Chapter 6. Basic Security Configuration

1. Set environment variables

In order for the system to know the location of the Globus Toolkit commands you just installed, you must set an environment variable and source the script.

  1. As globus, set GLOBUS_LOCATION to where you installed the Globus Toolkit. This will be one of the following:

    • Using Bourne shells:

      globus$ export GLOBUS_LOCATION=/path/to/install
    • Using csh:

      globus$ setenv GLOBUS_LOCATION /path/to/install
  2. Source $GLOBUS_LOCATION/etc/globus-user-env.{sh,csh} depending on your shell.

    • Use .sh for Bourne shell:

      globus$ . $GLOBUS_LOCATION/etc/
    • Use .csh for C shell.

      globus$ source $GLOBUS_LOCATION/etc/globus-user-env.csh

2. Obtain host certificates

You must have X509 certificates to use the GT 4.0 software securely (referred to in this documentation as host certificates). For an overview of certificates for GSI (security) see GSI Configuration Information and GSI Environmental Variables.

Host certificates must:

  • consist of the following two files: hostcert.pem and hostkey.pem
  • be in the appropriate directory for secure services: /etc/grid-security/
  • be for a machine which has a consistent name in DNS; you should not run it on a computer using DHCP where a different name could be assigned to your computer.

You have the following options:

2.1.  Request a certificate from an existing CA

Your best option is to use an already existing CA. You may have access to one from the company you work for or an organization you are affiliated with. Some universities provide certificates for their members and affiliates. Contact your support organization for details about how to acquire a certificate. You may find your CA listed in the TERENA Repository.

If you already have a CA, you will need to follow their configuration directions. If they include a CA setup package, follow the CAs instruction on how to install the setup package. If they do not, you will need to create an /etc/grid-security/certificates directory and include the CA cert and signing policy in that directory. See Configuring a Trusted CA for more details.

This type of certificate is best for service deployment and Grid inter-operation.

2.2. SimpleCA

SimpleCA provides a wrapper around the OpenSSL CA functionality and is sufficient for simple Grid services. Alternatively, you can use OpenSSL's command on its own. Instructions on how to use the SimpleCA can be found in Chapter 7, SimpleCA Admin Guide.

SimpleCA is suitable for testing or when a certificate authority is not available.

2.3. Low-trust certificate

Globus offers a low-trust certificate available at This option should only be used as a last resort because it does not fulfill some of the duties of a real Certificate Authority.

This type of certificate is best suited for short term testing.

3. Make the host credentials accessible by the container

The host key (/etc/grid-security/hostkey.pem) is only readable to root. The container (hosting environment) will be running as a non-root user (probably the globus user) and in order to have a set of host credentials which are readable by the container, we need to copy the host certificate and key and change the ownership to the container user.


This step assumes you have obtained a signed host certificate from your CA.

As root, run:

root# cd /etc/grid-security
root# cp hostkey.pem containerkey.pem
root# cp hostcert.pem containercert.pem
root# chown globus.globus containerkey.pem containercert.pem

At this point the certificates in /etc/grid-security should look something like:

root# ls -l *.pem
-rw-r--r-- 1 globus globus 1785 Oct 14 14:47 containercert.pem
-r-------- 1 globus globus  887 Oct 14 14:47 containerkey.pem
-rw-r--r-- 1 root   root   1785 Oct 14 14:42 hostcert.pem
-r-------- 1 root   root    887 Sep 29 09:59 hostkey.pem

4. Add authorization

Add authorizations for users:

Create /etc/grid-security/grid-mapfile as root.

You need two pieces of information:

  • the subject name of a user
  • the account name it should map to.

The syntax is one line per user, with the certificate subject followed by the user account name.

Run grid-cert-info to get your subject name, and whoami to get the account name:

bacon$ grid-cert-info -subject
/O=Grid/OU=GlobusTest/ Bacon
bacon$ whoami

You may add the line by running the following as root:

root# $GLOBUS_LOCATION/sbin/grid-mapfile-add-entry -dn \
"/O=Grid/OU=GlobusTest/ Bacon" \
-ln bacon

The corresponding line in the grid-mapfile should look like:

"/O=Grid/OU=GlobusTest/ Bacon" bacon

The quotes around the subject name are important, because it contains spaces.

5. Verify Basic Security

Now that you have installed a trusted CA, acquired a hostcert and acquired a usercert, you may verify that your security setup is complete. As your user account, run the following command:

bacon$ grid-proxy-init -verify -debug

User Cert File: /home/bacon/.globus/usercert.pem
User Key File: /home/bacon/.globus/userkey.pem

Trusted CA Cert Dir: /etc/grid-security/certificates

Output File: /tmp/x509up_u506
Your identity: /DC=org/DC=doegrids/OU=People/CN=Charles Bacon 332900
Enter GRID pass phrase for this identity:
Creating proxy ...++++++++++++
Proxy Verify OK
Your proxy is valid until: Fri Jan 28 23:13:22 2005

There are a few things you can notice from this command. Your usercert and key are located in $HOME/.globus/. The proxy certificate is created in /tmp/. The "up" stands for "user proxy", and the _u506 will be your UNIX userid. It also prints out your distinguished name (DN), and the proxy is valid for 12 hours.

If this command succeeds, your single node is correctly configured.

6. Firewall configuration

For information on configuring services in the presence of a firewall, see the firewall PDF.

7. Syslog logging

The GT4 webservices container is capable of logging authorization decisions to syslog. This procedure has been documented as a Grid HOWTO at NCSA.