Context Navigation

Changes between Version 2 and Version 3 of installation_GridFTP

Timestamp:: 05/16/11 14:37:24 (13 years ago)
Author:: bartek
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

installation_GridFTP

v2	v3
58	58	}}}
59	59	}}}
60		* GT4 unlike other software packages is made directly to target location (~~<code>$GLOBUS_LOCATION</code>~~)
61		* If you omit ~~<code>gridftp</code> for <code>make</code>~~ the entire Globus Toolkit will be build what can take several hours to complete.
62		* during ~~<code>make install</code>~~ phase Globus configuration will be initialized
63		* You can also choose to build GridFTP server or client tools be specifying ~~<code>globus_gridftp_server</code> or <code>globus-data-management-client</code>~~ respectively.
	60	* GT4 unlike other software packages is made directly to target location (`$GLOBUS_LOCATION`)
	61	* If you omit `gridftp` for `make` the entire Globus Toolkit will be build what can take several hours to complete.
	62	* during `make install` phase Globus configuration will be initialized
	63	* You can also choose to build GridFTP server or client tools be specifying `globus_gridftp_server` or `globus-data-management-client` respectively.
64	64
65	65	The belowe steps completes Globus Toolkit/GridFTP installation. The following figure summarizes shell commands used during typical installation process:
	66	{{{
	67	#!div style="font-size: 90%"
	68	{{{#!sh
66	69	bogdanl@cress ~ $ su -
67	70	cress ~ # useradd -m globus
…	…
79	82	Your build completed successfully. Please run make install.
80	83	globus@cress ~/gt4.2.1-all-source-installer $ make install
81
82		=Globus Toolkit/GridFTP - basic configuration=
83
84		==Security==
	84	}}}
	85	}}}
	86
	87	= Globus Toolkit/GridFTP - basic configuration =
	88
	89	== Security ==
85	90	After Globus Toolkit installation, but before starting Globus services several aspects of GSI security need to be configured:
86		*configure Globus (and thus GridFTP daemon) to trust a particular set of CAs (Certificate Authorities), i.e. place certificates of trusted CAs into designated directory - CA is trusted only if its CA certificate exists with the appropriate name in an appropriate directory. Moreover, for pre-ws services (including GridFTP), signing policy file must exist in the same location as CA certificate. In other words, one needs two files to trust given CA:
87		:* <code>cert_hash.0</code> - the trusted CA certificate and
88		:* <code>cert_hash.signing_policy</code> - the signing policy.
89		:Globus services and tools looks for that directory in following locations:
90		:* the value of <code>$X509_CERT_DIR</code> environment variable if it is set and the directory exists,
91		:* otherwise, in <code>$HOME/.globus/certificates</code> if it exists,
92		:* otherwise, in <code>/etc/grid-security/certificates</code> if it exists,
93		:* otherwise, in <code>$GLOBUS_LOCATION/share/certificates</code> if it exists.
94
95		{{Note}} We suggest to use <code>/etc/grid-security/certificates</code> as system wide trusted CAs directory, but remember that <code>$X509_CERT_DIR</code> and <code>$HOME/.globus/certificates</code> have higher priority.
96
97		The "cert_hash.0", i.e. certificate of the CA, is provided by CA, usually with appropriate hash name. Hash name consists of 8 hex-digits and suffix ".0" (<code>e. g. 8a661490.0 </code>). Valid hash can be obtained with following command (available in <code>$GLOBUS_LOCATION/bin/)</code>:
98
	91	* configure Globus (and thus GridFTP daemon) to trust a particular set of CAs (Certificate Authorities), i.e. place certificates of trusted CAs into designated directory - CA is trusted only if its CA certificate exists with the appropriate name in an appropriate directory. Moreover, for pre-ws services (including GridFTP), signing policy file must exist in the same location as CA certificate. In other words, one needs two files to trust given CA:
	92	* `cert_hash.0` - the trusted CA certificate and
	93	* `cert_hash.signing_policy` - the signing policy.
	94	Globus services and tools looks for that directory in following locations:
	95	* the value of `$X509_CERT_DIR` environment variable if it is set and the directory exists,
	96	* otherwise, in `$HOME/.globus/certificates` if it exists,
	97	* otherwise, in `/etc/grid-security/certificates` if it exists,
	98	* otherwise, in `$GLOBUS_LOCATION/share/certificates` if it exists.
	99
	100	'''Note:''' We suggest to use `/etc/grid-security/certificates` as system wide trusted CAs directory, remember that `$X509_CERT_DIR` and `$HOME/.globus/certificates` have higher priority.
	101
	102	The `cert_hash.0`, i.e. certificate of the CA, is provided by CA, usually with appropriate hash name. Hash name consists of 8 hex-digits and suffix ".0" (e.g. `8a661490.0`). Valid hash can be obtained with following command (available in `$GLOBUS_LOCATION/bin/`):
	103	{{{
	104	#!div style="font-size: 90%"
	105	{{{#!sh
99	106	openssl x509 -hash -noout -in ca_certificate
100
	107	}}}
	108	}}}
101	109	* cert_hash.signing_policy usually is also provided by CA, but it can be constructed manually. The signing policy file has the following format:
	110	{{{
	111	#!div style="font-size: 90%"
	112	{{{#!default
102	113	access_id_CA X509 'CA Distinguished Name'
103	114	pos_rights globus CA:sign
104	115	cond_subjects globus '"Name Pattern1" "Name Pattern2" ...'
105
106		: to get 'CA Distinguished Name' execute:
107
	116	}}}
	117	}}}
	118	to get 'CA Distinguished Name' execute:
	119	{{{
	120	#!div style="font-size: 90%"
	121	{{{#!sh
108	122	openssl x509 -subject -noout -in cert_hash.0
109
	123	}}}
	124	}}}
110	125	* "name pattern" is a string used to match the distinguished names of certificates granted by the given CA. Usually, it is a CA name with common name replaced by wild card '*', e.g.:
111	126