Chapter 6. Basic Security Configuration

1. Set environment variables

In order for the system to know the location of the Globus Toolkit commands you just installed, you must set an environment variable and source the globus-user-env.sh script.

  1. As globus, set GLOBUS_LOCATION to where you installed the Globus Toolkit. This will be one of the following:

    • Using Bourne shells:

      globus$ export GLOBUS_LOCATION=/path/to/install
    • Using csh:

      globus$ setenv GLOBUS_LOCATION /path/to/install
  2. Source $GLOBUS_LOCATION/etc/globus-user-env.{sh,csh} depending on your shell.

    • Use .sh for Bourne shell:

      globus$ . $GLOBUS_LOCATION/etc/globus-user-env.sh
    • Use .csh for C shell.

      globus$ source $GLOBUS_LOCATION/etc/globus-user-env.csh

2. Obtain host certificates

You must have X.509 certificates to use the GT 4.0 software securely (referred to in this documentation as host certificates). For an overview of certificates for GSI (security), see GSI Configuration Information and GSI Environmental Variables.

Host certificates must:

  • consist of the following two files: hostcert.pem and hostkey.pem
  • be in the appropriate directory for secure services: /etc/grid-security/
  • be issued for a machine that has a stable name in DNS; do not run it on a computer using DHCP, where a different name could be assigned to your computer.

You have the following options:

2.1.  Request a certificate from an existing CA

Your best option is to use an already existing CA. You may have access to one from the company you work for or an organization you are affiliated with. Some universities provide certificates for their members and affiliates. Contact your support organization for details about how to acquire a certificate. You may find your CA listed in the TERENA Repository.

If you already have a CA, you will need to follow its configuration directions. If the CA provides a setup package, follow the CA's instructions on how to install it. If it does not, you will need to create an /etc/grid-security/certificates directory and place the CA certificate and signing policy in that directory. See Configuring a Trusted CA for more details.

This type of certificate is best for service deployment and Grid interoperation.

2.2. SimpleCA

SimpleCA provides a wrapper around the OpenSSL CA functionality and is sufficient for simple Grid services. Alternatively, you can use OpenSSL's CA.sh command on its own. Instructions on how to use the SimpleCA can be found in Chapter 7, SimpleCA Admin Guide.

SimpleCA is suitable for testing or when a certificate authority is not available.

2.3. Low-trust certificate

Globus offers a low-trust certificate available at http://gcs.globus.org:8080/gcs. This option should only be used as a last resort because it does not fulfill some of the duties of a real Certificate Authority.

This type of certificate is best suited for short-term testing.

3. Make the host credentials accessible by the container

The host key (/etc/grid-security/hostkey.pem) is readable only by root. The container (hosting environment) runs as a non-root user (probably the globus user), so to give the container a set of host credentials it can read, copy the host certificate and key and change the ownership of the copies to the container user.

Note

This step assumes you have obtained a signed host certificate from your CA.

As root, run:

root# cd /etc/grid-security
root# cp hostkey.pem containerkey.pem
root# cp hostcert.pem containercert.pem
root# chown globus.globus containerkey.pem containercert.pem

At this point the certificates in /etc/grid-security should look something like:

root# ls -l *.pem
-rw-r--r-- 1 globus globus 1785 Oct 14 14:47 containercert.pem
-r-------- 1 globus globus  887 Oct 14 14:47 containerkey.pem
-rw-r--r-- 1 root   root   1785 Oct 14 14:42 hostcert.pem
-r-------- 1 root   root    887 Sep 29 09:59 hostkey.pem
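An added check (not part of the Globus documentation) that audits the ownership and permission rules Section 3 lays out: the host files stay root's, the copies belong to the container user (assumed to be globus), private keys are readable by their owner only, and certificates are never group- or world-writable. The directory path and the use of os/pwd are assumptions of this example.

```python
import os
import pwd
import stat

# Ownership layout from Section 3: originals stay root's, copies belong to
# the container account (assumed here to be "globus").
EXPECTED_OWNER = {
    "hostcert.pem": "root",
    "hostkey.pem": "root",
    "containercert.pem": "globus",
    "containerkey.pem": "globus",
}


def check_credential(name, st_mode, owner):
    """Return a list of problems for one file in the credential directory.

    st_mode is the raw st_mode from os.stat (file-type bits are masked off);
    owner is the user name that owns the file.
    """
    expected = EXPECTED_OWNER.get(name)
    if expected is None:
        return [f"{name}: not one of the expected credential files"]
    problems = []
    if owner != expected:
        problems.append(f"{name}: owned by {owner}, expected {expected}")
    perm = stat.S_IMODE(st_mode)
    if name.endswith("key.pem"):
        # A private key must be readable by its owner and nobody else,
        # matching the -r-------- shown in the listing above.
        if not perm & stat.S_IRUSR:
            problems.append(f"{name}: owner cannot read the key")
        if perm & 0o077:
            problems.append(f"{name}: mode {perm:04o} exposes the key to group/other; use 0400")
    elif perm & 0o022:
        # Certificates are public, but only the owner may replace one.
        problems.append(f"{name}: mode {perm:04o} is group- or world-writable")
    return problems


def audit_directory(directory="/etc/grid-security"):
    """Stat every *.pem in the directory; report missing files and bad modes."""
    names = [n for n in sorted(os.listdir(directory)) if n.endswith(".pem")]
    problems = [f"{n}: missing" for n in EXPECTED_OWNER if n not in names]
    for name in names:
        st = os.stat(os.path.join(directory, name))
        owner = pwd.getpwuid(st.st_uid).pw_name
        problems.extend(check_credential(name, st.st_mode, owner))
    return problems


if __name__ == "__main__":
    for line in audit_directory() or ["credentials OK"]:
        print(line)
```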

4. Add authorization

To authorize users, create /etc/grid-security/grid-mapfile as root.

You need two pieces of information:

  • the subject name of a user
  • the account name it should map to.

The syntax is one line per user, with the certificate subject followed by the user account name.

Run grid-cert-info to get your subject name, and whoami to get the account name:

bacon$ grid-cert-info -subject
/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
bacon$ whoami
bacon

You may add the line by running the following as root:

root# $GLOBUS_LOCATION/sbin/grid-mapfile-add-entry -dn \
"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon" \
-ln bacon

The corresponding line in the grid-mapfile should look like:

"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon" bacon
Important

The quotes around the subject name are important, because it contains spaces.
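As an added example (not Globus code), this writes and parses grid-mapfile lines in the format described in this section: one quoted certificate subject followed by the local account name. It assumes exact string comparison of subjects and a POSIX-style account-name pattern; both are assumptions of this example, not rules stated on the page.

```python
import re
import shlex

# Sane local login names (assumption of this example, not a page rule).
LOCAL_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def format_entry(subject, local_name):
    """Build one grid-mapfile line: the quoted subject, a space, the account.

    The quotes are what keeps a subject with spaces (CN=Charles Bacon) as a
    single field, so they are always emitted.
    """
    if not LOCAL_NAME_RE.match(local_name):
        raise ValueError(f"bad local account name: {local_name!r}")
    if '"' in subject or "\n" in subject:
        raise ValueError("subject may not contain quotes or newlines")
    return f'"{subject}" {local_name}'


def parse_gridmap(text):
    """Parse grid-mapfile text into {subject: local_name}.

    Blank lines and '#' comments are skipped. A line that does not split
    into exactly two fields is rejected; an unquoted subject containing
    spaces is the usual cause.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # honours the quotes
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '\"subject\" account', "
                             f"found {len(fields)} fields (is the subject quoted?)")
        subject, local_name = fields
        if not subject.startswith("/"):
            raise ValueError(f"line {lineno}: subject {subject!r} is not a DN")
        if not LOCAL_NAME_RE.match(local_name):
            raise ValueError(f"line {lineno}: bad local account name {local_name!r}")
        if subject in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {subject}")
        mapping[subject] = local_name
    return mapping


def local_account(mapping, subject):
    """The account a certificate subject maps to, or None if it is not authorized."""
    return mapping.get(subject)
```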

5. Verify Basic Security

Now that you have installed a trusted CA and acquired a host certificate and a user certificate, you may verify that your security setup is complete. As your user account, run the following command:

bacon$ grid-proxy-init -verify -debug

User Cert File: /home/bacon/.globus/usercert.pem
User Key File: /home/bacon/.globus/userkey.pem

Trusted CA Cert Dir: /etc/grid-security/certificates

Output File: /tmp/x509up_u506
Your identity: /DC=org/DC=doegrids/OU=People/CN=Charles Bacon 332900
Enter GRID pass phrase for this identity:
Creating proxy ...++++++++++++
..................++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 28 23:13:22 2005

There are a few things to notice in this output. Your user certificate and key are located in $HOME/.globus/. The proxy certificate is created in /tmp/. The "up" stands for "user proxy", and the _u506 suffix is your UNIX user ID. The command also prints your distinguished name (DN), and the proxy is valid for 12 hours.

If this command succeeds, your single node is correctly configured.

6. Firewall configuration

For information on configuring services in the presence of a firewall, see the firewall PDF.

7. Syslog logging

The GT4 web services container is capable of logging authorization decisions to syslog. This procedure has been documented as a Grid HOWTO at NCSA.