@ extreme.indiana.edu
Globus Sysadmin's Guide

Installed Versions

1.1.3
2.0beta
2.0
2.0-callback_spaces
2.2

We are maintaining versions 2.0 and 2.2 of Globus. Older clients are still available, but all servers are running version 2.2.

Note: the 2.0-callback_spaces version is for the GrADS testbed and contains patches to enable Autopilot to work with Globus.

Documentation

Certificate Management

There are currently 2 sets of Globus CA-signed certificates for each extreme machine. One is the host certificate, which is used by GRAM and GridFTP, and the other is an ldap service certificate, which is used by MDS. The host certificates are installed in the /etc/grid-security directory as host[cert,key].pem and the ldap certificates are installed in /etc/grid-security/ldap as ldap[cert,key].pem. These certificates must be owned by root, and the permissions on the keys must be owner read-only.

Since /etc/grid-security is not a directory that is backed up on tape, copies of the certificates are stored in the globus account under ~globus/Admin/machines, under the machine name. These should be considered the master copies, so that we can recover the certificates in the case of disk crashes.

Each certificate is valid for only a year. A month or so before expiration, the Globus CA will send you a notice that you need to run grid-cert-request to renew the certificate. Enclosed in the message is a challenge string, which you'll need when renewing the certificate. Examples of running grid-cert-request are below:

    sudo grid-cert-renew -oldcert hostcert.pem -oldkey hostkey.pem -newkey newkey.pem -newcertreq newreq.pem -nopassphrase

    sudo grid-cert-renew -oldcert ldapcert.pem -oldkey ldapkey.pem -newkey newldapkey.pem -newcertreq newldapreq.pem -nopassphrase

You'll need to mail the renewal cert requests (in the examples above, newreq.pem or newldapreq.pem) to ca@globus.org. Within a couple of days, they'll send you the signed certificate.

Update the new certificate/key pair in the globus account, e.g.

    mv newkey.pem hostkey.pem; mv <signed cert> hostcert.pem

or

    mv newldapkey.pem ldapkey.pem; mv <signed cert> ldapcert.pem

Then similarly update the certs in the machine's /etc/grid-security directory.

Restarting MDS server

To restart a GIIS/GRIS on a host, execute (from that host):

    sudo /etc/init.d/rc.host restart gris

CA Installs

You should get a gpt bundle from the CA you wish to install.

    $GPT_LOCATION/sbin/globus-build -force -install-only <ca bundle> <any flavor>

It can be any flavor because these are just shell scripts.

Install Pages
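A check for the Certificate Management rules above (root ownership, owner read-only keys, renewal about a month before expiry, master copies kept in the globus account), added here as an example and not part of the original guide. Because the renewal commands use -nopassphrase, ownership and mode are what protect the private keys. It assumes GNU stat and openssl are available; the 30-day window, the flat MASTER_DIR layout and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: audit the certificate/key pairs described above.
# Assumptions (not from the guide): GNU stat, openssl on PATH, a 30-day
# warning window, and a flat master directory passed in MASTER_DIR.
GRID_DIR=${GRID_DIR:-/etc/grid-security}
MASTER_DIR=${MASTER_DIR:-}       # e.g. ~globus/Admin/machines/<machine name>
OWNER_UID=${OWNER_UID:-0}        # root
WARN_DAYS=${WARN_DAYS:-30}

# check_key FILE: must exist, be owned by root, and be mode 400 (owner read-only).
check_key() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    st=$(stat -c '%u %a' "$1")
    [ "$st" = "$OWNER_UID 400" ] && return 0
    echo "BAD-PERMS $1 (uid/mode $st, want $OWNER_UID 400)"; return 1
}

# check_cert FILE: must exist, be owned by root, and stay valid past WARN_DAYS.
check_cert() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    [ "$(stat -c '%u' "$1")" = "$OWNER_UID" ] || { echo "BAD-OWNER $1"; return 1; }
    openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1 && return 0
    echo "RENEW-SOON-OR-UNREADABLE $1"; return 1
}

# check_master FILE: deployed file must be byte-identical to the master copy.
check_master() {
    [ -n "$MASTER_DIR" ] || return 0          # comparison is optional
    cmp -s "$1" "$MASTER_DIR/$(basename "$1")" && return 0
    echo "DIFFERS-FROM-MASTER $1"; return 1
}

# audit_grid_certs: run every check; the return status is the failure count.
audit_grid_certs() {
    fails=0
    for c in "$GRID_DIR/hostcert.pem" "$GRID_DIR/ldap/ldapcert.pem"; do
        check_cert "$c" || fails=$((fails + 1))
    done
    for k in "$GRID_DIR/hostkey.pem" "$GRID_DIR/ldap/ldapkey.pem"; do
        check_key "$k" || fails=$((fails + 1))
    done
    for f in hostcert.pem hostkey.pem ldap/ldapcert.pem ldap/ldapkey.pem; do
        check_master "$GRID_DIR/$f" || fails=$((fails + 1))
    done
    return "$fails"
}

# Run as root with "run" as the first argument; otherwise only define functions.
case "${1:-}" in run) audit_grid_certs ;; esac
```

Running it from cron well inside the one-year validity period gives a second warning besides the CA's renewal notice, and a DIFFERS-FROM-MASTER line after a renewal means one of the two locations was not updated.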