Changes between Version 9 and Version 10 of iRODSwithGSI


Ignore:
Timestamp:
12/03/12 18:32:17 (11 years ago)
Author:
Jeanne Ohren
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • iRODSwithGSI

    v9 v10  
    347347     However, a hash link and signing_policy need to be created for each cert.
    348348
    349 2a.  Move the trusted_roots directory to /home/johren/.globus/certificates.
    350 
    351 2b.  Determine the hash for the certificate and create the link
    352 {{{
    353 }}}
    354 
    355 2c.  Create the signing_policy file and create a hash link for this.
    356 {{{
     3492a.  Go to the trusted_)roots directory
     350{{{
     351   cd trusted_roots
     352}}}
     353
     3542b.  For each certificate, determine the hash for the certificate and create the link
     355{{{
     356globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout
     3570894ffd6
     358globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0
     359}}}
     360
     3612c.  Determine the subject of each certificate
     362{{{
     363  openssl x509 -in <certificate-file> -subject -noout
     364}}}
     365
     3662d.  Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following (where access_id_CA is the subject of the CA found in step 2c).
     367{{{
     368access_id_CA   X509    '/CN=geni//gpo//gcf.authority.sa'
     369pos_rights     globus  CA:sign
     370cond_subjects  globus  '/*'
     371}}}
     372
     3732e.  Create a symlink to the signing policy using the hash determined above.
     374{{{
     375   ln -s ch-cert.signing_policy 0894ffd6.0
    357376}}}
    358377
     
    362381  * The CA certificate directory
    363382
     383Your CA certificate directory (e.g. trusted_roots) should looks something like this:
     384{{{
     385pc:~/.globus/certificates% ls -l
     386total 28
     387lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem
     388lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy
     389lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem
     390lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy
     391lrwxrwxrwx 1 johren pgeni-gpolab-bbn   10 Nov 28 09:32 aacaba34.0 -> cacert.pem
     392lrwxrwxrwx 1 johren pgeni-gpolab-bbn   21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy
     393-rw-r--r-- 1 johren pgeni-gpolab-bbn  916 Nov 28 09:31 cacert.pem
     394-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:53 cacert.signing_policy
     395-rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem
     396-rw-r--r-- 1 johren pgeni-gpolab-bbn  834 Nov 28 12:31 ch-cert.pem
     397-rw-r--r-- 1 johren pgeni-gpolab-bbn  116 Nov 28 09:54 ch-cert.signing_policy
     398-rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem
     399-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:55 ma-cert.signing_policy
     400}}}
    364401===== Server =====
    365402