Version 9 (modified by Jeanne Ohren, 7 years ago)

Using iRODS with Grid Security Infrastructure (GSI)

Overview

This is an experiment to set up an iRODS server and client using GSI authentication rather than username/password authentication. I ran this experiment using two raw nodes running Ubuntu 12.04 at Protogeni Utah.

Configuration

iRODS server: pc475.emulab.net
iRODS client: pc321.emulab.net

Installation

Server

  1. The software must be installed as a non-root user, so I created a "globus" user:
       sudo useradd -m -s /bin/bash globus
       sudo passwd globus

  2. Install the libltdl-dev package:
       sudo apt-get install libltdl-dev

  3. Make the directory in which GSI will be installed (a world-writable directory is fine for this experiment; for anything longer-lived, chown it to globus instead):
       sudo mkdir /usr/local/globus
       sudo chmod a+w /usr/local/globus

  4. Change to the globus user:
       su - globus

  5. Download the iRODS and GSI software to the globus home directory.

  6. Build GSI:
       cd /home/globus
       tar -zxvf gt5.2.2-all-source-installer.tar.gz
       cd gt5.2.2-all-source-installer
       export GLOBUS_LOCATION=/usr/local/globus
       ./configure --prefix $GLOBUS_LOCATION
       make globus-gsi

  7. A few tweaks I had to make to get iRODS to build:
       cd /usr/local/globus/include/globus
       ln -s gcc64dbg/globus_config.h

       cd /usr/local/globus
       mv lib/perl lib64
       mv lib lib.old
       ln -s lib64 lib

  8. Build iRODS:
       cd /home/globus/iRODS
       ./irodssetup


Answers to the irodssetup questions:

globus@pc:~/iRODS$ ./irodssetup

    Include additional prompts for advanced settings [no]? no
    Build an iRODS server [yes]? yes
    Make this Server ICAT-Enabled [yes]?  yes
    iRODS zone name [tempZone]? tempZone
    iRODS login name [rods]? rods
    Password [rods]? rods
    Download and build a new Postgres DBMS [yes]? yes
    New Postgres directory? /home/globus/iRODS/postgres
    New database login name [globus]? globus
    Password? globus
    PostgreSQL version [postgresql-9.0.3.tar.gz]? postgresql-9.0.3.tar.gz
    ODBC version [unixODBC-2.2.12.tar.gz]?  unixODBC-2.2.12.tar.gz
    Include GSI [no]? yes
    GLOBUS_LOCATION [/usr/local/globus]? /usr/local/globus
    GSI Install Type to use (or 'none')? globus
    Include Kerberos [no]? no
    Include the NCCS Auditing extensions [no]? no
    Save configuration (irods.config) [yes]? yes

  9. Add the following to /home/globus/.bashrc:
       export PATH=/home/globus/iRODS/clients/icommands/bin:$PATH
       export GLOBUS_LOCATION=/usr/local/globus
       export LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib


Client

Same as the server, except that you answer "no" to the following question during irodssetup:

    Build an iRODS server [yes]? no

Configuring iRODS

Server

  1. Make the .irods subdirectory:
       mkdir /home/globus/.irods

  2. Configure the iRODS client on the server node to use the rods user, in the file /home/globus/.irods/.irodsEnv:
       # iRODS server host name:
       irodsHost 'pc475.emulab.net'
       # iRODS server port number:
       irodsPort 1247

       # Default storage resource name:
       irodsDefResource 'demoResc'
       # Home directory in iRODS:
       irodsHome '/tempZone/home/rods'
       # Current directory in iRODS:
       irodsCwd '/tempZone/home/rods'
       # Account name:
       irodsUserName 'rods'
       # Zone:
       irodsZone 'tempZone'

  3. Create users (I had alice). A password is not needed since we will be using GSI:
       iadmin mkuser alice rodsuser

  4. We will add the user authentication ids later, after we set up the certificates.

Client

  1. Make the .irods subdirectory:
       mkdir /home/globus/.irods

  2. Configure the iRODS client on the client node to use GSI authentication and the alice user. Create the file /home/globus/.irods/.irodsEnv with contents similar to the following:
       # iRODS server host name:
       irodsHost 'pc475.emulab.net'
       # iRODS server port number:
       irodsPort 1247

       # Default storage resource name:
       irodsDefResource 'demoResc'
       # Home directory in iRODS:
       irodsHome '/tempZone/home/alice'
       # Current directory in iRODS:
       irodsCwd '/tempZone/home/alice'
       # Account name:
       irodsUserName 'alice'
       # Zone:
       irodsZone 'tempZone'

       irodsAuthScheme GSI


Setting up the certificates

I configured three different types of certificates: CILogon certificates, GENI/GCF certificates with grid-proxy-init, and GENI/GCF certificates with an openssl-generated proxy.

In all cases, I needed the following:

  • Two different cert/key pairs: one for the client and one for the server.
  • Proxy certificate
  • The CA certificates

CILogon

I logged into https://cilogon.org and used two different Google accounts to get the two cert/key pairs.

  1. For each account, select "Get New Certificate". When the certificate is generated, click on the "download certificate" link. This should download a PKCS12 format certificate.

  2. Convert each p12 file to cert and key files (the first account's credential becomes the client pair, the second's the server pair):
       openssl pkcs12 -in user1cred.p12 -nokeys -out usercert.pem
       openssl pkcs12 -in user1cred.p12 -nocerts -out userkey.pem
       openssl pkcs12 -in user2cred.p12 -nokeys -out hostcert.pem
       openssl pkcs12 -in user2cred.p12 -nocerts -out hostkey.pem

     NOTE: the server pair must be named hostcert.pem and hostkey.pem.

  3. Strip the passphrase from the host key (iRODS does not support host keys with passphrases; the key is then stored unencrypted and is protected only by the file permissions set in the server steps below):
       openssl rsa -in /tmp/hostkey.pem -out hostkey.pem

  4. Download the CA certificates from https://cilogon.org/cilogon-ca-certificates.tar.gz

You should end up with the following:

  • A cert/key pair for the iRODS client
  • A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
  • The CA certificate tarball

Server

  1. Create the directory /home/globus/.globus:
       mkdir /home/globus/.globus

  2. Place the hostkey.pem and hostcert.pem files in /home/globus/.globus:
       mv /tmp/hostkey.pem /home/globus/.globus
       mv /tmp/hostcert.pem /home/globus/.globus

  3. Change the permissions of hostkey.pem to 0600:
       chmod 600 /home/globus/.globus/hostkey.pem

  4. Untar the CA certificate tarball and move the certificates directory into /home/globus/.globus:
       tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
       mv cilogon-ca/certificates /home/globus/.globus

Client

You can do this as any user. I used user johren.

  1. Create the directory /home/johren/.globus:
       mkdir /home/johren/.globus

  2. Place the userkey.pem and usercert.pem files in /home/johren/.globus:
       mv /tmp/userkey.pem /home/johren/.globus
       mv /tmp/usercert.pem /home/johren/.globus

  3. Change the permissions of userkey.pem to 0600:
       chmod 600 /home/johren/.globus/userkey.pem

  4. Untar the CA certificate tarball and move the certificates directory into /home/johren/.globus (the same directory that X509_CERT_DIR points at in the next step):
       tar -zxvf /tmp/cilogon-ca-certificates.tar.gz
       mv cilogon-ca/certificates /home/johren/.globus

  5. Set the environment:
       export X509_CERT_DIR=/home/johren/.globus/certificates
       export X509_USER_CERT=/home/johren/.globus/usercert.pem
       export X509_USER_KEY=/home/johren/.globus/userkey.pem

  6. Create the proxy certificate:
       cd /home/johren/.globus
       /usr/local/johren/bin/grid-proxy-init -debug


Output should look something like this:

User Cert File: /users/johren/.globus/usercert.pem
User Key File: /users/johren/.globus/userkey.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy .++++++++++++
....................++++++++++++
 Done
Your proxy is valid until: Fri Nov 30 19:26:51 2012
  7. Verify the proxy certificate:
       /usr/local/johren/bin/grid-proxy-init -debug -verify


Output should look something like this:

User Cert File: /users/johren/.globus/usercert.pem
User Key File: /users/johren/.globus/userkey.pem

Trusted CA Cert Dir: /users/johren/.globus/certificates/

Output File: /tmp/x509up_u20001
Your identity: /DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700
Enter GRID pass phrase for this identity:
Creating proxy ..............................++++++++++++
......++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:27:15 2012
  8. Unset X509_USER_CERT and X509_USER_KEY so that the proxy certificate is used:
       unset X509_USER_CERT
       unset X509_USER_KEY

  9. Go back to the iRODS server and add the user authentication id. The identity is the one shown on the "Your identity:" line of the grid-proxy-init output above:
       iadmin aua alice '/DC=org/DC=cilogon/C=US/O=Google/CN=Jeanne Ohren A1700'

  10. Now you should be able to run ils:
       johren@pc:/tmp$ ils
       /tempZone/home/alice:


GCF w/ grid-proxy-init

I downloaded the GCF code () to generate GENI certificates from my own clearinghouse.

  1. Run src/gen-certs.py to generate certificates for both the host and the client:
       ./src/gen-certs.py
       ./src/gen-certs.py --notAll --exp -u host
       ./src/gen-certs.py --notAll --exp -u alice

  2. Configure the root CA certificates. These can be found in the trusted_roots directory generated above. However, a hash link and a signing_policy file need to be created for each cert.

     2a. Move the trusted_roots directory to /home/johren/.globus/certificates.

     2b. Determine the hash of the certificate and create the link.

     2c. Create the signing_policy file and create a hash link for it.

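Steps 2b and 2c as commands, added here as an example that is not part of the original page. It assumes the openssl command is on PATH; the function name and argument layout are this example's own, and the signing_policy layout is the standard Globus format. Call it once per CA certificate in trusted_roots, passing the subject pattern that CA is allowed to sign for.

```shell
#!/bin/sh
# Added example, not from the original page: install one CA certificate into a
# Globus-style trusted CA directory (e.g. /home/johren/.globus/certificates),
# creating the <hash>.0 link and the <hash>.signing_policy file that GSI
# needs before it will accept certificates issued by that CA.
# Assumes the openssl command is on PATH; the function name and the argument
# layout are this example's own choices.
#
# usage: install_ca_cert <ca-cert.pem> <certificates dir> '<subject pattern>'
install_ca_cert() {
    ca_pem=$1; cert_dir=$2; pattern=$3
    mkdir -p "$cert_dir"

    # CA distinguished name in the /X=y/... form that Globus uses in policies.
    ca_dn=$(openssl x509 -in "$ca_pem" -noout -subject -nameopt compat |
            sed 's/^subject= *//')

    # OpenSSL 1.0+ names trust files by a SHA-1 subject hash; older Globus and
    # OpenSSL 0.9.8 builds use the MD5 hash, so provide both names.
    new_hash=$(openssl x509 -in "$ca_pem" -noout -subject_hash)
    old_hash=$(openssl x509 -in "$ca_pem" -noout -subject_hash_old)

    cp "$ca_pem" "$cert_dir/$new_hash.0"
    [ -e "$cert_dir/$old_hash.0" ] || ln -s "$new_hash.0" "$cert_dir/$old_hash.0"

    # Without a signing_policy GSI refuses every certificate from this CA; the
    # cond_subjects pattern limits which subject names the CA may vouch for.
    for h in "$new_hash" "$old_hash"; do
        cat > "$cert_dir/$h.signing_policy" <<EOF
access_id_CA      X509         '$ca_dn'
pos_rights        globus        CA:sign
cond_subjects     globus       '"$pattern"'
EOF
    done
    chmod 644 "$cert_dir/$new_hash.0" "$cert_dir"/*.signing_policy
}
```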
You should end up with the following:

  • A cert/key pair for the iRODS client
  • A cert/key pair for the iRODS server (must be named hostcert.pem and hostkey.pem)
  • The CA certificate directory

Server

  1. Place the hostkey.pem and hostcert.pem files (generated above) in /home/globus/.globus:
       mv /tmp/hostkey.pem /home/globus/.globus
       mv /tmp/hostcert.pem /home/globus/.globus

  2. Change the permissions of hostkey.pem to 0600:
       chmod 600 /home/globus/.globus/hostkey.pem

  3. Copy the CA certificates created above to /home/globus/.globus/certificates.

Client

  1. Place the alicekey.pem and alicecert.pem files in /home/johren/.globus:
       mv /tmp/alicekey.pem /home/johren/.globus
       mv /tmp/alicecert.pem /home/johren/.globus

  2. Change the permissions of alicekey.pem to 0600:
       chmod 600 /home/johren/.globus/alicekey.pem

  3. Copy the CA certificates created above to /home/johren/.globus/certificates.

  4. Set the environment:
       export X509_CERT_DIR=/home/johren/.globus/certificates
       export X509_USER_CERT=/home/johren/.globus/alicecert.pem
       export X509_USER_KEY=/home/johren/.globus/alicekey.pem

  5. Create the proxy certificate:
       cd /home/johren/.globus
       /usr/local/johren/bin/grid-proxy-init -debug


Output should look something like this:

User Cert File: /users/johren/.globus/alice-cert.pem
User Key File: /users/johren/.globus/alice-key.pem

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .......................................++++++++++++
.........++++++++++++
 Done
Your proxy is valid until: Fri Nov 30 19:57:41 2012
  6. Verify the proxy certificate:
       /usr/local/johren/bin/grid-proxy-init -debug -verify


Output should look something like this:

User Cert File: /users/johren/.globus/alice-cert.pem
User Key File: /users/johren/.globus/alice-key.pem

Trusted CA Cert Dir: /users/johren/.globus/certificates/

Output File: /tmp/x509up_u20001
Your identity: /CN=geni//gpo//gcf.user.alice
Creating proxy .++++++++++++
.....++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Nov 30 19:57:56 2012
  7. Unset X509_USER_CERT and X509_USER_KEY so that the proxy certificate is used:
       unset X509_USER_CERT
       unset X509_USER_KEY

  8. Go back to the iRODS server and add the user authentication id. The identity is the one shown on the "Your identity:" line of the grid-proxy-init output above:
       iadmin aua alice '/CN=geni//gpo//gcf.user.alice'

  9. Now you should be able to run ils:
       johren@pc:/tmp$ ils
       /tempZone/home/alice:


GCF w/ openssl proxy cert

Server

Same as GCF w/ grid-proxy-init.

Client

Steps 1-3 are the same as GCF w/ grid-proxy-init.

  4. Get the identity from the GCF cert.
  5. Create the CSR.
  6. Create the proxy certificate.
  7. Concatenate the new proxy cert, the new private key, and the original certificate into a file named x509up_uXXXXX, where XXXXX is the same number grid-proxy-init used in its output file name (the numeric user id).
  8. Copy the concatenated file to /tmp.
  9. Run grid-proxy-info to get the identity of the proxy certificate.
  10. Go back to the iRODS server and add the user authentication id:
       iadmin aua alice '/CN=geni//gpo//gcf.user.alice'

  11. Now you should be able to run ils:
       johren@pc:/tmp$ ils
       /tempZone/home/alice:


References

https://code.renci.org/gf/project/jargon/tracker/?action=TrackerItemEdit&tracker_item_id=132
http://www.nordugrid.org/documents/certificate_howto.html
https://cilogon.org/
https://www.irods.org/index.php/Grid_Security_Infrastructure
