This information is for a release that is no longer supported by the Globus Toolkit. The currently supported versions of the Globus Toolkit are 4.2 (recommended) and 4.0.

GSI: System Administrator's Guide


GSI Configuration Information

Configuration for Generating Certificate Requests

The following files are required for generating a certificate request:
  • globus-user-ssl.conf.XXXXX : defines the distinguished name to use for a user's certificate request.
  • globus-host-ssl.conf.XXXXX : defines the distinguished name for a host (or service) certificate request.
  • grid-security.conf.XXXXX : a base configuration file used by the above configuration files.
XXXXX is replaced by the hash of the trusted CA certificate (the CA which will sign the request). These files should be located in the TRUSTED_CA directory, explained in the following section. To generate a certificate request, grid-cert-request must be able to determine which trusted CA (multiple CAs may be installed) to generate a request for. This is done by creating a symbolic link for each of these config files from the GRID_SECURITY directory to their actual location in the TRUSTED_CA directory:

GRID_SECURITY/globus-user-ssl.conf --> TRUSTED_CA/globus-user-ssl.conf.XXXXX
GRID_SECURITY/globus-host-ssl.conf --> TRUSTED_CA/globus-host-ssl.conf.XXXXX
GRID_SECURITY/grid-security.conf --> TRUSTED_CA/grid-security.conf.XXXXX

These files are only required when you plan to use the grid-cert-request tool.
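To make the linking step concrete, here is an added shell example (not part of the Globus Toolkit or of its setup-gsi script) that computes the CA hash with openssl, creates the three links only after verifying that every target exists, and reports which CA the existing links point at, which is the check to run when more than one CA is installed. TRUSTED_CA, GRID_SECURITY and the hash are passed as arguments; the hash 1a2b3c4d appearing in the comments is a constructed placeholder, not a real CA.

```shell
#!/bin/sh
# Added example (not Globus Toolkit code): point grid-cert-request at a chosen
# trusted CA by creating the three configuration-file symlinks described
# above. Assumptions: TRUSTED_CA and GRID_SECURITY are passed as arguments;
# the hash is the one `openssl x509 -hash` prints for the CA certificate.

# Print the hash GSI uses to name a CA's files (the XXXXX in the file names).
gsi_ca_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Create GRID_SECURITY/<name> -> TRUSTED_CA/<name>.<hash> for the three
# request configuration files. Refuses to run if any target is missing, so a
# mistyped hash cannot replace working links with dangling ones.
gsi_link_request_config() {
    trusted_ca=$1; grid_security=$2; hash=$3
    for name in globus-user-ssl.conf globus-host-ssl.conf grid-security.conf; do
        [ -f "$trusted_ca/$name.$hash" ] || {
            echo "missing $trusted_ca/$name.$hash" >&2; return 1; }
    done
    for name in globus-user-ssl.conf globus-host-ssl.conf grid-security.conf; do
        rm -f "$grid_security/$name"
        ln -s "$trusted_ca/$name.$hash" "$grid_security/$name"
    done
}

# Report which CA hash the existing links point at (e.g. 1a2b3c4d), or fail
# if a link is missing or the three links disagree, which happens when a
# second CA was installed and only some links were updated by hand.
gsi_request_ca_hash() {
    grid_security=$1; hash=
    for name in globus-user-ssl.conf globus-host-ssl.conf grid-security.conf; do
        target=$(readlink "$grid_security/$name") || {
            echo "$grid_security/$name is not a symlink" >&2; return 1; }
        this=${target##*.}              # suffix after the last dot is the hash
        [ -z "$hash" ] && hash=$this
        [ "$this" = "$hash" ] || {
            echo "links point at different CAs ($hash vs $this)" >&2; return 1; }
    done
    echo "$hash"
}
```

On a default (root) installation the call is gsi_link_request_config /etc/grid-security/certificates /etc/grid-security "$(gsi_ca_hash /etc/grid-security/certificates/XXXXX.0)". One caveat on the hash: OpenSSL 1.0.0 changed the subject-hash algorithm, so on such a system openssl x509 -subject_hash_old prints the value this toolkit release expects while -hash prints the new one; check which one your installed XXXXX.0 files are named with before linking.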

Configuring a Trusted CA

The following files are required to set up a trusted CA (required by all globus enabled programs):
  • XXXXX.0 : The trusted CA certificate.
  • XXXXX.signing_policy : A configuration file defining the DNs the CA is permitted to sign; certificates issued by the CA to subjects outside this policy are rejected.
XXXXX is replaced by the hash of the trusted CA certificate. These files need to be located in the TRUSTED_CA directory, explained in the following section, and must meet the permissions requirements specified in the GSI File Permissions Requirements section below.

GSI Directories

The GSI uses the following directories:

  • TRUSTED_CA directory: contains the CA certificates and associated files trusted by the globus installation. The trusted certificates directory is searched for in the following order:

    • X509_CERT_DIR environment variable. If this variable is set, trusted certificates are searched for here.
    • $HOME/.globus/certificates/ This is a user specific location to search for trusted certificates.
    • /etc/grid-security/certificates/ The default location for trusted certificates and config files. This location is independent of the location of a globus installation.
    • $GLOBUS_LOCATION/share/certificates/ location based on a globus installation.

    Be aware that the first directory found to exist in the search order is the directory that gets used, independent of whether it contains the correct trusted CA certificate. If multiple directories exist and you want to use one that does not appear first in the search order, X509_CERT_DIR must be set.

  • GRID_SECURITY directory: contains symbolic links to the certificate request configuration files. For certificate request purposes this directory is searched for in the following order:

    • GRID_SECURITY_DIR environment variable. If this variable is set, the symbolic links of configuration files are searched for here.
    • /etc/grid-security The default location to search for the configuration file symbolic links.
    • $GLOBUS_LOCATION/etc File location based on a globus install.

    If a certificate request needs to be based on an installed trusted CA other than the default one the links point at, grid-cert-request provides the -ca option to specify which CA to create the request for.
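The "first existing directory wins" rule is easy to trip over when a user-specific $HOME/.globus/certificates exists alongside the system-wide directory. The following added shell example (not Globus code) reproduces the TRUSTED_CA search order, reports the directory GSI will use, and checks that the expected CA's XXXXX.0 and XXXXX.signing_policy files are actually in it, printing the directories that do hold the CA so the admin knows what to put in X509_CERT_DIR. GSI_ROOT is an assumed prefix standing in for "/" so the example can be exercised without touching /etc; it is not a Globus variable.

```shell
#!/bin/sh
# Added example (not Globus Toolkit code): reproduce the TRUSTED_CA search
# order and tell you whether the directory GSI will actually pick contains the
# CA you expect. Assumption: GSI_ROOT is an optional prefix standing in for "/"
# so the /etc path can be exercised without root; it is not a Globus variable.
# Paths containing whitespace are not handled (word splitting in the for loops).

# Print the candidate directories, one per line, in the documented order,
# skipping entries whose environment variable is unset.
_gsi_ca_search_order() {
    for d in "${X509_CERT_DIR:-}" \
             "$HOME/.globus/certificates" \
             "${GSI_ROOT:-}/etc/grid-security/certificates" \
             "${GLOBUS_LOCATION:+$GLOBUS_LOCATION/share/certificates}"; do
        [ -n "$d" ] && echo "$d"
    done
    return 0
}

# Print the directory GSI will use: the first one that exists, whatever it
# contains. Fails if none exists.
gsi_trusted_ca_dir() {
    for d in $(_gsi_ca_search_order); do
        [ -d "$d" ] && { echo "$d"; return 0; }
    done
    return 1
}

# List every directory in the search order that holds both files for a CA
# hash (<hash>.0 and <hash>.signing_policy). Fails if none does.
gsi_find_ca_dirs() {
    hash=$1; found=1
    for d in $(_gsi_ca_search_order); do
        [ -f "$d/$hash.0" ] && [ -f "$d/$hash.signing_policy" ] || continue
        echo "$d"; found=0
    done
    return $found
}

# Check that the directory GSI will use trusts the given CA. On failure, say
# which directory won the search and where the CA actually lives.
gsi_check_ca_trusted() {
    hash=$1
    dir=$(gsi_trusted_ca_dir) || { echo "no trusted-CA directory exists" >&2; return 1; }
    if [ -f "$dir/$hash.0" ] && [ -f "$dir/$hash.signing_policy" ]; then
        echo "$dir"; return 0
    fi
    echo "$dir is used but lacks $hash.0 and/or $hash.signing_policy" >&2
    others=$(gsi_find_ca_dirs "$hash") && echo "set X509_CERT_DIR to one of: $others" >&2
    return 1
}
```

Running gsi_check_ca_trusted XXXXX on a host where grid-proxy-init or a service rejects a CA is usually faster than reading the GSI debug output: the common finding is an empty or stale $HOME/.globus/certificates shadowing /etc/grid-security/certificates.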

Installation of GSI Configuration Files

The above configuration files are installed by the setup-gsi script, which is run as a manual post-install step after installing the globus toolkit. With the -nonroot option, the configuration files are installed as follows:

TRUSTED_CA : $GLOBUS_LOCATION/share/certificates
GRID_SECURITY : $GLOBUS_LOCATION/etc/

If the -nonroot option is not used, the configuration files will be installed as follows:

TRUSTED_CA : /etc/grid-security/certificates
GRID_SECURITY : /etc/grid-security

Gridmap File Search Rules

The Gridmap file is searched for in the following way. If the user is root (uid 0), the following locations are checked in order:

  • value of the GRIDMAP environment variable
  • /etc/grid-security/grid-mapfile

If the user is not root, the following locations are checked in order:

  • value of the GRIDMAP environment variable
  • $HOME/.gridmap

Credential Acquisition Rules

Credentials are looked for in the following order: service credential, host credential, proxy credential and user credential. These are in turn looked for in the following locations:

  • Service credentials:

    • the X509_USER_KEY and X509_USER_CERT environment variables
    • /etc/grid-security/<service>/<service>{cert,key}.pem
    • $GLOBUS_LOCATION/etc/<service>/<service>{cert,key}.pem
    • $HOME/.globus/<service>/<service>{cert,key}.pem
  • Host credentials:

    • the X509_USER_KEY and X509_USER_CERT environment variables
    • /etc/grid-security/host{cert,key}.pem
    • $GLOBUS_LOCATION/etc/host{cert,key}.pem
    • $HOME/.globus/host{cert,key}.pem
  • Proxy credentials:

    • the X509_USER_PROXY environment variable
    • /tmp/x509up_u<uid>
  • User credentials:

    • the X509_USER_KEY and X509_USER_CERT environment variables
    • $HOME/.globus/user{cert,key}.pem
    • $HOME/.globus/usercred.p12
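Both the gridmap search rules and the credential acquisition rules above are resolved silently by the library, so a stale proxy in /tmp or a forgotten X509_USER_CERT in a service's environment can quietly change which identity a program runs as. The following added shell example (not Globus code) implements both searches as written, prints the file GSI will use, and refuses a private key that is group- or world-readable. GSI_ROOT is an assumed prefix standing in for "/" so the /etc paths can be exercised without root, and the "no group/other bits" rule is this example's reading of the GSI File Permissions Requirements section; both are assumptions, not Globus behaviour.

```shell
#!/bin/sh
# Added example (not Globus Toolkit code): resolve which grid-mapfile and which
# credential GSI will pick up, following the search rules above, and check the
# private key's mode. Assumptions: GSI_ROOT is an optional prefix standing in
# for "/" (not a Globus variable); a key is rejected when it is group- or
# world-readable, which is this example's reading of the permissions section.

# Print the grid-mapfile GSI will use for the given uid (default: current uid).
gsi_gridmap_file() {
    uid=${1:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        set -- "${GRIDMAP:-}" "${GSI_ROOT:-}/etc/grid-security/grid-mapfile"
    else
        set -- "${GRIDMAP:-}" "$HOME/.gridmap"
    fi
    for f in "$@"; do
        [ -n "$f" ] && [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Print "<cert> <key>" if both files exist, else fail.
_gsi_pair() {
    [ -n "$1" ] && [ -f "$1" ] && [ -f "$2" ] || return 1
    echo "$1 $2"
}

# Print the credential GSI will use as "<cert> <key>" (a proxy or a .p12 is
# printed twice, since one file holds both). $1: service name or empty,
# $2: uid (default: current uid).
gsi_find_credential() {
    service=${1:-}; uid=${2:-$(id -u)}
    root=${GSI_ROOT:-}; gl=${GLOBUS_LOCATION:-}
    env_cert=${X509_USER_CERT:-}; env_key=${X509_USER_KEY:-}
    # 1. service credential: environment, then the per-service directories
    if [ -n "$service" ]; then
        _gsi_pair "$env_cert" "$env_key" && return 0
        for base in "$root/etc/grid-security" "${gl:+$gl/etc}" "$HOME/.globus"; do
            [ -n "$base" ] || continue
            _gsi_pair "$base/$service/${service}cert.pem" "$base/$service/${service}key.pem" && return 0
        done
    fi
    # 2. host credential
    _gsi_pair "$env_cert" "$env_key" && return 0
    for base in "$root/etc/grid-security" "${gl:+$gl/etc}" "$HOME/.globus"; do
        [ -n "$base" ] || continue
        _gsi_pair "$base/hostcert.pem" "$base/hostkey.pem" && return 0
    done
    # 3. proxy credential
    for p in "${X509_USER_PROXY:-}" "/tmp/x509up_u$uid"; do
        [ -n "$p" ] && [ -f "$p" ] && { echo "$p $p"; return 0; }
    done
    # 4. user credential
    _gsi_pair "$env_cert" "$env_key" && return 0
    _gsi_pair "$HOME/.globus/usercert.pem" "$HOME/.globus/userkey.pem" && return 0
    p12=$HOME/.globus/usercred.p12
    [ -f "$p12" ] && { echo "$p12 $p12"; return 0; }
    return 1
}

# Succeed only if the private key has no group/other permission bits
# (portable check: columns 5-10 of the ls -l mode string must be "------").
gsi_key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Resolve the credential and enforce the key-mode rule in one step.
gsi_check_credential() {
    pair=$(gsi_find_credential "$@") || { echo "no credential found" >&2; return 1; }
    key=${pair#* }
    gsi_key_mode_ok "$key" || { echo "$key is group/world readable" >&2; return 1; }
    echo "$pair"
}
```

gsi_check_credential with no arguments shows what grid-proxy-init or a client would pick up for the current user; gsi_check_credential myservice shows what a service named myservice would get. Because the search stops at the first hit, a host credential in /etc/grid-security takes precedence over a user's proxy for anything run by a user who can read it, which is the point of the permission rules that follow.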

GSI File Permissions Requirements