GT3 Configuration
Security Configuration
If you already have GT2 certificates and have /etc/grid-security
configured, you may skip this step.
You can use an existing CA, create a SimpleCA, or use an online
certificate service:
- An existing CA: This is the most secure option. If you
have a CA available to you, it will most likely have its own web page
with instructions on how to use it. After you have acquired a host
certificate and a user certificate, you may continue with the
configuration.
- SimpleCA: After the install-gt3 step, the SimpleCA package
is installed but not configured. You may follow the instructions at
the SimpleCA page. Briefly, you will run
$GLOBUS_LOCATION/setup/globus/setup-simple-ca. It will create a new
CA for you and install it to $HOME/.globus/simpleCA. Then you can
use the grid-cert-request program and the grid-ca-sign program to
request and sign user and host certificates.
- GCS: The online certificate service may be used to generate
low-quality certificates if necessary.
MMJFS Configuration
- After you have host certificates, run
install-gt3-mmjfs /path/to/install
in the installer directory.
- After installing MMJFS, go to /path/to/install/bin and run setperms.sh
as root. This sets up
the two setuid binaries (launch_uhe_setuid and globus-grim)
required by the GT3 GRAM service. It is important that the
account under which you plan to run the GRAM master managed job
factory is a member of the group that owns the launch_uhe_setuid
program. This group defaults to the default group of the
installing user and should only contain privileged members.
- With the server configuration and setuid in place, we need to add
authorizations for who will be allowed to submit jobs.
- First, create a /etc/grid-security/grid-mapfile. The syntax is to
have one line per user, with the certificate subject followed by the
user account name, like the following:
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" bacon
- Now that users can authorize to your server, it's time to start it
up. You don't have to specify -p if you want 8080, but
you can specify an alternate port if you need to.
globus$ export GLOBUS_LOCATION=`pwd`
globus$ bin/globus-start-container -p 8080
- With the container running, a client can submit a job.
bacon$ grid-proxy-init
bacon$ bin/managed-job-globusrun -factory http://140.221.57.75:8080/ogsa/services/base/gram/MasterForkManagedJobFactoryService \
    -file etc/test.xml
- Note: your -factory URI will be different, including your
own IP address and port. You can see the list of services
in the output of globus-start-container. If you do not see
MasterForkManagedJobFactoryService, you might have skipped
install-gt3-mmjfs.
- Note that etc/test.xml may output to both ~/stdout and
~/stderr. A successful run will append a line to the stdout file.
- In order to stop the container, issue the
following command in another terminal window, as the user who started the
container. These will have the effect of issuing a controlled
stop command.
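
Returning to the grid-mapfile step above, here is an added example (not part of the original GT3 documentation or of Globus itself): a small Python check that parses the one-entry-per-line syntax described there and reports malformed lines, duplicate subjects and mappings to a privileged account, plus a test for a file that is writable by group or others. The PRIVILEGED set, the skipping of blank and '#' lines, and every sample entry except the first are assumptions made for illustration.

```python
import os
import re
import stat

# Syntax as described on this page: a double-quoted certificate subject,
# whitespace, then one local account name. Other forms are reported as malformed.
ENTRY = re.compile(r'^"(?P<dn>/[^"]+)"\s+(?P<user>[A-Za-z_][A-Za-z0-9_.-]*)$')
PRIVILEGED = {"root"}  # assumption: accounts that should never receive grid jobs

# Constructed sample; only the first line comes from the page.
SAMPLE = '''\
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" bacon
/O=Grid/O=Example/CN=Unquoted Name alice
"/O=Grid/O=Example/CN=Build Host" root
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" carol
'''

def lint_gridmap(text):
    """Return (mappings, problems); problems is a list of (line number, message)."""
    mappings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: blanks/comments are skipped
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((lineno, 'malformed entry, expected "subject" account'))
            continue
        dn, user = m.group("dn"), m.group("user")
        if dn in mappings:
            problems.append((lineno, f"duplicate subject, already mapped to {mappings[dn]}"))
            continue
        if user in PRIVILEGED:
            problems.append((lineno, f"subject mapped to privileged account {user}"))
        mappings[dn] = user
    return mappings, problems

def writable_by_others(path):
    """True if anyone other than the owner can rewrite the authorization file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    for lineno, msg in lint_gridmap(SAMPLE)[1]:
        print(f"line {lineno}: {msg}")
```

To check a live host, pass the contents of /etc/grid-security/grid-mapfile to lint_gridmap and the path to writable_by_others.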
For support, please see the Support Page
Charles Bacon
Last modified: Sun Feb 15 16:28:05 CDT 2004