Using iRODS with Grid Security Infrastructure (GSI)
Overview
This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at Protogeni Utah.
Configuration
iRODS server: pc475.emulab.net
iRODS client: pc321.emulab.net
Installation
Server
- Software must be installed as a non-root user, so I created a "globus" user (Ubuntu has no mkuser command; useradd does the same job):
sudo useradd -m -s /bin/bash globus
sudo passwd globus
- Install the libltdl-dev package
sudo apt-get install libltdl-dev
- Change to the globus user
su - globus
- Download iRODS and GSI software to the globus home directory.
- iRODS 3.2: http://irods.sdsc.edu/download.html
- GSI: http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz
- Build GSI
cd /home/globus
tar -zxvf gt5.2.2-all-source-installer.tar.gz
cd gt5.2.2-all-source-installer
export GLOBUS_LOCATION=/usr/local/globus
./configure --prefix $GLOBUS_LOCATION
make globus-gsi
- A few tweaks I had to make to get iRODS to build
cd /usr/local/globus/include/globus
ln -s gcc64dbg/globus_config.h
cd /usr/local/globus
mv lib/perl lib64
mv lib lib.old
ln -s lib64 lib
- Build iRODS
cd /home/globus/iRODS
./irodssetup
Answers to the irodssetup questions (the rods/rods and globus/globus passwords are throwaway values for this experiment; use real ones on any server reachable from outside the testbed):
globus@pc:~/iRODS$ ./irodssetup
Include additional prompts for advanced settings [no]? no
Build an iRODS server [yes]? yes
Make this Server ICAT-Enabled [yes]? yes
iRODS zone name [tempZone]? tempZone
iRODS login name [rods]? rods
Password [rods]? rods
Download and build a new Postgres DBMS [yes]? yes
New Postgres directory? /home/globus/iRODS/postgres
New database login name [globus]? globus
Password? globus
PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
ODBC version [unixODBC-2.2.12.tar.gz]? unixODBC-2.2.12.tar.gz
Include GSI [no]? yes
GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
GSI Install Type to use (or 'none')? globus
Include Kerberos [no]? no
Include the NCCS Auditing extensions [no]? no
Save configuration (irods.config) [yes]? yes
- Add the following to /home/globus/.bashrc
export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
export GLOBUS_LOCATION=/usr/local/globus
export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
Client
Same as the server only answer "no" to the following question during irodssetup:
Build an iRODS server [yes]? no
Configuring iRODS
Server
- Configure the icommands on the server host to use the rods admin user, in /home/globus/.irods/.irodsEnv:
# iRODS server host name:
irodsHost 'pc475.emulab.net'
# iRODS server port number:
irodsPort 1247
# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/rods'
# Current directory in iRODS:
irodsCwd '/tempZone/home/rods'
# Account name:
irodsUserName 'rods'
# Zone:
irodsZone 'tempZone'
- Create the iRODS users (I created alice). No password is needed since we will be using GSI.
iadmin mkuser alice rodsuser
- We will add user authentication ids later after we set up certificates.
Client
- Configure the iRODS client's .irodsEnv to use GSI authentication and the alice user:
# iRODS server host name:
irodsHost 'pc475.emulab.net'
# iRODS server port number:
irodsPort 1247
# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/alice'
# Current directory in iRODS:
irodsCwd '/tempZone/home/alice'
# Account name:
irodsUserName 'alice'
# Zone:
irodsZone 'tempZone'
# Authentication scheme (password is the default):
irodsAuthScheme 'GSI'
Setting up the certificates
I configured three different certificate setups: CILogon certificates, GENI/GCF certificates with a grid-proxy-init proxy, and GENI/GCF certificates with an openssl-generated proxy.
In all three cases, I needed the following:
- Two different cert/key pairs: one for the client and one for the server.
- Proxy certificate
- The CA certificates
CILogon
I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.
- For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link.
This should download a PKCS12 format certificate.
- You will need to convert each p12 file to a cert file and a key file (openssl prompts for the p12 import password, and the -nocerts step asks for a PEM passphrase to encrypt the extracted key). The host pair comes from the second account's p12:
openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem
NOTE: server pair must be named hostcert.pem and hostkey.pem
- You will need to strip the passphrase from the host key (the iRODS server does not support host keys with passphrases). The resulting unencrypted key must be readable only by the server account (see the chmod below).
openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
- Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz
You should end up with the following:
- A cert/key pair for the iRODS client
- A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
- The CA certificate tarball
Server
- Create the directory /home/globus/.globus
mkdir /home/globus/.globus
- Place the hostkey.pem and hostcert.pem files in /home/globus/.globus
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
- Change the permissions of the hostkey.pem to 0600
chmod 600 /home/globus/.globus/hostkey.pem
- Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/globus/.globus
Client
You can do this as any user. I used user johren.
- Create the directory /home/johren/.globus
mkdir /home/johren/.globus
- Place the userkey.pem and usercert.pem files in /home/johren/.globus
mv /tmp/userkey.pem /home/johren/.globus
mv /tmp/usercert.pem /home/johren/.globus
- Change the permissions of the userkey.pem to 0600
chmod 600 /home/johren/.globus/userkey.pem
- Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/johren/.globus
- Set the environment
export X509_CERT_DIR=/home/johren/.globus/certificates
export X509_USER_CERT=/home/johren/.globus/usercert.pem
export X509_USER_KEY=/home/johren/.globus/userkey.pem
- Create the proxy certificate
cd /home/johren/.globus
/usr/local/johren/bin/grid-proxy-init -debug
Output should look something like this:
User Cert File: /users/johren/.globus/usercert.pem
User Key File: /users/johren/.globus/userkey.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy .++++++++++++ ....................++++++++++++ Done
Your proxy is valid until: Fri Nov 30 19:26:51 2012
- Verify the proxy certificate
/usr/local/johren/bin/grid-proxy-init -debug -verify
Output should look something like this:
User Cert File: /users/johren/.globus/usercert.pem
User Key File: /users/johren/.globus/userkey.pem
Trusted CA Cert Dir: /users/johren/.globus/certificates/
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy ..............................++++++++++++ ......++++++++++++ Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:27:15 2012
- Unset X509_USER_CERT and X509_USER_KEY so it uses the proxy certificate:
unset X509_USER_CERT
unset X509_USER_KEY
- Go back to the iRODS server and add the user authentication id (the DN that iRODS will map to the alice account). The identity is the one printed as "Your identity" by grid-proxy-init above.
iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700'
- Now you should be able to run ils.
johren@pc:/tmp$ ils
/tempZone/home/alice:
GCF w/ grid-proxy-init
I downloaded the GCF code () to generate GENI certificates from my own clearing house.
- Ran src/gen-certs.py to generate certificates for both host and client.
./src/gen-certs.py
./src/gen-certs.py --notAll --exp -u host
./src/gen-certs.py --notAll --exp -u alice
- Configure the trusted root CA certificates. These can be found in the trusted_roots directory generated above.
However, Globus looks CA certificates up by subject hash, so a hash link and a signing_policy file need to be created for each certificate.
2a. Move the trusted_roots directory to /home/johren/.globus/certificates.
2b. Determine the subject hash of the certificate and create the hash link to it.
2c. Create the signing_policy file, which states which subject names the CA is trusted to sign, and create a hash link for this as well.
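The following script, added here as a worked example (it is not from the original page, GCF or iRODS), does steps 2b and 2c for one CA certificate: it computes the subject hash with openssl, installs the certificate as <hash>.0, writes a Globus signing_policy file, and creates the same links under the old MD5-based hash name, because OpenSSL 1.0 changed the subject hash and Globus builds linked against different OpenSSL versions look for different names. The function names, the permissive '*' default subject pattern and the verify_against_dir helper are assumptions of this example; on anything but a test bed, pass the CA's real namespace (for example '/DC=org/DC=cilogon/*') so the policy does not let the CA vouch for arbitrary names.

```shell
#!/bin/sh
# Added example (not from the original page): install a CA certificate into a
# Globus-style trusted-certificates directory, creating the <hash>.0 link and
# the <hash>.signing_policy file that grid-proxy-init -verify and the iRODS
# GSI server look for. Requires the openssl command line tool.
set -eu

# install_ca CA_CERT_PEM CERT_DIR [SUBJECT_PATTERN]
#   CA_CERT_PEM      PEM file holding one CA certificate
#   CERT_DIR         trusted-certificates directory (e.g. ~/.globus/certificates)
#   SUBJECT_PATTERN  Globus DN glob the CA may sign; default "*" (any subject,
#                    fine for a test bed, too permissive for production)
# Prints the hash name used for the installed files.
install_ca() {
    ca_pem=$1
    certdir=$2
    pattern="${3:-*}"
    mkdir -p "$certdir"

    # OpenSSL 1.0 changed the subject-name hash; older Globus builds look up
    # the MD5-based name, newer ones the SHA1-based name. Creating both is
    # harmless (assumes no other CA in the directory shares the hash).
    new_hash=$(openssl x509 -in "$ca_pem" -noout -subject_hash)
    old_hash=$(openssl x509 -in "$ca_pem" -noout -subject_hash_old)

    # Globus wants the DN in slash form (/DC=org/DC=cilogon/...); "compat" prints that.
    ca_dn=$(openssl x509 -in "$ca_pem" -noout -subject -nameopt compat | sed 's/^subject= *//')

    cp "$ca_pem" "$certdir/$new_hash.0"
    [ "$old_hash" = "$new_hash" ] || ln -sf "$new_hash.0" "$certdir/$old_hash.0"

    # Signing policy: which subject names this CA is trusted to certify.
    cat > "$certdir/$new_hash.signing_policy" <<EOF
# Signing policy for $ca_dn
access_id_CA      X509         '$ca_dn'
pos_rights        globus        CA:sign
cond_subjects     globus       '"$pattern"'
EOF
    [ "$old_hash" = "$new_hash" ] || \
        ln -sf "$new_hash.signing_policy" "$certdir/$old_hash.signing_policy"
    echo "$new_hash"
}

# verify_against_dir CERT_PEM CERT_DIR: check that CERT_PEM chains to a CA in
# CERT_DIR using the same <hash>.0 lookup that GSI uses (exit status only).
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Usage (hypothetical paths):
#   for ca in ~/gcf/trusted_roots/*.pem; do
#       install_ca "$ca" ~/.globus/certificates '/CN=geni//gpo//*'
#   done
```

After running it for every file in trusted_roots, grid-proxy-init -verify should report "Proxy Verify OK" with X509_CERT_DIR pointing at the directory.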
You should end up with the following:
- A cert/key pair for the iRODS client
- A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
- The CA certificate directory
Server
- Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
- Change the permissions of the hostkey.pem to 0600
chmod 600 /home/globus/.globus/hostkey.pem
- Copy the CA certificates created above to /home/globus/.globus/certificates
Client
- Place the alicekey.pem and alicecert.pem files in /home/johren/.globus
mv /tmp/alicekey.pem /home/johren/.globus
mv /tmp/alicecert.pem /home/johren/.globus
- Change the permissions of the alicekey.pem to 0600
chmod 600 /home/johren/.globus/alicekey.pem
- Copy the CA certificates created above to /home/johren/.globus/certificates
- Set the environment
export X509_CERT_DIR=/home/johren/.globus/certificates
export X509_USER_CERT=/home/johren/.globus/alicecert.pem
export X509_USER_KEY=/home/johren/.globus/alicekey.pem
- Create the proxy certificate
cd /home/johren/.globus
/usr/local/johren/bin/grid-proxy-init -debug
Output should look something like this:
User Cert File: /users/johren/.globus/alice-cert.pem
User Key File: /users/johren/.globus/alice-key.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .......................................++++++++++++ .........++++++++++++ Done
Your proxy is valid until: Fri Nov 30 19:57:41 2012
- Verify the proxy certificate
/usr/local/johren/bin/grid-proxy-init -debug -verify
Output should look something like this:
User Cert File: /users/johren/.globus/alice-cert.pem
User Key File: /users/johren/.globus/alice-key.pem
Trusted CA Cert Dir: /users/johren/.globus/certificates/
Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .++++++++++++ .....++++++++++++ Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:57:56 2012
- Unset X509_USER_CERT and X509_USER_KEY so it uses the proxy certificate:
unset X509_USER_CERT
unset X509_USER_KEY
- Go back to the iRODS server and add the user authentication id (the DN that iRODS will map to the alice account). The identity is the one printed as "Your identity" by grid-proxy-init above.
iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
- Now you should be able to run ils.
johren@pc:/tmp$ ils
/tempZone/home/alice:
GCF w/ openssl proxy cert
Server
Same as GCF w/ grid-proxy-init.
Client
Steps 1-3 are the same as GCF w/ grid-proxy-init.
- Get the identity from the GCF cert.
- Create the CSR.
- Create the proxy certificate.
- Concatenate the new proxy cert, the new private key, and the original certificate, in that order, to a file named x509up_uXXXXX, where XXXXX is your numeric uid (the same file name grid-proxy-init used).
- Copy the concatenated certificate to /tmp.
- Run grid-proxy-info to get the identity of the proxy certificate.
- Go back to the iRODS server and add the user authentication id.
iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
- Now you should be able to run ils.
johren@pc:/tmp$ ils
/tempZone/home/alice:
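The client steps above, carried out with plain openssl, as an added example (this is not the page's own procedure nor grid-proxy-init's code): the script reads the identity from the GCF certificate, builds the proxy subject by appending one CN holding the serial number as RFC 3820 requires, creates the CSR, signs it with the user key and a critical proxyCertInfo extension, and concatenates proxy cert, proxy key and user cert into the x509up_u<uid> file with mode 0600. The function names, the one-day default lifetime (grid-proxy-init defaults to 12 hours) and the minimal openssl config are assumptions of this example. It handles subjects with slashes inside values (the GCF `//` names) but not multi-valued RDNs or non-ASCII names.

```shell
#!/bin/sh
# Added example, not code from the original page: build an RFC 3820 proxy
# certificate with plain openssl and write it in the x509up_u<uid> bundle
# layout that GSI clients read. Assumes openssl, awk and sed on PATH and a
# user certificate with an ASCII subject made of single-valued RDNs.
set -eu

# rfc2253_to_subj DN: convert the RFC 2253 form openssl prints (most specific
# RDN first, commas as separators, backslash escapes) into the slash form that
# openssl's -subj option expects, escaping any '/' inside attribute values.
# Needed because GCF names like /CN=geni//gpo//gcf.user.alice contain slashes
# that -subj would otherwise read as RDN separators.
rfc2253_to_subj() {
    printf '%s\n' "$1" | awk '
    {
        s = $0; n = 0; comp = ""; i = 1
        while (i <= length(s)) {
            c = substr(s, i, 1)
            if (c == "\\") {
                # RFC 2253 backslash escape: the next character is literal
                c = substr(s, i + 1, 1)
                if (c == "/" || c == "\\") comp = comp "\\" c
                else comp = comp c
                i += 2
            } else if (c == ",") {
                # unescaped comma separates RDNs
                parts[++n] = comp; comp = ""; i++
            } else {
                if (c == "/") comp = comp "\\/"
                else comp = comp c
                i++
            }
        }
        parts[++n] = comp
        out = ""
        for (k = n; k >= 1; k--) out = out "/" parts[k]   # RFC 2253 lists RDNs reversed
        print out
    }'
}

# make_proxy USER_CERT USER_KEY OUT_FILE [DAYS]
# Signs a fresh proxy key with the user key; prints the proxy's subject.
make_proxy() {
    usercert=$1; userkey=$2; out=$3; days=${4:-1}
    work=$(mktemp -d)

    # RFC 3820: proxy subject = issuer subject + one CN holding the serial number.
    dn=$(openssl x509 -in "$usercert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    serial=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    [ "$serial" -gt 0 ] || serial=1
    subj="$(rfc2253_to_subj "$dn")/CN=$serial"

    # Minimal config: a dn section so openssl req accepts -subj without the
    # system openssl.cnf, and the proxy extension section. The critical
    # proxyCertInfo extension is what marks this as a proxy rather than an
    # impersonation attempt; inheritAll carries the signer's full rights.
    cat > "$work/proxy.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[proxy]
proxyCertInfo = critical,language:id-ppl-inheritAll
EOF

    openssl req -new -config "$work/proxy.cnf" -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$work/proxykey.pem" -out "$work/proxy.csr" 2>/dev/null
    openssl x509 -req -in "$work/proxy.csr" -CA "$usercert" -CAkey "$userkey" \
        -set_serial "$serial" -days "$days" -extfile "$work/proxy.cnf" -extensions proxy \
        -out "$work/proxycert.pem" 2>/dev/null

    # GSI expects: proxy cert, proxy private key, then the issuing chain.
    ( umask 077; cat "$work/proxycert.pem" "$work/proxykey.pem" "$usercert" > "$out" )
    chmod 600 "$out"
    rm -rf "$work"
    openssl x509 -in "$out" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# proxy_identity BUNDLE: the identity grid-proxy-info reports for a one-level
# proxy, i.e. the subject of the certificate that signed it (the proxy's issuer).
proxy_identity() {
    openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'
}

# Usage (hypothetical paths):
#   make_proxy ~/.globus/alicecert.pem ~/.globus/alicekey.pem /tmp/x509up_u$(id -u)
#   proxy_identity /tmp/x509up_u$(id -u)    # the DN to give to iadmin aua
```

The identity printed by proxy_identity is the value to pass to iadmin aua, and grid-proxy-info on the bundle should report the same identity and a type of "RFC 3820 compliant impersonation proxy".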
References
- https://code.renci.org/gf/project/jargon/tracker/?action=TrackerItemEdit&tracker_item_id=132
- http://www.nordugrid.org/documents/certificate_howto.html
- https://cilogon.org/
- https://www.irods.org/index.php/Grid_Security_Infrastructure