[AG-TECH] AG 2.0 Alpha 3 (and Simple CA)

Randy Groves randy.groves at boeing.com
Mon Feb 24 19:59:50 CST 2003


Thanks for the reply!  I should have prefaced my question and later note 
with the fact that I'm setting up a completely internal AG, that will have 
no interaction (at least not for the foreseeable future) with the AG-Grid at 
large.  So for my immediate testing, it sounds like what I did will 
work.  But perhaps I should revise this so that I can cover all the bases 
when necessary.  I'll take a look.

I hadn't done a cert request (since I hadn't installed the AG CA) - are the 
certs that I would get 'normal' (i.e., typical Globus) certs, or are you 
generating an 'AG' cert under the Grid umbrella?  I will be installing also 
on my external node - so I'll get a 'real' cert for this.

Of course, since I'm restricted to unicast only on this link, this setup 
may have minimal interaction capabilities.

-randy

At 07:18 PM 2/24/2003 -0600, Ti Leggett wrote:
>I would say no, it's not sufficient. While this will work with your
>machine and internal organizational unit (OU) it will not work with the
>rest of the AG2 community. That's because your cert will have been
>signed by the CA with O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com
>
>Now on your AG node this might be fine, but now on your node you will
>only accept certs that have been signed by globus.org (since that comes
>with globus) and your CA. If someone from outside comes in with an
>O=Access Grid/OU=agdev-ca.mcs.anl.gov/ signed cert, they'll be denied
>because your node doesn't recognize that as a validly signed cert (since
>it's not from globus and not from foo.bar).
>
>Now, if you try and take your personal foo.bar signed cert to someone
>else's node (or venue for that matter), you'll get denied because that
>resource won't recognize foo.bar as a validly signed cert.
>
>What you *really* wanted to do was add your CA to your trusted certs
>list. That way you'll accept your certs, globus certs, and agdev certs.
>All you have to do there is:
>
>${GPT_LOCATION}/sbin/globus-build -install-only
>globus_simple_ca_8dd8e752_setup-0.12.tar.gz
>
>sed -e 's,globus-sh-tools-vars.sh,globus-sh-tools.sh,g' <
>${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752 >
>${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed
>mv -f ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed
>${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
>chmod 0755 ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
>
>${GLOBUS_LOCATION}/setup/globus_simple_ca_8dd8e752/setup-gsi
>
>
>That will install your CA's cert and make everything happy. You might not
>have to do the sed stuff in the middle though I found recently installed
>simple_ca assume they're installing into gt2.2 and this doesn't work for
>our gt2.0 installations (don't even get me started on this)...
>
>Did that make sense?
>
>On Mon, 2003-02-24 at 18:59, Randy Groves wrote:
> > Well, I might have answered most of my question.  For those that might be
> > in a similar situation, I was able to configure the 2.0 version of the
> > data-management package to at least successfully run grid-proxy-init with a
> > cert from my internal SimpleCA.
> >
> > What I did was to run the data-management install package, then only run the
> > initial 'setup-gsi' and NOT the CA specific setup that follows.  I then
> > installed the package that SimpleCA generates, which in my case is:
> >
> > globus_simple_ca_8dd8e752_setup-0.12.tar.gz
> >
> > The install had no complaints, but I did get an error when I ran the
> > gpt-postinstall, complaining about not finding
> > /usr/lib/globus/setup/globus-sh-tools-vars.sh.
> >
> > A little poking made it obvious that this had been renamed from
> > globus-sh-tools.sh in later versions.  A symbolic link from one to the
> > other took care of this.
> >
> > After running the setup-gsi that results from this process, I am now able
> > to grid-proxy-init with my own internal cert.
> >
> > Now the next question, which I will probably be poking at, is - is this
> > sufficient to run AG2.0a3?
> >
> > -randy
> >
> >
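The accept/deny behaviour Ti describes (a cert signed by a private SimpleCA is refused until that CA is added to the node's trusted certs list), shown as an added example that is not code from this thread. It assumes the openssl CLI is available and stands in a temporary directory for /etc/grid-security/certificates; the CA and user names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a node accepts a user cert only if the
# CA that signed it is in the node's trusted-CA directory (Globus keeps it in
# /etc/grid-security/certificates, using the <subject-hash>.0 file naming that
# OpenSSL's -CApath lookup also uses).
# Assumes the openssl CLI; CA and user names are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TRUSTED="$WORK/certificates"   # stand-in for /etc/grid-security/certificates

make_ca() {   # $1 = file prefix, $2 = CA subject; self-signed CA cert + key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue_cert() {   # $1 = CA prefix, $2 = user prefix, $3 = user subject
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}
install_ca() {   # add a CA to the trusted list: copy its cert in as <hash>.0
  cp "$WORK/$1.pem" "$TRUSTED/$(openssl x509 -noout -hash -in "$WORK/$1.pem").0"
}
verify_user() {   # the accept/deny decision a node makes on an incoming cert
  if openssl verify -CApath "$TRUSTED" "$WORK/$1.pem" >/dev/null 2>&1
  then echo accepted; else echo denied; fi
}
demo() {   # prints "denied accepted": refused before the CA is trusted, accepted after
  rm -rf "$TRUSTED"; mkdir -p "$TRUSTED"
  make_ca agdev  "/O=Access Grid/OU=agdev-ca.mcs.anl.gov/CN=AG CA"
  make_ca foobar "/O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com"
  issue_cert foobar randy "/O=Foo Bar/OU=foo.bar.com/CN=Randy Groves"
  install_ca agdev                 # node trusts only the agdev CA so far
  before=$(verify_user randy)      # foo.bar CA unknown -> denied
  install_ca foobar                # "add your CA to your trusted certs list"
  after=$(verify_user randy)       # same cert now chains to a trusted CA
  echo "$before $after"
}
demo
```

This models only the certificate-chain check; a Globus node additionally consults the signing_policy file installed next to each CA cert, which the example does not reproduce.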