[[PageOutline]]

== Using iRODS with Grid Security Infrastructure (GSI) ==

=== Overview ===

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at ProtoGENI Utah.

=== Configuration ===

iRODS server: pc475.emulab.net[[BR]]
iRODS client: pc321.emulab.net

=== Installation ===

==== Server ====

 1. Software must be installed as a non-root user, so I created a "globus" user:
{{{
# useradd is the Ubuntu command for this (mkuser is AIX-only)
sudo useradd -m -s /bin/bash globus
sudo passwd globus
}}}
 2. Install the libltdl-dev package:
{{{
sudo apt-get install libltdl-dev
}}}
 3. Change to the globus user:
{{{
su - globus
}}}
 4. Download the iRODS and GSI software to the globus home directory:
  * iRODS 3.2: http://irods.sdsc.edu/download.html
  * GSI: http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz
 5. Build GSI:
{{{
cd /home/globus
tar -zxvf gt5.2.2-all-source-installer.tar.gz
cd gt5.2.2-all-source-installer
export GLOBUS_LOCATION=/usr/local/globus
./configure --prefix $GLOBUS_LOCATION
make globus-gsi
}}}
 6. A few tweaks I had to make to get iRODS to build:
{{{
cd /usr/local/globus/include/globus
ln -s gcc64dbg/globus_config.h
cd /usr/local/globus
mv lib/perl lib64
mv lib lib.old
ln -s lib64 lib
}}}
 7. Build iRODS:
{{{
cd /home/globus/iRODS
./irodssetup
}}}
 Answers to the irodssetup questions:
{{{
globus@pc:~/iRODS$ ./irodssetup
Include additional prompts for advanced settings [no]? no
Build an iRODS server [yes]? yes
Make this Server ICAT-Enabled [yes]? yes
iRODS zone name [tempZone]? tempZone
iRODS login name [rods]? rods
Password [rods]? rods
Download and build a new Postgres DBMS [yes]? yes
New Postgres directory? /home/globus/iRODS/postgres
New database login name [globus]? globus
Password? globus
PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
ODBC version [unixODBC-2.2.12.tar.gz]? unixODBC-2.2.12.tar.gz
Include GSI [no]? yes
GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
GSI Install Type to use (or 'none')? globus
Include Kerberos [no]? no
Include the NCCS Auditing extensions [no]? no
Save configuration (irods.config) [yes]? yes
}}}
 8. Add the following to /home/globus/.bashrc:
{{{
export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
export GLOBUS_LOCATION=/usr/local/globus
export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
}}}

==== Client ====

Same as the server, except answer "no" to the following question during irodssetup:
{{{
Build an iRODS server [yes]? no
}}}

=== Setting up the certificates ===

I configured two different types of certificates: CILogon and GENI/GCF certificates. In both cases, I needed the following:
 * Two different cert/key pairs: one for the client and one for the server.
 * The CA certificates

==== CILogon ====

I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

 1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link. This should download a PKCS12 format certificate.
 2. You will need to convert each p12 file into separate cert and key files:
{{{
openssl pkcs12 -in user1cred.p12 -nokeys  -out usercert.pem
openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
openssl pkcs12 -in user2cred.p12 -nokeys  -out hostcert.pem
openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem
}}}
 NOTE: the server pair must be named hostcert.pem and hostkey.pem.
 3. You will need to strip the passphrase from the host key (iRODS does not support host keys with passphrases):
{{{
openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
}}}
 4. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:
 * A cert/key pair for the iRODS client
 * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
 * The CA certificate tarball

===== Server =====

 1. Create the directory /home/globus/.globus:
{{{
mkdir /home/globus/.globus
}}}
 2. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus:
{{{
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
}}}
 3. Change the permissions of hostkey.pem to 0600:
{{{
chmod 600 /home/globus/.globus/hostkey.pem
}}}
 4. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus:
{{{
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/globus/.globus
}}}

===== Client =====

You can do this as any user. I used user johren.

 1. Create the directory /home/johren/.globus:
{{{
mkdir /home/johren/.globus
}}}
 2. Place the userkey.pem and usercert.pem files in /home/johren/.globus:
{{{
mv /tmp/userkey.pem /home/johren/.globus
mv /tmp/usercert.pem /home/johren/.globus
}}}
 3. Change the permissions of userkey.pem to 0600:
{{{
chmod 600 /home/johren/.globus/userkey.pem
}}}
 4. Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus:
{{{
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/johren/.globus
}}}
 5. Set the environment:
{{{
export X509_CERT_DIR=/home/johren/.globus/certificates
export X509_USER_CERT=/home/johren/.globus/usercert.pem
export X509_USER_KEY=/home/johren/.globus/userkey.pem
}}}
 6. Create the proxy certificate:
{{{
cd /home/johren/.globus
/usr/local/johren/bin/grid-proxy-init -debug
}}}
 Output should look something like this:
{{{
User Cert File: /users/johren/.globus/cilogon/usercert.pem
User Key File: /users/johren/.globus/cilogon/userkey.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
}}}
 7. Verify the proxy certificate:
{{{
/usr/local/johren/bin/grid-proxy-init -debug -verify
}}}

=== Configuring iRODS ===

==== Server ====

==== Client ====

=== References ===
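As an added check for the certificate setup described above (an example written for this page, not part of the original wiki text and not iRODS or Globus code): a small POSIX shell script that verifies a GSI credential layout before iRODS is started. It confirms that the private key is mode 0600, that the key has no passphrase (the point of the "openssl rsa" step), that the certificate and key actually belong together (a cert from one account paired with the key from another is an easy mistake when two p12 files are converted), that the certificate is still valid, and that the trusted-CA directory holds at least one hashed CA file. The function names are mine; the default paths assume the /home/globus/.globus layout used above, and the client's usercert.pem/userkey.pem can be checked by passing those paths as arguments. It needs only openssl, stat and a POSIX sh.

```shell
#!/bin/sh
# Added example for this page (not iRODS or Globus code): pre-flight checks on a
# GSI cert/key pair and trusted-CA directory before starting iRODS.
# Default paths assume the server layout used above; pass other paths as
# arguments to check a client's usercert.pem/userkey.pem instead.

# Private key must be readable by its owner only (0600 or 0400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null || echo missing)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "FAIL: $1 has mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# Key must load with an empty passphrase: iRODS cannot use a host key that prompts.
key_unencrypted() {
    if openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1; then
        return 0
    fi
    echo "FAIL: $1 is encrypted or unreadable; strip the passphrase with 'openssl rsa'" >&2
    return 1
}

# Public key embedded in the certificate must equal the one derived from the
# private key; this catches a cert from one account paired with another's key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    echo "FAIL: public key in $1 does not match $2" >&2
    return 1
}

# Certificate must be inside its validity period right now (-checkend 0).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 && return 0
    echo "FAIL: $1 has expired" >&2
    return 1
}

# Trusted-CA directory must exist and hold at least one <hash>.0 CA file,
# the naming Globus expects in X509_CERT_DIR.
ca_dir_ok() {
    [ -d "$1" ] || { echo "FAIL: CA dir $1 missing" >&2; return 1; }
    for f in "$1"/*.0; do
        [ -f "$f" ] && return 0
    done
    echo "FAIL: no <hash>.0 CA certificates in $1" >&2
    return 1
}

# Run every check; the return value is the number of failed checks (0 = ready).
check_gsi_credentials() {
    cert=${1:-/home/globus/.globus/hostcert.pem}
    key=${2:-/home/globus/.globus/hostkey.pem}
    cadir=${3:-/home/globus/.globus/certificates}
    failures=0
    key_perms_ok "$key"             || failures=$((failures + 1))
    key_unencrypted "$key"          || failures=$((failures + 1))
    cert_matches_key "$cert" "$key" || failures=$((failures + 1))
    cert_not_expired "$cert"        || failures=$((failures + 1))
    ca_dir_ok "$cadir"              || failures=$((failures + 1))
    return $failures
}
```

Run it on the server as the globus user with no arguments, or on the client as `check_gsi_credentials ~/.globus/usercert.pem ~/.globus/userkey.pem ~/.globus/certificates`; each failed check prints one FAIL line naming the file, and a zero exit status means the layout matches what the steps above produce.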