When installing Taverna Server 2.5, you need to decide whether to install in secure or insecure mode. In secure mode, the server enforces logins, ensures that they are done over HTTPS, and applies strong restrictions to what users can see of other users' workflows. In insecure mode, no restrictions are enforced which simplifies configuration but greatly reduces the overall system security. Do not mix up installations between the two types.
You will need:
-
Unix (e.g., Linux, OSX). Running Linux inside a virtual machine works. Running directly on Windows is not supported.
-
Java 7 (or later) installed. See the Java requirements on the Taverna website.
-
Tomcat 6 (recent version).
-
Taverna Server 2.5. Either the "full installation" or WAR will do (the "full installation" zip contains a copy of the WAR) - see the Taverna website for details on downloading the file.
If you are installing in secured mode (default) you will also need:
-
SSL (i.e., HTTPS) host certificate. This should not be self-signed and should have the hostname in the Common Name (CN) field. (Self-signed certificates or ones without the hostname in are exceptionally awkward for clients to work with, and proper single-host certificates are in reality very cheap. Save yourself a lot of work here!)
-
For the simplest operation, you should create a user
tavernathat is a member of the group calledtaverna. This user will be used for executing workflows, and does not need to allow anyone to log in as it.
Taverna Server 2.5 has a long list of things that may be configured, but it comes with “factory” settings that are correct in the majority of cases. Leave them alone for your first installation.
Note that the instructions below do not describe setting up Tomcat users. These are not necessary for Taverna Server, as that needs finer-grained permission control than is normal for a webapp.
You can always find further information by searching the web for “install tomcat6 YourOperatingSystem”.
On Debian Linux (and derivatives), you install Tomcat with:
sudo apt-get install tomcat6 tomcat6-admin tomcat6-common tomcat6-user
You then start Tomcat with:
sudo /etc/init.d/tomcat6 start
And stop it with:
sudo /etc/init.d/tomcat6 stop
It's configuration file (called conf/server.xml in the instructions below) will be in:
/etc/tomcat6/server.xml
It's webapp directory (webapps below) will be in:
/var/lib/tomcat6
On RedHat Linux (and derivatives), you install Tomcat with:
yum install tomcat6-webapps
You then start Tomcat with:
sudo service tomcat6 start
And stop it with:
sudo service tomcat6 stop
It's configuration file (called conf/server.xml in the instructions below) will be in:
/etc/tomcat6/server.xml
It's webapp directory (webapps below) will be in:
/var/lib/tomcat6
On OSX (or if otherwise installing from a standard Apache distribution), you install Tomcat by downloading from the distribution page at:
Both ZIP and .tar.gz download versions include a file RUNNING.txt
that describes how to perform the installation, start the server, and
stop it again.
The normal location of the configuration file (conf/server.xml in
the instructions below) is, for Tomcat 6.0.35:
/usr/local/tomcat6.0/apache-tomcat-6.0.35/conf/server.xml
And its webapps directory is at:
/usr/local/tomcat6.0/apache-tomcat-6.0.35/webapps
This is not the default configuration of Taverna Server because it is insecure; there is no attempt to verify the identity of users or to keep them from interfering with each other's workflows. We recommend that you use the secured version if possible.
The insecure version is installed by:
Use a filename that relates to what URL you want Taverna Server to
appear at within Tomcat (e.g., if you want it to be at
/tavernaserver, use the filename webapps/tavernaserver.war).
At this point, Taverna Server is installed but not usable.
Go to the unpacked WAR, find its WEB-INF/web.xml (with the above
installation path, it would be
webapps/tavernaserver/WEB-INF/web.xml), and change the lines:
<param-value>WEB-INF/secure.xml</param-value>
<!-- <param-value>WEB-INF/insecure.xml</param-value> -->
to read:
<!-- <param-value>WEB-INF/secure.xml</param-value> -->
<param-value>WEB-INF/insecure.xml</param-value>
This changes which part of the rest of the server configuration is
used. It does so by altering what part of that XML file are commented
out. One of those two <param-value> lines must be
uncommented. The overall XML file must be valid.
NB: When accessing an unsecured Taverna Server, for most operations (such as submitting a run) you will need to pass the credentials for the default user. The default user has username
tavernaand passwordtaverna.
Taverna Server 2.5 is installed in secure mode by doing this:
With Tomcat not running, make sure that its conf/server.xml file
contains a <Connector> definition for SSL HTTP/1.1. The file should
contain comments on how to do this. Here's an example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystorePass="tomcat"
keystoreFile="conf/tavserv.p12" keystoreType="PKCS12" />
This configuration enables secure access on port 8443 (HTTPS-alt;
strongly recommended) with the server using the key-pair that has been
placed in a standard PKCS #12 format file in the file tavserv.p12 in
the same directory as the configuration file; the key-pair file will
be unlocked with the (rather obvious) password “tomcat”.
Note that if the configuration file is located below /etc, it is
recommended that you specify the full path to the PKCS #12 file. You
should also ensure that the file can only be read by the Unix user
that will be running Tomcat.
In particular, it needs to be able to run the Java executable it is
using as other people via sudo. You should take care to lock this
down heavily. You do this by using the program visudo to add these
parts to the sudo configuration. Note that each goes in a separate
part of the overall file, and that we assume below that Tomcat is
running as the user tavserv; you will probably need to change (e.g.,
to tomcat or nobody) as appropriate.
This defines some flags for the main server user:
Defaults:tavserv !lecture, timestamp_timeout=0, passwd_tries=1
This defines a rule for who the server can switch to. Let's say that
they have to be a member of the Unix user group taverna; if a user
isn't in that group, they cannot use Taverna Server. (Note that root
should not be part of the group!)
Runas_Alias TAV = %taverna
This creates the actual permission, saying that the tavserv user may
run anything as any user in the alias above (i.e., in the taverna
group). The NOPASSWD is important because it allows Taverna Server
to do the delegation even when running as a user that can't log in.
tavserv ALL=(TAV) NOPASSWD: ALL
Use a filename that relates to what URL you want Taverna Server to
appear at within Tomcat (e.g., if you want it to be at
/tavernaserver, use the filename webapps/tavernaserver.war).