Context Navigation

Changes between Version 2 and Version 3 of iRODSwithGSI

Timestamp:: 11/30/12 10:11:23 (11 years ago)
Author:: Jeanne Ohren
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

iRODSwithGSI

-                      v2
+                      v3
 }}}
+=== Configuring iRODS ===
+==== Server ====
+.  Configure the client to use the rods user on the iRODS server in file /home/globus/.irods/.irodsEnv
+{{{
+# iRODS server host name:
+irodsHost 'pc475.emulab.net'
+# iRODS server port number:
+irodsPort 1247
+# Default storage resource name:
+irodsDefResource 'demoResc'
+# Home directory in iRODS:
+irodsHome '/tempZone/home/rods'
+# Current directory in iRODS:
+irodsCwd '/tempZone/home/rods'
+# Account name:
+irodsUserName 'rods'
+# Zone:
+irodsZone 'tempZone'
+}}}
+.  Create users (I had alice).  Password is not needed since we will be using GSI.
+{{{
+   iadmin mkuser alice rodsuser
+}}}
+.  We will add user authentication ids later after we set up certificates.
+==== Client ====
+.  Configured the irods client to use GSI authentication and the alice user.
+{{{
+irodsHost 'pc475.emulab.net'
+# iRODS server port number:
+irodsPort 1247
+# Default storage resource name:
+irodsDefResource 'demoResc'
+# Home directory in iRODS:
+irodsHome '/tempZone/home/alice'
+# Current directory in iRODS:
+irodsCwd '/tempZone/home/alice'
+# Account name:
+irodsUserName 'alice'
+# Zone:
+irodsZone 'tempZone'
+irodsAuthScheme GSI
+}}}
 === Setting up the certificates ===
 I configured two different types of certificates:  CILogon and GENI/GCF certificates.
+I configured three different types of certificates:  CILogon, GENI/GCF certificates with grid-proxy-init, and GENI/GCF with openssl generated proxy.
 In both cases, I needed the following:
    * Two different cert/key pairs:  one for the client and one for the server.
+   * Proxy certificate
    * The CA certificates
 ==== CiLogon ====
+==== !CiLogon ====
 I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.
 …
 Output should look something like this:
 {{{
 User Cert File: /users/johren/.globus/cilogon/usercert.pem
 User Key File: /users/johren/.globus/cilogon/userkey.pem
+User Cert File: /users/johren/.globus/usercert.pem
+User Key File: /users/johren/.globus/userkey.pem
 Trusted CA Cert Dir: (null)
 …
 Output File: /tmp/x509up_u20001
 Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
+Enter GRID pass phrase for this identity:
+Creating proxy .++++++++++++
+....................++++++++++++
+ Done
+Your proxy is valid until: Fri Nov 30 19:26:51 2012
 }}}
 …
 }}}
+=== Configuring iRODS ===
+==== Server ====
+==== Client ====
+Output should look something like this:
+{{{
+User Cert File: /users/johren/.globus/usercert.pem
+User Key File: /users/johren/.globus/userkey.pem
+Trusted CA Cert Dir: /users/johren/.globus/certificates/
+Output File: /tmp/x509up_u20001
+Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
+Enter GRID pass phrase for this identity:
+Creating proxy ..............................++++++++++++
+......++++++++++++
+ Done
+Proxy Verify OK
+Your proxy is valid until: Fri Nov 30 19:27:15 2012
+}}}
+.  Unset X509_USER_CERT and X509_USER_KEY so it uses the proxy certificate:
+{{{
+unset X509_USER_CERT
+unset X509_USER_KEY
+}}}
+.  Go back to the '''iRODS server''' and add the user authentication id.
+    Identity is the one specified in the output of grid-proxy-init above.
+{{{
+   iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700'
+}}}
+.  Now you should be able to run ils.
+{{{
+johren@pc:/tmp$ ils
+/tempZone/home/alice:
+}}}
+==== GCF w/ grid-proxy-init ====
+I downloaded the GCF code () to generate GENI certificates from my own clearing house.
+.  Ran src/gen-certs.py to generate certificates for both host and client.
+{{{
+   ./src/gen-certs.py
+   ./src/gen-certs.py --notAll --exp -u host
+   ./src/gen-certs.py --notAll --exp -u alice
+}}}
+.  Configure the root CA certificates.  These can be found in the trusted_roots directory generated above.
