Chapter 6: Deploying The Globus Toolkit 4.0.x
Obtaining Credentials for Generic User
With the Globus Toolkit installed on nodeA and your CA files in place, you can now request a certificate for a generic user on nodeA. We will use 'jane' as the generic user account.
Begin by becoming user jane:
[root@nodeA i386]# su - jane
[jane@nodeA ~]$ whoami
jane
As usual, before running any Globus Toolkit commands the user needs to set up her environment:
[jane@nodeA ~]$ export GLOBUS_LOCATION=/opt/globus-4.0.1
[jane@nodeA ~]$ source $GLOBUS_LOCATION/etc/globus-user-env.sh
Note: I used a PEM pass phrase for jane that is the same as her Unix password: janeuser
Now run the 'grid-cert-request' script with no arguments to create a request for user jane. When prompted, enter the pass phrase that will protect user jane's private key:
[jane@nodeA ~]$ grid-cert-request
A certificate request and private key is being created. You will be asked to enter a PEM pass phrase. This pass phrase is akin to your account password, and is used to protect your key file. If you forget your pass phrase, you will need to obtain a new certificate.
Generating a 1024 bit RSA private key
........++++++
...........++++++
writing new private key to '/home/jane/.globus/userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value, if you enter '.', the field will be left blank.
Level 0 Organization [Grid]:
Level 0 Organizational Unit [GlobusTest]:
Level 1 Organizational Unit [ps.univa.com]:
Name (e.g., John M. Smith) []:
A private key and a certificate request has been generated with the subject:
/O=Grid/OU=GlobusTest/OU=ps.univa.com/CN=Jane User
If the CN=Jane User is not appropriate, rerun this script with the -force -cn "Common Name" options.
Your private key is stored in /home/jane/.globus/userkey.pem
Your request is stored in /home/jane/.globus/usercert_request.pem
Please e-mail the request to the Test01 root@nodeb.ps.univa.com
You may use a command similar to the following:
cat /home/jane/.globus/usercert_request.pem | mail root@nodeb.ps.univa.com
Only use the above if this machine can send AND receive e-mail. if not, please mail using some other method.
Your certificate will be mailed to you within two working days. If you receive no response, contact Test01 at root@nodeb.ps.univa.com
Ignore the instructions about e-mailing the certificate request. Instead, you will get the request signed directly on nodeB. First make sure the request was generated:
[jane@nodeA ~]$ ls -l .globus/usercert_request.pem
-rw-r--r-- 1 jane users 1346 Feb 23 10:41 .globus/usercert_request.pem
To sign the request we will copy it from nodeA to nodeB, sign it as user 'globus' (since globus owns the simpleCA), and then return the signed certificate to user jane's account.
Begin by going to nodeB and copying over the certificate request for user jane:
[globus@nodeB ~]$ cd .globus/simpleCA/
[globus@nodeB simpleCA]$ scp root@nodea:/home/jane/.globus/usercert_request.pem .
root@nodea's password:
usercert_request.pem 100% 1346 1.3KB/s 00:00
Now use the 'grid-ca-sign' command to sign the request. You will need to enter the pass phrase that protects the CA key (not the pass phrase for user jane's private key):
[globus@nodeB simpleCA]$ grid-ca-sign -in ./usercert_request.pem -out ./usercert.pem
To sign the request please enter the password for the CA key:
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem
With the certificate signed you can go back to nodeA and grab it from nodeB:
[jane@nodeA ~]$ scp root@nodeb:/home/globus/.globus/simpleCA/usercert.pem $HOME/.globus/usercert.pem
The authenticity of host 'nodeb (192.168.31.40)' can't be established.
RSA key fingerprint is 1d:ff:38:57:0d:70:f8:5d:5e:f2:26:4b:d3:49:d9:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nodeb,192.168.31.40' (RSA) to the list of known hosts.
root@nodeb's password:
usercert.pem 100% 2534 2.5KB/s 00:00
Check that user jane's certificate is owned by user jane and has the correct permissions (the certificate may be world-readable, as here; the private key userkey.pem must stay owned by jane with mode 0600, or Globus commands such as grid-proxy-init will refuse to use it):
[jane@nodeA ~]$ ls -alh .globus/usercert.pem
-rw-r--r-- 1 jane users 2.5K Feb 23 11:39 .globus/usercert.pem