Context Navigation

Changes between Version 17 and Version 18 of iRODSwithGSI

Timestamp:: 12/04/12 00:07:15 (11 years ago)
Author:: Jeanne Ohren
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

iRODSwithGSI

-                      v17
+                      v18
 Steps 1-3 are the same as GCF w/ grid-proxy-init.
+.  Get the identity from the GCF cert.
+.  Create the CSR.
+{{{
+}}}
+.  Create the proxy certificate.
+.  Concatenate the new proxy cert, new private key, and original certificate to a file named x509up_uXXXXX where XXXXX is the same as the proxy cert generated by grid-proxy-init.
+.  Copy the concatenated certificate to /tmp.
+.  Get the subject from the GCF certificate (alice-cert.pem)
+{{{
+globus@pc:~/.globus$ openssl x509 -in alice-cert.pem -subject -noout
+subject= /CN=geni//gpo//gcf.user.alice
+}}}
+.  Create the CSR using csr.conf provided by Ezra (see attached).  Accept default answer for all except "Common Name" questions.
+Give the subject (from previous step, do not include the 'CN=') and your own 8 digit number.
+{{{
+globus@pc:~/.globus$ openssl req -new -config /tmp/csr.conf -out alice.csr -keyout alice-proxy.key
+Generating a 1024 bit RSA private key
+........++++++
+.................++++++
+writing new private key to 'alice-proxy.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name "C" (2 letter code) []:
+State Name "ST" (full name) []:
+Locality Name "L" (eg, city) []:
+Organization Name "O" (eg, company) []:
+Organizational Unit Name "OU" (eg, section) []:
+Common Name "CN" (eg, YOUR name) []:geni//gpo//gcf.user.alice
+Email Address []:
+Common Name "CN" (unique 8 digit number) []:12345678
+}}}
+This should produce the csr and key files specified on the command line.
+.  Create the proxy certificate using the csr file generated in the previous step as well as alice-cert.pem and alice-key.pem.
+{{{
+globus@pc:~/.globus$ openssl x509 -req -CAcreateserial -in alice.csr -days 7 -out alice_proxy.pem -CA alice-cert.pem -CAkey alice-key.pem -extfile /tmp/csr.conf -extensions v3_proxy
+Signature ok
+subject=/CN=geni//gpo//gcf.user.alice/CN=12345678
+Getting CA Private Key
+}}}
+.  Concatenate the new proxy cert, new private key, and original certificate to a file named x509up_uXXXXX where XXXXX is the globus user id (id -u).
+{{{
+globus@pc:~/.globus$ cat alice_proxy.pem > x509up_u20002
+globus@pc:~/.globus$ cat alice-proxy.key >> x509up_u20002
+globus@pc:~/.globus$ cat alice-cert.pem >> x509up_u20002
+}}}
+.  Copy the concatenated certificate to /tmp and set the permissions to 0600.
+{{{
+   cp x509up_u20002 /tmp
+   chmod 600 /tmp/x509up_u20002
+}}}
 .  Run grid-proxy-info to get the identity of the proxy certificate.
+.  Go back to the '''iRODS server''' and add the user authentication id.
+{{{
+   iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
+{{{
+globus@pc:~/.globus$ /usr/local/globus/bin/grid-proxy-info -f /tmp/x509up_u20002
+subject  : /CN=geni//gpo//gcf.user.alice/CN=12345678
+issuer   : /CN=geni//gpo//gcf.user.alice
+identity : /CN=geni//gpo//gcf.user.alice/CN=12345678
+type     : RFC 3820 compliant independent proxy
+strength : 1024 bits
+path     : /tmp/x509up_u20002
+timeleft : 167:58:47  (7.0 days)
+}}}
+.  Go back to the '''iRODS server''' and add the user authentication id using the identity from the previous step.
+{{{
+   iadmin aua alice '/CN=geni//gpo//gcf.user.alice/CN=12345678'
 }}}