
Installing and deploying a GridFTP service (FNAL version)

This is a short step-by-step guide to installing and configuring GridFTP. Although specifically written for the FermiLab-NIKHEF test setup, it also contains information with general applicability. Hope you get some use out of it.

David Groep



  • unless a binary distribution is available to you, you must obtain the Globus sources and compile them. You need at least version 1.1.3b14-gsiftp-alpha4 from http://www.globus.org/gsiftp-alpha/release-alpha4.html Compile them for your platform of choice. You do not need to deploy Globus on your system, compiling the development libraries is sufficient.
    You can get pre-compiled binaries (courtesy of SARA) from https://certificate.nikhef.nl/misc/. You need not provide a user certificate, you'll get access anyway.
  • obtain the GSI-enhanced wu-ftpd server, available from http://www.globus.org/gsiftp-alpha/tools.html. You need at least version 0.5 of the wu-ftpd server (unless you installed the pre-compiled binaries).
  • setup the GSI for use with host services. This involves:

    • creating a directory "/etc/grid-security/", root:root, mode 755. (see also http://www.globus.org/security/v1.1/etc_grid_security.html)
    • request a certificate for the host that will run the server (see http://www.globus.org/security/v1.1/host_cert.html). Have this certificate signed by a Certification Authority (one of the CAs configured in your ca-signing-policy.conf), e.g. the new ESnet Grid CA or (for the time being) the Globus CA. Make all necessary symlinks, as stated on the Globus web page.
      An example of an /etc/grid-security directory is also available at https://certificate.nikhef.nl/misc/
      Your Subject DN should be like: "/O=Grid/O=Globus/CN=host/d0test.fnal.gov" if you want to get certified by the Globus CA (Doug Engert). This may take one or two days...
      Make sure your host key (userkey.pem, and the hostkey.pem symlink pointing to it) is owned by root and readable only by root (mode 400)! This is essential for system integrity!
    • inside this directory, creating a grid-mapfile to authorize users. The format is "subjectDN local_user_name". For example:
      "/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
      "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
      "/O=dutchgrid/O=users/O=nikhef/CN=Antony Antony" antony
      "/O=dutchgrid/O=users/O=nikhef/CN=Kors Bos" bosk
      "/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/Email=Piergiorgio.Cerello@to.infn.it" aliprod
      
      This file has to be owned by a trusted user (preferably root, although this is not required) and not writeable by anyone else. This is vital for system integrity!
    • create a directory "/etc/grid-security/certificates/", owned by a trusted user (e.g. root), holding the certificates of the trusted certification authorities. Configure at least the "NIKHEF medium-security CA" and "Globus". You can obtain the certificates directly from the CA web sites, or look in the NIKHEF certificates directory browsable at https://certificate.nikhef.nl/certificates/ (a user certificate is not required).
      The Globus cert is included as part of the Globus distribution (filename 42864e48.0); the NIKHEF medium-security cert is available from http://certificate.nikhef.nl/
      You have to periodically refresh the Certificate Revocation Lists (CRLs) distributed by the CAs. You can use the (perl) script provided at http://www.dutchgrid.nl/Admin/Getcerts.html for this.
    • Install your Globus-signed certificate (the one you got back from Doug by e-mail) in /etc/grid-security/usercert.pem and make the hostcert.pem symlink point to it. Have it owned by root, mode 444.

  • put all configuration files in place, and enable third-party transfers. For example in the "ftpaccess" file for gsiwuftpd:
    class   all   real *
    pasv-allow all 0.0.0.0/0
    
    limit   all   1   Any      /global/ices/toolset/etc/ftpmessage.dead
    
    readme  README*    login
    readme  README*    cwd=*
    
    message /welcome.msg            login
    message .message                cwd=*
    
    compress        yes             all
    tar             yes             all
    
    log commands real
    log transfers anonymous,real inbound,outbound
    log security real,anonymous
    log syslog+xferlog
    
    shutdown /etc/shutmsg
    email gridadm@nikhef.nl
    
  • After you install your (Globus-signed) host certificate, run the gsi-wu-ftpd-0.5 server *as root*. Do not run it as an ordinary user, since in that case the host certificate and key cannot be read.
    gsi-wu-ftpd-0.5  -l -a -d -v -S -p 2811 -i -o
    
  • check that the daemon is listening on port 2811. If you have a personal certificate from Globus, and you put yourself in the /etc/grid-security/grid-mapfile, try to connect to your server using gsincftp.
    The URL is "gsiftp://d0test.fnal.gov/........".
  • If you have any questions, please contact me directly at davidg@nikhef.nl
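The two "vital for system integrity" rules above (host key root-owned and mode 400, grid-mapfile not writable by others) and the grid-mapfile lookup are easy to get wrong by hand. The following script, an added example that is not part of the original guide or of the Globus distribution, checks the layout and resolves a subject DN to the local account; it builds a constructed sample directory (with a placeholder key owned by the current user) so it runs without touching /etc/grid-security.

```shell
#!/bin/sh
# Added example (not from the original guide): check an /etc/grid-security
# layout and resolve a subject DN through the grid-mapfile.

# Print the local account that grid-mapfile $1 maps subject DN $2 to.
# Returns 1 when the DN is not mapped (the server would reject the user).
gridmap_lookup() {
    awk -v dn="$2" '
        /^[[:space:]]*#/ { next }                      # comment line
        NF == 0          { next }                      # blank line
        {
            line = $0
            sub(/^[[:space:]]*"/, "", line)            # strip the opening quote
            i = index(line, "\"")                      # closing quote ends the DN
            if (i == 0) next                           # malformed line: skip it
            subj = substr(line, 1, i - 1)
            user = substr(line, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", user)
            if (subj == dn) { print user; found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Verify the guide's two integrity rules for directory $1:
#  - hostkey.pem (following the symlink) is owned by $2 (default root), mode 400
#  - grid-mapfile is not writable by group or others
# Returns 0 when both hold, 1 otherwise; complaints go to stderr.
check_grid_security() {
    gs_dir=$1; key_owner=${2:-root}; gs_rc=0
    if [ -z "$(find -L "$gs_dir/hostkey.pem" -prune -user "$key_owner" -perm 400 -print 2>/dev/null)" ]; then
        echo "FAIL: $gs_dir/hostkey.pem must be owned by $key_owner, mode 400" >&2; gs_rc=1
    fi
    if [ -n "$(find "$gs_dir/grid-mapfile" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]; then
        echo "FAIL: $gs_dir/grid-mapfile is group/world writable" >&2; gs_rc=1
    fi
    return $gs_rc
}

# Constructed sample layout in a temp dir (the real one is /etc/grid-security).
# The key owner is the current user here; on a real host omit the second
# argument so the check insists on root.
DEMO_DIR=$(mktemp -d)
printf '%s\n' '# constructed grid-mapfile' \
    '"/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg' \
    '"/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/Email=Piergiorgio.Cerello@to.infn.it" aliprod' \
    > "$DEMO_DIR/grid-mapfile"
chmod 644 "$DEMO_DIR/grid-mapfile"
printf '%s\n' 'PLACEHOLDER - not a real private key' > "$DEMO_DIR/userkey.pem"
chmod 400 "$DEMO_DIR/userkey.pem"
ln -s userkey.pem "$DEMO_DIR/hostkey.pem"

check_grid_security "$DEMO_DIR" "$(id -un)" && echo "layout OK"
gridmap_lookup "$DEMO_DIR/grid-mapfile" "/O=dutchgrid/O=users/O=nikhef/CN=David Groep"   # davidg
```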

Comments to David Groep