Table of Contents
- To be written
- Introduction
- CentOS Installation
- Pacman Installation
- VOMS Installation
- Globus-Simple-CA Installation
- Globus-Simple-CA Set Up
- Install host certificate
- Install http service certificate
- Maintaining your own CA distribution
- VO Set Up
- Get non-root user certificate
- Importing Certificates in Web-browser
- Accessing VOMS via web interface
- Notes
To be written
- VomsExploration - Adding host as voms-admin
- Add link to VomsConfiguration? page - To generate the gridmap file on a compute element we need to give an ACL to a user called 'Anyone'.
Introduction
The following instructions provide a guideline for setting up a VOMS instance with Globus-Simple-CA.
CentOS Installation
Install CentOS using the kickstart file attached to this page. In this installation we used CentOS-5.2 as the operating system. The kickstart file should be web accessible. At the boot prompt, enter the following command to start the installation. You will need to change CDs during the installation process.
linux ks=http://<ip.addr.kickstart.url>/<path-to-kickstart.file>
Pacman Installation
VOMS uses pacman for installation. Download and install pacman using the following set of commands. Sourcing setup.sh updates the $PATH variable with the pacman binaries directory.
cd /var/tmp
wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-3.28.tar.gz
tar --no-same-owner -C /opt/ -xzvf pacman-3.28.tar.gz
cd /opt
ln -s pacman-3.28 pacman
cd pacman
source setup.sh
VOMS Installation
For this test installation the firewall was not configured to allow connections on port 8443. Disable the firewall to accept connections (on anything other than a throwaway test box, open only TCP port 8443 in iptables instead of stopping the service):
service iptables stop
Now we need to create a VOMS installation directory and start the installation using pacman.
mkdir -p /usr/local/osg/voms
export VDT_LOCATION=/usr/local/osg/voms
cd $VDT_LOCATION
pacman -get http://software.grid.iu.edu/osg-1.2:voms
The above commands install VOMS, but it is not configured yet because the host certificate/key is not in place. You should see output similar to the following lines:
[root@localhost voms]# pacman -get http://software.grid.iu.edu/osg-1.2:voms
Do you want to add [http://software.grid.iu.edu/osg-1.2] to [trusted.caches]? (y/n/yall): y
Do you want to add [http://vdt.cs.wisc.edu/vdt_200_cache] to [trusted.caches]? (y/n/yall): y
Beginning VDT prerequisite checking script vdt-common/vdt-prereq-check...
All prerequisite checks are satisfied.
========== IMPORTANT ==========
Most of the software installed by the VDT *will not work* until you install certificates.
To complete your CA certificate installation, see the notes in the post-install/README file.
vdt/setup/configure_voms: ERROR: need host certificate (see post-install/README)
The certificate/key part will be completed after the Simple-CA set up. Now source the VOMS setup file, which defines and updates the appropriate environment variables:
source setup.sh
Globus-Simple-CA Installation
In this step we install Simple-CA for our test installation. After this we will obtain a host certificate/key pair for our machine.
cd $VDT_LOCATION
pacman -get http://vdt.cs.wisc.edu/vdt_200_cache:Globus-Simple-CA
Globus-Simple-CA Set Up
Start the Simple-CA set up by running the following command:
/usr/local/osg/voms/globus/setup/globus/setup-simple-ca
You should see output similar to the following block.
C e r t i f i c a t e   A u t h o r i t y   S e t u p
This script will setup a Certificate Authority for signing Globus users certificates. It will also generate a simple CA package that can be distributed to the users of the CA.
The CA information about the certificates it distributes will be kept in:
/root/.globus/simpleCA/
The unique subject name for this CA is:
cn=Globus Simple CA, ou=simpleCA-localhost.localdomain, ou=GlobusTest, o=Grid
Do you want to keep this as the CA subject (y/n) [y]:y
Enter the email of the CA (this is the email where certificate requests will be sent to be signed by the CA):pavgi@uab.edu
The CA certificate has an expiration date. Keep in mind that once the CA certificate has expired, all the certificates signed by that CA become invalid. A CA should regenerate the CA certificate and start re-issuing ca-setup packages before the actual CA certificate expires. This can be done by re-running this setup script.
Enter the number of DAYS the CA certificate should last before it expires. [default: 5 years (1825 days)]:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
creating CA config package...done.
A self-signed certificate has been generated for the Certificate Authority with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA-localhost.localdomain/CN=Globus Simple CA
If this is invalid, rerun this script
/usr/local/osg/voms/globus/setup/globus/setup-simple-ca
and enter the appropriate fields.
...
...
...
Look for the following lines and run the setup-gsi command exactly as printed in your installation window to complete the Simple-CA set up. This installs the Globus CA certificate and signing policy in the /etc/grid-security directory.
Note: To complete setup of the GSI software you need to run the following script as root to configure your security configuration directory:
/usr/local/osg/voms/globus/setup/globus_simple_ca_c7881362_setup/setup-gsi
Install host certificate
We need to install a host certificate for our VOMS machine. It allows the root user on this machine to be a VO-Admin and run the voms-admin command. The following command generates a private host key and a certificate request. Replace <host.ip.addr.or.hostname> with the IP address or hostname. I used the IP address as the hostname was not defined for my box.
grid-cert-request -host <host.ip.addr.or.hostname>
Sign the host certificate request by running the following command.
grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out /etc/grid-security/hostcert.pem
Install http service certificate
Request http service certificate as:
grid-cert-request -host <host.ip.addr.or.hostname> -service http
Sign the http certificate request by running the following command.
grid-ca-sign -in /etc/grid-security/http/httpcert_request.pem -out /etc/grid-security/http/httpcert.pem
Change ownership of the certificate/key pair so that the http service can use it:
chown daemon:daemon /etc/grid-security/http/httpcert.pem
chown daemon:daemon /etc/grid-security/http/httpkey.pem
Maintaining your own CA distribution
We need to configure our VOMS instance with the Globus-Simple-CA set up. The post-install/README file has a note about it. Also, if you run vdt-ca-certs-status you should see error messages as follows:
[root@localhost voms]# vdt-ca-certs-status
CA-Certificates Info:
ERROR: Installed certs version not defined.
vdt-update-certs info:
Status file not found. Creating status file '/usr/local/osg/voms/vdt/var/certs-updater-status'.
Last run: unknown
WARNING: last update time unknown
no crontab for root
Status: Installed, but not running via root's crontab.
Fetch-CRL info:
Last run: unknown (/usr/local/osg/voms/vdt/var/fetch-crl.lastrun does not exist or cannot be read).
Status: Installed, but not running via root's crontab
The following page provides instructions for maintaining your own CA distribution: http://vdt.cs.wisc.edu/releases/2.0.0/cert-distribution.html . It links to the certs SVN repository from which the required certificates and scripts can be downloaded. I had a problem checking out the code and also we don't need all of their certs as we will be using Simple-CA. We will create a directory structure following their code base, get the required scripts in place, and then copy our CA cert files. The directory structure is as follows:
certs-dir
-- certificates
   -- certificate.file
   -- certificate-signing.policy
   -- INDEX.txt
   -- CHANGES
-- validate_index.pl
-- make-manifest
-- defs
The following commands will get you started, but you will need to get the INDEX.txt, validate_index.pl, make-manifest, and defs files from the VDT certs repository. Copy-paste the required scripts from the web browser if SVN doesn't work. Modify the INDEX.txt, CHANGES, and defs files as described on that site.
mkdir /var/tmp/cert-dist
cd /var/tmp/cert-dist
mkdir certificates
cp /etc/grid-security/certificates/<hash#>.0 certificates/
cp /etc/grid-security/certificates/<hash#>.signing_policy certificates/
vi certificates/INDEX.txt
vi certificates/CHANGES
vi validate_index.pl
vi make-manifest
vi defs
chmod +x validate_index.pl
chmod +x make-manifest
Run the following commands to validate your CA distribution before packaging it:
cd /var/tmp/cert-dist
./validate_index.pl
If the hashes do not match, edit the INDEX.txt file appropriately. You should see the following output after successful validation.
1 hashes found in INDEX.txt
1 hashes found in certificates directory
All hashes match
We need to generate a tarball of the certificate distribution and place it in a web accessible location. VOMS comes with a local apache instance which is configured to use secure connections. We also have another apache instance installed through our kickstart installation. We will start the system httpd service and use it to distribute our CA. The following instructions create a directory structure and then place a tarball in that location.
mkdir -p /var/www/html/software/
mkdir -p /var/www/html/software/certificates
mkdir -p /var/www/html/software/certificates/1
tar zcf /var/www/html/software/certificates/1/certificates-1-1.tar.gz `find certificates ! -name \*~ ! -name .#\* ! -type d | grep -v '\.svn'`
service httpd start
Make sure that this tarball is available for download through the web. If that works, proceed with the following instructions:
cd /var/tmp/cert-dist
./make-manifest
You should see output similar to:
Making manifest of /var/www/html/software/certificates/1/certificates-1-1.tar.gz...
Backup: /var/www/html/software/certificates/old-manifests/vdt-igtf-ca-certs-version.20090809T232859
Manifest: /var/www/html/software/certificates/vdt-igtf-ca-certs-version
Compat manifest: /var/www/html/software/certificates/ca-certs-version
Set up the CA with your VOMS install as:
vdt-ca-manage setupca --location local --url http://<host.ip.addr.or.hostname>/software/certificates/ca-certs-version
vdt-ca-certs-status and vdt-version will now return information about the CA.
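As an added example (not the VDT project's own validate_index.pl) of the cross-check that script performs in the distribution procedure above, assuming INDEX.txt lists the 8-hex-digit CA hash as the first field of each non-comment line:

```shell
# Added example, not the VDT validate_index.pl script: cross-check the hashes
# in certificates/INDEX.txt against the <hash>.0 / <hash>.signing_policy files.
# ASSUMPTION: INDEX.txt has one CA per line, the 8-hex-digit hash being the
# first whitespace-separated field; '#' starts a comment.

# Hashes listed in INDEX.txt, comments stripped, sorted and de-duplicated.
index_hashes() {
    sed 's/#.*//' "$1/INDEX.txt" | awk '{print $1}' | grep -E '^[0-9a-f]{8}$' | sort -u
}

# Hashes present as <hash>.0 files in the directory.
dir_hashes() {
    for f in "$1"/*.0; do [ -e "$f" ] && basename "$f" .0; done | sort -u
}

# Same report as validate_index.pl; returns 0 only when the two lists agree
# and every listed hash also has its signing policy file.
validate_index() {
    dir=$1; rc=0
    idx=$(index_hashes "$dir"); files=$(dir_hashes "$dir")
    echo "$(printf '%s\n' "$idx" | grep -c . || true) hashes found in INDEX.txt"
    echo "$(printf '%s\n' "$files" | grep -c . || true) hashes found in certificates directory"
    for h in $idx; do
        [ -f "$dir/$h.0" ] || { echo "MISSING: $h.0 is listed but absent"; rc=1; }
        [ -f "$dir/$h.signing_policy" ] || { echo "MISSING: $h.signing_policy"; rc=1; }
    done
    for h in $files; do
        printf '%s\n' "$idx" | grep -qx "$h" || { echo "UNLISTED: $h.0 not in INDEX.txt"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "All hashes match"
    return "$rc"
}

# Extra check when openssl is present: a <hash>.0 file name must equal the
# subject hash of the certificate inside, or clients will not find the CA.
# OpenSSL >= 1.0 prints its newer hash with -hash; -subject_hash_old gives the
# scheme used by the OpenSSL 0.9.8 era of this page, so either is accepted.
check_subject_hashes() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipped"; return 0; }
    rc=0
    for f in "$1"/*.0; do
        [ -e "$f" ] || continue
        want=$(basename "$f" .0)
        new=$(openssl x509 -in "$f" -noout -hash 2>/dev/null || true)
        old=$(openssl x509 -in "$f" -noout -subject_hash_old 2>/dev/null || true)
        [ "$want" = "$new" ] || [ "$want" = "$old" ] || { echo "BAD HASH: $f"; rc=1; }
    done
    return "$rc"
}
```

Run it from /var/tmp/cert-dist as `validate_index certificates && check_subject_hashes certificates`; a non-zero exit means INDEX.txt or the copied files need fixing before make-manifest.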
VO Set Up
By default all VDT(?) services are disabled. We need to enable them manually. You can view the list of VOMS services by running the following command.
vdt-control --list
Note that the VOMS service is not listed until we create a VO. Enable all other services manually as:
vdt-control --enable vdt-rotate-logs
vdt-control --enable vdt-update-certs
vdt-control --enable mysql5
vdt-control --enable apache
vdt-control --enable tomcat-55
Create a new VO by running the following command. Replace <VO-Name> with your desired VO name. Use the '--server y' option to install and enable the VOMS service.
$VDT_LOCATION/vdt/setup/configure_voms --vo <VO-Name>
This creates a database named after your VO in MySQL. You may confirm this by connecting to MySQL as
mysql5/bin/mysql -u root
mysql> show databases;
If you did not use the '--server y' option, then you need to enable the VOMS service manually:
vdt-control --enable voms
Start the VDT services:
vdt-control --on
Get non-root user certificate
The post-install script in the kickstart file creates three non-root users: jpr, ppr, and ssp. We will get a user certificate for one of these users for future use, e.g. browser import. The following commands request a certificate for the user ssp.
su - ssp
cd /usr/local/osg/voms
source setup.sh
grid-cert-request
Sign the certificate as in the previous section (you need to be root):
grid-ca-sign -in /home/ssp/.globus/usercert_request.pem -out /home/ssp/.globus/usercert.pem
Importing Certificates in Web-browser
We need to import the user certificate into the web browser in order to access VOMS via the web interface; otherwise we get an SSL handshake failure error. We will import the non-root user certificate created in the previous step. Most browsers need certificates in 'p12' format. To convert the certificate to p12 format, run the following on a machine with OpenSSL installed (the kickstart included the OpenSSL package):
cd /home/ssp
openssl pkcs12 -export -in .globus/usercert.pem -inkey .globus/userkey.pem -out cert-simpleca.p12
Import this certificate into your web browser. For Mozilla Firefox 3.0: Edit >> Preferences >> Advanced >> Encryption-tab >> View-Certificates-button >> Import-button >> Browse-And-Load-Your-p12-Cert.
Accessing VOMS via web interface
Access your VOMS server on port 8443 at 'https://<voms.server.ip.addr>:8443'. Responses you may see:
- 404 - VO does not exist or not yet deployed (restart tomcat).
- 503 - Tomcat hasn't started completely. Try after few minutes.
Notes
- My host cert was saved as hostsigned.pem and I had no problem creating new VOs. But I got an error regarding 'TRUSTED_CA line not found' when I tried to remove any VO. The openssl command revealed that the hostcert.pem file was empty (as I had created the hostsigned.pem file instead of hostcert.pem).
- If the hostname is changed then we will need to get new certs and also add host as a VO-Admin.
- If all the certs had been in place prior to the pacman installation, a default VO called VDT would have been configured.
Attachments
- ks-voms.cfg (3.6 kB) - Kickstart file for VOMS installation, added by pavgi@uab.edu on 08/11/09 13:48:08.
