This file contains brief information on obtaining certificates for the Globus system (http://www.globus.org). Information about using Gloubs in High Energy Physics experiments can be found at http://dbserv.pnpi.spb.ru/RRCF/. Acquiring a Certificate for Globus Users For working with Globus you will need to acquire a certificate from an authorized organization. If you don't know of such an organization, then you may be able to get a free "low quality" (testing) certificate from the authors of the Globus System (see http://gcs.globus.org:8080/gcs) or use the Globus Simple Certificate Authority (Simple CA), which is included in this distribution, as recommended by the authors of Globus. If you want to use the Simple CA by default, then you should take the following actions: As the user you should execute the script: $GLOBUS_LOCATION/setup/globus/setup-simple-ca In the directory /home/globus the subdirectory .globus/simpleCA is created. The owner of SimpleCA will be the user . Next you should run this script as root: $GLOBUS_LOCATION/setup/globus_simple_ca_[CA-Hash]_setup/setup-gsi -default Where CA-Hash is provided by the previous script. This will create the directory /etc/grid-securuty/certificates. Creating of a Certificate Host ------------------------------ As root run this command: grid-cert-request -host Then as user run: grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem hostsigned.pem will be created in the current directory, i.e. /home/globus Then as root run: mv hostsigned.pem /etc/grid-security/hostcert.pem Creating a User Certificate --------------------------------- As user , run the command: grid-cert-request The directory /home//.globus will be created, with the files: usercert_request.pem usercert.pem You will be asked to supply a password to give you access to the systems. The password may be non-trivial and included spaces. For example, the password could be the following phrase: Linux will dominate the world. Now you will need to send the file usercert_request.pem from the user to globus: mail globus@domain -a $HOME/.globus/usercert_request.pem Upon receiving this request, the user should run the following command: grid-ca-sign -in usercert_request.pem -out signed.pem and send back the file signed.pem to the user. The user needs to place this certificate in his home directory in the directory .globus: cp signed.pem $HOME/.globus/usercert.pem Then the user should test the certificate with this command: grid-proxy-init -debug -verify As superuser, root should execute this command: $GLOBUS_LOCATION/bin/setperms.sh As root create the file /etc/grid-security/grid-mapfile, which should contain a line of this type: "content" Where content is the information given by the command grid-cert-info -subject which should be run as . Then, as root run the following scripts: $GLOBUS_LOCATION/setup/globus/setup-globus-gaa-authz-callout $GLOBUS_LOCATION/setup/globus/setup-globus-gram-job-manager Testing the Installation ------------------------ Testing GRAM Through the Command Line ------------------------------------- As run these commands: grid-proxy-init globus-personal-gatekeeper -start The second command should resturn a line that looks like this: ":4589:/O=Grid/O=Globus/CN=Your Name" or, if you are using Simple CA, like this: ":32817:/O=Grid/OU=GlobusTest/OU=simpleCA-hostname/OU=domain/CN=Your Name" Put his line in the command in place of "": globusrun -o -r "" '&(executable=/bin/date)' You should see the date and time. At this point you get a working personal proxy and gatekeeper. Testing fork and sge (Sun Grid Engine) Managers using MMJFS As user globus run: cd $GLOBUS_LOCATION globus-start-container To test the fork manager as run: grid-proxy-init cd $GLOBUS_LOCATION managed-job-globusrun -factory \ http://:8080/ogsa/services/base/gram/MasterForkManagedJobFactoryService \ -file schema/base/gram/examples/test.xml You should see some messages like: WAITING FOR JOB TO FINISH Job Status: Active Job Status: Done For testing the sge manager, it is necessary that SGE has been installed and configured. You need to add this line to the file /etc/services: sge_commd port/tcp # Sun Grid Engine where "port" is the number of the port that SGE uses. As user run these commands: grid-proxy-init (if it's not already running) cd $GLOBUS_LOCATION managed-job-globusrun -factory \ http://:8080/ogsa/services/base/gram/MasterSGEManagedJobFactoryService \ -file schema/base/gram/examples/test.xml You should see the same kind of messages, as with the fork manager. Testing OSGA Service Data Browser GUI ----------------------------------------- As user run: cd $GLOBUS_LOCATION bin/globus-start-container As user run: cd $GLOBUS_LOCATION bin/globus-sdb The Service Data Browser window will appear, and in it a frame where you will see the current list of services. Conclusion The Globus system is developing quite quickly. As a result on the site http://www.globus.org updates appear frequently. So follow the news. For further configure of GT 3.2 this page is useful: http://www-unix.globus.org/toolkit/docs/3.2/index.html