Вече сме приключили с подготовката за инсталиране и остава да изтеглим кода и да го изградим.
root@debian:~# adduser globus
Adding user `globus'...
Adding new group `globus' (1023).
Adding new user `globus' (1023) with group `globus'.
Creating home directory `/home/globus'.
Copying files from `/etc/skel'
Enter new UNIX password:********
Retype new UNIX password:********
passwd: password updated successfully
Changing the user information for globus
Enter the new value, or press ENTER for the default
Full Name []: Globus
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
root@choate:/etc/init.d# mkdir /usr/local/globus-4.0.8/
root@choate:/etc/init.d# chown globus:globus /usr/local/globus-4.0.8/
Сега е необходимо да изпълним следващите стъпки като новосъздадения потребител -globus.
globus@debian:~$ tar xzf gt4.0.8-all-source-installer.tar.gz
globus@debian:~$ cd gt4.0.8-all-source-installer
globus@debian:~/gt4.0.8-all-source-installer$ export \ ANT_HOME=/usr/local/apache-ant-1.6.5
globus@debian:~/gt4.0.8-all-source-installer$ export \ JAVA_HOME=/usr/java/j2sdk1.4.2_10/
globus@debian:~/gt4.0.8-all-source-installer$ export \ PATH=$ANT_HOME/bin:$JAVA_HOME/bin:$PATH
globus@debian:~/gt4.0.8-all-source-installer$ ./configure -- \ prefix=/usr/local/globus-4.0.8
checking build system type... i686-pc-linux-gnu
checking for javac... /usr/java/j2sdk1.4.2_10//bin/javac
checking for ant... /usr/local/apache-ant-1.6.5/bin/ant
configure: creating ./config.status
config.status: creating Makefile
Сега е време да изградим Toolkit-a:
globus@choate:~/gt4.0.8-all-source-installer$ make | tee installer.log
cd gpt-3.2autotools2004 && OBJECT_MODE=32 ./build_gpt
build_gpt ====> installing GPT into /usr/local/globus-4.0.8/
...
Time for a coffee break here, the build will take over an hour, possibly
longer depending on how fast your machine is
...
echo "Your build completed successfully. Please run make install."
Your build completed successfully. Please run make install.
globus@choate:~/gt4.0.8-all-source-installer$ make install
/usr/local/globus-4.0.8//sbin/gpt-postinstall
...
..Done
3.3. Инсталиране и настройване на сертификат за сигурност на първата машина.
Сега след като Toolkit-а вече инсталиран ще трябва да направим сертификати за машината и за потребителите. За да направим това ще използваме SimpleCA, който се предлага заедно с Toolkit-а.
globus@choate:~$ export GLOBUS_LOCATION=/usr/local/globus-4.0.8
globus@choate:~$ source $GLOBUS_LOCATION/etc/globus-user-env.sh
globus@choate:~$ $GLOBUS_LOCATION/setup/globus/setup-simple-ca
WARNING: GPT_LOCATION not set, assuming:
GPT_LOCATION=/usr/local/globus-4.0.8
C e r t i f i c a t e A u t h o r i t y S e t u p
This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.
The CA information about the certificates it distributes will
be kept in:
/home/globus/.globus/simpleCA/
/usr/local/globus-4.0.8/setup/globus/setup-simple-ca: line 250:
test: res: integer expression expected
The unique subject name for this CA is:
cn=Globus Simple CA, ou=simpleCA-debian.tu-varna.bg, ou=GlobusTest, o=Grid
Do you want to keep this as the CA subject (y/n) [y]:
y
Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA): user@debian
The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid. A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires. This can be done
by re-running this setup script. Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:RETURN
Enter PEM pass phrase:******
Verifying - Enter PEM pass phrase:******
/bin/sed: can't read /tmp//globus_tmp_ca_setup//pkgdata/pkg_data_src.gpt.tmpl:
No such file or directory
creating CA config package...
