Islandora Microservices

PHP Pear Soap

apt-get install php-pear

Fits

cd /opt/
git clone https://github.com/harvard-lts/fits

PHP Stomp library

apt-get install libcurl4-openssl-dev pkg-config install libssl-dev libsslcommon2-dev
apt-get install build-essential

pecl install stomp
    (SSL support disabled)

nano -w /etc/php5/apache2/php.ini

     extension=stomp.so
     
nano -w /etc/php5/cli/php.ini

     extension=stomp.so

Islandora listener

apt-get install git

git clone -b taverna-1.x https://github.com/roblib/php_listeners
mv php_listeners /opt/
 
nano -w /opt/php_listeners/config.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Document   : config.xml
    Created on : June 11, 2012, 7:38 PM
    Author     : rwincewicz
    Description:
        Configuration file for php-based listeners.
-->
<config>
 
    <listeners>
        <!-- Choose the number of child processes you want to spawn.
         i    A rough estimate is you'll get a load average which is
             1.5 times the number of child processes (eg. load average
             of 12 for 8 child processes --> microservice_users.xml
        <child_processes>2</child_processes>
    </listeners>
 
    <fedora>
        <!-- These are the details for your Fedora server. You should
             make sure that the firewall rules allow the listeners to
             contact the Fedora server and set up any XACML policies
             to allow write access from the listener IP address -->
        <protocol>https</protocol>
        <host>repoURL</host>
        <port>443</port>
        <username>fedoraAdmin</username>
        <password>fedoraadminpassword</password>
    </fedora>
 
    <taverna>
        <protocol>https</protocol>
        <context>tavernaserver</context>
        <host>123.123.123.124</host>
        <port>8443</port>
        <username>tavAdmin</username>
        <password>tavAdminPassword</password>
        <!--if you use a self signed cert you probably want to leave verify ssl to false-->
        <verify_ssl>false</verify_ssl>
        <!-- if you want to limit access to the soap_server this should be true-->
        <needAuth>true</needAuth>
    </taverna>
 
    <stomp>
        <!-- These are the details for the JMS broker. Usually the host
             will be the same as the Fedora server. If the Stomp port on
             the JMS broker has been set up as in the installation
             instructions then you'll connect on port 61613 and use the
             /queue/listener.update channel -->
        <host>123.123.123.123</host>
        <port>61613</port>
        <channel>/queue/listener.update</channel>
    </stomp>
 
    <fits_path>/opt/fits/fits.sh</fits_path>
 
    <log>
        <!-- Specify the file name of the log file.
         the webserver AND the user used to invoke the listeners both need
        to have write access to this file -->
        <file>/var/log/listener.log</file>
    </log>
 
</config>

Islandora listener patches (for Taverna server 2.5.4)

nano -w /opt/php_listeners/connect.php

private function processT2flowOnTaverna($stream, $pid, $dsID, $count = 0) {
    if(empty($dsID)){
      $dsID = 'empty_stream_id';//in order to share workflows with ingest and other methods
      //(like addDatastream) we must always send both a PID and DSID otherwise taverna will complain that
      //the number of inputs don't match what was defined in the workflow.
    }
    try {
      $prot = empty($this->config_xml->taverna->protocol) ? 'http' : $this->config_xml->taverna->protocol;
      $context = empty($this->config_xml->taverna->context) ? 'http' : $this->config_xml->taverna->context;
      $taverna_sender = new TavernaSender($prot, $this->config_xml->taverna->host, $this->config_xml->taverna->port, $context, $this->config_xml->taverna->username, $this->config_xml->taverna->password);
      //Post t2flow
      $result = $taverna_sender->send_Message($stream);
      $uuid = $taverna_sender->parse_UUID($result);
      if (empty($uuid)) {
        //This message should never be seen, as it should break in send message first
        $this->log->lwrite('No UUID was found', "TAVERNA_ERROR");
      }
      else { //uuid has a value
        $this->log->lwrite('uuid = ' . $uuid, "SERVER_INFO");
        $taverna_sender->add_input($uuid, "pid", $pid);
        $taverna_sender->add_input($uuid, "dsid", $dsID);
        $result = $taverna_sender->run_t2flow($uuid);
        $this->log->lwrite('pid = ' . $pid, "SERVER_INFO");
        $this->log->lwrite('dsid = ' . $dsID, "SERVER_INFO");
        $status = $this->pollStatus($uuid, $taverna_sender);
        if ($status) {
          $this->log->lwrite("deleting workflow $uuid $pid $dsID", "SERVER_INFO");
          $taverna_sender->delete_t2flow($uuid);
        }
        return TRUE;
      }
    } catch (Exception $e) {
      $this->log->lwrite($e->getMessage() . ' ' . $e->getCode(), 'TAVERNA_ERROR', $pid, $dsID, NULL, 'ERROR');
-//      $response = $e->getResponse();
-//      $responseString = $response['content'];
+     $responseString = $e->getMessage();
-//      $taverna_sender->delete_t2flow($uuid); //try to delete the failed attempt on the taverna server
+      $response = $taverna_sender->delete_t2flow($uuid); //try to delete the failed attempt on the taverna server
      //we rest and retry here as the most common taverna error will probable be a 403 forbidden
      //due to the server being overloaded.
      sleep(10);
      if ($count <= 10) {
        $this->log->lwrite("Taverna error $responseString, workflow t2flow for $pid $dsID failed, sending agian.", 'SERVER_INFO', $pid, $dsID, NULL, 'INFO');
        $this->processT2flowOnTaverna($stream, $pid, $dsID, ++$count);
      }
      else {
        $this->log->lwrite($e->getMessage() . ' ' . $e->getCode() . " $pid $dsID reached the maximum number of tries giving up", "SERVER_INFO", $pid, $dsID, NULL, 'ERROR');
        $taverna_sender->delete_t2flow($uuid);
      }
      return FALSE; //we return false here so a negative ack will be sent. this probably means (depending on the stomp server configs) that
      //we will get this message again. This prevents us from losing messages but could cause a loop if Taverna is down,
      //inaccesible or just not responding
    }
  }

