This file is indexed.

/usr/share/doc/netCDF/html/esg.html is in netcdf-doc 1:4.4.1.1-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.13"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>NetCDF: Accessing ESG Data Through netCDF</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtreedata.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<script type="text/javascript">
  $(document).ready(initResizable);
</script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectlogo"><img alt="Logo" src="netcdf-50x50.png"/></td>
  <td id="projectalign" style="padding-left: 0.5em;">
   <div id="projectname">NetCDF
   &#160;<span id="projectnumber">4.4.1.1</span>
   </div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.13 -->
<script type="text/javascript">
var searchBox = new SearchBox("searchBox", "search",false,'Search');
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
$(function() {
  initMenu('',true,false,'search.php','Search');
  $(document).ready(function() { init_search(); });
});
</script>
<div id="main-nav"></div>
</div><!-- top -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
  <div id="nav-tree">
    <div id="nav-tree-contents">
      <div id="nav-sync" class="sync"></div>
    </div>
  </div>
  <div id="splitbar" style="-moz-user-select:none;" 
       class="ui-resizable-handle">
  </div>
</div>
<script type="text/javascript">
$(document).ready(function(){initNavTree('esg.html','');});
</script>
<div id="doc-content">
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
     onmouseover="return searchBox.OnSearchSelectShow()"
     onmouseout="return searchBox.OnSearchSelectHide()"
     onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>

<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0" 
        name="MSearchResults" id="MSearchResults">
</iframe>
</div>

<div class="header">
  <div class="headertitle">
<div class="title">Accessing ESG Data Through netCDF </div>  </div>
</div><!--header-->
<div class="contents">
<div class="toc"><h3>Table of Contents</h3>
<ul><li class="level1"><a href="#esg_intro">Introduction </a></li>
<li class="level1"><a href="#esg_term">Terminology </a></li>
<li class="level1"><a href="#esg_initial_steps">Initial Steps </a></li>
<li class="level1"><a href="#esg_keystore">Building the KeyStore </a></li>
<li class="level1"><a href="#esg_truststore">Building the TrustStore </a></li>
<li class="level1"><a href="#esg_c_client">Running the C Client </a></li>
<li class="level1"><a href="#esg_java_client">Running the Java Client </a></li>
<li class="level1"><a href="#esg_script">Script for creating Stores </a></li>
<li class="level1"><a href="#esg_change_log">Change Log </a></li>
<li class="level1"><a href="#esg_doc_info">Document Information </a></li>
</ul>
</div>
<div class="textblock"><h1><a class="anchor" id="esg_intro"></a>
Introduction </h1>
<p>It is possible to access Earth Systems Grid (ESG) datasets from ESG servers through the netCDF API. This requires building the netCDF library with DAP2 protocol support using the "--enable-dap" flag to the configure program.</p>
<p>In order to access ESG datasets, however, it is necessary to register as a user with ESG and to set up your environment so that proper authentication is established between a netCDF client program and the ESG data server. Specifically, it is necessary to use what are called "client-side keys" to enable this authentication. Normally, when a client accesses a server in a secure fashion (using "https"), the server provides an authentication certificate to the client. With client-side keys, the client must also provide a certificate to the server so that the server can know with whom it is communicating.</p>
<p>It is possible to set up the netCDF library to use client-side keys, although the process is somewhat complicated. The DAP2 support in netCDF uses the <em>curl</em> library and it is that underlying library that must be properly configured.</p>
<h1><a class="anchor" id="esg_term"></a>
Terminology </h1>
<p>Using client-side keys requires the construction of two "stores" on the client side.</p>
<ul>
<li>Keystore - a repository to hold the client side key.</li>
<li>Truststore - a repository to hold a chain of certificates that can be used to validate the certificate sent by the server to the client.</li>
</ul>
<p>The server actually has a similar set of stores, but the client need not be concerned with those.</p>
<h1><a class="anchor" id="esg_initial_steps"></a>
Initial Steps </h1>
<p>The first step is to obtain authorization from ESG. Note that this information may evolve over time, and may be out of date. This discussion is in terms of BADC ESG. You will need to substitute the ESG site for BADC in the following.</p>
<ol type="1">
<li>Register at <a href="http://badc.nerc.ac.uk/register">http://badc.nerc.ac.uk/register</a> to obtain access to BADC and to obtain an openid, which will look something like: <pre class="fragment">https://ceda.ac.uk/openid/Firstname.Lastname
</pre></li>
<li>Ask BADC for access to whatever datasets are of interest.</li>
<li>Obtain short-term credentials at <a href="http://grid.ncsa.illinois.edu/myproxy/MyProxyLogon/">http://grid.ncsa.illinois.edu/myproxy/MyProxyLogon/</a>. You will need to download and run the MyProxyLogon program. This will create a keyfile in, typically, the directory globus. The keyfile will have a name similar to this: x509up_u13615. The other elements in /.globus are certificates to use in validating the certificate your client gets from the server.</li>
<li>Obtain the program source ImportKey.java from this location: <a href="http://www.agentbob.info/agentbob/79-AB.html">http://www.agentbob.info/agentbob/79-AB.html</a> (read the whole page, it will help you understand the remaining steps).</li>
</ol>
<h1><a class="anchor" id="esg_keystore"></a>
Building the KeyStore </h1>
<p>You will have to modify the keyfile in the previous step and then create a keystore and install the key and a certificate. The commands are these: </p><pre class="fragment">    openssl pkcs8 -topk8 -nocrypt -in x509up_u13615 -inform PEM -out key.der -outform DER

    openssl x509 -in x509up_u13615 -inform PEM -out cert.der -outform DER

    java -classpath &lt;path to ImportKey.class&gt; -Dkeypassword="&lt;password&gt;" -Dkeystore=./&lt;keystorefilename&gt; ImportKey key.der cert.der
</pre><p>Note, the file names "key.der" and "cert.der" can be whatever you choose. It is probably best to leave the .der extension, though.</p>
<h1><a class="anchor" id="esg_truststore"></a>
Building the TrustStore </h1>
<p>Building the truststore is a bit tricky because, as provided, the certificates in "globus" need some massaging. See the script below for the details. The primary command is this, which is executed for every certificate, c, in globus. It adds the certificate to the file named "truststore".</p><pre class="fragment">  keytool -trustcacerts -storepass "password" -v -keystore "truststore"  -importcert -file "${c}"
</pre><h1><a class="anchor" id="esg_c_client"></a>
Running the C Client </h1>
<p>The file ".dodsrc" is used to configure curl. This file must reside either in the current directory or in your home directory. It has lines of the form</p>
<ul>
<li>KEY=VALUE, or</li>
<li>[http://x.y/]KEY=VALUE</li>
</ul>
<p>The first form provides a configuration parameter that applies to all DAP2 accesses. The second form only applies to accesses to the server at "x.y".</p>
<p>The following keys must be set in ".dodsrc" to support ESG access.</p>
<ul>
<li>HTTP.SSL.VALIDATE=1</li>
<li>HTTP.COOKIEJAR=.dods_cookies</li>
<li>HTTP.SSL.CERTIFICATE=esgkeystore</li>
<li>HTTP.SSL.KEY=esgkeystore</li>
<li>HTTP.SSL.CAPATH=.globus</li>
</ul>
<p>For ESG, the HTTP.SSL.CERTIFICATE and HTTP.SSL.KEY entries should have the same value, which is the file path for the certificate produced by MyProxyLogon. The HTTP.SSL.CAPATH entry should be the path to the "certificates" directory produced by MyProxyLogon.</p>
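<p>A lint for the five settings above, given as an added example in POSIX shell; it is not part of the netCDF documentation or code. The function name lint_dodsrc, the host other.example and the sample file are constructed for illustration. It assumes that a server-scoped entry overrides a global one for that server and that lines starting with "#" are comments.</p>

```shell
#!/bin/sh
# lint_dodsrc FILE HOST
# Checks the .dodsrc settings listed for ESG access as they apply to the server
# HOST. Prints one FAIL line per problem; exit status 0 means no findings.
# Assumptions (not from the page): a [url]-scoped entry overrides a global one
# for that server, and lines starting with "#" are comments.
lint_dodsrc() {
    awk -v host="$2" '
    function fail(msg) { print "FAIL: " msg; bad++ }
    /^[ \t]*(#|$)/ { next }
    {
        line = $0; scoped = 0
        if (substr(line, 1, 1) == "[" && (rb = index(line, "]")) > 0) {
            url = substr(line, 2, rb - 2)          # [url]KEY=VALUE form
            line = substr(line, rb + 1)
            n = split(url, u, "/")                 # scheme://host:port/path
            split((n >= 3 ? u[3] : u[1]), hp, ":")
            if (hp[1] != host) next                # entry is for another server
            scoped = 1
        }
        eq = index(line, "=")
        if (eq < 2) { fail("not KEY=VALUE: " $0); next }
        key = substr(line, 1, eq - 1)
        if (scoped || !(key in fromscope)) conf[key] = substr(line, eq + 1)
        if (scoped) fromscope[key] = 1
    }
    END {
        if (conf["HTTP.SSL.VALIDATE"] != "1")
            fail("HTTP.SSL.VALIDATE must be 1 (found: " conf["HTTP.SSL.VALIDATE"] ")")
        n = split("HTTP.COOKIEJAR HTTP.SSL.CERTIFICATE HTTP.SSL.KEY HTTP.SSL.CAPATH", req, " ")
        for (i = 1; i <= n; i++)
            if (conf[req[i]] == "") fail(req[i] " is not set")
        if (conf["HTTP.SSL.CERTIFICATE"] != conf["HTTP.SSL.KEY"])
            fail("HTTP.SSL.CERTIFICATE and HTTP.SSL.KEY must name the same file")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the global entries listed above plus one scoped override.
demo() {
    f=$(mktemp)
    printf '%s\n' 'HTTP.SSL.VALIDATE=1' 'HTTP.COOKIEJAR=.dods_cookies' \
        'HTTP.SSL.CERTIFICATE=esgkeystore' 'HTTP.SSL.KEY=esgkeystore' \
        'HTTP.SSL.CAPATH=.globus' '[http://x.y/]HTTP.SSL.VALIDATE=0' >"$f"
    for h in other.example x.y; do
        if lint_dodsrc "$f" "$h"; then echo "$h: ok"; else echo "$h: see FAIL lines"; fi
    done
    rm -f "$f"
}
demo
```

<p>The scoped line in the sample shows why the check is run per server: the global section is clean, yet accesses to x.y are reported because the override replaces HTTP.SSL.VALIDATE for that host.</p>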
<h1><a class="anchor" id="esg_java_client"></a>
Running the Java Client </h1>
<p>If you are using the Java netCDF client, then you need to add some parameters to the "java" command. Specifically, add the following flags. </p><pre class="fragment">   -Dkeystore="path to keystore file" -Dkeystorepassword="keystore password"
</pre><h1><a class="anchor" id="esg_script"></a>
Script for creating Stores </h1>
<p>The following script shows in detail how to actually construct the key and trust stores. It is specific to the format of the globus file as it was when ESG support was first added. It may have changed since then, in which case, you will need to seek some help in fixing this script. It would help if you communicated what you changed to the author so this document can be updated.</p>
<pre class="fragment">#!/bin/sh -x
KEYSTORE="esgkeystore"
TRUSTSTORE="esgtruststore"
GLOBUS="globus"
TRUSTROOT="certificates"
CERT="x509up_u13615"
TRUSTROOTPATH="$GLOBUS/$TRUSTROOT"
CERTFILE="$GLOBUS/$CERT"
# Store password. Not named PWD: the shell maintains PWD as the working directory.
STOREPASS="password"

D="-Dglobus=$GLOBUS"
CCP="bcprov-jdk16-145.jar"
CP="./build:${CCP}"
JAR="myproxy.jar"

# Initialize needed directories
rm -fr build
mkdir build
rm -fr "$GLOBUS"
mkdir "$GLOBUS"
rm -f "$KEYSTORE"
rm -f "$TRUSTSTORE"

# Compile MyProxyCmd and ImportKey
javac -d ./build -classpath "$CCP" *.java
javac -d ./build ImportKey.java

# Execute MyProxyCmd
java -cp "$CP" myproxy.MyProxyCmd

# Build the keystore
openssl pkcs8 -topk8 -nocrypt -in "$CERTFILE" -inform PEM -out key.der -outform DER
openssl x509 -in "$CERTFILE" -inform PEM -out cert.der -outform DER
java -Dkeypassword="$STOREPASS" -Dkeystore="./${KEYSTORE}" -cp ./build ImportKey key.der cert.der

# Clean up the certificates in the globus directory: drop everything up to and
# including the first "---" line, then restore a clean BEGIN header.
# The 0,/re/ address form requires GNU sed.
for c in "${TRUSTROOTPATH}"/*.0 ; do
    tmp=`mktemp`    # unpredictable name instead of a fixed path under /tmp
    sed -e '0,/---/d' &lt;"$c" &gt;"$tmp"
    echo "-----BEGIN CERTIFICATE-----" &gt;"$c"
    cat "$tmp" &gt;&gt;"$c"
    rm -f "$tmp"
done

# Build the truststore
for c in "${TRUSTROOTPATH}"/*.0 ; do
    alias=`basename "$c" .0`
    echo "adding: ${c}"
    echo "alias: $alias"
    yes | keytool -trustcacerts -storepass "$STOREPASS" -v -keystore "./$TRUSTSTORE" -alias "$alias" -importcert -file "${c}"
done
exit
</pre><h1><a class="anchor" id="esg_change_log"></a>
Change Log </h1>
<p><b>Version 1.0:</b></p>
<ul>
<li>10/17/2013 – Initial Release</li>
</ul>
<h1><a class="anchor" id="esg_doc_info"></a>
Document Information </h1>
<hr/>
<p> Created: 10/17/2013</p>
<p>Last Revised: 10/17/2013</p>
<p>Version: 1.0</p>
<p>Author: Dennis Heimbigner</p>
<p>Affiliation: Unidata/UCAR</p>
<p>email: </p><h2><a href="#" onclick="location.href='mai'+'lto:'+'dmh'+'@u'+'nid'+'a.'+'uca'+'r.'+'edu'; return false;">dmh@u<span style="display: none;">.nosp@m.</span>nida<span style="display: none;">.nosp@m.</span>.ucar<span style="display: none;">.nosp@m.</span>.edu</a> </h2>
</div></div><!-- contents -->
</div><!-- doc-content -->
<hr size="2"/>
<address style="text-align: center;">
<a href="http://www.unidata.ucar.edu/software/netcdf/">Return to the Main Unidata NetCDF page.</a><br/>
<img src="unidata_logo_cmyk.png"/>
</address>
<address style="text-align: right;"><small>
Generated on Tue Apr 4 2017 06:09:19 for NetCDF. NetCDF is
a <a href="http://www.unidata.ucar.edu/">Unidata</a> library.</small></address>
</body>
</html>