Overview

Overview of the Toolkit

Installation
– Prerequisites
– Installation Options

Security
– Certification Authorities
– Proxy Certificates
– Authorization
– Firewalls
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
1
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
2
Full Toolkit
Installation Prerequisites

Java 1.4.2

Ant 1.5+

C compiler

GNU make/tar/sed

JDBC-compliant database (like postgres)
– Required for RLS, RFT only

zlib for GSI-OpenSSH

sudo for GRAM
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
3
Full Toolkit
Optional Software

IODBC driver
– Required for RLS, not built by default

Apache Tomcat
– Required for WebMDS
– May optionally install Java WS Core into
Tomcat also
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
4
Installing Java WS Core Only

Core
– Source: run ant dist
– Binary: untar/unzip

This installs a Java-only development
platform
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
5
Full Installation

./configure

make

make install

Supports sub-targets if you want to build
only a subset of the toolkit. For instance:
– make gridftp
– make wsgram
– make globus-data-management-server
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
6
Installation Options

--prefix to control install dir

--with-iodbc=/path/to/iodbc
– Enables the build of RLS

--enable-wsgram-{condor,lsf,pbs}
– Install the WS-GRAM scheduler adapter

--with-gsiopensshargs=“args”
– Pass build arguments to GSI-OpenSSH like
“—with-tcpwrappers”
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
7
Installation Options (continued)

--with-gptlocation=“dir”
– If you want to install GPT outside of the
main install dir

--with-flavor=<flavor>
– Choose between GCC and vendorcc, 32/64
bits, whether to enable debugging symbols

--with-buildopts=“args”
– Pass options to the whole build, like
--verbose or –force
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
8
Supported Platforms

Apple Mac OS X

Linux
– Debian, Fedora Core, SuSE, RHEL, RedHat

FreeBSD

HP/UX

AIX

Solaris

Windows (Java only)
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
9
Master Configuration Checklist





Choose a CA or create one
Acquire hostcert, usercert
Create grid-mapfile
Add gsiopenssh, gridftp, and myproxy to
/etc/services and /etc/xinetd.d
Create a DB and dbuser for RFT
– Add –i to /etc/xinetd.d/postgresql
– Allow access in pg_hba.conf


Add GRAM sudo entries
Create copy of hostcert called containercert, add
container startup to /etc/init.d
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
10
Security Configuration


After installing the toolkit, we have the
tools to acquire certificates
Globus uses Grid Security Infrastructure
(GSI) for security
– PKI based, so we need X.509 certificates

This will provide mutual authentication
between services, single sign-on, and
cross-organizational security
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
11
Trusting a Certificate Authority

Two files must exist in the trusted CA
directory (/etc/grid-security/certificates by
default) to trust a CA:
– cert_hash.0 – the CA certificate
– cert_hash.signing_policy – CA signing policy

The hash may be found by running
– openssl x509 –hash –noout < CA_certfile
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
12
Finding Trusted CAs

If $X509_CERT_DIR set, there

Else, $HOME/.globus/certificates if it exists


Else /etc/grid-security/certificates if it
exists
Else
$GLOBUS_LOCATION/share/certificates
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
13
Configuration for
Certificate Request Generation

Three files per CA for requests
– globus-user-ssl.conf - Defines name prefix
for user certs
– globus-host-ssl.conf - Defines name prefix
for host certs
– grid-security.conf - Contains the name and
email address of the CA

Often provided as symlinks. grid-defaultca will allow you to change the active set
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
14
Finding
Certificate Request Configuration

If set, $GRID_SECURITY_DIR

Else /etc/grid-security if the files are there

Else $GLOBUS_LOCATION/etc
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
15
Acquiring Certificates




Best option: Acquire a certificate from an
existing Certificate Authority (CA)
Second-best: Setup a new CA for use
while you’re learning, and find a real CA
for later use
Last resort: Use a certificate from an
untrustworthy source
For all options, you must install the CA
certificate on every machine you use
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
16
Certificate: Best Option




You will have to prove your identity to the
CA, then will receive a certificate
You can check the TERENA Academic CA
Repository for research/academic CAs
The CA should have instructions for
acquiring the CA certificate and installing it
into /etc/grid-security/certificates
For instance, UK e-Science Certification
Authority
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
17
Certificate: SimpleCA



Globus has scripts to integrate the openssl
CA.pl script with an installation
Every full installation has the capability to
create a new CA
If you perform multiple installations, create
only one CA to use for the whole site, then
distribute the configuration files to the rest
of the machines
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
18
Certificate: SimpleCA Continued