+     However, a hash link and signing_policy need to be created for each cert.
+a.  Move the trusted_roots directory to /home/johren/.globus/certificates.
+b.  Determine the hash for the certificate and create the link
+{{{
+}}}
+c.  Create the signing_policy file and create a hash link for this.
+{{{
+}}}
+You should end up with the following:
+  * A cert/key pair for the iRODS client
+  * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
+  * The CA certificate directory
+===== Server =====
+.  Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus
+{{{
+    mv /tmp/hostkey.pem /home/globus/.globus
+    mv /tmp/hostcert.pem /home/globus/.globus
+}}}
+.  Change the permissions of the hostkey.pem to 0600
+{{{
+    chmod 600 /home/globus/.globus/hostkey.pem
+}}}
+.  Copy the CA certificates created above to /home/globus/.globus/certificates
+===== Client =====
+.  Place the alicekey.pem and alicecert.pem files in /home/johren/.globus
+{{{
+    mv /tmp/alicekey.pem /home/johren/.globus
+    mv /tmp/alicecert.pem /home/johren/.globus
+}}}
+.  Change the permissions of the alicekey.pem to 0600
+{{{
+    chmod 600 /home/johren/.globus/alicekey.pem
+}}}
+.  Copy the CA certificates created above to /home/johren/.globus/certificates
+. Set the environment
+{{{
+    export X509_CERT_DIR=/home/johren/.globus/certificates
+    export X509_USER_CERT=/home/johren/.globus/alicecert.pem
+    export X509_USER_KEY=/home/johren/.globus/alicekey.pem
+}}}
+.  Create the proxy certificate
+{{{
+    cd /home/johren/.globus
+    /usr/local/johren/bin/grid-proxy-init -debug
+}}}
+Output should look something like this:
+{{{
+User Cert File: /users/johren/.globus/alice-cert.pem
+User Key File: /users/johren/.globus/alice-key.pem
+Trusted CA Cert Dir: (null)
+Output File: /tmp/x509up_u20001
+Your identity: /CN=geni//gpo//gcf.user.alice
+Creating proxy .......................................++++++++++++
+.........++++++++++++
+ Done
+Your proxy is valid until: Fri Nov 30 19:57:41 2012
+}}}
+.  Verify the proxy certificate
+{{{
+    /usr/local/johren/bin/grid-proxy-init -debug -verify
+}}}
+Output should look something like this:
+{{{
+User Cert File: /users/johren/.globus/alice-cert.pem
+User Key File: /users/johren/.globus/alice-key.pem
+Trusted CA Cert Dir: /users/johren/.globus/certificates/
+Output File: /tmp/x509up_u20001
+Your identity: /CN=geni//gpo//gcf.user.alice
+Creating proxy .++++++++++++
+.....++++++++++++
+ Done
+Proxy Verify OK
+Your proxy is valid until: Fri Nov 30 19:57:56 2012
+}}}
+.  Unset X509_USER_CERT and X509_USER_KEY so it uses the proxy certificate:
+{{{
+unset X509_USER_CERT
+unset X509_USER_KEY
+}}}
+.  Go back to the '''iRODS server''' and add the user authentication id.
+    Identity is the one specified in the output of grid-proxy-init above.
+{{{
+   iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
+}}}
+.  Now you should be able to run ils.
+{{{
+johren@pc:/tmp$ ils
+/tempZone/home/alice:
+}}}
+==== GCF w/ openssl proxy cert ====
+===== Server =====
+Same as GCF w/ grid-proxy-init.
+===== Client =====
+Steps 1-3 are the same as GCF w/ grid-proxy-init.
+.  Get the identity from the GCF cert.
+.  Create the CSR.
+{{{
+}}}
+.  Create the proxy certificate.
+.  Concatenate the new proxy cert, new private key, and original certificate to a file named x509up_uXXXXX where XXXXX is the same as the proxy cert generated by grid-proxy-init.
+.  Copy the concatenated certificate to /tmp.
+.  Run grid-proxy-info to get the identity of the proxy certificate.
+.  Go back to the '''iRODS server''' and add the user authentication id.
+{{{
+   iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
+}}}
+.  Now you should be able to run ils.
+{{{
+johren@pc:/tmp$ ils
+/tempZone/home/alice:
+}}}
 === References ===
+https://code.renci.org/gf/project/jargon/tracker/?action=TrackerItemEdit&tracker_item_id=132
+http://www.nordugrid.org/documents/certificate_howto.html
+https://cilogon.org/
+https://www.irods.org/index.php/Grid_Security_Infrastructure