Changes between Version 1 and Version 2 of iRODSwithGSI

Timestamp:

11/28/12 19:52:03 (11 years ago)

Author:

Jeanne Ohren

Comment:

--

iRODSwithGSI

@@ -13 +13 @@
 
 === Installation ===
+
 ==== Server ====
 
+1.  Software must be installed as a non-root user so I created a "globus" user:
+{{{
+    sudo mkuser -m -s /bin/bash globus
+    sudo passwd globus
+}}}
+
+2.  Install the libltdl-dev package
+{{{
+   sudo apt-get install libltdl-dev
+}}}
+
+3.  Change to the globus user
+{{{
+    su - globus
+}}}
+
+4.  Download iRODS and GSI software to the globus home directory.
+
+   * iRODS 3.2:  http://irods.sdsc.edu/download.html
+   * GSI:  http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz 
+
+5.  Build GSI
+{{{
+ cd /home/globus
+ tar -zxvf gt5.2.2-all-source-installer.tar.gz
+ cd gt5.2.2-all-source-installer
+ export GLOBUS_LOCATION=/usr/local/globus
+ ./configure --prefix $GLOBUS_LOCATION
+ make globus-gsi
+}}}
+
+6.  A few tweaks I had to make to get iRODS to build
+{{{
+cd /usr/local/globus/include/globus
+ln -s gcc64dbg/globus_config.h 
+
+cd /usr/local/globus
+mv lib/perl lib64
+mv lib lib.old
+ln -s lib64 lib
+}}}
+
+7.  Build iRODS
+{{{
+  cd /home/globus/iRODS
+  ./irodssetup
+
+}}}
+
+Answers to the irods questions:
+{{{
+globus@pc:~/iRODS$ ./irodssetup 
+
+    Include additional prompts for advanced settings [no]? no
+    Build an iRODS server [yes]? yes
+    Make this Server ICAT-Enabled [yes]?  yes
+    iRODS zone name [tempZone]? tempZone 
+    iRODS login name [rods]? rods
+    Password [rods]? rods
+    Download and build a new Postgres DBMS [yes]? yes
+    New Postgres directory? /home/globus/iRODS/postgres
+    New database login name [globus]? globus
+    Password? globus
+    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
+    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
+    Include GSI [no]? yes
+    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
+    GSI Install Type to use (or 'none')? globus
+    Include Kerberos [no]? no
+    Include the NCCS Auditing extensions [no]? no
+    Save configuration (irods.config) [yes]? yes
+}}}
+
+8.  Add the following to /home/globus/.bashrc
+{{{
+
+export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
+export GLOBUS_LOCATION=/usr/local/globus
+export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
+
+}}}
+
 ==== Client ====
 
+Same as the server only answer "no" to the following question during irodssetup:
+{{{
+    Build an iRODS server [yes]? no
+}}}
+
 === Setting up the certificates ===
 
-==== Server ====
-
-==== Client ====
+I configured two different types of certificates:  CILogon and GENI/GCF certificates.
+
+In both cases, I needed the following:
+   * Two different cert/key pairs:  one for the client and one for the server.
+   * The CA certificates
+
+==== CiLogon ====
+
+I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.
+
+1.  For each account, select "Get New Certificate".  When the certificate is generated, click on the "download certificate" link.
+This should download a PKCS12 format certificate.
+
+2.  You will need to convert the p12 file to the cert and key files:
+{{{
+  openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
+  openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
+  openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
+  openssl pkcs12 -in user3cred.p12 -nocerts -out hostkey.pem
+}}}
+
+NOTE:  server pair must be named hostcert.pem and hostkey.pem
+
+3.  You will need to strip the password from the host key (iRODS does not support host keys with passphrases).
+{{{
+    openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
+}}}
+
+4.  Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz 
+
+You should end up with the following:
+  * A cert/key pair for the iRODS client
+  * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
+  * The CA certificate tarball
+
+===== Server =====
+
+1.  Create the directory /home/globus/.globus
+{{{
+    mkdir /home/globus/.globus
+}}}
+
+2.  Place the hostkey.pem and hostcert.pem files in /home/globus/.globus
+{{{
+    mv /tmp/hostkey.pem /home/globus/.globus
+    mv /tmp/hostcert.pem /home/globus/.globus
+}}}
+
+3.  Change the permissions of the hostkey.pem to 0600
+{{{
+    chmod 600 /home/globus/.globus/hostkey.pem
+}}}
+
+Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus
+{{{
+    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
+    mv cilogon-ca/certificates /home/globus/.globus
+}}}
+
+
+===== Client =====
+
+You can do this as any user.  I used user johren.
+
+1.  Create the directory /home/johren/.globus
+{{{
+    mkdir /home/johren/.globus
+}}}
+
+2.  Place the userkey.pem and usercert.pem files in /home/johren/.globus
+{{{
+    mv /tmp/userkey.pem /home/johren/.globus
+    mv /tmp/usercert.pem /home/johren/.globus
+}}}
+
+3.  Change the permissions of the userkey.pem to 0600
+{{{
+    chmod 600 /home/johren/.globus/userkey.pem
+}}}
+
+Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus
+{{{
+    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
+    mv cilogon-ca/certificates /home/globus/.globus
+}}}
+
+4. Set the environment
+{{{
+    export X509_CERT_DIR=/home/johren/.globus/certificates
+    export X509_USER_CERT=/home/johren/.globus/usercert.pem
+    export X509_USER_KEY=/home/johren/.globus/userkey.pem
+}}}
+
+4.  Create the proxy certificate
+{{{
+    cd /home/johren/.globus
+    /usr/local/johren/bin/grid-proxy-init -debug
+}}}
+
+Output should look something like this:
+{{{
+User Cert File: /users/johren/.globus/cilogon/usercert.pem
+User Key File: /users/johren/.globus/cilogon/userkey.pem
+
+Trusted CA Cert Dir: (null)
+
+Output File: /tmp/x509up_u20001
+Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
+}}}
+
+5.  Verify the proxy certificate
+{{{
+    /usr/local/johren/bin/grid-proxy-init -debug -verify
+}}}
+
+
 
 === Configuring iRODS ===