Changes between Version 1 and Version 2 of iRODSwithGSI


Ignore:
Timestamp:
11/28/12 19:52:03 (7 years ago)
Author:
Jeanne Ohren
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • iRODSwithGSI

    v1 v2  
    1313
    1414=== Installation ===
     15
    1516==== Server ====
    1617
     181.  Software must be installed as a non-root user so I created a "globus" user:
     19{{{
     20    sudo mkuser -m -s /bin/bash globus
     21    sudo passwd globus
     22}}}
     23
     242.  Install the libltdl-dev package
     25{{{
     26   sudo apt-get install libltdl-dev
     27}}}
     28
     293.  Change to the globus user
     30{{{
     31    su - globus
     32}}}
     33
     344.  Download iRODS and GSI software to the globus home directory.
     35
     36   * iRODS 3.2:  http://irods.sdsc.edu/download.html
     37   * GSI:  http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz
     38
     395.  Build GSI
     40{{{
     41 cd /home/globus
     42 tar -zxvf gt5.2.2-all-source-installer.tar.gz
     43 cd gt5.2.2-all-source-installer
     44 export GLOBUS_LOCATION=/usr/local/globus
     45 ./configure --prefix $GLOBUS_LOCATION
     46 make globus-gsi
     47}}}
     48
     496.  A few tweaks I had to make to get iRODS to build
     50{{{
     51cd /usr/local/globus/include/globus
     52ln -s gcc64dbg/globus_config.h
     53
     54cd /usr/local/globus
     55mv lib/perl lib64
     56mv lib lib.old
     57ln -s lib64 lib
     58}}}
     59
     607.  Build iRODS
     61{{{
     62  cd /home/globus/iRODS
     63  ./irodssetup
     64
     65}}}
     66
     67Answers to the irods questions:
     68{{{
     69globus@pc:~/iRODS$ ./irodssetup
     70
     71    Include additional prompts for advanced settings [no]? no
     72    Build an iRODS server [yes]? yes
     73    Make this Server ICAT-Enabled [yes]?  yes
     74    iRODS zone name [tempZone]? tempZone
     75    iRODS login name [rods]? rods
     76    Password [rods]? rods
     77    Download and build a new Postgres DBMS [yes]? yes
     78    New Postgres directory? /home/globus/iRODS/postgres
     79    New database login name [globus]? globus
     80    Password? globus
     81    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
     82    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
     83    Include GSI [no]? yes
     84    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
     85    GSI Install Type to use (or 'none')? globus
     86    Include Kerberos [no]? no
     87    Include the NCCS Auditing extensions [no]? no
     88    Save configuration (irods.config) [yes]? yes
     89}}}
     90
     918.  Add the following to /home/globus/.bashrc
     92{{{
     93
     94export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
     95export GLOBUS_LOCATION=/usr/local/globus
     96export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
     97
     98}}}
     99
    17100==== Client ====
    18101
     102Same as the server only answer "no" to the following question during irodssetup:
     103{{{
     104    Build an iRODS server [yes]? no
     105}}}
     106
    19107=== Setting up the certificates ===
    20108
    21 ==== Server ====
    22 
    23 ==== Client ====
     109I configured two different types of certificates:  CILogon and GENI/GCF certificates.
     110
     111In both cases, I needed the following:
     112   * Two different cert/key pairs:  one for the client and one for the server.
     113   * The CA certificates
     114
     115==== CiLogon ====
     116
     117I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.
     118
     1191.  For each account, select "Get New Certificate".  When the certificate is generated, click on the "download certificate" link.
     120This should download a PKCS12 format certificate.
     121
     1222.  You will need to convert the p12 file to the cert and key files:
     123{{{
     124  openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
     125  openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
     126  openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
     127  openssl pkcs12 -in user3cred.p12 -nocerts -out hostkey.pem
     128}}}
     129
     130NOTE:  server pair must be named hostcert.pem and hostkey.pem
     131
     1323.  You will need to strip the password from the host key (iRODS does not support host keys with passphrases).
     133{{{
     134    openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
     135}}}
     136
     1374.  Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz
     138
     139You should end up with the following:
     140  * A cert/key pair for the iRODS client
     141  * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
     142  * The CA certificate tarball
     143
     144===== Server =====
     145
     1461.  Create the directory /home/globus/.globus
     147{{{
     148    mkdir /home/globus/.globus
     149}}}
     150
     1512.  Place the hostkey.pem and hostcert.pem files in /home/globus/.globus
     152{{{
     153    mv /tmp/hostkey.pem /home/globus/.globus
     154    mv /tmp/hostcert.pem /home/globus/.globus
     155}}}
     156
     1573.  Change the permissions of the hostkey.pem to 0600
     158{{{
     159    chmod 600 /home/globus/.globus/hostkey.pem
     160}}}
     161
     162Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus
     163{{{
     164    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
     165    mv cilogon-ca/certificates /home/globus/.globus
     166}}}
     167
     168
     169===== Client =====
     170
     171You can do this as any user.  I used user johren.
     172
     1731.  Create the directory /home/johren/.globus
     174{{{
     175    mkdir /home/johren/.globus
     176}}}
     177
     1782.  Place the userkey.pem and usercert.pem files in /home/johren/.globus
     179{{{
     180    mv /tmp/userkey.pem /home/johren/.globus
     181    mv /tmp/usercert.pem /home/johren/.globus
     182}}}
     183
     1843.  Change the permissions of the userkey.pem to 0600
     185{{{
     186    chmod 600 /home/johren/.globus/userkey.pem
     187}}}
     188
     189Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus
     190{{{
     191    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
     192    mv cilogon-ca/certificates /home/globus/.globus
     193}}}
     194
     1954. Set the environment
     196{{{
     197    export X509_CERT_DIR=/home/johren/.globus/certificates
     198    export X509_USER_CERT=/home/johren/.globus/usercert.pem
     199    export X509_USER_KEY=/home/johren/.globus/userkey.pem
     200}}}
     201
     2024.  Create the proxy certificate
     203{{{
     204    cd /home/johren/.globus
     205    /usr/local/johren/bin/grid-proxy-init -debug
     206}}}
     207
     208Output should look something like this:
     209{{{
     210User Cert File: /users/johren/.globus/cilogon/usercert.pem
     211User Key File: /users/johren/.globus/cilogon/userkey.pem
     212
     213Trusted CA Cert Dir: (null)
     214
     215Output File: /tmp/x509up_u20001
     216Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
     217}}}
     218
     2195.  Verify the proxy certificate
     220{{{
     221    /usr/local/johren/bin/grid-proxy-init -debug -verify
     222}}}
     223
     224
    24225
    25226=== Configuring iRODS ===