wiki:iRODSwithGSI

Version 2 (modified by Jeanne Ohren, 7 years ago) (diff)

--

Using iRODS with Grid Security Infrastructure (GSI)

Overview

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at Protogeni Utah.

Configuration

iRODS server: pc475.emulab.net
iRODS client: pc321.emulab.net

Installation

Server

  1. Software must be installed as a non-root user so I created a "globus" user:
        sudo mkuser -m -s /bin/bash globus
        sudo passwd globus
    
  1. Install the libltdl-dev package
       sudo apt-get install libltdl-dev
    
  1. Change to the globus user
        su - globus
    
  1. Download iRODS and GSI software to the globus home directory.
  1. Build GSI
     cd /home/globus
     tar -zxvf gt5.2.2-all-source-installer.tar.gz
     cd gt5.2.2-all-source-installer
     export GLOBUS_LOCATION=/usr/local/globus
     ./configure --prefix $GLOBUS_LOCATION
     make globus-gsi
    
  1. A few tweaks I had to make to get iRODS to build
    cd /usr/local/globus/include/globus
    ln -s gcc64dbg/globus_config.h 
    
    cd /usr/local/globus
    mv lib/perl lib64
    mv lib lib.old
    ln -s lib64 lib
    
  1. Build iRODS
      cd /home/globus/iRODS
      ./irodssetup
    
    

Answers to the irods questions:

globus@pc:~/iRODS$ ./irodssetup 

    Include additional prompts for advanced settings [no]? no
    Build an iRODS server [yes]? yes
    Make this Server ICAT-Enabled [yes]?  yes
    iRODS zone name [tempZone]? tempZone 
    iRODS login name [rods]? rods
    Password [rods]? rods
    Download and build a new Postgres DBMS [yes]? yes
    New Postgres directory? /home/globus/iRODS/postgres
    New database login name [globus]? globus
    Password? globus
    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
    Include GSI [no]? yes
    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
    GSI Install Type to use (or 'none')? globus
    Include Kerberos [no]? no
    Include the NCCS Auditing extensions [no]? no
    Save configuration (irods.config) [yes]? yes
  1. Add the following to /home/globus/.bashrc
    export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
    export GLOBUS_LOCATION=/usr/local/globus
    export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
    
    

Client

Same as the server only answer "no" to the following question during irodssetup:

    Build an iRODS server [yes]? no

Setting up the certificates

I configured two different types of certificates: CILogon and GENI/GCF certificates.

In both cases, I needed the following:

  • Two different cert/key pairs: one for the client and one for the server.
  • The CA certificates

CiLogon

I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

  1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link.

This should download a PKCS12 format certificate.

  1. You will need to convert the p12 file to the cert and key files:
      openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
      openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
      openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
      openssl pkcs12 -in user3cred.p12 -nocerts -out hostkey.pem
    

NOTE: server pair must be named hostcert.pem and hostkey.pem

  1. You will need to strip the password from the host key (iRODS does not support host keys with passphrases).
        openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
    
  1. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:

  • A cert/key pair for the iRODS client
  • A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
  • The CA certificate tarball
Server
  1. Create the directory /home/globus/.globus
        mkdir /home/globus/.globus
    
  1. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus
        mv /tmp/hostkey.pem /home/globus/.globus
        mv /tmp/hostcert.pem /home/globus/.globus
    
  1. Change the permissions of the hostkey.pem to 0600
        chmod 600 /home/globus/.globus/hostkey.pem
    

Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus

    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
    mv cilogon-ca/certificates /home/globus/.globus
Client

You can do this as any user. I used user johren.

  1. Create the directory /home/johren/.globus
        mkdir /home/johren/.globus
    
  1. Place the userkey.pem and usercert.pem files in /home/johren/.globus
        mv /tmp/userkey.pem /home/johren/.globus
        mv /tmp/usercert.pem /home/johren/.globus
    
  1. Change the permissions of the userkey.pem to 0600
        chmod 600 /home/johren/.globus/userkey.pem
    

Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus

    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
    mv cilogon-ca/certificates /home/globus/.globus
  1. Set the environment
        export X509_CERT_DIR=/home/johren/.globus/certificates
        export X509_USER_CERT=/home/johren/.globus/usercert.pem
        export X509_USER_KEY=/home/johren/.globus/userkey.pem
    
  1. Create the proxy certificate
        cd /home/johren/.globus
        /usr/local/johren/bin/grid-proxy-init -debug
    

Output should look something like this:

User Cert File: /users/johren/.globus/cilogon/usercert.pem
User Key File: /users/johren/.globus/cilogon/userkey.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
  1. Verify the proxy certificate
        /usr/local/johren/bin/grid-proxy-init -debug -verify
    

Configuring iRODS

Server

Client

References

Attachments (3)

Download all attachments as: .zip