Setting up Globus Toolkit 4.0.8 Security Infrastructure
Documentation
The following guides are available:
Hint: All of this documentation is completely outdated!
Provide Folders and Files
Set Folder and Owner
- ssh root@dgsi.zah.uni-heidelberg.de
- mkdir /etc/grid-security
- cd /usr/local/
- chown -R globus:globus globus-4.0.8/
- exit
Download Files Externally and Copy Them to Virtual Host
Certificates:
- Get the host.p12 certificate from DFN-PKI, IHEP CA or GridKa-CA. The following instructions refer to the last of these certification authorities.
- scp host.p12 root@dgsi.zah.uni-heidelberg.de:/etc/grid-security/
- Get the most recent version of the CA bundles used below (ca_DFN-GridGermany-Root, ca_GermanGrid, ca_IHEP and ca_UGRID) from dist.eugridpma.info/distribution/igtf/current-new/accredited/tgz:
- scp ca_*.tar.gz root@dgsi.zah.uni-heidelberg.de:/etc/grid-security/
Shell script for certificate conversion:
- Download p12-2-pem-en.sh (German-only alternative: p12-2-pem.sh)
- scp p12-2-pem-en.sh root@dgsi.zah.uni-heidelberg.de:/etc/grid-security/
Hint: Only necessary if you want to convert the host certificate using the script.
Gridadmin package:
- Download gridadmin.tar.gz
- scp gridadmin.tar.gz globus@dgsi.zah.uni-heidelberg.de:
Install Gridadmin Package
- ssh globus@dgsi.zah.uni-heidelberg.de
- tar -zxf gridadmin.tar.gz
- mv gridadmin $GLOBUS_LOCATION
Install Certificates
Install Simple CA
- $GLOBUS_LOCATION/setup/globus/setup-simple-ca -noint
WARNING: GPT_LOCATION not set, assuming: GPT_LOCATION=/usr/local/globus-4.0.8

    C e r t i f i c a t e    A u t h o r i t y    S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:

/home/globus/.globus/simpleCA/

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-dgsi.zah.uni-heidelberg.de, ou=GlobusTest, o=Grid
...
CA setup complete.
...
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

/usr/local/globus-4.0.8/setup/globus_simple_ca_24c3803e_setup/setup-gsi
...
- su
- /usr/local/globus-4.0.8/setup/globus_simple_ca_24c3803e_setup/setup-gsi
setup-gsi: Configuring GSI security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.24c3803e...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
Hint: The next two sections are alternatives that achieve the same result: convert the host certificate either with the script or without it.
Convert Host Certificate using Script
- cd /etc/grid-security/
- chmod +x p12-2-pem-en.sh
- ./p12-2-pem-en.sh host.p12
Waehlen Sie deutsch oder englisch.......(de/en)...[de].> en
___________________________ ./p12-2-pem-en.sh ___________________________
--- Converting certificates from .p12 to .pem/ ---
Is it a host or user certificate?..............(h/u).[u] .>h
Would you like the extension .crt or .pem? ........[pem] .>pem
_______________________________________________________________________
Inquiry about the browser export password
Please enter the password for the key! ...................>
Export certificates ............................(y/n).[n].>y
MAC verified OK
Succesfully! --> host.pem
Export private key? ............................(y/n).[n].>y
_______________________________________________________________________
Please assign a pem pass phrase of at least 12 characters, so your private key is protected effectually.
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Successfully --> host.key
Export CA-certificate? .........................(y/n).[n].>y
MAC verified OK
Successfully --> host.ca
_______________________________________________________________________
-!- -->!The following option are only allowed for special hosts in the D-Grid!<--
Export private key without password? ...........(y/n).(n).>y
Enter pass phrase for host.key:
Successfully --> host.nopass
The following files where created in the directory /etc/grid-security:
_______________________________________________________________________
gridka-ca.pem - The root certificate of your CA
hostcert.pem  - Your host-certificate
hostkey.pem   - Private key without 'PEM pass phrase'
_______________________________________________________________________
In the next step the orderly rights will be set on Your files as follow:
-r--r--r-- 1 root root 2128 Jul 28 09:12 hostcert.pem
-r-------- 1 root root 1679 Jul 28 09:12 hostkey.pem
-r--r--r-- 1 root root 1766 Jul 28 09:12 gridka-ca.pem
_______________________________________________________________________
Now the certificates can be shown one by one. (Abort with Strg + c )
Show user/host certificates ....................(y/n).[n].>n
Show private key? ..........................(y/n).[n].>n
Show CA-certificate? .......................(y/n).[n].>n
________________________________ENDE___________________________________
Convert Host Certificate without Script
- cd /etc/grid-security/
- openssl pkcs12 -in host.p12 -clcerts -nokeys -out hostcert.pem
Enter Import Password:
MAC verified OK
- chmod 644 hostcert.pem
- openssl pkcs12 -in host.p12 -nocerts -out hostkey-pass.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
- openssl rsa -in hostkey-pass.pem -out hostkey.pem
Enter pass phrase for hostkey-pass.pem:
writing RSA key
- rm hostkey-pass.pem
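The same conversion as the three openssl commands above, as one non-interactive shell function. This is an added example, not the page's p12-2-pem script and not Globus code; it assumes openssl(1) is installed, and the function names and the temporary file name are my own.

```shell
#!/bin/sh
# Non-interactive equivalent of the three openssl steps above (added example;
# not the page's p12-2-pem script and not part of Globus).  Assumes openssl(1).
#
#   p12_to_gsi host.p12 [/etc/grid-security] [import-password]
#
# Writes hostcert.pem (0644) and hostkey.pem (0400, unencrypted: the container
# must read it without a passphrase), verifies that the key belongs to the
# certificate, and never leaves a decrypted key world-readable or an orphaned
# key behind.

# Return 0 if the RSA modulus of the certificate equals that of the key.
gsi_cert_matches_key() {
    cm=$(openssl x509 -noout -modulus -in "$1") || return 1
    km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

p12_to_gsi() {
    p12=$1
    dir=${2:-/etc/grid-security}
    cert=$dir/hostcert.pem
    key=$dir/hostkey.pem
    tmpkey=$dir/hostkey-pass.pem.$$     # hypothetical temp name, removed below

    # Hand the import password to openssl through the environment so it does
    # not show up in the process list; without one, openssl prompts just as
    # the interactive commands above do.
    if [ -n "${3:-}" ]; then
        P12PASS=$3; export P12PASS
        passin="-passin env:P12PASS"
    else
        passin=""
    fi

    # umask 077 inside a subshell: every file is created private and the
    # caller's umask is left alone.  -nodes writes the key unencrypted, so the
    # intermediate hostkey-pass.pem of the manual procedure needs no
    # passphrase; openssl rsa then rewrites it without the Bag Attributes.
    (
        umask 077 &&
        openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$cert" $passin &&
        openssl pkcs12 -in "$p12" -nocerts -nodes -out "$tmpkey" $passin &&
        openssl rsa -in "$tmpkey" -out "$key"
    ) || { rm -f "$cert" "$tmpkey" "$key"; unset P12PASS; return 1; }
    rm -f "$tmpkey"
    unset P12PASS

    if ! gsi_cert_matches_key "$cert" "$key"; then
        echo "p12_to_gsi: $key does not belong to $cert, removing both" >&2
        rm -f "$cert" "$key"
        return 1
    fi
    chmod 644 "$cert"   # the certificate is public
    chmod 400 "$key"    # the key is readable by its owner only
}

# Command-line use: p12_to_gsi.sh host.p12 /etc/grid-security
if [ $# -gt 0 ]; then
    p12_to_gsi "$@"
fi
```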
Install Host Certificate
- cp hostcert.pem containercert.pem
- cp hostkey.pem containerkey.pem
- chown globus:globus containerkey.pem containercert.pem
- chmod 600 hostkey.pem
- ls -l
total 76
-rw-r--r-- 1 root   root    2296 Jan 12 18:21 ca_DFN-GridGermany-Root-1.44.tar.gz
-rw-r--r-- 1 root   root    2145 Jan 12 18:21 ca_GermanGrid-1.44.tar.gz
-rw-r--r-- 1 root   root    2108 Jan 12 18:21 ca_IHEP-1.44.tar.gz
-rw-r--r-- 1 root   root    1913 Jan 12 18:21 ca_UGRID-1.44.tar.gz
drwxr-xr-x 2 root   root    4096 Jan 12 18:29 certificates
-r--r--r-- 1 globus globus  2128 Jan 12 18:50 containercert.pem
-r-------- 1 globus globus  1679 Jan 12 18:50 containerkey.pem
lrwxrwxrwx 1 root   root      62 Jan 12 18:29 globus-host-ssl.conf -> /etc/grid-security/certificates//globus-host-ssl.conf.24c3803e
lrwxrwxrwx 1 root   root      62 Jan 12 18:29 globus-user-ssl.conf -> /etc/grid-security/certificates//globus-user-ssl.conf.24c3803e
-r--r--r-- 1 root   root    1766 Jan 12 18:48 gridka-ca.pem
lrwxrwxrwx 1 root   root      60 Jan 12 18:29 grid-security.conf -> /etc/grid-security/certificates//grid-security.conf.24c3803e
-r--r--r-- 1 root   root    2128 Jan 12 18:48 hostcert.pem
-rw------- 1 root   root    1679 Jan 12 18:49 hostkey.pem
-rw------- 1 root   root    4455 Jan 12 18:35 host.p12
-rwxr-xr-x 1 root   root   15547 Jan 12 18:23 p12-2-pem-en.sh
Install Certification Authority Certificates
- cd certificates/
- tar -zxf ../ca_DFN-GridGermany-Root-1.44.tar.gz
- tar -zxf ../ca_GermanGrid-1.44.tar.gz
- tar -zxf ../ca_UGRID-1.44.tar.gz
- tar -zxf ../ca_IHEP-1.44.tar.gz
- ln -svf ca_*/* .
- chown -R root:root *
- ls -l
- cd ~globus/globus-helper-v1.3/security/configrootCA/
- ./ConfigureFZK-CA.pl -i ZAH -g
Attention:: default config will be overwritten, hope you created a tar-file of the old config??
Unpacking the files in /etc/grid-security and creating the right symlinks
Revocation Lists
Install International Grid Trust Federation (IGTF)
- cd ~globus/globus-helper-v1.3/security/astro-fetch-crl
- ./install_fetch-crl.pl
installing README.txt => /usr/local/globus-4.0.8/share/doc/fetch-crl
installing fetch-crl => /usr/local/globus-4.0.8/sbin
installing fetch-crl.8 => /usr/local/globus-4.0.8/man/man8
installing fetch-crl.cron => /etc/cron.daily
installing fetch-crl.sysconfig => /etc/sysconfig/globus
Done installation
Update
No need to do this manually; it is run regularly by the cron job installed above (fetch-crl.cron in /etc/cron.daily).
- CRLDIR=/etc/grid-security/certificates/
- $GLOBUS_LOCATION/sbin/fetch-crl --loc $CRLDIR --out $CRLDIR
fetch-crl: [2012/01/12-19:01:05] Using OpenSSL version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 at /usr/bin/openssl
fetch-crl: [2012/01/12-19:01:05] processing '/etc/grid-security/certificates//dd4b34ea.crl_url'
fetch-crl: [2012/01/12-19:01:05] updating CRL 'GridKa-CA (dd4b34ea)'
fetch-crl: [2012/01/12-19:01:05] processing '/etc/grid-security/certificates//DFN-GridGermany-Root.crl_url'
fetch-crl: [2012/01/12-19:01:05] updating CRL 'DFN-Verein PCA Grid - G01 (1149214e)'
fetch-crl: [2012/01/12-19:01:05] processing '/etc/grid-security/certificates//GermanGrid.crl_url'
fetch-crl: [2012/01/12-19:01:06] updating CRL 'GridKa-CA (dd4b34ea)'
fetch-crl: [2012/01/12-19:01:06] File /etc/grid-security/certificates//dd4b34ea.r0 valid: yes
fetch-crl: [2012/01/12-19:01:06] processing '/etc/grid-security/certificates//IHEP.crl_url'
fetch-crl: [2012/01/12-19:01:07] updating CRL 'gridca-cn/emailAddress=gridca@ihep.ac.cn (ba2f39ca)'
fetch-crl: [2012/01/12-19:01:07] processing '/etc/grid-security/certificates//UGRID.crl_url'
fetch-crl: [2012/01/12-19:01:07] updating CRL 'UGRID CA (0a12b607)'
Check that the lists are up to date:
- cd $CRLDIR
- ls -alt
total 268
drwxr-xr-x 6 root root  4096 Jan 12 19:01 .
-rw-r--r-- 1 root root  3822 Jan 12 19:01 0a12b607.r0
-rw-r--r-- 1 root root 48433 Jan 12 19:01 ba2f39ca.r0
-rw-r--r-- 1 root root 25236 Jan 12 19:01 1149214e.r0
-rw-r--r-- 1 root root 97430 Jan 12 19:01 dd4b34ea.r0
...
Create Users
Create Gridmap File
- cd $GLOBUS_LOCATION/gridadmin/merge-gridmap
- ./local-install-grid-mapfile.sh
Read remap list from astrogrid-d.remap:
Merge with local gridmap file local-grid-mapfile:
`grid-mapfile' -> `/etc/grid-security/grid-mapfile'
- chmod a+r /etc/grid-security/grid-mapfile
To add a user who is not part of AstroGrid-D (for example /C=CN/O=HEP/O=NAOC/OU=CIC/CN=Chenzhou Cui), add the mapping manually to both files:
- vi /etc/grid-security/grid-mapfile
- Add at the end of the file (i):
"/C=CN/O=HEP/O=NAOC/OU=CIC/CN=Chenzhou Cui" agrid199
- Save (ESC :wq)
- vi /etc/grid-security/local-grid-mapfile
- Add at the end of the file (i):
"/C=CN/O=HEP/O=NAOC/OU=CIC/CN=Chenzhou Cui" agrid199
- Save (ESC :wq)
Hint: Use each "agrid..." pool account only once!
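A few sanity checks for the resulting grid-mapfile, as an added example (not the page's or the gridadmin package's code): it reports entries that do not have the "/DN" user form, pool accounts mapped by more than one DN (the hint above), and mapped accounts that do not exist in /etc/passwd. The sample mapfile and passwd lines it embeds are constructed, and the function names are my own.

```shell
#!/bin/sh
# Sanity checks for /etc/grid-security/grid-mapfile (added example; not part
# of the page or of the gridadmin package).  Each non-comment line has the form
#   "/C=DE/O=GermanGrid/OU=ZAH/CN=Some User" localuser[,localuser...]

# Print the local accounts of every well-formed entry, one per line.
gridmap_accounts() {
    awk '
        /^[[:space:]]*#/  { next }                       # comment
        /^[[:space:]]*$/  { next }                       # blank line
        !/^[[:space:]]*"[^"]*"[[:space:]]+/ { next }     # no quoted DN: see gridmap_malformed_lines
        {
            line = $0
            sub(/^[[:space:]]*"[^"]*"[[:space:]]*/, "", line)   # drop the "DN"
            n = split(line, users, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", users[i])
                if (users[i] != "") print users[i]
            }
        }' "$1"
}

# Print local accounts that are mapped by more than one entry; return 1 if any.
gridmap_duplicate_accounts() {
    dups=$(gridmap_accounts "$1" | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Print "line: text" for entries not of the form "/DN" user[,user]; return 1 if any.
gridmap_malformed_lines() {
    bad=$(awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        !/^[[:space:]]*"\/[^"]+"[[:space:]]+[A-Za-z0-9_.,-]+[[:space:]]*$/ { print FNR ": " $0 }' "$1")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Print mapped accounts missing from the passwd file (default /etc/passwd); return 1 if any.
gridmap_unknown_accounts() {
    passwd=${2:-/etc/passwd}
    unknown=$(gridmap_accounts "$1" | sort -u | while IFS= read -r u; do
        awk -F: -v u="$u" '$1 == u { found = 1 } END { exit !found }' "$passwd" || printf '%s\n' "$u"
    done)
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# Run all three checks; return 0 only when the mapfile is clean.
gridmap_check() {
    rc=0
    gridmap_malformed_lines "$1"   || { echo "^ malformed entries" >&2; rc=1; }
    gridmap_duplicate_accounts "$1" || { echo "^ accounts mapped more than once" >&2; rc=1; }
    gridmap_unknown_accounts "$1" "${2:-/etc/passwd}" || { echo "^ accounts missing from passwd" >&2; rc=1; }
    return $rc
}

# Constructed sample mapfile (no real users): one duplicate, one unknown
# account, one unquoted DN.  Prints the path of the temp file.
gridmap_sample_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample grid-mapfile
"/C=DE/O=GermanGrid/OU=ZAH/CN=Example User" agrid000
"/C=DE/O=GermanGrid/OU=ZAH/CN=Another User" agrid199
"/C=DE/O=GermanGrid/OU=ZAH/CN=Second User" agrid000,agrid001
/C=DE/O=GermanGrid/OU=ZAH/CN=Unquoted User agrid002
EOF
    printf '%s\n' "$f"
}

# Constructed passwd excerpt with only two pool accounts.
gridmap_sample_passwd() {
    f=$(mktemp) || return 1
    printf '%s\n' 'agrid000:x:1000:1000::/home/agrid/agrid000:/bin/bash' \
                  'agrid001:x:1001:1000::/home/agrid/agrid001:/bin/bash' > "$f"
    printf '%s\n' "$f"
}

# Command-line use: check_gridmap.sh /etc/grid-security/grid-mapfile
if [ $# -gt 0 ]; then
    gridmap_check "$1"
fi
```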
Setup Universal User Profile
- cd /etc/profile.d/
For sh-style shells (sh, ksh, ash, bash):
- vi globus.sh
- Edit (i)
# User specific environment and startup programs
export GLOBUS_LOCATION=/usr/local/globus-4.0.8
export GLOBUS_PATH=$GLOBUS_LOCATION/sbin:$GLOBUS_LOCATION/bin
export GLOBUS_TCP_PORT_RANGE=20000,25000
PATH=$PATH:$GLOBUS_PATH
export ANT_HOME=/usr/share/ant
export JAVA_HOME=/usr/lib/jvm/java-1.6.0-sun
export PATH=$PATH:/usr/lib/jvm/java-sun/bin
export PATH
- Save (ESC :wq)
- chmod +x globus.sh
For csh-style shells (csh, tcsh):
- vi globus.csh
- Edit (i)
# User specific environment and startup programs
setenv GLOBUS_LOCATION /usr/local/globus-4.0.8
setenv GLOBUS_PATH $GLOBUS_LOCATION/sbin:$GLOBUS_LOCATION/bin
setenv GLOBUS_TCP_PORT_RANGE 20000,25000
setenv ANT_HOME /usr/share/ant
setenv JAVA_HOME /usr/lib/jvm/java-1.6.0-sun
set path=($PATH:$GLOBUS_PATH:/usr/lib/jvm/java-sun/bin)
- Save (ESC :wq)
- chmod +x globus.csh
Hint: The script is run for each new shell.
Add Group
- mkdir /home/agrid
- /usr/sbin/groupadd -g 1000 agrid
Add Users
- cd /home/globus/
- vi user_add.sh
- Edit (i)
#!/bin/bash
# Generate all_user_add.sh, which creates $1 pool accounts agrid000 ... agridNNN
# in group agrid with home directories below /home/agrid.
FILE="all_user_add.sh"
echo "#!/bin/bash" > "$FILE"
user=0
while [ "$user" -lt "$1" ]
do
    # useradd -p expects an already-encrypted password (crypt(3) output). The
    # plain string given here is not a valid hash, so no password will ever
    # match it: the pool accounts are usable only through the grid-mapfile.
    printf "/usr/sbin/useradd -g agrid -d /home/agrid/agrid%03d -p t1o1p2s2e2c2r2e2t agrid%03d\n" "$user" "$user" >> "$FILE"
    user=$(( user + 1 ))
done
- Save (ESC :wq)
- chmod +x user_add.sh
- ./user_add.sh 200
- chmod +x all_user_add.sh
- ./all_user_add.sh
- ls /home/agrid/
Further Configuration
Create Symbolic Links
- cd /usr/local/
- ln -s globus-4.0.8/ globus
- ls -l
total 76
drwxr-xr-x  2 root   root   4096 Oct  7  2009 bin
drwxr-xr-x  2 root   root   4096 Oct  7  2009 etc
drwxr-xr-x  2 root   root   4096 Oct  7  2009 games
lrwxrwxrwx  1 root   root     13 Jan 12 19:08 globus -> globus-4.0.8/
drwxr-xr-x 17 globus globus 4096 Jan 12 18:28 globus-4.0.8
drwxr-xr-x  2 root   root   4096 Oct  7  2009 include
drwxr-xr-x  2 root   root   4096 Oct  7  2009 lib
drwxr-xr-x  2 root   root   4096 Oct  7  2009 libexec
drwxr-xr-x  2 root   root   4096 Oct  7  2009 sbin
drwxr-xr-x  4 root   root   4096 Sep 24  2010 share
drwxr-xr-x  2 root   root   4096 Oct  7  2009 src
- cd globus-4.0.8/
- ln -s ../globus-4.0.8/ gtk
- ln -s ../globus-4.0.8/ gt408
- ls -l
total 160
drwxr-xr-x  5 globus globus  4096 Jul 27 17:56 bin
-rw-r--r--  1 globus globus 10948 Jul 27 17:33 client-config.wsdd
-rw-r--r--  1 globus globus  1009 Jul 27 16:55 container-log4j.properties
drwxr-xr-x  3 globus globus  4096 Jul 27 16:54 doc
drwxr-xr-x  2 globus globus  4096 Jul 27 16:54 endorsed
drwxr-xr-x 31 globus globus  4096 Jul 27 18:40 etc
-rw-r--r--  1 globus globus 10174 Jul 27 16:11 GLOBUS_LICENSE
drwxr-xr-x  7 globus globus  4096 Jul 14 09:16 gridadmin
lrwxrwxrwx  1 root   root      16 Jan 12 19:11 gt408 -> ../globus-4.0.8/
lrwxrwxrwx  1 root   root      16 Jan 12 19:10 gtk -> ../globus-4.0.8/
drwxr-xr-x  4 globus globus  4096 Jul 27 16:48 include
drwxr-xr-x  6 globus globus 69632 Jul 27 17:57 lib
drwxr-xr-x  6 globus globus  4096 Jul 27 18:40 libexec
-rw-r--r--  1 globus globus   732 Jul 27 16:55 log4j.properties
drwxr-xr-x  6 globus globus  4096 Jul 27 16:52 man
drwxr-xr-x  5 globus globus  4096 Jan 12 18:57 sbin
drwxr-xr-x  5 globus globus  4096 Jan 12 18:28 setup
drwxr-xr-x 39 globus globus  4096 Jul 27 17:56 share
drwxr-xr-x 37 globus globus  4096 Jul 27 17:54 test
drwxr-xr-x  5 globus globus  4096 Jul 27 18:40 tmp
drwxr-xr-x  3 globus globus  4096 Jul 27 18:40 var
Configure Extended Internet Daemon
- vi /etc/services
- Search "2222" (?2222)
- Change (i)
...
rockwell-csp2   2222/tcp   # Rockwell CSP2
rockwell-csp2   2222/udp   # Rockwell CSP2
...
to...
gsissh          2222/tcp   # GSISSH
gsissh          2222/udp   # GSISSH
...
- Save (ESC :wq)
- vi $GLOBUS_LOCATION/etc/ssh/ssh_config
- Search "22" (?22)
- Change (i)
...
# Port 22
...
to...
Port 2222
...
- Save (ESC :wq)
- vi $GLOBUS_LOCATION/etc/ssh/sshd_config
- Search "22" (?22)
- Change (i)
...
#Port 22
...
to...
Port 2222
...
- Save (ESC :wq)
- cd ~globus/globus-helper-v1.3/xinetd.d
- vi install_xinet-conf.pl
- Search "Config" (?Config)
- Change (i)
...
print "Config with Globus location $GLOC";
...
to...
print "Config with Globus location $GLOC\n";
...
- Save (ESC :wq)
Hint: Don't try to change the directories in this script; it doesn't work. Use the symbolic links instead!
Configure and Start XInetD
- ./install_xinet-conf.pl
Config with Globus location /usr/local/globus/gtk
installing gsiftp => /etc/xinetd.d
installing gsigatekeeper => /etc/xinetd.d
Done installation
- /etc/rc.d/init.d/xinetd start
Starting xinetd: [ OK ]
Configure and Start GsiSshD
- ln -s $GLOBUS_LOCATION/sbin/SXXsshd /etc/init.d/gsisshd
- ls -l /etc/init.d/gsisshd
lrwxrwxrwx 1 root root 36 Jan 12 19:19 /etc/init.d/gsisshd -> /usr/local/globus-4.0.8/sbin/SXXsshd
- /sbin/chkconfig --add gsisshd
- /etc/init.d/gsisshd start
Starting up GSI-OpenSSH sshd server... done.
- /sbin/chkconfig tomcat5 on
Tests
External Test
Use another shell for this external test:
- grid-proxy-init (valid for 12 hours; use grid-proxy-init -valid 96:00 for 4 days)
Your identity: /C=DE/O=GermanGrid/OU=ZAH/CN=Klaus Rieger
Enter GRID pass phrase for this identity:
Creating proxy .................................................. Done
Your proxy is valid until: Fri Jan 13 07:28:48 2012
- echo "TEST" > test.txt
- globus-url-copy file:/home/Tux/rieger/test.txt gsiftp://dgsi.zah.uni-heidelberg.de/~/test.txt
- gsissh dgsi.zah.uni-heidelberg.de (gsissh -v dgsi.zah.uni-heidelberg.de for additional output, gsissh -p 2222 dgsi.zah.uni-heidelberg.de to specify the port)
/usr/bin/xauth: creating new authority file /home/agrid/agrid107/.Xauthority
- ls
test.txt
- exit
Hint: Switch back to the shell used previously.
Internal Test
The following checks are only necessary if the external test has failed.
- /usr/local/globus-4.0.8/bin/grid-cert-request -ca
nondefaultca=true
The available CA configurations installed on this host are:

1) 0a12b607 - /DC=org/DC=ugrid/CN=UGRID CA
2) 1149214e - /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
3) 24c3803e - /O=Grid/OU=GlobusTest/OU=simpleCA-dgsi.zah.uni-heidelberg.de/CN=Globus Simple CA
4) 1149214e - /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
5) dd4b34ea - /C=DE/O=GermanGrid/CN=GridKa-CA
6) 0a12b607 - /DC=org/DC=ugrid/CN=UGRID CA
7) ba2f39ca - /C=CN/O=HEP/CN=gridca-cn/emailAddress=gridca@ihep.ac.cn
8) ba2f39ca - /C=CN/O=HEP/CN=gridca-cn/emailAddress=gridca@ihep.ac.cn
9) dd4b34ea - /C=DE/O=GermanGrid/CN=GridKa-CA

Enter the index number of the CA you want to sign your cert request:
- Exit (Ctrl-Z)
[1]+ Stopped ./usr/local/globus-4.0.8/bin/grid-cert-request -ca
- /sbin/chkconfig --list tomcat5
tomcat5 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- /sbin/chkconfig --list gsisshd
gsisshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- find /etc/rc* | grep gsissh
/etc/rc.d/rc3.d/S55gsisshd
/etc/rc.d/rc2.d/S55gsisshd
/etc/rc.d/rc5.d/S55gsisshd
/etc/rc.d/rc0.d/K25gsisshd
/etc/rc.d/rc6.d/K25gsisshd
/etc/rc.d/rc1.d/K25gsisshd
/etc/rc.d/rc4.d/S55gsisshd
/etc/rc.d/init.d/gsisshd
- grep 2222 $GLOBUS_LOCATION/etc/ssh/ssh_config
Port 2222
- grep 2222 $GLOBUS_LOCATION/etc/ssh/sshd_config
Port 2222
- pgrep -l inetd
6617 xinetd (Any process number is OK)
- grep 2222 /etc/services
gsissh          2222/tcp   # GSISSH
gsissh          2222/udp   # GSISSH
- netstat -lnp | grep 2222
tcp   0   0 0.0.0.0:2222   0.0.0.0:*   LISTEN   14514/sshd
tcp   0   0 :::2222        :::*        LISTEN   14514/sshd
(Any process number is OK)
- telnet dgsi 2222
Trying 129.206.112.253...
Connected to dgsi.zah.uni-heidelberg.de (129.206.112.253).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI
- After two minutes:
Connection closed by foreign host.
- tail -f /var/log/messages
- After "gsissh dgsi.zah.uni-heidelberg.de" on the external shell:
Jan 12 19:41:13 dgsi sshd[13807]: SSH: Server;Ltype: Version;Remote: 129.206.110.177-36016;Protocol: 2.0;Client: OpenSSH_4.5p1-hpn12v14 NCSA_GSSAPI_GPT_3.9 GSI
Jan 12 19:41:13 dgsi sshd[13807]: Invalid user rieger from 129.206.110.177
Jan 12 19:41:13 dgsi sshd[13807]: Failed unknown for invalid user rieger from 129.206.110.177 port 36016 ssh2
Jan 12 19:41:13 dgsi sshd[13807]: Failed none for invalid user rieger from 129.206.110.177 port 36016 ssh2
Jan 12 19:41:13 dgsi sshd[13807]: GSI user /C=DE/O=GermanGrid/OU=ZAH/CN=Klaus Rieger mapped to target user agrid107
Jan 12 19:41:13 dgsi sshd[13807]: GSI user /C=DE/O=GermanGrid/OU=ZAH/CN=Klaus Rieger is authorized as target user agrid107
Jan 12 19:41:13 dgsi sshd[13807]: Accepted gssapi-with-mic for agrid107 from 129.206.110.177 port 36016 ssh2
- After "exit" on the external shell:
Jan 12 19:42:42 dgsi sshd[13809]: SSH: Server;LType: Throughput;Remote: 129.206.110.177-36016;IN: 848;OUT: 832;Duration: 88.8;tPut_in: 9.5;tPut_out: 9.4
- Exit (Ctrl-Z)
[2]+ Stopped tail -f /var/log/messages
Prepare and Start Globus Container
Configure PostgreSQL
- /sbin/chkconfig postgresql on
- /etc/init.d/postgresql start
Initializing database:          [  OK  ]
Starting postgresql service:    [  OK  ]
- sudo su - postgres
- createdb rftDatabase
CREATE DATABASE
- psql -d rftDatabase -f /usr/local/globus/gtk/share/globus_wsrf_rft/rft_schema.sql
psql:/usr/local/globus/gtk/share/globus_wsrf_rft/rft_schema.sql:6: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "requestid_pkey" for table "requestid"
CREATE TABLE
psql:/usr/local/globus/gtk/share/globus_wsrf_rft/rft_schema.sql:11: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "transferid_pkey" for table "transferid"
CREATE TABLE
psql:/usr/local/globus/gtk/share/globus_wsrf_rft/rft_schema.sql:30: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "request_pkey" for table "request"
CREATE TABLE
psql:/usr/local/globus/gtk/share/globus_wsrf_rft/rft_schema.sql:65: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "transfer_pkey" for table "transfer"
CREATE TABLE
psql:/usr/local/globus/gtk/share/globus_wsrf_rft/rft_schema.sql:71: NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "restart_pkey" for table "restart"
CREATE TABLE
CREATE TABLE
CREATE INDEX
- psql -d rftDatabase -c "create role globus with superuser login encrypted password 'foo'" postgres
CREATE ROLE
- exit
logout
- createdb rftDatabase
- vi /var/lib/pgsql/data/postgresql.conf
- Search "listen_addresses" (?listen_addresses)
- Change (i)
...
#listen_addresses = 'localhost'     # what IP address(es) to listen on;
...
to...
listen_addresses = '*'              # what IP address(es) to listen on;
...
- Save (ESC :wq)
- vi /var/lib/pgsql/data/pg_hba.conf
- Go to the end of the file
- Change (i)
...
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all         127.0.0.1/32          ident sameuser
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser
#
#
to...
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# Globus Toolkit 4.0.8:
host    rftDatabase globus      127.0.0.1/32          trust
host    rftDatabase globus      129.206.112.253/32    md5

# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all         127.0.0.1/32          ident sameuser
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser
#
#
- Save (ESC :wq)
- /etc/init.d/postgresql restart
Stopping postgresql service:    [  OK  ]
Starting postgresql service:    [  OK  ]
- exit
exit
There are stopped jobs.
- exit
exit
Check PostgreSQL
- psql -d rftDatabase -c "\d" globus
          List of relations
 Schema |    Name    | Type  |  Owner
--------+------------+-------+----------
 public | factory    | table | postgres
 public | request    | table | postgres
 public | requestid  | table | postgres
 public | restart    | table | postgres
 public | transfer   | table | postgres
 public | transferid | table | postgres
(6 rows)
- /sbin/chkconfig --list postgresql
postgresql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
- netstat -l -n | grep 5432
tcp   0   0 0.0.0.0:5432   0.0.0.0:*   LISTEN
tcp   0   0 :::5432        :::*        LISTEN
unix  2   [ ACC ]   STREAM   LISTENING   415789 /tmp/.s.PGSQL.5432
- psql -h localhost rftDatabase -U globus
Welcome to psql 8.1.23, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

rftDatabase=#
- \q
- telnet localhost 5432
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
- After two minutes:
Connection closed by foreign host.
Set Sudo
- su
- /usr/sbin/visudo -s
- Search "requiretty" (?requiretty)
- Change (i)
...
Defaults    requiretty
...
to...
## Disable for Globus (no real tty required for using sudo):
## Defaults    requiretty
...
- Add at the end of the file:
# Globus settings
Runas_Alias GPOOL=%agrid
Defaults>GPOOL env_keep="GW_LOCATION GLOBUS_LOCATION X509_USER_PROXY GLOBUS_TCP_PORT_RANGE"
globus ALL=(GPOOL) NOPASSWD: \
    /usr/local/globus-4.0.8/libexec/globus-gridmap-and-execute -g \
    /etc/grid-security/grid-mapfile \
    /usr/local/globus-4.0.8/libexec/globus-job-manager-script.pl *
globus ALL=(GPOOL) NOPASSWD: \
    /usr/local/globus-4.0.8/libexec/globus-gridmap-and-execute -g \
    /etc/grid-security/grid-mapfile \
    /usr/local/globus-4.0.8/libexec/globus-gram-local-proxy-tool *
- Save (ESC :wq)
Hint: sudoers rules allow particular users to run specific commands as another user without needing that user's password; here the globus user may run the two listed commands as any account in the agrid group (GPOOL).
Start Globus Container
- export PATH=/sbin:$PATH
- cd ~globus/globus-helper-v1.3/init.d/
- ./install_init-conf.pl -e
Config with Globus location /usr/local/globus-4.0.8 and STARTGSISSH=yes JAVA=/usr/lib/jvm/java-1.6.0-sun and ANT=/usr/share/ant
installing globus => /etc/init.d
installing globus.sysconfig => /etc/sysconfig/globus
cp: `/usr/local/globus-4.0.8/sbin/SXXsshd' and `/etc/init.d/gsisshd' are the same file
installing gsisshd => /etc/init.d
globus          0:off   1:off   2:off   3:on    4:on    5:on    6:off
gsisshd         0:off   1:off   2:on    3:on    4:on    5:on    6:off
Done installation
- /etc/init.d/globus start
In case of
Starting GLOBUS-Container [FAILED]
take a look at $GLOBUS_LOCATION/var/container.log. In case of
Starting GLOBUS-Container [OK]
everything is fine. Congratulations!