Category: LINUX

2010-03-19 10:18:49

Create the host certificate

Run as the root user:

[root@wang136 opt]# /usr/local/globus-4.0.8/bin/grid-cert-request -host `hostname`

Generating a 1024 bit RSA private key

.......++++++

...................++++++

writing new private key to '/etc/grid-security/hostkey.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-wang136.hrwang.com]:Name (e.g., John M. Smith) []:

 

A private host key and a certificate request has been generated

with the subject:

 

/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/CN=host/wang136.hrwang.com

 

----------------------------------------------------------

 

The private key is stored in /etc/grid-security/hostkey.pem

The request is stored in /etc/grid-security/hostcert_request.pem

 

Please e-mail the request to the Globus Simple CA wanghongrui@ceopen.cn

You may use a command similar to the following:

 

 cat /etc/grid-security/hostcert_request.pem | mail wanghongrui@ceopen.cn

 

Only use the above if this machine can send AND receive e-mail. if not, please

mail using some other method.

 

Your certificate will be mailed to you within two working days.

If you receive no response, contact Globus Simple CA at wanghongrui@ceopen.cn

 

Sign the host certificate

Run as the globus user:

[globus@wang136 globus-4.0.8]$ grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out /tmp/hostsigned.pem

To sign the request

please enter the password for the CA key:123456  (enter the password that was set when the CA was first created)

 

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

 

 

Run as the root user:

[root@wang136 opt]# cp /tmp/hostsigned.pem  /etc/grid-security/hostcert.pem

 

Make sure the permissions are as follows (mode, owner, group):

/etc/grid-security/hostcert.pem   644   root   root

/etc/grid-security/hostkey.pem   400   root   root
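The ownership and mode table above (and the containercert/containerkey copies later in the post) are the kind of thing that silently drifts after a cp or a restore from backup, so here is a small POSIX-shell checker for them. This is an added example, not part of the original post or of the Globus Toolkit: it assumes GNU coreutils `stat -c` (on BSD/macOS use `stat -f '%Lp %Su %Sg'`), and it only ever runs against a scratch directory filled with constructed placeholder files, never against /etc/grid-security.

```shell
#!/bin/sh
# Added example, not from the original post: check that a certificate/key
# pair carries the modes the post requires (cert 644, key 400) and is owned
# by the expected account. Assumes GNU `stat -c`.

# check_cred_perms DIR OWNER GROUP CERT KEY
#   Verifies DIR/CERT is mode 644 and DIR/KEY is mode 400, both owned by
#   OWNER:GROUP. Prints one line per problem; returns 0 when everything
#   matches, 1 otherwise.
check_cred_perms() {
    dir="$1"; owner="$2"; group="$3"; cert="$4"; key="$5"
    rc=0
    for spec in "$cert:644" "$key:400"; do
        name="${spec%%:*}"; want="${spec##*:}"
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        # stat prints "octal-mode owner group"; split it into $1 $2 $3
        set -- $(stat -c '%a %U %G' "$path")
        mode="$1"; u="$2"; g="$3"
        [ "$mode" = "$want" ] || { echo "MODE     $path is $mode, want $want"; rc=1; }
        [ "$u" = "$owner" ]   || { echo "OWNER    $path is $u, want $owner"; rc=1; }
        [ "$g" = "$group" ]   || { echo "GROUP    $path is $g, want $group"; rc=1; }
    done
    return $rc
}

# make_sample_creds DIR
#   Creates constructed placeholder hostcert.pem / hostkey.pem in DIR with
#   the modes the post lists. The contents are not real PEM material.
make_sample_creds() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder' \
        '-----END CERTIFICATE-----' > "$1/hostcert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$1/hostkey.pem"
    chmod 644 "$1/hostcert.pem"
    chmod 400 "$1/hostkey.pem"
}

# Stand-alone demonstration in a scratch directory owned by the current user.
demo_dir=$(mktemp -d)
make_sample_creds "$demo_dir"
if check_cred_perms "$demo_dir" "$(id -un)" "$(id -gn)" hostcert.pem hostkey.pem; then
    echo "credential permissions OK"
fi
chmod 644 "$demo_dir/hostkey.pem"   # simulate the common mistake: a readable private key
check_cred_perms "$demo_dir" "$(id -un)" "$(id -gn)" hostcert.pem hostkey.pem \
    || echo "problems found (expected after loosening the key mode)"
rm -rf "$demo_dir"
```

On the real host you would call it as `check_cred_perms /etc/grid-security root root hostcert.pem hostkey.pem` and, after the container copies are made, `check_cred_perms /etc/grid-security globus globus containercert.pem containerkey.pem`; a non-zero exit is a good hook for a post-install or cron sanity check.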

 

Create the user certificate

[root@wang136 grid-security]# useradd nimbus

[root@wang136 grid-security]# passwd nimbus

 

Log in as the nimbus user and run the following commands:

[nimbus@wang136 ~]$ export GLOBUS_LOCATION=/usr/local/globus-4.0.8

[nimbus@wang136 ~]$ cd /usr/local/globus-4.0.8/bin/

[nimbus@wang136 bin]$ ./grid-cert-request   (you are prompted for your name; I entered Hongrui Wang)

Enter your name, e.g., John Smith: Hongrui Wang

A certificate request and private key is being created.

You will be asked to enter a PEM pass phrase.

This pass phrase is akin to your account password,

and is used to protect your key file.

If you forget your pass phrase, you will need to

obtain a new certificate.

 

Generating a 1024 bit RSA private key

.......++++++

................++++++

writing new private key to '/home/nimbus/.globus/userkey.pem'

Enter PEM pass phrase:                                (this prompts for the user certificate's pass phrase)

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-wang136.hrwang.com]:Level 2 Organizational Unit [hrwang.com]:Name (e.g., John M. Smith) []:

 

A private key and a certificate request has been generated with the subject:

 

/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang

 

If the CN=Hongrui Wang is not appropriate, rerun this

script with the -force -cn "Common Name" options.

 

Your private key is stored in /home/nimbus/.globus/userkey.pem

Your request is stored in /home/nimbus/.globus/usercert_request.pem

 

Please e-mail the request to the Globus Simple CA wanghongrui@ceopen.cn

You may use a command similar to the following:

 

  cat /home/nimbus/.globus/usercert_request.pem | mail wanghongrui@ceopen.cn

 

Only use the above if this machine can send AND receive e-mail. if not, please

mail using some other method.

 

Your certificate will be mailed to you within two working days.

If you receive no response, contact Globus Simple CA at wanghongrui@ceopen.cn

 

This command generated three files:

[nimbus@wang136 bin]$ ls -l ~/.globus/

total 8

-rw-r--r-- 1 nimbus nimbus    0 May 26 18:22 usercert.pem            (empty)

-rw-r--r-- 1 nimbus nimbus 1439 May 26 18:22 usercert_request.pem

-r-------- 1 nimbus nimbus  963 May 26 18:22 userkey.pem

 

[nimbus@wang136 bin]$ cp ~/.globus/usercert_request.pem  /tmp/       

 

Sign the user certificate

Run as the globus user:

[globus@wang136 globus-4.0.8]$ grid-ca-sign -in /tmp/usercert_request.pem -out /tmp/usercert_signed.pem

To sign the request

please enter the password for the CA key:123456             (enter the CA password)

 

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem

 

 

Then, as root, run the following commands:

[root@wang136 tmp]# chown nimbus:nimbus /tmp/usercert_signed.pem

[root@wang136 tmp]# chmod 644 /tmp/usercert_signed.pem

 

Then, as the nimbus user, run the following command:

[nimbus@wang136 .globus]$ cp /tmp/usercert_signed.pem  ~/.globus/usercert.pem

 

 

Make the host certificate accessible to the container

Run as the root user:

[root@wang136 tmp]# cd /etc/grid-security/

[root@wang136 grid-security]# cp hostkey.pem containerkey.pem

[root@wang136 grid-security]# cp hostcert.pem containercert.pem

[root@wang136 grid-security]# chown globus:globus container*

[root@wang136 grid-security]# ls -l *.pem

-rw-r--r-- 1 globus globus 2710 May 26 18:34 containercert.pem

-r-------- 1 globus globus  887 May 26 18:34 containerkey.pem

-rw-r--r-- 1 root   root   2710 May 26 18:18 hostcert.pem

-rw-r--r-- 1 root   root   1422 May 26 18:11 hostcert_request.pem

-r-------- 1 root   root    887 May 26 18:11 hostkey.pem

 

Add authorization for the user

As root, create the file /etc/grid-security/grid-mapfile.

Each entry in this file needs two pieces of information:

       the subject name of a user

       the account name it should map to

The syntax is one user per line.

 

As the nimbus user, use grid-cert-info to get the subject name and whoami to get the account name:

[nimbus@wang136 .globus]$ cd /usr/local/globus-4.0.8/bin/

[nimbus@wang136 bin]$ ./grid-cert-info -subject

/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang

[nimbus@wang136 bin]$ whoami

nimbus

 

As root, run the following command:

[root@wang136 grid-security]# /usr/local/globus-4.0.8/sbin/grid-mapfile-add-entry -dn "/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" -ln nimbus

Modifying /etc/grid-security/grid-mapfile ...

/etc/grid-security/grid-mapfile does not exist... Attempting to create /etc/grid-security/grid-mapfile

New entry:

"/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" nimbus

(1) entry added

 

The corresponding line has been added to grid-mapfile; its contents are now:

[root@wang136 grid-security]# cat grid-mapfile

"/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" nimbus
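The grid-mapfile is the authorization boundary here: whatever account a line names is the local identity a presenter of that DN will run as, so reading and writing it carefully matters. The following POSIX-shell reader and writer for the format described above (one entry per line, a double-quoted subject DN followed by the local account name) is an added example, not code from the original post or from the Globus Toolkit. It works on a constructed mapfile in a temp file; the real file is /etc/grid-security/grid-mapfile, and the `grid-mapfile-add-entry` tool shown above remains the supported way to edit it.

```shell
#!/bin/sh
# Added example, not from the original post: parse and extend a grid-mapfile.
# Format per line: "subject DN" account[,account2...]   (# starts a comment)

# gridmap_lookup MAPFILE DN
#   Prints the first local account mapped to DN and returns 0; returns 1
#   when the DN has no entry. Blank and comment lines are skipped, and a
#   line whose DN is not double-quoted is treated as malformed and never
#   matched, so a mangled line cannot grant access by accident.
gridmap_lookup() {
    mf_path="$1"; want="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"        # trim leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                        # blank or comment
            '"'*)    ;;                                 # quoted DN: parse below
            *)       continue ;;                        # malformed: ignore
        esac
        rest="${line#\"}"
        dn="${rest%%\"*}"                               # text up to the closing quote
        accts="${rest#*\"}"
        accts="${accts#"${accts%%[![:space:]]*}"}"      # trim space after the quote
        if [ "$dn" = "$want" ]; then
            printf '%s\n' "${accts%%[[:space:],]*}"     # first account of an "a,b" list
            return 0
        fi
    done < "$mf_path"
    return 1
}

# gridmap_add_entry MAPFILE DN ACCOUNT
#   Appends a mapping, refusing a DN that is already mapped so that a
#   second, conflicting line is never silently created.
gridmap_add_entry() {
    if existing=$(gridmap_lookup "$1" "$2"); then
        echo "refusing: DN already mapped to '$existing'" >&2
        return 1
    fi
    printf '"%s" %s\n' "$2" "$3" >> "$1"
}

# write_sample_mapfile PATH
#   Writes a constructed mapfile: the post's nimbus entry, a comment, a
#   second constructed user with two accounts, and a malformed unquoted line.
write_sample_mapfile() {
    cat > "$1" <<'EOF'
# constructed sample grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" nimbus
"/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Example User" exuser,exuser2
/O=Grid/OU=GlobusTest/CN=Unquoted Entry baduser
EOF
}

# Stand-alone demonstration on a temp file.
demo=$(mktemp)
write_sample_mapfile "$demo"
gridmap_lookup "$demo" "/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang"
gridmap_add_entry "$demo" "/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" other \
    || echo "duplicate rejected (expected)"
rm -f "$demo"
```

The lookup deliberately compares the DN as an exact string: the subject printed by `grid-cert-info -subject` must match the mapfile character for character, which is why the post copies it from that command rather than typing it by hand.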

 

Verify the basic security setup

At this point the trusted CA, the required host certificate and the user certificate are all installed, so you can verify your security setup. As the nimbus user, run:

[nimbus@wang136 bin]$ /usr/local/globus-4.0.8/bin/grid-proxy-init -verify -debug

User Cert File: /home/nimbus/.globus/usercert.pem

User Key File: /home/nimbus/.globus/userkey.pem

 

Trusted CA Cert Dir: /etc/grid-security/certificates

 

Output File: /tmp/x509up_u501

Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang

Enter GRID pass phrase for this identity:123456             (enter the user certificate's pass phrase)

Creating proxy ...++++++++++++

........++++++++++++

 Done

Proxy Verify OK

Your proxy is valid until: Wed May 27 06:43:36 2009

 

Configure the GridFTP service

Run the following commands as root:

[root@wang136 grid-security]# cd /etc/xinetd.d/

[root@wang136 xinetd.d]# vi gridftp

service gsiftp
{
        instances               = 100
        protocol                = tcp
        socket_type             = stream
        wait                    = no
        user                    = root
        env                     += GLOBUS_LOCATION=/usr/local/globus-4.0.8
        env                     += LD_LIBRARY_PATH=/usr/local/globus-4.0.8/lib
        server                  = /usr/local/globus-4.0.8/sbin/globus-gridftp-server
        server_args             = -i
        log_on_success          += DURATION
        disable                 = no
}

 

[root@wang136 xinetd.d]# vi /etc/services                (append the following line at the end)

gsiftp            2811/tcp

 

[root@wang136 xinetd.d]# service xinetd reload

Reloading configuration:                                   [  OK  ]

[root@wang136 xinetd.d]# netstat -an |grep 2811

tcp        0      0 0.0.0.0:2811                0.0.0.0:*                   LISTEN     

The host now has its hostcert in place and we have started gridftp-server as root.

Let's test it as the nimbus user:

[nimbus@wang136 bin]$ pwd

/usr/local/globus-4.0.8/bin

[nimbus@wang136 bin]$ ./globus-url-copy gsiftp://wang136.hrwang.com/etc/group file:///tmp/nimbus.group.copy

[nimbus@wang136 bin]$ ls -l /tmp/nimbus.group.copy

-rw-rw-r-- 1 nimbus nimbus 760 May 26 18:52 /tmp/nimbus.group.copy

[nimbus@wang136 bin]$ diff /etc/group /tmp/nimbus.group.copy

 

Verify and adjust GT

Run as the globus user:

[globus@wang136 globus-4.0.8]$ pwd

/usr/local/globus-4.0.8

[globus@wang136 globus-4.0.8]$ vi etc/globus_wsrf_core_samples_counter/security-config.xml 


1: Change every "GSISecureConversation" to "GSITransport", and change "self" to "gridmap".

 

[globus@wang136 globus-4.0.8]$ ./bin/globus-start-container        (start the container)

Starting SOAP server at:

With the following services:

 

[1]: AdminService

[2]: AuthzCalloutTestService

[3]: ContainerRegistryEntryService

[4]: ContainerRegistryService

[5]: CounterService

[6]: JWSCoreVersion

[7]: ManagementService

[8]: NotificationConsumerFactoryService

[9]: NotificationConsumerService

[10]: NotificationTestService

[11]: PersistenceTestSubscriptionManager

[12]: SampleAuthzService

[13]: SecureCounterService

[14]: SecurityTestService

[15]: ShutdownService

[16]: SubscriptionManagerService

[17]: TestAuthzService

[18]: TestRPCService

[19]: TestService

[20]: TestServiceRequest

[21]: TestServiceWrongWSDL

[22]: Version

[23]: WidgetNotificationService

[24]: WidgetService

[25]: gsi/AuthenticationService

 

You can see [13]: SecureCounterService in the list.

 

As the nimbus user, run:

[nimbus@wang136 bin]$ /usr/local/globus-4.0.8/bin/counter-client -s SecureCounterService  

Got notification with value: 3

Counter has value: 3

Got notification with value: 13


Install Nimbus-TP2.2

[root@wang136 opt]# pwd                            (the software is placed under /opt)

/opt

[root@wang136 opt]# tar zxvf nimbus-TP2.2.tar.gz

[root@wang136 opt]# chown -R globus:globus nimbus-TP2.2

 

Switch to the globus user and run:

[globus@wang136 nimbus-TP2.2]$ pwd

/opt/nimbus-TP2.2

[globus@wang136 nimbus-TP2.2]$ ./bin/all-build-and-install.sh

     [echo] **** Module: /opt/nimbus-TP2.2/autoconfiguration

     [echo] Installing: Nimbus auto-configuration tools GAR package

     [echo] Deploying gar with profile:

     [echo] Installed: Nimbus auto-configuration tools GAR package

     [echo]        

     [echo] NOTES: To run the auto-configuration program, launch:

     [echo]        /usr/local/globus-4.0.8/share/nimbus-autoconfig/autoconfig.sh

     [echo]        

     [echo]        To run the cloud configuration admin helper, launch:

     [echo]        /usr/local/globus-4.0.8/share/nimbus-autoconfig/cloud-admin.sh

     [echo]        

 

BUILD SUCCESSFUL

Total time: 2 minutes 3 seconds

Successful: Nimbus - build and install all

 

[globus@wang136 nimbus]$ cp /etc/grid-security/grid-mapfile /usr/local/globus-4.0.8/etc/nimbus/nimbus-grid-mapfile            

Note: keep the contents of the two files identical.