Installing Globus Toolkit 2.0 (Tested with SuSE Linux)

Philipp Wieder, FZJ

Version 1.1, 21 06 2002

 

Note

The installation requires root privileges. It is possible to install non-root, but some modifications are needed. Please refer to Appendix B for a non-root installation.

 

Prerequisites

Set the environment variable GLOBUS_LOCATION to the directory you wish to install the Globus Toolkit in.

 

The Globus Packaging Tools

The GPT are used to install the rest of the Globus Toolkit. Get and unpack the GPT bundle to the GLOBUS_LOCATION (the current package is located at ftp://ftp.globus.org/pub/gt2/2.0/gpt/gpt-1.0.tar.gz).

 

To install the GPT change the directory to GLOBUS_LOCATION/gpt-1.0 and type ./build_gpt.

 

Server installation from the source

Only a server installation from source is described here. The client and SDK installations differ only in the bundle names and the options given to globus-build (see Appendix A).

 

Download the following source bundles to fully install the server:

Information Services:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_information_services_bundle-server-src.tar.gz

 

Data Management:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_data_management_bundle-server-src.tar.gz

 

Resource Management:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_resource_management_bundle-server-src.tar.gz

 

Do not unzip and untar the bundles.


Put the bundles into the GLOBUS_LOCATION directory and execute the following commands from GLOBUS_LOCATION/sbin (please finish reading this section before executing them):

 

Information Services:

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_information_services_bundle-server-src.tar.gz gcc32dbgpthr

 

Data Management:

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_data_management_bundle-server-src.tar.gz -static=1 gcc32dbg

 

Resource Management:

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_resource_management_bundle-server-src.tar.gz -static=1 gcc32dbg

 

Each of the previous commands has to be followed by gpt_verify and gpt-postinstall, both in GLOBUS_LOCATION/sbin.

 

To finish the GSI setup, run setup-gsi as root (the command is located at GLOBUS_LOCATION/setup/globus). The default values in the following dialog can be adopted, but you may specify an Organizational Unit (OU) for the base user DN.

 

Certificates

Globus distinguishes between three different certificates: (a) user certificates, (b) Gatekeeper certificates and (c) MDS certificates. To run the client, only the user certificate is needed. To run the server, the Gatekeeper certificate is sufficient, but to advertise MDS information to the clients, the MDS certificate is required, too. The grid-cert-request command can be found in GLOBUS_LOCATION/bin.

 

Client certificate

Run grid-cert-request under the uid the client will operate as. This will create a .globus directory in the client’s $HOME directory containing usercert.pem, usercert_request.pem and userkey.pem. Mail the contents of usercert_request.pem, using copy and paste, to mailto:ca@globus.org. The answer to this email has to be saved in $HOME/.globus/usercert.pem.

 

Gatekeeper certificate

Run grid-cert-request -gatekeeper <fully_qualified_hostname>

-key /etc/grid-security/hostkey.pem

-cert /etc/grid-security/hostcert.pem

-req /etc/grid-security/host.req.

Mail /etc/grid-security/host.req to mailto:ca@globus.org and copy the required certificate to /etc/grid-security/hostcert.pem. Then change the directory to GLOBUS_LOCATION/setup/globus and finish the server installation with setup-globus-gram-job-manager.

 

MDS certificate

Requesting an MDS certificate is analogous to the Gatekeeper certificate using the command:

grid-cert-request -cn "ldap/<fully_qualified_hostname>"

-key $GLOBUS_LOCATION/etc/server.key

-cert $GLOBUS_LOCATION/etc/server.cert

-req $GLOBUS_LOCATION/etc/server.request -nopw

-dir $GLOBUS_LOCATION/etc.

 

The grid-mapfile

To map the Globus users to the corresponding uids on the Globus server, create a file called grid-mapfile in /etc/grid-security. This file consists of one entry per line. For example, with Globus certificates an entry looks like the following:

"O=Grid/O=Globus/CN=<User's Name>"        <uid>.
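
Because every line of this file grants a certificate subject the rights of a local account, it is worth checking the file before the Gatekeeper uses it. The script below is an added example, not part of the Globus Toolkit or of the original document. It assumes the single-account entry format shown above, treats blank lines and # comments as ignorable, and runs on constructed sample entries.

```sh
#!/bin/sh
# Added example: audit a grid-mapfile for risky or broken entries.

# Print one finding per problem in grid-mapfile $1.
audit_gridmap() {
    awk '
    /^[ \t]*(#|$)/ { next }   # assumption: blank lines and comments are ignored
    $0 !~ /^"[^"]+"[ \t]+[A-Za-z_][A-Za-z0-9_.-]*[ \t]*$/ {
        printf "line %d: MALFORMED\n", NR
        next
    }
    {
        dn = $0; sub(/^"/, "", dn); sub(/".*$/, "", dn)   # text between the quotes
        user = $NF                                        # local account name
        if (user == "root")
            printf "line %d: ROOT_MAPPING %s\n", NR, dn
        if (dn in seen && seen[dn] != user)
            printf "line %d: CONFLICT %s (%s vs %s)\n", NR, dn, seen[dn], user
        seen[dn] = user
    }' "$1"
    # The file decides who may act as which account, so others must not edit it.
    if [ -n "$(find "$1" -perm -002)" ]; then
        echo "file: WORLD_WRITABLE"
    fi
}

# Constructed sample entries in the format shown above.
sample_map=$(mktemp)
trap 'rm -f "$sample_map"' EXIT
cat > "$sample_map" <<'EOF'
"O=Grid/O=Globus/CN=Alice Example" alice
"O=Grid/O=Globus/CN=Bob Example" root
O=Grid/O=Globus/CN=Carol Example carol
"O=Grid/O=Globus/CN=Alice Example" dave
EOF
audit_gridmap "$sample_map"
```
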

 

Starting the Gatekeeper

To start the Gatekeeper by hand, execute from the GLOBUS_LOCATION/sbin directory:

globus-gatekeeper -conf $GLOBUS_LOCATION/etc/globus-gatekeeper.conf.

This will return the Gatekeeper’s contact string. For production use or convenience reasons the Gatekeeper should, of course, be started at system start-up.

 

Testing the installation

You need a system that has the appropriate client bundles installed. Set up the user’s environment by executing:

. globus-user-env.sh (sh) or

source globus-user-env.csh (csh).

Both files can be found at GLOBUS_LOCATION/etc.

 

Create a Globus user proxy file which will be stored in /tmp:

grid-proxy-init ($GLOBUS_LOCATION/bin).

 

To send an RSL string to the Gatekeeper use globusrun ($GLOBUS_LOCATION/bin), e.g.:

globusrun -o -r <gatekeeper_contact_string> '&(executable=/bin/ls)', where the RSL string is enclosed in '...'.

 

Setting up the MDS

To be added


 

Usage of EUROGRID Certificates with the Globus Toolkit

The use of EUROGRID certificates with Globus requires two actions:

  1. Setting up the Globus security environment to accept EUROGRID certificates and
  2. the creation of a temporary Globus proxy certificate from the EUROGRID certificate.

 

(1) First store the EUROGRID CA certificate (eg_ca_cert.pem) in the /etc/grid-security/certificates directory. Link eg_ca_cert.pem to its hash value:

 

ln -s eg_ca_cert.pem `openssl x509 -hash -noout -in eg_ca_cert.pem`.0

 

(which results in something like 7c9a85ef.0).

Now create a signing policy file which is named like the hash value followed by .signing_policy (e.g. 7c9a85ef.signing_policy). The signing policy for the EUROGRID CA may look like the one below (but could be stricter concerning the cond_subjects):

 

# ca-signing-policy.conf, see ca-signing-policy.doc for more information

#

# This is the configuration file describing the policy for what CAs are

# allowed to sign whoses certificates.

#

# This file is parsed from start to finish with a given CA and subject

# name.

# subject names may include the following wildcard characters:

#    *    Matches any number of characters.

#    ?    Matches any single character.

#

# CA names must be specified (no wildcards). Names containing whitespaces

# must be included in single quotes, e.g. 'Certification Authority'.

# Names must not contain new line symbols.

# The value of condition attribute is represented as a set of regular

# expressions. Each regular expression must be included in double quotes.

#

# This policy file dictates the following policy:

#   -The Globus CA can sign Globus certificates

#

# Format:

#------------------------------------------------------------------------

#  token type  | def.authority |                value

#--------------|---------------|-----------------------------------------

# EACL entry #1|

 

 access_id_CA      X509         '/C=GB/L=Manchester/O=University of Manchester/OU=Manchester Computing/CN=EUROGRID CA/Email=eurogrid-ca@eurogrid.org'

 

 pos_rights        globus        CA:sign

 

 cond_subjects     globus     '"/C=GB/*" "/C=DE/*" "/C=PL/*" "/C=NO/*" "/C=FR/*"'

 

# end of EACL
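
The cond_subjects line is what limits the subject names this CA is trusted to sign, and it is where the policy above could be stricter. The script below is an added example, not part of the Globus Toolkit or of the original document and not the Globus policy parser. It interprets only the * and ? wildcards described in the file's comments, and the narrower policy's organisation name and all subject DNs are constructed.

```sh
#!/bin/sh
# Added example: which subject DNs does a signing policy's cond_subjects allow?

# Print the cond_subjects patterns of policy file $1, one per line.
policy_patterns() {
    grep '^[[:space:]]*cond_subjects[[:space:]]' "$1" | grep -o '"[^"]*"' | tr -d '"'
}

# Succeed if subject DN $2 matches at least one pattern in policy file $1.
subject_allowed() {
    policy_patterns "$1" | (
        while IFS= read -r pattern; do
            # Unquoted on purpose: the policy's * and ? act as glob wildcards.
            case "$2" in
                $pattern) exit 0 ;;
            esac
        done
        exit 1
    )
}

ca="'/C=GB/L=Manchester/O=University of Manchester/OU=Manchester Computing/CN=EUROGRID CA/Email=eurogrid-ca@eurogrid.org'"
page_policy=$(mktemp); strict_policy=$(mktemp)
trap 'rm -f "$page_policy" "$strict_policy"' EXIT

# Policy entries as shown on this page.
cat > "$page_policy" <<EOF
 access_id_CA      X509         $ca
 pos_rights        globus        CA:sign
 cond_subjects     globus     '"/C=GB/*" "/C=DE/*" "/C=PL/*" "/C=NO/*" "/C=FR/*"'
EOF

# Narrower variant; the organisation name is constructed for illustration.
cat > "$strict_policy" <<EOF
 access_id_CA      X509         $ca
 pos_rights        globus        CA:sign
 cond_subjects     globus     '"/C=DE/O=Example Org/*"'
EOF

# Constructed subject DNs, evaluated against both policies.
for dn in "/C=DE/O=Example Org/OU=HPC/CN=Alice Example" \
          "/C=DE/O=Other Org/CN=Mallory Example" \
          "/C=US/O=Example Org/CN=Bob Example"; do
    page=DENY; strict=DENY
    subject_allowed "$page_policy" "$dn" && page=ALLOW
    subject_allowed "$strict_policy" "$dn" && strict=ALLOW
    printf 'page=%-5s strict=%-5s %s\n' "$page" "$strict" "$dn"
done
```
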

 

(2) To create a Globus user proxy certificate from the Eurogrid certificate, the private Eurogrid key (generally named user-<first>_<last name>.<nr>.p12) and the password protecting it are needed. Create a signed certificate and key using the following commands:

 

openssl pkcs12 -in user-<first>_<last name>.<nr>.p12 -clcerts -nokeys -out usercert.pem

 

openssl pkcs12 -in user-<first>_<last name>.<nr>.p12 -nocerts -out userkey.pem

 

Set permissions 400 on userkey.pem and 444 on usercert.pem, and store them either in .globus in the user’s home directory (the default) or in a different directory, which you then have to specify when creating the proxy (see grid-proxy-init -help for alternative certificate directories). Run grid-proxy-init. By default the proxy file is stored in /tmp, but another proxy directory can be specified via the X509_USER_PROXY environment variable. If you also use Globus certificates, be aware that the default Globus userkey.pem and usercert.pem reside in .globus. Protect them from being overwritten.

 

Thanks to Jon MacLaren for the OpenSSL details.

 

Appendix A: Installation of client and SDK bundles

These installations are analogous to the above described server installation.

 

Client installation

Information Services:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_information_services_bundle-client-src.tar.gz

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_information_services_bundle-client-src.tar.gz gcc32dbgpthr

 

Data Management:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_data_management_bundle-client-src.tar.gz

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_data_management_bundle-client-src.tar.gz gcc32dbg

 

Resource Management:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_resource_management_bundle-client-src.tar.gz

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_resource_management_bundle-client-src.tar.gz gcc32dbg

 

SDK installation

Information Services:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_information_services_bundle-sdk-src.tar.gz

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_information_services_bundle-sdk-src.tar.gz gcc32dbgpthr

 

Data Management:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_data_management_bundle-sdk-src.tar.gz

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_data_management_bundle-sdk-src.tar.gz gcc32dbg

 

Resource Management:

ftp://ftp.globus.org/pub/gt2/2.0/bundles/src/globus_resource_management_bundle-sdk-src.tar.gz

globus-build -install-only -log=build.log $GLOBUS_LOCATION/globus_resource_management_bundle-sdk-src.tar.gz gcc32dbg

 

Appendix B: Non-root installation

If the Globus Toolkit is installed without root privileges, add the -nonroot[=path] option to the setup-gsi command (see Server installation from the source). If no path is specified, the configuration files will be placed in $GLOBUS_LOCATION/etc and the trusted CA files will reside in $GLOBUS_LOCATION/share/certificates.

 

This implies that the Gatekeeper certificate is requested and stored using the alternative path and not /etc/grid-security (see Gatekeeper certificate).

 

Unfortunately, the alternative paths are not recognized by the setup-globus-gram-job-manager command which has to be executed in advance. Therefore the paths have to be adapted manually in the globus-gatekeeper.conf file. The file can be found at $GLOBUS_LOCATION/etc and the parameters x509_user_cert, x509_user_key and x509_cert_dir have to point to the Gatekeeper’s certificate, key and the trusted certificate directory respectively. Also adapt -gridmap.

 

Now execute setup-globus-gram-job-manager and the Gatekeeper should run without root privileges using the user’s certificate.

 

The grid-mapfile is not stored in /etc/grid-security, but in the configuration file directory specified above (see also The grid-mapfile).

 

Now run grid-proxy-init ($GLOBUS_LOCATION/bin) and start the Gatekeeper as described in Starting the Gatekeeper.

 

Appendix C: Additional resources

Globus Toolkit page: http://www.globus.org/toolkit/download/

Globus installation instructions: http://www.globus.org/gt2/install/index.html

Globus Toolkit download page: http://www.globus.org/gt2/install/download.html