If you wish to install GridFTP without installing the rest of the Globus Toolkit, refer to the Installing GT 4.0 section of the GT 4.0 System Administrator's Guide. Perform steps 1-3, as written (Note that you do not need Ant, a JDK, or a JDBC database to build only GridFTP). However, instead of running "make" as directed in step 4,

Run:

globus$ make gridftp

If you wish to have a log file of the build, use tee:

globus$ make gridftp 2>&1 | tee build.log

The syntax above assumes a Bourne shell. If you are using another shell, redirect stderr to stdout and then pipe it to tee.

If you wish to install only the GridFTP server, refer to the Installing GT 4.0 section of the GT 4.0 System Administrator's Guide for prerequisites. Follow steps 1-3 as written. However, instead of running "make" as directed in step 4,

Run:

globus$ make gpt globus_gridftp_server

If you wish to have a log file of the build, use tee:

globus$ make gpt globus_gridftp_server 2>&1 | tee build.log

The syntax above assumes a Bourne shell. If you are using another shell, redirect stderr to stdout and then pipe it to tee.

If you wish to install only the GridFTP client, refer to the Installing GT 4.0 section of the GT 4.0 System Administrator's Guide for prerequisites. Follow steps 1-3 as written. However, instead of running "make" as directed in step 4,

Run:

globus$ make globus-data-management-client

If you wish to have a log file of the build, use tee:

globus$ make globus-data-management-client 2>&1 | tee build.log

The syntax above assumes a Bourne shell. If you are using another shell, redirect stderr to stdout and then pipe it to tee.

If you wish to install only the GridFTP SDK, refer to the Installing GT 4.0 section of the GT 4.0 System Administrator's Guide for prerequisites. Follow steps 1-3 as written. However, instead of running "make" as directed in step 4,

Run:

globus$ make globus-data-management-sdk

If you wish to have a log file of the build, use tee:

globus$ make globus-data-management-sdk 2>&1 | tee build.log

The syntax above assumes a Bourne shell. If you are using another shell, redirect stderr to stdout and then pipe it to tee.

If you wish to build a combination of GridFTP elements, refer to the Installing GT 4.0 section of the GT 4.0 System Administrator's Guide for prerequisites. Follow steps 1-3 as written. However, instead of running "make" as directed in step 4,

Run:

globus$ make [any combination of the above commands, each separated by a space]

For example, if you just want to install the GridFTP server and client, the command would be:

globus$ make gpt globus_gridftp_server globus-data-management-client

If you wish to have a log file of the build, use tee:

globus$ make [any combination of the above commands, each separated by a space] 2>&1 | tee build.log

The syntax above assumes a Bourne shell. If you are using another shell, redirect stderr to stdout and then pipe it to tee.

If you wish to build and install a statically linked set of GridFTP binaries, refer to the Installing GT 4.0 section of the GT 4.0 System Administrator's Guide for prerequisites. Follow steps 1-2 as written. In step 3, however, you should

Run:

globus$ export GLOBUS_LOCATION=/usr/local/globus-4.0.0
globus$ ./configure --prefix=$GLOBUS_LOCATION --with-buildopts="--static" 

globus$ make gpt globus_gridftp_server

If you wish to have a log file of the build, use tee:

globus$ make gpt globus_gridftp_server 2>&1 | tee build.log

The syntax above assumes a Bourne shell. If you are using another shell, redirect stderr to stdout and then pipe it to tee.

Note: Command line options and configuration file options may both be used, but the command line overrides the config file.

The configuration file for the GridFTP server is read from the following locations, in the given order. Only the first found will be loaded.

Options are one per line, with the format:

<option> <value>

If the value contains spaces, they should be enclosed in double-quotes ("). Flags or boolean options should only have a value of 0 or 1. Blank lines and lines beginning with # are ignored.

For example:

  port 5000
  allow_anonymous 1
  anonymous_user bob
  banner "Welcome!"

The table below lists config file options, associated command line options (if available) and descriptions. Note that any boolean option can be negated on the command line by preceding the specified option with '-no-' or '-n'. example: -no-cas or -nf.

Note: The service name used (gsiftp in this case) should be defined in /etc/services with the desired port.

