[[PageOutline]]

== Using iRODS with Grid Security Infrastructure (GSI) ==

=== Overview ===

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at Protogeni Utah.

=== Configuration ===

iRODS server: pc475.emulab.net[[BR]]
iRODS client: pc321.emulab.net

=== Installation ===

==== Server ====

 1. Software must be installed as a non-root user, so I created a "globus" user:
{{{
sudo useradd -m -s /bin/bash globus
sudo passwd globus
}}}
 2. Install the libltdl-dev package:
{{{
sudo apt-get install libltdl-dev
}}}
 3. Make the directory in which GSI will be installed:
{{{
sudo mkdir /usr/local/globus
sudo chmod a+w /usr/local/globus
}}}
 4. Change to the globus user:
{{{
su - globus
}}}
 5. Download iRODS and GSI software to the globus home directory:
   * iRODS 3.2: http://irods.sdsc.edu/download.html
   * GSI: http://www.globus.org/ftppub/gt5/5.2/5.2.2/installers/src/gt5.2.2-all-source-installer.tar.gz
 6. Build GSI:
{{{
cd /home/globus
tar -zxvf gt5.2.2-all-source-installer.tar.gz
cd gt5.2.2-all-source-installer
export GLOBUS_LOCATION=/usr/local/globus
./configure --prefix $GLOBUS_LOCATION
make globus-gsi
}}}
 7. A few tweaks I had to make to get iRODS to build:
{{{
cd /usr/local/globus/include/globus
ln -s gcc64dbg/globus_config.h
cd /usr/local/globus
mv lib/perl lib64
mv lib lib.old
ln -s lib64 lib
}}}
 8. Build iRODS:
{{{
cd /home/globus/iRODS
./irodssetup
}}}
    Answers to the irodssetup questions:
{{{
globus@pc:~/iRODS$ ./irodssetup
Include additional prompts for advanced settings [no]? no
Build an iRODS server [yes]? yes
Make this Server ICAT-Enabled [yes]? yes
iRODS zone name [tempZone]? tempZone
iRODS login name [rods]? rods
Password [rods]? rods
Download and build a new Postgres DBMS [yes]? yes
New Postgres directory? /home/globus/iRODS/postgres
New database login name [globus]? globus
Password? globus
PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
ODBC version [unixODBC-2.2.12.tar.gz]? unixODBC-2.2.12.tar.gz
Include GSI [no]? yes
GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
GSI Install Type to use (or 'none')? globus
Include Kerberos [no]? no
Include the NCCS Auditing extensions [no]? no
Save configuration (irods.config) [yes]? yes
}}}
 9. Add the following to /home/globus/.bashrc:
{{{
export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
export GLOBUS_LOCATION=/usr/local/globus
export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib
}}}

==== Client ====

Same as the server, except answer "no" to the following question during irodssetup:
{{{
Build an iRODS server [yes]? no
}}}

=== Configuring iRODS ===

==== Server ====

 1. Configure the icommands on the server host to use the rods user, in the file /home/globus/.irods/.irodsEnv:
{{{
# iRODS server host name:
irodsHost 'pc475.emulab.net'
# iRODS server port number:
irodsPort 1247
# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/rods'
# Current directory in iRODS:
irodsCwd '/tempZone/home/rods'
# Account name:
irodsUserName 'rods'
# Zone:
irodsZone 'tempZone'
}}}
 2. Create users (I had alice). A password is not needed since we will be using GSI:
{{{
iadmin mkuser alice rodsuser
}}}
 3. We will add user authentication ids later, after we set up certificates.

==== Client ====

 1. Configure the iRODS client (.irodsEnv) to use GSI authentication and the alice user:
{{{
# iRODS server host name:
irodsHost 'pc475.emulab.net'
# iRODS server port number:
irodsPort 1247
# Default storage resource name:
irodsDefResource 'demoResc'
# Home directory in iRODS:
irodsHome '/tempZone/home/alice'
# Current directory in iRODS:
irodsCwd '/tempZone/home/alice'
# Account name:
irodsUserName 'alice'
# Zone:
irodsZone 'tempZone'
irodsAuthScheme GSI
}}}

=== Setting up the certificates ===

I configured three different types of certificates: CILogon, GENI/GCF certificates with grid-proxy-init, and GENI/GCF with an openssl-generated proxy.
In all three cases I needed the following:
 * Two different cert/key pairs: one for the client and one for the server
 * A proxy certificate
 * The CA certificates

==== !CILogon ====

I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

 1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link. This should download a PKCS12 format certificate.
 2. You will need to convert the p12 file to the cert and key files:
{{{
openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem
}}}
    NOTE: the server pair must be named hostcert.pem and hostkey.pem.
 3. You will need to strip the passphrase from the host key (iRODS does not support host keys with passphrases):
{{{
openssl rsa -in /tmp/hostkey.pem -out hostkey.pem
}}}
 4. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:
 * A cert/key pair for the iRODS client
 * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
 * The CA certificate tarball

===== Server =====

 1. Create the directory /home/globus/.globus:
{{{
mkdir /home/globus/.globus
}}}
 2. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus:
{{{
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
}}}
 3. Change the permissions of hostkey.pem to 0600:
{{{
chmod 600 /home/globus/.globus/hostkey.pem
}}}
 4. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus:
{{{
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/globus/.globus
}}}

===== Client =====

You can do this as any user. I used user johren.

 1. Create the directory /home/johren/.globus:
{{{
mkdir /home/johren/.globus
}}}
 2. Place the userkey.pem and usercert.pem files in /home/johren/.globus:
{{{
mv /tmp/userkey.pem /home/johren/.globus
mv /tmp/usercert.pem /home/johren/.globus
}}}
 3. Change the permissions of userkey.pem to 0600:
{{{
chmod 600 /home/johren/.globus/userkey.pem
}}}
 4. Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus:
{{{
tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
mv cilogon-ca/certificates /home/johren/.globus
}}}
 5. Set the environment:
{{{
export X509_CERT_DIR=/home/johren/.globus/certificates
export X509_USER_CERT=/home/johren/.globus/usercert.pem
export X509_USER_KEY=/home/johren/.globus/userkey.pem
}}}
 6. Create the proxy certificate:
{{{
cd /home/johren/.globus
/usr/local/johren/bin/grid-proxy-init -debug
}}}
    Output should look something like this:
{{{
User Cert File: /users/johren/.globus/usercert.pem
User Key File: /users/johren/.globus/userkey.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy .++++++++++++
....................++++++++++++
Done
Your proxy is valid until: Fri Nov 30 19:26:51 2012
}}}
 7. Verify the proxy certificate:
{{{
/usr/local/johren/bin/grid-proxy-init -debug -verify
}}}
    Output should look something like this:
{{{
User Cert File: /users/johren/.globus/usercert.pem
User Key File: /users/johren/.globus/userkey.pem
Trusted CA Cert Dir: /users/johren/.globus/certificates/
Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy ..............................++++++++++++
......++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:27:15 2012
}}}
 8. Unset X509_USER_CERT and X509_USER_KEY so that the proxy certificate is used:
{{{
unset X509_USER_CERT
unset X509_USER_KEY
}}}
 9. Go back to the '''iRODS server''' and add the user authentication id.
    The identity is the one shown in the output of grid-proxy-init above.
{{{
iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700'
}}}
 10. Now you should be able to run ils:
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

==== GCF w/ grid-proxy-init ====

I downloaded the GCF code () to generate GENI certificates from my own clearinghouse.

 1. Ran src/gen-certs.py to generate certificates for both host and client:
{{{
./src/gen-certs.py
./src/gen-certs.py --notAll --exp -u host
./src/gen-certs.py --notAll --exp -u alice
}}}
 2. Configure the root CA certificates. These can be found in the trusted_roots directory generated above. However, a hash link and a signing_policy need to be created for each cert.
   2a. Move the trusted_roots directory to /home/johren/.globus/certificates.
   2b. Determine the hash for the certificate and create the link:
{{{
}}}
   2c. Create the signing_policy file and create a hash link for this:
{{{
}}}

You should end up with the following:
 * A cert/key pair for the iRODS client
 * A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
 * The CA certificate directory

===== Server =====

 1. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus:
{{{
mv /tmp/hostkey.pem /home/globus/.globus
mv /tmp/hostcert.pem /home/globus/.globus
}}}
 2. Change the permissions of hostkey.pem to 0600:
{{{
chmod 600 /home/globus/.globus/hostkey.pem
}}}
 3. Copy the CA certificates created above to /home/globus/.globus/certificates.

===== Client =====

 1. Place the alicekey.pem and alicecert.pem files in /home/johren/.globus:
{{{
mv /tmp/alicekey.pem /home/johren/.globus
mv /tmp/alicecert.pem /home/johren/.globus
}}}
 2. Change the permissions of alicekey.pem to 0600:
{{{
chmod 600 /home/johren/.globus/alicekey.pem
}}}
 3. Copy the CA certificates created above to /home/johren/.globus/certificates.
 4. Set the environment:
{{{
export X509_CERT_DIR=/home/johren/.globus/certificates
export X509_USER_CERT=/home/johren/.globus/alicecert.pem
export X509_USER_KEY=/home/johren/.globus/alicekey.pem
}}}
 5. Create the proxy certificate:
{{{
cd /home/johren/.globus
/usr/local/johren/bin/grid-proxy-init -debug
}}}
    Output should look something like this:
{{{
User Cert File: /users/johren/.globus/alice-cert.pem
User Key File: /users/johren/.globus/alice-key.pem
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .......................................++++++++++++
.........++++++++++++
Done
Your proxy is valid until: Fri Nov 30 19:57:41 2012
}}}
 6. Verify the proxy certificate:
{{{
/usr/local/johren/bin/grid-proxy-init -debug -verify
}}}
    Output should look something like this:
{{{
User Cert File: /users/johren/.globus/alice-cert.pem
User Key File: /users/johren/.globus/alice-key.pem
Trusted CA Cert Dir: /users/johren/.globus/certificates/
Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .++++++++++++
.....++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:57:56 2012
}}}
 7. Unset X509_USER_CERT and X509_USER_KEY so that the proxy certificate is used:
{{{
unset X509_USER_CERT
unset X509_USER_KEY
}}}
 8. Go back to the '''iRODS server''' and add the user authentication id. The identity is the one shown in the output of grid-proxy-init above:
{{{
iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
}}}
 9. Now you should be able to run ils:
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

==== GCF w/ openssl proxy cert ====

===== Server =====

Same as GCF w/ grid-proxy-init.

===== Client =====

Steps 1-3 are the same as GCF w/ grid-proxy-init.

 4. Get the identity from the GCF cert.
 5. Create the CSR:
{{{
}}}
 6. Create the proxy certificate.
 7. Concatenate the new proxy cert, new private key, and original certificate into a file named x509up_uXXXXX, where XXXXX is the same as in the proxy file that grid-proxy-init generated.
 8. Copy the concatenated file to /tmp.
 9. Run grid-proxy-info to get the identity of the proxy certificate.
 10. Go back to the '''iRODS server''' and add the user authentication id:
{{{
iadmin aua alice '/CN=geni//gpo//gcf.user.alice'
}}}
 11. Now you should be able to run ils:
{{{
johren@pc:/tmp$ ils
/tempZone/home/alice:
}}}

=== References ===

https://code.renci.org/gf/project/jargon/tracker/?action=TrackerItemEdit&tracker_item_id=132 [[BR]]
http://www.nordugrid.org/documents/certificate_howto.html [[BR]]
https://cilogon.org/ [[BR]]
https://www.irods.org/index.php/Grid_Security_Infrastructure
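The following script is an added example; it is not part of this wiki page and not code from the iRODS or Globus projects. It fills in, with plain openssl commands, the three places above where the procedure is sketched rather than shown: building the hash link and signing_policy for a trusted CA directory (steps 2b/2c of "GCF w/ grid-proxy-init"), the checks worth running on a cert/key pair before its DN is handed to `iadmin aua` (key mode 0600, no passphrase, key matches cert, chain verifies against X509_CERT_DIR, not expired), and the openssl-only proxy of "GCF w/ openssl proxy cert" (steps 5-7, plus the identity grid-proxy-info would report). Everything it runs against is constructed inside the script: a throw-away CA `/O=Example Org/CN=Example CA`, a user `/O=Example Org/CN=alice` and the policy namespace `/O=Example Org/*` are assumptions standing in for the real CILogon or GCF material, and `openssl verify -allow_proxy_certs` stands in for the Globus chain check.

```shell
#!/bin/sh
# Added example, not from this wiki page nor from iRODS/Globus: the credential layout the page
# describes, exercised against a throw-away CA and user certificate generated here.
# Needs only the openssl command-line tool.  Functions:
#   make_trusted_dir - <hash>.0 link + <hash>.signing_policy (steps 2b/2c of "GCF w/ grid-proxy-init")
#   check_credential - what to confirm before mapping a DN with "iadmin aua"
#   make_proxy / proxy_identity / verify_proxy - "GCF w/ openssl proxy cert", steps 5-9
set -e

# Subject in Globus one-line form (/DC=org/DC=cilogon/...), the form iadmin aua expects.
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }

# make_trusted_dir <dir> <ca.pem> <subject-glob>  -> prints the hash used in the file names.
# The glob (e.g. "/DC=org/DC=cilogon/*") restricts which subjects this CA may vouch for; a
# policy of "*" would let the CA assert any identity, including another site's users.
make_trusted_dir() {
    dir=$1; ca=$2; ns=$3
    mkdir -p "$dir"
    hash=$(openssl x509 -in "$ca" -noout -subject_hash)
    cp "$ca" "$dir/$hash.0"
    cat > "$dir/$hash.signing_policy" <<EOF
access_id_CA      X509         '$(subject_dn "$ca")'
pos_rights        globus        CA:sign
cond_subjects     globus        '"$ns"'
EOF
    # Toolkits built on OpenSSL 0.9.8 look the CA up under the old-style hash; link that name too.
    old=$(openssl x509 -in "$ca" -noout -subject_hash_old 2>/dev/null || true)
    if [ -n "$old" ] && [ "$old" != "$hash" ]; then
        ln -sf "$hash.0" "$dir/$old.0"; ln -sf "$hash.signing_policy" "$dir/$old.signing_policy"
    fi
    echo "$hash"
}

# check_credential <cert.pem> <key.pem> <trusted-dir>  -> 0 if usable, 1 plus a reason otherwise.
check_credential() {
    cert=$1; key=$2; cadir=$3
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = 600 ] || { echo "FAIL: $key has mode $mode, want 600"; return 1; }
    # iRODS cannot prompt for a passphrase, so the key must be stored unencrypted (see step 3 of CILogon).
    if grep -q ENCRYPTED "$key"; then echo "FAIL: $key is passphrase-protected"; return 1; fi
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)" ] ||
        { echo "FAIL: $key does not belong to $cert"; return 1; }
    # The chain check the server makes at connect time against X509_CERT_DIR.
    openssl verify -CApath "$cadir" "$cert" >/dev/null 2>&1 || { echo "FAIL: $cert does not chain to $cadir"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: $cert has expired"; return 1; }
    echo "OK: $(subject_dn "$cert")"
}

# make_proxy <usercert.pem> <userkey.pem> <outfile>  -> prints the proxy subject.  RFC 3820: the
# subject is the signer's subject plus one CN (Globus uses a random serial), signed with the
# user's own key and carrying a critical proxyCertInfo extension.
make_proxy() {
    cert=$1; key=$2; out=$3; tmp=$(mktemp -d)
    serial=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    openssl genrsa -out "$tmp/key.pem" 2048 2>/dev/null
    openssl req -new -key "$tmp/key.pem" -subj "$(subject_dn "$cert")/CN=$serial" -out "$tmp/csr" 2>/dev/null
    echo 'proxyCertInfo=critical,language:id-ppl-inheritAll' > "$tmp/ext"   # proxy inherits the user's rights
    # openssl x509 counts whole days (grid-proxy-init defaults to 12 hours); keep proxies short-lived.
    openssl x509 -req -in "$tmp/csr" -CA "$cert" -CAkey "$key" -set_serial "$serial" -days 1 \
        -extfile "$tmp/ext" -out "$tmp/proxy.pem" 2>/dev/null
    cat "$tmp/proxy.pem" "$tmp/key.pem" "$cert" > "$out"   # Globus layout: proxy cert, proxy key, signer cert
    chmod 600 "$out"
    subject_dn "$tmp/proxy.pem"; rm -rf "$tmp"
}

# proxy_identity <proxyfile>: for a single-level proxy the identity is the proxy's issuer.
proxy_identity() { openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//'; }

# verify_proxy <proxyfile> <trusted-dir>: chain proxy -> signing user cert -> a CA in the trusted dir.
verify_proxy() {
    tmp=$(mktemp -d); rc=1
    openssl x509 -in "$1" -out "$tmp/proxy.pem"                        # first certificate = the proxy
    awk '/BEGIN CERTIFICATE/ { n++ } n > 1' "$1" > "$tmp/signer.pem"  # the certificate after the key
    openssl verify -allow_proxy_certs -CApath "$2" -untrusted "$tmp/signer.pem" "$tmp/proxy.pem" >/dev/null 2>&1 && rc=0
    rm -rf "$tmp"; return $rc
}

# Constructed demo material (not real CILogon/GCF data): a throw-away CA and a user credential it signed.
demo_setup() {
    w=$1; mkdir -p "$w"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$w/ca.ext"
    openssl genrsa -out "$w/ca.key" 2048 2>/dev/null
    openssl req -new -key "$w/ca.key" -subj "/O=Example Org/CN=Example CA" -out "$w/ca.csr" 2>/dev/null
    openssl x509 -req -in "$w/ca.csr" -signkey "$w/ca.key" -days 1 -extfile "$w/ca.ext" -out "$w/ca.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$w/user.ext"  # digitalSignature lets it sign a proxy
    openssl genrsa -out "$w/userkey.pem" 2048 2>/dev/null
    openssl req -new -key "$w/userkey.pem" -subj "/O=Example Org/CN=alice" -out "$w/user.csr" 2>/dev/null
    openssl x509 -req -in "$w/user.csr" -CA "$w/ca.pem" -CAkey "$w/ca.key" -set_serial 1 -days 1 -extfile "$w/user.ext" -out "$w/usercert.pem" 2>/dev/null
    chmod 600 "$w/userkey.pem"
}

# Demo run; with the page's real material the inputs would be the CILogon or GCF files instead.
W=$(mktemp -d); demo_setup "$W"
make_trusted_dir "$W/certificates" "$W/ca.pem" "/O=Example Org/*" >/dev/null
check_credential "$W/usercert.pem" "$W/userkey.pem" "$W/certificates"
make_proxy "$W/usercert.pem" "$W/userkey.pem" "$W/x509up_demo" >/dev/null
verify_proxy "$W/x509up_demo" "$W/certificates" && echo "proxy chain verifies"
echo "iadmin aua alice '$(proxy_identity "$W/x509up_demo")'"
rm -rf "$W"
```

For real use, point `make_trusted_dir` at each CA file from the CILogon tarball or the GCF trusted_roots directory with that CA's actual subject namespace, and run `check_credential` on the server's hostcert.pem/hostkey.pem and on the client's user pair before touching `iadmin aua`; the DN it prints is the exact string to map. The `cond_subjects` pattern is the part most often left as `"*"`, which turns every trusted CA into an authority for every identity, so it is worth tightening.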