Dear List!

We're trying to set up a GridFTP + MyProxy infrastructure to enable GlobusOnline services for our users. We've set up a basic service that consists of a simple GridFTP installation and a MyProxy server. Both have host certificates signed by an IGTF-accredited certificate authority, and we've been able to do GFTP transfers between two hosts with user certificates signed by our NREN's personal CA.

There are a few questions still left where it would be good to know how to proceed. Given that some of our collaboration partners don't have a clearly assigned grid to which they belong and/or from which they could get the appropriate host and user certificates to be able to use our GFTP service, I'd like to know if this is the way to proceed:

Set up MyProxy with its own (self-signed) CA, use MyProxy over its PAM/LDAP interface to resolve users and then issue temporary certificates for these users, and provide the GFTP server with this CA's root certificate and have that set to be a trusted CA?

Is this a common approach? I've seen that there are basically only a few accredited short-lived CAs out there.

If the MyProxy CA does provide credentials to non-X509-certified users, how do I proceed with their host certificates (assuming they only want GFTP for transfers from our GFTP to their user equipment)? Is this only practically possible by using GO and accepting GO's Globus Connect root CA for hosts and users? Do I still need the MyProxy self-signed CA in this case?

TIA,
PF

Petar Forai — HPC Engineer
Gregor Mendel Institute of Molecular Plant Biology
mailto: [email protected]
GPG/PGP-Fingerprint: AB28 19EE CDF9 FDF0 BE75 B685 6092 5EF5 9F95 6183
