| 142 | | All Globus service (including GridFTP) require a host (or service) certificate to operate. Also every user needs a user certificate do use Globus services. You can use Globus command <code>grid-cert-request to generate</code> host/users certificate request which should be send to your CA to be signed. Make sure that CA configuration files and certificate are in place before generating requests. This command will create 3 files: |
| 143 | | * an empty (file length is 0) /etc/grid-security/hostcert.pem or ~/.globus/usercert.pem, |
| 144 | | * <code>/etc/grid-security/hostkey.pem</code> or <code>~/.globus/userkey.pem file containig</code> host/user private key which must be kept secret - make sure that the unix access mode is set to 0400 or 0600 at most, |
| 145 | | * <code>/etc/grid-security/hostcert_request.pem</code> or <code>~/.globus/usercert_request.pem</code> file containing acctual request to be send to and signed by CA. |
| 146 | | |
| 147 | | {{Note}} Before you can use grid-cert-request command you have to source Globus configuration script appropriate for your shell, i.e. <code>$GLOBUS_LOCATION/etc/globus-user-env.csh</code> or <code>$GLOBUS_LOCATION/etc/globus-user-env.sh</code> |
| 148 | | |
| 149 | | Send newly generated certificate request (i.e. <code>/etc/grid-security/hostcert_request.pem</code> or <code>~/.globus/usercert_request.pem</code> file) to the appropriate CA and wait for the certificate which should be send in return by your CA. Save the new certificate in <code>hostcert.pem</code> or <code>usercert.pem</code>. Now, request file can be deleted. Host certificate and private key should be owned by root user. |
| 150 | | Specify identity mapping information |
| 151 | | Globus services map distinguished names (retrieved from certificates) to local identities (unix account) by means of <code>grid-mapfile</code>. Mappings have the folowing form: |
| 152 | | "Distinguished Name" local_name |
| 153 | | (every line of the file defines one mapping) To let user in, create an account and add mapping to the site's grid-mapfile. Globus looks for the file in the following locations: |
| 154 | | * the value of <code>GRIDMAP</code> environment variable if it is set, |
| 155 | | * otherwise, if service is run as root then grid map file is <code>/etc/grid-security/grid-mapfile</code>, |
| 156 | | * otherwise, the grid map file is <code>$HOME/.gridmap</code> |
| 157 | | * otherwise, in <code>/etc/grid-security/grid-mapfile</code>. |
| 158 | | |
| 159 | | {{Note}} In the QosCosGrid project there is a possibility to generate a new user X.509 certificate in more [http://node2.qoscosgrid.man.poznan.pl:80/gridsphere/gridsphere/guest/security/r/ user-friendly way] |
| | 142 | All Globus service (including GridFTP) require a host (or service) certificate to operate. Also every user needs a user certificate do use Globus services. You can use Globus command `grid-cert-request` to generate `host/users` certificate request which should be send to your CA to be signed. Make sure that CA configuration files and certificate are in place before generating requests. This command will create 3 files: |
| | 143 | * an empty (file length is 0) `/etc/grid-security/hostcert.pem` or `~/.globus/usercert.pem`, |
| | 144 | * `/etc/grid-security/hostkey.pem` or `~/.globus/userkey.pem` file containing `host/use`r private key which must be kept secret - make sure that the unix access mode is set to 0400 or 0600 at most, |
| | 145 | * `/etc/grid-security/hostcert_request.pem` or `~/.globus/usercert_request.pem` file containing acctual request to be send to and signed by CA. |
| | 146 | |
| | 147 | '''Note:''' Before you can use grid-cert-request command you have to source Globus configuration script appropriate for your shell, i.e. `$GLOBUS_LOCATION/etc/globus-user-env.csh` or `$GLOBUS_LOCATION/etc/globus-user-env.sh` |
| | 148 | |
| | 149 | Send newly generated certificate request (i.e. `/etc/grid-security/hostcert_request.pem` or `~/.globus/usercert_request.pem` file) to the appropriate CA and wait for the certificate which should be send in return by your CA. Save the new certificate in `hostcert.pem` or `usercert.pem`. Now, request file can be deleted. Host certificate and private key should be owned by root user. |
| | 150 | Specify identity mapping information. Globus services map distinguished names (retrieved from certificates) to local identities (unix account) by means of `grid-mapfile`. Mappings have the following form: |
| | 151 | `"Distinguished Name" local_name` |
| | 152 | (every line of the file defines one mapping). To let user in, create an account and add mapping to the site's grid-mapfile. Globus looks for the file in the following locations: |
| | 153 | * the value of `GRIDMAP` environment variable if it is set, |
| | 154 | * otherwise, if service is run as root then grid map file is `/etc/grid-security/grid-mapfile`, |
| | 155 | * otherwise, the grid map file is `$HOME/.gridmap` |
| | 156 | * otherwise, in `/etc/grid-security/grid-mapfile`. |
| | 157 | |
| | 158 | '''Note:''' In the QosCosGrid project there is a possibility to generate a new user X.509 certificate in more [[http://node2.qoscosgrid.man.poznan.pl:80/gridsphere/gridsphere/guest/security/r/|user-friendly way]] |
