Gridftp client: Difference between revisions

From Lsdf
Jump to navigationJump to search
mNo edit summary
mNo edit summary
Line 1: Line 1:
'''Grid Certificate''' <br>
'''Grid Certificate''' <br>
* In order to use gridftp you need to have a valid grid certificate issued from the [https://gridka-ca-sec.fzk.de/ GridKa Certificate Authority] (CA).
* In order to use gridftp you need to have a valid grid certificate issued from the [https://gridka-ca-sec.fzk.de/ GridKa Certificate Authority] (CA). For instructions see https://gridka-ca-sec.fzk.de/help/index.php?lid=1
* Export your certificate from your browser as pk12 file and convert into the pem format with this [https://gridka-ca-sec.fzk.de/download/p12-2-pem-en.sh script] (requires openssl):
* Export your certificate from your browser as pk12 file and convert into the pem format with this [https://gridka-ca-sec.fzk.de/download/p12-2-pem-en.sh script] (requires openssl):
wget --no-check-certificate https://gridka-ca-sec.fzk.de/download/p12-2-pem-en.sh
wget --no-check-certificate https://gridka-ca-sec.fzk.de/download/p12-2-pem-en.sh
Line 16: Line 16:
-r--------. 1 myname users 2004 Mar 15 09:28 userkey.pem
-r--------. 1 myname users 2004 Mar 15 09:28 userkey.pem
* The gridftp client needs to trust the CA that issued the host certificate of the gridftp server. Therefore, you need copy the CA root certificate of the [https://gridka-ca-sec.fzk.de/ GridKa CA] to the certificates subfolder:
* The gridftp client needs to trust the CA that issued the host certificate of the gridftp server. Therefore, you need copy the CA root certificate of the [https://gridka-ca-sec.fzk.de/ GridKa CA] to the certificates subfolder:
cd $HOME/.globus/certificates
* to be continued...
wget --no-check-certificate https://gridka-ca-sec.fzk.de/gridka-root-cert.crt
openssl x509 -in gridka-root-cert.crt -out 7ecb2657.0 -outform PEM
rm gridka-root-cert.crt
(remark: 7ecb2657 is a hash of the CA pem file:
openssl x509 -hash -noout < 7ecb2657.0
7ecb2657
)<br>
Create a text file called 7ecb2657.signing_policy with the following content:
access_id_CA X509 '/C=DE/O=GermanGrid/CN=GridKa-CA'
pos_rights globus CA:sign
cond_subjects globus '"/C=DE/O=GermanGrid/*" "/O=GermanGrid/OU=*"'

ls -l $HOME/.globus/certificates
-rw-r--r--. 1 myname users 1631 Mar 9 07:35 7ecb2657.0
-rw-r--r--. 1 myname users 267 Mar 9 07:35 7ecb2657.signing_policy

* Install globus-proxy-utils (contains commands grid-proxy-init, grid-proxy-info and grid-proxy-destroy)<br>
On Red Hat (Fedora, CentOS, Scientific Linux):
yum install globus-proxy-utils
On Debian (Debian, Ubuntu):
apt-get install globus-proxy-utils

* Generate a grid proxy:



'''uberftp'''
[http://dims.ncsa.illinois.edu/set/uberftp/ uberftp] is an interactive gridftp client.
* On Red Hat based distributions it can be installed with:
yum install uberftp
*

'''Troubleshooting'''
* Error messages from gridftp server: http://www.globus.org/toolkit/docs/4.2/4.2.0/data/gridftp/admin/gridftp-troubleshooting.html
* If you need help open a ticket at [https://helpdesk.lsdf.kit.edu/ helpdesk]

Revision as of 10:52, 19 March 2013

Grid Certificate

wget --no-check-certificate https://gridka-ca-sec.fzk.de/download/p12-2-pem-en.sh
chmod 755 p12-2-pem-en.sh
./p12-2-pem-en.sh usercert.p12
  • copy user certificate files in .globus folder:
mkdir -p $HOME/.globus/certificates
mv usercert.pem $HOME/.globus
mv userkey.pem $HOME/.globus
chmod og-rwx $HOME/.globus userkey.pem

ls -l $HOME/.globus/
drwxrwxr-x. 2 myname users 4096 Mar  9 08:29 certificates
-r--r--r--. 1 myname users 1999 Mar 15 09:28 usercert.pem
-r--------. 1 myname users 2004 Mar 15 09:28 userkey.pem
  • The gridftp client needs to trust the CA that issued the host certificate of the gridftp server. Therefore, you need copy the CA root certificate of the GridKa CA to the certificates subfolder:
cd $HOME/.globus/certificates
wget --no-check-certificate https://gridka-ca-sec.fzk.de/gridka-root-cert.crt
openssl x509 -in gridka-root-cert.crt -out 7ecb2657.0 -outform PEM
rm gridka-root-cert.crt

(remark: 7ecb2657 is a hash of the CA pem file:

openssl x509 -hash -noout < 7ecb2657.0
7ecb2657

)
Create a text file called 7ecb2657.signing_policy with the following content:

access_id_CA  X509   '/C=DE/O=GermanGrid/CN=GridKa-CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=DE/O=GermanGrid/*" "/O=GermanGrid/OU=*"'
ls -l $HOME/.globus/certificates
-rw-r--r--. 1 myname users 1631 Mar  9 07:35 7ecb2657.0
-rw-r--r--. 1 myname users  267 Mar  9 07:35 7ecb2657.signing_policy
  • Install globus-proxy-utils (contains commands grid-proxy-init, grid-proxy-info and grid-proxy-destroy)

On Red Hat (Fedora, CentOS, Scientific Linux):

yum install globus-proxy-utils

On Debian (Debian, Ubuntu):

apt-get install globus-proxy-utils
  • Generate a grid proxy:


uberftp uberftp is an interactive gridftp client.

  • On Red Hat based distributions it can be installed with:
yum install uberftp

Troubleshooting