| 18 | 1. Software must be installed as a non-root user so I created a "globus" user: |
| 19 | {{{ |
| 20 | sudo mkuser -m -s /bin/bash globus |
| 21 | sudo passwd globus |
| 22 | }}} |
| 23 | |
| 24 | 2. Install the libltdl-dev package |
| 25 | {{{ |
| 26 | sudo apt-get install libltdl-dev |
| 27 | }}} |
| 28 | |
| 29 | 3. Change to the globus user |
| 30 | {{{ |
| 31 | su - globus |
| 32 | }}} |
| 33 | |
| 34 | 4. Download iRODS and GSI software to the globus home directory. |
| 35 | |
| 36 | * iRODS 3.2: http://irods.sdsc.edu/download.html |
| 37 | * GSI: http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz |
| 38 | |
| 39 | 5. Build GSI |
| 40 | {{{ |
| 41 | cd /home/globus |
| 42 | tar -zxvf gt5.2.2-all-source-installer.tar.gz |
| 43 | cd gt5.2.2-all-source-installer |
| 44 | export GLOBUS_LOCATION=/usr/local/globus |
| 45 | ./configure --prefix $GLOBUS_LOCATION |
| 46 | make globus-gsi |
| 47 | }}} |
| 48 | |
| 49 | 6. A few tweaks I had to make to get iRODS to build |
| 50 | {{{ |
| 51 | cd /usr/local/globus/include/globus |
| 52 | ln -s gcc64dbg/globus_config.h |
| 53 | |
| 54 | cd /usr/local/globus |
| 55 | mv lib/perl lib64 |
| 56 | mv lib lib.old |
| 57 | ln -s lib64 lib |
| 58 | }}} |
| 59 | |
| 60 | 7. Build iRODS |
| 61 | {{{ |
| 62 | cd /home/globus/iRODS |
| 63 | ./irodssetup |
| 64 | |
| 65 | }}} |
| 66 | |
| 67 | Answers to the irods questions: |
| 68 | {{{ |
| 69 | globus@pc:~/iRODS$ ./irodssetup |
| 70 | |
| 71 | Include additional prompts for advanced settings [no]? no |
| 72 | Build an iRODS server [yes]? yes |
| 73 | Make this Server ICAT-Enabled [yes]? yes |
| 74 | iRODS zone name [tempZone]? tempZone |
| 75 | iRODS login name [rods]? rods |
| 76 | Password [rods]? rods |
| 77 | Download and build a new Postgres DBMS [yes]? yes |
| 78 | New Postgres directory? /home/globus/iRODS/postgres |
| 79 | New database login name [globus]? globus |
| 80 | Password? globus |
| 81 | PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz |
| 82 | ODBC version [unixODBC-2.2.12.tar.gz]? unixODBC-2.2.12.tar.gz |
| 83 | Include GSI [no]? yes |
| 84 | GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus |
| 85 | GSI Install Type to use (or 'none')? globus |
| 86 | Include Kerberos [no]? no |
| 87 | Include the NCCS Auditing extensions [no]? no |
| 88 | Save configuration (irods.config) [yes]? yes |
| 89 | }}} |
| 90 | |
| 91 | 8. Add the following to /home/globus/.bashrc |
| 92 | {{{ |
| 93 | |
| 94 | export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH |
| 95 | export GLOBUS_LOCATION=/usr/local/globus |
| 96 | export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib |
| 97 | |
| 98 | }}} |
| 99 | |
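Review bot: Step 1 creates the account with `sudo mkuser -m -s /bin/bash globus`, but the rest of the procedure assumes an apt-based system (`sudo apt-get install libltdl-dev`), where the account-creation command that takes `-m` and `-s` is `useradd`; suggest `sudo useradd -m -s /bin/bash globus`. Step 5 configures with `--prefix $GLOBUS_LOCATION` (/usr/local/globus) and step 6 renames directories under that prefix while running as the unprivileged globus user, yet no step creates the directory or gives globus ownership of it, and nothing after `make globus-gsi` shows an install step; add both or state where they happen. The recorded irodssetup answers set the iRODS password to `rods` and the database password to `globus`, each identical to its login name; mark them as placeholders to be replaced with real secrets. Step 8 overwrites `LD_LIBRARY_PATH` instead of appending to the existing value.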
21 | | ==== Server ==== |
22 | | |
23 | | ==== Client ==== |
| 109 | I configured two different types of certificates: CILogon and GENI/GCF certificates. |
| 110 | |
| 111 | In both cases, I needed the following: |
| 112 | * Two different cert/key pairs: one for the client and one for the server. |
| 113 | * The CA certificates |
| 114 | |
| 115 | ==== CiLogon ==== |
| 116 | |
| 117 | I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs. |
| 118 | |
| 119 | 1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link. |
| 120 | This should download a PKCS12 format certificate. |
| 121 | |
| 122 | 2. You will need to convert the p12 file to the cert and key files: |
| 123 | {{{ |
| 124 | openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem |
| 125 | openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem |
| 126 | openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem |
| 127 | openssl pkcs12 -in user3cred.p12 -nocerts -out hostkey.pem |
| 128 | }}} |
| 129 | |
| 130 | NOTE: server pair must be named hostcert.pem and hostkey.pem |
| 131 | |
| 132 | 3. You will need to strip the password from the host key (iRODS does not support host keys with passphrases). |
| 133 | {{{ |
| 134 | openssl rsa -in /tmp/hostkey.pem -out hostkey.pem |
| 135 | }}} |
| 136 | |
| 137 | 4. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz |
| 138 | |
| 139 | You should end up with the following: |
| 140 | * A cert/key pair for the iRODS client |
| 141 | * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem) |
| 142 | * The CA certificate tarball |
| 143 | |
| 144 | ===== Server ===== |
| 145 | |
| 146 | 1. Create the directory /home/globus/.globus |
| 147 | {{{ |
| 148 | mkdir /home/globus/.globus |
| 149 | }}} |
| 150 | |
| 151 | 2. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus |
| 152 | {{{ |
| 153 | mv /tmp/hostkey.pem /home/globus/.globus |
| 154 | mv /tmp/hostcert.pem /home/globus/.globus |
| 155 | }}} |
| 156 | |
| 157 | 3. Change the permissions of the hostkey.pem to 0600 |
| 158 | {{{ |
| 159 | chmod 600 /home/globus/.globus/hostkey.pem |
| 160 | }}} |
| 161 | |
| 162 | Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus |
| 163 | {{{ |
| 164 | tar -zxvf /tmp/cilogon-ca-certificates.tar.gz |
| 165 | mv cilogon-ca/certificates /home/globus/.globus |
| 166 | }}} |
| 167 | |
| 168 | |
| 169 | ===== Client ===== |
| 170 | |
| 171 | You can do this as any user. I used user johren. |
| 172 | |
| 173 | 1. Create the directory /home/johren/.globus |
| 174 | {{{ |
| 175 | mkdir /home/johren/.globus |
| 176 | }}} |
| 177 | |
| 178 | 2. Place the userkey.pem and usercert.pem files in /home/johren/.globus |
| 179 | {{{ |
| 180 | mv /tmp/userkey.pem /home/johren/.globus |
| 181 | mv /tmp/usercert.pem /home/johren/.globus |
| 182 | }}} |
| 183 | |
| 184 | 3. Change the permissions of the userkey.pem to 0600 |
| 185 | {{{ |
| 186 | chmod 600 /home/johren/.globus/userkey.pem |
| 187 | }}} |
| 188 | |
| 189 | Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus |
| 190 | {{{ |
| 191 | tar -zxvf /tmp/cilogon-ca-certificates.tar.gz |
| 192 | mv cilogon-ca/certificates /home/globus/.globus |
| 193 | }}} |
| 194 | |
| 195 | 4. Set the environment |
| 196 | {{{ |
| 197 | export X509_CERT_DIR=/home/johren/.globus/certificates |
| 198 | export X509_USER_CERT=/home/johren/.globus/usercert.pem |
| 199 | export X509_USER_KEY=/home/johren/.globus/userkey.pem |
| 200 | }}} |
| 201 | |
| 202 | 4. Create the proxy certificate |
| 203 | {{{ |
| 204 | cd /home/johren/.globus |
| 205 | /usr/local/johren/bin/grid-proxy-init -debug |
| 206 | }}} |
| 207 | |
| 208 | Output should look something like this: |
| 209 | {{{ |
| 210 | User Cert File: /users/johren/.globus/cilogon/usercert.pem |
| 211 | User Key File: /users/johren/.globus/cilogon/userkey.pem |
| 212 | |
| 213 | Trusted CA Cert Dir: (null) |
| 214 | |
| 215 | Output File: /tmp/x509up_u20001 |
| 216 | Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700 |
| 217 | }}} |
| 218 | |
| 219 | 5. Verify the proxy certificate |
| 220 | {{{ |
| 221 | /usr/local/johren/bin/grid-proxy-init -debug -verify |
| 222 | }}} |
| 223 | |
| 224 | |
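Review bot: In CiLogon step 2 the host certificate is extracted from `user2cred.p12` but the host key from `user3cred.p12`, although the text describes only two accounts; a key taken from a different credential will not match hostcert.pem, so the fourth command should read `-in user2cred.p12`. Step 3 writes the passphrase-free key to `hostkey.pem` in the current directory, while Server step 2 then installs `/tmp/hostkey.pem`, which is the still-encrypted input of that command; move the stripped copy instead, and set a restrictive umask or mode 0600 before the unencrypted key is written rather than only after the move. In the Client section the CA directory is moved to `/home/globus/.globus` while `X509_CERT_DIR` points at `/home/johren/.globus/certificates`, and the sample output shows `Trusted CA Cert Dir: (null)`; the destination should be the client user's own directory. Smaller points: two client steps are numbered 4 and the CA untar steps carry no number, `grid-proxy-init` is invoked from `/usr/local/johren/bin` although GSI was configured under `/usr/local/globus`, and the sample output paths (`/users/johren/.globus/cilogon/...`) do not match the paths exported in the environment step.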