{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

==== GENI/GCF certificates ====

I downloaded the GCF code () to generate GENI certificates from my own clearinghouse.

1. Ran src/gen-certs.py to generate certificates for both host and client.
{{{
./src/gen-certs.py
./src/gen-certs.py --notAll --exp -u host
./src/gen-certs.py --notAll --exp -u alice
}}}

2. Configure the root CA certificates. These can be found in the trusted_roots directory generated above.
However, a hash link and a signing_policy file need to be created for each certificate.

2a. Go to the trusted_roots directory
{{{
cd trusted_roots
}}}

2b. For each certificate, determine the hash of the certificate and create the link
{{{
globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout
0894ffd6
globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0
}}}

2c. Determine the issuer of each certificate
{{{
openssl x509 -in <certificate-file> -issuer -noout
}}}

2d. Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following (where the access_id_CA value is the issuer DN found in step 2c).
{{{
access_id_CA X509 '/CN=geni//gpo//gcf.authority.sa'
pos_rights globus CA:sign
cond_subjects globus '/*'
}}}

2e. Create a symlink to the signing policy using the hash determined above; the link name is the hash with a .signing_policy suffix, next to the .0 link from step 2b.
{{{
ln -s ch-cert.signing_policy 0894ffd6.signing_policy
}}}

You should end up with the following:
* A cert/key pair for the iRODS client
* A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
* The CA certificate directory

Your CA certificate directory (e.g. trusted_roots) should look something like this:
{{{
pc:~/.globus/certificates% ls -l
total 28
lrwxrwxrwx 1 johren pgeni-gpolab-bbn 11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn 22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy
lrwxrwxrwx 1 johren pgeni-gpolab-bbn 11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn 22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy
lrwxrwxrwx 1 johren pgeni-gpolab-bbn 10 Nov 28 09:32 aacaba34.0 -> cacert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn 21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 916 Nov 28 09:31 cacert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn 111 Nov 28 09:53 cacert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn 834 Nov 28 12:31 ch-cert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn 116 Nov 28 09:54 ch-cert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn 111 Nov 28 09:55 ma-cert.signing_policy
}}}
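Steps 2b to 2e scripted for a whole directory, as an added example that is not code from this page or from the GCF/iRODS projects: it writes each signing_policy from the issuer DN, creates both hash links, and verifies a certificate against the finished directory. It assumes openssl is on the PATH; the self-signed test CA is constructed by the script.

```shell
#!/bin/sh
# Added example (not code from the original page or the GCF/iRODS projects): builds
# a GSI trusted-roots directory as steps 2b-2e describe, for every CA certificate
# in a directory, and verifies a certificate against the result. Assumes openssl.
set -e

# Issuer DN in the slash form signing_policy expects; -nameopt compat keeps that
# layout on both OpenSSL 1.x and 3.x (newer defaults print 'CN = ...' instead).
issuer_dn() { openssl x509 -in "$1" -issuer -noout -nameopt compat | sed 's/^issuer= *//'; }

# Write <name>.signing_policy beside <name>.pem: the CA named by its issuer DN may
# sign any subject, which is the policy the page shows.
write_signing_policy() {
    cert="$1"; policy="${cert%.pem}.signing_policy"
    printf "access_id_CA X509 '%s'\npos_rights globus CA:sign\ncond_subjects globus '/*'\n" \
        "$(issuer_dn "$cert")" > "$policy"
}

# Create the <hash>.0 and <hash>.signing_policy links for one CA certificate and
# print the hash. Relative link targets survive copying the directory elsewhere.
link_ca_cert() {
    cert="$1"; dir=$(dirname "$cert"); name=$(basename "$cert" .pem)
    hash=$(openssl x509 -in "$cert" -hash -noout)
    (cd "$dir" && ln -sf "$name.pem" "$hash.0" && ln -sf "$name.signing_policy" "$hash.signing_policy")
    echo "$hash"
}

# Handle every certificate PEM in a directory (private keys are skipped); one hash per line.
build_trusted_roots() {
    for cert in "$1"/*.pem; do
        grep -q 'BEGIN CERTIFICATE' "$cert" || continue
        write_signing_policy "$cert"
        link_ca_cert "$cert"
    done
}

# 0 if the certificate chains to a CA in the directory: the lookup GSI performs via
# X509_CERT_DIR when a client connects, so a CA without its <hash>.0 link fails here.
verify_against_dir() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Constructed self-signed test CA so the script runs offline.
make_test_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" \
        -subj '/CN=example-test-ca' -days 1 >/dev/null 2>&1
}

demo=$(mktemp -d); make_test_ca "$demo"; build_trusted_roots "$demo"; ls -l "$demo"
```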
===== Server =====

1. Create the directory /home/globus/.globus (if it doesn't already exist)
{{{
mkdir /home/globus/.globus
}}}

2. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus
{{{
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
}}}

3. Change the permissions of hostkey.pem to 0600
{{{
chmod 600 /home/globus/.globus/hostkey.pem
}}}

4. Copy the CA certificates created above to /home/globus/.globus/certificates
{{{
mkdir /home/globus/.globus/certificates
cp trusted_roots/* /home/globus/.globus/certificates
}}}

===== Client =====

1. Create the directory /home/globus/.globus (if it doesn't already exist)
{{{
mkdir /home/globus/.globus
}}}

2. Place the alicekey.pem and alicecert.pem files in /home/globus/.globus
{{{
mv /tmp/alicekey.pem /home/globus/.globus
mv /tmp/alicecert.pem /home/globus/.globus
}}}

3. Change the permissions of alicekey.pem to 0600
{{{
chmod 600 /home/globus/.globus/alicekey.pem
}}}

4. Copy the CA certificates created above to /home/globus/.globus/certificates
{{{
mkdir /home/globus/.globus/certificates
cp trusted_roots/* /home/globus/.globus/certificates
}}}

5. Set the environment
{{{
export X509_CERT_DIR=/home/globus/.globus/certificates
export X509_USER_CERT=/home/globus/.globus/alicecert.pem
export X509_USER_KEY=/home/globus/.globus/alicekey.pem
}}}

6. Get the subject DN from the certificate:
{{{
globus@pc:~$ openssl x509 -in .globus/alice-cert.pem -subject -noout
subject= /CN=geni//gpo//gcf.user.alice
}}}

7. Go back to the '''iRODS server''' and register that DN as the user's authentication name.
{{{
iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
}}}

8. Now you will be able to run ils.
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

==== GENI/GCF certificate with server authentication ====

Follow steps 1-5 of the client setup above.

6. Get the subject DN from the certificate on the iRODS server
{{{
globus@pc-0:~$ openssl x509 -in .globus/hostcert.pem -subject -noout
subject= /CN=geni//gpo//gcf.user.irods
}}}

7. Add this DN to the .irodsEnv on the iRODS client (/home/globus/.irods/.irodsEnv)
{{{
irodsHost 'pc201.emulab.net'
# iRODS server port number:
irodsPort 1247

# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/alice'
# Current directory in iRODS:
irodsCwd '/tempZone/home/alice'
# Account name:
irodsUserName 'alice'
# Zone:
irodsZone 'tempZone'

irodsAuthScheme GSI
irodsServerDn '/CN=geni//gpo//gcf.user.irods'
}}}

8. Now you will be able to run ils on the client.
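Checks for the client setup and for the irodsServerDn pin above, as an added example that is not code from this page or from the iRODS/GCF projects: key permissions (step 3), that the certificate and key in the step-5 variables belong together, the DN to hand to iadmin aua (steps 6-7), and that .irodsEnv uses GSI and pins exactly the host certificate's subject. It assumes openssl is installed; the identities and the .irodsEnv fragment in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page or the iRODS/GCF projects): checks a client
# admin can run before 'ils', covering steps 3 and 5-7 of the client setup and the
# irodsServerDn pin of the server-authentication section. Assumes openssl is installed.
set -e

# 0 if the private key is mode 0600 (step 3); GSI refuses keys readable by others.
key_mode_ok() { [ -n "$(find "$1" -prune -perm 600 -print)" ]; }

# 0 if the certificate's public key matches the private key (a swapped cert/key pair fails).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Subject DN in the slash form expected by 'iadmin aua' and irodsServerDn
# (-nameopt compat keeps that form on OpenSSL 1.x and 3.x).
subject_dn() { openssl x509 -in "$1" -subject -noout -nameopt compat | sed 's/^subject= *//'; }

# Value of one .irodsEnv key, with or without the surrounding single quotes.
irods_env_value() { sed -n "s/^$2 *'\{0,1\}\([^']*\)'\{0,1\}.*/\1/p" "$1"; }

# 0 if .irodsEnv ($1) selects GSI and pins exactly the subject DN of the host
# certificate ($2), so the client rejects a server presenting any other identity.
server_dn_pinned() {
    [ "$(irods_env_value "$1" irodsAuthScheme)" = "GSI" ] &&
    [ "$(irods_env_value "$1" irodsServerDn)" = "$(subject_dn "$2")" ]
}

# Run the client-side checks against the step-5 variables; prints the DN for 'iadmin aua'.
preflight() {
    key_mode_ok "$X509_USER_KEY" || { echo "key is not mode 0600" >&2; return 1; }
    cert_matches_key "$X509_USER_CERT" "$X509_USER_KEY" || { echo "cert/key mismatch" >&2; return 1; }
    subject_dn "$X509_USER_CERT"
}

# Constructed self-signed identity: dir, file prefix (alice, host), CN. Offline test data only.
make_test_identity() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2key.pem" -out "$1/$2cert.pem" \
        -subj "/CN=$3" -days 1 >/dev/null 2>&1
    chmod 600 "$1/$2key.pem"
}
```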