| 107 | === Configuring iRODS === |
| 108 | |
| 109 | ==== Server ==== |
| 110 | |
| 111 | 1. On the iRODS server, configure the client to use the rods user in the file /home/globus/.irods/.irodsEnv: |
| 112 | {{{ |
| 113 | # iRODS server host name: |
| 114 | irodsHost 'pc475.emulab.net' |
| 115 | # iRODS server port number: |
| 116 | irodsPort 1247 |
| 117 | |
| 118 | # Default storage resource name: |
| 119 | irodsDefResource 'demoResc' |
| 120 | # Home directory in iRODS: |
| 121 | irodsHome '/tempZone/home/rods' |
| 122 | # Current directory in iRODS: |
| 123 | irodsCwd '/tempZone/home/rods' |
| 124 | # Account name: |
| 125 | irodsUserName 'rods' |
| 126 | # Zone: |
| 127 | irodsZone 'tempZone' |
| 128 | }}} |
| 129 | |
| 130 | 2. Create users (I had alice). Password is not needed since we will be using GSI. |
| 131 | {{{ |
| 132 | iadmin mkuser alice rodsuser |
| 133 | }}} |
| 134 | |
| 135 | 3. We will add user authentication ids later after we set up certificates. |
| 136 | |
| 137 | ==== Client ==== |
| 138 | |
| 139 | 1. Configure the iRODS client to use GSI authentication and the alice user. |
| 140 | {{{ |
| 141 | irodsHost 'pc475.emulab.net' |
| 142 | # iRODS server port number: |
| 143 | irodsPort 1247 |
| 144 | |
| 145 | # Default storage resource name: |
| 146 | irodsDefResource 'demoResc' |
| 147 | # Home directory in iRODS: |
| 148 | irodsHome '/tempZone/home/alice' |
| 149 | # Current directory in iRODS: |
| 150 | irodsCwd '/tempZone/home/alice' |
| 151 | # Account name: |
| 152 | irodsUserName 'alice' |
| 153 | # Zone: |
| 154 | irodsZone 'tempZone' |
| 155 | |
| 156 | irodsAuthScheme GSI |
| 157 | }}} |
| 158 | |
| 159 | |
| 283 | Output should look something like this: |
| 284 | {{{ |
| 285 | User Cert File: /users/johren/.globus/usercert.pem |
| 286 | User Key File: /users/johren/.globus/userkey.pem |
| 287 | |
| 288 | Trusted CA Cert Dir: /users/johren/.globus/certificates/ |
| 289 | |
| 290 | Output File: /tmp/x509up_u20001 |
| 291 | Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700 |
| 292 | Enter GRID pass phrase for this identity: |
| 293 | Creating proxy ..............................++++++++++++ |
| 294 | ......++++++++++++ |
| 295 | Done |
| 296 | Proxy Verify OK |
| 297 | Your proxy is valid until: Fri Nov 30 19:27:15 2012 |
| 298 | }}} |
| 299 | |
| 300 | 6. Unset X509_USER_CERT and X509_USER_KEY so it uses the proxy certificate: |
| 301 | {{{ |
| 302 | unset X509_USER_CERT |
| 303 | unset X509_USER_KEY |
| 304 | }}} |
| 305 | |
| 306 | 7. Go back to the '''iRODS server''' and add the user authentication id. |
| 307 | Identity is the one specified in the output of grid-proxy-init above. |
| 308 | {{{ |
| 309 | iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700' |
| 310 | }}} |
| 311 | |
| 312 | 8. Now you should be able to run ils. |
| 313 | {{{ |
| 314 | johren@pc:/tmp$ ils |
| 315 | /tempZone/home/alice: |
| 316 | }}} |
| 317 | |
| 318 | ==== GCF w/ grid-proxy-init ==== |
| 319 | |
| 320 | I downloaded the GCF code to generate GENI certificates from my own clearing house. |
| 321 | |
| 322 | |
| 323 | 1. Run src/gen-certs.py to generate certificates for both host and client. |
| 324 | {{{ |
| 325 | ./src/gen-certs.py |
| 326 | ./src/gen-certs.py --notAll --exp -u host |
| 327 | ./src/gen-certs.py --notAll --exp -u alice |
| 328 | }}} |
| 329 | |
| 330 | 2. Configure the root CA certificates. These can be found in the trusted_roots directory generated above. |
| 331 | However, a hash link and signing_policy need to be created for each cert. |
| 332 | |
| 333 | 2a. Move the trusted_roots directory to /home/johren/.globus/certificates. |
| 334 | |
| 335 | 2b. Determine the hash for the certificate and create the link |
| 336 | {{{ |
| 337 | }}} |
| 338 | |
| 339 | 2c. Create the signing_policy file and create a hash link for this. |
| 340 | {{{ |
| 341 | }}} |
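
One way to carry out steps 2b and 2c for a single CA certificate, as an added example that is not part of the original page or of GCF. The function name `link_ca` and the PATTERN argument are assumptions; the certificate is assumed to sit in the trusted CA directory already (step 2a), and the signing policy is written directly under its hash name rather than linked.

```shell
#!/bin/sh
# Added example, not from the original page: steps 2b and 2c for one CA cert.
# Assumes the cert already sits in the trusted CA directory (step 2a).
#
# link_ca CERT PATTERN
#   CERT     PEM CA certificate inside the trusted CA directory
#   PATTERN  subject namespace this CA may sign, e.g. '/CN=example/*'
#            (hypothetical value; pick the narrowest one that fits your CA)
# Prints the subject hash on success.
link_ca() {
    cert=$1
    pattern=$2
    [ -r "$cert" ] && [ -n "$pattern" ] || {
        echo "usage: link_ca CERT PATTERN" >&2
        return 1
    }
    dir=$(dirname "$cert")
    base=$(basename "$cert")

    # 2b: GSI looks a CA up as <subject-hash>.0 in X509_CERT_DIR.
    hash=$(openssl x509 -in "$cert" -noout -hash) || return 1
    ln -sf "$base" "$dir/$hash.0" || return 1

    # Subject in the slash-separated form used by signing_policy files.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt compat |
        sed 's/^subject= *//')
    [ -n "$subject" ] || return 1

    # 2c: <subject-hash>.signing_policy limits which subjects the CA may
    # sign. A bare "*" would let it vouch for any identity.
    cat > "$dir/$hash.signing_policy" <<EOF
access_id_CA   X509    '$subject'
pos_rights     globus  CA:sign
cond_subjects  globus  '"$pattern"'
EOF
    echo "$hash"
}
```

OpenSSL 1.0.0 changed the subject hash algorithm; if the Globus libraries are linked against an older OpenSSL, compute the link name with `-subject_hash_old` instead of `-hash`.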
| 342 | |
| 343 | You should end up with the following: |
| 344 | * A cert/key pair for the iRODS client |
| 345 | * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem) |
| 346 | * The CA certificate directory |
| 347 | |
| 348 | ===== Server ===== |
| 349 | |
| 350 | 1. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus |
| 351 | {{{ |
| 352 | mv /tmp/hostkey.pem /home/globus/.globus |
| 353 | mv /tmp/hostcert.pem /home/globus/.globus |
| 354 | }}} |
| 355 | |
| 356 | 2. Change the permissions of the hostkey.pem to 0600 |
| 357 | {{{ |
| 358 | chmod 600 /home/globus/.globus/hostkey.pem |
| 359 | }}} |
| 360 | |
| 361 | 3. Copy the CA certificates created above to /home/globus/.globus/certificates |
| 362 | |
| 363 | |
| 364 | ===== Client ===== |
| 365 | |
| 366 | |
| 367 | 1. Place the alicekey.pem and alicecert.pem files in /home/johren/.globus |
| 368 | {{{ |
| 369 | mv /tmp/alicekey.pem /home/johren/.globus |
| 370 | mv /tmp/alicecert.pem /home/johren/.globus |
| 371 | }}} |
| 372 | |
| 373 | 2. Change the permissions of the alicekey.pem to 0600 |
| 374 | {{{ |
| 375 | chmod 600 /home/johren/.globus/alicekey.pem |
| 376 | }}} |
| 377 | |
| 378 | 3. Copy the CA certificates created above to /home/johren/.globus/certificates |
| 379 | |
| 380 | 4. Set the environment |
| 381 | {{{ |
| 382 | export X509_CERT_DIR=/home/johren/.globus/certificates |
| 383 | export X509_USER_CERT=/home/johren/.globus/alicecert.pem |
| 384 | export X509_USER_KEY=/home/johren/.globus/alicekey.pem |
| 385 | }}} |
| 386 | |
| 387 | 4. Create the proxy certificate |
| 388 | {{{ |
| 389 | cd /home/johren/.globus |
| 390 | /usr/local/johren/bin/grid-proxy-init -debug |
| 391 | }}} |
| 392 | |
| 393 | Output should look something like this: |
| 394 | {{{ |
| 395 | |
| 396 | User Cert File: /users/johren/.globus/alice-cert.pem |
| 397 | User Key File: /users/johren/.globus/alice-key.pem |
| 398 | |
| 399 | Trusted CA Cert Dir: (null) |
| 400 | |
| 401 | Output File: /tmp/x509up_u20001 |
| 402 | Your identity: /CN=geni//gpo//gcf.user.alice |
| 403 | Creating proxy .......................................++++++++++++ |
| 404 | .........++++++++++++ |
| 405 | Done |
| 406 | Your proxy is valid until: Fri Nov 30 19:57:41 2012 |
| 407 | }}} |
| 408 | |
| 409 | 5. Verify the proxy certificate |
| 410 | {{{ |
| 411 | /usr/local/johren/bin/grid-proxy-init -debug -verify |
| 412 | }}} |
| 413 | |
| 414 | Output should look something like this: |
| 415 | {{{ |
| 416 | User Cert File: /users/johren/.globus/alice-cert.pem |
| 417 | User Key File: /users/johren/.globus/alice-key.pem |
| 418 | |
| 419 | Trusted CA Cert Dir: /users/johren/.globus/certificates/ |
| 420 | |
| 421 | Output File: /tmp/x509up_u20001 |
| 422 | Your identity: /CN=geni//gpo//gcf.user.alice |
| 423 | Creating proxy .++++++++++++ |
| 424 | .....++++++++++++ |
| 425 | Done |
| 426 | Proxy Verify OK |
| 427 | Your proxy is valid until: Fri Nov 30 19:57:56 2012 |
| 428 | }}} |
| 429 | |
| 430 | 6. Unset X509_USER_CERT and X509_USER_KEY so it uses the proxy certificate: |
| 431 | {{{ |
| 432 | unset X509_USER_CERT |
| 433 | unset X509_USER_KEY |
| 434 | }}} |
| 435 | |
| 436 | 7. Go back to the '''iRODS server''' and add the user authentication id. |
| 437 | Identity is the one specified in the output of grid-proxy-init above. |
| 438 | {{{ |
| 439 | iadmin aua alice '/CN=geni//gpo//gcf.user.alice' |
| 440 | }}} |
| 441 | |
| 442 | 8. Now you should be able to run ils. |
| 443 | {{{ |
| 444 | johren@pc:/tmp$ ils |
| 445 | /tempZone/home/alice: |
| 446 | }}} |
| 447 | |
| 448 | ==== GCF w/ openssl proxy cert ==== |
| 449 | |
| 450 | ===== Server ===== |
| 451 | |
| 452 | Same as GCF w/ grid-proxy-init. |
| 453 | |
| 454 | ===== Client ===== |
| 455 | |
| 456 | Steps 1-3 are the same as GCF w/ grid-proxy-init. |
| 457 | |
| 458 | 4. Get the identity from the GCF cert. |
| 459 | |
| 460 | 5. Create the CSR. |
| 461 | {{{ |
| 462 | }}} |
| 463 | |
| 464 | 6. Create the proxy certificate. |
| 465 | |
| 466 | 7. Concatenate the new proxy cert, new private key, and original certificate to a file named x509up_uXXXXX where XXXXX is the same as the proxy cert generated by grid-proxy-init. |
| 467 | |
| 468 | 8. Copy the concatenated certificate to /tmp. |
| 469 | |
| 470 | 9. Run grid-proxy-info to get the identity of the proxy certificate. |
| 471 | |
| 472 | 10. Go back to the '''iRODS server''' and add the user authentication id. |
| 473 | {{{ |
| 474 | iadmin aua alice '/CN=geni//gpo//gcf.user.alice' |
| 475 | }}} |
| 476 | |
| 477 | 11. Now you should be able to run ils. |
| 478 | {{{ |
| 479 | johren@pc:/tmp$ ils |
| 480 | /tempZone/home/alice: |
| 481 | }}} |