Preparing access to the BWDAHub

From Lsdf
Jump to navigationJump to search

  BWDAHub<br\>   Preparing access to the BWDAHub<br\>   Quickstart guide for gtransfer<br\>   Quickstart guide for gsatellite

Introduction

For using the BWDataArchiv (BWDA) service it is mandatory to use certificates. X.509 certificates allow the mapping of user credentials to real persons and are issued or signed by so-called registration authorities (RAs). Due to this mapping certificates allow for very trustworthy communication. Please see 1 for a listing of Grid RAs available in Germany.


NOTE: Commands or options in brackets are optional and may depend on your currently used UID or your choice. The $ character marks the shell prompt for a non-root user in Linux.

GSI proxy credential

For accessing the BWDAHub via gsissh and performing your data transfers with GridFTP you need a GSI proxy credential (GPC) signed by your personal X.509 certificate. Please see 2 for more information about GSI proxy certificates.

I.e. this means that you first need a personal X.509 certificate signed by your organization or institute. In addition the source and destination GridFTP services must be able to verify your GPC to enable the data transfer. By default a GPC derived from a personal X.509 certificate issued by the two German grid certificate authorities:

  • "DFN-Verein PCA Grid - G01"
  • "GridKa-CA"

...or their affiliated RAs is required for data transfers. Other CAs can be accepted locally at the BWDataArchiv after manual configuration by BWDA personnel, but you also need to make sure that your derived GPC is also accepted by the source/destination GridFTP service (depending on the direction of the GridFTP data transfer).

Please contact your IT department on how to acquire such a personal X.509 certificate. After receiving your personal X.509 certificate you need to forward the certificate's distinguished name (DN) to the BWDA personnel in order to activate access to the BWDAHub. To determine the DN you can use the following openssl command on your personal X.509 certificate:

$ openssl x509 -noout -subject -in <YOUR_PERSONAL_X509_CERTIFICATE_FILE>

Procedure (Linux)

Install the globus-proxy-utils package

RHEL and compatible:

  • Activate EPEL repository (see 3 for details) or the Globus Alliance repository (see 4 for details)
  • install package with $ [sudo] yum install globus-proxy-utils

Debian and compatible:

  • Activate the Globus Alliance repository (see 4 for details)
  • install package with $ [sudo] apt-get install globus-proxy-utils

Create a GSI proxy credential

Place your personal X.509 certficate and corresponding private key as PKCS#12 keystore in the directory $HOME/.globus (you usually can export such a keystore from your web browser!). File system access permissions are important, so please follow the next commands exactly:

  • $ mkdir $HOME/.globus; chmod 0700 $HOME/.globus
  • $ umask 0177; touch $HOME/.globus/usercred.p12
  • Now export your keystore to the file $HOME/.globus/usercred.p12

Actually create your GPC:

  • $ grid-proxy-init [-valid <NUMBER_OF_HOURS:NUMBER_OF_MINUTES>]
  • Your GSI proxy certficate will be valid for the given number of hours and minutes or 12 hours by default


Install and configure gsissh

Gsissh is a modified version of ssh which allows authentication with a GSI proxy certificate.

Procedure (Linux)

Install the gsi-openssh-clients package

RHEL and compatible:

  • Activate EPEL repository (see 3 for details) or the Globus Alliance repository (see 4 for details)
  • Install package with $ [sudo] yum install gsi-openssh-clients

Debian and compatible:

  • Activate the Globus Alliance repository (see 4 for details)
  • Install package with $ [sudo] apt-get install gsi-openssh-clients
  • On Debian additionally install the libglobus-usage0 package with $ [sudo] apt-get install libglobus-usage0

Configure the trusted CA certficates directory

When accessing a gsissh service on a remote site the gsissh client checks the authenticity of the host certificate offered before continuing with authentication of the user. To be able to verify the offered host certificate, the client needs to trust the certificate of the CA that signed the host certificate. The BWDAHub is hosted by KIT in Karlsruhe and hence its host certificate was signed by the "GridKa-CA". Hence your gsissh client does only need to trust the CA certificate of the "GridKa-CA" to successfully verify the host certificate of the BWDAHub.

First create the needed directory for the CA certificate:

[$ mkdir -p $HOME/.globus; chmod 0700 $HOME/.globus]
$ mkdir $HOME/.globus/certificates


Then download the tarball containing the necessary certificate and support files via your Webbrowser from BWSyncAndShare and place it in $HOME/.globus/certificates. The SHA256 hash of the tarball is:

154bf3698be4502dffa68b65e94d9e5e1c3be5b0e73e045294d24c523041b445

If your download has a different hash value, don't use it and contact the BWDA personnel for further assistance.

NOTE: The original tarball was extended to also include the CA certificate of "GridKa-CA" under the old subject DN hash as name, which was and still is used by older OpenSSL versions (prior to v1.0.0). Just for reference, this older tarball's SHA256 hash value was:
52136e8943f03b8accfc8573273786a84fe6ee50f4ad33a9a45e8d379d5199a8

Now untar it with $ tar -xzf certificates.tar.gz

Login to the BWDAHub

After following the descriptions made above you will be able to login to the BWDAHub with the following command:

$ gsissh bwdahub.lsdf.kit.edu -p 22222
Last login: Thu May 19 14:22:00 2016 from userhost.domain.tld
+-[Welcome]-------------------------------------------------------------------+
|                                                                             |
|                       BWDAHub (bwdahub.lsdf.kit.edu)                        |
|                                                                             |
+-[Contact]-------------------------------------------------------------------+
|                                                                             |
| General support:                                                            |
|                                                                             |
| * <support-bwarchiv@lists.kit.edu>                                          |
|                                                                             |
+-[Docs]----------------------------------------------------------------------+
|                                                                             |
| Before you start, please have a look at the documentation available in:     |
|                                                                             |
| /usr/share/doc/bwdahub-0.4.0                                                |
|                                                                             |
| * gtransfer-quickstart.md                                                   |
| * gsatellite-quickstart.md                                                  |
|                                                                             |
+-[News]----------------------------------------------------------------------+
|                                                                             |
| 2016-04-27:                                                                 |
|  The new default behaviour of gtransfer is to also encrypt the data         |
|  channel. Please see `gtransfer-quickstart.md' for more details.            |
|                                                                             |
| 2016-05-19:                                                                 |
|  Planned downtime for 1h at max starting at 07:00h (CET). [COMPLETED]       |
|                                                                             |
+-----------------------------------------------------------------------------+
INFO: Disk quotas for user user (uid 123): 
    Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
     /dev/sda4    123M   1024M   1536M            1627       0       0         OK
INFO: Creating limited delegated GSI proxy credential "/home/user/.gsatellite/tmp/defaultGsiProxyCredential" for gtransfer data transfer jobs... OK
[user@archive-gftp-fuse ~]$

back to BWDAHub   back to bwDataArchiv   back to Using bwDataArchiv