[[PageOutline]]

== Using iRODS with Grid Security Infrastructure (GSI) ==

=== Overview ===

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at Protogeni Utah.

=== Configuration ===

iRODS server: pc475.emulab.net[[BR]]
iRODS client: pc321.emulab.net

=== Results ===

I was able to execute an ils command from client to server with each of the following certificate configurations:

==== Using a regular X509 certificate ====

I used both !CiLogon and GENI/GCF certificates to access the "alice" account on the iRODS server. The difference between the two types of certificates was getting the client and host certificates and CA certificates into the appropriate format. In both cases, a certificate and private key pair was installed on both the iRODS client and iRODS server. The client's subject DN was added as a "user authentication-name" to the appropriate account on the iRODS server.

[[Image(GENIcert.jpg)]]

==== Using a regular X509 certificate with server authentication ====

Using the same regular X509 certificate configuration, I was able to add server authentication by adding the subject DN of the iRODS server certificate (hostcert.pem) to the irodsEnv on the client. This was specified using the irodsServerDn parameter.

[[Image(ServerAuth.jpg)]]

==== Using a proxy certificate ====

I used proxy certificates generated two different ways to access the alice account on the iRODS server. The first proxy certificate was generated using the Globus grid-proxy-init command. The second proxy certificate was generated using openssl commands. Both of these methods worked. See details [http://groups.geni.net/geni/wiki/iRODSwithGSI#GCFwgrid-proxy-init below].

[[Image(ProxyCert.jpg)]]

=== Installation ===

These are the details of how I configured each of the different scenarios.

==== Server ====

 1. Software must be installed as a non-root user, so I created a "globus" user:
{{{
sudo useradd -m -s /bin/bash globus
sudo passwd globus
}}}
 2. Install the libltdl-dev package:
{{{
sudo apt-get install libltdl-dev
}}}
 3. Make the directory in which GSI will be installed:
{{{
sudo mkdir /usr/local/globus
sudo chmod a+w /usr/local/globus
}}}
 4. Change to the globus user:
{{{
su - globus
}}}
 5. Download iRODS and GSI software to the globus home directory.
  * iRODS 3.2: http://irods.sdsc.edu/download.html
  * GSI: http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz
 6. Build GSI:
{{{
cd /home/globus
tar -zxvf gt5.2.2-all-source-installer.tar.gz
cd gt5.2.2-all-source-installer
export GLOBUS_LOCATION=/usr/local/globus
./configure --prefix $GLOBUS_LOCATION
make globus-gsi
}}}
 7. A few tweaks I had to make to get iRODS to build:
{{{
cd /usr/local/globus/include/globus
ln -s gcc64dbg/globus_config.h
cd /usr/local/globus
mv lib/perl lib64
mv lib lib.old
ln -s lib64 lib
}}}
 8. Build iRODS:
{{{
cd /home/globus/iRODS
./irodssetup
}}}
 Answers to the irodssetup questions:
{{{
globus@pc:~/iRODS$ ./irodssetup
Include additional prompts for advanced settings [no]? no
Build an iRODS server [yes]? yes
Make this Server ICAT-Enabled [yes]? yes
iRODS zone name [tempZone]? tempZone
iRODS login name [rods]? rods
Password [rods]? rods
Download and build a new Postgres DBMS [yes]? yes
New Postgres directory? /home/globus/iRODS/postgres
New database login name [globus]? globus
Password? globus
PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
ODBC version [unixODBC-2.2.12.tar.gz]? unixODBC-2.2.12.tar.gz
Include GSI [no]? yes
GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
GSI Install Type to use (or 'none')? globus
Include Kerberos [no]? no
Include the NCCS Auditing extensions [no]? no
Save configuration (irods.config) [yes]? yes
}}}
 9. Add the following to /home/globus/.bashrc:
{{{
export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
export GLOBUS_LOCATION=/usr/local/globus
export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
}}}

==== Client ====

Same as the server, only answer "no" to the following question during irodssetup:
{{{
Build an iRODS server [yes]? no
}}}

=== Configuring iRODS ===

==== Server ====

 1. Make the .irods subdirectory:
{{{
mkdir /home/globus/.irods
}}}
 2. Configure the iRODS client on the server node to use the rods user in file /home/globus/.irods/.irodsEnv:
{{{
# iRODS server host name:
irodsHost 'pc475.emulab.net'
# iRODS server port number:
irodsPort 1247
# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/rods'
# Current directory in iRODS:
irodsCwd '/tempZone/home/rods'
# Account name:
irodsUserName 'rods'
# Zone:
irodsZone 'tempZone'
}}}
 3. Create users (I had alice). A password is not needed since we will be using GSI:
{{{
iadmin mkuser alice rodsuser
}}}
 4. We will add user authentication ids later, after we set up certificates.

==== Client ====

 1. Make the .irods subdirectory:
{{{
mkdir /home/globus/.irods
}}}
 2. Configure the iRODS client on the client node to use GSI authentication and the alice user. Create file /home/globus/.irods/.irodsEnv with contents similar to the following:
{{{
irodsHost 'pc475.emulab.net'
# iRODS server port number:
irodsPort 1247
# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/alice'
# Current directory in iRODS:
irodsCwd '/tempZone/home/alice'
# Account name:
irodsUserName 'alice'
# Zone:
irodsZone 'tempZone'
irodsAuthScheme GSI
}}}

=== Setting up the certificates ===

I configured three different types of certificates: CILogon, GENI/GCF certificates with grid-proxy-init, and GENI/GCF with an openssl-generated proxy.
In all cases, I needed the following:
 * Two different cert/key pairs: one for the client and one for the server.
 * A proxy certificate
 * The CA certificates

==== !CiLogon ====

I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

 1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link. This should download a PKCS12 format certificate.
 2. You will need to convert the p12 files to the cert and key files:
{{{
openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem
}}}
 NOTE: the server pair must be named hostcert.pem and hostkey.pem.
 3. You will need to strip the password from the host key (iRODS does not support host keys with passphrases):
{{{
openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
}}}
 4. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:
 * A cert/key pair for the iRODS client
 * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
 * The CA certificate tarball

===== Server =====

 1. Create the directory /home/globus/.globus:
{{{
mkdir /home/globus/.globus
}}}
 2. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus:
{{{
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
}}}
 3. Change the permissions of hostkey.pem to 0600:
{{{
chmod 600 /home/globus/.globus/hostkey.pem
}}}
 4. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus:
{{{
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/globus/.globus
}}}

===== Client =====

You can do this as any user. I used user globus.

 1. Create the directory /home/globus/.globus:
{{{
mkdir /home/globus/.globus
}}}
 2. Place the userkey.pem and usercert.pem files in /home/globus/.globus:
{{{
mv /tmp/userkey.pem /home/globus/.globus
mv /tmp/usercert.pem /home/globus/.globus
}}}
 3. Change the permissions of userkey.pem to 0600:
{{{
chmod 600 /home/globus/.globus/userkey.pem
}}}
 4. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus:
{{{
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/globus/.globus
}}}
 5. Set the environment:
{{{
export X509_CERT_DIR=/home/globus/.globus/certificates
export X509_USER_CERT=/home/globus/.globus/usercert.pem
export X509_USER_KEY=/home/globus/.globus/userkey.pem
}}}
 6. Create the proxy certificate:
{{{
cd /home/globus/.globus
/usr/local/globus/bin/grid-proxy-init -debug
}}}
 Output should look something like this:
{{{
User Cert File: /users/globus/.globus/usercert.pem
User Key File: /users/globus/.globus/userkey.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy .++++++++++++
....................++++++++++++
 Done
Your proxy is valid until: Fri Nov 30 19:26:51 2012
}}}
 The proxy certificate will be created in /tmp with a file name of the format x509up_uXXXXX, where XXXXX is the id of the user running the grid-proxy-init command.
 7. Verify the proxy certificate:
{{{
/usr/local/globus/bin/grid-proxy-init -debug -verify
}}}
 Output should look something like this:
{{{
User Cert File: /users/globus/.globus/usercert.pem
User Key File: /users/globus/.globus/userkey.pem
Trusted CA Cert Dir: /users/globus/.globus/certificates/
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy ..............................++++++++++++
......++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:27:15 2012
}}}
 8. Unset X509_USER_CERT and X509_USER_KEY so that the proxy certificate is used:
{{{
unset X509_USER_CERT
unset X509_USER_KEY
}}}
 9. Go back to the '''iRODS server''' and add the user authentication id. The identity is the one shown in the output of grid-proxy-init above:
{{{
iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700'
}}}
 10. Now you will be able to run ils:
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

==== GCF w/ grid-proxy-init ====

I downloaded the GCF code () to generate GENI certificates from my own clearing house.

 1. Ran src/gen-certs.py to generate certificates for both host and client:
{{{
./src/gen-certs.py
./src/gen-certs.py --notAll --exp -u host
./src/gen-certs.py --notAll --exp -u alice
}}}
 2. Configure the root CA certificates. These can be found in the trusted_roots directory generated above. However, a hash link and a signing_policy need to be created for each cert.

 2a. Go to the trusted_roots directory:
{{{
cd trusted_roots
}}}
 2b. For each certificate, determine the hash of the certificate and create the link:
{{{
globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout
0894ffd6
globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0
}}}
 2c. Determine the issuer of each certificate (shown here for ch-cert.pem):
{{{
openssl x509 -in ch-cert.pem -issuer -noout
}}}
 2d. Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following (where access_id_CA is the issuer of the CA found in step 2c):
{{{
access_id_CA      X509         '/CN=geni//gpo//gcf.authority.sa'
pos_rights        globus       CA:sign
cond_subjects     globus       '/*'
}}}
 2e. Create a symlink to the signing policy using the hash determined above:
{{{
ln -s ch-cert.signing_policy 0894ffd6.signing_policy
}}}

You should end up with the following:
 * A cert/key pair for the iRODS client
 * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
 * The CA certificate directory

Your CA certificate directory (e.g. trusted_roots) should look something like this:
{{{
pc:~/.globus/certificates% ls -l
total 28
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   10 Nov 28 09:32 aacaba34.0 -> cacert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn  916 Nov 28 09:31 cacert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:53 cacert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  834 Nov 28 12:31 ch-cert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  116 Nov 28 09:54 ch-cert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:55 ma-cert.signing_policy
}}}

===== Server =====

 1. Create the directory /home/globus/.globus (if it doesn't already exist):
{{{
mkdir /home/globus/.globus
}}}
 2. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus:
{{{
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
}}}
 3. Change the permissions of hostkey.pem to 0600:
{{{
chmod 600 /home/globus/.globus/hostkey.pem
}}}
 4. Copy the CA certificates created above to /home/globus/.globus/certificates:
{{{
mkdir /home/globus/.globus/certificates
cp trusted_roots/* /home/globus/.globus/certificates
}}}

===== Client =====

 1. Create the directory /home/globus/.globus (if it doesn't already exist):
{{{
mkdir /home/globus/.globus
}}}
 2. Place the alice-key.pem and alice-cert.pem files in /home/globus/.globus:
{{{
mv /tmp/alice-key.pem /home/globus/.globus
mv /tmp/alice-cert.pem /home/globus/.globus
}}}
 3. Change the permissions of alice-key.pem to 0600:
{{{
chmod 600 /home/globus/.globus/alice-key.pem
}}}
 4. Copy the CA certificates created above to /home/globus/.globus/certificates:
{{{
mkdir /home/globus/.globus/certificates
cp trusted_roots/* /home/globus/.globus/certificates
}}}
 5. Set the environment:
{{{
export X509_CERT_DIR=/home/globus/.globus/certificates
export X509_USER_CERT=/home/globus/.globus/alice-cert.pem
export X509_USER_KEY=/home/globus/.globus/alice-key.pem
}}}
 6. Create the proxy certificate:
{{{
cd /home/globus/.globus
/usr/local/globus/bin/grid-proxy-init -debug
}}}
 Output should look something like this:
{{{
User Cert File: /home/globus/.globus/alice-cert.pem
User Key File: /home/globus/.globus/alice-key.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .......................................++++++++++++
.........++++++++++++
 Done
Your proxy is valid until: Fri Nov 30 19:57:41 2012
}}}
 7. Verify the proxy certificate:
{{{
/usr/local/globus/bin/grid-proxy-init -debug -verify
}}}
 Output should look something like this:
{{{
User Cert File: /home/globus/.globus/alice-cert.pem
User Key File: /home/globus/.globus/alice-key.pem
Trusted CA Cert Dir: /home/globus/.globus/certificates/
Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .++++++++++++
.....++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:57:56 2012
}}}
 8. Unset X509_USER_CERT and X509_USER_KEY so that the proxy certificate is used:
{{{
unset X509_USER_CERT
unset X509_USER_KEY
}}}
 9. Go back to the '''iRODS server''' and add the user authentication id. The identity is the one shown in the output of grid-proxy-init above:
{{{
iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
}}}
 10. Now you will be able to run ils:
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

==== GCF w/ openssl proxy cert ====

===== Server =====

Same as GCF w/ grid-proxy-init.

===== Client =====

Steps 1-3 are the same as GCF w/ grid-proxy-init.

 4. Get the subject from the GCF certificate (alice-cert.pem):
{{{
globus@pc:~/.globus$ openssl x509 -in alice-cert.pem -subject -noout
subject= /CN=geni//gpo//gcf.user.alice
}}}
 5. Create the CSR using csr.conf provided by Ezra (see attached). Accept the default answer for all except the "Common Name" questions. Give the subject (from the previous step, without the 'CN=') and your own 8 digit number:
{{{
globus@pc:~/.globus$ openssl req -new -config /tmp/csr.conf -out alice.csr -keyout alice-proxy.key
Generating a 1024 bit RSA private key
........++++++
.................++++++
writing new private key to 'alice-proxy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name "C" (2 letter code) []:
State Name "ST" (full name) []:
Locality Name "L" (eg, city) []:
Organization Name "O" (eg, company) []:
Organizational Unit Name "OU" (eg, section) []:
Common Name "CN" (eg, YOUR name) []:geni//gpo//gcf.user.alice
Email Address []:
Common Name "CN" (unique 8 digit number) []:12345678
}}}
 This should produce the csr and key files specified on the command line.
 6. Create the proxy certificate using the csr file generated in the previous step as well as alice-cert.pem and alice-key.pem:
{{{
globus@pc:~/.globus$ openssl x509 -req -CAcreateserial -in alice.csr -days 7 -out alice_proxy.pem -CA alice-cert.pem -CAkey alice-key.pem -extfile /tmp/csr.conf -extensions v3_proxy
Signature ok
subject=/CN=geni//gpo//gcf.user.alice/CN=12345678
Getting CA Private Key
}}}
 7. Concatenate the new proxy cert, the new private key, and the original certificate into a file named x509up_uXXXXX, where XXXXX is the globus user id (id -u):
{{{
globus@pc:~/.globus$ cat alice_proxy.pem > x509up_u20002
globus@pc:~/.globus$ cat alice-proxy.key >> x509up_u20002
globus@pc:~/.globus$ cat alice-cert.pem >> x509up_u20002
}}}
 8. Copy the concatenated certificate to /tmp and set the permissions to 0600:
{{{
cp x509up_u20002 /tmp
chmod 600 /tmp/x509up_u20002
}}}
 9. Run grid-proxy-info to get the identity of the proxy certificate:
{{{
globus@pc:~/.globus$ /usr/local/globus/bin/grid-proxy-info -f /tmp/x509up_u20002
subject  : /CN=geni//gpo//gcf.user.alice/CN=12345678
issuer   : /CN=geni//gpo//gcf.user.alice
identity : /CN=geni//gpo//gcf.user.alice/CN=12345678
type     : RFC 3820 compliant independent proxy
strength : 1024 bits
path     : /tmp/x509up_u20002
timeleft : 167:58:47  (7.0 days)
}}}
 10. Go back to the '''iRODS server''' and add the user authentication id using the identity from the previous step:
{{{
iadmin aua alice '/CN=geni//gpo//gcf.user.alice/CN=12345678'
}}}
 11. Now you will be able to run ils:
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

=== References ===

https://code.renci.org/gf/project/jargon/tracker/?action=TrackerItemEdit&tracker_item_id=132 [[BR]]
http://www.nordugrid.org/documents/certificate_howto.html [[BR]]
https://cilogon.org/ [[BR]]
https://www.irods.org/index.php/Grid_Security_Infrastructure
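The certificate preparation from the "Setting up the certificates" section above (stripping the passphrase and fixing the key permissions, then the hash link and signing_policy per CA of steps 2a-2e in the GCF section) collected into one script, as an added example that is not part of this page and not code from GENI, Globus or iRODS. It generalises steps 2a-2e to any number of CA files, skips bundles such as CATedCACerts.pem, and adds two checks the page does not make before the DN is registered with iadmin aua: that the certificate and key belong together, and that the certificate chains to a CA in the directory just built, using the same <hash>.0 links GSI uses. Assumptions: the script name gsi_credentials.sh is made up; only the openssl command line is used; the signing_policy names the CA by its own subject DN (for the self-signed roots used here this is the same string the page reads with openssl x509 -issuer), and the cond_subjects pattern is copied from the page.

```shell
#!/bin/sh
# gsi_credentials.sh (hypothetical name): prepare and check a GSI credential
# directory for the iRODS client. Uses only the openssl CLI.

# Write the key unencrypted with 0600 permissions (the page does this with
# "openssl rsa" because GSI cannot use a passphrase-protected key). Prompts
# for the passphrase if the input key is encrypted.
strip_passphrase() {   # $1 = input key, $2 = output key
    ( umask 077; openssl rsa -in "$1" -out "$2" ) || return 1
    chmod 600 "$2"
}

# Confirm the certificate and private key belong together by comparing the
# public key carried in each; a mismatch only shows up later as an obscure
# handshake failure, so it is worth checking up front.
cert_key_match() {   # $1 = cert PEM, $2 = key PEM; exit status 0 = match
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build an X509_CERT_DIR from a directory of CA certificates: for every file
# holding exactly one certificate create the <hash>.0 link, a signing_policy
# file and the <hash>.signing_policy link. Bundles are skipped because a hash
# link must point at a single CA. The policy names the CA by its subject DN
# (assumption: for a self-signed root this equals the issuer DN the page uses).
install_ca_dir() {   # $1 = source dir of CA PEMs, $2 = destination dir
    src=$1; dst=$2
    mkdir -p "$dst"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        base=$(basename "$pem")
        n=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
        [ "$n" -eq 1 ] || { echo "skipping $base: $n certificates" >&2; continue; }
        hash=$(openssl x509 -in "$pem" -hash -noout)
        # "compat" gives the one-line /X=.../Y=... form that signing_policy expects
        subj=$(openssl x509 -in "$pem" -subject -noout -nameopt compat | sed 's/^subject= *//')
        [ "$pem" -ef "$dst/$base" ] || cp "$pem" "$dst/$base"
        policy=${base%.pem}.signing_policy
        printf "access_id_CA      X509         '%s'\n" "$subj"  > "$dst/$policy"
        printf "pos_rights        globus       CA:sign\n"      >> "$dst/$policy"
        printf "cond_subjects     globus       '/*'\n"         >> "$dst/$policy"
        # two CAs can share a subject hash; lookups try .0, .1, ... in turn
        i=0; while [ -e "$dst/$hash.$i" ]; do i=$((i + 1)); done
        ln -s "$base" "$dst/$hash.$i"
        [ -e "$dst/$hash.signing_policy" ] || ln -s "$policy" "$dst/$hash.signing_policy"
    done
}

# Check that a certificate chains to a CA in the directory, through the same
# <hash>.0 links that GSI and "grid-proxy-init -verify" rely on.
verify_chain() {   # $1 = cert PEM, $2 = X509_CERT_DIR; exit status 0 = trusted
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Print the subject DN in the form "iadmin aua" expects.
identity_dn() {   # $1 = cert PEM
    openssl x509 -in "$1" -subject -noout -nameopt compat | sed 's/^subject= *//'
}

main() {   # usage: gsi_credentials.sh usercert.pem userkey.pem trusted_roots/ ~/.globus
    cert=$1; key=$2; roots=$3; dest=$4
    mkdir -p "$dest"
    [ "$cert" -ef "$dest/usercert.pem" ] || cp "$cert" "$dest/usercert.pem"
    strip_passphrase "$key" "$dest/userkey.pem"
    cert_key_match "$dest/usercert.pem" "$dest/userkey.pem" \
        || { echo "usercert.pem and userkey.pem do not match" >&2; exit 1; }
    install_ca_dir "$roots" "$dest/certificates"
    verify_chain "$dest/usercert.pem" "$dest/certificates" \
        || { echo "usercert.pem does not chain to a CA in $dest/certificates" >&2; exit 1; }
    echo "register on the iRODS server with: iadmin aua <user> '$(identity_dn "$dest/usercert.pem")'"
    echo "export X509_CERT_DIR=$dest/certificates"
    echo "export X509_USER_CERT=$dest/usercert.pem"
    echo "export X509_USER_KEY=$dest/userkey.pem"
}

if [ $# -eq 4 ]; then
    main "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 usercert.pem userkey.pem ca_dir dest_dir" >&2; exit 2
fi
```

Run it once on the client with the user credential and the CA directory (trusted_roots or the untarred cilogon-ca/certificates); the DN it prints is the one to pass to iadmin aua on the server, and the exported variables are the ones grid-proxy-init reads. If verify_chain fails, the CA directory is wrong or incomplete and grid-proxy-init -verify would fail for the same reason.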