Friday, 7 February 2014

Globus Toolkit can be downloaded from http://toolkit.globus.org/toolkit/downloads/latest-stable/

Installation Procedure:


1. Installing Naive Linux Packages:


1.1 Enabling the Globus Repository:

The Debian packages in the OS-specific repositories are located at stable repository and testing repository.
To install from binary debs, get the appropriate configuration deb from the link above, install it with
# dpkg -i globus-repository-5.2-stable-distro_0.0.3_all.deb
# apt-get update

1.2 Installing the Toolkit on Debian Based System:

  • Install GridFTP client
    # tasksel install globus-data-management-client
  • Install GRAM client
    # tasksel install globus-resource-management-client
  • Install GridFTP server
    # tasksel install globus-data-management-server
  • Install GRAM server
    # tasksel install globus-resource-management-server
    This will install GRAM, but only with a fork LRM. To install a PBS LRM using the scheduler event generator, for example:
    # apt-get install globus-gram-job-manager-pbs-setup-seg
  • Install GridFTP server and client
    # tasksel install globus-gridftp
  • Install GRAM server and client
    # tasksel install globus-gram5

 2. Basic Security Configurations


2.1 Obtain host certificates:

Host certificates must:

  • consist of the following two files: hostcert.pem and hostkey.pem
  • be in the appropriate directory for secure services: /etc/grid-security/
  • be for a machine which has a consistent name in DNS; you should not run it on a computer using DHCP where a different name could be assigned to your computer.
You have the following options:
1)  Request a certificate from an existing CA
2) SimpleCA: Instructions on how to install SimpleCA can be find out at:  Installing SimpleCA.


2.2 Add Authorization

Installing Globus services on your resources doesn't automatically authorize your local users to use these services. Each user must have their own user certificate, and each user certificate must be mapped to a local account.
Add authorizations for users:
Create /etc/grid-security/grid-mapfile as root.
You need two pieces of information:

  • the subject name of a user
  • the account name it should map to.
The syntax is one line per user, with the certificate subject followed by the user account name.
Run grid-cert-info to get your subject name, and whoami to get the account name:
gtuser$ grid-cert-info -subject
/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=GT User
gtuser$ whoami
gtuser
You may add the line by running the following as root:
root# $GLOBUS_LOCATION/sbin/grid-mapfile-add-entry -dn \
"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=GT User" \
-ln gtuser
The corresponding line in the grid-mapfile should look like:
"/O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=GT User" gtuser

2.3 Verify Basic Security:

Now that you have installed a trusted CA, acquired a hostcert and acquired a usercert, you may verify that your security setup is complete. As your user account, run the following command:
gtuser$ grid-proxy-init -verify -debug

User Cert File: /home/gtuser/.globus/usercert.pem
User Key File: /home/gtuser/.globus/userkey.pem

Trusted CA Cert Dir: /etc/grid-security/certificates

Output File: /tmp/x509up_u506
Your identity: /DC=org/DC=doegrids/OU=People/CN=GT User 332900
Enter GRID pass phrase for this identity:
Creating proxy ...++++++++++++
..................++++++++++++
 Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 28 23:13:22 2005
There are a few things you can notice from this command. Your usercert and key are located in $HOME/.globus/. The proxy certificate is created in /tmp/. The "up" stands for "user proxy", and the _u506 will be your UNIX userid. It also prints out your distinguished name (DN), and the proxy is valid for 12 hours.
If this command succeeds, your single node is correctly configured.

3. Firewall Configuration:


3.1. Client Site Firewall Requirements

This section describes the requirements placed on firewalls at sites containing Globus Toolkit clients.server sites will also have client site requirements.
3.1.1. Allowed Outgoing Ports
Clients need to be able to make outgoing connections freely from ephemeral ports on hosts at the client site to all ports at server sites.
3.1.2. Allowed Incoming Ports
To allow these callbacks, client sites should allow incoming connection in the ephemeral port range. Client sites wishing to restrict incoming connections in the ephemeral port range should select a port range for their site. The size of this range should be approximately 10 ports per expected simultaneous user on a given host, though this may vary depending on the actual usage characteristics. Hosts on which clients run should have the GLOBUS_TCP_PORT_RANGE environment variable set for the users to reflect the site’s chosen range.

3.1.3. Network Address Translation (NAT)
Clients behind NATs will be restricted as described in Section 4.1.2, “Allowed Incoming Ports” unless the firewall and site hosts are configured to allow incoming connections.
This configuration involves:
  • Select a separate portion of the ephemeral port range for each host at the site on which clients will be running (e.g. 45000-45099 for host A, 45100-45199 for host B, etc.).
  • Configure the NAT to direct incoming connections in the port range for each host back to the appropriate host (e.g., configure 45000-45099 on the NAT to forward to 45000-45099 on host A).
  • Configure the Globus Toolkit clients on each site host to use the selected port range for the host using the techniques described in Section 2.1, “If client is behind a firewall”.
  • Configure Globus Toolkit clients to advertise the firewall as the hostname to use for callbacks from the server host. This is done using the GLOBUS_HOSTNAME environment variable. The client must also have the GLOBUS_HOSTNAME environment variable set to the hostname of the external side of the NAT firewall. This will cause the client software to advertise the firewall's hostname as the hostname to be used for callbacks causing connections from the server intended for it to go to the firewall (which redirects them to the client).

3.2. Server Site Firewall Requirements

This section describes firewall policy requirements at sites that host Grid services. Sites that host Grid services often host Grid clients, however the policy requirements described in this section are adequate for clients as well.
3.2.1. Allowed Incoming Ports
A server site should allow incoming connections to the well-known Grid Service Ports as well as ephemeral ports. These ports are 22/tcp (for gsi-enabled openssh), 2119/tcp (for GRAM) and 2811/tcp for GridFTP.
A server not allowing incoming connections in the ephemeral port range will have the following restrictions:
  • If port 2119/tcp is open, GRAM will allow jobs to be submitted, but further management of the jobs will not be possible.
  • While it will be possible to make GridFTP control connections if port 2811/tcp is open, it will not possible to actually get or put files.
Server sites wishing to restrict incoming connections in the ephemeral port range should select a range of port numbers. The size of this range should be approximately 20 ports per expected simultaneous user on a given host, though this may vary depending on the actual usage characteristics. While it will take some operational experience to determine just how big this range needs to be, it is suggested that any major server site open a port range of at least a few hundred ports. Grid Services should configured as described in Section to reflect the site’s chosen range.
3.2.2. Allowed Outgoing Ports
Server sites should allow outgoing connections freely from ephemeral ports at the server site to ephemeral ports at client sites as well as to Grid Service Ports at other sites.
3.2.3.  Network Address Translation (NAT)
Grid services are not supported to work behind NAT firewalls because the security mechanisms employed by Globus require knowledge of the actual IP address of the host that is being connected to.
We do note there have been some successes in running GT services behind NAT firewalls.

3.3. Controlling The Ephemeral Port Range

Controllable ephemeral ports in the Globus Toolkit can be restricted to a given range. setting the environment variable GLOBUS_TCP_PORT_RANGE can restrict ephemeral ports. The value of this variable should be formatted as min,max (a comma separated pair). This will cause the GT libraries (specifically GlobusIO) to select port numbers for controllable ports in that specified range.
% GLOBUS_TCP_PORT_RANGE=40000,40010
% export GLOBUS_TCP_PORT_RANGE
% globus-gass-server
https://globicus.lbl.gov:40000
^C
%

The Quickstart Guide walks you through setting up basic services on multiple machines.
Reference :