I also should have mentioned that for gsissh you can do something like
the following in your SXXsshd initd script.
SSHD_ARGS="-o ListenAddress=<myprimary ip>:4122 -o PidFile=$PID_FILE -p 4122"

do_start()
{
    if [ ! -d $localstatedir ]; then
        mkdir -p $localstatedir
    fi
    echo -n "Starting up GSI-OpenSSH sshd server... "
    /bin/env X509_USER_CERT=/etc/grid-security/hostcert.pem \
        X509_USER_KEY=/etc/grid-security/hostkey.pem \
        ${sbindir}/sshd $SSHD_ARGS > /dev/null 2>&1 &
    #cp /var/run/sshd.pid $PID_FILE
    if [ $? -eq 0 ]; then
        echo "done."
    else
        echo "failed to start GSI-OpenSSH sshd server!"
    fi
}

-----Original Message-----
From: Mike Coyne
Sent: Tuesday, February 09, 2010 3:21 PM
To: Bill Anderson
Cc: [email protected]
Subject: Re: [gt-user] host cert. question
I have had the best luck by starting an individual globus-file-server
using each cred and listening on a separate IP address under xinetd for
Linux. Note you would need the gsiftp and gsiftpeth1 in your services
file.... A similar approach works for the gatekeeper, but you need to
specify two separate $GLOBUS_LOCATION/etc/globus-gatekeeper.confxxx
files, one for each set of creds, and set the gatekeeper to bind to a
specific address.

service gsiftp
{
    disable        = no
    instances      = 1000
    socket_type    = stream
    wait           = no
    user           = root
    env            = LD_LIBRARY_PATH=/opt/vdt/globus/lib X509_USER_CERT=/etc/grid-security/hostcert.pem X509_USER_KEY=/etc/grid-security/hostkey.pem
    server         = /opt/vdt/globus/sbin/globus-gridftp-server
    server_args    = -i -Z /var/log/gridftp/ftp_xfer.log
    log_on_success += DURATION
    nice           = 10
    bind           = <myprimary_ip_address>
}

service gsiftpeth1
{
    disable        = no
    instances      = 1000
    port           = 2811
    socket_type    = stream
    wait           = no
    user           = root
    env            = LD_LIBRARY_PATH=/opt/vdt/globus/lib X509_USER_CERT=/etc/grid-security-eth1/hostcert.pem X509_USER_KEY=/etc/grid-security-eth1/hostkey.pem
    server         = /opt/vdt/globus/sbin/globus-gridftp-server
    server_args    = -i -Z /var/log/gridftp/ftp_xfer1.log
    log_on_success += DURATION
    nice           = 10
    bind           = <mysecondary_ip_address>
}

Hope this helps
Mike Coyne
On Tue, 2010-02-09 at 10:14 -0700, Bill Anderson wrote:
>
>
> Hi there,
>
> I have a host with multiple IP addresses and I'd like to use
> globus-url-copy to connect to one of those addresses. However, the
> address I want to use does not correspond to the hostname for the
> host that shows up with 'uname -a'. I've created a host
> certificate for the hostname that does correspond to the IP
> address I'm trying to connect to, but I continue to get error
> messages like:
>
> 530-globus_gsi_gssapi: Authorization denied: The name of the remote host (hpsstst01e.ucar.edu), and the expected name for the remote host (hpsstst01i.ucar.edu) do not match. This happens when the name in the host certificate does not match the information obtained from DNS and is often a DNS configuration problem.
> 530 End.
>
> I'm trying to connect to hpsstst01e.ucar.edu via globus-url-copy,
> but the hostname that's reported by 'uname -a' is
> 'hpsstst01i.ucar.edu'.
>
> My host certificate is shown below.
>
> Is it possible to create a host certificate for a host where there
> may be differences between the hostname used in connecting to the
> server and the name reported by 'uname'?
>
> Thanks for any help,
>
> Bill
>
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 4 (0x4)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu, CN=Globus Simple CA
> Validity
> Not Before: Feb 9 17:03:12 2010 GMT
> Not After : Feb 9 17:03:12 2011 GMT
> Subject: O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu, CN=host/hpsstst01e.ucar.edu
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> Netscape Cert Type:
> SSL Client, SSL Server, S/MIME, Object Signing
> Signature Algorithm: md5WithRSAEncryption
>
> .....
>
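
A check for the layout described in this thread, as an added example that is not from either poster or from the Globus Toolkit: it parses xinetd stanzas of the shape above and verifies that the CN of each stanza's host certificate is the name its bind address resolves to, which is the comparison behind the 530 error. The addresses, the PTR and SUBJECTS tables (constructed stand-ins for reverse DNS and for the certificate subjects) and the function names are assumptions.

```python
import re
# Constructed sample in the shape of the two stanzas above; 192.0.2.x are
# documentation addresses standing in for the two interface IPs.
XINETD_CONF = """
service gsiftp
{
    env = X509_USER_CERT=/etc/grid-security/hostcert.pem X509_USER_KEY=/etc/grid-security/hostkey.pem
    bind = 192.0.2.10
}
service gsiftpeth1
{
    env = X509_USER_CERT=/etc/grid-security-eth1/hostcert.pem X509_USER_KEY=/etc/grid-security-eth1/hostkey.pem
    bind = 192.0.2.20
}
"""
# Constructed stand-ins for reverse DNS and `openssl x509 -noout -subject`.
PTR = {"192.0.2.10": "hpsstst01i.ucar.edu", "192.0.2.20": "hpsstst01e.ucar.edu"}
SUBJECTS = {
    "/etc/grid-security/hostcert.pem": "O=Grid, OU=GlobusTest, CN=host/hpsstst01i.ucar.edu",
    "/etc/grid-security-eth1/hostcert.pem": "O=Grid, OU=GlobusTest, CN=host/hpsstst01e.ucar.edu",
}

def parse_services(text):
    """Return {service: {"bind": ip, "cert": path}} from xinetd stanzas."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = dict(re.findall(r"^\s*(\w+)\s*\+?=\s*(.*?)\s*$", body, re.M))
        env = dict(kv.split("=", 1) for kv in attrs.get("env", "").split() if "=" in kv)
        services[name] = {"bind": attrs.get("bind"), "cert": env.get("X509_USER_CERT")}
    return services

def cert_host(subject):
    """Extract the host name from the CN, dropping a 'host/' service prefix."""
    m = re.search(r"CN\s*=\s*(?:host/)?([^,/]+)", subject)
    return m.group(1).strip().lower() if m else None

def check(text, ptr, subjects):
    """Return (service, problem) pairs where cert name and address name disagree."""
    problems, seen = [], {}
    for name, svc in parse_services(text).items():
        expected = ptr.get(svc["bind"])
        actual = cert_host(subjects.get(svc["cert"], ""))
        if seen.setdefault(svc["bind"], svc["cert"]) != svc["cert"]:
            problems.append((name, "bind address already served with another cert"))
        if expected is None or actual != expected.lower():
            problems.append((name, f"cert names {actual}, address resolves to {expected}"))
    return problems
print(check(XINETD_CONF, PTR, SUBJECTS))  # [] when every stanza is consistent
```

In real use the two tables would be filled from a reverse lookup of each bind address and from the subject of each certificate file.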