Preparing access to the BWDAHub
Introduction
To use the BWDataArchiv (BWDA) service you must have an X.509 certificate. An X.509 certificate binds a public key to the identity of a real person: it is issued by a certificate authority (CA) after a registration authority (RA) has verified the applicant's identity, and this verified mapping is what makes communication based on certificates trustworthy. Please see [1] for a listing of Grid RAs available in Germany.
GSI proxy certificate
To access the BWDAHub via gsissh and to perform your data transfers with GridFTP you need a GSI proxy certificate, i.e. a short-lived certificate signed with the private key of your personal X.509 certificate. Please see [2] for more information about GSI proxy certificates.
This means that you first need a personal X.509 certificate issued by the CA your organization or institute uses. In addition, both the source and the destination GridFTP service must be able to verify your GSI proxy certificate, and therefore the personal certificate and the CA behind it, for a data transfer to succeed. By default a personal X.509 certificate issued by one of the two German grid certificate authorities:
- "DFN-Verein PCA Grid - G01"
- "GridKa-CA"
...or one of their affiliated RAs is required for data transfers. Other CAs can be accepted locally at the BWDataArchiv after manual configuration by BWDA personnel, but you also need to make sure that your personal (GSI proxy) certificate is accepted by the source or destination GridFTP service (depending on the direction of the GridFTP data transfer).
Please contact your IT department on how to acquire such a personal X.509 certificate. After receiving your personal X.509 certificate, forward the certificate's distinguished name (DN) to the BWDA personnel so that access to the BWDAHub can be activated. To determine the DN you can use the following openssl command on your personal X.509 certificate (PEM format):
$ openssl x509 -noout -subject -in <YOUR_PERSONAL_X509_CERTIFICATE_FILE>
Procedure (Linux)
Install the globus-proxy-utils package
RHEL and compatible:
- Activate EPEL repository (see [3] for details) or the Globus Alliance repository (see [4] for details)
- Install package with
$ [sudo] yum install globus-proxy-utils
Debian and compatible:
- Activate the Globus Alliance repository (see [4] for details)
- Install package with
$ [sudo] apt-get install globus-proxy-utils
Create a GSI proxy certificate
Place your personal X.509 certificate and the corresponding private key as a PKCS#12 keystore in the directory $HOME/.globus (you can usually export such a keystore from your web browser). File system permissions matter, because the keystore contains your private key, so please follow the next commands exactly:
$ mkdir $HOME/.globus; chmod 0700 $HOME/.globus
$ umask 0177; touch $HOME/.globus/usercred.p12
- Now export your keystore from the browser to the file $HOME/.globus/usercred.p12, overwriting the empty file created above so that it keeps the 0600 permissions; check afterwards with ls -l $HOME/.globus/usercred.p12. Note that the umask set above remains in effect for the current shell session.
Then create your GSI proxy certificate (you will be asked for the keystore password):
$ grid-proxy-init [-valid <NUMBER_OF_HOURS:NUMBER_OF_MINUTES>]
- Your GSI proxy certificate will be valid for the given number of hours and minutes, or 12 hours by default. Keep the lifetime as short as your transfers need: the proxy is written to /tmp/x509up_u<UID> by default, and anyone who obtains that file can act as you until it expires.
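The preparation steps above (keystore location and permissions, DN extraction for the BWDA personnel, proxy lifetime), collected in one shell script as an added example. This script is not part of the BWDA documentation or of the Globus tools; the helper names (globus_dir_setup, cred_mode_ok, cert_dn_from_p12, cert_outlives_hours) are ours. It assumes the keystore is $HOME/.globus/usercred.p12 as described above and reads the DN directly from the PKCS#12 file with openssl, which is the form you have after a browser export, so the separate PEM certificate from the openssl x509 command in the introduction is not needed.

```sh
#!/bin/sh
# Added example (not part of the BWDA documentation): prepare $HOME/.globus,
# check the keystore permissions and print the DN that goes to the BWDA
# personnel. Helper names below are ours, not Globus commands.
set -u

# Create $HOME/.globus (0700) and an empty, owner-only usercred.p12 so the
# browser export inherits 0600. The umask is set in a subshell so it does
# not stay in effect for the calling shell.
globus_dir_setup() {
    dir="${1:-$HOME/.globus}"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    ( umask 0177; : >> "$dir/usercred.p12" ) || return 1
    mkdir -p "$dir/certificates"
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the keystore is readable by its owner only (0600 or 0400): it holds
# your private key, and the Globus tools check this before using it.
cred_mode_ok() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Extract the user certificate (PEM) from a PKCS#12 keystore to stdout.
# $1: keystore, $2: password. Keystores exported by older browsers are
# RC2-encrypted; with OpenSSL 3 add "-legacy" here if this fails.
p12_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null
}

# Subject DN in the slash form used in Globus grid-mapfiles
# (/C=DE/O=.../CN=...), which is what the BWDA personnel need.
cert_dn_from_p12() {
    p12_cert "$1" "$2" | openssl x509 -noout -subject -nameopt compat \
        | sed 's/^subject= *//'
}

# 0 if the certificate is still valid in $3 hours. A proxy is only accepted
# while the certificate it chains to is valid, so check this before asking
# grid-proxy-init for a long lifetime.
cert_outlives_hours() {
    p12_cert "$1" "$2" | openssl x509 -noout -checkend "$(( $3 * 3600 ))" >/dev/null
}

# Interactive use: sh prepare-globus.sh run
if [ "${1:-}" = "run" ]; then
    globus_dir_setup || exit 1
    KS="$HOME/.globus/usercred.p12"
    cred_mode_ok "$KS" || { echo "run: chmod 0600 $KS" >&2; exit 1; }
    printf 'Keystore password: '; stty -echo; read -r PW; stty echo; echo
    echo "DN to send to the BWDA personnel: $(cert_dn_from_p12 "$KS" "$PW")"
    cert_outlives_hours "$KS" "$PW" 12 \
        || echo "warning: certificate expires within 12 hours" >&2
    grid-proxy-init -valid 12:00 && grid-proxy-info
fi
```

The password is read without echo and passed to openssl via -passin, which keeps it out of the shell history; it still shows up briefly in the process list, so on a shared machine prefer running grid-proxy-init interactively as in the step above.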
Install and configure gsissh
GSI-OpenSSH (gsissh) is a variant of OpenSSH that adds authentication with a GSI proxy certificate.
Procedure (Linux)
Install the gsi-openssh-clients package
RHEL and compatible:
- Activate EPEL repository (see [3] for details) or the Globus Alliance repository (see [4] for details)
- Install package with
$ [sudo] yum install gsi-openssh-clients
Debian and compatible:
- Activate the Globus Alliance repository (see [4] for details)
- Install package with
$ [sudo] apt-get install gsi-openssh-clients
- On Debian additionally install the libglobus-usage0 package with
$ [sudo] apt-get install libglobus-usage0
Configure the trusted CA certificates directory
When connecting to a gsissh service on a remote site, the gsissh client first checks the authenticity of the host certificate presented by the server before it proceeds to authenticate the user. To verify that host certificate, the client must trust the certificate of the CA that signed it. The BWDAHub is hosted by KIT in Karlsruhe and its host certificate was signed by the "GridKa-CA", so your gsissh client only needs to trust the CA certificate of the "GridKa-CA" to verify the host certificate of the BWDAHub. The client looks for trusted CA certificates in $HOME/.globus/certificates (or in the directory named by X509_CERT_DIR, if set).
First create the needed directory for the CA certificate (the first command is only required if $HOME/.globus does not exist yet):
$ mkdir -p $HOME/.globus; chmod 0700 $HOME/.globus
$ mkdir $HOME/.globus/certificates
Then download the tarball containing the necessary certificate and support files with your web browser from BWSyncAndShare and place it in $HOME/.globus/certificates. The SHA256 hash of the tarball is:
154bf3698be4502dffa68b65e94d9e5e1c3be5b0e73e045294d24c523041b445
Compare it with the hash of your download (e.g. $ sha256sum certificates.tar.gz). If your download has a different hash value, don't use it and contact the BWDA personnel for further assistance.
52136e8943f03b8accfc8573273786a84fe6ee50f4ad33a9a45e8d379d5199a8
Now change into that directory and untar it:
$ cd $HOME/.globus/certificates && tar -xzf certificates.tar.gz
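Verifying the tarball hash before extraction, as an added example that is not part of the BWDA documentation. The expected value is the SHA256 hash given above; the helper names (sha256_of, archive_paths_safe, install_ca_bundle, ca_dir_check) are ours. Besides the hash it checks that the archive contains no entry names that would escape the target directory and, after extraction, that each CA certificate <hash>.0 has its <hash>.signing_policy file, which the Globus libraries need before they accept certificates issued by that CA.

```sh
#!/bin/sh
# Added example (not part of the BWDA documentation): install the CA bundle
# for the gsissh host certificate check only after its SHA256 matches the
# value published above. Helper names are ours.
set -u

# Published hash of certificates.tar.gz (taken from this page).
EXPECTED_SHA256=154bf3698be4502dffa68b65e94d9e5e1c3be5b0e73e045294d24c523041b445

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# 0 if no archive entry is an absolute path or contains "..", so that
# extraction cannot write outside the target directory.
archive_paths_safe() {
    list=$(tar -tzf "$1") || return 1
    printf '%s\n' "$list" | grep -E '(^/|^\.\.(/|$)|/\.\.(/|$))' >/dev/null && return 1
    return 0
}

# Verify the hash, refuse on mismatch, otherwise extract into $2.
# $1: downloaded tarball, $2: trusted CA directory, $3: expected hash
# (defaults to the published one).
install_ca_bundle() {
    expected="${3:-$EXPECTED_SHA256}"
    actual=$(sha256_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $1" >&2
        echo "  got:      $actual" >&2
        echo "  expected: $expected" >&2
        echo "Do not use this file; contact the BWDA personnel." >&2
        return 1
    fi
    archive_paths_safe "$1" || { echo "unsafe entry names in $1" >&2; return 1; }
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Sanity check of a Globus trusted-CA directory: every CA certificate
# <hash>.0 needs a matching <hash>.signing_policy, otherwise the Globus
# libraries will not accept certificates issued by that CA.
ca_dir_check() {
    found=0
    for cert in "$1"/*.0; do
        [ -f "$cert" ] || continue
        found=1
        [ -f "${cert%.0}.signing_policy" ] \
            || { echo "missing signing policy for $cert" >&2; return 1; }
    done
    [ "$found" = 1 ]
}

# Typical use: sh install-ca-bundle.sh run ~/Downloads/certificates.tar.gz
if [ "${1:-}" = "run" ]; then
    install_ca_bundle "$2" "$HOME/.globus/certificates" \
        && ca_dir_check "$HOME/.globus/certificates"
fi
```

The hash comparison happens before tar touches the archive, so a tampered or truncated download is never unpacked into the directory that decides which hosts your client trusts.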
Login to the BWDAHub
After following the steps above you can log in to the BWDAHub with the following command; the output below shows a sample session:
$ gsissh bwdahub.lsdf.kit.edu -p 22222
Last login: Thu May 19 14:22:00 2016 from userhost.domain.tld
+-[Welcome]-------------------------------------------------------------------+
|                                                                             |
| BWDAHub (bwdahub.lsdf.kit.edu)                                              |
|                                                                             |
+-[Contact]-------------------------------------------------------------------+
|                                                                             |
| General support:                                                            |
|                                                                             |
| * <support-bwarchiv@lists.kit.edu>                                          |
|                                                                             |
+-[Docs]----------------------------------------------------------------------+
|                                                                             |
| Before you start, please have a look at the documentation available in:     |
|                                                                             |
| /usr/share/doc/bwdahub-0.4.0                                                |
|                                                                             |
| * gtransfer-quickstart.md                                                   |
| * gsatellite-quickstart.md                                                  |
|                                                                             |
+-[News]----------------------------------------------------------------------+
|                                                                             |
| 2016-04-27:                                                                 |
| The new default behaviour of gtransfer is to also encrypt the data          |
| channel. Please see `gtransfer-quickstart.md' for more details.             |
|                                                                             |
| 2016-05-19:                                                                 |
| Planned downtime for 1h at max starting at 07:00h (CET). [COMPLETED]        |
|                                                                             |
+-----------------------------------------------------------------------------+
INFO: Disk quotas for user user (uid 123):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/sda4    123M   1024M   1536M            1627       0       0
OK
INFO: Creating limited delegated GSI proxy credential "/home/user/.gsatellite/tmp/defaultGsiProxyCredential" for gtransfer data transfer jobs... OK
[user@archive-gftp-fuse ~]$