Globus Toolkit Tutorial The Globus Consortium
 
 

Chapter 6: Deploying The Globus Toolkit 4.0.x

Obtaining a Host Certificate on nodeB

Next we want to request a host certificate for nodeB. After making the request, we will sign it using the CA on nodeB. Once the request is signed, we will install the certificate in the proper place on nodeB.

To request a host certificate, become root and begin by setting up the environment properly:

[root@nodeB opt]# export GLOBUS_LOCATION=/opt/globus-4.0.1
[root@nodeB opt]# source /opt/globus-4.0.1/etc/globus-user-env.sh

Next, run the 'grid-cert-request' command, using the '-host' flag to give the fully qualified name of your nodeB and the '-dir' option to direct the files into the directory $GLOBUS_LOCATION/etc:

[root@nodeB opt]# grid-cert-request -host nodeb.ps.univa.com -dir $GLOBUS_LOCATION/etc

This will create the file hostcert_request.pem:

[root@nodeB opt]# ls -alh $GLOBUS_LOCATION/etc/hostcert_request.pem
-rw-r--r-- 1 root root 1.3K Feb 22 10:39 /opt/globus-4.0.1/etc/hostcert_request.pem

There is also an associated private key:

[root@nodeB opt]# ls -alh $GLOBUS_LOCATION/etc/hostkey.pem
-r-------- 1 root root 887 Feb 22 10:39 /opt/globus-4.0.1/etc/hostkey.pem

Now that the certificate has been requested, the request must be signed by the CA. To sign the request, become user globus again and set up the environment again:

[root@nodeB opt]# su - globus
[globus@nodeB ~]$ export GLOBUS_LOCATION=/opt/globus-4.0.1
[globus@nodeB ~]$ source $GLOBUS_LOCATION/etc/globus-user-env.sh

The certificate request is signed using the command 'grid-ca-sign'. When prompted, enter the password for the certificate authority:

[globus@nodeB ~]$ grid-ca-sign -in $GLOBUS_LOCATION/etc/hostcert_request.pem -out $GLOBUS_LOCATION/etc/hostcert.pem

Note: If the hostcert.pem file exists the grid-ca-sign command may be run with the -f (force) option.

To sign the request please enter the password for the CA key:

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

As the output above indicates, a signed version of the (public) certificate is kept with the CA files in the home directory of the user signing the certificate (globus in this case), but it is also written to the location we specified:

[globus@nodeB ~]$ ls -alh $GLOBUS_LOCATION/etc/hostcert.pem
-rw-rw-r-- 1 globus globus 2.5K Feb 22 10:45 /opt/globus-4.0.1/etc/hostcert.pem
[globus@nodeB ~]$ ls -alh /home/globus/.globus/simpleCA/newcerts/01.pem
-rw-rw-r-- 1 globus globus 2.5K Feb 22 10:45 /home/globus/.globus/simpleCA/newcerts/01.pem

Before the host services on nodeB that run as user root (globus-gridftp-server) can use this certificate, we need to make sure the permissions and ownership of the files are correct. Both files need to be owned by root with the permissions shown below: the certificate is world-readable, while the private key is readable only by root. You will again have to log in as root to do this.

[root@nodeB opt]# chown root:root /opt/globus-4.0.1/etc/hostcert.pem
[root@nodeB opt]# chmod 644 /opt/globus-4.0.1/etc/hostcert.pem
[root@nodeB opt]# ls -alh /opt/globus-4.0.1/etc/host*.pem
-rw-r--r-- 1 root root 2.5K Feb 22 10:45 /opt/globus-4.0.1/etc/hostcert.pem
-r-------- 1 root root 887 Feb 22 10:39 /opt/globus-4.0.1/etc/hostkey.pem
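
The ownership and mode requirements above can be rechecked at any time with a small script. This is an added example, not part of the original tutorial or of the Globus Toolkit; the function names and the optional OWNER argument are assumptions made here. It goes one step beyond the section by also confirming, when openssl is installed, that hostcert.pem carries the public key belonging to hostkey.pem.

```sh
#!/bin/sh
# Added example: audit hostcert.pem / hostkey.pem after installation.
# Usage: sh check_host_creds.sh DIR [OWNER]   (OWNER defaults to root)

# Print "MODE OWNER" as ls shows them, e.g. "-rw-r--r-- root". The mode is cut
# to 10 characters so a trailing ACL/SELinux marker ("+" or ".") is ignored.
mode_owner() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# Require a regular file (not a symlink) with an exact mode string and owner.
check_file() {
    path=$1; want_mode=$2; want_owner=$3
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing or not a regular file"; return 1
    fi
    set -- $(mode_owner "$path")
    if [ "$1" != "$want_mode" ] || [ "$2" != "$want_owner" ]; then
        echo "FAIL $path: is $1 $2, want $want_mode $want_owner"; return 1
    fi
    echo "ok   $path: $1 $2"
}

# Succeed only if the certificate carries the public key of this private key,
# i.e. the signed certificate belongs to the request generated with hostkey.pem.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Modes are the ones in the final listing of this section.
check_host_creds() {
    dir=$1; owner=${2:-root}; rc=0
    check_file "$dir/hostcert.pem" "-rw-r--r--" "$owner" || rc=1
    check_file "$dir/hostkey.pem" "-r--------" "$owner" || rc=1
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$dir/hostcert.pem" "$dir/hostkey.pem" ||
            { echo "FAIL $dir: hostkey.pem does not match hostcert.pem"; rc=1; }
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_host_creds "$@"; fi
```

Run against /opt/globus-4.0.1/etc right after grid-ca-sign, it reports hostcert.pem as failing (mode -rw-rw-r--, owner globus) until the chown and chmod steps above have been applied.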

 
 
 