wiki:iRODSwithGSI

Version 26 (modified by Jeanne Ohren, 11 years ago)


Using iRODS with Grid Security Infrastructure (GSI)

Overview

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at ProtoGENI Utah.

Configuration

iRODS server: pc475.emulab.net
iRODS client: pc321.emulab.net

Results

I was able to execute an ils command from client to server with each of the following certificate configurations:

Using a regular X509 certificate

I used both CILogon and GENI/GCF certificates to access the "alice" account on the iRODS server. The difference between the two types of certificates was in getting the client and host certificates and the CA certificates into the appropriate format. In both cases, a certificate and private key pair was installed on both the iRODS client and the iRODS server. The client's subject DN was added as a "user authentication-name" to the appropriate account on the iRODS server.

Using a regular X509 certificate with server authentication

Using the same regular X509 certificate configuration, I was able to add server authentication by adding the subject DN of the iRODS server certificate (hostcert.pem) to the irodsEnv on the client. This was specified using the irodsServerDn parameter.

Using a proxy certificate

I used proxy certificates generated two different ways to access the alice account on the iRODS server. The first proxy certificate was generated using the Globus grid-proxy-init command. The second proxy certificate was generated using openssl commands. Both of these methods worked. See details below.

Installation

These are the details of how I configured each of the different scenarios.

Server

  1. Software must be installed as a non-root user so I created a "globus" user:
        sudo useradd -m -s /bin/bash globus
        sudo passwd globus
    
  1. Install the libltdl-dev package
       sudo apt-get install libltdl-dev
    
  1. Make the directory in which GSI will be installed.
       sudo mkdir /usr/local/globus
       sudo chmod a+w /usr/local/globus
    
  1. Change to the globus user
        su - globus
    
  1. Download iRODS and GSI software to the globus home directory.
  1. Build GSI
     cd /home/globus
     tar -zxvf gt5.2.2-all-source-installer.tar.gz
     cd gt5.2.2-all-source-installer
     export GLOBUS_LOCATION=/usr/local/globus
     ./configure --prefix $GLOBUS_LOCATION
     make globus-gsi
    
  1. A few tweaks I had to make to get iRODS to build
    cd /usr/local/globus/include/globus
    ln -s gcc64dbg/globus_config.h 
    
    cd /usr/local/globus
    mv lib/perl lib64
    mv lib lib.old
    ln -s lib64 lib
    
  1. Build iRODS
      cd /home/globus/iRODS
      ./irodssetup
    
    

Answers to the irods questions:

globus@pc:~/iRODS$ ./irodssetup 

    Include additional prompts for advanced settings [no]? no
    Build an iRODS server [yes]? yes
    Make this Server ICAT-Enabled [yes]?  yes
    iRODS zone name [tempZone]? tempZone 
    iRODS login name [rods]? rods
    Password [rods]? rods
    Download and build a new Postgres DBMS [yes]? yes
    New Postgres directory? /home/globus/iRODS/postgres
    New database login name [globus]? globus
    Password? globus
    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
    Include GSI [no]? yes
    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
    GSI Install Type to use (or 'none')? globus
    Include Kerberos [no]? no
    Include the NCCS Auditing extensions [no]? no
    Save configuration (irods.config) [yes]? yes
  1. Add the following to /home/globus/.bashrc
    export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
    export GLOBUS_LOCATION=/usr/local/globus
    export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
    
    

Client

Same as the server, except answer "no" to the following question during irodssetup:

    Build an iRODS server [yes]? no

Configuring iRODS

Server

  1. Make the .irods subdirectory
       mkdir /home/globus/.irods
    
  1. Configure the iRODS client on the server node to use the rods user by putting the following in the file /home/globus/.irods/.irodsEnv
    # iRODS server host name:
    irodsHost 'pc475.emulab.net'
    # iRODS server port number:
    irodsPort 1247
    
    # Default storage resource name:
    irodsDefResource 'demoResc'
    # Home directory in iRODS:
    irodsHome '/tempZone/home/rods'
    # Current directory in iRODS:
    irodsCwd '/tempZone/home/rods'
    # Account name:
    irodsUserName 'rods'
    # Zone:
    irodsZone 'tempZone'
    
  1. Create users (I had alice). No password is needed since we will be using GSI.
       iadmin mkuser alice rodsuser
    
  1. We will add user authentication ids later after we set up certificates.

Client

  1. Make the .irods subdirectory
       mkdir /home/globus/.irods
    
  1. Configure the iRODS client on the client node to use GSI authentication and the alice user. Create file /home/globus/.irods/.irodsEnv with contents similar to the following.
    # iRODS server host name:
    irodsHost 'pc475.emulab.net'
    # iRODS server port number:
    irodsPort 1247
    
    # Default storage resource name:
    irodsDefResource 'demoResc'
    # Home directory in iRODS:
    irodsHome '/tempZone/home/alice'
    # Current directory in iRODS:
    irodsCwd '/tempZone/home/alice'
    # Account name:
    irodsUserName 'alice'
    # Zone:
    irodsZone 'tempZone'
    
    irodsAuthScheme GSI
    

Setting up the certificates

I configured four different types of certificates: CILogon, regular GENI/GCF certificates, GENI/GCF certificates with grid-proxy-init, and GENI/GCF with an openssl-generated proxy.

In all cases, I needed the following:

  • Two different cert/key pairs: one for the client and one for the server.
  • A proxy certificate
  • The CA certificates

CILogon

I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

  1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link. This should download a certificate in PKCS12 (.p12) format.

  1. You will need to convert each p12 file to separate cert and key files (the -nocerts output is a passphrase-protected private key):
      # client pair, from the first account
      openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
      openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
      # server pair, from the second account
      openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
      openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem
    

NOTE: server pair must be named hostcert.pem and hostkey.pem

  1. You will need to strip the passphrase from the host key (iRODS does not support host keys with passphrases):
        # writes an unencrypted copy of the key; it must be kept mode 0600 (see below)
        openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
    
  1. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:

  • A cert/key pair for the iRODS client
  • A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
  • The CA certificate tarball

Server
  1. Create the directory /home/globus/.globus
        mkdir /home/globus/.globus
    
  1. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus
        mv /tmp/hostkey.pem /home/globus/.globus
        mv /tmp/hostcert.pem /home/globus/.globus
    
  1. Change the permissions of the hostkey.pem to 0600
        chmod 600 /home/globus/.globus/hostkey.pem
    

  1. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus
        tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
        mv cilogon-ca/certificates /home/globus/.globus
    

Client

You can do this as any user. I used user globus.

  1. Create the directory /home/globus/.globus
        mkdir /home/globus/.globus
    
  1. Place the userkey.pem and usercert.pem files in /home/globus/.globus
        mv /tmp/userkey.pem /home/globus/.globus
        mv /tmp/usercert.pem /home/globus/.globus
    
  1. Change the permissions of the userkey.pem to 0600
        chmod 600 /home/globus/.globus/userkey.pem
    

  1. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus
        tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
        mv cilogon-ca/certificates /home/globus/.globus
    
  1. Set the environment
        export X509_CERT_DIR=/home/globus/.globus/certificates
        export X509_USER_CERT=/home/globus/.globus/usercert.pem
        export X509_USER_KEY=/home/globus/.globus/userkey.pem
    
  1. Create the proxy certificate
        cd /home/globus/.globus
        /usr/local/globus/bin/grid-proxy-init -debug
    

Output should look something like this:

User Cert File: /users/globus/.globus/usercert.pem
User Key File: /users/globus/.globus/userkey.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy .++++++++++++
....................++++++++++++
 Done
Your proxy is valid until: Fri Nov 30 19:26:51 2012

The proxy certificate will be created in /tmp with a file name of the format x509up_uXXXXX, where XXXXX is the numeric id of the user running the grid-proxy-init command.

  1. Verify the proxy certificate
        /usr/local/globus/bin/grid-proxy-init -debug -verify
    

Output should look something like this:

User Cert File: /users/globus/.globus/usercert.pem
User Key File: /users/globus/.globus/userkey.pem

Trusted CA Cert Dir: /users/globus/.globus/certificates/

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy ..............................++++++++++++
......++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:27:15 2012
  1. Unset X509_USER_CERT and X509_USER_KEY so that the client uses the proxy certificate:
    unset X509_USER_CERT
    unset X509_USER_KEY
    
  1. Go back to the iRODS server and add the user authentication id.

Identity is the one specified in the output of grid-proxy-init above.

   iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700'
  1. Now you will be able to run ils.
    johren@pc:/tmp$ ils
    /tempZone/home/alice:
    

GENI/GCF certificates

I downloaded the GCF code () to generate GENI certificates from my own clearinghouse.

  1. Ran src/gen-certs.py to generate certificates for both host and client.
       ./src/gen-certs.py
       ./src/gen-certs.py --notAll --exp -u host
       ./src/gen-certs.py --notAll --exp -u alice
    
  1. Configure the root CA certificates. These can be found in the trusted_roots directory generated above; however, a hash link and a signing_policy file need to be created for each cert.

2a. Go to the trusted_roots directory

   cd trusted_roots

2b. For each certificate, determine the hash for the certificate and create the link

globus@pc-0:~/irodscerts/trusted_roots$ openssl x509 -in ch-cert.pem -hash -noout
0894ffd6
globus@pc-0:~/irodscerts/trusted_roots$ ln -s ch-cert.pem 0894ffd6.0

2c. Determine the issuer of each certificate

  openssl x509 -in <certificate-file> -issuer -noout

2d. Create the signing_policy file (e.g. ch-cert.signing_policy) with contents like the following, where access_id_CA is the subject DN of the CA certificate (openssl x509 -in <certificate-file> -subject -noout).

access_id_CA   X509    '/CN=geni//gpo//gcf.authority.sa'
pos_rights     globus  CA:sign
cond_subjects  globus  '/*'

2e. Create a symlink to the signing policy using the hash determined above.

   ln -s ch-cert.signing_policy 0894ffd6.signing_policy

You should end up with the following:

  • A cert/key pair for the iRODS client
  • A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
  • The CA certificate directory

Your CA certificate directory (e.g. trusted_roots) should look something like this:

pc:~/.globus/certificates% ls -l
total 28
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 0894ffd6.0 -> ch-cert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 0894ffd6.signing_policy -> ch-cert.signing_policy
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   11 Nov 28 09:33 18f0c2ad.0 -> ma-cert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   22 Nov 28 09:57 18f0c2ad.signing_policy -> ma-cert.signing_policy
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   10 Nov 28 09:32 aacaba34.0 -> cacert.pem
lrwxrwxrwx 1 johren pgeni-gpolab-bbn   21 Nov 28 09:56 aacaba34.signing_policy -> cacert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn  916 Nov 28 09:31 cacert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:53 cacert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 3023 Nov 28 09:31 CATedCACerts.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  834 Nov 28 12:31 ch-cert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  116 Nov 28 09:54 ch-cert.signing_policy
-rw-r--r-- 1 johren pgeni-gpolab-bbn 1273 Nov 28 09:31 ma-cert.pem
-rw-r--r-- 1 johren pgeni-gpolab-bbn  111 Nov 28 09:55 ma-cert.signing_policy

Server
  1. Create the directory /home/globus/.globus (if it doesn't already exist)
        mkdir /home/globus/.globus
    
  1. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus
        mv /tmp/hostkey.pem /home/globus/.globus
        mv /tmp/hostcert.pem /home/globus/.globus
    
  1. Change the permissions of the hostkey.pem to 0600
        chmod 600 /home/globus/.globus/hostkey.pem
    
  1. Copy the CA certificates created above to /home/globus/.globus/certificates
    mkdir /home/globus/.globus/certificates
    cp trusted_roots/* /home/globus/.globus/certificates
    

Client
  1. Create the directory /home/globus/.globus (if it doesn't already exist)
        mkdir /home/globus/.globus
    
  1. Place the alice-key.pem and alice-cert.pem files (generated above) in /home/globus/.globus
        mv /tmp/alice-key.pem /home/globus/.globus
        mv /tmp/alice-cert.pem /home/globus/.globus
    
  1. Change the permissions of the alice-key.pem to 0600
        chmod 600 /home/globus/.globus/alice-key.pem
    
  1. Copy the CA certificates created above to /home/globus/.globus/certificates
    mkdir /home/globus/.globus/certificates
    cp trusted_roots/* /home/globus/.globus/certificates
    
  1. Set the environment
        export X509_CERT_DIR=/home/globus/.globus/certificates
        export X509_USER_CERT=/home/globus/.globus/alice-cert.pem
        export X509_USER_KEY=/home/globus/.globus/alice-key.pem
    
  1. Get the subject DN from the certificate:
    globus@pc:~$ openssl x509 -in .globus/alice-cert.pem -subject -noout
    subject= /CN=geni//gpo//gcf.user.alice
    
  1. Go back to the iRODS server and add the user authentication id.
       iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
    
  1. Now you will be able to run ils.
    johren@pc:/tmp$ ils
    /tempZone/home/alice:
    

GENI/GCF certificate with server authentication

Follow the same server and client steps 1-5 above (through setting the environment), then:

  1. Get the subject DN from the certificate on the iRODS server
    globus@pc-0:~$ openssl x509 -in .globus/hostcert.pem -subject -noout
    subject= /CN=geni//gpo//gcf.user.irods
    
  1. Add this DN to the .irodsEnv on the iRODS client (/home/globus/.irods/.irodsEnv)
    # iRODS server host name:
    irodsHost 'pc201.emulab.net'
    # iRODS server port number:
    irodsPort 1247
    
    # Default storage resource name:
    irodsDefResource 'demoResc'
    # Home directory in iRODS:
    irodsHome '/tempZone/home/alice'
    # Current directory in iRODS:
    irodsCwd '/tempZone/home/alice'
    # Account name:
    irodsUserName 'alice'
    # Zone:
    irodsZone 'tempZone'
    
    irodsAuthScheme GSI
    # Expected subject DN of the server's hostcert.pem (server authentication):
    irodsServerDn '/CN=geni//gpo//gcf.user.irods'
    
  1. Now you will be able to run ils on the client.
    johren@pc:/tmp$ ils
    /tempZone/home/alice:
    

GCF w/ grid-proxy-init

Certificate generation, CA directory setup, and the server and client file placement are identical to the GENI/GCF certificates section above: generate the host and alice certificates with gen-certs.py, build the trusted_roots directory with hash links and signing policies, install hostcert.pem, hostkey.pem and the CA directory on the server, install the alice cert/key pair and the CA directory on the client, and set X509_CERT_DIR, X509_USER_CERT and X509_USER_KEY in the client environment. Then, on the client:

  1. Create the proxy certificate
        cd /home/globus/.globus
        /usr/local/globus/bin/grid-proxy-init -debug
    

Output should look something like this:

User Cert File: /home/globus/.globus/alice-cert.pem
User Key File: /home/globus/.globus/alice-key.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .......................................++++++++++++
.........++++++++++++
 Done
Your proxy is valid until: Fri Nov 30 19:57:41 2012
  1. Verify the proxy certificate
        /usr/local/globus/bin/grid-proxy-init -debug -verify
    

Output should look something like this:

User Cert File: /home/globus/.globus/alice-cert.pem
User Key File: /home/globus/.globus/alice-key.pem

Trusted CA Cert Dir: /home/globus/.globus/certificates/

Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .++++++++++++
.....++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:57:56 2012
  1. Unset X509_USER_CERT and X509_USER_KEY so that the client uses the proxy certificate:
    unset X509_USER_CERT
    unset X509_USER_KEY
    
  1. Go back to the iRODS server and add the user authentication id.

Identity is the one specified in the output of grid-proxy-init above.

   iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
  1. Now you will be able to run ils.
    johren@pc:/tmp$ ils
    /tempZone/home/alice:
    

GCF w/ openssl proxy cert

Server

Same as GCF w/ grid-proxy-init.

Client

Steps 1-3 of the client setup (creating /home/globus/.globus, placing the alice cert/key pair there, and setting the key permissions) are the same as for GCF w/ grid-proxy-init.

  1. Get the subject from the GCF certificate (alice-cert.pem)
    globus@pc:~/.globus$ openssl x509 -in alice-cert.pem -subject -noout
    subject= /CN=geni//gpo//gcf.user.alice
    
  1. Create the CSR using csr.conf provided by Ezra (see attached). Accept the default answer for every question except the two "Common Name" questions.

Give the subject (from the previous step, without the leading 'CN=') and your own 8-digit number.

globus@pc:~/.globus$ openssl req -new -config /tmp/csr.conf -out alice.csr -keyout alice-proxy.key
Generating a 1024 bit RSA private key
........++++++
.................++++++
writing new private key to 'alice-proxy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name "C" (2 letter code) []:
State Name "ST" (full name) []:
Locality Name "L" (eg, city) []:
Organization Name "O" (eg, company) []:
Organizational Unit Name "OU" (eg, section) []:
Common Name "CN" (eg, YOUR name) []:geni//gpo//gcf.user.alice
Email Address []:
Common Name "CN" (unique 8 digit number) []:12345678    

This should produce the csr and key files specified on the command line.

  1. Create the proxy certificate using the csr file generated in the previous step as well as alice-cert.pem and alice-key.pem.
    globus@pc:~/.globus$ openssl x509 -req -CAcreateserial -in alice.csr -days 7 -out alice_proxy.pem -CA alice-cert.pem -CAkey alice-key.pem -extfile /tmp/csr.conf -extensions v3_proxy
    Signature ok
    subject=/CN=geni//gpo//gcf.user.alice/CN=12345678
    Getting CA Private Key
    
  1. Concatenate the new proxy cert, the new private key, and the original certificate into a file named x509up_uXXXXX, where XXXXX is the numeric id of the globus user (id -u).
    globus@pc:~/.globus$ cat alice_proxy.pem > x509up_u20002
    globus@pc:~/.globus$ cat alice-proxy.key >> x509up_u20002
    globus@pc:~/.globus$ cat alice-cert.pem >> x509up_u20002
    
  1. Copy the concatenated certificate to /tmp and set the permissions to 0600.
       cp x509up_u20002 /tmp
       chmod 600 /tmp/x509up_u20002
    
  1. Run grid-proxy-info to get the identity of the proxy certificate.
    globus@pc:~/.globus$ /usr/local/globus/bin/grid-proxy-info -f /tmp/x509up_u20002 
    subject  : /CN=geni//gpo//gcf.user.alice/CN=12345678
    issuer   : /CN=geni//gpo//gcf.user.alice
    identity : /CN=geni//gpo//gcf.user.alice/CN=12345678
    type     : RFC 3820 compliant independent proxy
    strength : 1024 bits
    path     : /tmp/x509up_u20002
    timeleft : 167:58:47  (7.0 days)
    
  1. Go back to the iRODS server and add the user authentication id using the identity from the previous step.
       iadmin aua alice '/CN=geni//gpo//gcf.user.alice/CN=12345678'
    
  1. Now you will be able to run ils.
    johren@pc:/tmp$ ils
    /tempZone/home/alice:
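
The trusted CA directory of steps 2b-2e and the openssl-made proxy of this section, combined into one script so the whole chain can be checked locally. This is an added example, not code from the page or from the iRODS or Globus projects: it assumes only the openssl command line, builds a throwaway CA and "alice" certificate with plain DNs (constructed stand-ins for the GCF clearinghouse and geni//gpo// names), and reconstructs a v3_proxy extension section because the attached csr.conf is not reproduced on the page.

```shell
#!/bin/sh
# Added example (not from the page, iRODS or Globus). Builds the Globus-style
# trusted directory of steps 2b-2e (<hash>.0 + <hash>.signing_policy), mints an
# RFC 3820 independent proxy with openssl as in this section, and verifies the
# proxy chain against that directory. Only the openssl CLI is assumed; the CA,
# the alice certificate and the v3_proxy section are constructed here.
set -e
WORK=${WORK:-$(mktemp -d)}
CADIR="$WORK/certificates"
CNF="$WORK/gsi.cnf"

write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_proxy ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-independent
EOF
}

# Subject as a slash-separated DN ("/CN=..."), the form Globus and iadmin aua use.
dn_of() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }

# Steps 2b-2e generalised to any CA file: links for the current and the pre-1.0
# OpenSSL subject hash, plus a signing_policy whose access_id_CA is the CA subject.
install_ca() {  # $1 = CA cert (PEM), $2 = trusted directory
  base=$(basename "$1" .pem)
  mkdir -p "$2" && cp "$1" "$2/$base.pem"
  printf "access_id_CA   X509    '%s'\npos_rights     globus  CA:sign\ncond_subjects  globus  '/*'\n" \
    "$(dn_of "$1")" > "$2/$base.signing_policy"
  for h in $(openssl x509 -in "$1" -noout -hash) $(openssl x509 -in "$1" -noout -subject_hash_old); do
    ln -sf "$base.pem" "$2/$h.0"
    ln -sf "$base.signing_policy" "$2/$h.signing_policy"
  done
}

# Constructed stand-ins for the clearinghouse CA and alice-cert.pem / alice-key.pem.
make_test_pki() {
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj '/CN=test-ca' -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj '/CN=alice' \
    -keyout "$WORK/alice-key.pem" -out "$WORK/alice.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/alice-cert.pem" 2>/dev/null
}

# The page's CSR/x509 steps: subject = EEC subject plus one extra CN, signed by
# the EEC itself, then proxy cert + proxy key + EEC bundled into x509up_u<uid>.
make_proxy() {  # $1 = the extra CN component, e.g. 12345678
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=alice/CN=$1" \
    -keyout "$WORK/alice-proxy.key" -out "$WORK/alice-proxy.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/alice-proxy.csr" -CA "$WORK/alice-cert.pem" -CAkey "$WORK/alice-key.pem" \
    -CAcreateserial -days 1 -extfile "$CNF" -extensions v3_proxy -out "$WORK/alice_proxy.pem" 2>/dev/null
  cat "$WORK/alice_proxy.pem" "$WORK/alice-proxy.key" "$WORK/alice-cert.pem" > "$WORK/x509up_u$(id -u)"
  chmod 600 "$WORK/x509up_u$(id -u)"
}

# What the server side must manage: chain proxy -> EEC -> a CA found by hash in the
# trusted directory. Prints the DN to register with iadmin aua; for an independent
# proxy that is the proxy's own subject, as grid-proxy-info showed above.
verify_proxy() {
  openssl verify -allow_proxy_certs -CApath "$CADIR" -untrusted "$WORK/alice-cert.pem" \
    "$WORK/alice_proxy.pem" >/dev/null
  dn_of "$WORK/alice_proxy.pem"
}

run_demo() {
  write_config; make_test_pki; install_ca "$WORK/cacert.pem" "$CADIR"; make_proxy 12345678; verify_proxy
}
```

Running `run_demo` prints `/CN=alice/CN=12345678`, the identity the server would need via `iadmin aua`; swapping the proxy for one signed by a key the trusted directory does not chain to makes `verify_proxy` fail, which is the check the GSI server performs on every connection.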
    
