Version 2 (modified by Jeanne Ohren, 10 years ago)


Using iRODS with Grid Security Infrastructure (GSI)


This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at ProtoGENI Utah.


iRODS server:
iRODS client:



  1. Software must be installed as a non-root user, so I created a "globus" user:
        sudo useradd -m -s /bin/bash globus
        sudo passwd globus
  1. Install the libltdl-dev package
       sudo apt-get install libltdl-dev
  1. Change to the globus user
        su - globus
  1. Download iRODS and GSI software to the globus home directory.
  1. Build GSI
     cd /home/globus
     tar -zxvf gt5.2.2-all-source-installer.tar.gz
     cd gt5.2.2-all-source-installer
     export GLOBUS_LOCATION=/usr/local/globus
     ./configure --prefix $GLOBUS_LOCATION
     make globus-gsi
  1. A few tweaks I had to make to get iRODS to build
    cd /usr/local/globus/include/globus
    ln -s gcc64dbg/globus_config.h 
    cd /usr/local/globus
    mv lib/perl lib64
    mv lib lib.old
    ln -s lib64 lib
  1. Build iRODS
      cd /home/globus/iRODS

Answers to the irodssetup questions:

globus@pc:~/iRODS$ ./irodssetup 

    Include additional prompts for advanced settings [no]? no
    Build an iRODS server [yes]? yes
    Make this Server ICAT-Enabled [yes]?  yes
    iRODS zone name [tempZone]? tempZone 
    iRODS login name [rods]? rods
    Password [rods]? rods
    Download and build a new Postgres DBMS [yes]? yes
    New Postgres directory? /home/globus/iRODS/postgres
    New database login name [globus]? globus
    Password? globus
    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
    Include GSI [no]? yes
    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
    GSI Install Type to use (or 'none')? globus
    Include Kerberos [no]? no
    Include the NCCS Auditing extensions [no]? no
    Save configuration (irods.config) [yes]? yes
  1. Add the following to /home/globus/.bashrc
    export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
    export GLOBUS_LOCATION=/usr/local/globus


The client installation is the same as the server's, except that you answer "no" to the following question during irodssetup:

    Build an iRODS server [yes]? no

Setting up the certificates

I configured two different types of certificates: CILogon and GENI/GCF certificates.

In both cases, I needed the following:

  • Two different cert/key pairs: one for the client and one for the server.
  • The CA certificates


I logged into and used two different Google accounts to get the two cert/key pairs.

  1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link.

This should download a PKCS12 format certificate.

  1. You will need to convert the p12 file to the cert and key files:
      openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
      openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
      openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
      openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem

NOTE: server pair must be named hostcert.pem and hostkey.pem

  1. You will need to strip the passphrase from the host key (iRODS does not support host keys with passphrases).
        openssl rsa -in /tmp/hostkey.pem -out /tmp/hostkey-nopass.pem
        mv /tmp/hostkey-nopass.pem /tmp/hostkey.pem
  1. Download the CA certificates from

You should end up with the following:

  • A cert/key pair for the iRODS client
  • A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
  • The CA certificate tarball
  1. Create the directory /home/globus/.globus
        mkdir /home/globus/.globus
  1. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus
        mv /tmp/hostkey.pem /home/globus/.globus
        mv /tmp/hostcert.pem /home/globus/.globus
  1. Change the permissions of the hostkey.pem to 0600
        chmod 600 /home/globus/.globus/hostkey.pem
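
A quick check of the host credential after these steps, as an added example that is not part of the original page: `check_gsi_pair` is a hypothetical helper that confirms the key is not group/other accessible, carries no passphrase, and matches the certificate. It assumes GNU `stat` and that the first certificate in the cert file is the host certificate.

```shell
#!/bin/sh
# Added example: sanity-check a GSI cert/key pair before starting iRODS.
# check_gsi_pair is a hypothetical helper name, not part of iRODS or Globus.
# Return codes: 0 ok, 1 missing file, 2 key permissions too open,
#               3 key still passphrase-protected, 4 cert and key do not match.
check_gsi_pair() {
    cert=$1
    key=$2

    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing: $cert or $key" >&2; return 1; }

    # The private key must not be accessible to group or other (0600 or 0400).
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "$key has mode $mode, expected 600" >&2; return 2 ;;
    esac

    # Both the traditional ("Proc-Type: 4,ENCRYPTED") and the PKCS#8
    # ("BEGIN ENCRYPTED PRIVATE KEY") PEM forms mark a passphrase-protected key.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key is passphrase-protected" >&2
        return 3
    fi

    # Compare the public key in the certificate with the one derived from
    # the private key; a mismatch means the p12 files were mixed up.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout) || return 4
    [ "$cert_pub" = "$key_pub" ] || { echo "cert/key mismatch" >&2; return 4; }

    return 0
}

# Usage on the server described above:
#   check_gsi_pair /home/globus/.globus/hostcert.pem /home/globus/.globus/hostkey.pem
```

The same function works for the client pair (usercert.pem and userkey.pem) if the user key has also had its passphrase removed; otherwise return code 3 is expected there.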

Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus

    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
    mv cilogon-ca/certificates /home/globus/.globus

You can do the client-side setup as any user. I used user johren.

  1. Create the directory /home/johren/.globus
        mkdir /home/johren/.globus
  1. Place the userkey.pem and usercert.pem files in /home/johren/.globus
        mv /tmp/userkey.pem /home/johren/.globus
        mv /tmp/usercert.pem /home/johren/.globus
  1. Change the permissions of the userkey.pem to 0600
        chmod 600 /home/johren/.globus/userkey.pem

Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus

    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
    mv cilogon-ca/certificates /home/johren/.globus
  1. Set the environment
        export X509_CERT_DIR=/home/johren/.globus/certificates
        export X509_USER_CERT=/home/johren/.globus/usercert.pem
        export X509_USER_KEY=/home/johren/.globus/userkey.pem
  1. Create the proxy certificate
        cd /home/johren/.globus
        /usr/local/johren/bin/grid-proxy-init -debug

Output should look something like this:

User Cert File: /users/johren/.globus/cilogon/usercert.pem
User Key File: /users/johren/.globus/cilogon/userkey.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
  1. Verify the proxy certificate
        /usr/local/johren/bin/grid-proxy-init -debug -verify

Configuring iRODS



