Note:
This is a model deployment plan. Sites, Virtual Organizations or Grids may have their own schemes. Subscribers and system administrators should follow local or organizational rules in preference to this model.
Requirements:
- All clients and all servers must install CA support files in the TRUSTED_CA directory.
- Personal certificates must be exported from your browser. This PKCS#12 format export must be transformed into openssl-compatible files.
- System or globus administrators should use 'doegrids-cert-request' to create service certificate signing request files.
To meet these requirements, we have provided a tar-file-based distribution of the appropriate CA support files and scripts.
Download from this site.
Model Deployment
The goal of this model deployment is to demonstrate how DOEGrids CA certificates should be installed, and how the support files may be used. This may not be appropriate for production use at all sites, but may prove useful to everyone for testing purposes.
- Untar the distribution in /etc/grid-security on all hosts.
- Read the README.doegrids file in the directory doegrids.
- Check the integrity of the distribution with the provided scripts.
- Remove or hide ~/.globus/certificates and the environment variable X509_CERT_DIR (See note above).
- Create a grid service certificate signing request.
  - doegrids-cert-request -host <FQDN> for a host certificate or
  - doegrids-cert-request -host <FQDN> -service <name> for a service certificate such as ldap/natasha.biglab.org
- Go to the DOEGrids CA. Select "Grid or SSL Server". Copy and paste the Certificate Signing Request into the "PKCS#10 Request" text box. Fill out the rest of the form and "Submit".
- Install the certificate, when approved, in /etc/grid-security/hostcert.pem.
- Obtain a personal certificate.
- Create a proxy certificate with grid-proxy-init -verify.
- Run a model globus job (such as "ls" or "/bin/date").
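A pre-flight check for the deployment steps above, as an added example that is not part of the DOEGrids distribution or of the original page. The function name grid_preflight and its two optional directory arguments are assumptions made here; it reports a set X509_CERT_DIR, a leftover ~/.globus/certificates, and a hostcert.pem that is missing, is not PEM, contains a private key, or is writable by group or others.

```shell
#!/bin/sh
# Added example, not part of the DOEGrids distribution.
# grid_preflight [HOME_DIR] [GRID_SECURITY_DIR]  (name and arguments are assumptions)
# Prints one line per finding and returns the number of problems found.
grid_preflight() {
    home_dir=${1:-$HOME}
    gs_dir=${2:-/etc/grid-security}
    cert=$gs_dir/hostcert.pem
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # The plan asks for both per-user CA locations to be removed or hidden.
    [ -z "${X509_CERT_DIR:-}" ] || fail "X509_CERT_DIR is set to $X509_CERT_DIR"
    if [ -e "$home_dir/.globus/certificates" ] || [ -L "$home_dir/.globus/certificates" ]; then
        fail "$home_dir/.globus/certificates still exists"
    fi

    if [ ! -f "$cert" ]; then
        fail "$cert is not installed"
    else
        # The approved certificate must be present as a PEM certificate block.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
            fail "$cert holds no PEM certificate"
        # A certificate file is public; a private key pasted into it is exposed.
        if grep -q -e 'PRIVATE KEY-----' "$cert"; then
            fail "$cert contains a private key"
        fi
        # Only the owner should be able to replace the host certificate.
        if [ -n "$(find "$cert" \( -perm -020 -o -perm -002 \) -print)" ]; then
            fail "$cert is writable by group or others"
        fi
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: deployment pre-flight checks passed"
    fi
    return "$problems"
}
```

Run grid_preflight with no arguments on a deployed host before creating the proxy certificate; a non-zero return value is the number of findings to fix first.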