Globus Online for HPSS: Difference between revisions
From Lsdf
Jump to navigationJump to search
Felix.bach (talk | contribs) No edit summary |
|||
(9 intermediate revisions by one other user not shown) | |||
Line 13: | Line 13: | ||
* A working [https://github.com/JasonAlt/GridFTP-DSI-for-HPSS HPSS-GridFTP-DSI] compiled package |
* A working [https://github.com/JasonAlt/GridFTP-DSI-for-HPSS HPSS-GridFTP-DSI] compiled package |
||
** Notice: a HPSS-Fuse instead of DSI would also work. |
** Notice: a HPSS-Fuse instead of DSI would also work. |
||
* A working Connection to an LDAP Server to |
* A working Connection to an LDAP Server to authorize the user locally on the GridFTP server. |
||
* [https://www.globus.org/SignUp A Globus Online account] if not already exists. |
* [https://www.globus.org/SignUp A Globus Online account] if not already exists. |
||
* A valid Grid User certificate. |
* A valid Grid User certificate. |
||
Line 101: | Line 101: | ||
* If you run globus-connect-server-setup many times you get this error message: |
* If you run globus-connect-server-setup many times you get this error message: |
||
"You are not an admin of the MyProxy Delegation Service" |
"You are not an admin of the MyProxy Delegation Service" |
||
⚫ | |||
⚫ | |||
# rm /var/lib/myproxy-oauth/myproxy-oauth.db |
# rm /var/lib/myproxy-oauth/myproxy-oauth.db |
||
* The name of the Endpoint is: hpss#bwda-go-1 |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
* You will be prompted to enter your Grid user key password and |
|||
⚫ | |||
** !!This password must be the same as your LDAP-Account!! This what I found to be able to login via OAuth. (Please check!) |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
* [http://grid.ncsa.illinois.edu/myproxy/pam.html Update to Myproxy passphrase issue] When using PAM for authentication to retrieve credentials stored in the MyProxy repository, it is simplest to store unencrypted credentials, via the '''--no_passphrase''' argument (equivalent to '''-n''') to myproxy-init. That way, the PAM password can change independently of MyProxy and users' stored credentials. |
|||
* Your created (proxy) credentials will last for 7 days but if you use the option '''--cred_lifetime 0''' (aquivalent to '''-c 0''') it will last for 366.9 days. |
|||
⚫ | |||
⚫ | |||
* myproxy-init executes a script to create the user's Home directory structure with private/ public/. |
* myproxy-init executes a script to create the user's Home directory structure with private/ public/. |
||
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name> |
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name> |
||
* In case myproxy-init has failed complaining about missing CA-cerificates download the CA certificates directory via: |
|||
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu |
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu |
||
* Login to [https://www.globus.org Globus Online] with your Globus Online account credentials and activate the Endpoint. |
|||
* for the activation and File Transfer You will be redirected to the OAuth Server at KIT to login with your LDAP credentials. |
|||
⚫ | |||
4. |
|||
* If a User does not have a valid Grid User Certificate the user can directly login to Globus Online chose the Endpoint (hpss#bwda-go-1) and a dummy proxy certificate will be created for him. |
|||
* You only must have an account on the archive-tgftp.lsdf.kit.edu. |
Latest revision as of 09:34, 26 July 2017
This is a guide on setup the Globus Online service to storge data on HPSS at KIT.
Components
- GridFTP Server connected to HPSS-DSI
- myProxy Server for managing and creating user proxies
- OAuth Server for User logins to the globus-Online Endpoint at KIT.
- Globus Online Web Interface.
Requirements
- A working HPSS Frontend with HPSS Client software installed and configured.
- A working GridFTP Server with a valid Grid Host certificate. (GridKa Host certificate)
- A working HPSS-GridFTP-DSI compiled package
- Notice: a HPSS-Fuse instead of DSI would also work.
- A working Connection to an LDAP Server to authorize the user locally on the GridFTP server.
- A Globus Online account if not already exists.
- A valid Grid User certificate.
Installation
Hostname: archive-tgftp.lsdf.kit.edu OS: SL 6.4
- Download and install Globus Connect server repository
# curl -LOs http://toolkit.globus.org/ftppub/globus-connect-server/globus-connect-server-repo-latest.noarch.rpm # rpm --import http://www.globus.org/ftppub/globus-connect-server/RPM-GPG-KEY-Globus # yum install globus-connect-server-repo-latest.noarch.rpm
- Install
# yum install globus-connect-server
Configuration
- Adapt the config files. Both files contain detailed information on configuration possibilities. Please check!
