CEPBA CA FAQs

Installing CEPBA CA

Requirements:

  • Globus Toolkit installed in the host
  • Root access is recommended for a complete installation (the Globus security configuration step below is run as root); it is otherwise optional

Procedure:

As non root user

  1. Download the CEPBA CA package

  2. Set environment variables :

    tcsh: setenv GPT_LOCATION < gpt path >
    setenv GLOBUS_LOCATION < GLOBUS path >

    bash: export GPT_LOCATION=< GPT path >
    export GLOBUS_LOCATION=< GLOBUS path >

  3. Install the CEPBA_CA package:

    $GPT_LOCATION/sbin/gpt-build < cepba ca package > < flavor >

    For example:

    $GPT_LOCATION/sbin/gpt-build globus_simple_ca_5ea3fe0c_setup-0.13.tar.gz gcc32dbg

  4. Run gpt-postinstall

    $GPT_LOCATION/sbin/gpt-postinstall

As root user

  1. Set environment variables

    tcsh: setenv GPT_LOCATION < gpt path >
    setenv GLOBUS_LOCATION < GLOBUS path >

    bash: export GPT_LOCATION=< GPT path >
    export GLOBUS_LOCATION= < globus path >

  2. Configure the Globus security

    $GLOBUS_LOCATION/setup/globus_simple_ca_5ea3fe0c_setup/setup_gsi

    Answer "Y" and "Q"

How to create my user's CEPBA CA credential

CEPBA CA issues X.509 certificates in PEM format. There are two ways to create a CEPBA CA user credential; choose one of the following:

  • Installing the CEPBA CA package on your client (see documentation)

  • Logging in to a CEPBA/BSC node that provides the certificate request service (if you have a user account there)

Once you have started a session on a CEPBA/BSC node, or have installed the package on your client, follow the steps below to create your credential.

  1. First, you have to initialize the globus client environment.

    tcsh: setenv GLOBUS_LOCATION < globus path >
    source $GLOBUS_LOCATION/etc/globus-user-env.csh

    bash: export GLOBUS_LOCATION=< globus path >
    source $GLOBUS_LOCATION/etc/globus-user-env.sh

  2. Next, generate the user's private key and a user certificate request with the command below. We suggest making a new directory to hold the credential files; we call it < cert_directory >.

    grid-cert-request -ca -dir < cert_directory >

    nondefaultca=true

    The available CA configurations installed on this host are:

    1) 42864e48 - /C=US/O=Globus/CN=Globus Certification Authority
    2) 5ea3fe0c - /O=Grid/OU=CEPBA/OU=UPC/CN=CEPBA CA
    3) b91c3caf - /O=Grid/OU=UPC/OU=CEPBA/CN=CEPBA CA

    (Choose 5ea3fe0c /O=Grid/OU=CEPBA/OU=UPC/CN=CEPBA CA)

    Using CA: 5ea3fe0c - /O=Grid/OU=CEPBA/OU=UPC/CN=CEPBA CA

    A certificate request and private key is being created.
    You will be asked to enter a PEM pass phrase.
    This pass phrase is akin to your account password,
    and is used to protect your key file.
    If you forget your pass phrase, you will need to
    obtain a new certificate.

    Using configuration from
    /etc/grid-security/certificates/globus-user-ssl.conf.5ea3fe0c
    Generating a 1024 bit RSA private key
    .....................................++++++
    ..++++++
    writing new private key to '/home/des/lribes/tmp/userkey.pem'
    Enter PEM pass phrase:

    (Type the pass phrase that will protect your private key)

    A private key and a certificate request has been generated with the subject:

    /O=Grid/OU=CEPBA/OU=UPC/OU=cepba.upc.es/CN=Lluis Ribes

    If the CN=Lluis Ribes is not appropriate, rerun this
    script with the -force -cn "Common Name" options.

    Your private key is stored in /home/des/lribes/tmp/userkey.pem
    Your request is stored in /home/des/lribes/tmp/usercert_request.pem

    Please e-mail the request to the CEPBA CA jorge.ejarque.at.bsc.es
    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.

    Your certificate will be mailed to you within two working days.
    If you receive no response, contact CEPBA CA at jorge [dot] ejarqueatbsc [dot] es (Jorge Ejarque )

  3. Send the content of the generated file < cert_directory >/usercert_request.pem to the e-mail address jorge [dot] ejarqueatbsc [dot] es (jorge.ejarque.at.bsc.es). Do not attach the file: copy its content and paste it into the e-mail body.

  4. Shortly afterwards you will receive an e-mail whose content is your user certificate. Paste the content of that e-mail into < cert_directory >/usercert.pem.

Now you have your CEPBA credential. It consists of two files:

  • userkey.pem: your private key, protected by the pass phrase you chose
  • usercert.pem: your certificate (your public key, signed by CEPBA CA)

Make a backup of these files and never disclose the contents of userkey.pem.

How to create my host's CEPBA CA credential

First of all, install the CEPBA CA package (more information) if you have not done so yet. Once it is installed, follow the steps below to create a host credential.

  1. Set the Globus user environment variables with the following commands

    tcsh: setenv GLOBUS_LOCATION < globus path >
    source $GLOBUS_LOCATION/etc/globus-user-env.csh

    bash: export GLOBUS_LOCATION=< globus path >
    source $GLOBUS_LOCATION/etc/globus-user-env.sh

  2. Next, generate the host's private key and a host certificate request with the command below. We suggest making a new directory to hold the credential files; we call it < cert_directory >.

    grid-cert-request -ca -dir < cert_directory > -host < hostname.domain >

    ...
    x) 5ea3fe0c - /O=Grid/OU=CEPBA/OU=UPC/CN=CEPBA CA
    ...

    Enter the index number of the CA you want to sign your cert request:

    (Choose 5ea3fe0c /O=Grid/OU=CEPBA/OU=UPC/CN=CEPBA CA)

    A private host key and a certificate request has been generated
    with the subject:

    /O=Grid/OU=CEPBA/OU=UPC/CN=host/ole.upc.es

    ----------------------------------------------------------

    The private key is stored in /cepba/lribes/tmp/hostkey.pem
    The request is stored in /cepba/lribes/tmp/hostcert_request.pem

    Please e-mail the request to the CEPBA CA jorge [dot] ejarqueatbsc [dot] es (Jorge Ejarque)
    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.

    Your certificate will be mailed to you within two working days.
    If you receive no response, contact CEPBA CA at jorge [dot] ejarqueatbsc [dot] es (jorge.ejarque.at.bsc.es)

  3. Send the content of the generated file < cert_directory >/hostcert_request.pem to the e-mail address jorge [dot] ejarqueatbsc [dot] es (jorge.ejarque.at.bsc.es). Do not attach the file: copy its content and paste it into the e-mail body.

  4. Shortly afterwards you will receive an e-mail whose content is the host certificate. Paste the content of that e-mail into < cert_directory >/hostcert.pem.

Now you have the host's CEPBA credential. It consists of two files:

  • hostkey.pem: host private key
  • hostcert.pem: host certificate (host public key, signed by CEPBA CA)

Make a backup of these files and never disclose the contents of hostkey.pem. Follow the next FAQs to install the new certificate on your host.
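The following checks are added here as an example; they are not part of the CEPBA CA FAQ or of the Globus tools. They let you confirm a credential produced by either procedure above (user or host) before you mail the request and again after you paste the returned certificate: that the key file is pass-phrase protected, that the request is a well-formed CSR, that request and certificate carry the public half of that key, and that a host certificate names the right machine. Only the openssl command-line tool and the file names used in this FAQ are assumed; the pass-phrase argument is the PEM pass phrase you typed at grid-cert-request, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CEPBA CA FAQ. Assumes the openssl CLI.
# File names follow the FAQ: userkey.pem / usercert_request.pem / usercert.pem
# or hostkey.pem / hostcert_request.pem / hostcert.pem.

# Public half (SubjectPublicKeyInfo, PEM) of a private key, a request or a
# certificate. openssl emits all three in the same encoding, so they can be
# compared as strings. An empty pass phrase is fine for an unencrypted key;
# for an encrypted key with a wrong pass phrase openssl fails instead of
# prompting, because -passin is always supplied.
pubkey_of_key()  { openssl pkey -in "$1" -pubout -passin "pass:$2" 2>/dev/null; }
pubkey_of_req()  { openssl req  -in "$1" -pubkey -noout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# grid-cert-request always asks for a PEM pass phrase, so the key file must
# carry an ENCRYPTED marker (traditional or PKCS#8 PEM). A key without it is
# stored in clear and should be regenerated.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# A certificate request is self-signed with the key it was made for;
# this fails on a request that was truncated or edited while pasting.
request_is_well_formed() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Return 0 if the request carries exactly the public half of the key.
request_matches_key() {   # $1 = key file, $2 = request file, $3 = pass phrase
    k=$(pubkey_of_key "$1" "$3") && [ -n "$k" ] || return 1
    r=$(pubkey_of_req "$2") && [ -n "$r" ] || return 1
    [ "$k" = "$r" ]
}

# Return 0 if the certificate pasted from the CA's e-mail belongs to the key.
cert_matches_key() {   # $1 = key file, $2 = certificate file, $3 = pass phrase
    k=$(pubkey_of_key "$1" "$3") && [ -n "$k" ] || return 1
    c=$(pubkey_of_cert "$2") && [ -n "$c" ] || return 1
    [ "$k" = "$c" ]
}

# Subject in the slash-separated form Globus prints (X509_NAME_oneline),
# e.g. /O=Grid/OU=CEPBA/OU=UPC/CN=host/ole.upc.es. Older openssl prints
# "subject= /..." with a space, newer "subject=/...", so both are stripped.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat 2>/dev/null \
        | sed 's/^subject= *//'
}

# A host certificate must name the machine as CN=host/<hostname.domain>;
# that is the string the gatekeeper later reports as its subject.
host_cert_is_for() {   # $1 = certificate file, $2 = hostname.domain
    case "$(cert_subject "$1")" in
        */CN=host/"$2") return 0 ;;
    esac
    return 1
}

# Usage, e.g.:
#   key_is_encrypted certs/userkey.pem && request_is_well_formed certs/usercert_request.pem \
#     && request_matches_key certs/userkey.pem certs/usercert_request.pem "$PASS" && echo "request OK"
#   cert_matches_key certs/hostkey.pem certs/hostcert.pem "$PASS" \
#     && host_cert_is_for certs/hostcert.pem ole.upc.es && echo "host certificate OK"
```

Run the first line after step 2 of either procedure and the second after step 4. Comparing the SubjectPublicKeyInfo blocks is what catches the most common mistakes at this stage: mailing a request generated with an older key, or pasting a certificate that the CA issued for a different request.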

How to install user certificates in a grid client

Copy userkey.pem and usercert.pem into the $HOME/.globus directory; if it does not exist, create it. The file permissions must be as shown below (400 for userkey.pem and 444 for usercert.pem), so that only you can read the private key.

-r--r--r-- 1 lribes des 3155 Jul 21 09:36 usercert.pem
-r-------- 1 lribes des 951 Jul 21 09:36 userkey.pem

How to install host certificates

Copy hostkey.pem and hostcert.pem into the Globus security directory (normally /etc/grid-security). If it does not exist, check your Globus installation, which may be incomplete. The file permissions must be as shown below (400 for hostkey.pem and 444 for hostcert.pem), and the owner must be the root user.

-r--r--r-- 1 root system 3155 Jul 21 09:36 hostcert.pem
-r-------- 1 root system 951 Jul 21 09:36 hostkey.pem

If you are using Globus Toolkit 4 you probably also need a container certificate. It has the same form as the host certificate; see the GT4 documentation for how to install these certificates.

To verify the certificate installation, see the next FAQ.

How to verify the host certificate installation

Run the gatekeeper in test mode as the root user, as shown below:

/usr/bin/env LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib \
    $GLOBUS_LOCATION/sbin/globus-gatekeeper -test

Testing gatekeeper
Local user id (uid): root
Home directory: /etc/xinetd.d
Libexec directory: /etc/xinetd.d/libexec
Gatekeeper subject name: "/O=Grid/OU=CEPBA/OU=UPC/CN=host/ole.upc.es"
Gatekeeper test complete: Success!
Gatekeeper shutting down!

Check that the gatekeeper subject name matches the subject of the new host certificate and that the gatekeeper test reports Success!
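The following script is added here as an example and is not the FAQ's own procedure. It puts the two installation FAQs above and this verification step into checkable form: it copies a key/certificate pair into place with the required 400/444 modes, verifies mode and owner afterwards, and checks that the subject reported by globus-gatekeeper -test is the one you expect. Function names are this example's own, the sample gatekeeper output embedded at the top is a constructed copy of the transcript above, and the expected subject is whatever openssl x509 -noout -subject -nameopt compat prints for the installed hostcert.pem.

```shell
#!/bin/sh
# Added example, not part of the CEPBA CA FAQ or of the Globus Toolkit.
# Works for $HOME/.globus (prefix "user") and /etc/grid-security (prefix
# "host"); into /etc/grid-security it must run as root so the files end up
# root-owned, as the FAQ requires.

# Constructed sample of "globus-gatekeeper -test" output (copied from the
# FAQ's transcript) so the checks below can be exercised offline.
SAMPLE_GATEKEEPER_OUTPUT='Testing gatekeeper
Local user id (uid): root
Home directory: /etc/xinetd.d
Libexec directory: /etc/xinetd.d/libexec
Gatekeeper subject name: "/O=Grid/OU=CEPBA/OU=UPC/CN=host/ole.upc.es"
Gatekeeper test complete: Success!
Gatekeeper shutting down!'

# Copy <prefix>key.pem and <prefix>cert.pem from $1 into $2 and set the
# modes the FAQ requires. umask 077 keeps the key from being readable by
# anyone else even for the instant between cp and chmod.
install_credential() {   # $1 = source dir, $2 = destination dir, $3 = user|host
    src=$1; dst=$2; p=$3
    [ -f "$src/${p}key.pem" ] && [ -f "$src/${p}cert.pem" ] || return 1
    [ -d "$dst" ] || mkdir -p "$dst" || return 1
    old_umask=$(umask)
    umask 077
    cp "$src/${p}key.pem"  "$dst/${p}key.pem"  || { umask "$old_umask"; return 1; }
    cp "$src/${p}cert.pem" "$dst/${p}cert.pem" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 0400 "$dst/${p}key.pem"  || return 1
    chmod 0444 "$dst/${p}cert.pem" || return 1
}

# Return 0 only if the key is exactly 0400 and the certificate exactly 0444
# (find -perm with an exact mode is POSIX; stat's format flags are not).
check_credential_perms() {   # $1 = directory, $2 = user|host
    k=$1/${2}key.pem; c=$1/${2}cert.pem
    [ -f "$k" ] && [ -f "$c" ] || return 1
    [ -n "$(find "$k" -perm 0400 -print)" ] || return 1
    [ -n "$(find "$c" -perm 0444 -print)" ] || return 1
}

# Return 0 only if both files belong to $3 (root for /etc/grid-security).
check_credential_owner() {   # $1 = directory, $2 = user|host, $3 = owner
    [ -n "$(find "$1/${2}key.pem"  -user "$3" -print 2>/dev/null)" ] || return 1
    [ -n "$(find "$1/${2}cert.pem" -user "$3" -print 2>/dev/null)" ] || return 1
}

# Subject the gatekeeper reports, taken from the captured text of
# "globus-gatekeeper -test" passed as $1.
gatekeeper_subject() {
    printf '%s\n' "$1" | sed -n 's/^Gatekeeper subject name: "\(.*\)"$/\1/p'
}

# Return 0 if the test run both succeeded and reported the expected subject
# ($2, e.g. the output of openssl x509 -noout -subject -nameopt compat).
check_gatekeeper_test() {   # $1 = test output, $2 = expected subject
    printf '%s\n' "$1" | grep -q '^Gatekeeper test complete: Success!' || return 1
    [ "$(gatekeeper_subject "$1")" = "$2" ]
}

# Usage, e.g. (as root):
#   install_credential /cepba/lribes/tmp /etc/grid-security host
#   check_credential_perms /etc/grid-security host && check_credential_owner /etc/grid-security host root
#   out=$(env LD_LIBRARY_PATH=$GLOBUS_LOCATION/lib $GLOBUS_LOCATION/sbin/globus-gatekeeper -test 2>&1)
#   check_gatekeeper_test "$out" "/O=Grid/OU=CEPBA/OU=UPC/CN=host/ole.upc.es" && echo "gatekeeper OK"
```

The subject comparison matters because a gatekeeper that starts cleanly with the wrong certificate (an old host certificate left in place, or a certificate for another host name) still prints Success!; only the subject line tells you which credential it actually loaded.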