| | 363 | {{{ |
| | 364 | johren@pc:/tmp$ ils |
| | 365 | /tempZone/home/alice: |
| | 366 | }}} |
| | 367 | |
| | 368 | ==== GENI/GCF certificates ==== |
| | 369 | |
| | 370 | I downloaded the GCF code () to generate GENI certificates from my own clearing house. |
| | 371 | |
| | 372 | |
| | 373 | 1. Ran src/gen-certs.py to generate certificates for both host and client. |
| | 374 | {{{ |
| | 375 | ./src/gen-certs.py |
| | 376 | ./src/gen-certs.py --notAll --exp -u host |
| | 377 | ./src/gen-certs.py --notAll --exp -u alice |
| | 378 | }}} |
| | 379 | |
| | 380 | 2. Configure the root CA certificates. These can be found in the trusted_roots directory generated above. |
| | 381 | However, a hash link and signing_policy need to be created for each cert. |
| | 382 | |
| | 383 | 2a. Go to the trusted_roots directory |
| | 384 | {{{ |
| | 385 | cd trusted_roots |
| | 386 | }}} |
| | 387 | |
| | 388 | 2b. For each certificate, determine the hash for the certificate and create the link |
| | 389 | {{{ |
| | 390 | globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout |
| | 391 | 0894ffd6 |
| | 392 | globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0 |
| | 393 | }}} |
| | 394 | |
| | 395 | 2c. Determine the issuer of each certificate |
| | 396 | {{{ |
| | 397 | openssl x509 -in <certificate-file> -issuer -noout |
| | 398 | }}} |
| | 399 | |
| | 400 | 2d. Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following (where access_id_CA is the issuer of the CA found in step 2c). |
| | 401 | {{{ |
| | 402 | access_id_CA X509 '/CN=geni//gpo//gcf.authority.sa' |
| | 403 | pos_rights globus CA:sign |
| | 404 | cond_subjects globus '/*' |
| | 405 | }}} |
| | 406 | |
| | 407 | 2e. Create a symlink to the signing policy using the hash determined above. |
| | 408 | {{{ |
| | 409 | ln -s ch-cert.signing_policy 0894ffd6.0 |
| | 410 | }}} |
| | 411 | |
| | 412 | You should end up with the following: |
| | 413 | * A cert/key pair for the iRODS client |
| | 414 | * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem) |
| | 415 | * The CA certificate directory |
| | 416 | |
| | 417 | Your CA certificate directory (e.g. trusted_roots) should looks something like this: |
| | 418 | {{{ |
| | 419 | pc:~/.globus/certificates% ls -l |
| | 420 | total 28 |
| | 421 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem |
| | 422 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy |
| | 423 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem |
| | 424 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy |
| | 425 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 10 Nov 28 09:32 aacaba34.0 -> cacert.pem |
| | 426 | lrwxrwxrwx 1 johren pgeni-gpolab-bbn 21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy |
| | 427 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 916 Nov 28 09:31 cacert.pem |
| | 428 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 111 Nov 28 09:53 cacert.signing_policy |
| | 429 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem |
| | 430 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 834 Nov 28 12:31 ch-cert.pem |
| | 431 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 116 Nov 28 09:54 ch-cert.signing_policy |
| | 432 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem |
| | 433 | -rw-r--r-- 1 johren pgeni-gpolab-bbn 111 Nov 28 09:55 ma-cert.signing_policy |
| | 434 | }}} |
| | 435 | ===== Server ===== |
| | 436 | |
| | 437 | 1. Create the directory /home/globus/.globus (if it doesn't alredy exist) |
| | 438 | {{{ |
| | 439 | mkdir /home/globus/.globus |
| | 440 | }}} |
