Using iRODS with Grid Security Infrastructure (GSI)

Overview

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at Protogeni Utah.

Configuration

iRODS server: pc475.emulab.net
iRODS client: pc321.emulab.net

Installation

Server

1. Software must be installed as a non-root user so I created a "globus" user:

       sudo mkuser -m -s /bin/bash globus
       sudo passwd globus
   

2. Install the libltdl-dev package

      sudo apt-get install libltdl-dev
   

3. Change to the globus user

       su - globus
   

4. Download iRODS and GSI software to the globus home directory.

• iRODS 3.2: ​http://irods.sdsc.edu/download.html
• GSI: ​http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz

5. Build GSI

    cd /home/globus
    tar -zxvf gt5.2.2-all-source-installer.tar.gz
    cd gt5.2.2-all-source-installer
    export GLOBUS_LOCATION=/usr/local/globus
    ./configure --prefix $GLOBUS_LOCATION
    make globus-gsi
   

6. A few tweaks I had to make to get iRODS to build

   cd /usr/local/globus/include/globus
   ln -s gcc64dbg/globus_config.h 
   
   cd /usr/local/globus
   mv lib/perl lib64
   mv lib lib.old
   ln -s lib64 lib
   

7. Build iRODS

     cd /home/globus/iRODS
     ./irodssetup
   
   

Answers to the irods questions:

globus@pc:~/iRODS$ ./irodssetup 

    Include additional prompts for advanced settings [no]? no
    Build an iRODS server [yes]? yes
    Make this Server ICAT-Enabled [yes]?  yes
    iRODS zone name [tempZone]? tempZone 
    iRODS login name [rods]? rods
    Password [rods]? rods
    Download and build a new Postgres DBMS [yes]? yes
    New Postgres directory? /home/globus/iRODS/postgres
    New database login name [globus]? globus
    Password? globus
    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
    Include GSI [no]? yes
    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
    GSI Install Type to use (or 'none')? globus
    Include Kerberos [no]? no
    Include the NCCS Auditing extensions [no]? no
    Save configuration (irods.config) [yes]? yes

8. Add the following to /home/globus/.bashrc

   export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
   export GLOBUS_LOCATION=/usr/local/globus
   export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
   
   

Client

Same as the server only answer "no" to the following question during irodssetup:

    Build an iRODS server [yes]? no

Setting up the certificates

I configured two different types of certificates: CILogon and GENI/GCF certificates.

In both cases, I needed the following:

• Two different cert/key pairs: one for the client and one for the server.
• The CA certificates

CiLogon

I logged into ​https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link.

This should download a PKCS12 format certificate.

2. You will need to convert the p12 file to the cert and key files:

     openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
     openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
     openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
     openssl pkcs12 -in user3cred.p12 -nocerts -out hostkey.pem
   

NOTE: server pair must be named hostcert.pem and hostkey.pem

3. You will need to strip the password from the host key (iRODS does not support host keys with passphrases).

       openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
   

4. Download the CA certificates from ​https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:

• A cert/key pair for the iRODS client
• A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
• The CA certificate tarball

Server

1. Create the directory /home/globus/.globus

       mkdir /home/globus/.globus
   

2. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus

       mv /tmp/hostkey.pem /home/globus/.globus
       mv /tmp/hostcert.pem /home/globus/.globus
   

3. Change the permissions of the hostkey.pem to 0600

       chmod 600 /home/globus/.globus/hostkey.pem
   

Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus

    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
    mv cilogon-ca/certificates /home/globus/.globus

Client

You can do this as any user. I used user johren.

1. Create the directory /home/johren/.globus

       mkdir /home/johren/.globus
   

2. Place the userkey.pem and usercert.pem files in /home/johren/.globus

       mv /tmp/userkey.pem /home/johren/.globus
       mv /tmp/usercert.pem /home/johren/.globus
   

3. Change the permissions of the userkey.pem to 0600

       chmod 600 /home/johren/.globus/userkey.pem
   

Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus

    tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
    mv cilogon-ca/certificates /home/globus/.globus

4. Set the environment

       export X509_CERT_DIR=/home/johren/.globus/certificates
       export X509_USER_CERT=/home/johren/.globus/usercert.pem
       export X509_USER_KEY=/home/johren/.globus/userkey.pem
   

4. Create the proxy certificate

       cd /home/johren/.globus
       /usr/local/johren/bin/grid-proxy-init -debug
   

Output should look something like this:

User Cert File: /users/johren/.globus/cilogon/usercert.pem
User Key File: /users/johren/.globus/cilogon/userkey.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700

5. Verify the proxy certificate

       /usr/local/johren/bin/grid-proxy-init -debug -verify
   

Configuring iRODS

Server

Client

References