GT 4.1.0 SimpleCA: Admin Guide

1. Introduction

This guide contains advanced configuration information for system administrators working with SimpleCA. It provides references to information on procedures typically performed by system administrators, including installation, configuring, deploying, and testing the installation.

[Important]Important

This information is in addition to the basic Globus Toolkit prerequisite, overview, installation, security configuration instructions in the GT 4.1.0 System Administrator's Guide. Read through this guide before continuing!

The following are instructions for how to use SimpleCA to set up certificates for a GT 4.1.0 installation.

SimpleCA provides a wrapper around the OpenSSL CA functionality and is sufficient for simple Grid services. Alternatively, you can use OpenSSL's CA.sh command on its own. SimpleCA is suitable for testing or when a certificate authority (CA) is not available. You can find other CA options in Obtaining host certificates.

2. Building and Installing

2.1. Create users

Make sure you have the following users on your machine:

  • Your user account, which will be used to run the client programs.
  • A generic globus account, which will be used to perform administrative tasks such as starting and stopping the container, deploying services, etc. This user will also be in charge of managing the SimpleCA. To do this, make sure this account has read and write permissions in the $GLOBUS_LOCATION directory.

2.2. Run the setup script

A script was installed to set up a new SimpleCA. You only need to run this script once per Grid.

Run the setup script:

$GLOBUS_LOCATION/setup/globus/setup-simple-ca 
        

2.2.1. 2.1 Configure the subject name

This script prompts you for information about the CA you wish to create:

                The unique subject name for this CA is:
                cn=Globus Simple CA, ou=simpleCA-mayed.mcs.anl.gov, ou=GlobusTest, o=Grid
                
                Do you want to keep this as the CA subject (y/n) [y]:

where:

Table 1. CA Name components

cnRepresents "common name". It identifies this particular certificate as the CA Certificate within the "GlobusTest/simpleCA-hostname" domain, which in this case is Globus Simple CA.
ouRepresents "organizational unit". It identifies this CA from other CAs created by SimpleCA by other people. The second "ou" is specific to your hostname (in this case GlobusTest).
oRepresents "organization". It identifies the Grid.

Press y to keep the default subject name (recommended).

2.2.2. Configure the CA's email

The next prompt looks like:

                Enter the email of the CA (this is the email where certificate
                requests will be sent to be signed by the CA):

Enter the email address where you intend to receive certificate requests. It should be your real email address that you check, not the address of the globus user.

2.2.3. Configure the expiration date

Then you'll see:

                The CA certificate has an expiration date. Keep in mind that 
                once the CA certificate has expired, all the certificates 
                signed by that CA become invalid.  A CA should regenerate 
                the CA certificate and start re-issuing ca-setup packages 
                before the actual CA certificate expires.  This can be done 
                by re-running this setup script.  Enter the number of DAYS 
                the CA certificate should last before it expires.
                [default: 5 years (1825 days)]:

This is the number of days for which the CA certificate is valid. Once this time expires, the CA certificate will have to be recreated and all of its certificates regranted.

Accept the default (recommended).

2.2.4. Enter a passphrase

Next you'll see:

                Generating a 1024 bit RSA private key
                ........++++++
                ................++++++
                writing new private key to '/home/globus/.globus/simpleCA//private/cakey.pem'
                Enter PEM pass phrase:

The passphrase of the CA certificate will be used only when signing certificates (with grid-cert-sign). It should be hard to guess, as its compromise may compromise all the certificates signed by the CA.

Enter your passphrase.

[Important]Important:

Your passphrase must not contain any spaces.

2.2.5. Confirm generated certificate

Finally you'll see the following:

                A self-signed certificate has been generated 
                for the Certificate Authority with the subject: 
                
                /O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/CN=Globus Simple CA
                
                If this is invalid, rerun this script 
                
                setup/globus/setup-simple-ca
                
                and enter the appropriate fields.
                
                -------------------------------------------------------------------
                
                The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cak ey.pem
                The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem
                
                The distribution package built for this CA is stored in
                
                /home/globus/.globus/simpleCA//globus_simple_ca_68ea3306_setup-0.17.tar.gz

This information will be important for setting up other machines in your grid. The number 68ea3306 in the last line is known as your CA hash. It will be an 8 hexadecimal digit string.

Press any key to acknowledge this screen.

Your CA setup package finishes installing and ends the procedure with the following reminder:

                ***************************************************************************
                
                Note: To complete setup of the GSI software you need to run the
                following script as root to configure your security configuration
                directory:
                
                /opt/gt4/setup/globus_simple_ca_68ea3306_setup/setup-gsi
                
                For further information on using the setup-gsi script, use the -help
                option.  The -default option sets this security configuration to be 
                the default, and -nonroot can be used on systems where root access is 
                not available.
                
                ***************************************************************************
                
                setup-ssl-utils: Complete
            

We'll run the setup-gsi script in the next section. For now, just notice that it refers to your $GLOBUS_LOCATION and the CA Hash from the last message.