nano -w /opt/php_listeners/tavernaSender.php

  function run_t2flow($uuid) {
    $auth = $this->check_credentials($uuid);
    if (empty($uuid) || !$auth) {
      throw new TavernaException("Error running t2flow, missing uuid or auth failure");
    }
 
    $url = $this->hostname . $uuid . '/status/';
    $response = $this->curl_connect->tavernaPutRequest($url, 'string', 'Operating', 'text/plain');
-//    if ($response['status'] != 200) {
+    if (($response['status'] != 200) && ($response['status'] != 202)) {
      throw new TavernaException($response['headers'] . $response['content'], $response['status'], 'run t2flow');
    }
    return $response['headers'] . $response['content'];
  }

Disable certificate validation in Tuque module to allow SSL between Listener and repository.

nano -w /opt/php_listeners/tuque/HttpConnection.php
  /**
   * FALSE to stop cURL from verifying the peer's certificate. (Default: TRUE)
   * @var type boolean
   */
  public $verifyPeer = FALSE;

Enable Apache SSL for Soap server

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/soap.key -out /etc/ssl/certs/soap.crt
chmod 400 /etc/ssl/private/soap.key
cd /etc/apache2/
cp sites-available/default-ssl sites-available/default-ssl.ORI
nano -w sites-available/default-ssl

...
     SSLEngine on
     SSLCertificateFile    /etc/ssl/certs/soap.crt
     SSLCertificateKeyFile /etc/ssl/private/soap.key
...

a2enmod ssl
a2ensite default-ssl
a2dissite 000-default
nano -w /etc/apache2/ports.conf

     ##NameVirtualHost *:80
     ##Listen 80

service apache2 restart

Islandora PHP Soap Server

apt-get install php5-curl
service apache2 restart

cp -R /opt/php_listeners/soap_server /var/www/

nano -w /var/www/soap_server/config.xml

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <path>/opt/php_listeners</path>
  <services>
    <service>RoblibServices</service>
  </services>
</config>

Add to microservice file user, password and public cert to use with soap service.

nano -w /opt/php_listeners/microservice_users.xml

<?xml version="1.0" encoding="UTF-8"?>
<users>
    <user username = "soapUser" password="soapPass" serviceUri="http://fc2.to.cnr.it/soap_server/" trustCA="
MIID7zCCAtegAwIBAgIJAP5qgONnCMB+MA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJJVDERMA8GA1UECAwIUGllbW9udGUxDjAMBgNVBAcMBVR1cmluMQ4wDAYD
VQQKDAVDZXJpczEMMAoGA1UECwwDVUlUMRYwFAYDVQQDDA1mYzIudG8uY25yLml0
MSUwIwYJKoZIhvcNAQkBFhZnLmJpcmVsbG9AY2VyaXMuY25yLml0MB4XDTE0MDYw
MzEzMjMxNloXDTI0MDUzMTEzMjMxNlowgY0xCzAJBgNVBAYTAklUMREwDwYDVQQI
DAhQaWVtb250ZTEOMAwGA1UEBwwFVHVyaW4xDjAMBgNVBAoMBUNlcmlzMQwwCgYD
VQQLDANVSVQxFjAUBgNVBAMMDWZjMi50by5jbnIuaXQxJTAjBgkqhkiG9w0BCQEW
FmcuYmlyZWxsb0BjZXJpcy5jbnIuaXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDJikyKhZhs7optKdYv03ByVg7KFdxdPBzeJ/5uUa3IEr3ay6lVxf8x
pcUqXpiRxUa9OWZpmGQ+OqSg9fjv0PNsZR763zb30heU+W8/+9WE/YUigpV6cG6i
g1/pZeu+aeZqj4T9ept0NMLPnENKqsaAW6ZRmKfnSq4w20YA9dO1BYjYPB1vM1Xe
kewZMPE35F1opweAd07u4Oodrj0gQly/kg+YVafLmCmCDXSMgfnsnlLpYevFLIFt
pCJ6ipLiqoVupAPRqUWBSEMhapo6FJHLRsDWrKhLzO6C7SzCWMCYarIPqWNKD02Q
wHRt/XBYRr78tuD3PSQq6AjrocjJAQkjAgMBAAGjUDBOMB0GA1UdDgQWBBR/UtHS
/LpbyCjmc/7ARgCT4AC+MzAfBgNVHSMEGDAWgBR/UtHS/LpbyCjmc/7ARgCT4AC+
MzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCcZBKap1gGUKCu6Qya
kD/hBP9A1QAcPVLE/zJJuxAAVxrRnmiL7CGldKsRISWVVeJilW2hJX0X3+rbvMQQ
Z0D67RYQwZn/DoGxEs+xf4dki78obvb2rjng3cuEOJXrl53b9UKBX85vosD34sAg
vnicDDc3/iIzry1UlgUP70V69KedVyNKsHLPdnhRmVhOj7bA48DzNwLY/lxTiKti
yusPoCCL2iRV26RnanerdS7IrgtC8IQfgQTh8GEfRe4ppvH6QP09Pve4W5JUPkdA
q0gaoOrzs93Rpd9PcofXxWe+VqkFDogefxNXkxtsB+EdfgjdhlJZ/ZBaNvO/0CM+
NU61">
  </user>
</users>

