Difference between revisions of "Preparing access to the BWDAHub"

From Lsdf
(tarball link set to rda)
(Login to the BWDAHub)
 
(23 intermediate revisions by 3 users not shown)

Latest revision as of 15:56, 2 August 2019


Introduction

To use GridFTP with the BWDataArchiv (BWDA) service you must use certificates. X.509 certificates map user credentials to real persons and are issued or signed by so-called registration authorities (RAs). Because of this mapping, certificates allow very trustworthy communication. Please see [1] (https://info.pca.dfn.de/grid-ras.html) for a listing of Grid RAs available in Germany.

NOTE: Commands or options in brackets are optional and may depend on your currently used UID or your choice. The $ character marks the shell prompt for a non-root user in Linux.

GSI proxy credential

To access the BWDAHub via gsissh and perform your data transfers with GridFTP you need a GSI proxy credential (GPC) signed by your personal X.509 certificate. Please see [2] (http://toolkit.globus.org/toolkit/docs/4.0/security/key-index.html) for more information about GSI proxy certificates.

This means that you first need a personal X.509 certificate signed by your organization or institute. In addition, the source and destination GridFTP services must be able to verify your GPC to enable the data transfer. By default, a GPC derived from a personal X.509 certificate issued by one of the two German grid certificate authorities:

  • "DFN-Verein PCA Grid - G01"
  • "GridKa-CA"

...or their affiliated RAs is required for data transfers. Other CAs can be accepted locally at the BWDataArchiv after manual configuration by BWDA personnel, but you also need to make sure that your derived GPC is accepted by the source/destination GridFTP service (depending on the direction of the GridFTP data transfer).

Please contact your IT department on how to acquire such a personal X.509 certificate. After receiving your personal X.509 certificate you need to forward the certificate's distinguished name (DN) to the BWDA personnel in order to activate access to the BWDAHub. You can do this either using the web interface https://www.rda.kit.edu/bwDA or by sending an email to bwarchiv-support[at]lists.kit.edu. Note that it may take some days until your DN becomes usable for data transfers. To determine the DN you can use the following openssl command on your personal X.509 certificate:

$ openssl x509 -noout -subject -in <YOUR_PERSONAL_X509_CERTIFICATE_FILE>

Procedure (Linux)

Install the globus-proxy-utils package

RHEL and compatible:

  • Activate the EPEL repository (see [3] for details) or the Globus Alliance repository (see [4] for details)
  • Install the package with $ [sudo] yum install globus-proxy-utils

Debian and compatible:

  • Activate the Globus Alliance repository (see [4] for details)
  • Install the package with $ [sudo] apt-get install globus-proxy-utils

Create a GSI proxy credential

Place your personal X.509 certificate and the corresponding private key as a PKCS#12 keystore in the directory $HOME/.globus (you can usually export such a keystore from your web browser). File system access permissions are important, so please follow the next commands exactly:

  • $ mkdir $HOME/.globus; chmod 0700 $HOME/.globus
  • $ umask 0177; touch $HOME/.globus/usercred.p12
  • Now export your keystore to the file $HOME/.globus/usercred.p12

Actually create your GPC:

  • $ grid-proxy-init [-valid <NUMBER_OF_HOURS:NUMBER_OF_MINUTES>]
  • Your GPC will be valid for the given number of hours and minutes, or 12 hours by default

Install and configure gsissh

Gsissh is a modified version of ssh which allows authentication with a GPC.

Procedure (Linux)

Install the gsi-openssh-clients package

RHEL and compatible:

  • Activate the EPEL repository (see [3] for details) or the Globus Alliance repository (see [4] for details)
  • Install package with $ [sudo] yum install gsi-openssh-clients

Debian and compatible:

  • Activate the Globus Alliance repository (see [4] for details)
  • Install package with $ [sudo] apt-get install gsi-openssh-clients
  • On Debian additionally install the libglobus-usage0 package with $ [sudo] apt-get install libglobus-usage0

Configure the trusted CA certificates directory

When accessing a gsissh service on a remote site, the gsissh client checks the authenticity of the offered host certificate before continuing with authentication of the user. To verify the offered host certificate, the client needs to trust the certificate of the CA that signed it. The BWDAHub is hosted by KIT in Karlsruhe, so its host certificate was signed by the "GridKa-CA". Your gsissh client therefore only needs to trust the CA certificate of the "GridKa-CA" to successfully verify the host certificate of the BWDAHub.

First create the needed directory for the CA certificate:

[$ mkdir -p $HOME/.globus; chmod 0700 $HOME/.globus]
$ mkdir $HOME/.globus/certificates

Then download the tarball containing the necessary certificate and support files via your web browser and place it in $HOME/.globus/certificates. The SHA256 hash of the tarball is:

154bf3698be4502dffa68b65e94d9e5e1c3be5b0e73e045294d24c523041b445

If your download has a different hash value, don't use it and contact the BWDA personnel for further assistance.

Now, from within $HOME/.globus/certificates, untar it with $ tar -xzf certificates.tar.gz
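The directory, permission and download-verification steps above, as one added shell helper (not from the wiki page or the BWDA tooling; the function names are my own, and it assumes Linux with GNU coreutils, tar and openssl, which the guide's commands assume as well):

```shell
#!/bin/sh
# Added helper for the guide's Linux procedure (not part of the wiki page or of
# the Globus/BWDA tools). Assumes GNU coreutils (sha256sum, stat -c), tar, openssl.

# prepare_globus_dir BASE
#   Creates BASE/.globus with mode 0700 and BASE/.globus/certificates below it,
#   mirroring "mkdir $HOME/.globus; chmod 0700 $HOME/.globus" from the guide.
#   BASE is a parameter instead of $HOME only so the helper can be exercised
#   against a scratch directory.
prepare_globus_dir() {
    base="$1"
    mkdir -p "$base/.globus/certificates" || return 1
    chmod 0700 "$base/.globus" "$base/.globus/certificates" || return 1
}

# create_keystore_slot BASE
#   Pre-creates BASE/.globus/usercred.p12 with mode 0600 before the keystore is
#   exported into it ("umask 0177; touch $HOME/.globus/usercred.p12").
#   The umask change is confined to a subshell so the caller's umask survives.
create_keystore_slot() {
    ( umask 0177 && : > "$1/.globus/usercred.p12" )
}

# has_mode PATH OCTAL
#   Succeeds only if PATH has exactly the given permission bits, e.g.
#   has_mode ~/.globus 700  or  has_mode ~/.globus/usercred.p12 600.
has_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "$2" ]
}

# sha256_of FILE  -> lowercase hex digest on stdout
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# install_ca_tarball TARBALL EXPECTED_SHA256 DESTDIR
#   Verifies the download against the published digest and extracts it into
#   DESTDIR only on a match. On a mismatch nothing is written and 1 is returned,
#   which is the "don't use it and contact the BWDA personnel" case.
install_ca_tarball() {
    tarball="$1"; expected="$2"; dest="$3"
    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'SHA256 mismatch for %s\n  got:      %s\n  expected: %s\n' \
            "$tarball" "$actual" "$expected" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$dest"
}

# subject_dn CERT_PEM
#   Prints the subject DN in the slash-separated form ("/C=DE/O=Grid/...") that
#   the genproxy output on this page shows. OpenSSL 1.1 and later print
#   "C = DE, O = Grid, ..." by default, so -nameopt compat is passed explicitly.
subject_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# Example session (the digest is the one published in the guide for
# certificates.tar.gz; the tarball itself has to be downloaded first):
#   prepare_globus_dir "$HOME" && create_keystore_slot "$HOME"
#   has_mode "$HOME/.globus" 700 && has_mode "$HOME/.globus/usercred.p12" 600
#   install_ca_tarball ~/Downloads/certificates.tar.gz \
#       154bf3698be4502dffa68b65e94d9e5e1c3be5b0e73e045294d24c523041b445 \
#       "$HOME/.globus/certificates"
#   subject_dn "$HOME/.globus/usercert.pem"
```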

Login to the BWDAHub

After following the descriptions made above you will be able to login to the BWDAHub with the following command:

$ gsissh myusername@bwdahub.lsdf.kit.edu
Last login: Thu May 19 14:22:00 2016 from userhost.domain.tld
+-[Welcome]-------------------------------------------------------------------+
|                                                                             |
|                       BWDAHub (bwdahub.lsdf.kit.edu)                        |
|                                                                             |
+-[Contact]-------------------------------------------------------------------+
|                                                                             |
| General support:                                                            |
|                                                                             |
| * <support-bwarchiv@lists.kit.edu>                                          |
|                                                                             |
+-[Docs]----------------------------------------------------------------------+
|                                                                             |
| Before you start, please have a look at the documentation available in:     |
|                                                                             |
| /usr/share/doc/bwdahub-0.5.0                                                |
|                                                                             |
| * gtransfer-quickstart.md                                                   |
| * gsatellite-quickstart.md                                                  |
|                                                                             |
+-[News]----------------------------------------------------------------------+
|                                                                             |
| 2016-09-06:                                                                 |
|  New gtransfer version (v0.7.0) installed on the BWDAHub. With this version |
|  it's now also possible to specify the user account on GridFTP servers when |
|  using host aliases. I.e.:                                                  |
|                                                                             |
|  `$ gt -s user1@my-gridftp:/~/files/* -d user2@bwda:/~/files`               |
|                                                                             |
|  ...will now also work.                                                     |
|                                                                             |
|  For more details about the new release visit:                              |
|                                                                             |
|  `https://github.com/fr4nk5ch31n3r/gtransfer/releases/tag/v0.7.0`           |
|                                                                             |
+-----------------------------------------------------------------------------+
INFO: Disk quotas for user user (uid 123): 
    Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
     /dev/sda4    123M   1024M   1536M            1627       0       0         OK
INFO: Creating limited delegated GSI proxy credential "/home/user/.gsatellite/tmp/defaultGsiProxyCredential" for gtransfer data transfer jobs... OK
[user@archive-gftp-fuse ~]$

I wasn't able to install the required Globus tools

If the Globus tools cannot be installed or if there are no binaries for your platform, please follow the next steps to get access to the BWDAHub and the tools installed there.

Alternative GSI proxy credential creation

Download the tool genproxy from our website (right-click on the link and use "Save Link as..." to download the file, because otherwise the browser displays it, as it is a plain-text bash script). Before continuing, check that the computed SHA256 hash of the tool's content matches the value given below (e.g. on Linux use $ sha256sum genproxy):

98b4232f709331527a5edcddc3d3561180e001bb634e775cab085d7a24d29344

If your download has a different hash value, don't use it and contact the BWDA personnel for further assistance.

Make the tool executable ($ chmod +x genproxy) and include it in your PATH environment variable so that you can use it from everywhere. Some Linux distributions automatically include executables placed in $HOME/bin in your PATH environment variable. Alternatively, copy genproxy to your $HOME/.globus directory and use it from this directory exclusively. In that case, don't forget to prepend the path to the tool, or ./ when calling it from that directory directly.

When finished, make sure your personal certificate (usercert.pem) and private key (userkey.pem) are available as PEM files in $HOME/.globus. If this is the case, you can now create a GSI proxy credential by just calling genproxy and entering the pass phrase to decrypt your private key:

Example:

$ genproxy 
Your identity: /C=DE/O=Grid/OU=University #1/CN=User
Enter pass phrase for /home/user/.globus/userkey.pem:
Your proxy `/tmp/x509up_p6729.file8x0ds0.1' is valid until: Wed Aug 17 12:31:23 CEST 2016

NOTE: By default the genproxy tool uses a non-guessable name for the generated GSI proxy credential (GPC). This is important on multi-user hosts, because with a predictable name symlink attacks are possible in /tmp which can expose the GPC to other users. If you're running genproxy on a single-user host, you can also predefine the path and name of the GPC in the environment variable X509_USER_PROXY (for example with $ export X509_USER_PROXY="$HOME/.globus/mygpc").
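The two checks described above (the SHA256 comparison before installing genproxy, and keeping the private key and the generated GPC out of reach of other users) can be scripted. The following is an added example, not part of this wiki page nor of the genproxy tool; it assumes a POSIX shell with GNU coreutils (sha256sum or shasum, and stat with the -c option). The helper names verify_sha256, install_tool and check_private_file are chosen here for illustration, and the expected-hash argument is whatever value the documentation gives for the current download.

```shell
#!/bin/sh
# Added example (not from the BWDA wiki or the genproxy tool).
# Assumes GNU coreutils: sha256sum (or shasum -a 256 as fallback) and stat -c.

# verify_sha256 FILE EXPECTED_HEX
#   Returns 0 when the SHA-256 of FILE equals EXPECTED_HEX, 1 otherwise.
#   Use it before running any downloaded script, as the page asks for genproxy.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# install_tool FILE DESTDIR
#   Copies FILE into DESTDIR (created if missing) and marks it executable,
#   i.e. the "chmod +x genproxy" step with an explicit target directory
#   such as $HOME/bin or $HOME/.globus.
install_tool() {
    src=$1
    dest=$2/$(basename "$1")
    mkdir -p "$2" && cp "$src" "$dest" && chmod 755 "$dest"
}

# check_private_file FILE
#   Sanity check for a credential file (userkey.pem or a GSI proxy credential):
#   it must be a regular file and not a symlink (a symlink at a predictable
#   name in /tmp is exactly the attack the NOTE above warns about), it must be
#   owned by the calling user, and it must be mode 0600 so that no other user
#   on a shared host can read it. Returns 0 on success, 1 with a reason on stderr.
check_private_file() {
    f=$1
    if [ -L "$f" ]; then
        echo "REJECT: $f is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "REJECT: $f is not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" != "$(id -u)" ]; then
        echo "REJECT: $f is not owned by uid $(id -u)" >&2
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "REJECT: $f has mode $mode, expected 600" >&2
        return 1
    fi
    return 0
}
```

Typical use after the download is `verify_sha256 genproxy <hash from the page> && install_tool genproxy "$HOME/bin"`, followed by `check_private_file "$HOME/.globus/userkey.pem"` before the first genproxy run and `check_private_file "$X509_USER_PROXY"` after it when you set that variable yourself.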

Copy GSI proxy credential to the BWDAHub

NOTE: For the following step you need to know your password on the BWDAHub or have already placed your SSH public key there, so you can login to the BWDAHub via ssh.

When finished with the GSI proxy credential creation, copy the created GSI proxy credential to the BWDAHub using scp and the exact name for the destination file (X509_USER_PROXY) as given in the following command:

$ scp /tmp/x509up_p6729.file8x0ds0.1 user@bwdahub.lsdf.kit.edu:.globus/X509_USER_PROXY

...or, if you set the environment variable X509_USER_PROXY yourself, with the following command:

$ scp "$X509_USER_PROXY" user@bwdahub.lsdf.kit.edu:.globus/X509_USER_PROXY

Logging in to the BWDAHub using ssh

Now you are ready to log in to the BWDAHub and use the tools installed there via ssh alone.

NOTE: With ssh you need to specify your username on the BWDAHub, as otherwise ssh tries to log in with your local username.
$ ssh user@bwdahub.lsdf.kit.edu
Last login: Thu May 19 14:22:00 2016 from userhost.domain.tld

+-[Welcome]-------------------------------------------------------------------+
|                                                                             |
|                       BWDAHub (bwdahub.lsdf.kit.edu)                        |
|                                                                             |
+-[Contact]-------------------------------------------------------------------+
|                                                                             |
| General support:                                                            |
|                                                                             |
| * <support-bwarchiv@lists.kit.edu>                                          |
|                                                                             |
+-[Docs]----------------------------------------------------------------------+
|                                                                             |
| Before you start, please have a look at the documentation available in:     |
|                                                                             |
| /usr/share/doc/bwdahub-0.5.0                                                |
|                                                                             |
| * gtransfer-quickstart.md                                                   |
| * gsatellite-quickstart.md                                                  |
|                                                                             |
+-[News]----------------------------------------------------------------------+
|                                                                             |
| 2016-09-06:                                                                 |
|  New gtransfer version (v0.7.0) installed on the BWDAHub. With this version |
|  it's now also possible to specify the user account on GridFTP servers when |
|  using host aliases. I.e.:                                                  |
|                                                                             |
|  `$ gt -s user1@my-gridftp:/~/files/* -d user2@bwda:/~/files`               |
|                                                                             |
|  ...will now also work.                                                     |
|                                                                             |
|  For more details about the new release visit:                              |
|                                                                             |
|  `https://github.com/fr4nk5ch31n3r/gtransfer/releases/tag/v0.7.0`           |
|                                                                             |
+-----------------------------------------------------------------------------+

INFO: Disk quotas for user user (uid 123): 
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/sda4    123M   1024M   1536M            1627       0       0         OK
INFO: Creating limited delegated GSI proxy credential "/home/user/.gsatellite/tmp/defaultGsiProxyCredential" for gtransfer data transfer jobs... OK
[user@archive-gftp-fuse ~]$
