Software Links
Getting Started
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide
- Migrating Guides
Reference
Manuals
Common Runtime
Security
- GSI C
- GSI Java
- Java WS A&A
- C WS A&A (coming soon)
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
Data Mgt
WS MDS
Execution Mgt
Table of Contents
Credentials are looked for in the following order:
service credential
host credential
proxy credential
user credential
X509_USER_PROXY specifies the path to the
proxy credential. If X509_USER_PROXY is not set, the
proxy credential is created (by grid-proxy-init) and searched for (by
client programs) in an operating-system-dependent local temporary file.
X509_USER_CERT and X509_USER_KEY specify the path to the end
entity (user, service, or host) certificate and corresponding private key. The paths to the certificate and key files are determined as follows:
For service credentials:
- If
X509_USER_CERTandX509_USER_KEYexist and contain a valid certificate and key, those files are used. - Otherwise, if the files
/etc/grid-security/andservice/servicecert/etc/grid-security/exist and contain a valid certificate and key, those files are used.service/servicekey - Otherwise, if the files
$GLOBUS_LOCATION/etc/grid-security/andservice/servicecert$GLOBUS_LOCATION/etc/grid-security/exist and contain a valid certificate and key, those files are used.service/servicekey - Otherwise, if the files
service/servicecertservice/servicekey.globusdirectory exist and contain a valid certificate and key, those files are used.
For host credentials:
- If
X509_USER_CERTandX509_USER_KEYexist and contain a valid certificate and key, those files are used. - Otherwise, if the files
/etc/grid-security/hostcert.pemand/etc/grid-security/hostkey.pemexist and contain a valid certificate and key, those files are used. - Otherwise, if the files
$GLOBUS_LOCATION/etc/grid-security/hostcert.pemand$GLOBUS_LOCATION/etc/grid-security/hostkey.pemexist and contain a valid certificate and key, those files are used. - Otherwise, if the files
hostcert.pemandhostkey.pemin the user's.globusdirectory, exist and contain a valid certificate and key, those files are used.
For user credentials:
- If
X509_USER_CERTandX509_USER_KEYexist and contain a valid certificate and key, those files are used. - Otherwise, if the files
usercert.pemanduserkey.pemexist in the user's.globusdirectory, those files are used. - Otherwise, if a PKCS-12 file called
usercred.p12exists in the user's.globusdirectory, the certificate and key are read from that file.
GRIDMAP specifies the path to the grid map file,
which is used to map distinguished names (found in certificates) to local names (such as login
accounts). The location of the grid map file is determined as follows:
- If the
GRIDMAPenvironment variable is set, the grid map file location is the value of that environment variable. Otherwise:
- If the user is root (uid 0), then the grid map file is
/etc/grid-security/grid-mapfile. - Otherwise, the grid map file is
$HOME/.gridmap.
- If the user is root (uid 0), then the grid map file is
X509_CERT_DIR is used to specify the path to the trusted certificates
directory. This directory contains information about which CAs are trusted (including the
CA certificates themselves) and, in some
cases, configuration information used by grid-cert-request to formulate
certificate requests. The location of the trusted certificates directory is determined as
follows:
- If the
X509_CERT_DIRenvironment variable is set, the trusted certificates directory is the value of that environment variable. - Otherwise, if
$HOME/.globus/certificatesexists, that directory is the trusted certificates directory. - Otherwise, if
/etc/grid-security/certificatesexists, that directory is the trusted certificates directory. - Finally, if
$GLOBUS_LOCATION/share/certificatesexists, then it is the trusted certificates directory.
GSI_AUTHZ_CONF is used to specify the path to the
GSI authorization callout configuration file. This file is used to configure
authorization callouts used by both the gridmap and the authorization API. The location of the
GSI authorization callout configuration file is determined as follows:
- If the
GSI_AUTHZ_CONFenvironment variable is set, the authorization callout configuration file location is the value of this environment variable. - Otherwise, if
/etc/grid-security/gsi-authz.confexists, then this file is used. - Otherwise, if
$GLOBUS_LOCATION/etc/gsi-authz.confexists, then this file is used. - Finally, if
$HOME/.gsi-authz.confexists, then this file is used.
GSI_GAA_CONF is used to specify the path to the GSI GAA (Generic Authorization and Access control)
configuration file. This file is used to configure policy language specific
plugins to the GAA-API. The location of the GSI GAA configuration file is determined as
follows:
- If the
GSI_GAA_CONFenvironment variable is set, the GAA configuration file location is the value of this environment variable. - Otherwise, if
/etc/grid-security/gsi-gaa.confexists, then this file is used. - Otherwise, if
$GLOBUS_LOCATION/etc/gsi-gaa.confexists, then this file is used. - Finally, if
$HOME/.gsi-gaa.confexists, then this file is used.
GRID_SECURITY_DIR specifies a path to a directory containing configuration
files that specify default values to be placed in certificate requests. This environment
variable is used only by the grid-cert-request and grid-default-ca commands.
The location of the grid security directory is determined as follows:
- If the
GRID_SECURITY_DIRenvironment variable is set, the grid security directory is the value of that environment variable. - If the configuration files exist in
/etc/grid-security, the grid security directory is that directory. - if the configuration files exist in
$GLOBUS_LOCATION/etc, the grid security directory is that directory.