Globus Online for HPSS: Difference between revisions

From Lsdf
Jump to navigationJump to search
No edit summary
Line 101: Line 101:
* If you run globus-connect-server-setup many times you get this error message:
* If you run globus-connect-server-setup many times you get this error message:
"You are not an admin of the MyProxy Delegation Service"
"You are not an admin of the MyProxy Delegation Service"
*Solution: run as root:

**Solution: run as root:


# rm /var/lib/myproxy-oauth/myproxy-oauth.db
# rm /var/lib/myproxy-oauth/myproxy-oauth.db
Line 108: Line 107:
== Usage with your Grid User Certificate ==
== Usage with your Grid User Certificate ==


1. Login via ssh to a Host where you have your valid Grid user Certificate and the myproxy packae installed.
*Login via ssh to a Host where you have your valid Grid user Certificate and the myproxy packae installed.

2. Create and store a credential on the Myproxy Server which is the same as the Endpoint Server at KIT.
*Create and store a credential on Myproxy Server which is the same as the Endpoint Server at KIT.
myproxy-init -s archive-tgftp.lsdf.kit.edu -l <LDAP username>
myproxy-init -s archive-tgftp.lsdf.kit.edu -l <LDAP username>
* You will be prompted to enter your Grid user key password and
**You will be prompted to enter your Grid user key password. You also will be prompted to set a so called MyProxy passphrase twice to protect your created credential on Myproxy Server.
*!!This password must be the same as your LDAP-Account!! This what I found to be able to login via OAuth. (Please check!)
* you will be prompted to set a so called MyProxy passphrase twice to protect your created credential on Myproxy Server.
** !!This password must be the same as your LDAP-Account!! This what I found to be able to login via OAuth. (Please check!)
*Your credential will be saved on the MyProxy Server under
*Your credential will be saved on the MyProxy Server under
/var/lib/globus-connect-server/myproxy-ca/store
/var/lib/globus-connect-server/myproxy-ca/store
*myproxy-init executes a script to create the user's Home directory structure with private/ public/.

* myproxy-init executes a script to create the user's Home directory structure with private/ public/.
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name>
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name>
3. In case 2. has failed complaining about missing CA-cerificates download the CA certificates directory via:
*In case 2. has failed complaining about missing CA-cerificates download the CA certificates directory via:
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu &#13;
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu

4.

Revision as of 16:36, 19 June 2015

This is a guide on setup the Globus Online service to storge data on HPSS at KIT.

Components

  • GridFTP Server connected to HPSS-DSI
  • myProxy Server for managing and creating user proxies
  • OAuth Server for User logins to the globus-Online Endpoint at KIT.
  • Globus Online Web Interface.

Requirements

  • A working HPSS Frontend with HPSS Client software installed and configured.
  • A working GridFTP Server with a valid Grid Host certificate. (GridKa Host certificate)
  • A working HPSS-GridFTP-DSI compiled package
    • Notice: a HPSS-Fuse instead of DSI would also work.
  • A working Connection to an LDAP Server to authorized the user locally on the GridFTP server.
  • A Globus Online account if not already exists.
  • A valid Grid User certificate.

Installation

Hostname: archive-tgftp.lsdf.kit.edu OS: SL 6.4

  • Download and install Globus Connect server repository
# curl -LOs http://toolkit.globus.org/ftppub/globus-connect-server/globus-connect-server-repo-latest.noarch.rpm
# rpm --import http://www.globus.org/ftppub/globus-connect-server/RPM-GPG-KEY-Globus
# yum install globus-connect-server-repo-latest.noarch.rpm
  • Install
# yum install globus-connect-server

Configuration

  • Adapt the config files. Both files contain detailed information on configuration possibilities. Please check!
/etc/globus-connect-server.conf
/var/lib/globus-connect-server/myproxy-server.conf
  • globus-connect-server.conf
[Globus]
User = %(GLOBUS_USER)s
Password = %(GLOBUS_PASSWORD)s
[Endpoint]
Name = bwda-go-1
Public = True
DefaultDirectory = /~/
[Security]
FetchCredentialFromRelay =  False
CertificateFile = /etc/grid-security/hostcert.pem
KeyFile = /etc/grid-security/hostkey.pem
TrustedCertificateDirectory = /etc/grid-security/certificates
IdentityMethod = OAuth
AuthorizationMethod = MyProxyGridmapCallout
[GridFTP]
Server = archive-tgftp.lsdf.kit.edu
IncomingPortRange = 50000,51000
OutgoingPortRange = 50000,51000
RestrictPaths = RW~,R/hpss/fs/GFTP/public (!! to check)
# still not working, needs registration
Sharing = True
SharingRestrictPaths = R/hpss/fs/GFTP/public
SharingStateDir = /var/globusonline/sharing/$USER
[MyProxy]
Server = %(HOSTNAME)s
ServerBehindNAT = False
CADirectory = /var/lib/globus-connect-server/myproxy-ca
ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf
[OAuth]
Server = %(HOSTNAME)s
  • myproxy-server.conf
authorized_retrievers      "*"
default_retrievers         "*"
authorized_renewers        "*"
default_renewers           "none"
default_key_retrievers     "none"
trusted_retrievers         "*"
default_trusted_retrievers "none"
accepted_credentials       "*"            
certificate_issuer_cert "/var/lib/globus-connect-server/myproxy-ca/cacert.pem"
certificate_issuer_key "/var/lib/globus-connect-server/myproxy-ca/private/cakey.pem"
certificate_issuer_key_passphrase "globus"
certificate_serialfile "/var/lib/globus-connect-server/myproxy-ca/serial"
certificate_out_dir "/var/lib/globus-connect-server/myproxy-ca/newcerts"
certificate_issuer_subca_certfile "/var/lib/globus-connect-server/myproxy-ca/cacert.pem"
max_cert_lifetime 168
cert_dir /etc/grid-security/certificates
pam  "required"
pam_id "login"
certificate_mapapp /var/lib/globus-connect-server/myproxy-ca/mapapp
accepted_credentials_mapapp /usr/local/bin/myproxy-accepted-credentials-mapapp

Endpoint Creation

Now setup your Frontend GridFTP Server as an Endpoint for globus Online

# globus-connect-server-setup
  • The globus-connect-server-setup asks you for your Globus Online account name and password.
  • If you run globus-connect-server-setup many times you get this error message:
"You are not an admin of the MyProxy Delegation Service"
  • Solution: run as root:
# rm /var/lib/myproxy-oauth/myproxy-oauth.db

Usage with your Grid User Certificate

  • Login via ssh to a Host where you have your valid Grid user Certificate and the myproxy packae installed.
  • Create and store a credential on Myproxy Server which is the same as the Endpoint Server at KIT.
myproxy-init -s archive-tgftp.lsdf.kit.edu -l <LDAP username>
    • You will be prompted to enter your Grid user key password. You also will be prompted to set a so called MyProxy passphrase twice to protect your created credential on Myproxy Server.
  • !!This password must be the same as your LDAP-Account!! This what I found to be able to login via OAuth. (Please check!)
  • Your credential will be saved on the MyProxy Server under
/var/lib/globus-connect-server/myproxy-ca/store
  • myproxy-init executes a script to create the user's Home directory structure with private/ public/.
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name> 
  • In case 2. has failed complaining about missing CA-cerificates download the CA certificates directory via:
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu