sysadmin
@
extreme.indiana.edu


Home
Machines
CSG
    Support
    Packages
Lab
    User's Guide
    Sysadmin's Guide
    Packages
Projects
    Portal
    LEAD
    Grid Info

Globus Sysadmin's Guide

Installed Versions

1.1.3

2.0beta

2.0

2.0-callback_spaces

2.2

We are maintaining version 2.0 and 2.2 of Globus. Older clients are still available but all servers are running version 2.2. Note: the 2.0-callback_spaces version is for the GrADS testbed and contains patches to enable Autopilot to work with Globus.

Documentation

GT2 Admin Guide

Admin Tutorial

Certificate Management

There are currently 2 sets of Globus CA-signed certificates for each extreme machine. One is the host certificate which is used by GRAM and GridFTP and the other is a ldap service certificate which is used by MDS. The host certificates are installed in /etc/grid-security directory under host[cert,key].pem and the ldap certificates are installed in /etc/grid-security/ldap under ldap[cert,key].pem. These certificates must be owned by root and the permission on the keys must be owner read-only.

Since /etc/grid-security is not a directory that is backed up on tape, copies of certificates are stored under the globus account under ~globus/Admin/machines under the machine name. These should be considered the master copies so that we can recover the certificates in the case of disk crashes.

Each certificate is valid only for a year. So, a month or so before expiration, a notice will be sent to you from the Globus CA notifying you will need to run grid-cert-request to renew the certificate. Enclosed in the message is a challenge string which you'll need when renewing the certificate. Examples of running grid-cert-request are below:

sudo grid-cert-renew -oldcert hostcert.pem -oldkey hostkey.pem -newkey newkey.pem -newcertreq newreq.pem -nopassphrase

sudo grid-cert-renew -oldcert ldapcert.pem -oldkey ldapkey.pem -newkey newldapkey.pem -newcertreq newldapreq.pem -nopassphrase

You'll need to mail the renewal cert requests (in the examples above that would be newreq.pem or newldapreq.pem) to ca@globus.org. Within a couple of days, they'll send you the signed certificate. Update the new certificate/key pair in the globus account. E.g.

mv newkey.pem hostkey.pem; mv <signed cert> hostcert.pem

or

mv newldapkey.pem ldapkey.pem; mv <signed cert> ldapcert.pem

And then similarly update the certs in the machine's /etc/grid-security directory.

Restarting MDS server

To restart a GIIS/GRIS on a host, execute (from that host)

sudo /etc/init.d/rc.host restart gris

CA Installs

You should get a gpt bundle from the CA you wish to install.

$GPT_LOCATION/sbin/globus-build -force -install-only <ca bundle> <any flavor>

It can be any flavor because these are just shell scripts.

IU CA install

Install Pages

1.1.3

2.0beta

2.0

2.0-callback_spaces

2.2

Last updated 31 Mar 2006 by machrist@cs.indiana.edu