Changes between Version 23 and Version 24 of iRODSwithGSI


Timestamp:
12/04/12 12:24:40 (7 years ago)
Author:
Jeanne Ohren
Comment:

--

  • iRODSwithGSI

    v23 v24  
    207207=== Setting up the certificates ===
    208208
    209 I configured three different types of certificates:  CILogon, GENI/GCF certificates with grid-proxy-init, and GENI/GCF with openssl generated proxy.
     209I configured four different types of certificates:  CILogon, regular GENI/GCF certificates, GENI/GCF certificates with grid-proxy-init, and GENI/GCF with openssl generated proxy.
    210210
    211211In all cases, I needed the following:
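Review bot: The list on v24 line 209 names "regular GENI/GCF certificates", which does not match the headings of the sections this revision adds: "GENI/GCF certificates" (368) and "GENI/GCF certificate with server authentication" (509). The server-authentication section is also missing from the four types listed. Use the same wording in the list and the heading, and either add the server-authentication variant to the list or say that it is an option layered on the GENI/GCF setup.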
     
    361361
    3623628.  Now you will be able to run ils.
     363{{{
     364johren@pc:/tmp$ ils
     365/tempZone/home/alice:
     366}}}
     367
     368==== GENI/GCF certificates ====
     369
     370I downloaded the GCF code () to generate GENI certificates from my own clearing house.
     371
     372
     3731.  Ran src/gen-certs.py to generate certificates for both host and client.
     374{{{
     375   ./src/gen-certs.py
     376   ./src/gen-certs.py --notAll --exp -u host
     377   ./src/gen-certs.py --notAll --exp -u alice
     378}}}
     379
     3802.  Configure the root CA certificates.  These can be found in the trusted_roots directory generated above.
     381     However, a hash link and signing_policy need to be created for each cert.
     382
     3832a.  Go to the trusted_roots directory
     384{{{
     385   cd trusted_roots
     386}}}
     387
     3882b.  For each certificate, determine the hash for the certificate and create the link
     389{{{
     390globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout
     3910894ffd6
     392globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0
     393}}}
     394
     3952c.  Determine the issuer of each certificate
     396{{{
     397  openssl x509 -in <certificate-file> -issuer -noout
     398}}}
     399
     4002d.  Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following (where access_id_CA is the issuer of the CA found in step 2c).
     401{{{
     402access_id_CA   X509    '/CN=geni//gpo//gcf.authority.sa'
     403pos_rights     globus  CA:sign
     404cond_subjects  globus  '/*'
     405}}}
     406
     4072e.  Create a symlink to the signing policy using the hash determined above.
     408{{{
     409   ln -s ch-cert.signing_policy 0894ffd6.0
     410}}}
     411
     412You should end up with the following:
     413  * A cert/key pair for the iRODS client
     414  * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
     415  * The CA certificate directory
     416
     417Your CA certificate directory (e.g. trusted_roots) should looks something like this:
     418{{{
     419pc:~/.globus/certificates% ls -l
     420total 28
     421lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem
     422lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy
     423lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem
     424lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy
     425lrwxrwxrwx 1 johren pgeni-gpolab-bbn   10 Nov 28 09:32 aacaba34.0 -> cacert.pem
     426lrwxrwxrwx 1 johren pgeni-gpolab-bbn   21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy
     427-rw-r--r-- 1 johren pgeni-gpolab-bbn  916 Nov 28 09:31 cacert.pem
     428-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:53 cacert.signing_policy
     429-rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem
     430-rw-r--r-- 1 johren pgeni-gpolab-bbn  834 Nov 28 12:31 ch-cert.pem
     431-rw-r--r-- 1 johren pgeni-gpolab-bbn  116 Nov 28 09:54 ch-cert.signing_policy
     432-rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem
     433-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:55 ma-cert.signing_policy
     434}}}
     435===== Server =====
     436
     4371.  Create the directory /home/globus/.globus (if it doesn't alredy exist)
     438{{{
     439    mkdir /home/globus/.globus
     440}}}
     441
     4422.  Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus
     443{{{
     444    mv /tmp/hostkey.pem /home/globus/.globus
     445    mv /tmp/hostcert.pem /home/globus/.globus
     446}}}
     447
     4483.  Change the permissions of the hostkey.pem to 0600
     449{{{
     450    chmod 600 /home/globus/.globus/hostkey.pem
     451}}}
     452
     4534.  Copy the CA certificates created above to /home/globus/.globus/certificates
     454{{{
     455mkdir /home/globus/.globus/certificates
     456cp trusted_roots/* /home/globus/.globus/certificates
     457}}}
     458
     459
     460
     461===== Client =====
     462
     4631.  Create the directory /home/globus/.globus (if it doesn't already exist)
     464{{{
     465    mkdir /home/globus/.globus
     466}}}
     467
     4682.  Place the alicekey.pem and alicecert.pem files in /home/globus/.globus
     469{{{
     470    mv /tmp/alicekey.pem /home/globus/.globus
     471    mv /tmp/alicecert.pem /home/globus/.globus
     472}}}
     473
     4743.  Change the permissions of the alicekey.pem to 0600
     475{{{
     476    chmod 600 /home/globus/.globus/alicekey.pem
     477}}}
     478
     4794.  Copy the CA certificates created above to /home/globus/.globus/certificates
     480{{{
     481mkdir /home/globus/.globus/certificates
     482cp trusted_roots/* /home/globus/.globus/certificates
     483}}}
     484
     4855. Set the environment
     486{{{
     487    export X509_CERT_DIR=/home/globus/.globus/certificates
     488    export X509_USER_CERT=/home/globus/.globus/alicecert.pem
     489    export X509_USER_KEY=/home/globus/.globus/alicekey.pem
     490}}}
     491
     4926.  Get the subject DN from the certificate:
     493{{{
     494globus@pc:~$ openssl x509 -in .globus/alice-cert.pem -subject -noout
     495subject= /CN=geni//gpo//gcf.user.alice
     496}}}
     497
     4987.  Go back to the '''iRODS server''' and add the user authentication id.
     499{{{
     500   iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
     501}}}
     502
     5038.  Now you will be able to run ils.
     504{{{
     505johren@pc:/tmp$ ils
     506/tempZone/home/alice:
     507}}}
     508
     509==== GENI/GCF certificate with server authentication ====
     510
     511Follow the same steps 1-5 above.
     512
     5136.  Get the subject DN from the certificate on the iRODS server
     514{{{
     515globus@pc-0:~$ openssl x509 -in .globus/hostcert.pem -subject -noout
     516subject= /CN=geni//gpo//gcf.user.irods
     517}}}
     518
     5197.  Add this DN to the .irodsEnv on the iRODS client (/home/globus/.irods/.irodsEnv)
     520{{{
     521irodsHost 'pc201.emulab.net'
     522# iRODS server port number:
     523irodsPort 1247
     524
     525# Default storage resource name:
     526irodsDefResource 'demoResc'
     527# Home directory in iRODS:
     528irodsHome '/tempZone/home/alice'
     529# Current directory in iRODS:
     530irodsCwd '/tempZone/home/alice'
     531# Account name:
     532irodsUserName 'alice'
     533# Zone:
     534irodsZone 'tempZone'
     535
     536irodsAuthScheme GSI
     537irodsServerDn '/CN=geni//gpo//gcf.user.irods'
     538}}}
     539
     5408.  Now you will be able to run ils on the client.
    363541{{{
    364542johren@pc:/tmp$ ils
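Review bot: Step 2e (v24 line 409) links the signing policy to 0894ffd6.0, the name already used for the certificate link in step 2b (392), so ln -s fails with "File exists" and no policy link is created. The directory listing at 421-422 shows the intended name, so the command should be "ln -s ch-cert.signing_policy 0894ffd6.signing_policy". In the client section, steps 2 and 5 use alicecert.pem but step 6 (494) reads .globus/alice-cert.pem; settle on one filename. In the signing policy at 404, cond_subjects '/*' lets that CA sign for any subject; every DN shown on the page begins with /CN=geni//gpo//gcf., so consider restricting the pattern to that prefix. Smaller points: the GCF link at 370 is an empty "()", "alredy" (437) and "should looks" (417) are typos, and the mkdir commands need -p to match "if it doesn't already exist".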