A self-signed certificate has been generated
for the Certificate Authority with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA-debian.tu-varna.bg /CN=Globus Simple CA
If this is invalid, rerun this script
/usr/local/globus-4.0.8/setup/globus/setup-simple-ca
and enter the appropriate fields.
-------------------------------------------------------------------
The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem
The distribution package built for this CA is stored in
/home/globus/.globus/simpleCA//globus_simple_ca_ebb88ce5_setup-0.18.tar.gz
This file must be distributed to any host wishing to request
certificates from this CA.
CA setup complete.
The following commands will now be run to setup the security
configuration files for this CA:
$GLOBUS_LOCATION/sbin/gpt-build \
/home/globus/.globus/simpleCA//globus_simple_ca_ebb88ce5_setup-0.18.tar.gz
$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------
setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...
***************************************************************************
Note: To complete setup of the GSI software you need to run the
following script as root to configure your security configuration
directory:
/usr/local/globus-4.0.8/setup/globus_simple_ca_ebb88ce5_setup/setup-gsi
For further information on using the setup-gsi script, use the -help
option. The -default option sets this security configuration to be
the default, and -nonroot can be used on systems where root access is
not available.
***************************************************************************
setup-ssl-utils: Complete
Това е доста изходна информация. Ето какво всъщност се случи:
globus@debian:~$ ls ~/.globus/
simpleCA
globus@debian:~$ ls ~/.globus/simpleCA/
cacert.pem globus_simple_ca_ebb88ce5_setup-0.18.tar.gz newcerts
certs grid-ca-ssl.conf private
crl index.txt serial
Това е директорията в която е създаден SimpleCA, a сега трябва да накарам моята машина да му „вярва”. Може да постигнем това чрез изпълнение на следните команди, но логнати като root:
root@debian:~# export GLOBUS_LOCATION=/usr/local/globus-4.0.8
root@debian:~#$GLOBUS_LOCATION/setup/globus_simple_ca_ebb88ce5_setup/ \ setup-gsi -default
setup-gsi: Configuring GSI security
Making /etc/grid-security...
mkdir /etc/grid-security
Making trusted certs directory: /etc/grid-security/certificates/
mkdir /etc/grid-security/certificates/
Installing /etc/grid-security/certificates//grid-security.conf.ebb88ce5...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete
root@debian:~# ls /etc/grid-security/
certificates globus-host-ssl.conf globus-user-ssl.conf grid-security.conf
root@debian:~# ls /etc/grid-security/certificates/
ebb88ce5.0 globus-user-ssl.conf.ebb88ce5
ebb88ce5.signing_policy grid-security.conf.ebb88ce5
globus-host-ssl.conf.ebb88ce5
Това са конфигурационните файлове, които установяват „доверието” на simpleCA за нашата Globus toolkit инсталация. Трябва да обърнем внимание, че хеш стойността ebb88ce5 съвпада със хеш стойността на simpleCA. Сега след като сме създали CA и му „вярваме” е необходимо да получим хостсертификат за машината:
root@debian:~# source $GLOBUS_LOCATION/etc/globus-user-env.sh
root@debian:~# grid-cert-request -host `hostname`
Generating a 1024 bit RSA private key
..++++++
...................................................++++++
writing new private key to '/etc/grid-security/hostkey.pem'
...
