guide:Certificates/allocation


You need a host certificate and at least one user certificate to deploy or use the middleware services (Globus, gLite, UNICORE). For more information about how to get a certificate please see:

WARNING: Remove the password from a host certificate

If the host certificate is protected with a password, remove the password as root with the following commands:

mv hostkey.pem protectedkey.pem 
openssl rsa -in protectedkey.pem -out hostkey.pem


CAs

The directory /etc/grid-security/certificates contains the CA certificates.

The current procedure to install the CA certificates is as follows:

  1. download the repo file from http://mirror.scc.kit.edu/downloads/yum.repo
  2. before updating/installing the CAs, clean the yum cache with the command: yum clean cache metadata
  3. install the CA rpms with yum

There are some options for CA certificates, consider:

  • to install only the LCG CAs use lcg-CA repository
  • to install more than the LCG CAs use EUGridPMA repository

It is not necessary to install the CA packages on the CE nodes, since they already have them. To use the CA certificates on another server (e.g. the cfengine master host), do the following:

lcg-CA

su
wget -O /etc/yum.repos.d/lcg-CA.repo http://svn.rz.uni-karlsruhe.de/svn/dgiref/PROD/repl/root/etc/yum.repos/lcg-CA.repo
yum -y install lcg-CA

EUGridPMA

su
wget -O /etc/yum.repos.d/eugridpma.repo http://mirror.scc.kit.edu/downloads/yum.repo/eugridpma.repo
yum install ca_policy_igtf-classic ca_policy_igtf-slcs

Host certificates

The host certificate will be copied as root to the directory /etc/grid-security and will be used as a certificate for the Globus container (as root execute):

cd /etc/grid-security
cp yourhostkey.pem hostkey.pem
cp yourhostcert.pem hostcert.pem
cp hostkey.pem containerkey.pem
cp hostcert.pem containercert.pem
chown globus:globus container*.pem

Access Rights

The access rights to the various certificate files should be adapted:

chmod 400 *key.pem
chmod 644 *cert.pem

User certificates

The grid users will need their certificates in their home directory. Set up as follows:

su $USER              # grid user
cd ~/.globus
cp yourusercert.pem usercert.pem
cp youruserkey.pem userkey.pem
chmod 400 *key.pem
chmod 644 *cert.pem
Note: When importing a host certificate in .pem format into a truststore with the Java keytool, an error similar to "Do not a x509 certificate" can occur. A possible solution is to delete the header in the certificate up to the == BEGIN == section.
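
A check for the layout described above, as an added example that is not part of the original guide: it verifies the 400/644 modes, flags a hostkey.pem or containerkey.pem that still carries a passphrase, and detects the text before the BEGIN line that the keytool note refers to. The function names audit_grid_pem and strip_pem_header are made up for this example, and GNU stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example (not from the guide): audit PEM files in a directory such as
# /etc/grid-security or ~/.globus. Assumes GNU stat, as on yum-based systems.

# Print only the certificate block(s), dropping any text before the BEGIN line
# (the header that the keytool note on this page says to delete).
strip_pem_header() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1"
}

# Check modes and content of *key.pem and *cert.pem in directory $1.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_grid_pem() {
    dir=$1
    bad=0
    for f in "$dir"/*key.pem; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ "$mode" != 400 ]; then
            echo "MODE $f is $mode, expected 400"; bad=1
        fi
        # Traditional PEM keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use
        # "BEGIN ENCRYPTED PRIVATE KEY". Only host/container keys are checked,
        # since the guide removes the password from the host key only.
        case $(basename "$f") in
            hostkey.pem|containerkey.pem)
                if grep -q 'ENCRYPTED' "$f"; then
                    echo "ENCRYPTED $f still has a passphrase"; bad=1
                fi ;;
        esac
    done
    for f in "$dir"/*cert.pem; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ "$mode" != 644 ]; then
            echo "MODE $f is $mode, expected 644"; bad=1
        fi
        # Text before the BEGIN line is the case described in the keytool note.
        if [ "$(head -n 1 "$f")" != "-----BEGIN CERTIFICATE-----" ]; then
            echo "HEADER $f has text before BEGIN CERTIFICATE"; bad=1
        fi
    done
    return $bad
}
```

Run audit_grid_pem /etc/grid-security as root after the copy and chmod steps; strip_pem_header hostcert.pem > clean.pem produces a file that starts at the BEGIN line.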