Advanced Globus 2.4 Configuration

These instructions will show you how to configure the various server daemons beyond the default configuration.

Configuring GRAM

Advanced configuration of GRAM consists of the following tasks:

  1. Adding jobmanagers
  2. Adding trust to a new CA/removing trust from an old CA
  3. Starting your own CA
  4. Adding gram-reporter

  1. Adding jobmanagers

    The fork job manager scheduler package is the only one included in the Resource Management service bundle.  It will be installed when running gpt-postinstall.  Additional schedulers can be added by installing the job manager setup package for your scheduler.  Look for the one appropriate to your scheduler on the download page.  To install it, run "gpt-install <scheduler-setup-packages>", then "gpt-postinstall".

    The first job manager scheduler package installed will be installed as the default job manager service (e.g. $GLOBUS_LOCATION/grid-services/jobmanager).  Additional job manager scheduler packages installed will be installed using the convention "jobmanager-<scheduler-name>" (e.g. $GLOBUS_LOCATION/grid-services/jobmanager-pbs).

    All job manager scheduler setup packages accept the argument "-service-name <name>", which lets you install a non-fork scheduler as the default job manager service.  For example, this command will set the pbs scheduler as the default job manager service:

      % setup-globus-job-manager-pbs -service-name jobmanager

    If you need to alter the behavior of the job manager scheduler interface, or you want to create a new job manager scheduler interface for a scheduler that is not available, see this tutorial web page.

    The details of how to make a client submit to a non-default gatekeeper are covered in the user's guide section.

    Note: If you wish to have your job manager report into your MDS, you need to install the appropriate GRAM Reporter setup package for your scheduler.  The GRAM Reporter setup packages for each scheduler can be found on the download page.

  2. Adding trust to a new CA/removing trust from an old CA

    The set of trusted Certificate Authorities is contained in the /etc/grid-security/certificates directory. By default, that directory contains two entries. One, called 42864e48.0, is the public certificate of the Globus CA. The other, called 42864e48.signing_policy, is the signing policy for the Globus CA certificate.

    The name "42864e48" comes from the openssl -hash option. If you create your own Certificate Authority, you can use the command openssl x509 -in yourcert.pem -noout -hash to determine its hash value. You will need to place a copy of that public certificate, under the name hash.0 (where "hash" is the output of the openssl command), in the /etc/grid-security/certificates directory of every Toolkit installation that should trust certificates signed by your CA. Additionally, you will have to create a hash.signing_policy file which contains the DN of your CA, as well as the namespace for which your CA signs.

    Namespaces for CAs are designed to be unique. If you do establish your own CA, do not use the "/O=Grid/O=Globus" namespace. That is reserved for the Globus CA.

    Removing trust for a particular CA is as easy as deleting the two files which correspond to the CA. First, look for the .signing_policy which corresponds to the CA you want to remove. Then remove both the .signing_policy and .0 file that correspond to that hash.
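
    The lookup and removal steps above, as an added shell example that is not part of the Globus distribution. The function names, the sample hashes and the "Example Test CA" DN are constructed for illustration; the example also reports hashes that have only one of the two files, which is what a half-finished addition or removal leaves behind.

```shell
#!/bin/sh
# Added example, not Globus code. CERT_DIR defaults to the directory named
# on the page; point it at a scratch directory when trying this out.
CERT_DIR="${CERT_DIR:-/etc/grid-security/certificates}"

# Print the hash of each CA whose signing policy mentions the DN in $1.
find_ca_hash() {
    for policy in "$CERT_DIR"/*.signing_policy; do
        [ -f "$policy" ] || continue
        if grep -qF -- "$1" "$policy"; then
            basename "$policy" .signing_policy
        fi
    done
}

# Print hashes that have only one of the two files: a certificate with no
# signing policy, or a policy left behind after its certificate was deleted.
unpaired_hashes() {
    for f in "$CERT_DIR"/*.0 "$CERT_DIR"/*.signing_policy; do
        [ -f "$f" ] || continue
        h=$(basename "$f")
        h=${h%%.*}
        if [ ! -f "$CERT_DIR/$h.0" ] || [ ! -f "$CERT_DIR/$h.signing_policy" ]; then
            echo "$h"
        fi
    done | sort -u
}

# Remove trust for one CA by deleting both files for hash $1.
remove_ca_trust() {
    case "$1" in
        ''|*[!0-9a-f]*) echo "not a hash: $1" >&2; return 1 ;;
    esac
    rm -f -- "$CERT_DIR/$1.0" "$CERT_DIR/$1.signing_policy"
}

# Build a constructed sample directory: one complete CA entry, one orphan.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/aaaa1111.0"
    : > "$d/bbbb2222.0"
    printf "access_id_CA X509 '%s'\n" '/O=Example Test Grid/CN=Example Test CA' \
        > "$d/aaaa1111.signing_policy"
    echo "$d"
}
```

    Run unpaired_hashes after every change to the directory; an empty result means each remaining hash still has both its .0 and .signing_policy file.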

  3. Starting your own CA

    There is now a Globus package named Simple CA which is designed to help you establish a CA for your test Grid.

  4. Adding gram-reporter

    If you installed the "All" or "All Server" binary bundles, the gram-reporter package was installed for you, since it was known at install time that you had both GRAM and MDS. gram-reporter publishes jobmanager information into MDS. 

    To enable gram-reporter, you need to install the globus-gram-reporter package plus one jobmanager-specific setup package.  You also need to edit the globus-job-manager.conf file to add the "-publish-jobs" and "-job-reporting-dir" options, as described in the GRAM jobmanager documentation.  The jobmanager will output status files to the -job-reporting-dir, which gram-reporter will read and publish into MDS.

Configuring MDS

Advanced configuration of MDS consists of the following tasks:

  1. Deciding whether or not to allow anonymous access
  2. Configuring which GIISes a particular GRIS will report to
  3. Configuring which GRISes a particular GIIS allows to report to it
  4. Configuring a hierarchical GIIS
  5. Adding new information providers

  1. Deciding whether or not to allow anonymous access

    The file $GLOBUS_LOCATION/etc/grid-info-slapd.conf contains the lines which allow or disallow anonymous binding to the GRIS and GIIS. By default, it is configured to allow anonymous access to both. If you want non-anonymous access, you will need to acquire an LDAP certificate.

    The lines you need to change are the anonymousbind options. By default, they say yes. Change this to no to disable anonymous access. You will now need a separate authorization file called $GLOBUS_LOCATION/etc/grid-mapfile. It has the same syntax as the GRAM grid-mapfile, mapping from certificate subjects to usernames.

  2. Configuring which GIISes a particular GRIS will report to

    The file $GLOBUS_LOCATION/etc/grid-info-resource-register.conf contains a list of registrations. Each entry specifies a GRIS with the "reghn, regport" information, and a GIIS for that GRIS to report into with the "hn, port" entries. The full syntax is listed in the guide to configuration files.

    By default, this file is configured to have the local GRIS report into the local GIIS. Be aware that a GIIS has a configuration file which tells it which registrations to accept. If you add reporting from a GRIS to a GIIS, you must also configure the GIIS to accept the registration from the GRIS.

  3. Configuring which GRISes a particular GIIS allows to report to it

    The file $GLOBUS_LOCATION/etc/grid-info-site-policy.conf controls the acceptance of registration messages by a GIIS. The default is for the GIIS to accept registrations only from itself, and from port 2135. This file must be modified from the default to accept outside GRISes, as well as in a hierarchical GIIS environment.

  4. Configuring a hierarchical GIIS

    See the Hierarchical GIIS PDF for details. You will need to add a registration from your local GIIS to a remote GIIS, as well as configuring the remote GIIS to accept your registration.

  5. Adding an information provider

    The GRIS comes configured to provide information about basic machine resources, like memory, disk space, and networking. You may wish to have the GRIS provide some more application-specific information, or other information which your virtual organization decides to publish about its machines.

    See the MDS web pages for a discussion of how to add a provider.

Configuring Grid-FTP

Advanced configuration of GridFTP consists of the following tasks:

  1. Enabling third-party transfer

  1. Enabling third-party transfer

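    Enabling third-party transfers involves editing the $GLOBUS_LOCATION/etc/ftpaccess file to add the lines

      port-allow all 0.0.0.0/0
      pasv-allow all 0.0.0.0/0

    on both sides of the third-party connection. The range 0.0.0.0/0 matches every IPv4 address, so these lines place no restriction on which hosts may take part in the data connection.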

Charles Bacon

Last modified: Thu Apr 24 10:15:09 CDT 2002