Here is a sample gridftp server xinetd config entry:

service gsiftp
{
instances               = 100
socket_type             = stream
wait                    = no
user                    = root
env                     += GLOBUS_LOCATION=(globus_location)
env                     += LD_LIBRARY_PATH=(globus_location)/lib
server                  = (globus_location)/sbin/globus-gridftp-server
server_args             = -i
log_on_success          += DURATION
nice                    = 10
disable                 = no
}

Here is a sample gridftp server inetd config entry (read as a single line):

gsiftp   stream   tcp   nowait   root   /usr/bin/env env   \
    GLOBUS_LOCATION=(globus_location)                      \
    LD_LIBRARY_PATH=(globus_location)/lib                  \ 
    (globus_location)/sbin/globus-gridftp-server -i

	Note
	On Mac OS X, you must set DYLD_LIBRARY_PATH instead of LD_LIBRARY_PATH in the above examples. On IRIX, you may need to set either LD_LIBRARYN32_PATH or LD_LIBRARY64_PATH. However, on OS X you could also use launchd, as shown below.

Here is a sample Mac OS X launchd config entry. Create a "/Library/LaunchDaemons/gsiftp.plist" file. An example is below. Edit it to have the right paths for your installation. Then run "sudo launchctl load /Library/LaunchDaemsons/gsiftp.plist".

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http:// www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
         <key>Debug</key>
         <true/>
         <key>EnvironmentVariables</key>
         <dict>
                 <key>DYLD_LIBRARY_PATH</key>
                 <string>/usr/local/gt4/lib</string>
                 <key>GLOBUS_LOCATION</key>
                 <string>/usr/local/gt4</string>
         </dict>
         <key>GroupName</key>
         <string>admin</string>
         <key>Label</key>
         <string>org.globus.gridftp</string>
         <key>OnDemand</key>
         <true/>
         <key>ProgramArguments</key>
         <array>
                 <string>/usr/local/gt4/sbin/globus-gridftp-server</ 
string>
                 <string>-i</string>
         </array>
         <key>ServiceDescription</key>
         <string>GridFTP</string>
         <key>Sockets</key>
         <dict>
                 <key>Listeners</key>
                 <dict>
                         <key>SockFamily</key>
                         <string>IPv4</string>
                         <key>SockPassive</key>
                         <true/>
                         <key>SockServiceName</key>
                         <string>gsiftp</string>
                         <key>SockType</key>
                         <string>stream</string>
                 </dict>
         </dict>
         <key>UserName</key>
         <string>root</string>
         <key>inetdCompatibility</key>
         <dict>
                 <key>Wait</key>
                 <false/>
         </dict>
</dict>
</plist>

The Community Authorization Service (CAS) is used to administer access rights to files and directories and the GridFTP server can be configured to enforce those rights.

For more information, see How to Set Up CAS to Use with GridFTP.

The server should generally be run as root in daemon mode, though it is possible to run it as a user (see below). When run as root you will need to have a host certificate.

Run the server:

globus-gridftp-server < -s | -S > <args>

where:

The following additional steps may be required when running as a user other than root:

The -i command line option enables the server to be run under inetd or xinetd.

See Configuring GridFTP for example xinetd and inetd configuration entries.

The GridFTP server now supports separate front end (client control connection) and back end (data node) processes. In addition, a single front end process may connect to multiple back end data nodes.

When multiple back end data nodes are available, the server is said to be in a striped configuration, or simply, is a striped server. In this mode transfers are divided over all available data nodes, thus allowing the combined bandwidth of all data nodes to be used.

Note: The connection between the front end and data nodes is referred to as the ipc channel.

The ability to use inetd or daemon execution modes applies to both front end servers and data nodes, and the same certificate and user requirements apply.

To start the front end:

globus-gridftp-server <args> -r <host:port>[,<host:port>,...]

To start the data-node:

globus-gridftp-server -p <port> -dn

The -p <port> option used on the data-node is the port that will be used for ipc connections. This is the port that you will register with the front end server.

For example:

machineB> globus-gridftp-server -p 6000 -dn
machineC> globus-gridftp-server -p 7000 -dn
machineA> globus-gridftp-server -p 5000 -r machineB:6000,machineC:7000

The client would only connect to the front end at machineA:5000, for example, using globus-url-copy with the -stripe option:

globus-url-copy -stripe gsiftp://machineA:5000/file file:///destination
   or
globus-url-copy -stripe gsiftp://machineA:5000/file gsiftp://machineX/destination

Where machineX may be another striped server or a standard GridFTP server.

As is illustrated above, the GridFTP server can be separated into front end and data node processes. This is the architecture used to achieve a striped server, but it can also be exploited to achieve a higher level of security.

