Version 12 (modified by Jeanne Ohren, 11 years ago)

Configuring Credentials

The credconfig.sh script can be used to set up all of the credential configuration needed to run your GIMI I&M tools.

GIMI configuration

You will need four sets of credentials (three optional) when using the GIMI tools:

  1. A GENI certificate. You can obtain a GENI certificate by submitting a request at http://www.emulab.net or http://pgeni.gpolab.bbn.com. Once your request is approved, you can download an SSL certificate (with .pem extension) from this slice authority.
  1. (Optional) An iRODS account. This is only needed if you want to access an iRODS server from the user workspace. You must have the following information in an iRODS configuration file:
    irodsHost
    irodsPort
    irodsDefResource
    irodsHome
    irodsCwd
    irodsUserName
    irodsZone
  1. (Optional) A Java Keystore file created from your GENI certificate. This is only needed if you want to use Flukes. See https://geni-orca.renci.org/trac/wiki/flukes/#Userauthorization for instructions on how to generate the keystore file.

Make sure you remember the alias and password that you used when creating the keystore file. You will need these when you run Flukes.

  1. (Optional) A certificate and key pair for accessing iRODS. These are only needed if you want to use iRODS. These can be created from your GENI certificate by splitting the contents into two separate files.
    csplit -f irods mygenicert.pem "/BEGIN RSA/" "/BEGIN CERTIFICATE/"
    mv irods01 oldkey.pem
    mv irods02 mycert.pem
    

You will also need to remove the passphrase from the private key and make sure the file is only accessible by the user (mode 600). The key in newkey.pem is then stored unencrypted, so the file mode is its only protection.

    openssl rsa -in oldkey.pem -out newkey.pem
    chmod 600 newkey.pem
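
The split and the two key requirements above (no passphrase, mode 600) can be checked before running credconfig.sh. The following is an added example, not part of the original page or of credconfig.sh. It goes beyond the csplit command, which expects the key block to come before the certificate, by handling either order; the function names are hypothetical and the sample PEM is constructed with placeholder bodies.

```sh
# Added example, not part of credconfig.sh; all function names are hypothetical.
# split_geni_pem PEM OUTDIR: write OUTDIR/oldkey.pem and OUTDIR/mycert.pem,
# whichever order the blocks appear in PEM.
split_geni_pem() {
    pem=$1; out=$2
    (
        umask 077   # new files are created 0600 from the start
        awk '/-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----/ {p=1}
             p {print}
             /-----END (RSA |ENCRYPTED )?PRIVATE KEY-----/ {p=0}' "$pem" > "$out/oldkey.pem"
        awk '/-----BEGIN CERTIFICATE-----/ {p=1}
             p {print}
             /-----END CERTIFICATE-----/ {p=0}' "$pem" > "$out/mycert.pem"
    )
    [ -s "$out/oldkey.pem" ] && [ -s "$out/mycert.pem" ]   # both blocks found?
}

# True if the key is still passphrase-protected (legacy PEM header or PKCS#8).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the file mode is exactly 600 (find prints the path only on a match).
key_mode_ok() { [ -n "$(find "$1" -prune -perm 600)" ]; }

# preflight KEYFILE: succeeds only if the key has no passphrase and mode 600.
preflight() {
    if key_is_encrypted "$1"; then echo "$1: still passphrase-protected"; return 1; fi
    if ! key_mode_ok "$1"; then echo "$1: mode is not 600"; return 1; fi
    echo "$1: ok"
}

# Constructed sample: certificate first, placeholder bodies, no real key material.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
EOF
}

d=$(mktemp -d) && make_sample "$d/in.pem" && split_geni_pem "$d/in.pem" "$d"
preflight "$d/oldkey.pem" || true   # the sample key is still encrypted at this point
rm -rf "$d"
```

Run preflight on newkey.pem after the openssl and chmod steps; it should report ok before the file is passed to credconfig.sh with -k.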

Download/edit these files directly from your user workspace or transfer these files to a location in your home directory. You can do this with ftp, scp, or shared folders.

With these 1-5 files, you can configure your credentials with the credconfig.sh tool.

   $ credconfig.sh -g <path-to-geni-certificate> -i <path-to-irods-config> -f <path-to-jks-file> -c <path-to-cert-file> -k <path-to-key-file>

The -g parameter is required and the -i, -f, -c, and -k parameters are optional.

Example:

   $ credconfig.sh -g /home/geni/mygenicert.pem -f /home/geni/pgeni.jks -i /home/geni/irods.config -c /home/geni/mycert.pem -k /home/geni/newkey.pem 

The results of running this script:

  • A pair of SSH keys (geni_key and geni_key.pub) will be generated for you using the private key from your GENI certificate. These keys will be placed in /home/geni/.ssh.
  • Your certificate will be placed in /home/geni/.ssl.
  • An omni_config file will be generated for you and placed in /home/geni/.gcf.
  • The SSH key is added to ssh-agent for password-less login to the nodes in your slices.
  • If the -f option is used...
    • Your keystore file (JKS) will be placed in /home/geni/.ssl.
    • /home/geni/.flukes.properties will be configured to point to your keystore and ssh keys.
  • If the -i option is used...
    • /home/.irods/.irodsEnv will be configured according to your supplied irods config file.
  • If the -c and -k options are used...
    • Your certificate and key will be installed in the appropriate place for iRODS to access your account.