Prev   Next

Configuring

Table of Contents

1. Trusted Certificates Location
2. Signing Policy Location
3. User Certificate Location
4. User Private Key Location
5. Proxy file Location
6. Public IP address
7. TCP Port Range

In general no extra configuration is required to use GSI Java. However, in certain cases additional configuration might be required. The GSI Java configuration file (based on Java CoG Kit) is placed in $HOME/.globus/cog.properties on Unix/Linux machines or %USERPROFILE%\.globus\cog.properties on Windows machines.

1. Trusted Certificates Location

Trusted certificates can be configured as described below and are loaded in the specified order:

  1. Property cacerts in configuration file cog.properties file can be used to set the trusted certificates. The value of the property is a list of comma-separated CA certificates or directories of certificates. Example:

    	  cacert = /home/gawor/MyCaCert.pem, /etc/grid-security/certificates/

    If a directory is specified in the list, all certificate files within that directory with .<digit> extension will be loaded.

  2. The system property X509_CERT_DIR can be used to configured trusted certificates. It is used if the cog.properties file is not found or the cacert property is not set

  3. Trusted certificates can be placed in ${user.home}/.globus/certificates directory. If system property is not set, this location is checked.

  4. The certificates can be placed in /etc/grid-security/certificates directory. This directory is checked on Unix/Linux machines if certificates are not found as described in previous steps.

If one of the above directories with certificates is found, all the certificates in that directory will be loaded and used. If no directory is found, GSI Java will not work.

2. Signing Policy Location

Signing policies are read in from the same directory as trusted certiricates. All files with <caHash>.signing_policy in the same directory as trusted certificates are loaded for processing. By defaul signing policies are required and enforced.

Signing policy enforcement can be disabled by setting a system property java.security.gsi.signing.policy to "no" or "false".

Details on signing policy grammar support is outlined here

3. User Certificate Location

User certificate can be configured as described below and an attempt is made to find the file in the order specified:

  1. Location of the file can be specified as value of property usercert in configuration file cog.properties

  2. Location of the user certificate can be set as value of environment variable X509_USER_CERT. This property is used if cog.properties file is not configured or the usercert property is not specified in the file.

  3. The certificate can be placed in default location ${user.home}/.globus/usercert.pem. If none of the above configuration is found, the library defaults to this location.

4. User Private Key Location

User private key can be configured as described below and an attempt is made to find the file in the order specified:

  1. Location of the file can be specified as value of property userkey in configuration file cog.properties

  2. Location of the user private key can be set as value of environment variable X509_USER_KEY. This property is used if cog.properties file is not configured or the userkey property is not specified in the file.

  3. The private key can be placed in default location ${user.home}/.globus/userkey.pem. If none of the above configuration is found, the library defaults to this location.

5. Proxy file Location

Proxy file can be configured as described below and an attempt is made to find the file in the order specified:

  1. Location of the file can be specified as value of property proxy in configuration file cog.properties

  2. Location of the proxy can be set as value of environment variable X509_USER_PROXY. This property is used if cog.properties file is not configured or the proxy property is not specified in the file.

  3. If the above configuration is not used, then the library looks for proxy in default location using the following rules:

    • If a UID system property is set, and running on a Unix/Linux machine it returns /tmp/x509up_u${UID}.

    • If on any other machine than Unix/Linux,it returns ${tempdir}/x509up_u${UID}, where tempdir is a platform-specific temporary directory as indicated by the java.io.tmpdir system property.

    • If a UID system property is not set, the username will be used instead of the UID. That is, it returns ${tempdir}/x509up_u_${user.name}, where tempdir is a platform-specific temporary directory as indicated by the java.io.tmpdir system property and user.name is a system property.

6. Public IP address

Sometimes, especially on machines with DHCP enabled, the local IP address of the machine might be incorrectly detected by Java or the wrong non-public IP address might be used if behind a NAT router or on VPN. To configure the public IP address used by GSI Java, add the following line to the configuration file:

ip=<current ip>

This has the same effect as setting the GLOBUS_HOSTNAME environment property or Java system property.

7. TCP Port Range

Sometimes it is necessary to restrict the listening port numbers that Java CoG Toolkit will use. To set the port range in the configuration file, just add the following line:

tcp.port.range=<min>,<max>

This has the same effect as setting the GLOBUS_TCP_PORT_RANGE environment property or Java system property.

Prev   Next
Building and installing Home Deploying