Run
$GLOBUS_LOCATION/setup/globus/setupsimple-ca
Accept the defaults
Your certificate authority is now installed in
$HOME/.globus/simpleCA/
Finally, run
– $GLOBUS_LOCATION/setup/globus_simple_
ca_[HASH]_setup/setup-gsi –default
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
19
Certificate: SimpleCA Continued

A package is created for deployment on
other machines:
– globus_simple_ca_[CA-HASH]_setup.tar.gz


To install the package, run gpt-build on
globus_simple_ca_[CA-HASH]_setup.tar.gz
Then run gpt-postinstall and
– $GLOBUS_LOCATION/setup/globus_simple_
ca_[HASH]_setup/setup-gsi –default
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
20
Certificate: SimpleCA Continued


You may now request a certificate using grid-certrequest
Then, on the machine where you installed the CA,
run grid-ca-sign
– $GLOBUS_LOCATION/bin/grid-ca-sign -in
bogusin.pem -out bogusout.pem


The file named in the –out flag should be sent back
to the user who requested the certificate
The signed cert should be placed in
$HOME/.globus/usercert.pem
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
21
Certificate:
Globus Certificate Service




Now there is an even more explicitly lowtrust CA available at
http://gcs.globus.org:8080/
It auto-signs unique certificates with no
validation
This is the fastest way to start testing, but
only useful for local testing
Must install GCS CA package to configure
requests/trust for the GCS
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
22
CA Certificates Review


The CA certificate must wind up in
/etc/grid-security/certificates
If you don’t have root, you can store those
somewhere else
– See the “Finding Trusted CAs” slide for the
search hierarchy

Without these certs in place, all secure
operations will fail
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
23
Issuing Certificate Requests

Once the CA is setup, run
– grid-cert-request for a user cert
– grid-cert-request –host (as root) for a
hostcert


May specify which CA configuration to use
with “-ca”
May find list of available CAs with “griddefault-ca –list”
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
24
Proxy Certificates


Once you have requested and received a
certificate from a CA, you may create
proxies
Proxies are used in the mutual
authentication process
– By default, good for 12 hours
– Stored on local disk
CA
Globus Week 2005
User
Charles Bacon (bacon@mcs.anl.gov)
Proxy
25
Proxy Certificates Continued

grid-proxy-init
– Present in full toolkit install using a C
binary, or java class if core-only install

To change proxy file locations:
– X509_USER_PROXY for C commandline
– proxy= in cog.properties for Java

Use –verify –debug to check that CA cert is
properly installed
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
26
Container and Host Credentials


You will have two copies of the hostcert
One will be used by root-owned services
and owned by root
– /etc/grid-security/hostcert.pem
– /etc/grid-security/hostkey.pem

The other will be used by the container and
owned by the globus user
– /etc/grid-security/containercert.pem
– /etc/grid-security/containerkey.pem
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
27
Authorization: grid-mapfile


Specified in /etc/grid-security/grid-mapfile
“/O=Bogus/OU=Bogosity/CN=Bogus User”
boguser

grid-mapfile-add-entry

grid-mapfile-remove-entry

grid-mapfile-check-consistency

May map to multiple local identities
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
28
Finding the grid-mapfile

If $GRIDMAP is set, use that

Else, if root, /etc/grid-security/grid-mapfile

Else $HOME/.gridmap
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
29
Environment Variables

X509_USER_PROXY to find proxy file

X509_USER_{CERT,KEY} to find cert/key

GRIDMAP to find grid-mapfile

X509_CERT_DIR to find CA certs

GRID_SECURITY_DIR to find cert request
configuration
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
30
Firewalls

Set the environment variable
GLOBUS_TCP_PORT_RANGE to control the
sockets opened for listening
– G_T_P_R=“50000,51000”

Set the variable
GLOBUS_TCP_SOURCE_RANGE to control
sockets opened for sending
– G_T_S_R=“30000,31000”
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
31
Hostnames During Mutual Authz



If globus-hostname does not return the
fully-qualified domain name (FQDN), you
may set GLOBUS_HOSTNAME to override it
For multi-homed hosts, the hostname used
will be the one received by a reverselookup of the IP address used
Mismatches between the host cert and this
name will result in “Expected subject name
‘host1’, got credential ‘host2’”
Globus Week 2005
Charles Bacon (bacon@mcs.anl.gov)
32