/etc/globus-connect-server.conf /var/lib/globus-connect-server/myproxy-server.conf
- globus-connect-server.conf
[Globus] User = %(GLOBUS_USER)s Password = %(GLOBUS_PASSWORD)s [Endpoint] Name = bwda-go-1 Public = True DefaultDirectory = /~/ [Security] FetchCredentialFromRelay = False CertificateFile = /etc/grid-security/hostcert.pem KeyFile = /etc/grid-security/hostkey.pem TrustedCertificateDirectory = /etc/grid-security/certificates IdentityMethod = OAuth AuthorizationMethod = MyProxyGridmapCallout [GridFTP] Server = archive-tgftp.lsdf.kit.edu IncomingPortRange = 50000,51000 OutgoingPortRange = 50000,51000 RestrictPaths = RW~,R/hpss/fs/GFTP/public (!! to check) # still not working, needs registration Sharing = True SharingRestrictPaths = R/hpss/fs/GFTP/public SharingStateDir = /var/globusonline/sharing/$USER [MyProxy] Server = %(HOSTNAME)s ServerBehindNAT = False CADirectory = /var/lib/globus-connect-server/myproxy-ca ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf [OAuth] Server = %(HOSTNAME)s
- myproxy-server.conf
authorized_retrievers "*" default_retrievers "*" authorized_renewers "*" default_renewers "none" default_key_retrievers "none" trusted_retrievers "*" default_trusted_retrievers "none" accepted_credentials "*" certificate_issuer_cert "/var/lib/globus-connect-server/myproxy-ca/cacert.pem" certificate_issuer_key "/var/lib/globus-connect-server/myproxy-ca/private/cakey.pem" certificate_issuer_key_passphrase "globus" certificate_serialfile "/var/lib/globus-connect-server/myproxy-ca/serial" certificate_out_dir "/var/lib/globus-connect-server/myproxy-ca/newcerts" certificate_issuer_subca_certfile "/var/lib/globus-connect-server/myproxy-ca/cacert.pem" max_cert_lifetime 168 cert_dir /etc/grid-security/certificates pam "required" pam_id "login" certificate_mapapp /var/lib/globus-connect-server/myproxy-ca/mapapp accepted_credentials_mapapp /usr/local/bin/myproxy-accepted-credentials-mapapp
Endpoint Creation
Now setup your Frontend GridFTP Server as an Endpoint for globus Online
# globus-connect-server-setup
- The globus-connect-server-setup asks you for your Globus Online account name and password.
- If you run globus-connect-server-setup many times you get this error message:
"You are not an admin of the MyProxy Delegation Service"
- Solution: run as root:
# rm /var/lib/myproxy-oauth/myproxy-oauth.db
- The name of the Endpoint is: hpss#bwda-go-1
- Login via ssh to a Host where you have your valid Grid user Certificate and the myproxy packae installed.
- Create and store a credential on Myproxy Server which is the same as the Endpoint Server at KIT.
myproxy-init -s archive-tgftp.lsdf.kit.edu -l <LDAP username> [--cred_lifetime 0 | --no_passphrase]
- You will be prompted to enter your Grid user key password. You also will be prompted to set a so called MyProxy passphrase twice to protect your created credential on Myproxy Server. This password must be the same as your PAM password or LDAP-Account password.
- Update to Myproxy passphrase issue When using PAM for authentication to retrieve credentials stored in the MyProxy repository, it is simplest to store unencrypted credentials, via the --no_passphrase argument (equivalent to -n) to myproxy-init. That way, the PAM password can change independently of MyProxy and users' stored credentials.
- Your created (proxy) credentials will last for 7 days but if you use the option --cred_lifetime 0 (aquivalent to -c 0) it will last for 366.9 days.
- Your credential will be saved on the MyProxy Server under
/var/lib/globus-connect-server/myproxy-ca/store
- myproxy-init executes a script to create the user's Home directory structure with private/ public/.
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name>
- In case myproxy-init has failed complaining about missing CA-cerificates download the CA certificates directory via:
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu
- Login to Globus Online with your Globus Online account credentials and activate the Endpoint.
- for the activation and File Transfer You will be redirected to the OAuth Server at KIT to login with your LDAP credentials.
Usage for user without a Grid User certificate
- If a User does not have a valid Grid User Certificate the user can directly login to Globus Online chose the Endpoint (hpss#bwda-go-1) and a dummy proxy certificate will be created for him.
- You only must have an account on the archive-tgftp.lsdf.kit.edu.