Patch php_listener to pass trusted CA to Taverna server

nano -w tavernaSender.php

  function send_credentials($uuid) {
    if (empty($uuid)) {
      throw new TavernaException("no uuid specified when sending credentials ", 'send credentials');
    }
    $microservice_users_file = 'microservice_users.xml';
    $microservice_users_xml = simplexml_load_file($microservice_users_file);
    if ($microservice_users_xml == FALSE) {
      throw new TavernaException("error reading microservice_users.xml using $location/microserice_users.xml", 404, 'send credentials');
    }
    $users = $microservice_users_xml->xpath("//user");
    if ($users == FALSE) {
      throw new TavernaException("Authentication is required, but no users defined in microservice_users_file.xml ", 'send credentials');
    }
    $host = $this->hostname . $uuid . '/security/credentials';
    $hostTrust = $this->hostname . $uuid . '/security/trusts';
 
    foreach ($users as $user) {
      $data = '<credential xmlns="http://ns.taverna.org.uk/2010/xml/server/rest/">
        <userpass xmlns="http://ns.taverna.org.uk/2010/xml/server/">
        <serviceURI xmlns="http://ns.taverna.org.uk/2010/xml/server/">' . $user['serviceUri'] . '</serviceURI>
        <username xmlns="http://ns.taverna.org.uk/2010/xml/server/">' . $user['username'] . '</username>
        <password xmlns="http://ns.taverna.org.uk/2010/xml/server/">' . $user['password'] . '</password>
        </userpass>
        </credential>';
      $response = $this->curl_connect->postRequest($host, 'String', $data, 'application/xml');
      if ($response['status'] != 201) {
        throw new TavernaException('Error sending credentials ' . $response['headers'] . $response['content'], $response['status'], 'send credentials');
      }
      if ($user['trustCA'] != ""){
        $data = '<trustedIdentity xmlns="http://ns.taverna.org.uk/2010/xml/server/">
          <certificateBytes xmlns="http://ns.taverna.org.uk/2010/xml/server/">' . $user['trustCA'] . '</certificateBytes>
          </trustedIdentity>';
        $response = $this->curl_connect->postRequest($hostTrust, 'String', $data, 'application/xml');
        if ($response['status'] != 201) {
          throw new TavernaException('Error sending trusted Identity ' . $response['headers'] . $response['content'], $response['status'], 'send trustedIdentity');
        }
      }
    }
    return TRUE;
  }

Fedora server setup

nano -w $FEDORA_HOME/server/config/fedora.fcfg

<param name="java.naming.provider.url" value="vm:(broker:(tcp://localhost:61616,stomp://IPADDRESS:61613))"/>
 
<param name="datastore3" value="apimListenerMessages">
<comment>A datastore representing a JMS Destination for APIM events used by the JMS listeners</comment>
</param>
 
 
<datastore id="apimListenerMessages">
<comment>Messaging Destination for API-M events which update the repository</comment>
<param name="messageTypes" value="apimUpdate">
  <comment>A space-separated list of message types that will be
        delivered to this Destination. Currently, &quot;apimUpdate&quot; and
        &quot;apimAccess&quot; are the only supported message types.</comment>
</param>
<param name="name" value="listener.update"/>
<param name="type" value="queue">
  <comment>Optional, defaults to topic.</comment>
</param>
</datastore>

Edit XACML and add taverna server IP ADDRESS
Edit Fedora server reverse https proxy to allow taverna server IP ADDRESS access (see Reverse proxy (http and https)
Restart tomcat

Start listener

cd /opt/php_listeners
php listener.php

ps -ef | grep php