![[Go to Home]](/images/dutchgrid-logo-min.gif){kind=logo}
DutchGrid ConfigurationGlobus 2.0
Globus 1.1.x
Configuring the local globus system for DutchGrid
Adding your system to the DutchGrid consists of the following steps (for Globus 1.1.3 and its derivates):- Compile and install Globus:
- If you plan to run Globus 1.1.3, 1.1.4 or one of the gsi-alpha version of 1.1.3, look here for installation instructions.
- If you want to install Globus-2.0 with the EDG patches (for flexible authorization support, leased accounts, etc.), see the install guide for DAS2 systems.
- Directing GIIS registration to "giishost.nikhef.nl" on port 30001 (only for 1.1.3 derivatives)
- Setting up your grid security config to contact "ca@nikhef.nl" and making the user and host base DN conforming to DutchGrid CA policy standards
- Possibly patching $GLOBUS_INSTALL_PATH/etc/grid-security.conf for a typo
- Setting up the "share/certificates" directory in both the instllation and in all deploy directories
Directing GIIS registration
Modify the file $GLOBUS_INSTALL_PATH/etc/grid-info.conf such that the top part reads:... # These values are set by globus-setup SETUP_GRID_INFO_MODEL="MDS_SITE_INDEX" SETUP_GRID_INFO_HOST="giishost.nikhef.nl" SETUP_GRID_INFO_PORT="30001" SETUP_GRID_INFO_BASEDN="" SETUP_GRID_INFO_ORGANIZATION_DN="dc=YOUR_ORGNAME, dc=nl, o=Grid" SETUP_GRID_INFO_ORGANIZATION_ADMIN_DN="" ...Where YOUR_ORGNAME is something like "amolf", "knmi", "telin", etc.
Setting up your grid security
In $GLOBUS_INSTALL_PATH/etc/grid-security.conf, modify the top part to:... # These values are set by globus-setup SETUP_GSI_HOST_BASE_DN="ou=YOUR_ORG_DNS_DOMAINNAME, o=hosts, o=dutchgrid" SETUP_GSI_USER_BASE_DN="o=YOUR_ORG_NAME, o=users, o=dutchgrid" SETUP_GSI_CA_NAME="NIKHEF medium-security X.509 CA" SETUP_GSI_CA_EMAIL_ADDR="ca@nikhef.nl" ...and look at the bottom of the script for the line reading:
# CA Email address for the organization
GSI_CA_EMAIL_ADDR="${SETUP_GSI_CA_EMAIL_ADDR:-${DEFAULT_GSI_CA_EMAIL_ADDR}}"
and make sure that the second variable name (SETUP_GSI_CA_EMAIL_ADDR)
indeed is spelled exectly as shown, including the "_CA_"!
YOUR_ORG_DNS_DOMAINNAME: someting like nikhef.nl,
wins.uva.nl, etc.
YOUR_ORG_NAME: for example nikhef, amolf, ...
Setting up the "share/certificates" directory
The script provided on the DutchGrid website as GetCerts-20010612 can be used to automatically install and configure the share/certificates direcotry for use with all DataGrid CA's. You can run it nightly from cron, as specified in the documentation.
To initialize your directory, run:
perl ./getcerts.pl --certdir $GLOBUS_INSTALL_PATH/share/certificates \
--config ./certs.cf --now
Please verify all ca certs by comparing them to the ones at
the original web sites and to marianne.in2p3.fr (the DataGrid WP6 site).
You can re-obtain the cert of a specific CA by using the "--reloadcerts"
option.
My crontab script reads:
perl $HOME/bin/getcerts.pl \
--certdir /global/globus/share/certificates \
--config /user/gridadm/bin/certs.cf
And at NIKHEF, all machines share the same certificates directory by
having $DEPLOY_DIR/share/certificates being a symlink to
the install certificates directory (being "/global/globus/share/certificates").
Certificates
For use on DutchGrid, you will need a certificate (a electronic file containing a digitally signed copy of the public key pertaining to your keypair) signed by a DataGrid CA. And if you are based in the Netherlands, the DutchGrid/NIKHEF CA should be contacted. Provided you configured Globus as detailed above, the grid-cert-request program will suggest mailing your certificate request to "ca@nikhef.nl". You can also use the build-a-request form on the DutchGrid CA web.Do not mail your request to ca@globus.org, since Globus certs will not be valid on the EU-DataGrid! See the DutchGrid CA site for the signing policy and procedures. ... And protect your private key at all times!
Getting in the TestBed Overview pages
Send me a mail with your host name(s). If you have any specific news to announce on the "Hot News" page, you can mail it to that address as well.Comments to David Groep