GT 2.4 GSI: The /etc/grid-security directory

The directory /etc/grid-security is a directory used to hold configuration information and private information used by the GSI libraries. It should be on local disk e.g. not NFS-mounted. It and it's contents should not be writable by any untrusted users (generally this means only by root). Except for the private key of the host (hostkey.pem), all the contents may be world-readable.

Contents of this web page:

Creating /etc/grid-security

1) Create the directory /etc/grid-security and make it world-readable

# mkdir /etc/grid-security
# chmod 0755 /etc/grid-security

2) In /etc/grid-security make the certificates directory. This can either be a copy of or a symlink to $GSI_INSTALL_PATH/share/certificates (for a GSI installation) or $GLOBUS_INSTALL_PATH/share/certifcates (for a Globus installation). In any case this directory should be non-writable by anyone except trusted users and should be world readable.

# ln -s ${GSI_INSTALL_PATH}/share/certificates /etc/grid-security/certificates

The following steps are only needed if you plan on running GSI-bases services (e.g. gsiftpd, sshd, Globus gatekeeper)

3) Create /etc/grid-security/grid-mapfile if needed

This is a file used to hold authorization information and mappings from grid identities to local userids for users.  Please see the grid-mapfile web page for details on creating this file.

4) Create hostkey.pem and hostcert.pem if needed

These files contain the host's private key and X509 certificate. Please see the web page on acquiring a host certificate for details on creating these files.

Note that as stated on the page referred to by the URL above, grid-cert-request currently creates the file userkey.pem and usercert.pem which you will need to symlink to hostkey.pem and hostcert.pem. This is due to the GSI transition as something that is always part of Globus to a package that can be stand-alone and will go away in future versions. Sorry for the inconvience.

Contents of /etc/grid-security

The following files or directories are normally found in /etc/grid-security:

certificates/

This directory contains the X509 certificates of all CAs trusted by this system. For a user to authenticate with GSI to any GSI-based service on this system, the certificate of the CA that signed the user's certificate must be in this directory. All the contents of this directory are used by both GSI-based clients and GSI-based services and should be world-readable.

CA's certificates are stored in files whose names are based on a hash of the CA identity for quick location. These filenames typically look like 42864e48.0

Certificate Revolacation Lists CRLs may also be stored in this directory. The CRLs follow the CA certificate hash naming convention, with an extra "r", for example: 42864e48.r0.

Current this is often a symlink to:

$GLOBUS_INSTALL_PATH/share/certificates

or

$GSI_INSTALL_PATH/share/certificates

certificates/ca-signing-policy.conf

This file contains a list of trusted CAs and the certificates names they are allowed to sign. A CA must be listed in this file in order for it to be trusted. Please see the ca-signing-policy.conf documentation for more details on this file. This file should be world-readable.

 

The following files or directories are normally only found in /etc/grid-security if GSI-based services are present on the system:

grid-mapfile

This file contains authorization information and information to map grid identiies (e.g. X509 subject names) to local system identities (e.g. Unix user IDs). For more information on this file please see the grid-mapfile web page. This file need only be readable by processes that do GSI-based services, but there is no know vulnerability caused by it being world-readable.

hostkey.pem

This file contains the RSA private key for the host used for doing mutual authentication with connecting clients. This file should be readable only by trusted GSI-based services, typically this means unix permissions of 0400. Currently this file a symlink to globus-host.key

userkey.pem

The host key as created by grid-cert-request. This file will go away in a future revision. hostkey.pem should be a symlink to this file.

hostcert.pem

This file contains the X509 certificate for the host used for doing mutual authentication with connecting clients. This file is a matched pair with the host key in hostkey.pem. hostcert.pem however is public information (it is passed to every connecting client) so is typically world-readable, however nothing besides GSI-based daemons is known to read this file.

Currently this file a symlink to globus-host.cert.

usercert.pem

The host certificate as returned by the CA as a result of running grid-cert-request. This file will go away in a future revision. hostcert.pem should be a symlink to this file.