Globus Online for HPSS

From Lsdf
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

This is a guide on setup the Globus Online service to storge data on HPSS at KIT.

Components

  • GridFTP Server connected to HPSS-DSI
  • myProxy Server for managing and creating user proxies
  • OAuth Server for User logins to the globus-Online Endpoint at KIT.
  • Globus Online Web Interface.

Requirements

  • A working HPSS Frontend with HPSS Client software installed and configured.
  • A working GridFTP Server with a valid Grid Host certificate. (GridKa Host certificate)
  • A working HPSS-GridFTP-DSI compiled package
    • Notice: a HPSS-Fuse instead of DSI would also work.
  • A working Connection to an LDAP Server to authorized the user locally on the GridFTP server.
  • A Globus Online account if not already exists.
  • A valid Grid User certificate.

Installation

Hostname: archive-tgftp.lsdf.kit.edu OS: SL 6.4

  • Download and install Globus Connect server repository
# curl -LOs http://toolkit.globus.org/ftppub/globus-connect-server/globus-connect-server-repo-latest.noarch.rpm
# rpm --import http://www.globus.org/ftppub/globus-connect-server/RPM-GPG-KEY-Globus
# yum install globus-connect-server-repo-latest.noarch.rpm
  • Install
# yum install globus-connect-server

Configuration

  • Adapt the config files. Both files contain detailed information on configuration possibilities. Please check!
/etc/globus-connect-server.conf
/var/lib/globus-connect-server/myproxy-server.conf
  • globus-connect-server.conf
[Globus]
User = %(GLOBUS_USER)s
Password = %(GLOBUS_PASSWORD)s
[Endpoint]
Name = bwda-go-1
Public = True
DefaultDirectory = /~/
[Security]
FetchCredentialFromRelay =  False
CertificateFile = /etc/grid-security/hostcert.pem
KeyFile = /etc/grid-security/hostkey.pem
TrustedCertificateDirectory = /etc/grid-security/certificates
IdentityMethod = OAuth
AuthorizationMethod = MyProxyGridmapCallout
[GridFTP]
Server = archive-tgftp.lsdf.kit.edu
IncomingPortRange = 50000,51000
OutgoingPortRange = 50000,51000
RestrictPaths = RW~,R/hpss/fs/GFTP/public (!! to check)
# still not working, needs registration
Sharing = True
SharingRestrictPaths = R/hpss/fs/GFTP/public
SharingStateDir = /var/globusonline/sharing/$USER
[MyProxy]
Server = %(HOSTNAME)s
ServerBehindNAT = False
CADirectory = /var/lib/globus-connect-server/myproxy-ca
ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf
[OAuth]
Server = %(HOSTNAME)s
  • myproxy-server.conf
authorized_retrievers      "*"
default_retrievers         "*"
authorized_renewers        "*"
default_renewers           "none"
default_key_retrievers     "none"
trusted_retrievers         "*"
default_trusted_retrievers "none"
accepted_credentials       "*"            
certificate_issuer_cert "/var/lib/globus-connect-server/myproxy-ca/cacert.pem"
certificate_issuer_key "/var/lib/globus-connect-server/myproxy-ca/private/cakey.pem"
certificate_issuer_key_passphrase "globus"
certificate_serialfile "/var/lib/globus-connect-server/myproxy-ca/serial"
certificate_out_dir "/var/lib/globus-connect-server/myproxy-ca/newcerts"
certificate_issuer_subca_certfile "/var/lib/globus-connect-server/myproxy-ca/cacert.pem"
max_cert_lifetime 168
cert_dir /etc/grid-security/certificates
pam  "required"
pam_id "login"
certificate_mapapp /var/lib/globus-connect-server/myproxy-ca/mapapp
accepted_credentials_mapapp /usr/local/bin/myproxy-accepted-credentials-mapapp

Endpoint Creation

Now setup your Frontend GridFTP Server as an Endpoint for globus Online 

# globus-connect-server-setup
  • The globus-connect-server-setup asks you for your Globus Online account name and password.
  • If you run globus-connect-server-setup many times you get this error message:
"You are not an admin of the MyProxy Delegation Service"
  • Solution: run as root:
# rm /var/lib/myproxy-oauth/myproxy-oauth.db

Usage with your Grid User Certificate

  • Login via ssh to a Host where you have your valid Grid user Certificate and the myproxy packae installed.
  • Create and store a credential on Myproxy Server which is the same as the Endpoint Server at KIT.
myproxy-init -s archive-tgftp.lsdf.kit.edu -l <LDAP username>
  • You will be prompted to enter your Grid user key password. You also will be prompted to set a so called MyProxy passphrase twice to protect your created credential on Myproxy Server. This password must be the same as your LDAP-Account!! This what I found to be able to login via OAuth. (Please check!)
  • Your credential will be saved on the MyProxy Server under
/var/lib/globus-connect-server/myproxy-ca/store
  • myproxy-init executes a script to create the user's Home directory structure with private/ public/.
/usr/local/bin/myproxy-accepted-credentials-mapapp <User Cert DN><LDAP name>
  • In case myproxy-init has failed complaining about missing CA-cerificates download the CA certificates directory via:
myproxy-get-trustroots -s archive-tgftp.lsdf.kit.edu
Retrieved from "https://wiki.scc.kit.edu/lsdf/index.php?title=Globus_Online_for_HPSS&oldid=2965"