Globus Toolkit 3.2: Installation Guide

As root, find /etc/services and add the service name "gsigatekeeper" to port 2119:

gsigatekeeper 2119/tcp # Globus Gatekeeper

Follow the appropriate instructions below according to what your host is running.

Inetd
As root, find /etc/inetd.conf and add the following entry, all on one line:

gsigatekeeper stream tcp nowait root
/usr/bin/env env LD_LIBRARY_PATH=GLOBUS_LOCATION/lib
GLOBUS_LOCATION/sbin/globus-gatekeeper
-conf GLOBUS_LOCATION/etc/globus-gatekeeper.conf

Be sure to replace GLOBUS_LOCATION below with the actual value of $GLOBUS_LOCATION in your environment.

This line sets the environment variable by using /usr/bin/env (the location may vary on your system) to first set LD_LIBRARY_PATH, and then to call the gatekeeper itself.

The advantage of this setup is that when you apply a security update to your installation, the gatekeeper will pick it up dynamically without your having to rebuild it.

Xinetd
Go to the /etc/xinetd.d/ directory and add a file called globus-gatekeeper with the following contents.

service gsigatekeeper
{
socket_type = stream
protocol = tcp
wait = no
user = root
env = LD_LIBRARY_PATH=GLOBUS_LOCATION/lib
server = GLOBUS_LOCATION/sbin/globus-gatekeeper
server_args = -conf GLOBUS_LOCATION/etc/globus-gatekeeper.conf
disable = no
}

Be sure to replace GLOBUS_LOCATION with the actual value of $GLOBUS_LOCATION in your environment.

This file sets the environment by using the env = option to set LD_LIBRARY_PATH in the gatekeeper's environment.

The advantage of this setup is that when you apply a security update to your installation, the gatekeeper will pick it up dynamically without your having to rebuild it.

Follow the appropriate instructions below according to what your host is running.

Inetd
On most Linux systems, you can simply run:

killall -HUP inetd

On other systems, the following has the same effect:

ps aux | grep inetd | awk '{print $2;}' | xargs kill -HUP

Xinetd
On most Linux systems, you can simply run:

/etc/rc.d/init.d/xinetd restart

Your system may also support the reload option.

If neither option works, see man xinetd.

Create a file named /etc/grid-security/grid-mapfile with single line entries listing a certificate subject and a username, such as the following example:

"/O=Grid/O=Globus/OU=your.domain/CN=Your Name" youruserid

You can check your subject name using grid-cert-info -subject. There are utility commands in $GLOBUS_LOCATION/sbin/grid-mapfile for adding entries, removing entries, and checking consistency.

Run:

% GLOBUS_LOCATION/sbin/globus-mds start

To make this startup automatic, place it in the startup scripts of your machine. Contact your system administrator to determine where the call to this script needs to be placed. On a RedHat Linux system, the answer is /etc/rc.d/init.d, with a call to that script made in the appropriate /etc/rc.d/rc?.d (where ? is the default runlevel of your system, as specified in /etc/inittab).

There is a single SLAPD instance for both GRIS and GIIS.

You are now set for anonymous queries.

The Pre-WS Index Service defaults to using the same grid-mapfile as GRAM, namely
/etc/grid-security/grid-mapfile

To change that location, modify $GLOBUS_LOCATION/etc/grid-info-server-env.conf.

Request an LDAP certificate by running:

% grid-cert-request -service ldap -host FQDN

Replace FQDN with the fully qualified domain name of the host that will run the LDAP server.

Send the request to your Certificate Authority.

This could be a SimpleCA you created, an existing CA, or the online certificate service.

When you retrieve your certificate, save it to /etc/grid-security/ldap/ldapcert.pem.

This file must be owned by the user account that will run the Pre-WS Index Service (MDS2). The file should have permissions 444.

Also change the ownership of /etc/grid-security/ldap/ldapkey.pem to the user account that will run the Pre-WS Index Service. Make sure ldapkey.pem has permissions 400.