Installing Globus and EDG services on DAS2 (fs2)

Follow this series of steps to install core Globus and EDG services on a DAS2 frontend (file server).
  1. Get all relevant RPMS from the repository. A snapshot of the full WP6 RPM repository (which is maintained on marianne.in2p3.fr) can be found in this directory and from the release-bundle overview. The directory contains all RPMS that were installed on fs2.das2.nikhef.nl to get the Grid software running. All files are collapsed into one directory.
  2. The RPMs in the repository are grouped into five sets:
    rpmlist-edg-security: EDG certification authorities
    rpmlist-external-core-perl: Perl5 modules needed to run the EDG utilities
    rpmlist-edg-wp6-utils: EDG WP6 utilities to generate grid-mapfiles and CRL updates
    rpmlist-globus2-beta21: Globus 2.0 EDG-beta-21
    rpmlist-globus2-beta21-edgconfig: EDG Globus configuration tools and globus.conf
    These rpmlists can also be found in the repository directory.
  3. Install the RPM sets in the following order:
    rpmlist-external-perl-core
    rpmlist-globus2-beta21
    rpmlist-globus2-beta21-edgconfig
    rpmlist-edg-security
    rpmlist-edg-wp6-utils
    
    If you are installing these on a "plain" RedHat 7.2 system, you will also need the "old" ncurses rpm (ncurses4-5.0-5.i386.rpm).
  4. If you want to build Globus-based applications on this system using the makefile generator provided by GPT, also install the GPT rpm (i386 and source).
  5. Create a directory /etc/grid-security if it does not already exist.
    cd /etc
    mkdir grid-security
    chown root:root grid-security
    mkdir grid-security/certificates
    chown root:root grid-security/certificates
    
  6. Create the compatibility signing-policy file for Globus 1.1.3. This has to be done every time a CA policy changes or a new CA RPM is added:
    cd /etc/grid-security/certificates
    cat *signing_policy > ca-signing-policy.conf
    
  7. Generate a directory for leased accounts. This directory has to be global within the administrative domain in which the leased accounts are used. If you have multiple front-end nodes, you must export this directory using NFS:
    mkdir /etc/grid-security/gridmapdir
    chown root:root /etc/grid-security/gridmapdir
    
    and generate empty files named after all your leased accounts. E.g. if you would have accounts "test001", "test002",...,"test020", you should do:
    cd /etc/grid-security/gridmapdir
    touch test001
    touch test002
    ...
    touch test020
    
    or something a bit more clever (make a script).
  8. Configure your mkgridmap utility. The configuration file is at /opt/edg/etc/mkgridmap.conf. Please modify the example provided for your own administrative domain. To test it, add the relevant PERL modules to your path and run mkgridmap:
    export PERL5LIB=/usr/lib/perl5/site_perl/5.005/i386-linux:/usr/lib/perl5/site_perl/5.005
    /opt/edg/sbin/mkgridmap
    
    If you are happy with this service, add the PERL environment to /etc/rc.d/init.d/edg-gridmapfile-upgraded.
  9. If you have "local" users to add to your grid-mapfile, do so in mkgridmap.conf using the gmf_local directive. Also configure any VO groups that you want to give access to your resources. If you use the AUTO login-name generation, names will be the concatenation of all initials in the user's certificate subject, followed by the complete surname. So, "David Groep" will be local user "dgroep". This behaviour can be modified in the "subject2user" script.
  10. Add the perl line also to the top in /etc/rc.d/init.d/edg-crl-upgraded. This script will periodically retrieve the latest CRLs from the CA repositories.
  11. Make sure your system clock is synchronized with the rest of the world, preferably using (x)ntpd. Pick a local, reliable time server and run:
    ntpdate -u timehost.mydomain
    date
    cat /etc/sysconfig/clock
    hwclock --systohc [--utc]
    
  12. Acquire a host certificate for your gatekeeper and GridFTP service. The subject name (DN) should be something like O=dutchgrid, O=hosts, OU=nikhef.nl, CN=fs2.das2.nikhef.nl. Go to the DutchGrid CA site at http://certificate.nikhef.nl/userhelp.html and request a "host" certificate appropriate for your domain. Please follow the instructions there about requesting a cert, mailing the request and submitting to authorization of your request. The private key you generate must be kept secure, so immediately set its mode to 400 and its ownership to root if it is not like that already.
    After authentication, you will receive a signed host certificate. You put both key (mode 400) and host cert (mode 444) in the directory /opt/globus/etc/, named "hostkey.pem" and "hostcert.pem". Then, make symlinks from the /etc/grid-security directory:
    cd /etc/grid-security
    ln -s /opt/globus/etc/hostcert.pem
    ln -s /opt/globus/etc/hostkey.pem
    
  13. Configure your Globus install using /etc/globus.conf. The template for this file is already on your system and can be found at /opt/globus/share/doc/globus.conf.template. The main entries required for a full globus service (gatekeeper, GridFTP, MDS/GIS) are in this example. Modify at least the following variables to reflect your local situation:
    GLOBUS_HOST_DN="hn=fs2.das2.nikhef.nl, dc=das2, dc=nikhef, dc=nl, o=Grid"
    GLOBUS_ORG_DN="dc=das2, dc=nikhef, dc=nl, o=Grid"
    
    Remember that a local user called "globus" must exist; the MDS services will be run by this user.
    You will be configuring a "fork" and "pbs" job manager, a gsi-wuftpd GridFTP service and a GRIS service registering (anonymously) to the central GIIS at fs2.das2.nikhef.nl.
  14. Add the Globus and EDG services to the system startup sequence:
    chkconfig globus-mds on
    chkconfig globus-gatekeeper on
    chkconfig globus-gsi_wuftpd on
    chkconfig edg-gridmapfile-upgraded on
    chkconfig edg-crl-upgraded on
    
    and start all these services from /etc/rc.d/init.d/....
  15. Test the setup from a remote system using your own grid credentials. Add your subjectname to the grid-mapfile if necessary for testing.
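
The script below is an added example, not part of the original guide: it creates the leased-account files from step 7 and audits the security-relevant results of steps 5, 6, 7 and 12 (directories present, host key mode 400 and root-owned, host certificate mode 444, ca-signing-policy.conf not older than any CA signing_policy file). The function names and the ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names and the ROOT
# prefix are hypothetical; pass ROOT="" to audit the live system as root.

# make_pool DIR PREFIX COUNT: create empty lease files PREFIX001..PREFIXnnn (step 7).
make_pool() {
    i=1
    while [ "$i" -le "$3" ]; do
        touch "$1/$(printf '%s%03d' "$2" "$i")"
        i=$((i + 1))
    done
}

# True if FILE ($1) has exactly the permission bits MODE ($2).
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }
# True if FILE ($1) belongs to user OWNER ($2, name or numeric uid).
owned_by() { [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]; }

# audit_grid_security ROOT [OWNER]: print findings; exit status is their count.
audit_grid_security() {
    root=$1 owner=${2:-root} n=0
    gs=$root/etc/grid-security
    certs=$gs/certificates
    key=$root/opt/globus/etc/hostkey.pem
    cert=$root/opt/globus/etc/hostcert.pem
    conf=$certs/ca-signing-policy.conf
    for d in "$gs" "$certs" "$gs/gridmapdir"; do        # steps 5 and 7
        [ -d "$d" ] || { echo "missing directory: $d"; n=$((n + 1)); }
    done
    # Step 12: private key readable by its owner only, and owned by root.
    { has_mode "$key" 400 && owned_by "$key" "$owner"; } ||
        { echo "$key: want mode 400, owner $owner"; n=$((n + 1)); }
    has_mode "$cert" 444 ||
        { echo "$cert: want mode 444"; n=$((n + 1)); }
    # Step 6: the concatenated file must be rebuilt after every CA change.
    if [ ! -f "$conf" ] ||
       [ -n "$(find "$certs" -name '*signing_policy' -newer "$conf" 2>/dev/null)" ]; then
        echo "$conf: missing or older than a CA signing_policy file"
        n=$((n + 1))
    fi
    return "$n"
}
```

Calling `make_pool /etc/grid-security/gridmapdir test 20` creates the twenty lease files from step 7, and `audit_grid_security ""` run as root checks the live paths.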
If you have problems when installing globus or have comments/suggestions regarding this quick-guide, please contact David Groep <gridadm@nikhef.nl>.