Thanks John,

Looks like we both had the same thought because that is what I've been doing too. Your advice was right on and I'm making a bit of progress. This may work yet. You'll notice this reply is not the same as the one I accidentally sent to just you, because I found a few errors in that line of thought. This reply includes those corrected steps. What I ended up doing:

    sudo mkdir /etc/grid-security/
    sudo chown gridtest:gridtest /etc/grid-security/
    mkdir /etc/grid-security/certificates
    /usr/bin/grid-ca-create
    cp /home/gridtest/)/globus-host-ssl.conf /etc/grid-security
    cp /home/gridtest/.globus/simpleCA/globus-user-ssl.conf /etc/grid-security
    cp /home/gridtest/.globus/simpleCA/grid-security.conf /etc/grid-security
    cp /home/gridtest/.globus/simpleCA/signing-policy /etc/grid-security
    cp /home/gridtest/.globus/simpleCA/grid-ca-ssl.conf /etc/grid-security

Then at step three, you and Joseph were correct about the FQDN:

    grid-cert-request -host 'gridftp.mydomain.com' -force

After that, the documentation (http://www.globus.org/toolkit/docs/5.2/5.2.2/admin/install/appendix.html#gtadmin-simpleca) seems to be fairly accurate.

(For the curious, in my original reply I had run grid-ca-create as root, and that put the files into /var/lib/globus/simple_ca, not ~/.globus/simpleCA. There were other location discrepancies as well.)

________________________________
> Date: Wed, 17 Oct 2012 10:35:56 -0500
> Subject: Re: [gt-user] host certificate request fails
> From: [email protected]
> To: [email protected]
>
> Well,
>
> I worked around these issues doing some tricks. For instance, when grid-ca-create shows the warning [permissions] message, I ignored and copied the required files to the /etc/grid-security directory as I mentioned before. If /etc/grid-security does not exist, I created it as root user and then changed its ownership to the globus user. As a matter of fact, until you mentioned, I did not know that GLOBUS_LOCATION points to /usr/sbin directory so for the installation purposes, I think, is not relevant that variable at that time.
>
> On 17 October 2012 09:53, gridftp user <[email protected]> wrote:
>
> Hi John,
>
> You are the second person to mention this, and this sounds like just what I need. I'll report back on my progress.
>
> You bring up an interesting point regarding the globus user. According to the Simple CA instructions, I should create a "...generic globus account, which will be used to perform administrative tasks. This user will also be in charge of managing the SimpleCA. To do this, make sure this account has read and write permissions in the $GLOBUS_LOCATION directory." I am trying to implement this on CentOS 6.2, and $GLOBUS_LOCATION is /usr/sbin, which is only writable by root. That makes it kind of difficult to create a generic, non-privileged user with the stated necessary write permissions. Can you tell me what needs to be written to so I can only allow that write access instead of full access to /usr/sbin?
>
> Thanks!
>
> ________________________________
> > Date: Wed, 17 Oct 2012 08:37:37 -0500
> > Subject: Re: [gt-user] host certificate request fails
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> >
> > Hi Melvin,
> >
> > Days ago I experienced the same issue that you are facing now and I think that the problem is on the Globus Toolkit documentation. Here is how I fixed it:
> >
> > 1. Be sure to run the grid-ca-create command as globus user
> > 2. This command creates a directory in the globus's home directory (~/.globus/simpleCA) which contains a lot of files that you need to copy in the /etc/grid-security directory. Those files are: globus-host-ssl.conf, globus-user-ssl.conf and grid-security.conf. I also copied signing-policy and grid-ca-ssl.conf but I am not quite sure if they have to be copied too.
> >
> > Run the hostname command and be sure that it returns the FQDN for the machine where you are setting up the gridftp service.
> >
> > The /etc/grid-security/certificates exists on that machine?
> >
> > On 17 October 2012 08:25, gridftp user <[email protected]> wrote:
> >
> > According to the instructions for setting up the Simple CA (http://globus.org/toolkit/docs/5.2/5.2.2/admin/install/appendix.html#gtadmin-simpleca), I need to request a host certificate by running:
> > sudo grid-cert-request -host 'hostname'
> >
> > It would have been really nice if the next line explained what value is expected for 'hostname' but the author failed to see a need for this. Assuming it means my host, I entered:
> > sudo grid-cert-request -host '[email protected]'
> >
> > and got an immediate error:
> > line 917: /etc/grid-security/grid-security.conf: No such file or directory
> >
> > Searching for that file name on the Globus site, I found a description from the version 4.0 documentation (http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch05.html):
> > grid-security.conf A base configuration file that contains the name and email address for the CA.
> >
> > So I created that /etc/grid-security/grid-security.conf file:
> > root
> > [email protected]
> >
> > Now sudo grid-cert-request -host '[email protected]' gives another error:
> > /etc/grid-security/grid-security.conf: line 1: root: command not found
> > /etc/grid-security/grid-security.conf: line 2: [email protected]: command not found
> > /usr/bin/grid-cert-request: line 442: /etc/grid-security/globus-host-ssl.conf: No such file or directory
> >
> > So obviously grid-security.conf is not a base configuration file that contains the name and email address for the CA. Is there any chance someone would be willing to take a minute to explain what that file should contain, as well an example of what should be in /etc/grid-security/globus-host-ssl.conf? I would sure appreciate it.
> >
> > Thanks,
> > Melvin
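
A preflight check for the failures seen in this thread, as an added example that is not part of the original messages or of Globus Toolkit: it verifies the three config files John lists, the certificates directory and an FQDN-shaped host name. It also flags group- or world-writable files, because the "command not found" errors above show grid-security.conf being executed by the shell; the function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: preflight checks to run before grid-cert-request -host.
# File names come from the thread; function names and labels are hypothetical.
REQUIRED="grid-security.conf globus-host-ssl.conf globus-user-ssl.conf"

# is_fqdn NAME: true only for a dotted host name (no '@', spaces or empty labels).
is_fqdn() {
    case "$1" in
        ""|*@*|*" "*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# loosely_writable PATH: true if group or other has write permission on PATH.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# check_grid_security DIR HOST: print findings; return the number of problems.
check_grid_security() {
    dir=$1; host=$2; problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING dir  $dir"; return 1
    fi
    [ -d "$dir/certificates" ] || {
        echo "MISSING dir  $dir/certificates"; problems=$((problems + 1)); }
    for f in $REQUIRED; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING file $dir/$f"; problems=$((problems + 1))
        elif loosely_writable "$dir/$f"; then
            # The "command not found" errors in the thread show grid-security.conf
            # being run by the shell, so write access to it means code execution.
            echo "WRITABLE     $dir/$f (group/other)"; problems=$((problems + 1))
        fi
    done
    if loosely_writable "$dir"; then
        echo "WRITABLE     $dir (group/other)"; problems=$((problems + 1))
    fi
    is_fqdn "$host" || { echo "NOT FQDN     '$host'"; problems=$((problems + 1)); }
    return "$problems"
}

# Usage: sh preflight.sh /etc/grid-security
if [ -n "${1:-}" ]; then
    check_grid_security "$1" "$(hostname)" || echo "$? problem(s) found"
fi
```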
