Changes between Version 4 and Version 5 of installation_GridFTP

Timestamp: 05/16/11 14:58:46 (11 years ago)
Author: bartek
  • installation_GridFTP

    v4 v5  
    130130}}} 
    131131}}} 
    132   it accepts "C=PL/O=GRID/OU=PSNC/CN=Bogdan Ludwiczak", but it rejects "O=GRID/OU=PSNC/CN=Bogdan Ludwiczak". '"*"' pattern accepts all certificates. 
     132  it accepts "C=PL/O=GRID/OU=PSNC/CN=Bogdan Ludwiczak", but it rejects "O=GRID/OU=PSNC/CN=Bogdan Ludwiczak". "*" pattern accepts all certificates. 
    133133 
    134134* Configure appropriate default values for use by the grid-cert-request command which is used to generate certificates requests. The following files have to be properly configured to enable Globus tools to generate valid certificate requests: 
     
    137137 * `/etc/grid-security/grid-security.conf` - is a main configuration file that contains the name and email address for the given CA. 
    138138 
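Review bot: the line-132 change only swaps the quoting around the wildcard ('"*"' to "*") and still leaves the reader without guidance on it: a "*" pattern that accepts all certificates switches off subject-DN filtering for that service entirely, so the sentence should state that it is suitable for testing only and that a production configuration should list the accepted DN prefixes explicitly, as the preceding "C=PL/O=GRID/OU=PSNC/..." example does.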
    139  These files are usually provided by the CA, particularly [[QosCosGrid CA]] or [http://www.man.poznan.pl/plgrid-ca/ PL-Grid] does provides these files. Typically, CA configuration files are placed in <code>/etc/grid-security/certificates/</code> directory with additional extension .CA_hash_name and only appropriate symbolic links are created in /etc/grid-security/. Globus Toolkit provides grid-default-ca command which can be used to automatically create appropriate links. 
     139 These files are usually provided by the CA, particularly [[!QosCosGrid|CA]] or [[http://www.man.poznan.pl/plgrid-ca/|PL-Grid]] does provides these files. Typically, CA configuration files are placed in `/etc/grid-security/certificates/` directory with additional extension `.CA_hash_name` and only appropriate symbolic links are created in `/etc/grid-security/`. Globus Toolkit provides `grid-default-ca` command which can be used to automatically create appropriate links. 
    140140 
    141141== Requesting host and user X.509 certificates == 
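Review bot: line 139 still reads "does provides these files" in both versions; it should be "provides these files". The link rewrite to `[[!QosCosGrid|CA]]` also changes the visible label from "QosCosGrid CA" to just "CA" and puts a `!` in front of the target, so check that the link still resolves to the QosCosGrid CA page rather than to a literal `!QosCosGrid` page, and consider keeping the full "QosCosGrid CA" label.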
    142 All Globus service (including GridFTP) require a host (or service) certificate to operate. Also every user needs a user certificate do use Globus services. You can use Globus command <code>grid-cert-request to generate</code> host/users certificate request which should be send to your CA to be signed. Make sure that CA configuration files and certificate are in place before generating requests. This command will create 3 files: 
    143 * an empty (file length is 0) /etc/grid-security/hostcert.pem or ~/.globus/usercert.pem, 
    144 * <code>/etc/grid-security/hostkey.pem</code> or <code>~/.globus/userkey.pem file containig</code> host/user private key which must be kept secret - make sure that the unix access mode is set to 0400 or 0600 at most, 
    145 * <code>/etc/grid-security/hostcert_request.pem</code> or <code>~/.globus/usercert_request.pem</code> file containing acctual request to be send to and signed by CA. 
    146  
    147 {{Note}} Before you can use grid-cert-request command you have to source Globus configuration script appropriate for your shell, i.e. <code>$GLOBUS_LOCATION/etc/globus-user-env.csh</code> or <code>$GLOBUS_LOCATION/etc/globus-user-env.sh</code> 
    148  
    149 Send newly generated certificate request (i.e. <code>/etc/grid-security/hostcert_request.pem</code> or <code>~/.globus/usercert_request.pem</code> file) to the appropriate CA and wait for the certificate which should be send in return by your CA. Save the new certificate in <code>hostcert.pem</code> or <code>usercert.pem</code>. Now, request file can be deleted. Host certificate and private key should be owned by root user. 
    150 Specify identity mapping information 
    151 Globus services map distinguished names (retrieved from certificates) to local identities (unix account) by means of <code>grid-mapfile</code>. Mappings have the folowing form: 
    152 "Distinguished Name" local_name 
    153 (every line of the file defines one mapping) To let user in, create an account and add mapping to the site's grid-mapfile. Globus looks for the file in the following locations: 
    154 * the value of <code>GRIDMAP</code> environment variable if it is set, 
    155 * otherwise, if service is run as root then grid map file is <code>/etc/grid-security/grid-mapfile</code>, 
    156 * otherwise, the grid map file is <code>$HOME/.gridmap</code> 
    157 * otherwise, in <code>/etc/grid-security/grid-mapfile</code>. 
    158  
    159 {{Note}} In the QosCosGrid project there is a possibility to generate a new user X.509 certificate in more [http://node2.qoscosgrid.man.poznan.pl:80/gridsphere/gridsphere/guest/security/r/ user-friendly way] 
     142All Globus service (including GridFTP) require a host (or service) certificate to operate. Also every user needs a user certificate do use Globus services. You can use Globus command `grid-cert-request` to generate `host/users` certificate request which should be send to your CA to be signed. Make sure that CA configuration files and certificate are in place before generating requests. This command will create 3 files: 
     143* an empty (file length is 0) `/etc/grid-security/hostcert.pem` or `~/.globus/usercert.pem`, 
     144* `/etc/grid-security/hostkey.pem` or `~/.globus/userkey.pem` file containing `host/use`r private key which must be kept secret - make sure that the unix access mode is set to 0400 or 0600 at most, 
     145* `/etc/grid-security/hostcert_request.pem` or `~/.globus/usercert_request.pem` file containing acctual request to be send to and signed by CA. 
     146 
     147'''Note:''' Before you can use grid-cert-request command you have to source Globus configuration script appropriate for your shell, i.e. `$GLOBUS_LOCATION/etc/globus-user-env.csh` or `$GLOBUS_LOCATION/etc/globus-user-env.sh` 
     148 
     149Send newly generated certificate request (i.e. `/etc/grid-security/hostcert_request.pem` or `~/.globus/usercert_request.pem` file) to the appropriate CA and wait for the certificate which should be send in return by your CA. Save the new certificate in `hostcert.pem` or `usercert.pem`. Now, request file can be deleted. Host certificate and private key should be owned by root user. 
     150Specify identity mapping information. Globus services map distinguished names (retrieved from certificates) to local identities (unix account) by means of `grid-mapfile`. Mappings have the following form: 
     151`"Distinguished Name" local_name` 
     152(every line of the file defines one mapping). To let user in, create an account and add mapping to the site's grid-mapfile. Globus looks for the file in the following locations: 
     153* the value of `GRIDMAP` environment variable if it is set, 
     154* otherwise, if service is run as root then grid map file is `/etc/grid-security/grid-mapfile`, 
     155* otherwise, the grid map file is `$HOME/.gridmap` 
     156* otherwise, in `/etc/grid-security/grid-mapfile`. 
     157 
     158'''Note:''' In the QosCosGrid project there is a possibility to generate a new user X.509 certificate in more [[http://node2.qoscosgrid.man.poznan.pl:80/gridsphere/gridsphere/guest/security/r/|user-friendly way]] 
    160159 
    161160== Firewall configuration ==
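Review bot: new line 144 has a misplaced backtick (`host/use`r) that splits the word; it should read "host/user private key". The rewrite also carries several typos over from v4: "do use" should be "to use" (line 142), "should be send" should be "should be sent" (lines 142, 145 and 149) and "acctual" should be "actual" (line 145); line 142 wraps `host/users` in code formatting although it is plain prose. Line 150 folds the former heading "Specify identity mapping information" into the paragraph; since line 141 already uses `== ... ==` headings, it should become its own `== Specify identity mapping information ==` heading. In the grid-mapfile lookup list (lines 153 to 156) the last bullet repeats the `/etc/grid-security/grid-mapfile` path of the second, so say explicitly whether it is the non-root fallback used when `$HOME/.gridmap` does not exist, otherwise the list reads as a duplicate.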