Category: LINUX
2010-03-19 10:18:49
) Create the host certificate
Run as root:
[root@wang136 opt]# /usr/local/globus-
Generating a 1024 bit RSA private key
.......++++++
...................++++++
writing new private key to '/etc/grid-security/hostkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-wang136.hrwang.com]:Name (e.g., John M. Smith) []:
A private host key and a certificate request has been generated
with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/CN=host/wang136.hrwang.com
----------------------------------------------------------
The private key is stored in /etc/grid-security/hostkey.pem
The request is stored in /etc/grid-security/hostcert_request.pem
Please e-mail the request to the Globus Simple CA wanghongrui@ceopen.cn
You may use a command similar to the following:
cat /etc/grid-security/hostcert_request.pem | mail wanghongrui@ceopen.cn
Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at wanghongrui@ceopen.cn
) Sign the host certificate
Run as the globus user:
[globus@wang136 globus-
To sign the request
please enter the password for the CA key:123456 (enter the password that was set when the CA was first created)
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem
Run as root:
[root@wang136 opt]# cp /tmp/hostsigned.pem /etc/grid-security/hostcert.pem
Make sure the permissions are as follows:
/etc/grid-security/hostcert.pem 644 root root
/etc/grid-security/hostkey.pem 400 root root
Create the user certificate
[root@wang136 grid-security]# useradd nimbus
[root@wang136 grid-security]# passwd nimbus
Log in as the nimbus user and run the following commands:
[nimbus@wang136 ~]$ export GLOBUS_LOCATION=/usr/local/globus-
[nimbus@wang136 ~]$ cd /usr/local/globus-
[nimbus@wang136 bin]$ ./grid-cert-request (prompts for a user name; I entered Hongrui Wang)
Enter your name, e.g., John Smith: Hongrui Wang
A certificate request and private key is being created.
You will be asked to enter a PEM pass phrase.
This pass phrase is akin to your account password,
and is used to protect your key file.
If you forget your pass phrase, you will need to
obtain a new certificate.
Generating a 1024 bit RSA private key
.......++++++
................++++++
writing new private key to '/home/nimbus/.globus/userkey.pem'
Enter PEM pass phrase: (enter the password for the user certificate here)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-wang136.hrwang.com]:Level 2 Organizational Unit [hrwang.com]:Name (e.g., John M. Smith) []:
A private key and a certificate request has been generated with the subject:
/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang
If the CN=Hongrui Wang is not appropriate, rerun this
script with the -force -cn "Common Name" options.
Your private key is stored in /home/nimbus/.globus/userkey.pem
Your request is stored in /home/nimbus/.globus/usercert_request.pem
Please e-mail the request to the Globus Simple CA wanghongrui@ceopen.cn
You may use a command similar to the following:
cat /home/nimbus/.globus/usercert_request.pem | mail wanghongrui@ceopen.cn
Only use the above if this machine can send AND receive e-mail. if not, please
mail using some other method.
Your certificate will be mailed to you within two working days.
If you receive no response, contact Globus Simple CA at wanghongrui@ceopen.cn
This command generates three files:
[nimbus@wang136 bin]$ ls -l ~/.globus/
total 8
-rw-r--r-- 1 nimbus nimbus 0 May 26 18:22 usercert.pem (empty)
-rw-r--r-- 1 nimbus nimbus 1439 May 26 18:22 usercert_request.pem
-r-------- 1 nimbus nimbus 963 May 26 18:22 userkey.pem
[nimbus@wang136 bin]$ cp ~/.globus/usercert_request.pem /tmp/
) Sign the user certificate
Run as the globus user:
[globus@wang136 globus-
To sign the request
please enter the password for the CA key:123456 (enter the CA's password)
The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/02.pem
Then, with root privileges, run the following commands:
[root@wang136 tmp]# chown nimbus:nimbus /tmp/usercert_signed.pem
[root@wang136 tmp]# chmod 644 /tmp/usercert_signed.pem
Then, as the nimbus user, run the following command:
[nimbus@wang136 .globus]$ cp /tmp/usercert_signed.pem ~/.globus/usercert.pem
) Make sure the host certificate is accessible to the container
Run as root:
[root@wang136 tmp]# cd /etc/grid-security/
[root@wang136 grid-security]# cp hostkey.pem containerkey.pem
[root@wang136 grid-security]# cp hostcert.pem containercert.pem
[root@wang136 grid-security]# chown globus:globus container*
[root@wang136 grid-security]# ls -l *.pem
-rw-r--r-- 1 globus globus 2710 May 26 18:34 containercert.pem
-r-------- 1 globus globus 887 May 26 18:34 containerkey.pem
-rw-r--r-- 1 root root 2710 May 26 18:18 hostcert.pem
-rw-r--r-- 1 root root 1422 May 26 18:11 hostcert_request.pem
-r-------- 1 root root 887 May 26 18:11 hostkey.pem
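The ownership and mode requirements from the host-certificate step above and from the container copies just listed are easy to get wrong after a restore or a re-run; the following added example (not part of the original post) audits them. It assumes GNU stat, as on the Linux host used here, and takes the expected values straight from the listings above.

```shell
#!/bin/sh
# check_grid_file FILE MODE OWNER GROUP
# Returns 0 when FILE exists with exactly the octal MODE and OWNER:GROUP,
# otherwise prints what differs and returns 1. Assumes GNU stat (Linux).
check_grid_file() {
    file="$1" want_mode="$2" want_owner="$3" want_group="$4"
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    set -- $(stat -c '%a %U %G' "$file")
    if [ "$1" = "$want_mode" ] && [ "$2" = "$want_owner" ] && [ "$3" = "$want_group" ]; then
        echo "OK      $file ($1 $2:$3)"
        return 0
    fi
    echo "BAD     $file is $1 $2:$3, want $want_mode $want_owner:$want_group"
    return 1
}

# audit_grid_security [DIR]
# Checks every file the post leaves in /etc/grid-security (DIR defaults to it):
# the host key readable only by root, the container copies owned by globus,
# and the certificates world-readable but writable only by their owner.
audit_grid_security() {
    dir="${1:-/etc/grid-security}"
    rc=0
    check_grid_file "$dir/hostcert.pem"      644 root   root   || rc=1
    check_grid_file "$dir/hostkey.pem"       400 root   root   || rc=1
    check_grid_file "$dir/containercert.pem" 644 globus globus || rc=1
    check_grid_file "$dir/containerkey.pem"  400 globus globus || rc=1
    return $rc
}
```

Run `audit_grid_security` as root after the copy step; a non-zero exit means at least one file is missing or has the wrong mode or owner.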
Add authorization for the user
As root, create the file /etc/grid-security/grid-mapfile.
This file needs two pieces of information:
the subject name of a user
the account name it should map to
The syntax is one user per line.
As the nimbus user, use grid-cert-info to get the subject name and whoami to get the account name:
[nimbus@wang136 .globus]$ cd /usr/local/globus-
[nimbus@wang136 bin]$ ./grid-cert-info -subject
/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang
[nimbus@wang136 bin]$ whoami
nimbus
With root privileges, run the following command:
[root@wang136 grid-security]# /usr/local/globus-
Modifying /etc/grid-security/grid-mapfile ...
/etc/grid-security/grid-mapfile does not exist... Attempting to create /etc/grid-security/grid-mapfile
New entry:
"/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" nimbus
(1) entry added
The corresponding line has been added to grid-mapfile; its contents are:
[root@wang136 grid-security]# cat grid-mapfile
"/O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang" nimbus
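To see how the mapping above is consumed, here is an added example (not part of the original post, and not Globus code) of a POSIX sh function that resolves a certificate subject to the local account a grid-mapfile maps it to. It goes beyond the single entry shown: it also honors comment lines and the comma-separated account lists the grid-mapfile format allows, and it treats an unquoted DN (one with no spaces) as the first field.

```shell
#!/bin/sh
# gridmap_lookup MAPFILE SUBJECT
# Prints the first local account MAPFILE maps SUBJECT to and returns 0;
# prints nothing and returns 1 when SUBJECT has no entry.
# One entry per line: '"DN" account[,account...]'. Blank lines and '#'
# comments are skipped. grid-mapfile-add-entry always quotes the DN, which is
# required whenever the DN contains spaces (as the CN above does).
gridmap_lookup() {
    mapfile="$1" subject="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*) continue ;;
            '"'*)   # quoted DN: the text between the first pair of quotes
                dn=${line#\"}; dn=${dn%%\"*}
                accounts=${line#*\"*\"} ;;
            *)      # unquoted DN: the first field; the rest is the account list
                set -- $line
                dn=$1; shift; accounts="$*" ;;
        esac
        # exact match only: a prefix match would let a subject that merely
        # starts with the same text borrow another user's account
        if [ "$dn" = "$subject" ]; then
            accounts=$(printf '%s' "$accounts" | tr -d ' \t')
            printf '%s\n' "${accounts%%,*}"
            return 0
        fi
    done < "$mapfile"
    return 1
}
# Usage on the host from this post:
#   gridmap_lookup /etc/grid-security/grid-mapfile "$(grid-cert-info -subject)"
```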
Verify basic security
At this point the trusted CA, the required host certificate, and the user certificate are all installed, so you can verify your security setup. As the nimbus user, run:
[nimbus@wang136 bin]$ /usr/local/globus-
User Cert File: /home/nimbus/.globus/usercert.pem
User Key File: /home/nimbus/.globus/userkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/x509up_u501
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-wang136.hrwang.com/OU=hrwang.com/CN=Hongrui Wang
Enter GRID pass phrase for this identity:123456 (enter the user certificate's password)
Creating proxy ...++++++++++++
........++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Wed May 27 06:43:36 2009
Configure the GridFTP service
Run the following commands as root:
[root@wang136 grid-security]# cd /etc/xinetd.d/
[root@wang136 xinetd.d]# vi gridftp
service gsiftp
{
instances = 100
protocol = tcp
socket_type = stream
wait = no
user = root
env += GLOBUS_LOCATION=/usr/local/globus-
env += LD_LIBRARY_PATH=/usr/local/globus-
server = /usr/local/globus-
server_args = -i
log_on_success += DURATION
disable = no
}
[root@wang136 xinetd.d]# vi /etc/services (append the following at the end of the file)
gsiftp 2811/tcp
[root@wang136 xinetd.d]# service xinetd reload
Reloading configuration: [ OK ]
[root@wang136 xinetd.d]# netstat -an |grep 2811
tcp 0 0
The host now has its hostcert configured, and we started gridftp-server as root.
Try an experiment as the nimbus user:
[nimbus@wang136 bin]$ pwd
/usr/local/globus-
[nimbus@wang136 bin]$ ./globus-url-copy gsiftp://wang136.hrwang.com/etc/group file:///tmp/nimbus.group.copy
[nimbus@wang136 bin]$ ls -l /tmp/nimbus.group.copy
-rw-rw-r-- 1 nimbus nimbus 760 May 26 18:52 /tmp/nimbus.group.copy
[nimbus@wang136 bin]$ diff /etc/group /tmp/nimbus.group.copy
Verify and adjust GT
Run as the globus user:
[globus@wang136 globus-
/usr/local/globus-
[globus@wang136 globus-
Note 1: change every "GSISecureConversation" to "GSITransport", and change "self" to "gridmap".
[globus@wang136 globus-
Starting SOAP server at:
With the following services:
[1]: AdminService
[2]: AuthzCalloutTestService
[3]: ContainerRegistryEntryService
[4]: ContainerRegistryService
[5]: CounterService
[6]: JWSCoreVersion
[7]: ManagementService
[8]: NotificationConsumerFactoryService
[9]: NotificationConsumerService
[10]: NotificationTestService
[11]: PersistenceTestSubscriptionManager
[12]: SampleAuthzService
[13]: SecureCounterService
[14]: SecurityTestService
[15]: ShutdownService
[16]: SubscriptionManagerService
[17]: TestAuthzService
[18]: TestRPCService
[19]: TestService
[20]: TestServiceRequest
[21]: TestServiceWrongWSDL
[22]: Version
[23]: WidgetNotificationService
[24]: WidgetService
[25]: gsi/AuthenticationService
You can see [13]: SecureCounterService in the list.
Run the following as the nimbus user:
[nimbus@wang136 bin]$ /usr/local/globus-
Got notification with value: 3
Counter has value: 3
Got notification with value: 13
Install Nimbus-TP2.2
[root@wang136 opt]# pwd (the software is placed in the /opt directory)
/opt
[root@wang136 opt]# tar zxvf nimbus-TP2.2.tar.gz
[root@wang136 opt]# chown -R globus:globus nimbus-TP2.2
Switch to the globus user and run:
[globus@wang136 nimbus-TP2.2]$ pwd
/opt/nimbus-TP2.2
[globus@wang136 nimbus-TP2.2]$ ./bin/all-build-and-install.sh
[echo] **** Module: /opt/nimbus-TP2.2/autoconfiguration
[echo] Installing: Nimbus auto-configuration tools GAR package
[echo] Deploying gar with profile:
[echo] Installed: Nimbus auto-configuration tools GAR package
[echo]
[echo] NOTES: To run the auto-configuration program, launch:
[echo] /usr/local/globus-
[echo]
[echo] To run the cloud configuration admin helper, launch:
[echo] /usr/local/globus-
[echo]
BUILD SUCCESSFUL
Total time: 2 minutes 3 seconds
Successful: Nimbus - build and install all
[globus@wang136 nimbus]$ cp /etc/grid-security/grid-mapfile /usr/local/globus-
Note: keep the contents of the two files identical.