| | 441 | |
| | 442 | 2. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus |
| | 443 | {{{ |
| | 444 | mv /tmp/hostkey.pem /home/globus/.globus |
| | 445 | mv /tmp/hostcert.pem /home/globus/.globus |
| | 446 | }}} |
| | 447 | |
| | 448 | 3. Change the permissions of the hostkey.pem to 0600 |
| | 449 | {{{ |
| | 450 | chmod 600 /home/globus/.globus/hostkey.pem |
| | 451 | }}} |
| | 452 | |
| | 453 | 4. Copy the CA certificates created above to /home/globus/.globus/certificates |
| | 454 | {{{ |
| | 455 | mkdir /home/globus/.globus/certificates |
| | 456 | cp trusted_roots/* /home/globus/.globus/certificates |
| | 457 | }}} |
| | 458 | |
| | 459 | |
| | 460 | |
| | 461 | ===== Client ===== |
| | 462 | |
| | 463 | 1. Create the directory /home/globus/.globus (if it doesn't already exist) |
| | 464 | {{{ |
| | 465 | mkdir /home/globus/.globus |
| | 466 | }}} |
| | 467 | |
| | 468 | 2. Place the alicekey.pem and alicecert.pem files in /home/globus/.globus |
| | 469 | {{{ |
| | 470 | mv /tmp/alicekey.pem /home/globus/.globus |
| | 471 | mv /tmp/alicecert.pem /home/globus/.globus |
| | 472 | }}} |
| | 473 | |
| | 474 | 3. Change the permissions of the alicekey.pem to 0600 |
| | 475 | {{{ |
| | 476 | chmod 600 /home/globus/.globus/alicekey.pem |
| | 477 | }}} |
| | 478 | |
| | 479 | 4. Copy the CA certificates created above to /home/globus/.globus/certificates |
| | 480 | {{{ |
| | 481 | mkdir /home/globus/.globus/certificates |
| | 482 | cp trusted_roots/* /home/globus/.globus/certificates |
| | 483 | }}} |
| | 484 | |
| | 485 | 5. Set the environment |
| | 486 | {{{ |
| | 487 | export X509_CERT_DIR=/home/globus/.globus/certificates |
| | 488 | export X509_USER_CERT=/home/globus/.globus/alicecert.pem |
| | 489 | export X509_USER_KEY=/home/globus/.globus/alicekey.pem |
| | 490 | }}} |
| | 491 | |
| | 492 | 6. Get the subject DN from the certificate: |
| | 493 | {{{ |
| | 494 | globus@pc:~$ openssl x509 -in .globus/alice-cert.pem -subject -noout |
| | 495 | subject= /CN=geni//gpo//gcf.user.alice |
| | 496 | }}} |
| | 497 | |
| | 498 | 7. Go back to the '''iRODS server''' and add the user authentication id. |
| | 499 | {{{ |
| | 500 | iadmin aua alice '/CN=geni//gpo//gcf.user.alice' |
| | 501 | }}} |
| | 502 | |
| | 503 | 8. Now you will be able to run ils. |
| | 504 | {{{ |
| | 505 | johren@pc:/tmp$ ils |
| | 506 | /tempZone/home/alice: |
| | 507 | }}} |
| | 508 | |
| | 509 | ==== GENI/GCF certificate with server authentication ==== |
| | 510 | |
| | 511 | Follow the same steps 1-5 above. |
| | 512 | |
| | 513 | 6. Get the subject DN from the certificate on the iRODS server |
| | 514 | {{{ |
| | 515 | globus@pc-0:~$ openssl x509 -in .globus/hostcert.pem -subject -noout |
| | 516 | subject= /CN=geni//gpo//gcf.user.irods |
| | 517 | }}} |
| | 518 | |
| | 519 | 7. Add this DN to the .irodsEnv on the iRODS client (/home/globus/.irods/.irodsEnv) |
| | 520 | {{{ |
| | 521 | irodsHost 'pc201.emulab.net' |
| | 522 | # iRODS server port number: |
| | 523 | irodsPort 1247 |
| | 524 | |
| | 525 | # Default storage resource name: |
| | 526 | irodsDefResource 'demoResc' |
| | 527 | # Home directory in iRODS: |
| | 528 | irodsHome '/tempZone/home/alice' |
| | 529 | # Current directory in iRODS: |
| | 530 | irodsCwd '/tempZone/home/alice' |
| | 531 | # Account name: |
| | 532 | irodsUserName 'alice' |
| | 533 | # Zone: |
| | 534 | irodsZone 'tempZone' |
| | 535 | |
| | 536 | irodsAuthScheme GSI |
| | 537 | irodsServerDn '/CN=geni//gpo//gcf.user.irods' |
| | 538 | }}} |
| | 539 | |
| | 540 | 8. Now you will be able to run ils on the client. |
