GT3 Configuration

Security Configuration

If you already have GT2 certificates and have /etc/grid-security configured, you may skip this step.

You can use an existing CA, create a SimpleCA, or use an online certificate service:

  1. An existing CA: This is the most secure option. If you have a CA available to you, it will most likely have its own web page with instructions on how to use it. After you have acquired a host certificate and a user certificate, you may continue with the configuration.
  2. SimpleCA: After the install-gt3 step, the SimpleCA package is installed but not configured. You may follow the instructions at the SimpleCA page. Briefly, you will run $GLOBUS_LOCATION/setup/globus/setup-simple-ca. It creates a new CA for you and installs it in $HOME/.globus/simpleCA. Then you can use the grid-cert-request program and the grid-ca-sign program to request and sign user and host certificates.
  3. GCS: The online certificate service may be used to generate low-quality certificates if necessary.

MMJFS Configuration

  1. After you have host certificates, run install-gt3-mmjfs /path/to/install in the installer directory.
  2. After installing MMJFS, go to /path/to/install/bin and run setperms.sh as root. This sets up the two setuid binaries (launch_uhe_setuid and globus-grim) required by the GT3 GRAM service. It is important that the account under which you plan to run the GRAM master managed job factory is a member of the group that owns the launch_uhe_setuid program. This group defaults to the default group of the installing user and should only contain privileged members.
  3. With the server configuration and setuid in place, we need to add authorizations for who will be allowed to submit jobs.
  4. First, create a /etc/grid-security/grid-mapfile. The syntax is to have one line per user, with the certificate subject followed by the user account name, like the following:
    "/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" bacon
  5. Now that users can authorize to your server, it's time to start it up. You don't have to specify -p if you want 8080, but you can specify an alternate port if you need to.
  6. With the container running, a client can submit a job.
  7. Note that etc/test.xml may output to both ~/stdout and ~/stderr. A successful run will append a line to the stdout file.
  8. In order to stop the container, issue the following command in another terminal window, as the user who started the container. This will have the effect of issuing a controlled stop command.
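
The grid-mapfile from step 4 decides which certificate subjects may run jobs as which local account, so it is worth checking before the container is started. The following linter is an added example, not part of the original page or of the Globus Toolkit. It enforces the one-subject, one-account form described above; the function name, the sample entries other than the first, the treatment of '#' lines as comments, and the policy of flagging mappings to root are assumptions of this example.

```python
import shlex

# Constructed sample: only the first entry comes from the page.
SAMPLE = '''\
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" bacon
/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Jane Example jane
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Ops Example" root
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" guest
'''


def lint_gridmap(text, privileged=("root",)):
    """Return (mappings, problems); problems are (line_number, message)."""
    mappings, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        try:
            fields = shlex.split(line)  # honours the double-quoted subject
        except ValueError as exc:  # e.g. an unterminated quote
            problems.append((n, f"unparseable: {exc}"))
            continue
        if len(fields) != 2 or not fields[0].startswith("/"):
            # An unquoted subject containing spaces splits into extra fields.
            problems.append((n, "expected \"<subject>\" <account>"))
            continue
        subject, account = fields
        if account in privileged:
            problems.append((n, f"subject mapped to privileged account {account}"))
        if subject in mappings:
            problems.append((n, f"duplicate subject, already mapped to {mappings[subject]}"))
            continue
        mappings[subject] = account
    return mappings, problems


if __name__ == "__main__":
    _, found = lint_gridmap(SAMPLE)
    for lineno, message in found:
        print(f"line {lineno}: {message}")
```

To check a real file, pass the contents of /etc/grid-security/grid-mapfile to lint_gridmap in place of the sample.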

For support, please see the Support Page

Charles Bacon
Last modified: Sun Feb 15 16:28:05 CDT 2004