Chapter 6: Deploying The Globus Toolkit 4.0.x
Making a Copy for the Container
The host certificate just created is owned by root and will be used by services such as 'globus-gridftp-server'. Most often the other services, and the container they run in, are not run as root; they are run as user 'globus'. Still, these services usually run with a host type certificate.
So we need to make a copy of the host certificate that the globus user has access to. As root do:
[root@nodeB opt]# cp /opt/globus-4.0.1/etc/hostcert.pem /opt/globus-4.0.1/etc/containercert.pem
[root@nodeB opt]# chown globus.globus /opt/globus-4.0.1/etc/containercert.pem
[root@nodeB opt]# ls -alh /opt/globus-4.0.1/etc/containercert.pem
-rw-r--r-- 1 globus globus 2.5K Feb 22 10:57 /opt/globus-4.0.1/etc/containercert.pem
[root@nodeB opt]# cp /opt/globus-4.0.1/etc/hostkey.pem /opt/globus-4.0.1/etc/containerkey.pem
[root@nodeB opt]# chown globus.globus /opt/globus-4.0.1/etc/containerkey.pem
[root@nodeB opt]# ls -alh /opt/globus-4.0.1/etc/containerkey.pem
-r-------- 1 globus globus 887 Feb 22 10:58 /opt/globus-4.0.1/etc/containerkey.pem
With the copy for the container we can, as user globus, edit the security configuration file so that the container can find the certificate and its key. Use any text editor to edit the file
$GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml
and in that file look for the "key-file" and "cert-file" fields and set the paths to point to the container key and cert respectively. Your file should look like this:
[globus@nodeB opt]$ cat /opt/globus-4.0.1/etc/globus_wsrf_core/global_security_descriptor.xml
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://www.globus.org">
<credential>
<key-file value="/opt/globus-4.0.1/etc/containerkey.pem"/>
<cert-file value="/opt/globus-4.0.1/etc/containercert.pem"/>
</credential>
<gridmap value="/opt/globus-4.0.1/etc/grid-mapfile"/>
</securityConfig>
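To confirm the result of the steps above, the following added example (not part of the original guide or of the Globus Toolkit) reads the key-file and cert-file paths from the descriptor and checks ownership and modes. The function names and the reliance on GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the Globus documentation). Assumes GNU stat (Linux).

# Print the value="..." attribute of the first <ELEMENT .../> in FILE.
descriptor_value() {   # usage: descriptor_value FILE ELEMENT
    sed -n "s/.*<$2[[:space:]][^>]*value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 only if the key and cert named in DESCRIPTOR exist, belong to
# OWNER, the key has no group/other permission bits, and the cert is not
# writable by group/other.
check_container_creds() {   # usage: check_container_creds DESCRIPTOR OWNER
    desc=$1; owner=$2; rc=0
    key=$(descriptor_value "$desc" key-file)
    cert=$(descriptor_value "$desc" cert-file)
    if [ -z "$key" ] || [ -z "$cert" ]; then
        echo "FAIL: key-file or cert-file not set in $desc"; return 1
    fi
    for f in "$key" "$cert"; do
        if [ ! -f "$f" ]; then echo "FAIL: $f is missing"; return 1; fi
        if [ "$(stat -L -c %U "$f")" != "$owner" ]; then
            echo "FAIL: $f is not owned by $owner"; rc=1
        fi
    done
    kmode=$(stat -L -c %a "$key"); cmode=$(stat -L -c %a "$cert")
    # A leading 0 makes the shell read the mode as octal.
    if [ $(( 0$kmode & 077 )) -ne 0 ]; then
        echo "FAIL: $key mode $kmode lets group/other reach the private key"; rc=1
    fi
    if [ $(( 0$cmode & 022 )) -ne 0 ]; then
        echo "FAIL: $cert mode $cmode is writable by group/other"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key ($kmode) and $cert ($cmode) owned by $owner"
    return "$rc"
}

# Run as: sh check_creds.sh DESCRIPTOR OWNER
if [ $# -eq 2 ]; then check_container_creds "$1" "$2"; fi
```

With the files from this page, the call would be check_container_creds /opt/globus-4.0.1/etc/globus_wsrf_core/global_security_descriptor.xml globus, run as root or as user globus.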