Well, I've run into another brick wall, and need another clue or two.

After progressing through the SimpleCA instructions, the step 5 verification succeeds (as globus user, gridtest):

    grid-proxy-init -debug -verify

Which comes back with the successful output and asks for the pass phrase, so that is OK. I then create the rpm package as outlined in step 6:

    rpmbuild -ta ./globus_simple_ca_HASH.tar.gz

I installed that on my client, but I can not transfer any files, and all attempts to do so result in authentication errors.

Steps I've taken:

Copied /home/gridtest/.globus to machine2

Started the grid-ftp service on machine1:

    sudo service globus-gridftp-server start

Telnet to machine1 from machine2, and get the banner:

    telnet machine2 2811

But trying

    globus-url-copy gsiftp://localhost/tmp/file1 file:///tmp/file2

on machine1, or

    globus-url-copy -v gsiftp://machine1/tmp/file1 file:///tmp/file2

from machine2 fails with several lines of errors that all relate to authentication errors.

So I guess my questions at this point are:

What needs to be running on which machine
What certificate files need to be on which machine
How do I transfer a file from the client (machine2) to the server (machine1)?

Thanks,
Melvin

----------------------------------------
> From: [email protected]
> To: [email protected]
> Date: Wed, 17 Oct 2012 14:20:50 -0500
> CC: [email protected]
> Subject: Re: [gt-user] host certificate request fails
>
> Thanks John,
>
> Looks like we both had the same thought because that is what I've been doing
> too.
>
> Your advice was right on and I'm making a bit of progress. This may work yet.
> You'll notice this reply is not the same as the one I accidentally sent to
> just you, because I found a few errors in that line of thought. This reply
> includes those corrected steps.
>
> What I ended up doing:
>
> sudo mkdir /etc/grid-security/
> sudo chown gridtest:gridtest /etc/grid-security/
>
> mkdir /etc/grid-security/certificates
> /usr/bin/grid-ca-create
>
> cp /home/gridtest/)/globus-host-ssl.conf /etc/grid-security
> cp /home/gridtest/.globus/simpleCA/globus-user-ssl.conf /etc/grid-security
> cp /home/gridtest/.globus/simpleCA/grid-security.conf /etc/grid-security
> cp /home/gridtest/.globus/simpleCA/signing-policy /etc/grid-security
> cp /home/gridtest/.globus/simpleCA/grid-ca-ssl.conf /etc/grid-security
>
> Then at step three, you and Joseph were correct about the FQDN:
> grid-cert-request -host 'gridftp.mydomain.com' -force
>
> After that, the documentation
> (http://www.globus.org/toolkit/docs/5.2/5.2.2/admin/install/appendix.html#gtadmin-simpleca)
> seems to be fairly accurate.
>
> (For the curious, in my original reply I had run grid-ca-create as root, and
> that put the files into /var/lib/globus/simple_ca, not ~/.globus/simpleCA.
> There were other location discrepancies as well)
>
> ________________________________
> > Date: Wed, 17 Oct 2012 10:35:56 -0500
> > Subject: Re: [gt-user] host certificate request fails
> > From: [email protected]
> > To: [email protected]
> >
> > Well,
> >
> > I worked around these issues doing some tricks. For instance, when
> > grid-ca-create shows the warning [permissions] message, I ignored and
> > copied the required files to the /etc/grid-security directory as I
> > mentioned before. If /etc/grid-security does not exist, I created it
> > as root user and then changed its ownership to the globus user. As a
> > matter of fact, until you mentioned, I did not know that
> > GLOBUS_LOCATION points to /usr/sbin directory so for the installation
> > purposes, I think, is not relevant that variable at that time.
> >
> > On 17 October 2012 09:53, gridftp user <[email protected]> wrote:
> >
> > Hi John,
> >
> > You are the second person to mention this, and this sounds like just
> > what I need. I'll report back on my progress.
> >
> > You bring up an interesting point regarding the globus user. According
> > to the Simple CA instructions, I should create a "...generic globus
> > account, which will be used to perform administrative tasks. This user
> > will also be in charge of managing the SimpleCA. To do this, make sure
> > this account has read and write permissions in the $GLOBUS_LOCATION
> > directory." I am trying to implement this on CentOS 6.2, and
> > $GLOBUS_LOCATION is /usr/sbin, which is only writable by root. That
> > makes it kind of difficult to create a generic, non-privileged user
> > with the stated necessary write permissions. Can you tell me what needs
> > to be written to so I can only allow that write access instead of full
> > access to /usr/sbin?
> >
> > Thanks!
> >
> > ________________________________
> > > Date: Wed, 17 Oct 2012 08:37:37 -0500
> > > Subject: Re: [gt-user] host certificate request fails
> > > From: [email protected]
> > > To: [email protected]
> > > CC: [email protected]
> > >
> > > Hi Melvin,
> > >
> > > Days ago I experimented the same issue that you are facing now and I
> > > think that the problem is on the Globus Toolkit documentation. Here is
> > > how I fixed
> > >
> > > 1. Be sure to run the grid-ca-create command as globus user
> > > 2. This command creates a directory in the globus's home directory
> > > (~/.globus/simpleCA) which contains a lot of files that you need to
> > > copy in the /etc/grid-security directory. Those files are:
> > > globus-host-ssl.conf, globus-user-ssl.conf and grid-security.conf.
> > > I also copied signing-policy and grid-ca-ssl.conf but I am not quite sure
> > > if they have to be copied too.
> > >
> > > Run the hostname command be sure that it returns the FQDN for the
> > > machine where you are setting up the gridftp service.
> > >
> > > The /etc/grid-security/certificates exists on that machine?
> > >
> > > On 17 October 2012 08:25, gridftp user <[email protected]> wrote:
> > >
> > > According to the instructions for setting up the Simple CA
> > > (http://globus.org/toolkit/docs/5.2/5.2.2/admin/install/appendix.html#gtadmin-simpleca),
> > > I need to request a host certificate by running:
> > > sudo grid-cert-request -host 'hostname'
> > >
> > > It would have been really nice if the next line explained what value is
> > > expected for 'hostname' but the author failed to see a need for this.
> > > Assuming it means my host, I entered:
> > > sudo grid-cert-request -host '[email protected]'
> > >
> > > and got an immediate error:
> > > line 917: /etc/grid-security/grid-security.conf: No such file or directory
> > >
> > > Searching for that file name on the Globus site, I found a description
> > > from the version 4.0 documentation
> > > (http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch05.html):
> > > grid-security.conf A base configuration file that contains the
> > > name and email address for the CA.
> > >
> > > So I created that /etc/grid-security/grid-security.conf file:
> > > root
> > > [email protected]
> > >
> > > Now sudo grid-cert-request -host '[email protected]' gives another
> > > error:
> > > /etc/grid-security/grid-security.conf: line 1: root: command not found
> > > /etc/grid-security/grid-security.conf: line 2: [email protected]: command not found
> > > /usr/bin/grid-cert-request: line 442: /etc/grid-security/globus-host-ssl.conf: No such file or directory
> > >
> > > So obviously grid-security.conf is not a base configuration file that
> > > contains the name and email address for the CA. Is there any chance
> > > someone would be willing to take a minute to explain what that file
> > > should contain, as well an example of what should be in
> > > /etc/grid-security/globus-host-ssl.conf? I would sure appreciate it.
> > >
> > > Thanks,
> > > Melvin
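
The checks described in John's reply (the three config files copied into /etc/grid-security, the certificates directory present, and hostname returning the FQDN) written as a preflight script to run before grid-cert-request. This is an added example, not code from the thread or from the Globus Toolkit; the function names and the --run switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check before grid-cert-request.
# File names are the ones John lists; function names are hypothetical.

REQUIRED_CONF="grid-security.conf globus-host-ssl.conf globus-user-ssl.conf"

# is_fqdn NAME: true if NAME has a dot, no '@', and no empty labels.
is_fqdn() {
    case "$1" in
        ''|*@*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_conf DIR: print every required item that is absent (or empty) in DIR.
missing_conf() {
    for f in $REQUIRED_CONF; do
        [ -s "$1/$f" ] || printf '%s\n' "$f"
    done
    [ -d "$1/certificates" ] || printf '%s\n' "certificates/"
}

# preflight DIR HOSTNAME: return 0 only when both checks pass.
preflight() {
    rc=0
    if ! is_fqdn "$2"; then
        echo "'$2' is not an FQDN; grid-cert-request -host needs the FQDN" >&2
        rc=1
    fi
    missing=$(missing_conf "$1")
    if [ -n "$missing" ]; then
        echo "missing under $1:" $missing >&2
        rc=1
    fi
    return $rc
}

# Check the live system only when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight /etc/grid-security "$(hostname)"
fi
```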