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at user@debian
Трябва да подпишем сертификата като потребител globus
globus@debian:~$ grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem
To sign the request
please enter the password for the CA key:******
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem
Последната ни стъпка е да копираме подписания сертификат в /etc:
root@debian:~# cp ~globus/hostsigned.pem /etc/grid-security/hostcert.pem
Сертификата за хоста, както и ключа са притежание на потребителя root и ще бъдат използвани от GridFTP сървъра. Тъй като контейнера с уеб услуги работи с потребители различни от root се нуждаем от сертификат притежаван от потребителя globus. В крайна сметка, необходими са ни един сертификат/ключ за хоста притежавани от потребителя root и един сертификат/ключ за хоста притежавани от потребителя globus. Това може да се постигне с копиране на файловете:
root@debian:/etc/grid-security# cp hostcert.pem containercert.pem
root@debian:/etc/grid-security# cp hostkey.pem containerkey.pem
root@debian:/etc/grid-security# chown globus:globus container*.pem
root@debian:/etc/grid-security# ls -l *.pem
-r-------- 1 globus globus 887 2009-12-15 07:48 containerkey.pem
-rw-r--r-- 1 globus globus 2710 2009-12-15 07:48 containercert.pem
-rw-r--r-- 1 root root 2710 2009-12-15 07:47 hostcert.pem
-rw-r--r-- 1 root root 1404 2009-12-15 07:40 hostcert_request.pem
-r-------- 1 root root 887 2009-12-15 07:40 hostkey.pem
Сега ще вземем сертификат за потребителя user:
debian % setenv GLOBUS_LOCATION /usr/local/globus-4.0.8/
debian % source $GLOBUS_LOCATION/etc/globus-user-env.csh
debian % grid-cert-request
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.
Generating a 1024 bit RSA private key
.........................................................++++++
.........................++++++
unable to write 'random state'
writing new private key to '/home/bacon/.globus/userkey.pem'
Enter PEM pass phrase: ****
Verifying - Enter PEM pass phrase: ****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
-----
Level 0 Organization [Grid]:
Level 0 Organizational Unit [GlobusTest]:
Level 1 Organizational Unit [debian.tu-varna.bg]:
Level 2 Organizational Unit [tu-varna.bg]:
Name (e.g., John M. Smith) []:
A private key and a certificate request has been generated with the subject:
/O=Grid/OU=GlobusTest/OU=debian.tu-varna.bg/OU=tu-varna.bg/CN=User
If the CN=User is not appropriate, rerun this
script with the -force -cn "Common Name" options.
Your private key is stored in /home/user/.globus/userkey.pem
Your request is stored in /home/user/.globus/usercert_request.pem
Please e-mail the request to the Globus Simple CA user@debian
You may use a command similar to the following:
cat /home/user/.globus/usercert_request.pem | mail user@debian
Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at user@debian
Необходимо е тази заявка за сертификат да достигне до потребителя globus за да може да бъде подписана. Тъй като потребителя user се намира на същата машина просто копираме заявката в съответната директория на потребителя globus и след това изпълняваме следната команда:
globus@debian:~$ grid-ca-sign -in request.pem -out signed.pem
To sign the request
please enter the password for the CA key: ******
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem
globus@debian:~$ cat signed.pem | mail user@debian
След като сертификата е подписан е необходимо отново да се копира в съответната директория на потребителя user:
deian % cp signed.pem ~/.globus/usercert.pem
debian % ls -l ~/.globus/
total 12
-rw-r--r-- 1 bacon globdev 895 2005-11-15 07:57 usercert.pem
-rw-r--r-- 1 bacon globdev 1426 2005-11-15 07:51 usercert_request.pem
-r-------- 1 bacon globdev 963 2005-11-15 07:51 userkey.pem
Последната ни стъпка на този етап ще бъде да създадем grid-mapfile от името на потребителя root, като този файл ще служи за упълномощаване:
рoot@debian:/etc/grid-security# pico /etc/grid-security/grid-mapfile
root@debian:/etc/grid-security# cat /etc/grid-security/grid-mapfile
"/O=Grid/OU=GlobusTest/OU=debian.tu-varna.bg/OU=tu-varna.bg/CN=User" user
Трябва да знаем, че потребителят globus не се нуждае от сертификат. Това е сервизен потребител, който използваме за да управляваме GLOBUS_LOCATION. Когато стартира контейнера с услуги, потребителя globus ще използва сертификата на контейнера. Само реалните потребители се нуждаят от потребителски сертификати.
Сподели с приятели: |