Globus Toolkit Tutorial The Globus Consortium
 
 

Chapter 6: Deploying The Globus Toolkit 4.0.x

Creating a Certificate Authority

In this section we create a certificate authority. It is only necessary to create a certificate authority on one machine in your 'grid'. For the purposes of this tutorial we will use nodeB, though any of the Globus installations could be used, including a host that is not directly part of your grid; since this host will hold the CA's private key, a host that runs no grid services is the safer choice where you have one.

If you have not already set up your environment for the globus user, do that now:

export GLOBUS_LOCATION=/opt/globus-4.0.1
source $GLOBUS_LOCATION/etc/globus-user-env.sh

Now run the 'setup-simple-ca' command to begin the setup process. This is a short, menu-driven script; in the transcript below, the text you type appears after each prompt, and values in angle brackets (such as <MyOrganization>) are placeholders that you replace with your own:

Note that you will be prompted twice for a PEM pass phrase. This pass phrase encrypts the CA's private key (cakey.pem), and you will need it every time you sign a certificate request with this CA, so be sure to remember it.

[globus@nodeB gt4.0.1-all-source-installer]$ $GLOBUS_LOCATION/setup/globus/setup-simple-ca

WARNING: GPT_LOCATION not set, assuming:
GPT_LOCATION=/opt/globus-4.0.1

C e r t i f i c a t e A u t h o r i t y S e t u p

This script will setup a Certificate Authority for signing Globus users certificates. It will also generate a simple CA package that can be distributed to the users of the CA.

The CA information about the certificates it distributes will be kept in:

/home/globus/.globus/simpleCA/

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-nodeb.ps.univa.com, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:

n

Enter a unique subject name for this CA:

cn=<MyOrganization>,ou=ConsortiumTutorial,ou=GlobusTest,o=Grid

Replace <MyOrganization> with the name of your organization.

Enter the email of the CA (this is the email where certificate requests will be sent to be signed by the CA):

<MyEmailAddress>

Replace <MyEmailAddress> with your e-mail address. The value is only recorded in the CA's configuration as the address users are told to send certificate requests to, so a placeholder address will do for this tutorial.

The CA certificate has an expiration date. Keep in mind that once the CA certificate has expired, all the certificates signed by that CA become invalid. A CA should regenerate the CA certificate and start re-issuing ca-setup packages before the actual CA certificate expires. This can be done by re-running this setup script. Enter the number of DAYS the CA certificate should last before it expires.
[default: 5 years (1825 days)]:

Hit Return to accept default.

Enter PEM pass phrase:<MyPEMpassPhrase>
Verifying - Enter PEM pass phrase:<MyPEMpassPhrase>

Replace <MyPEMpassPhrase> with a pass phrase of your choice; the pass phrase "GlobusTutorial" (without the quotes) was used when this tutorial was compiled. Because this pass phrase is all that protects the CA's private key, use the tutorial value only for a throwaway CA and choose a strong one for any CA whose certificates will be trusted by real services.

creating CA config package...done.


A self-signed certificate has been generated
for the Certificate Authority with the subject:

/O=Grid/OU=GlobusTest/OU=ConsortiumTutorial/CN=<MyOrganization>

If this is invalid, rerun this script

/opt/globus-4.0.1/setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/home/globus/.globus/simpleCA//globus_simple_ca_768c46a5_setup-0.19.tar.gz

This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build /home/globus/.globus/simpleCA//globus_simple_ca_768c46a5_setup-0.19.tar.gz

$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------

setup-ssl-utils: Configuring ssl-utils package
Running setup-ssl-utils-sh-scripts...

Note: To complete setup of the GSI software you need to run the following script as root to configure your security configuration directory:

/opt/globus-4.0.1/setup/globus_simple_ca_f1f2d5e6_setup/setup-gsi

For further information on using the setup-gsi script, use the -help option. The -default option sets this security configuration to be the default, and -nonroot can be used on systems where root access is not available.

setup-ssl-utils: Complete

The output above includes an eight-character hash (for example 768c46a5 in the package name) that identifies this CA. It is OpenSSL's hash of the CA's subject name, so yours will differ because your organization name differs. One CA has exactly one hash, and the same value appears in the package file name, in the setup-gsi path and in the grid-security.conf.<hash> file name. The transcript on this page shows two different values, 768c46a5 and f1f2d5e6; in your own run, use the single value that your output prints wherever a hash appears below.

As indicated by the output above, we next run the 'setup-gsi' command. We run it with the '-default' flag so that the CA we just created becomes the default certificate authority for certificate requests on this node, and with the '-nonroot' flag so that all of the configuration stays under $GLOBUS_LOCATION (in $GLOBUS_LOCATION/share/certificates) rather than under /etc/grid-security. The note in the setup-simple-ca output about running as root applies only to the /etc/grid-security location; with '-nonroot' the command is run as the globus user. Keep in mind that Globus looks for trusted CAs in $X509_CERT_DIR, then in ~/.globus/certificates, then in /etc/grid-security/certificates, and only then in $GLOBUS_LOCATION/share/certificates, so a user on this node who points X509_CERT_DIR elsewhere will not see this CA.

[globus@nodeB ~]$ /opt/globus-4.0.1/setup/globus_simple_ca_f1f2d5e6_setup/setup-gsi -default -nonroot
setup-gsi: Configuring GSI security
Making trusted certs directory: /opt/globus-4.0.1/share/certificates/
mkdir /opt/globus-4.0.1/share/certificates/
Installing /opt/globus-4.0.1/share/certificates//grid-security.conf.f1f2d5e6...
Running grid-security-config...
Installing Globus CA certificate into trusted CA certificate directory...
Installing Globus CA signing policy into trusted CA certificate directory...
setup-gsi: Complete

Now the CA just created is installed and is the default for requesting certificates on nodeB. Listing $GLOBUS_LOCATION/share/certificates should show the CA certificate as <hash>.0, its signing policy as <hash>.signing_policy and the grid-security.conf.<hash> file named in the output above. Other nodes do not yet trust this CA: the distribution package named in the setup-simple-ca output must be installed on each of them in the same way.
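As an added example that is not part of the original tutorial or of the Globus Toolkit, the shell script below checks a simple-CA directory laid out the way setup-simple-ca creates it (cacert.pem and private/cakey.pem under ~/.globus/simpleCA) and reproduces the two things setup-gsi does with it: installing the trusted copy of the CA certificate as <hash>.0, where <hash> is OpenSSL's subject-name hash, and writing the <hash>.signing_policy that limits which subjects the CA may sign. It assumes only that openssl is on the PATH. The CA that make_demo_ca builds is a constructed throwaway using the tutorial's pass phrase, and the function names (ca_hash, ca_name, check_simple_ca, install_trusted_ca, make_demo_ca) are this example's own, not Globus commands.

```shell
#!/bin/sh
# Added example (not from the Globus tutorial or the toolkit): check a
# simple-CA directory laid out the way setup-simple-ca creates it
# (cacert.pem, private/cakey.pem) and reproduce how GSI names the CA's
# trusted-certificate files from the subject hash. Assumes only openssl.
# Function names are this example's own, not Globus commands.

# GSI names trusted CA files <hash>.0 and <hash>.signing_policy, where
# <hash> is OpenSSL's subject-name hash. GT 4.0 predates OpenSSL 1.0, so it
# used the old MD5-based hash; newer openssl exposes it as -subject_hash_old.
ca_hash() {
    openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null ||
        openssl x509 -noout -hash -in "$1"
}

# Subject or issuer in the old "/O=Grid/OU=.../CN=..." form that signing
# policies use; $1 is "subject" or "issuer", $2 the certificate file.
ca_name() {
    openssl x509 -noout "-$1" -nameopt compat -in "$2" | sed 's/^[^/]*//'
}

# Return 0 if the CA directory is usable and its key is protected, else 1.
check_simple_ca() {
    cert="$1/cacert.pem"; key="$1/private/cakey.pem"; rc=0
    [ -f "$cert" ] && [ -f "$key" ] || { echo "CA files missing in $1" >&2; return 1; }
    # The pass phrase typed at setup time must actually be protecting the key.
    grep -q ENCRYPTED "$key" || { echo "CA private key is not encrypted" >&2; rc=1; }
    # Only the CA owner may read the key (setup-simple-ca creates it 0600).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in 600|400) ;; *) echo "key mode is $mode, expected 600" >&2; rc=1 ;; esac
    # A CA certificate is self-signed; once it expires, every cert it signed is invalid.
    [ "$(ca_name subject "$cert")" = "$(ca_name issuer "$cert")" ] ||
        { echo "cacert.pem is not self-signed" >&2; rc=1; }
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null ||
        { echo "CA certificate has expired" >&2; rc=1; }
    return $rc
}

# What setup-gsi does for the trusted-certs directory: install the CA cert as
# <hash>.0 plus a signing policy limiting which subjects this CA may vouch for.
# Prints the hash so the caller knows the file names.
install_trusted_ca() {
    ca_dir="$1"; trust_dir="$2"
    h=$(ca_hash "$ca_dir/cacert.pem"); subj=$(ca_name subject "$ca_dir/cacert.pem")
    mkdir -p "$trust_dir"
    cp "$ca_dir/cacert.pem" "$trust_dir/$h.0"
    # simpleCA's policy: any subject under the CA's own O/OU prefix (CN replaced by *).
    prefix=${subj%/CN=*}
    cat > "$trust_dir/$h.signing_policy" <<EOF
access_id_CA      X509         '$subj'
pos_rights        globus        CA:sign
cond_subjects     globus       '"$prefix/*"'
EOF
    echo "$h"
}

# Constructed throwaway CA in the simple-CA layout. The pass phrase is the
# tutorial's "GlobusTutorial" and must not be reused for a real CA.
make_demo_ca() {
    mkdir -p "$1/private"; chmod 700 "$1/private"
    openssl req -x509 -newkey rsa:2048 -days 1825 -passout pass:GlobusTutorial \
        -subj "/O=Grid/OU=GlobusTest/OU=ConsortiumTutorial/CN=Example Org" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
}

# "sh this-script.sh demo" builds the throwaway CA, checks it and installs it
# into a temporary trusted-certs directory.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_demo_ca "$tmp/simpleCA"
    check_simple_ca "$tmp/simpleCA" && echo "simpleCA checks out"
    h=$(install_trusted_ca "$tmp/simpleCA" "$tmp/certificates")
    echo "installed $h.0 and $h.signing_policy"; cat "$tmp/certificates/$h.signing_policy"
    rm -rf "$tmp"
fi
```

Saved as a script and run with the argument demo, it builds the throwaway CA, checks it and prints the signing policy it installed; to check the CA created above instead, call check_simple_ca with ~/.globus/simpleCA. The ca_hash function tries -subject_hash_old first because Globus 4.0.x was built against OpenSSL 0.9.x, whose -hash is the MD5-based subject hash; OpenSSL 1.0 and later compute a different value for -hash and only give the old one under -subject_hash_old, which is the value an old GSI installation will look for.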

 
 
 