Creating users

To run the secure examples in a slightly realistic fashion, we will need two users on our machine. Actually, the first one is (quite probably) already there: your user account. In my case, this would be the borja UNIX account. This account will be used to run the client programs.

Later on, we will give this user a digital certificate with the following distinguished name:

O=Globus, OU=GT3 Tutorial, CN=Borja Sotomayor

Of course, you can change the values of the distinguished name to match your organization, organizational unit, and common name.

The second user you need to create is a generic globus account, which will be used to perform administrative tasks such as starting and stopping the container, deploying services, etc. This user will also be in charge of managing the simple CA we are going to install. To be able to do this, make sure this account has read and write permissions on the $GLOBUS_LOCATION directory.

Later on, we will give this user a digital certificate with the following name:

O=Globus, OU=GT3 Tutorial, CN=Globus 3 Administrator

It's quite possible that you already have a separate globus account for this, since it is commonplace in UNIX systems to create generic accounts to run specific services (the www-data account, the proxy account, etc.). However, you might also be using this account to run the client programs. If so, from now on, you should use the globus account only for administrative tasks, and your user account (borja, in my case) to run the clients.

Why it is unwise to run the container and the clients with the same user

At this point, you might be thinking: "Sure, having two separate users seems like the right thing to do, but this is just a tutorial... I guess I can work with just one user". If so, banish that thought from your head immediately. It is certainly possible to work through all the security examples using just one user (for both the container and the client programs), but doing so might 'mask' errors and pitfalls that would only reveal themselves when you run the examples in a more realistic (and less tutorial-like) situation: the container on one machine, running under a certain identity, and the client programs on a different machine, running under a completely different identity.

Bottom line: please do take the time to create a globus account to run the container and the Certificate Authority, and a user account to run the example client applications.
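A preflight check for the setup described above, added here as an example and not part of the original tutorial: it confirms that the administrative and client accounts are really distinct identities and that the current user can read and write everything under the installation directory. The function names are hypothetical, and the check is meant to be run while logged in as the globus account.

```sh
#!/bin/sh
# Added example: preflight checks for the two-account setup.
# Function names are hypothetical; account names follow the tutorial.

# check_accounts ADMIN CLIENT
#   0 = both accounts exist and have different UIDs
#   1 = both names resolve to the same UID (no real separation)
#   2 = at least one account does not exist
check_accounts() {
    admin_uid=$(id -u "$1" 2>/dev/null) || return 2
    client_uid=$(id -u "$2" 2>/dev/null) || return 2
    [ "$admin_uid" != "$client_uid" ] || return 1
    return 0
}

# list_inaccessible DIR
# Prints every entry under DIR that the current user cannot both read
# and write. Symbolic links are skipped so that dangling links do not
# raise false alarms.
list_inaccessible() {
    find "$1" ! -type l -exec sh -c '
        for entry; do
            [ -r "$entry" ] && [ -w "$entry" ] || printf "%s\n" "$entry"
        done' sh {} +
}

# preflight ADMIN CLIENT DIR
# Returns 0 only if the accounts are distinct and DIR is fully accessible.
preflight() {
    rc=0
    check_accounts "$1" "$2" || rc=$?
    case $rc in
        1) echo "ERROR: $1 and $2 are the same identity" >&2; return 1 ;;
        2) echo "ERROR: account $1 or $2 does not exist" >&2; return 1 ;;
    esac
    [ -d "$3" ] || { echo "ERROR: $3 is not a directory" >&2; return 1; }
    blocked=$(list_inaccessible "$3")
    if [ -n "$blocked" ]; then
        echo "ERROR: no read/write access to:" >&2
        printf '%s\n' "$blocked" >&2
        return 1
    fi
    echo "OK: $1 and $2 are distinct; $3 is readable and writable"
}

# Typical call, as the globus user:
#   preflight globus borja "$GLOBUS_LOCATION"
```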