2.2.6. Complete setup of GSI

To finish the setup of GSI, we'll run the script noted in the previous step.

Run the following as root (or, if no root privileges are available, add the -nonroot option to the command line):

$GLOBUS_LOCATION/setup/globus_simple_ca_CA_Hash_setup/setup-gsi -default

The output should look like:

                setup-gsi: Configuring GSI security
                Installing /etc/grid-security/certificates//grid-security.conf.CA_Hash...
                Running grid-security-config...
                Installing Globus CA certificate into trusted CA certificate directory...
                Installing Globus CA signing policy into trusted CA certificate directory...
                setup-gsi: Complete

2.3. Host certificates

You must request and sign a host certificate and then copy it into the appropriate directory for secure services. The certificate must be for a machine which has a consistent name in DNS; you should not run it on a computer using DHCP, where a different name could be assigned to your computer.

2.3.1. 3.1 Request a host certificate

As root, run:

grid-cert-request -host 'hostname'

This creates the following files:

  • /etc/grid-security/hostkey.pem
  • /etc/grid-security/hostcert_request.pem
  • (an empty) /etc/grid-security/hostcert.pem

Note: If you are using your own CA, follow their instructions about creating a hostcert (one which has a commonName (CN) of your hostname), then place the cert and key in the /etc/grid-security/ location. You may then proceed to Section 2.4, “User certificates”.

2.3.2. Sign the host certificate

  1. As globus, run:

    grid-ca-sign -in hostcert_request.pem -out hostsigned.pem

  2. A signed host certificate, named hostsigned.pem, is written to the current directory.
  3. When prompted for a passphrase enter the one you specified in Section 2.2.4, “Enter a passphrase” (for the private key of the CA certificate).
  4. As root move the signed host certificate to /etc/grid-security/hostcert.pem.

The certificate should be owned by root and be read-only for other users.

The key should be read-only by root.

2.4. User certificates

Users also must request user certificates, which you will sign using the globus user.

2.4.1. Request a user certificate

As your normal user account (not globus), run:

grid-cert-request

After you enter a passphrase, this creates

  • ~$USER/.globus/usercert.pem (empty)
  • ~$USER/.globus/userkey.pem
  • ~$USER/.globus/usercert_request.pem

Email the usercert_request.pem file to the SimpleCA maintainer.

2.4.2. Sign the user certificate

  1. As the SimpleCA owner globus, run:

    grid-ca-sign -in usercert_request.pem -out signed.pem

  2. When prompted for a password enter the one you specified in Section 2.2.4, “Enter a passphrase” (for the private key of the CA certificate).
  3. Now send the signed copy (signed.pem) back to the user who requested the certificate.
  4. As your normal user account (not globus), copy the signed user certificate into >~/.globus/ and rename it as usercert.pem, thus replacing the empty file.

The certificate should be owned by the user and be read-only for other users.

The key should be read-only by the owner.

3. Configuring

[high-level characterization of the configuration options for the component here]

3.1. Configure SimpleCA for multiple machines

So far, you have a single machine configured with SimpleCA certificates. Recall that in Section 2.2.5, “Confirm generated certificate” a CA setup package was created in .globus/simpleCA/globus_simple_ca_HASH_setup-0.17.tar.gz. If you want to use your certificates on another machine, you must install that CA setup package on that machine.

To install it, copy that package to the second machine and run:

$GLOBUS_LOCATION/sbin/gpt-build globus_simple_ca_HASH_setup-0.17.tar.gz gcc32dbg
$GLOBUS_LOCATION/sbin/gpt-postinstall

Then you will have to perform setup-gsi -default from Section 2.2.6, “Complete setup of GSI”.

If you are going to run services on the second host, it will need its own host certificate (Section 2.3, “Host certificates”) and grid-mapfile (as described in the basic configuration instructions in Section 4, “Add authorization”).

You may re-use your user certificates on the new host. You will need to copy the requests to the host where the SimpleCA was first installed in order to sign them.

4. Deploying

[information about deploying the component into various containers/environments]

5. Testing

To verify that the SimpleCA certificate is installed in /etc/grid-security/certificates and that your certificate is in place with the correct permissions, run:

user$ grid-proxy-init -debug -verify

After entering your passphrase, successful output looks like:

        [bacon@mayed schedulers]$ grid-proxy-init -debug -verify
        
        User Cert File: /home/user/.globus/usercert.pem
        User Key File: /home/user/.globus/userkey.pem
        
        Trusted CA Cert Dir: /etc/grid-security/certificates
        
        Output File: /tmp/x509up_u1817
        Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-mayed.mcs.anl.gov/OU=mcs.anl.gov/CN=User Name
        Enter GRID pass phrase for this identity:
        Creating proxy ..............................++++++++++++
        ...............++++++++++++
        Done
        Proxy Verify OK
        Your proxy is valid until: Sat Mar 20 03:01:46 2004

6. Security Considerations

[describe security considerations relevant for this component]

7. Troubleshooting

[help for common problems sysadmins may experience]