Running the server as root is often desirable because it allows the server to fork and setuid on a child processes related to an authenticated user. This allows the server to leverage the operating systems file system permissions and other security devices. However, it is not at all desirable to have a root running process listening on a port open to the world. If an attacker were to compromise the process they could obtain root level access to the machine.

To overcome this security risk the gridftp server can be run in a front end/back end manner. The front end can be run as any user, say user globus, that has very limited access to the machine. The front end is the processes open to the outside world. If it is compromised an attacker has only gained access to that limited account. The back end is run as root, but configured to only allow connections from the front end.

To start the front end:

globus-gridftp-server -p 7000 -r localhost:7001

and the back end:

globus-gridftp-server -p 7001 -dn -allow-from 127.0.0.1

We now provide two ways to configuring your server:

There are new authentication options available for the server in GT4.0.0:

	Warning
	WE HIGHLY RECOMMEND YOU NOT USE THIS. YOU WILL BE SENDING YOUR PASSWORD IN CLEAR TEXT OVER THE NETWORK.

We do, however, have some user communities who run only on internal networks for testing purposes and who do not wish to deal with obtaining GSI credentials. If you are considering this, we would recommend that you look at Simple CA and set up your own testbed CA. This can be done in less than an hour and then provides you full GSI security.

If the GridFTP server is behind a firewall:

	Note
	If the server is behind NAT, the --data-interface <real ip/hostname> option needs to be used on the server.

If the GridFTP client is behind a firewall:

Additional information on Globus Toolkit Firewall Requirements is available here.

Verify that you can establish a control channel connection and that the server has started successfully by telnetting to the port on which the server is running:

% telnet localhost 2811
                Trying 127.0.0.1...
                Connected to localhost.
                Escape character is '^]'.
                220 GridFTP Server mldev.mcs.anl.gov 2.0 (gcc32dbg, 1113865414-1) ready.

If you see anything other than a 220 banner such as the one above, the server has not started correctly.

Verify that there are no configuration files being unexpectedly loaded from /etc/grid-security/gridftp.conf or $GLOBUS_LOCATION/etc/gridftp.conf. If those files exist, and you did not intend for them to be used, rename them to .save, or specify -c none on the command line and try again.

If you can log into the machine where the server is, try running the server from the command line with only the -s option:

$GLOBUS_LOCATION/sbin/globus-gridftp-server -s

The server will print the port it is listening on:

Server listening at gridftp.mcs.anl.gov:57764

Now try and telnet to that port. If you still do not get the banner listed above, something is preventing the socket connection. Check firewalls, tcp-wrapper, etc.

If you now get a correct banner, add -p 2811 (you will have to disable (x)inetd on port 2811 if you are using them or you will get port already in use):

$GLOBUS_LOCATION/sbin/globus-gridftp-server -s -p 2811

Now telnet to port 2811. If this does not work, something is blocking port 2811. Check firewalls, tcp-wrapper, etc.

If this works correctly then re-enable your normal server, but remove all options but -i, -s, or -S.

Now telnet to port 2811. If this does not work, something is wrong with your service configuration. Check /etc/services and (x)inetd config, have (x)inetd restarted, etc.

If this works, begin adding options back one at a time, verifying that you can telnet to the server after each option is added. Continue this till you find the problem or get all the options you want.

At this point, you can establish a control connection. Now try running globus-url-copy.

Once you've verified that you can establish a control connection, try to make a transfer using globus-url-copy.

If you are doing a client/server transfer (one of your URLs has file: in it) then try:

globus-url-copy -vb -dbg gsiftp://host.server,running.on/dev/zero file:///dev/null

This will run until you control-c the transfer. If that works, reverse the direction:

globus-url-copy -vb -dbg file:///dev/zero gsiftp://host.server.running.on/dev/null

Again, this will run until you control-c the transfer.

If you are doing a third party transfer, run this command:

globus-url-copy -vb -dbg gsiftp://host.server1.on/dev/zero gsiftp://host.server2.on/dev/null

Again, this will run until you control-c the transfer.

If the above transfers work, try your transfer again. If it fails, you likely have some sort of file permissions problem, typo in a file name, etc.

If the server has started correctly, and your problem is with a security failure or gridmap lookup failure, verify that you have security configured properly here.

If the server is running and your client successfully authenticates but has a problem at some other time during the session, please ask for help on [email protected]. When you send mail or submit bugs, please always include as much of the following information as possible: