keystore ./gateway.nintendo.jp.keystore -alias gateway.nintendo.jp -file gateway.nintendo.jp.signed.pem -trustcacerts -storepass d455345c-2714-4406-8f0e-1d84065703bf

Notes: The certificate must be in PEM format. Depending on the situation you may not need the -trustcacerts option; try the import without it if you like. If keytool answers "Failed to establish chain from reply", the CA reply does not include the issuing chain and the CA certificates are not yet trusted: perform Step 8 first, then repeat this import. If the certificate you receive from the CA is not in a format keytool understands, convert it with openssl:

[hpcgadmin@head hpcgateway]$ openssl x509 -in gateway.nintendo.jp.der -inform DER -outform PEM -out gateway.nintendo.jp.signed.pem

Step 8: Import the Root CA certificate provided by the CA


In some cases the Root CA certificate (and any intermediate CA certificate) that vouches for the issued certificate is already included in the certificate file you received.
If not, download the CA certificates from your CA and import each of them under its own alias:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -import -v -noprompt -trustcacerts -alias cacert -file Nintendo-CA.pem -keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Nintendo-CA.pem is the Root CA certificate delivered by the CA.
Example: for certificates delivered by Thawte, you can download the Thawte Test Root Certificate from http://www.thawte.com/roots/.

Step 9: Verify contents of keystore


As a final check, list the content of the keystore:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: Jan 23, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Serial number: ff15bee7615861260456e70169ecad70
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
Certificate fingerprints:
         MD5:  C1:E5:BF:05:33:C2:25:21:EC:34:C8:BA:4D:FB:11:8E
         SHA1: 9B:5E:81:F5:1E:D6:6D:0E:3C:FA:33:26:59:F3:17:40:78:02:F8:5A
         SHA256: CB:0B:73:36:EE:BA:AB:46:FE:86:DE:72:37:21:38:D6:BA:3D:4D:6F:F0:F7:E4:09:57:B9:D7:E4:66:24:AE:D1
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://xxxxxxxxx/ThawteStandardSSLCA2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://xxxxxxxxx
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/GandiStandardSSLCA2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 19 68 74 74 70 73 3A   2F 2F 63 70 73 2E 75 73  ..https://cps.us
0010: 65 72 74 72 75 73 74 2E   63 6F 6D                 ertrust.com

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 A5 56 23 A8 48 5F 05   2C BB 3A 4D A5 A2 CB 0E  ..V#.H_.,.:M....
0010: 75 F4 FA 70                                        u..p
]
]

Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5e4dc3b9438ab3b8597cba6a19850e3
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
Certificate fingerprints:
         MD5:  1A:9A:69:A8:1F:6D:A9:2D:87:F7:69:4E:16:D8:B8:79
         SHA1: 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34
         SHA256: B9:F2:16:43:23:63:8D:CE:0B:92:21:8B:43:C4:1C:1B:2B:26:96:38:93:29:DB:19:F5:CF:7A:D4:9B:5C:B3:72
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z. J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

Certificate[3]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 1fd6d30fca3ca51a81bbc640e35032d
Valid from: Mon Feb 01 01:00:00 CET 2010 until: Tue Jan 19 00:59:59 CET 2038
Certificate fingerprints:
         MD5:  1B:FE:69:D1:91:B7:19:33:A3:72:A8:0F:E1:55:E5:B5
         SHA1: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
         SHA256: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z. J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

*******************************************
*******************************************


The most important thing to look for, under the private key alias, is the additional chain information now displayed: Certificate chain length: 3. The chain length must be greater than one, which means that your certificate is vouched for by at least one third-party CA. Certificate[1] is your server certificate (issued to gateway.nintendo.jp, with the service name listed in SubjectAlternativeName), and each following certificate is the issuer of the one before it, up to the root.
Note: there is plenty of information on the web about obtaining and installing a valid certificate.
For example, read the following online articles:
https://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
https://support.dnsimple.com/articles/what-is-ssl-certificate-chain
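To make the Step 9 check repeatable (for instance after every certificate renewal), the following Python script, an added example that is not part of the HPC Gateway documentation, parses saved `keytool -list -v` output and reports anything that would leave the portal serving an untrusted, expired or mismatched certificate. The embedded listings are constructed abridgements of the Step 3 and Step 9 output, and gateway.nintendo.jp is the page's example service name.

```python
"""Mechanical version of the Step 9 check: parse `keytool -list -v` output and confirm
the keystore now holds a CA-issued chain for the Gateway service name (added example)."""
import re
from datetime import datetime

# Constructed, abridged listing modelled on the Step 9 output: full DN strings are kept
# so that issuer/owner pairs can be matched; extensions other than the SAN are dropped.
CA_SIGNED_LISTING = """\
Alias name: gateway.nintendo.jp
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]
Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, C=US
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
Certificate[3]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, C=US
Valid from: Mon Feb 01 01:00:00 CET 2010 until: Tue Jan 19 00:59:59 CET 2038
"""

# Constructed listing of the Step 3 state: the key still carries its self-signed certificate.
SELF_SIGNED_LISTING = """\
Alias name: gateway.nintendo.jp
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
"""

VALIDITY_RE = re.compile(r"Valid from: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
                         r" until: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

def _parse_stamp(stamp, year):
    # keytool prints Java's Date.toString() with a zone abbreviation (CET, CEST) that
    # strptime's %Z does not accept, so the zone is dropped and the value kept naive.
    return datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")

def parse_chain(listing):
    """Return one dict per Certificate[n] block, in the order keytool prints them."""
    certs, cert, in_san = [], None, False
    for raw in listing.splitlines():
        line = raw.strip()
        if re.match(r"Certificate\[\d+\]:$", line):
            cert = {"owner": "", "issuer": "", "san": [], "not_before": None, "not_after": None}
            certs.append(cert)
        elif cert is None:
            continue  # header lines before the first certificate block
        elif line.startswith("Owner: "):
            cert["owner"] = line[len("Owner: "):]
        elif line.startswith("Issuer: "):
            cert["issuer"] = line[len("Issuer: "):]
        elif line.startswith("Valid from: "):
            m = VALIDITY_RE.match(line)
            if m:
                cert["not_before"] = _parse_stamp(m.group(1), m.group(2))
                cert["not_after"] = _parse_stamp(m.group(3), m.group(4))
        elif line.startswith("SubjectAlternativeName ["):
            in_san = True
        elif in_san:
            if line == "]":
                in_san = False
            elif line.startswith("DNSName: "):
                cert["san"].append(line[len("DNSName: "):])
    return certs

def check_keystore(listing, service_name, now):
    """Return the problems found (empty list means ready); `now` is a datetime or YYYY-MM-DD."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    problems = []
    m = re.search(r"Certificate chain length: (\d+)", listing)
    chain_len = int(m.group(1)) if m else 0
    if chain_len < 2:
        problems.append(f"chain length is {chain_len}: the CA reply has not been imported")
    certs = parse_chain(listing)
    if not certs:
        return problems + ["no Certificate[n] block found under the alias"]
    leaf = certs[0]
    if leaf["owner"] == leaf["issuer"]:
        problems.append("Certificate[1] is self-signed (Owner equals Issuer)")
    if service_name not in leaf["san"]:
        problems.append(f"{service_name} missing from SubjectAlternativeName {leaf['san']}")
    for i, c in enumerate(certs, 1):
        if c["not_before"] is None or not c["not_before"] <= now <= c["not_after"]:
            problems.append(f"Certificate[{i}] is not valid at {now:%Y-%m-%d}")
    for i in range(len(certs) - 1):  # each issuer must be the owner of the next certificate
        if certs[i]["issuer"] != certs[i + 1]["owner"]:
            problems.append(f"Certificate[{i + 1}] issuer does not match Certificate[{i + 2}] owner")
    return problems
```

Feed it the real listing with `check_keystore(open("listing.txt").read(), "gateway.nintendo.jp", datetime.now())`; an empty result is the state Step 9 asks you to confirm by eye.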

Step 10: Configure Jetty to use the new keystore and the certificate it contains

  • You must stop Jetty before changing its configuration:
[hpcgadmin@head hpcgateway]$ source /opt/hpcg/core/etc/profile/sh
[hpcgadmin@head hpcgateway]$ hpcg.sh -s stop -l jetty -c "Before applying official SSL certificate"


  • Then modify the Jetty SSL configuration in jetty-ssl-context.xml accordingly:
[root@SuShI root]# vi jetty-ssl-context.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>

  <!-- From SFWAY -->
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore</Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore</Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>

  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
   </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>


The change to make: in KeyStorePath and TrustStorePath, replace the original hpcgateway.keystore file name with gateway.nintendo.jp.keystore, as shown above, with no whitespace around the path. Keep the KeyStorePassword and KeyManagerPassword defaults equal to the keystore password, since Step 2 created the key with the same password as the store.
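As an added example (not part of the HPC Gateway documentation), this Python snippet reads jetty-ssl-context.xml the way Jetty resolves it and flags the mistakes that keep the new keystore from being loaded: a store path still pointing at hpcgateway.keystore, a keystore file missing on disk, a key-manager password that differs from the store password, and whitespace around a path, which is best removed whatever a given Jetty version does with it. The XML is a constructed, abridged copy of the file shown above with the password replaced by the placeholder STORE-PW.

```python
"""Audit the Step 10 jetty-ssl-context.xml settings before restarting Jetty (added example)."""
import xml.etree.ElementTree as ET

# Constructed, abridged copy of the file shown in Step 10 (DOCTYPE and cipher list dropped,
# passwords replaced by the placeholder STORE-PW). It deliberately reproduces the stray
# space after the KeyStorePath value and leaves TrustStorePath on the old keystore.
SAMPLE_XML = """<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore </Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="STORE-PW"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="STORE-PW"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/hpcgateway.keystore</Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="STORE-PW"/></Set>
</Configure>
"""

# Keystore produced by Steps 2 to 8, as referenced by the Step 10 configuration.
NEW_KEYSTORE = "/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore"

def load_ssl_settings(xml_text):
    """Map each <Set name="..."> to its effective value: the literal text, or the
    default of the nested <Property> when the value is supplied that way."""
    settings = {}
    for node in ET.fromstring(xml_text).findall("Set"):
        prop = node.find("Property")
        settings[node.get("name")] = prop.get("default", "") if prop is not None else (node.text or "")
    return settings

def audit_ssl_settings(settings, expected_keystore, present_files):
    """Return the problems that would keep Jetty from serving the new certificate.
    present_files stands in for the file system so the check can run offline."""
    problems = []
    for key in ("KeyStorePath", "TrustStorePath"):
        raw = settings.get(key, "")
        path = raw.strip()
        if raw != path:  # never rely on the XML loader trimming a path for you
            problems.append(f"{key} has surrounding whitespace: {raw!r}")
        if path != expected_keystore:
            problems.append(f"{key} points at {path!r}, expected {expected_keystore!r}")
        elif path not in present_files:
            problems.append(f"{key} file is missing on disk: {path!r}")
    # Step 2 answered RETURN to the key password prompt, so key and store passwords are equal
    if settings.get("KeyManagerPassword") != settings.get("KeyStorePassword"):
        problems.append("KeyManagerPassword differs from KeyStorePassword")
    return problems
```

On the real host, replace `present_files` with a set built from `os.path.isfile()` on the paths you expect.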

  • Restart Jetty after changing its configuration:
[hpcgadmin@head hpcgateway]$ hpcg.sh -s start -l jetty -c "After applying official SSL certificate"

Tip: Force a unique wallpaper to allusers

Each Gateway user having administrator capability has the ability to customize his own environment including the ability to upload and configure a personal wallpaper that could also be selected by other users. The following procedure intends to force a unique wallpaper to all users.

Step 1 : Configure a unique wall paper for all users

Logged as hpcgadmin on Gateway portal, open menu Gateway/Settings. Remove all wallpapers one by one:

Upload chosen wallpaper and select it…

Step 2 : Prevent users to upload any new wallpaper

From menu Gateway/Settings, on panel « Configuration » section « Desktop », untick « User Can update and remove wallpaper »:

Tip: Signing certificate procedure

Gateway is delivered by default with a self signed certificate generated during installation.
As this self signed certificate is not approved by any known certificate authority, user when accessing to Gateway portal will encounter security warnings.
Anyway this self signed certificate will fully encrypt the communication established between user's browser and Gateway server.
This self signed certificate can be also intercepted in some circumstances by firewalls or security devices and Gateway web portal can be banned.

In order to avoid those security warnings and related issues, you can ask for an official certificate signed by a private (owned by your company) or public Certificate Authority (CA). \\
Follow the next steps to get a new certificate officially signed by a private or public Certificate Authority (CA):

Step 1: Locate currently used certificate


The self signed certificate generated during installation and used by Gateway jetty web server is stored inside a keystore file named hpcgateway.keystore.
This keystore protected with a password contains a private key and the self signed certificate. You will need to locate the currently used keystore and get also the used password:

[hpcgadmin@head hpcgadmin]# cd /opt/hpcg/repo/etc/sys/root
[hpcgadmin@head hpcgateway]# ls -l hpcgateway.keystore
-rw-r--r--. 1 hpcgadmin hpcgadmin 2232 Oct  1 18:22 hpcgateway.keystore
[hpcgadmin@head hpcgateway]# cat hpcgateway.password
d455345c-2714-4406-8f0e-1d84065703bf


Step 2: Create a new keystore containing a new private key


Our advice is to keep the existing hpcgateway.keystore safe and usable while asking for a new official certificate based on a new private key stored in a new keystore. Assuming that the company is Nintendo and the administrator is Mario Bros. :-)
Let's create in the same location a new private key stored in a new keystore. Use the password set for hpcgateway.keystore.

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -genkey -alias gateway.nintendo.jp -keyalg RSA -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -keysize 2048
What is your first and last name?
  [Unknown]:  Mario Bros
What is the name of your organizational unit?
  [Unknown]:  Nintendo Corporation Limited
What is the name of your organization?
  [Unknown]:  Nintendo
What is the name of your City or Locality?
  [Unknown]:  Kyoto
What is the name of your State or Province?
  [Unknown]:  Kansai
What is the two-letter country code for this unit?
  [Unknown]:  JP
Is CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP correct?
  [no]:  yes

Enter key password for <gateway.nintendo.jp>
        (RETURN if same as keystore password):


Step 3: Check the private key in the new keystore


List the content of the newly created keystore:

[hpcgadmin@head hpcgateway]$  /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: 17-Jan-2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Serial number: 1169d167
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
Certificate fingerprints:
         MD5:  74:54:5B:66:9B:98:35:31:4D:4F:4F:3A:B9:17:F3:17
         SHA1: 0E:68:D8:EB:E7:37:47:8D:A4:5C:8D:96:D5:06:7F:5F:F2:3F:12:C7
         SHA256: 81:75:B6:A5:9E:54:65:01:75:07:E1:62:4F:D0:68:75:DC:7A:4F:CB:26:A2:5C:70:65:04:87:DE:78:66:8B:08
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 09 1F 96 B4 15 DE 2E AE   93 AA BF 0B 52 E6 E9 07  ............R...
0010: C2 69 16 C6                                        .i..
]
]



*******************************************
*******************************************


Step 4: Create a new CSR


Create a new certificate request based on published domain name or alias of your Gateway service (here gateway.nintendo.fr) :

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -certreq -alias gateway.nintendo.jp -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -file gateway.nintendo.jp.csr
[hpcgadmin@head hpcgateway]$ cat gateway.nintendo.jp.csr
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----


Step 5: Send the CSR to a CA


Submit or the file or the previous content of CSR file to your CA for signing.
You can get a trial certificate from Thawte at https://www.thawte.com/cgi/server/try.exe

Step 6: Check created certificate provided by CA


Once certification authority has created the signed certificate you must save it to a file.
Save the signed certificate from CA to a file like /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem. \ Note: this file must be backed up because it can be re-used if you re-install HPC Gateway.
You can see the content of the signed certificate using the command:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -printcert -v -file /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem


Step 7: Import created certificate provided by CA


Import created certificate into keystore:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -keystore keystore -import -alias gateway.nintendo.jp -file gateway.nintendo.jp.pem -trustcacerts -storepass d455345c-2714-4406-8f0e-1d84065703bf 

Notes: The format of the given certificate must be PEM. Depending on the situation, you might not require the -trustcacerts option. Try the operation without it if you like. If the certificate you receive from the CA is not in a format that keytool understands, you can use the openssl command to convert formats:

[hpcgadmin@head hpcgateway]$ openssl x509 -in gateway.nintendo.jp.der -inform DER -outform PEM -out gateway.nintendo.jp.crt


Step 8: Import Root CA certificate provided by CA :


In some cases the Root CA certificate that must approve the given certificate is included with the given certificate file.
If it is not the the case, you will need to download ROOT CA certificate and import them:

[hpcgadmin@head hpcgateway]$  /opt/hpcg/external/jdk1.8.0_60/bin/keytool -import -v -noprompt -trustcacerts -alias cacert -file Nintendo-CA.pem
-keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf 

Nintendo-CA.pem is the Root Certificate from CA
ex: Regarding Thawte delivered certificates, you can download Thawte Test Root Certificate from http://www.thawte.com/roots/.

Step 9: Verify contents of keystore


As a last checking you can verify the content of the key:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf 
[hpcgadmin@ssf root]$ keytool -list -v -keystore ./hpcgateway.keystore -storepass v3rys3cr3t

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: Jan 23, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Serial number: ff15bee7615861260456e70169ecad70
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
Certificate fingerprints:
         MD5:  C1:E5:BF:05:33:C2:25:21:EC:34:C8:BA:4D:FB:11:8E
         SHA1: 9B:5E:81:F5:1E:D6:6D:0E:3C:FA:33:26:59:F3:17:40:78:02:F8:5A
         SHA256: CB:0B:73:36:EE:BA:AB:46:FE:86:DE:72:37:21:38:D6:BA:3D:4D:6F:F0:F7:E4:09:57:B9:D7:E4:66:24:AE:D1
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://xxxxxxxxx/ThawteStandardSSLCA2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://xxxxxxxxx
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/GandiStandardSSLCA2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 19 68 74 74 70 73 3A   2F 2F 63 70 73 2E 75 73  ..https://cps.us
0010: 65 72 74 72 75 73 74 2E   63 6F 6D                 ertrust.com

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 A5 56 23 A8 48 5F 05   2C BB 3A 4D A5 A2 CB 0E  ..V#.H_.,.:M....
0010: 75 F4 FA 70                                        u..p
]
]

Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5e4dc3b9438ab3b8597cba6a19850e3
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
Certificate fingerprints:
         MD5:  1A:9A:69:A8:1F:6D:A9:2D:87:F7:69:4E:16:D8:B8:79
         SHA1: 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34
         SHA256: B9:F2:16:43:23:63:8D:CE:0B:92:21:8B:43:C4:1C:1B:2B:26:96:38:93:29:DB:19:F5:CF:7A:D4:9B:5C:B3:72
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z.+J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

Certificate[3]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 1fd6d30fca3ca51a81bbc640e35032d
Valid from: Mon Feb 01 01:00:00 CET 2010 until: Tue Jan 19 00:59:59 CET 2038
Certificate fingerprints:
         MD5:  1B:FE:69:D1:91:B7:19:33:A3:72:A8:0F:E1:55:E5:B5
         SHA1: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
         SHA256: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z.+J.T.......
0010: B2 03 66 CB                                        ..f.
]
]



*******************************************
*******************************************


The most important thing to check is that, under the private key alias, the chain information is displayed. You are looking for: Certificate chain length: 3. The chain length must be greater than one, which means your certificate has been signed by at least one third-party CA (a length of 1, as in the Step 3 listing, means the keystore still holds only the self-signed certificate).
Note: there is plenty of information on the web about obtaining and installing a valid certificate.
For example, read the following online articles:
https://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
https://support.dnsimple.com/articles/what-is-ssl-certificate-chain
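A reviewer's check for the Step 9 listing, as an added example that is not HPC Gateway code: it parses keytool -list -v output like the one above and reports the conditions a CA-signed keystore must satisfy before Jetty uses it. The hostname to check and the reference date are parameters you supply; the listings embedded below are constructed from the page's own output.

```python
"""Check a `keytool -list -v` listing the way Step 9 describes.
Added example, not HPC Gateway code: parses the keytool text shown above and flags a
chain of length 1, a self-signed leaf, a leaf not naming the Gateway host, an expired
leaf, or a broken issuer/owner link in the chain."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Union

# Constructed listing, shortened from the page's Step 9 output (root CA and unused extensions left out).
SIGNED_LISTING = """\
Alias name: gateway.nintendo.jp
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]
Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
"""
# Constructed listing matching the Step 3 state (key generated, CA reply not imported yet).
SELF_SIGNED_LISTING = """\
Alias name: gateway.nintendo.jp
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
"""

@dataclass
class Cert:
    owner: str
    issuer: str
    not_after: Optional[datetime] = None
    san: List[str] = field(default_factory=list)

@dataclass
class Entry:
    alias: str
    entry_type: str
    chain_length: int   # what keytool states; the parsed chain may be shorter if the listing was cut
    chain: List[Cert]

_DATE = re.compile(r"(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")
def _parse_date(text: str) -> Optional[datetime]:
    # "Thu Jan 23 00:59:59 CET 2020": the zone abbreviation is skipped, strptime cannot parse it portably
    m = _DATE.search(text)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y") if m else None

def _parse_cert(block: str) -> Cert:
    def grab(key: str) -> str:
        m = re.search(rf"^{key}: (.*)$", block, re.M)
        return m.group(1).strip() if m else ""
    san = re.search(r"SubjectAlternativeName \[(.*?)\]", block, re.S)
    return Cert(owner=grab("Owner"), issuer=grab("Issuer"),
                not_after=_parse_date(grab("Valid from").partition(" until: ")[2]),
                san=re.findall(r"DNSName: (\S+)", san.group(1)) if san else [])

def parse_listing(text: str) -> List[Entry]:
    """Split keytool -list -v output into entries and their certificate chains."""
    entries = []
    for chunk in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = chunk.partition("\n")
        etype = re.search(r"^Entry type: (.*)$", body, re.M)
        length = re.search(r"^Certificate chain length: (\d+)", body, re.M)
        certs = [_parse_cert(b) for b in re.split(r"^Certificate\[\d+\]:\n", body, flags=re.M)[1:]]
        entries.append(Entry(alias.strip(), etype.group(1).strip() if etype else "",
                             int(length.group(1)) if length else len(certs), certs))
    return entries

def check_entry(entry: Entry, hostname: str, now: Union[str, datetime]) -> List[str]:
    """Findings for one entry (empty list: Jetty can use it); `now` may be an ISO date string."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    findings = []
    if entry.entry_type != "PrivateKeyEntry":
        findings.append(f"{entry.alias}: {entry.entry_type}, Jetty needs a PrivateKeyEntry")
    if entry.chain_length < 2:
        findings.append(f"{entry.alias}: chain length {entry.chain_length}, CA reply not imported (Step 7)")
    if not entry.chain:  # a trustedCertEntry such as the cacert alias of Step 8 prints no chain
        return findings
    leaf = entry.chain[0]
    names = leaf.san + [rdn[3:] for rdn in leaf.owner.split(", ") if rdn.startswith("CN=")]
    if leaf.owner == leaf.issuer:
        findings.append("leaf certificate is self-signed (Owner equals Issuer)")
    if hostname not in names:
        findings.append(f"leaf certificate does not name {hostname} (has: {', '.join(names)})")
    if leaf.not_after and leaf.not_after < now:
        findings.append(f"leaf certificate expired on {leaf.not_after:%Y-%m-%d}")
    for lower, upper in zip(entry.chain, entry.chain[1:]):
        if lower.issuer != upper.owner:
            findings.append(f"chain broken: '{lower.issuer}' is not the next Owner")
    return findings
```

To check a live keystore, feed the output of the keytool -list -v command from Step 9 into parse_listing and call check_entry with the published Gateway name and today's date.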

Step 10: Configure Jetty to use the new keystore and contained certificate:

  • You must stop Jetty prior to this change on Jetty configuration:

[hpcgadmin@head hpcgateway]$ source /opt/hpcg/core/etc/profile.sh
[hpcgadmin@head hpcgateway]$ hpcg.sh -s stop -l jetty -c "Before applying official SSL certificate"

  • Then you must modify the jetty ssl configuration located in jetty-ssl-context.xml accordingly:

[root@SuShI root]# vi jetty-ssl-context.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>

  <!-- From SFWAY -->
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore</Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore</Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>


  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
   </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>


Note: the change to make is the keystore filename in KeyStorePath (and in TrustStorePath, which points at the same file): replace hpcgateway.keystore by gateway.nintendo.jp.keystore, i.e. the keystore you created in Step 2 and imported the CA reply into in Step 7 (use the name you actually gave it). The three password values must stay equal to the keystore password, which is why Step 2 advised reusing the hpcgateway.keystore password.

  • You must restart Jetty after this change on Jetty configuration:


[hpcgadmin@head hpcgateway]$ hpcg.sh -s start -l jetty -c "After applying official SSL certificate"
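A pre-flight check for the Jetty change above, added here as an example and not HPC Gateway's own tooling: it reads the <Set> values of jetty-ssl-context.xml, flags what would keep the self-signed certificate in service or stop Jetty from starting, and rewrites KeyStorePath/TrustStorePath to the new keystore. The file content embedded in it is a constructed "before" state; the keystore path and password are the page's.

```python
"""Pre-flight check for jetty-ssl-context.xml before restarting Jetty (Step 10).
Added example, not HPC Gateway code. It reads the <Set> values of the file shown above,
reports what would make Jetty fail to start or keep serving the self-signed certificate,
and rewrites KeyStorePath/TrustStorePath to the new keystore without touching the rest."""
import os
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Union

# Constructed "before" state of the page's file: still the installation keystore,
# and the stray blank before </Set> that the page's listing carries.
BEFORE_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/hpcgateway.keystore </Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/hpcgateway.keystore </Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
   </Array>
  </Set>
</Configure>
"""
KEYSTORE_PASSWORD = "d455345c-2714-4406-8f0e-1d84065703bf"  # content of hpcgateway.password (Step 1)
NEW_KEYSTORE = "/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore"

def read_settings(xml_text: str) -> Dict[str, Union[str, List[str]]]:
    """Map each top-level <Set name=...> to its literal text, Property default, or Array items."""
    settings = {}
    for s in ET.fromstring(xml_text).findall("Set"):
        prop, arr = s.find("Property"), s.find("Array")
        if prop is not None:
            settings[s.get("name")] = prop.get("default", "")
        elif arr is not None:
            settings[s.get("name")] = [(i.text or "").strip() for i in arr.findall("Item")]
        else:
            settings[s.get("name")] = s.text or ""
    return settings

def check_ssl_context(settings, keystore_password: str,
                      exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Problems to fix before `hpcg.sh -s start -l jetty`; an empty list means go."""
    problems = []
    for name in ("KeyStorePath", "TrustStorePath"):
        raw = str(settings.get(name, ""))
        path = raw.strip()
        if raw != path:
            problems.append(f"{name}: whitespace inside the value ({raw!r}), remove it before </Set>")
        if not path:
            problems.append(f"{name}: no path set")
        elif os.path.basename(path) == "hpcgateway.keystore":
            problems.append(f"{name}: still the self-signed installation keystore")
        elif not exists(path):
            problems.append(f"{name}: {path} not found on this host")
    for name in ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword"):
        if settings.get(name) != keystore_password:
            problems.append(f"{name}: differs from the password in hpcgateway.password")
    if not settings.get("ExcludeCipherSuites"):
        problems.append("ExcludeCipherSuites: the DES/EXPORT exclusion list is missing")
    return problems

_PATH_SET = re.compile(r'(<Set name="(?:KeyStorePath|TrustStorePath)">)[^<]*(</Set>)')

def point_at_keystore(xml_text: str, keystore_path: str) -> str:
    """Rewrite KeyStorePath and TrustStorePath in the raw text, so the DOCTYPE, comments
    and element order that Jetty's XmlConfiguration reads stay exactly as they were."""
    return _PATH_SET.sub(lambda m: f"{m.group(1)}{keystore_path}{m.group(2)}", xml_text)

if __name__ == "__main__":
    print(check_ssl_context(read_settings(BEFORE_XML), KEYSTORE_PASSWORD))
    after = point_at_keystore(BEFORE_XML, NEW_KEYSTORE)
    print(check_ssl_context(read_settings(after), KEYSTORE_PASSWORD))
```

On the Gateway host, read the real file and hpcgateway.password instead of the embedded constants; the default `exists` then verifies that the keystore file is really where the path says.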

Tip: Modify Rundir & Runlog location

Gateway has a specific path configuration for the default RUNDIR and RUNLOG. RUNDIR is the physical path where a task writes its output files. RUNLOG is the physical path where a task writes its logs.

The RUNDIR and RUNLOG paths are made of a prefix path and a suffix path.
The prefix path is a standard unix path, usually located in /home/hpcgadmin/hpcgateway.
The suffix path is a combination of Gateway variables computed and substituted on the fly for each Gateway task instance.
Available variables:

  • @@__HPCG_USER__@@ : the Gateway user account (usually the associated unix/ldap user login account)
  • @@__HPCG_PATH_DATE__@@ : the task instance creation date
  • task_@@__HPCG_TASK_NUM__@@ : the task instance number

ex:

  • default RUNDIR path=“/home/hpcgadmin/hpcgateway/rundir/@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@”
  • default RUNLOG path=“/home/hpcgadmin/hpcgateway/runlog/@@_HPCG_USER_NAME_@@”

Note that the full combination of variables is available only for the RUNDIR suffix path; the RUNLOG suffix path is hard coded by Gateway and not configurable.

Modifying the prefix path is allowed, to match your cluster file system requirements.

Modifying the suffix path, and in particular changing the combination of Gateway variables, is not recommended.
This combination is designed to keep file/folder browsing efficient and to minimise slowdowns on file system use.

Below is the procedure to modify the prefix path of RUNDIR and RUNLOG:

Step 1 : Stop all Gateway services

From shell on Gateway host as hpcgadmin:

[hpcgadmin@SuShI ~]$ source /opt/hpcg/core/etc/profile.sh
[hpcgadmin@SuShI ~]$ hpcg.sh -s stop -l all
...

Step 2 : Extract Gateway configuration

Use the hpcg_dbase_config.py command to extract the configuration from the Mongo database to the file system.

[hpcgadmin@SuShI ~]$ hpcg_dbase_config.py --pull
2019/08/21 12:54:05 - INFO  - Export configs
2019/08/21 12:54:05 - INFO  - Export servers
2019/08/21 12:54:05 - INFO  - Export clusters
2019/08/21 12:54:05 - INFO  - Export gridfs
2019/08/21 12:54:07 - INFO  - Database files are exported in /opt/hpcg/repo/conf/current
[hpcgadmin@SuShI ~]$ cd /opt/hpcg/repo/conf/current

Step 3 : Modify RUNDIR prefix path

Edit the cluster configuration file and modify the prefix of the RUNDIR root path, keeping the variable suffix as it is:

[hpcgadmin@SuShI current]$ cat clusters/sushi.5bb24a19f165aac9482ea018.json
{
    "_id": {
        "$oid": "5bb24a19f165aac9482ea018"
    },
    "cost": 0,
    "creationDate": 1538411033,
    "description": "Cluster sushi",
    "headnode": {
        "id": "5bb24a1920814467fecf4678",
        "name": "sushi"
    },
    "modificationDate": 1538411033,
    "name": "sushi",
    "rundirs": [
        {
            "description": "The rundir will be automatically created in the HPC Gateway home file system (/home/hpcgadmin/hpcgateway)",
            "label": "Automatic creation in HPC Gateway home",
            "num": 1.0,
            "root": "/scratch/@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@"
        }
    ],
...

Step 4 : Modify RUNLOG prefix path

Edit the server configuration file and modify the RUNLOG path (the runlogDir key):

[hpcgadmin@SuShI current]$ cat servers/sushi.5bb24a1920814467fecf4678.json
{
    "_id": {
        "$oid": "5bb24a1920814467fecf4678"
    },
    "creationDate": 1538411033,
    "description": "Server sushi",
    "icon": null,
    "ipAddress": "sushi",
    "modificationDate": 1538411033,
    "name": "sushi",
    "settings": {
        "cleanupPeriod": "300",
        "cleanupTimeout": "1200",
        "host": "sushi",
        "maxConnections": "6",
        "port": "22",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA2pLj9BYyK/WAb5qfkoxdG86JRDaQdYj24rdrIVluD/RlDoIv\nK3ZTr5e9zdLTTDRBR1bJl+7zP9dU9exYNpCXvnkqJfRCIP/j5oBkTTI5c6YvMR8p\nVfHUUg+tOAE/w9BcSRGnmC0KtYN5TWLQkjswHGfx62JNDBmkkKtyhhvH+ET6zS8J\nUZ9rbsgmHrujy9E/1xSugKY9qaHkgJh2SqTKOx47kB0rz0to/NzjZ2J5raI+3MAn\nof46KbDFyW10S/CwvPw6g3MlDP/jxn1+76qczwhvqUoJ+YvjU/+HG8ptghjIrN8m\nZv7rxSDfHCMpxoH1NncZV2vxGbH5ejYp3UBJWQIDAQABAoIBABoq18uTFLKak6PI\n2S3MTCFWGqzl82l+2j/OQa8ea8TRN4ADKe6EHgS5n+mSQeWvo9kMlNnxq4GLIArJ\nHs55hREypE8i7P/SYtBnsppjVul3jdLNrj8x0n94jP5Vd/LTcRj2WiAn1E5izRTs\nrZe0KlBcSWQqwpqeP0tqmy1fChO4xbC7wMNAmp1arC9elFOX347rGGSRSvZfnade\n8zK+hAyhUiK+CUua9k7iq+fb2Jb+zHZbR9XxXXlnjLyUMvFx7n0WB2JxuoMmD+l9\nE3PZoy3Hf20+fKoPT9dHfzXT/BWTovZhPqkmBCDkc441v24UuOJPHb9SlJ6r7yOr\nBo2la9kCgYEA4TNU3h2dGjQplgar4BmOiAM9+3MESukT7UYHBaZvefcXwV26nG28\nqYwPipfyBmbS69E2LsfdGL8RyxEnaiTrtSbdJcB3/R3cZBwmtJK5yh6Qlrsz89RQ\nJxSDrZirtt5aaW3gAODtxA1k7F+VIzAg+qTf/1sJlG0CPD8LS1xiOHMCgYEA+HeL\nrpinnZSAGm+LkLnCMOrJmvwWxavIwrsJsEa0mjqVbbsXUYeoqEeX8QkiQj3jxGwx\nFj4gwg1WJhxpSyjAuhnsCRC66aavgPw0CyHZKqx3J8zwXxWB45QDHBhzz3OHRzs0\nff+NS8ZVJ7P2tVlb/OJgnFp5ErLNb9mrWfI34AMCgYBfC9cp173SrWlP1Ij+EEtD\nxHqIgcayByVN41xbWh96jnsMNY7pLreNp3t3tyGC6irjNG112QzLwPi1iAvmlKaW\n0kxL/qulvNCjv+3mEHcxgyzrMR+ALX+WvuXEgscWa0olbSY5uLUhJbYOvViofUut\n/aA8miO07T0gSEtwBxG9WQKBgQCqHfeGIEDK9GzNLMgq2/RoV6iXM7hHuPko0rSs\ne4yV+DxtN+acTLyeEv6l6nIJVqSGzOjC6OC23Di6uUMiUZG7GZpxDoJbDWQmdQcR\nBCjTPegLWRbOk0QuVB3Y86j/RYM+svuatQjB89ZD68Sjn74Ko9gv1QYGVmOwDCF0\n4RF+jwKBgAKynR/h/o+pYOxBWMEReQEesEacifuHNefx4WVDq/4dWN5diKnCoKav\n2L8Y7uFgzPbpSy+F2KWrcQA9lVqq/bnaPiQP3YiNYT/mu7q34cF78U3ZAMe2+a/u\nY1v0+9UNyy91DZFtuuIsbkurHfQKXatzQVuBWTAmUy52rfTmx8fY\n-----END RSA PRIVATE KEY-----",
        "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDakuP0FjIr9YBvmp+SjF0bzolENpB1iPbit2shWW4P9GUOgi8rdlOvl73N0tNMNEFHVsmX7vM/11T17Fg2kJe+eSol9EIg/+PmgGRNMjlzpi8xHylV8dRSD604AT/D0FxJEaeYLQq1g3lNYtCSOzAcZ/HrYk0MGaSQq3KGG8f4RPrNLwlRn2tuyCYeu6PL0T/XFK6Apj2poeSAmHZKpMo7HjuQHSvPS2j83ONnYnmtoj7cwCeh/jopsMXJbXRL8LC8/DqDcyUM/+PGfX7vqpzPCG+pSgn5i+NT/4cbym2CGMis3yZm/uvFIN8cIynGgfU2dxlXa/EZsfl6NindQElZ",
        "runlogDir": "/shared/hpcgateway/runlog",
        "userInitScript": "/opt/hpcg/core/etc/profile.d/user_init.sh"
    },
    "status": "ENABLED",
    "tags": [
        "sushi"
    ],
    "teams": [
        {
            "id": "568e3a3cddff3a6ccdaf92c8",
            "name": "Public"
        }
    ],
    "wikiURI": ""
}

Search for the “runlogDir” key and modify the associated value accordingly.

Step 5 : Push the configuration and restart the Gateway services

[hpcgadmin@SuShI ~]$ hpcg_dbase_config.py --push
...
[hpcgadmin@SuShI ~]$ hpcg.sh -s restart -l all

Step 6 : Modify RUNLOG and RUNDIR mountpoints

This step is mandatory if you have changed the RUNDIR and/or RUNLOG prefix path, so that the file explorer can browse a task's RUNDIR or RUNLOG at the modified path.

From the Gateway web portal logged as hpcgadmin, open the Admin Dashboard and select the mount point tab:

Right click on the RUNDIR and edit mount point:

Right click on the RUNLOG and edit mount point:
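Helpers for the prefix/suffix rule of this tip, added as an example and not HPC Gateway code: they expand the @@__VAR__@@ suffix for one task instance, vet a proposed rundir root, and move the RUNDIR prefix in a cluster document without touching the suffix. The variable syntax is the one in the cluster JSON shown above; the format of HPCG_PATH_DATE is an assumption (YYYYMMDD), and the cluster document is constructed from the page's.

```python
"""Rundir path helpers for the RUNDIR/RUNLOG tip: expand the @@__VAR__@@ suffix for one
task instance, and move the RUNDIR prefix in a cluster document while leaving the
variable suffix (which the page says not to change) untouched.
Added example, not HPC Gateway code. The @@__NAME__@@ syntax comes from the cluster JSON
above; the HPCG_PATH_DATE format is not documented on the page, YYYYMMDD is assumed."""
import copy
import json
import re
from datetime import date
from typing import Dict, List, Tuple, Union

VAR_RE = re.compile(r"@@__([A-Z0-9_]+?)__@@")
KNOWN_VARS = ("HPCG_USER", "HPCG_PATH_DATE", "HPCG_TASK_NUM")
RECOMMENDED_SUFFIX = "@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@"

# Constructed cluster document, trimmed from the page's clusters/sushi.*.json.
CLUSTER = {
    "name": "sushi",
    "rundirs": [{"label": "Automatic creation in HPC Gateway home", "num": 1.0,
                 "root": "/scratch/@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@"}],
}

def split_root(root: str) -> Tuple[str, str]:
    """(prefix, suffix) of a rundir root, cut at the first Gateway variable."""
    m = VAR_RE.search(root)
    if m is None:
        return root.rstrip("/"), ""
    return root[:m.start()].rstrip("/"), root[m.start():]

def check_root(root: str) -> List[str]:
    """Warnings for a proposed rundir root: relative prefix, unknown variable, changed suffix."""
    prefix, suffix = split_root(root)
    warnings = []
    if not prefix.startswith("/"):
        warnings.append(f"prefix {prefix!r} is not an absolute path")
    for name in VAR_RE.findall(root):
        if name not in KNOWN_VARS:
            warnings.append(f"@@__{name}__@@ is not a Gateway variable")
    if suffix != RECOMMENDED_SUFFIX:
        warnings.append("suffix differs from user/date/task_num; browsing and file-system load will suffer")
    return warnings

def expand(template: str, user: str, task_num: int, created: Union[str, date]) -> str:
    """Path of one task instance; raises KeyError on a variable Gateway would not know.
    `created` may be a date or an ISO date string."""
    created = date.fromisoformat(created) if isinstance(created, str) else created
    values = {"HPCG_USER": user, "HPCG_PATH_DATE": created.strftime("%Y%m%d"),
              "HPCG_TASK_NUM": str(task_num)}
    return VAR_RE.sub(lambda m: values[m.group(1)], template)

def set_rundir_prefix(cluster: Dict, new_prefix: str) -> Dict:
    """Copy of the cluster document with every rundir moved under new_prefix, suffix kept."""
    if not new_prefix.startswith("/"):
        raise ValueError("the prefix must be an absolute path on the cluster file system")
    out = copy.deepcopy(cluster)
    for rd in out["rundirs"]:
        _, suffix = split_root(rd["root"])
        rd["root"] = f"{new_prefix.rstrip('/')}/{suffix}"
    return out

if __name__ == "__main__":
    moved = set_rundir_prefix(CLUSTER, "/home/hpcgadmin/hpcgateway/rundir")
    print(json.dumps(moved["rundirs"], indent=4))
    print(expand(moved["rundirs"][0]["root"], "mario", 42, "2019-08-21"))
```

Run set_rundir_prefix on the document read from clusters/<name>.<id>.json before pushing it back with hpcg_dbase_config.py --push; check_root tells you when an edit strayed beyond the prefix.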

This is a list of tips around requests made by administrators when installing/configuring Gateway.
This list is not exhaustive and will be enhanced based on the returns of HPC Gateway usage.


Tip: Signing certificate procedure

Gateway is delivered by default with a self signed certificate generated during installation.
As this self signed certificate is not approved by any known certificate authority, user when accessing to Gateway portal will encounter security warnings.
Anyway this self signed certificate will fully encrypt the communication established between user's browser and Gateway server.

Tip: Force a unique wallpaper to allusers

Each Gateway user having administrator capability has the ability to customize his own environment including the ability to upload and configure a personal wallpaper that could also be selected by other users. The following procedure intends to force a unique wallpaper to all users.

Step 1 : Configure a unique wall paper for all users

Logged as hpcgadmin on Gateway portal, open menu Gateway/Settings. Remove all wallpapers one by one:

Upload chosen wallpaper and select it…

Step 2 : Prevent users to upload any new wallpaper

From menu Gateway/Settings, on panel « Configuration » section « Desktop », untick « User Can update and remove wallpaper »:

This self signed certificate can be also intercepted in some circumstances by firewalls or security devices and Gateway web portal can be banned.

In order to avoid those security warnings and related issues, you can ask for an official certificate signed by a private (owned by your company) or public Certificate Authority (CA). \\
Follow the next steps to get a new certificate officially signed by a private or public Certificate Authority (CA):

Step 1: Locate currently used certificate


The self signed certificate generated during installation and used by Gateway jetty web server is stored inside a keystore file named hpcgateway.keystore.
This keystore protected with a password contains a private key and the self signed certificate. You will need to locate the currently used keystore and get also the used password:

[hpcgadmin@head hpcgadmin]# cd /opt/hpcg/repo/etc/sys/root
[hpcgadmin@head hpcgateway]# ls -l hpcgateway.keystore
-rw-r--r--. 1 hpcgadmin hpcgadmin 2232 Oct  1 18:22 hpcgateway.keystore
[hpcgadmin@head hpcgateway]# cat hpcgateway.password
d455345c-2714-4406-8f0e-1d84065703bf

Step 2: Create a new keystore containing a new private key


Our advice is to keep the existing hpcgateway.keystore safe and usable while asking for a new official certificate based on a new private key stored in a new keystore. Assuming that the company is Nintendo and the administrator is Mario Bros. :-)
Let's create in the same location a new private key stored in a new keystore. Use the password set for hpcgateway.keystore.

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -genkey -alias gateway.nintendo.jp -keyalg RSA -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -keysize 2048
What is your first and last name?
  [Unknown]:  Mario Bros
What is the name of your organizational unit?
  [Unknown]:  Nintendo Corporation Limited
What is the name of your organization?
  [Unknown]:  Nintendo
What is the name of your City or Locality?
  [Unknown]:  Kyoto
What is the name of your State or Province?
  [Unknown]:  Kansai
What is the two-letter country code for this unit?
  [Unknown]:  JP
Is CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP correct?
  [no]:  yes

Enter key password for <gateway.nintendo.jp>
        (RETURN if same as keystore password):

Step 3: Check the private key in the new keystore


List the content of the newly created keystore:

[hpcgadmin@head hpcgateway]$  /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: 17-Jan-2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Serial number: 1169d167
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
Certificate fingerprints:
         MD5:  74:54:5B:66:9B:98:35:31:4D:4F:4F:3A:B9:17:F3:17
         SHA1: 0E:68:D8:EB:E7:37:47:8D:A4:5C:8D:96:D5:06:7F:5F:F2:3F:12:C7
         SHA256: 81:75:B6:A5:9E:54:65:01:75:07:E1:62:4F:D0:68:75:DC:7A:4F:CB:26:A2:5C:70:65:04:87:DE:78:66:8B:08
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 09 1F 96 B4 15 DE 2E AE   93 AA BF 0B 52 E6 E9 07  ............R...
0010: C2 69 16 C6                                        .i..
]
]

*******************************************
*******************************************

Step 4: Create a new CSR


Create a new certificate request based on published domain name or alias of your Gateway service (here gateway.nintendo.fr) :

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -certreq -alias gateway.nintendo.jp -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -file gateway.nintendo.jp.csr
[hpcgadmin@head hpcgateway]$ cat gateway.nintendo.jp.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAwfTELMAkGA1UEBhMCSlAxDzANBgNVBAgTBkthbnNhaTEOMAwGA1UEBxMFS3lv
dG8xETAPBgNVBAoTCE5pbnRlbmRvMSUwIwYDVQQLExxOaW50ZW5kbyBDb3Jwb3JhdGlvbiBMaW1p
dGVkMRMwEQYDVQQDEwpNYXJpbyBCcm9zMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
qEI XmxZ22YCvbe4NJk436gd/TT4kofe9ytCZaRPO1GTRFtXPt5z MqDgD5p5K8wfk UpZpzU7xW
FXtTMFLvyhzN1mtGIJZq2ltzwLQsC3OBkHlfv6 XnWLvCCsIU2I9d7Rp26VypUPH1TsoFxWPNLHs
p1Et5Ndk2lW9dSLMpySWg2YXcORzaE4IPe3AnfaY9HTI8Zu4V6NYY9X8GN1PWDgbgwHf9y2IJ8kQ
KXCYy C5u0n3RXScJue/ZSqsiV4KxIE00cb7zFUfdqVndyP2P003NZiJJArySc4lIEfvkxNdFOX4
rQCK7QwYZfRi96VC8/jDj/RGopg87OmCmRsIGQIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNV
HQ4EFgQUCR WtBXeLq6Tqr8LUubpB8JpFsYwDQYJKoZIhvcNAQELBQADggEBAEfjxecgRnaaVhYS
Q1mMyV9JFDaJtfNzVX8GQ4ee3vE5ofRrzdjI E6XCy6EGQsq4oJcVaf3 lmI1UVCQ488G1ZhRNii
t6Cknjvc87yXGPyvuSVXInWoqQEvtXKtE5hJJ8h4w3Ywu0vDHb6SKEX56h0B7dRmuJF4IhwCM68h
OeOE6zL5APArKv5912IH6EPRW5HmVBdShEe6h1AodBcWiM/5ZulQ5JkxvNUMeqTG1k9J8FavW/7h
zcCv8Fi2dSXlZwMqHJNKpksFMVnMnfUHo3Bz6B2t4is7XWRoB4HNTBHQjkg0SxSyGYzhyXo0ObbA
UygDg CkGFlK0R5M44I33GQ=
-----END NEW CERTIFICATE REQUEST-----

Step 5: Send the CSR to a CA


Submit or the file or the previous content of CSR file to your CA for signing.
You can get a trial certificate from Thawte at https://www.thawte.com/cgi/server/try.exe

Step 6: Check created certificate provided by CA


Once certification authority has created the signed certificate you must save it to a file.
Save the signed certificate from CA to a file like /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem. \ Note: this file must be backed up because it can be re-used if you re-install HPC Gateway.
You can see the content of the signed certificate using the command:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -printcert -v -file /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem

Step 7: Import created certificate provided by CA


Import created certificate into keystore:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -keystore keystore -import -alias gateway.nintendo.jp -file gateway.nintendo.jp.pem -trustcacerts -storepass d455345c-2714-4406-8f0e-1d84065703bf

Notes: The format of the given certificate must be PEM. Depending on the situation, you might not require the -trustcacerts option. Try the operation without it if you like. If the certificate you receive from the CA is not in a format that keytool understands, you can use the openssl command to convert formats:

[hpcgadmin@head hpcgateway]$ openssl x509 -in gateway.nintendo.jp.der -inform DER -outform PEM -out gateway.nintendo.jp.crt

Step 8: Import Root CA certificate provided by CA :


In some cases the Root CA certificate that must approve the given certificate is included with the given certificate file.
If it is not the the case, you will need to download ROOT CA certificate and import them:

[hpcgadmin@head hpcgateway]$  /opt/hpcg/external/jdk1.8.0_60/bin/keytool -import -v -noprompt -trustcacerts -alias cacert -file Nintendo-CA.pem
-keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Nintendo-CA.pem is the Root Certificate from CA
ex: Regarding Thawte delivered certificates, you can download Thawte Test Root Certificate from http://www.thawte.com/roots/.

Step 9: Verify contents of keystore


As a last checking you can verify the content of the key:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf
[hpcgadmin@ssf root]$ keytool -list -v -keystore ./hpcgateway.keystore -storepass v3rys3cr3t

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: Jan 23, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Serial number: ff15bee7615861260456e70169ecad70
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
Certificate fingerprints:
         MD5:  C1:E5:BF:05:33:C2:25:21:EC:34:C8:BA:4D:FB:11:8E
         SHA1: 9B:5E:81:F5:1E:D6:6D:0E:3C:FA:33:26:59:F3:17:40:78:02:F8:5A
         SHA256: CB:0B:73:36:EE:BA:AB:46:FE:86:DE:72:37:21:38:D6:BA:3D:4D:6F:F0:F7:E4:09:57:B9:D7:E4:66:24:AE:D1
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://xxxxxxxxx/ThawteStandardSSLCA2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://xxxxxxxxx
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/GandiStandardSSLCA2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 19 68 74 74 70 73 3A   2F 2F 63 70 73 2E 75 73  ..https://cps.us
0010: 65 72 74 72 75 73 74 2E   63 6F 6D                 ertrust.com

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 A5 56 23 A8 48 5F 05   2C BB 3A 4D A5 A2 CB 0E  ..V#.H_.,.:M....
0010: 75 F4 FA 70                                        u..p
]
]

Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5e4dc3b9438ab3b8597cba6a19850e3
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
Certificate fingerprints:
         MD5:  1A:9A:69:A8:1F:6D:A9:2D:87:F7:69:4E:16:D8:B8:79
         SHA1: 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34
         SHA256: B9:F2:16:43:23:63:8D:CE:0B:92:21:8B:43:C4:1C:1B:2B:26:96:38:93:29:DB:19:F5:CF:7A:D4:9B:5C:B3:72
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z. J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

Certificate[3]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 1fd6d30fca3ca51a81bbc640e35032d
Valid from: Mon Feb 01 01:00:00 CET 2010 until: Tue Jan 19 00:59:59 CET 2038
Certificate fingerprints:
         MD5:  1B:FE:69:D1:91:B7:19:33:A3:72:A8:0F:E1:55:E5:B5
         SHA1: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
         SHA256: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z. J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

*******************************************
*******************************************


The most important thing you want to see is that, under the private key alias, additional information is being displayed. You're looking for this: Certificate chain length: 3 Certificate chain must be more than one which will mean that your certificate is approved by minimum 1 third part CA authority.
Note: There are plenty information on the web to get and set a valid certificate.
For example read the following online articles:
https://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore.
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
https://support.dnsimple.com/articles/what-is-ssl-certificate-chain

Step 10: Configure Jetty to use the new keystore and contained certificate:

  • You must stop Jetty prior to this change on Jetty configuration:
[hpcgadmin@head hpcgateway]$ source /opt/hpcg/core/etc/profile/sh
[hpcgadmin@head hpcgateway]$ hpcg.sh -s stop -l jetty -c "Before applying official SSL certificate"
  • Then you must modify the jetty ssl configuration located in jetty-ssl-context.xml accordingly:
[root@SuShI root]# vi jetty-ssl-context.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>

  <!-- From SFWAY -->
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore </Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore </Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>

  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
   </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>


TODO: Modify the keystore filename in KeyStorePath from hpcgateway.keystore to gateway.nintendo.jp.keystore

  • You must restart Jetty after this change on Jetty configuration:
[hpcgadmin@head hpcgateway]$ hpcg.sh -s start -l jetty -c "After applying official SSL certificate"

Tip: Force a unique wallpaper to allusers

Each Gateway user having administrator capability has the ability to customize his own environment including the ability to upload and configure a personal wallpaper that could also be selected by other users. The following procedure intends to force a unique wallpaper to all users.

Step 1 : Configure a unique wall paper for all users

Logged as hpcgadmin on Gateway portal, open menu Gateway/Settings. Remove all wallpapers one by one:

Upload chosen wallpaper and select it…

Step 2 : Prevent users to upload any new wallpaper

From menu Gateway/Settings, on panel « Configuration » section « Desktop », untick « User Can update and remove wallpaper »:

Tip: Signing certificate procedure

Gateway is delivered by default with a self signed certificate generated during installation.
As this self signed certificate is not approved by any known certificate authority, user when accessing to Gateway portal will encounter security warnings.
Anyway this self signed certificate will fully encrypt the communication established between user's browser and Gateway server.
This self signed certificate can be also intercepted in some circumstances by firewalls or security devices and Gateway web portal can be banned.

In order to avoid those security warnings and related issues, you can ask for an official certificate signed by a private (owned by your company) or public Certificate Authority (CA).

Follow the next steps to get a new certificate officially signed by a private or public Certificate Authority (CA):

Step 1: Locate currently used certificate


The self signed certificate generated during installation and used by Gateway jetty web server is stored inside a keystore file named hpcgateway.keystore.
This keystore protected with a password contains a private key and the self signed certificate. You will need to locate the currently used keystore and get also the used password:

[hpcgadmin@head hpcgadmin]# cd /opt/hpcg/repo/etc/sys/root
[hpcgadmin@head hpcgateway]# ls -l hpcgateway.keystore
-rw-r--r--. 1 hpcgadmin hpcgadmin 2232 Oct  1 18:22 hpcgateway.keystore
[hpcgadmin@head hpcgateway]# cat hpcgateway.password
d455345c-2714-4406-8f0e-1d84065703bf

Step 2: Create a new keystore containing a new private key


Our advice is to keep the existing hpcgateway.keystore safe and usable while asking for a new official certificate based on a new private key stored in a new keystore. Assuming that the company is Nintendo and the administrator is Mario Bros. :-)
Let's create in the same location a new private key stored in a new keystore. Use the password set for hpcgateway.keystore.

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -genkey -alias gateway.nintendo.jp -keyalg RSA -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -keysize 2048
What is your first and last name?
  [Unknown]:  Mario Bros
What is the name of your organizational unit?
  [Unknown]:  Nintendo Corporation Limited
What is the name of your organization?
  [Unknown]:  Nintendo
What is the name of your City or Locality?
  [Unknown]:  Kyoto
What is the name of your State or Province?
  [Unknown]:  Kansai
What is the two-letter country code for this unit?
  [Unknown]:  JP
Is CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP correct?
  [no]:  yes

Enter key password for <gateway.nintendo.jp>
        (RETURN if same as keystore password):

Step 3: Check the private key in the new keystore

List the content of the newly created keystore:

[hpcgadmin@head hpcgateway]$  /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: 17-Jan-2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Serial number: 1169d167
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
Certificate fingerprints:
         MD5:  74:54:5B:66:9B:98:35:31:4D:4F:4F:3A:B9:17:F3:17
         SHA1: 0E:68:D8:EB:E7:37:47:8D:A4:5C:8D:96:D5:06:7F:5F:F2:3F:12:C7
         SHA256: 81:75:B6:A5:9E:54:65:01:75:07:E1:62:4F:D0:68:75:DC:7A:4F:CB:26:A2:5C:70:65:04:87:DE:78:66:8B:08
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 09 1F 96 B4 15 DE 2E AE   93 AA BF 0B 52 E6 E9 07  ............R...
0010: C2 69 16 C6                                        .i..
]
]

*******************************************
*******************************************

Step 4: Create a new CSR

Create a new certificate signing request (CSR) based on the published domain name or alias of your Gateway service (here gateway.nintendo.jp):

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -certreq -alias gateway.nintendo.jp -keystore ./nintendo.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf -file gateway.nintendo.jp.csr
[hpcgadmin@head hpcgateway]$ cat gateway.nintendo.jp.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAwfTELMAkGA1UEBhMCSlAxDzANBgNVBAgTBkthbnNhaTEOMAwGA1UEBxMFS3lv
dG8xETAPBgNVBAoTCE5pbnRlbmRvMSUwIwYDVQQLExxOaW50ZW5kbyBDb3Jwb3JhdGlvbiBMaW1p
dGVkMRMwEQYDVQQDEwpNYXJpbyBCcm9zMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
qEI XmxZ22YCvbe4NJk436gd/TT4kofe9ytCZaRPO1GTRFtXPt5z MqDgD5p5K8wfk UpZpzU7xW
FXtTMFLvyhzN1mtGIJZq2ltzwLQsC3OBkHlfv6 XnWLvCCsIU2I9d7Rp26VypUPH1TsoFxWPNLHs
p1Et5Ndk2lW9dSLMpySWg2YXcORzaE4IPe3AnfaY9HTI8Zu4V6NYY9X8GN1PWDgbgwHf9y2IJ8kQ
KXCYy C5u0n3RXScJue/ZSqsiV4KxIE00cb7zFUfdqVndyP2P003NZiJJArySc4lIEfvkxNdFOX4
rQCK7QwYZfRi96VC8/jDj/RGopg87OmCmRsIGQIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNV
HQ4EFgQUCR WtBXeLq6Tqr8LUubpB8JpFsYwDQYJKoZIhvcNAQELBQADggEBAEfjxecgRnaaVhYS
Q1mMyV9JFDaJtfNzVX8GQ4ee3vE5ofRrzdjI E6XCy6EGQsq4oJcVaf3 lmI1UVCQ488G1ZhRNii
t6Cknjvc87yXGPyvuSVXInWoqQEvtXKtE5hJJ8h4w3Ywu0vDHb6SKEX56h0B7dRmuJF4IhwCM68h
OeOE6zL5APArKv5912IH6EPRW5HmVBdShEe6h1AodBcWiM/5ZulQ5JkxvNUMeqTG1k9J8FavW/7h
zcCv8Fi2dSXlZwMqHJNKpksFMVnMnfUHo3Bz6B2t4is7XWRoB4HNTBHQjkg0SxSyGYzhyXo0ObbA
UygDg CkGFlK0R5M44I33GQ=
-----END NEW CERTIFICATE REQUEST-----

Step 5: Send the CSR to a CA

Submit either the CSR file or its contents shown above to your CA for signing.
You can get a trial certificate from Thawte at https://www.thawte.com/cgi/server/try.exe

Step 6: Check the certificate provided by the CA

Once the certificate authority has issued the signed certificate, save it to a file such as /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem.
Note: back up this file, since it can be reused if you reinstall HPC Gateway.
You can display the content of the signed certificate with:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -printcert -v -file /opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.signed.pem

Step 7: Import the certificate provided by the CA

Import the signed certificate into the keystore, under the alias that holds the private key:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -keystore ./nintendo.keystore -import -alias gateway.nintendo.jp -file gateway.nintendo.jp.signed.pem -trustcacerts -storepass d455345c-2714-4406-8f0e-1d84065703bf

Notes: the certificate must be in PEM format. Depending on the situation, the -trustcacerts option may not be needed; try the import without it if you like. If the certificate you receive from the CA is in a format that keytool does not understand, use openssl to convert it:

[hpcgadmin@head hpcgateway]$ openssl x509 -in gateway.nintendo.jp.der -inform DER -outform PEM -out gateway.nintendo.jp.crt

Step 8: Import the Root CA certificate provided by the CA

In some cases the Root CA certificate that signs the issued certificate is included in the certificate file you received.
If it is not, download the Root CA certificate and import it. If the import in Step 7 fails because keytool cannot build the certificate chain, import the Root CA certificate first and then retry Step 7:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -import -v -noprompt -trustcacerts -alias cacert -file Nintendo-CA.pem -keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Nintendo-CA.pem is the Root CA certificate.
For example, for Thawte-issued certificates you can download the Thawte Test Root Certificate from http://www.thawte.com/roots/.

Step 9: Verify the contents of the keystore

As a last check, verify the content of the keystore:

[hpcgadmin@head hpcgateway]$ /opt/hpcg/external/jdk1.8.0_60/bin/keytool -list -v -keystore gateway.nintendo.jp.keystore -storepass d455345c-2714-4406-8f0e-1d84065703bf

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gateway.nintendo.jp
Creation date: Jan 23, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Serial number: ff15bee7615861260456e70169ecad70
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
Certificate fingerprints:
         MD5:  C1:E5:BF:05:33:C2:25:21:EC:34:C8:BA:4D:FB:11:8E
         SHA1: 9B:5E:81:F5:1E:D6:6D:0E:3C:FA:33:26:59:F3:17:40:78:02:F8:5A
         SHA256: CB:0B:73:36:EE:BA:AB:46:FE:86:DE:72:37:21:38:D6:BA:3D:4D:6F:F0:F7:E4:09:57:B9:D7:E4:66:24:AE:D1
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://xxxxxxxxx/ThawteStandardSSLCA2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://xxxxxxxxx
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/GandiStandardSSLCA2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 19 68 74 74 70 73 3A   2F 2F 63 70 73 2E 75 73  ..https://cps.us
0010: 65 72 74 72 75 73 74 2E   63 6F 6D                 ertrust.com

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 A5 56 23 A8 48 5F 05   2C BB 3A 4D A5 A2 CB 0E  ..V#.H_.,.:M....
0010: 75 F4 FA 70                                        u..p
]
]

Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5e4dc3b9438ab3b8597cba6a19850e3
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
Certificate fingerprints:
         MD5:  1A:9A:69:A8:1F:6D:A9:2D:87:F7:69:4E:16:D8:B8:79
         SHA1: 24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34
         SHA256: B9:F2:16:43:23:63:8D:CE:0B:92:21:8B:43:C4:1C:1B:2B:26:96:38:93:29:DB:19:F5:CF:7A:D4:9B:5C:B3:72
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z. J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.26]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 90 A7 D8 C9 AF 4E CD   61 3C 9F 7C AD 5D 7F 41  ......N.a<...].A
0010: FD 69 30 EA                                        .i0.
]
]

Certificate[3]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 1fd6d30fca3ca51a81bbc640e35032d
Valid from: Mon Feb 01 01:00:00 CET 2010 until: Tue Jan 19 00:59:59 CET 2038
Certificate fingerprints:
         MD5:  1B:FE:69:D1:91:B7:19:33:A3:72:A8:0F:E1:55:E5:B5
         SHA1: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
         SHA256: E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z. J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

*******************************************
*******************************************


The most important thing to look for is the additional information displayed under the private key alias, namely Certificate chain length: 3. The chain length must be greater than one, which means your certificate has been signed by at least one third-party CA.
Note: there is plenty of information on the web about obtaining and installing a valid certificate.
For example, see the following online articles:
https://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
https://support.dnsimple.com/articles/what-is-ssl-certificate-chain
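The check described above can be automated instead of read by eye. The following script is an added example, not part of the Gateway documentation or tooling: it parses a `keytool -list -v` listing such as the one in Step 9 and reports whether the chain is longer than one, whether each certificate is issued by the next one in the chain, whether the leaf certificate names the published Gateway host, and whether anything has expired at a given date. The two embedded listings are constructed, abbreviated copies of the Step 9 and Step 3 outputs on this page.

```python
"""Sanity-check a `keytool -list -v` listing after importing the CA reply.

Added example, not part of the Gateway documentation or tooling.
"""
import re
from datetime import datetime

# Constructed sample, abbreviated from the Step 9 listing (CA-signed).
SIGNED_LISTING = """\
Alias name: gateway.nintendo.jp
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=gateway.nintendo.jp, OU=Thawte, OU=Domain Control Validated
Issuer: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Valid from: Mon Jan 22 01:00:00 CET 2018 until: Thu Jan 23 00:59:59 CET 2020
SubjectAlternativeName [
  DNSName: gateway.nintendo.jp
  DNSName: nintendo.jp
]
Certificate[2]:
Owner: CN=Thawte Standard SSL CA 2, O=Thawte, L=Paris, ST=Paris, C=FR
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Valid from: Fri Sep 12 02:00:00 CEST 2014 until: Thu Sep 12 01:59:59 CEST 2024
Certificate[3]:
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Valid from: Mon Feb 01 01:00:00 CET 2010 until: Tue Jan 19 00:59:59 CET 2038
"""

# Constructed sample, abbreviated from the Step 3 listing (still self-signed).
SELF_SIGNED_LISTING = """\
Alias name: gateway.nintendo.jp
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Issuer: CN=Mario Bros, OU=Nintendo Corporation Limited, O=Nintendo, L=Kyoto, ST=Kansai, C=JP
Valid from: Thu Jan 17 17:32:52 CET 2019 until: Wed Apr 17 18:32:52 CEST 2019
"""

# weekday and zone tokens (CET/CEST) are skipped: day-level comparison is enough here
UNTIL = re.compile(r"until: \w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")


def _not_after(chunk):
    """Parse the 'until:' date of one certificate block into a naive datetime."""
    m = UNTIL.search(chunk)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")


def parse_chain(listing):
    """Return the certificates of the first entry, leaf first."""
    chunks = re.split(r"^Certificate\[\d+\]:\s*$", listing, flags=re.M)[1:]
    chain = []
    for chunk in chunks:
        chain.append({
            "owner": re.search(r"^Owner: (.*)$", chunk, re.M).group(1).strip(),
            "issuer": re.search(r"^Issuer: (.*)$", chunk, re.M).group(1).strip(),
            "not_after": _not_after(chunk),
            "san": re.findall(r"^\s*DNSName: (\S+)", chunk, re.M),
        })
    return chain


def check_chain(listing, hostname, now):
    """Return a list of problems; an empty list means the keystore is ready for Jetty."""
    chain = parse_chain(listing)
    problems = []
    declared = int(re.search(r"Certificate chain length: (\d+)", listing).group(1))
    if declared != len(chain):
        problems.append(f"declared chain length {declared} but {len(chain)} certificates listed")
    if len(chain) < 2:
        problems.append("chain length 1: the certificate is still self-signed")
    # keytool prints DNs in one consistent form, so comparing issuer and owner
    # textually is enough to follow the chain in its own listing
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["owner"]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    leaf = chain[0]
    if hostname not in leaf["san"] and f"CN={hostname}" not in leaf["owner"]:
        problems.append(f"leaf certificate does not name {hostname}")
    for i, cert in enumerate(chain, 1):
        if cert["not_after"] < now:
            problems.append(f"certificate {i} expired on {cert['not_after']:%Y-%m-%d}")
    return problems


if __name__ == "__main__":
    for name, listing in (("signed", SIGNED_LISTING), ("self-signed", SELF_SIGNED_LISTING)):
        print(name, check_chain(listing, "gateway.nintendo.jp", datetime(2019, 2, 1)) or "OK")
```

In practice you would feed it the real output of the Step 9 command (`keytool -list -v ... | python3 check_chain.py`) and pass the published Gateway host name; the self-signed listing from Step 3 is rejected both for its chain length and because its subject is the administrator's name rather than the service host.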

Step 10: Configure Jetty to use the new keystore and the certificate it contains

  • Stop Jetty before changing its configuration:
[hpcgadmin@head hpcgateway]$ source /opt/hpcg/core/etc/profile.sh
[hpcgadmin@head hpcgateway]$ hpcg.sh -s stop -l jetty -c "Before applying official SSL certificate"


  • Then modify the Jetty SSL configuration in jetty-ssl-context.xml accordingly:
[root@SuShI root]# vi jetty-ssl-context.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType" default="JKS"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>

  <!-- From SFWAY -->
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore </Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore </Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>

  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
   </Array>
  </Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
</Configure>


Replace the keystore filename in the KeyStorePath and TrustStorePath elements (hpcgateway.keystore becomes gateway.nintendo.jp.keystore, as shown above); the KeyStorePassword and KeyManagerPassword defaults must match the password used for that keystore.
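Before restarting Jetty it is worth checking the edited file mechanically, since a path still pointing at hpcgateway.keystore simply keeps the self-signed certificate in service. The following script is an added example, not part of HPC Gateway: it parses jetty-ssl-context.xml, compares the KeyStorePath and TrustStorePath values against the intended keystore (flagging surrounding whitespace so the comparison is exact) and reports an empty KeyStorePassword default. The sample XML is constructed from the configuration shown above, trimmed to the relevant elements.

```python
"""Check jetty-ssl-context.xml before restarting Jetty.

Added example, not part of HPC Gateway.
"""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the jetty-ssl-context.xml above; the
# KeyStorePath still names the old keystore and carries a trailing blank.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">/opt/hpcg/repo/etc/sys/root/hpcgateway.keystore </Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
  <Set name="TrustStorePath">/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore</Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="d455345c-2714-4406-8f0e-1d84065703bf"/></Set>
</Configure>
"""

# the keystore created in the steps above
NEW_KEYSTORE = "/opt/hpcg/repo/etc/sys/root/gateway.nintendo.jp.keystore"


def setting(root, name):
    """Return the <Set name="..."> element, or None when absent."""
    for el in root.iter("Set"):
        if el.get("name") == name:
            return el
    return None


def setting_value(el):
    """Value of a <Set>: the default of a nested <Property>, else its text."""
    prop = el.find("Property")
    if prop is not None:
        return prop.get("default", "")
    return el.text or ""


def check_ssl_context(xml_text, expected_keystore):
    """Return a list of findings; empty means both store paths name the new keystore."""
    root = ET.fromstring(xml_text)
    findings = []
    for name in ("KeyStorePath", "TrustStorePath"):
        el = setting(root, name)
        if el is None:
            findings.append(f"{name} is not set")
            continue
        raw = setting_value(el)
        if raw != raw.strip():
            findings.append(f"{name} has surrounding whitespace")
        if raw.strip() != expected_keystore:
            findings.append(f"{name} is {raw.strip()!r}, expected {expected_keystore!r}")
    pw = setting(root, "KeyStorePassword")
    if pw is None or not setting_value(pw):
        findings.append("KeyStorePassword is empty")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_context(SAMPLE_XML, NEW_KEYSTORE) or ["OK"]:
        print(finding)
```

Run it against the real file with `check_ssl_context(open(path).read(), NEW_KEYSTORE)` after editing and before the Jetty restart; an empty result means the paths point at the new keystore.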

  • Restart Jetty after changing its configuration:
[hpcgadmin@head hpcgateway]$ hpcg.sh -s start -l jetty -c "After applying official SSL certificate"

Tip: Modify Rundir & Runlog location

Gateway has a specific path configuration for the default RUNDIR and RUNLOG. RUNDIR is the physical path where a task produces its output files. RUNLOG is the physical path where a task produces its logs.

The RUNDIR and RUNLOG paths consist of a prefix path and a suffix path.
The prefix path is a standard Unix path, usually located under /home/hpcgadmin/hpcgateway.
The suffix path is a combination of Gateway variables, computed and substituted on the fly for each Gateway task instance.
Available variables:

  • @@__HPCG_USER__@@ : the Gateway user account (usually the associated Unix/LDAP login account)
  • @@__HPCG_PATH_DATE__@@ : the task instance creation date
  • @@__HPCG_TASK_NUM__@@ : the task instance number

Examples:

  • default RUNDIR path = "/home/hpcgadmin/hpcgateway/rundir/@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@"
  • default RUNLOG path = "/home/hpcgadmin/hpcgateway/runlog/@@__HPCG_USER_NAME__@@"

Note that the full combination of variables is configurable only for the RUNDIR suffix path; the RUNLOG suffix path is hard-coded by Gateway and not configurable.

Modifying the prefix path is allowed, to match your cluster file system requirements.

Modifying the suffix path, and in particular changing the combination of Gateway variables, is not recommended.
This combination is designed to improve file/folder browsing and to minimise slowdowns in file system use.
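To make the prefix/suffix split concrete, the following script is an added example and not Gateway code: it expands the @@__VAR__@@ placeholders for one task instance and checks a proposed RUNDIR template before it is pushed, requiring an absolute prefix and the unchanged user/date/task variable combination in the suffix. The variable values (user, date format, task number) are constructed for the example; the page does not specify how Gateway formats HPCG_PATH_DATE.

```python
"""Expand and validate RUNDIR / RUNLOG path templates.

Added example, not Gateway code.
"""
import re

PLACEHOLDER = re.compile(r"@@__([A-Z_]+)__@@")
# the suffix combination shipped for RUNDIR, in this order
REQUIRED_RUNDIR_VARS = ("HPCG_USER", "HPCG_PATH_DATE", "HPCG_TASK_NUM")
DEFAULT_RUNDIR = ("/home/hpcgadmin/hpcgateway/rundir/"
                  "@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@")


def split_template(template):
    """Split a template into (prefix, suffix) at the directory that holds the
    first placeholder; a template without placeholders is all prefix."""
    m = PLACEHOLDER.search(template)
    if m is None:
        return template.rstrip("/"), ""
    cut = template.rfind("/", 0, m.start())
    if cut < 0:
        return "", template
    return template[:cut], template[cut + 1:]


def render(template, variables):
    """Substitute every placeholder; an unknown variable raises KeyError
    instead of silently leaving '@@' markers in the path."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"unknown Gateway variable {name}")
        return str(variables[name])
    return PLACEHOLDER.sub(sub, template)


def validate_rundir_template(template):
    """Return a list of problems with a proposed RUNDIR template."""
    problems = []
    prefix, suffix = split_template(template)
    if not prefix.startswith("/"):
        problems.append("prefix path must be absolute")
    if tuple(PLACEHOLDER.findall(suffix)) != REQUIRED_RUNDIR_VARS:
        problems.append("suffix does not keep the recommended "
                        "user/date/task variable combination")
    return problems


if __name__ == "__main__":
    # constructed task values; the real date format is set by Gateway
    task = {"HPCG_USER": "mario", "HPCG_PATH_DATE": "20190821", "HPCG_TASK_NUM": 42}
    print(render(DEFAULT_RUNDIR, task))
    print(validate_rundir_template(
        "/scratch/@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@"))
```

Moving the prefix to /scratch, as the procedure below does, passes the check; dropping the user or date component from the suffix is reported, which is exactly the change the tip advises against.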

The procedure below modifies the prefix path of RUNDIR and RUNLOG:

Step 1 : Stop all Gateway services

From shell on Gateway host as hpcgadmin:

[hpcgadmin@SuShI ~]$ source /opt/hpcg/core/etc/profile.sh
[hpcgadmin@SuShI ~]$ hpcg.sh -s stop -l all
...

Step 2 : Extract Gateway configuration

Use the hpcg_dbase_config.py command to extract the configuration from the Mongo database to the file system.

[hpcgadmin@SuShI ~]$ hpcg_dbase_config.py --pull
2019/08/21 12:54:05 - INFO  - Export configs
2019/08/21 12:54:05 - INFO  - Export servers
2019/08/21 12:54:05 - INFO  - Export clusters
2019/08/21 12:54:05 - INFO  - Export gridfs
2019/08/21 12:54:07 - INFO  - Database files are exported in /opt/hpcg/repo/conf/current
[hpcgadmin@SuShI ~]$ cd /opt/hpcg/repo/conf/current

Step 2 : Modify RUNDIR prefix path

Edit the cluster configuration file and modify the RUNDIR path:

[hpcgadmin@SuShI current]$ cat clusters/sushi.5bb24a19f165aac9482ea018.json
{
    "_id": {
        "$oid": "5bb24a19f165aac9482ea018"
    },
    "cost": 0,
    "creationDate": 1538411033,
    "description": "Cluster sushi",
    "headnode": {
        "id": "5bb24a1920814467fecf4678",
        "name": "sushi"
    },
    "modificationDate": 1538411033,
    "name": "sushi",
    "rundirs": [
        {
            "description": "The rundir will be automatically created in the HPC Gateway home file system (/home/hpcgadmin/hpcgateway)",
            "label": "Automatic creation in HPC Gateway home",
            "num": 1.0,
            "root": "/scratch/@@__HPCG_USER__@@/@@__HPCG_PATH_DATE__@@/task_@@__HPCG_TASK_NUM__@@"
        }
    ],
...

Step 3 : Modify RUNLOG prefix path

Edit the server configuration file and modify the RUNLOG path:

[hpcgadmin@SuShI current]$ cat servers/sushi.5bb24a1920814467fecf4678.json
{
    "_id": {
        "$oid": "5bb24a1920814467fecf4678"
    },
    "creationDate": 1538411033,
    "description": "Server sushi",
    "icon": null,
    "ipAddress": "sushi",
    "modificationDate": 1538411033,
    "name": "sushi",
    "settings": {
        "cleanupPeriod": "300",
        "cleanupTimeout": "1200",
        "host": "sushi",
        "maxConnections": "6",
        "port": "22",
        "private_key": "<SSH private key of the Gateway server, omitted from this listing>",
        "public_key": "<matching SSH public key, omitted from this listing>",
        "runlogDir": "/shared/hpcgateway/runlog",
        "userInitScript": "/opt/hpcg/core/etc/profile.d/user_init.sh"
    },
    "status": "ENABLED",
    "tags": [
        "sushi"
    ],
    "teams": [
        {
            "id": "568e3a3cddff3a6ccdaf92c8",
            "name": "Public"
        }
    ],
    "wikiURI": ""
}

Search for the “runlogDir” key and modify the associated value accordingly.

Step 4 : Push the configuration and restart the Gateway services

[hpcgadmin@SuShI ~]$ hpcg_dbase_config.py --push
...
[hpcgadmin@SuShI ~]$ hpcg.sh -s restart -l all

Step 5 : Modify RUNLOG and RUNDIR mountpoints

This step is mandatory if you have changed the RUNDIR and/or RUNLOG prefix path.
It keeps the file explorer able to browse a task's RUNDIR or RUNLOG through the modified path.

From the Gateway web portal logged as hpcgadmin, open the Admin Dashboard and select the mount point tab:

Right click on the RUNDIR and edit mount point:

Right click on the RUNLOG and edit mount point:

Tip: Create a simpler linked folder tree for Rundir & Runlog

Gateway RUNDIR and RUNLOG folders use a deep folder tree that can be confusing for users. This tip creates a simple parallel tree of symbolic links and a related mount point to access it.

For each instantiated task the simple structure will be:

  • /scratch/gateway/tasks/<TASK_NUM>/rundir
  • /scratch/gateway/tasks/<TASK_NUM>/runlog

Notice: the RUNDIR and RUNLOG themselves do not change and stay in their original location. Because the parallel folder tree is flat, a very large number of tasks can degrade file browsing performance.

Step 1 : Stop all Gateway services

From shell on Gateway host as hpcgadmin:

[hpcgadmin@SuShI ~]$ source /opt/hpcg/core/etc/profile.sh
[hpcgadmin@SuShI ~]$ hpcg.sh -s stop -l all
...

Step 2 : Extract Gateway configuration

Use the hpcg_dbase_config.py command to extract the configuration from the Mongo database to the file system.

[hpcgadmin@SuShI ~]$ hpcg_dbase_config.py --pull
2019/08/21 12:54:05 - INFO  - Export configs
2019/08/21 12:54:05 - INFO  - Export servers
2019/08/21 12:54:05 - INFO  - Export clusters
2019/08/21 12:54:05 - INFO  - Export gridfs
2019/08/21 12:54:07 - INFO  - Database files are exported in /opt/hpcg/repo/conf/current
[hpcgadmin@SuShI ~]$ cd /opt/hpcg/repo/conf/current

Step 3 : Create the root path for the parallel folder tree

[hpcgadmin@SuShI current]$ mkdir -p /scratch/gateway

Step 4 : Modify forge to automate linked folder creation path

Edit the script_common file carefully and insert the following blocks:

[hpcgadmin@SuShI current]$ cat clusters/sushi/forge/script_common
...
start_custom ()
{
   # custom function to inject customer specifics

   #
   # set custom link folder tree root definition (flat tasks)
   #
   gateway_computing_root=/scratch/gateway/tasks

   # create the per-task folder and the rundir/runlog links only once
   # (paths are quoted so that spaces in RUNDIR/RUNLOG cannot break the links)
   if [ ! -d "$gateway_computing_root/$HPCG_TASK_NUM" ]; then
      mkdir -p "$gateway_computing_root/$HPCG_TASK_NUM"
      ln -s "$HPCG_DATA_DIR" "$gateway_computing_root/$HPCG_TASK_NUM/rundir"
      ln -s "$HPCG_RUN_LOG" "$gateway_computing_root/$HPCG_TASK_NUM/runlog"
   fi

}


startinit ()
{
   # check stop file
   check_stop

   # check directories
   check_directories

   # write business scripts
   write_scripts

   # start script_custom if exists
   start_custom

   # exit function
   trap "trapexit  >> ${HPCG_LOG_FILE} 2>&1" 0

   # put the tracker
   echo "taskid: ${HPCG_TASK_NUM} - ${HPCG_JOB_NAME}:${HPCG_TASK_PHASE} - $(date +"%Y/%m/%d %H:%M:%S")"  >> ${HPCG_TRK_DIR}/info

   # initiate exit value and message
   hpcg_exit_value="0"
   hpcg_exit_message=""

   # initiate the log file
   log ${sep}
   log "Start task ${HPCG_TASK_NUM} - ${HPCG_JOB_NAME}:${HPCG_TASK_PHASE} on $(hostname)"
   log " runlog  = ${HPCG_RUN_LOG}"
   log " rundir  = ${HPCG_RUN_DIR}"
   log ${sep}

   # set link from ${HPCG_LOG_DIR} to ${HPCG_RUN_DIR}
   logln=${HPCG_RUN_LOG}/rundir
   if [ ! -L ${logln} ]; then
      ln -s ${HPCG_RUN_DIR} ${logln}
   fi

   # check runtime environment
   check_system  "startinit"

   # set runtime informations
   hpcg_runinfo.py RUNDIR_SIZE:start:${HPCG_TASK_PHASE}=$(du -sk ${HPCG_RUN_DIR} | awk '{print $1}')
   log

   # Publish scripts to end user
   publish_scripts

   # Set log files for the task center
   set_log_files

   # Start the monitor if exists
   start_monitor
}
...

Notice: insert the entire start_custom function, and add a call to start_custom inside the existing startinit function just after the call to write_scripts.

Step 5 : Push the configuration and restart the Gateway services

[hpcgadmin@SuShI ~]$ hpcg_dbase_config.py --push
...
[hpcgadmin@SuShI ~]$ hpcg.sh -s restart -l all

Step 5 : Create a new mount point Tasks

You might want to use the file explorer to browse a task's RUNDIR or RUNLOG through the new folder tree. Create a new mount point that points directly to /scratch/gateway/tasks.

From the Gateway web portal logged as hpcgadmin, open the Admin Dashboard and select the mount point tab:

Step 6 : Explore the new mount point

Launch any application and explore the new mount point TASKS to find the related task: