Globus Toolkit 3.2: Installation Guide

Required Configuration

This section covers required configuration for the Globus Toolkit 3.2. It includes setting up the Grid Security Infrastructure (GSI) and acquiring host and user certificates for very basic purposes such as running a demo or a basic Grid service.

Requirements
Setting environment variables
In order for the system to know the location of the Globus Toolkit commands you just installed, you must set an environment variable and source the globus-user-env.sh script.
1. As globus, set GLOBUS_LOCATION to where you installed the Globus Toolkit.

This is export GLOBUS_LOCATION=/path/to/install in a Bourne shell, or setenv GLOBUS_LOCATION /path/to/install in a C shell.

2. Source $GLOBUS_LOCATION/etc/globus-user-env.{sh,csh}, depending on your shell:

  • .sh for Bourne shell
  • .csh for C shell

Certificate Authority (CA) options

Your best option is to use an already existing CA. You may have access to one from the company you work for, or an organization you are affiliated with. Some universities provide certificates for their members and affiliates. Contact your support organization for details about how to acquire a certificate. You may find your CA listed in the TERENA Repository.

If you do not have an existing CA, you can set up a CA for your own use with the Globus SimpleCA package. SimpleCA provides a wrapper around the openssl CA functionality and is sufficient for simple Grid services. Alternatively, you can use openssl's CA.sh command on its own.

You can also use an online certificate service. However, this option should only be used as a last resort because it does not fulfill some of the duties of a real Certificate Authority. If you must use this option, please see the following link for instructions: http://gcs.globus.org:8080/gcs.

  • If you do not have access to an existing CA and want to use SimpleCA, continue with step 3.
  • If you already have a CA, you will need to follow their configuration directions. If they include a CA setup package, you may continue to step 11 directly. If they do not, you will need to create an /etc/grid-security/certificates directory and include the CA cert and signing policy in that directory. See Configuring a Trusted CA for more details. Then proceed to step 11.
SimpleCA: Creating users
3. Make sure you have the following users on your machine:

  • Your user account, which will be used to run the client programs.
  • A generic globus account, which will be used to perform administrative tasks such as starting and stopping the container, deploying services, etc. This user will also be in charge of managing the SimpleCA. To do this, make sure this account has read and write permissions in the $GLOBUS_LOCATION directory.
SimpleCA: Running the setup script
A script was installed to set up a new SimpleCA. You only need to run this script once per grid.
4. Run the setup script:

$GLOBUS_LOCATION/setup/globus/setup-simple-ca

Subject name: The script first prompts you to confirm the subject name of the CA you are creating:

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-mayed.mcs.anl.gov, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:

The common name (cn) is Globus Simple CA, which identifies this particular certificate as the CA certificate within the GlobusTest/simpleCA-hostname domain.

The first organizational unit (ou) is GlobusTest, and the second ou is specific to your hostname; it distinguishes this CA from CAs that other people create with SimpleCA.

The organization (o) is Grid.

5. Press y to keep the default subject name (recommended).

Email: The next prompt looks like:

Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA):
6. Enter the email address at which you intend to receive certificate requests. It should be a real email address that you check, not the address of the globus user.

Expiration: Then you'll see:

The CA certificate has an expiration date. Keep in mind that 
once the CA certificate has expired, all the certificates 
signed by that CA become invalid.  A CA should regenerate 
the CA certificate and start re-issuing ca-setup packages 
before the actual CA certificate expires.  This can be done 
by re-running this setup script.  Enter the number of DAYS 
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:

This is the number of days for which the CA certificate is valid. Once this time expires, the CA certificate will have to be recreated and all of the certificates it signed reissued.

7. Accept the default (recommended).

Passphrase:

Generating a 1024 bit RSA private key
........++++++
................++++++
writing new private key to '/home/globus/.globus/simpleCA//private/cakey.pem'
Enter PEM pass phrase:

The passphrase of the CA certificate is used only when signing certificates (with grid-cert-sign). It should be hard to guess: if it is compromised, every certificate signed by the CA is compromised with it.

8. Enter your passphrase.

Important: Your passphrase must not contain any spaces.

Finally you'll see the following:

A self-signed certificate has been generated 
for the Certificate Authority with the subject: 

/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/CN=Globus Simple CA

If this is invalid, rerun this script 

setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/home/globus/.globus/simpleCA//globus_simple_ca_68ea3306_setup-0.17.tar.gz

This information will be important for setting up other machines in your grid. The number 68ea3306 in the last line is your CA hash; it is always an 8-digit hexadecimal string, and yours will differ from this one.

9. Press any key to acknowledge this screen.

Your CA setup package finishes installing and ends the procedure with the following reminder:

***************************************************************************

Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:

/opt/gt3/setup/globus_simple_ca_68ea3306_setup/setup-gsi

For further information on using the setup-gsi script, use the -help
option.  The -default option sets this security configuration to be 
the default, and -nonroot can be used on systems where root access is 
not available.

***************************************************************************

setup-ssl-utils: Complete

We'll cover this last step in the next section. For now, just notice that it refers to your $GLOBUS_LOCATION and the CA Hash from the last message.

Finalizing GSI
10. To finish the setup of GSI, run as root (or, if no root privileges are available, add the -nonroot option to the command line):

$GLOBUS_LOCATION/setup/globus_simple_ca_CA_Hash_setup/setup-gsi -default

The output should look like:

setup-gsi: Configuring GSI security
Installing /etc/grid-security/certificates//grid-security.conf.CA_Hash...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete

Requesting and signing host certificates

You must request and sign a host certificate and then copy it into the appropriate directory for secure services. The certificate must be for a machine with a stable name in DNS; do not request one on a computer using DHCP, where a different name could be assigned to the machine later.

11. Request a host certificate: As root, run:

grid-cert-request -host 'hostname'

This creates the following files:

  • /etc/grid-security/hostkey.pem
  • /etc/grid-security/hostcert_request.pem
  • (an empty) /etc/grid-security/hostcert.pem

Note: If you are using your own CA, follow their instructions about creating a hostcert (one which has a commonName (CN) of your hostname), then place the cert and key in the /etc/grid-security/ location. You may then proceed to user certificates.

12. Sign the host certificate: as globus, run:

grid-ca-sign -in hostcert_request.pem -out hostsigned.pem

A signed host certificate, named hostsigned.pem, is written to the current directory.

When prompted for a passphrase, enter the one you specified in step 8 (the passphrase for the private key of the CA certificate).

13. As root, move the signed host certificate to /etc/grid-security/hostcert.pem.

The certificate should be owned by root and readable, but not writable, by other users.

The key should be readable only by root.

Requesting and signing user certificates
Users also must request user certificates, which you will sign using the globus user.
14. Request a user certificate: As your normal user account (not globus), run:

grid-cert-request

After you enter a passphrase, this creates

  • ~$USER/.globus/usercert.pem (empty)
  • ~$USER/.globus/userkey.pem
  • ~$USER/.globus/usercert_request.pem

Email the usercert_request.pem file to the SimpleCA maintainer.

Note: If you are using your own CA, follow their instructions about creating a usercert (one which has a commonName (CN) of your real name), then place the cert and key in the ~USER/.globus/ location. You may then proceed to verifying proxy creation.

15. Sign the user certificate: as the SimpleCA owner globus, run:

grid-ca-sign -in usercert_request.pem -out signed.pem

When prompted for a passphrase, enter the one you specified in step 8 (the passphrase for the private key of the CA certificate).

Now send the signed copy (signed.pem) back to the user who requested the certificate.

16. As your normal user account (not globus), copy the signed user certificate into ~/.globus/ and rename it to usercert.pem, replacing the empty file.

The certificate should be owned by the user and readable, but not writable, by other users.
The key should be readable only by its owner.
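The ownership and permission rules of steps 13 and 16, as an added example that is not part of the Globus Toolkit: a Python check for a certificate/key pair that also flags the empty certificate file grid-cert-request leaves behind until the signed one replaces it. The files checked in demo() are constructed in a temporary directory; the owner uid and the paths are the only inputs.

```python
"""Check GSI cert/key ownership and modes (added example, not Globus Toolkit code)."""
import os
import stat
import tempfile

def check_pair(cert_path, key_path, expected_uid):
    """Return a list of problems for a cert/key pair; an empty list means it is acceptable."""
    problems = []
    for label, path in (("cert", cert_path), ("key", key_path)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{label}: {path} is missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != expected_uid:
            problems.append(f"{label}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_size == 0:
            # grid-cert-request creates an empty cert file; it stays empty until the signed one replaces it
            problems.append(f"{label}: {path} is empty, the signed certificate has not been installed")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label}: mode {mode:04o} is writable by group or other")
        if label == "key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"key: mode {mode:04o} is accessible by group or other; use 0400")
    return problems

def demo():
    """Check two constructed pairs in a temp dir: one correct, one with the usual mistakes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, cert_body, cert_mode, key_mode in (
            ("good", "-----BEGIN CERTIFICATE-----\n...placeholder...\n", 0o644, 0o400),
            ("bad", "", 0o644, 0o644),   # empty cert left by grid-cert-request, world-readable key
        ):
            cert = os.path.join(d, f"{name}_hostcert.pem")
            key = os.path.join(d, f"{name}_hostkey.pem")
            with open(cert, "w") as f:
                f.write(cert_body)
            with open(key, "w") as f:
                f.write("-----BEGIN RSA PRIVATE KEY-----\n...placeholder...\n")   # constructed
            os.chmod(cert, cert_mode)
            os.chmod(key, key_mode)
            results[name] = check_pair(cert, key, os.getuid())
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

On a real host, run check_pair('/etc/grid-security/hostcert.pem', '/etc/grid-security/hostkey.pem', 0) as root for the host pair, or pass ~/.globus/usercert.pem, ~/.globus/userkey.pem and os.getuid() for your user pair.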

17. To test that the SimpleCA certificate is installed in /etc/grid-security/certificates and that your certificate is in place with the correct permissions, run:

user$ grid-proxy-init -debug -verify

After entering your passphrase, successful output looks like:

[bacon@mayed schedulers]$ grid-proxy-init -debug -verify

User Cert File: /home/user/.globus/usercert.pem
User Key File: /home/user/.globus/userkey.pem

Trusted CA Cert Dir: /etc/grid-security/certificates

Output File: /tmp/x509up_u1817
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=User Name
Enter GRID pass phrase for this identity:
Creating proxy ..............................++++++++++++
...............++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Sat Mar 20 03:01:46 2004

Change the ownership and access permissions
Run the setperms.sh script to change the ownership of some Globus files under the $GLOBUS_LOCATION/bin directory. This step allows resource management tools to run as root.
18. As root, run:

$GLOBUS_LOCATION/bin/setperms.sh

Add Authorization
Add authorizations for users:
19. Create /etc/grid-security/grid-mapfile as root.

You need two pieces of information - the subject name of a user, and the account name it should map to.

The syntax is one line per user, with the certificate subject followed by the user account name.

Run grid-cert-info to get your subject name, and whoami to get the account name:

bacon$ grid-cert-info -subject
/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon
bacon$ whoami
bacon

The corresponding line in the grid-mapfile:

"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon" bacon

The quotes around the subject name are important, because it contains spaces.
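The grid-mapfile format described above, as an added example that is not part of the Globus Toolkit: a small Python checker that reads each line the way the guide describes (quoted subject, then account name), rejects subjects whose quotes are missing, and confirms that each account exists locally. The sample mapfile and the account list are constructed.

```python
"""Validate grid-mapfile entries (added example, not Globus Toolkit code)."""
import re
import shlex

# Constructed sample: a correct entry, an unquoted subject, and an unknown account.
SAMPLE_MAPFILE = '''\
"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Charles Bacon" bacon
/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=User Name user
"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=Other User" nobody_here
'''
LOCAL_ACCOUNTS = {"bacon", "user", "globus"}   # constructed stand-in for the machine's accounts

ACCOUNT_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")

def parse_line(line):
    """Split one mapfile line into (subject, account) or raise ValueError."""
    fields = shlex.split(line, comments=True)   # honours the double quotes around the subject
    if len(fields) != 2:
        raise ValueError("expected a quoted subject followed by one account name")
    subject, account = fields
    # An OpenSSL one-line subject starts with "/" and is a chain of /attr=value components
    # (a "/" inside an attribute value would defeat this simple split).
    if not subject.startswith("/") or not all("=" in rdn for rdn in subject.split("/")[1:]):
        raise ValueError(f"{subject!r} is not a /O=.../CN=... subject name")
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"{account!r} is not a valid local account name")
    return subject, account

def check_mapfile(text, local_accounts):
    """Return (mappings, errors): mappings is {subject: account}, errors is [(lineno, msg)]."""
    mappings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            subject, account = parse_line(raw)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if account not in local_accounts:
            errors.append((lineno, f"account {account!r} does not exist on this machine"))
        elif subject in mappings:
            errors.append((lineno, f"subject already mapped to {mappings[subject]!r}"))
        else:
            mappings[subject] = account
    return mappings, errors

if __name__ == "__main__":
    ok, bad = check_mapfile(SAMPLE_MAPFILE, LOCAL_ACCOUNTS)
    print(ok)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```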

Next Steps
20. At this point, you have a single machine configured. Recall that in step 8 a CA setup package was created in .globus/simpleCA//globus_simple_ca_HASH_setup-0.17.tar.gz. To use your certificates on another machine, you must install that CA setup package there. Copy the package to the second machine and run:

$GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca_HASH_setup-0.17.tar.gz gcc32dbg

Then run setup-gsi -default as in step 10. If you are going to run services on the second host, it will also need a host certificate and a grid-mapfile. You may reuse your user certificates on the new host. Any new certificate requests must be copied to the host where the SimpleCA was first installed in order to sign them.

Now you are ready to use secure services.

If you only want to test a basic Grid service, you are ready to test your installation.

If you want to use certain services, see the following topics: