wiki:GENIUserWorkspace/ConfigCredentials

Version 7 (modified by Jeanne Ohren, 7 years ago) (diff)

--

Configuring Credentials

The credconfig.sh script can be used to set up all of the credential configuration needed to run your I&M tools. The options used are different depending upon the tool you are using: GIMI or GEMINI.

GIMI configuration

You will need three sets of credentials (two optional) when using the GIMI tools:

  1. A GENI certificate. You can obtain a GENI certificate by submitting a request at http://www.emulab.net or http://pgeni.gpolab.bbn.com Once your request is approved, you can download an SSL certificate (with .pem extension) from this slice authority.
  1. (Optional) An iRODS account. This is only needed if you want to access an iRODS server from the user workspace. You must have the following information in an irods configuration file.
    irodsHost
    irodsPort
    irodsDefResource
    irodsHome
    irodsCwd
    irodsUserName
    irodsZone

Make sure you remember the password for your iRODS account. You will need this when you run credconfig.sh below.

  1. (Optional) A Java Keystore file created from your GENI certificate. This is only needed if you want to use Flukes. See https://geni-orca.renci.org/trac/wiki/flukes/#Userauthorization for instructions on how to generate the keystore file.

Make sure you remember the alias and password that you used when creating the keystore file. You will need this when you run Flukes.

Download/edit these files directly from your user workspace or transfer these files to a location in your home directory. You can do this with ftp, scp, or shared folders.

With these 1-3 files, you can configure your credentials with the credconfig.sh tool.

   $ credconfig.sh -g <path-to-geni-certificate> -i <path-to-irods-config> -f <path-to-jks-file>

The -g parameter is required and the -i and -f parameters are optional.

Example:

   $ credconfig.sh -g /home/geniuser/gpo_ctcert.pem -f /home/geniuser/pgeni.jks -i /home/geniuser/irods.config

The results of running this script:

  • A pair of SSH keys (geni_key and geni_key.pub) will be generated for you using the private key from your GENI certificate. These keys will be placed in /home/geniuser/.ssh.
  • Your certificate will be placed in /home/geniuser/.ssl.
  • An omni_config file will be generated for you and placed in /home/geniuser/.gcf.
  • The SSH key is added to ssh-agent for password-less login to the nodes in your slices.
  • If the -f option is used...
    • Your keystore file (JKS) will be placed in /home/geniuser/.ssl.
    • /home/geniuser/.flukes.properties will be configured to point to your keystore and ssh keys.
  • If the -i option is used...
    • /home/.irods/.irodsEnv will be configured according to your supplied irods config file.
    • iinit will be executed, will prompt you for your iRODS password, and will store your hashed password.

GEMINI configuration

If you are using GEMINI, you will need to download the PKC12 format GENI credential from your slice authority (http://www.emulab.net or http://pgeni.gpolab.bbn.com) and install it in your Firefox browser.

You will need two sets of credentials (one optional) when using the GEMINI tools:

  1. A GENI certificate. You can obtain a GENI certificate by submitting a request at http://www.emulab.net or http://pgeni.gpolab.bbn.com Once your request is approved, you can download your SSL certificate from this slice authority. You will need to download two formats: PEM format and PKCS12 format.
  1. (Optional) An iRODS account. This is only needed if you want to access an iRODS server from the user workspace. You must have the following information in an irods configuration file.
    irodsHost
    irodsPort
    irodsDefResource
    irodsHome
    irodsCwd
    irodsUserName
    irodsZone

Make sure you remember the password for your iRODS account. You will need this when you run credconfig.sh below.

Download/edit these files directly from your user workspace or transfer these files to a location in your home directory. You can do this with ftp, scp, or shared folders.

With these 1-3 files, you can configure your credentials with the credconfig.sh tool.

   $ credconfig.sh -g <path-to-pem-format-geni-certificate> -b <path-to-pkcs12-format-geni-certificate> -i <path-to-irods-config>

The -g parameter is required and the -b and -i parameters are optional.

Example:

   $ credconfig.sh -g /home/geniuser/gpo_cert.pem -b /home/geniuser/gpo_cert.p12 -i /home/geniuser/irods.config

The results of running this script:

  • A pair of SSH keys (geni_key and geni_key.pub) will be generated for you using the private key from your GENI certificate. These keys will be placed in /home/geniuser/.ssh.
  • Your certificate will be placed in /home/geniuser/.ssl.
  • An omni_config file will be generated for you and placed in /home/geniuser/.gcf.
  • The SSH key is added to ssh-agent for password-less login to the nodes in your slices.
  • Your certificate will be added to certificate database for the the Firefox and Chrome browsers.
  • If the -i option is used...
    • /home/.irods/.irodsEnv will be configured according to your supplied irods config file.
    • iinit will be executed, will prompt you for your iRODS password, and will store your hashed password.