How to configure a standalone gridftp server to access the IPv6 Testbed

Follow these steps to add a standalone gridftp installation (both server and client) to SLC5, allowing access to the IPv6 testbed VO:

  1. Install these packages from the EPEL repository, which is available by default on SLC5:
    yum install globus-gridftp-server.x86_64
    yum install globus-gridftp-server-progs.x86_64
    yum install globus-gridmap-callout-error.x86_64
    yum install voms-clients.x86_64
    yum install globus-gass-copy-progs.x86_64
    yum install fetch-crl.noarch
    
  2. Create /etc/gridftp.conf
    cp /etc/gridftp.conf.default /etc/gridftp.conf
    
  3. Add the following to /etc/gridftp.conf to enable logging:
    log_level ERROR,WARN,INFO
    log_single /var/log/gridftp/gridftp-auth.log
    log_transfer /var/log/gridftp/gridftp.log
    log_module stdio_ng
    
  4. Create the log directory:
    mkdir /var/log/gridftp
    
  5. Add a logrotate.d entry for the gridftp logs (e.g. /etc/logrotate.d/gridftp):
    /var/log/gridftp/*log {
        missingok
        compress
        weekly
        delaycompress
        rotate 40
    }
    
  6. Make sure the gridftp server can be contacted through your firewalls. Create the file /etc/sysconfig/globus-gridftp-server with the allowed port range for the control connections, e.g. for ports 20000-21000:
    export GLOBUS_TCP_PORT_RANGE=20000,21000
    
  7. Then open TCP port 2811, plus the port range above, on all relevant firewalls. For standard firewall installations on SL or RedHat-based systems, add the following lines to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (before the last line):
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2811 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20000:21000 -j ACCEPT
    
    Reload the firewall:
    
    /etc/init.d/iptables restart
    /etc/init.d/ip6tables restart
    
  8. Check that the system hostname(s) do not appear on either of the lines starting with 127.0.0.1 or ::1 in /etc/hosts.
  9. Add file egi-trustanchors.repo to /etc/yum.repos.d with the following contents:
    [EGI-trustanchors]
    name=EGI-trustanchors
    baseurl=http://repository.egi.eu/sw/production/cas/1/current/
    gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
    gpgcheck=1
    enabled=1
    
  10. Install the CA certificates, and start the CRL update processes:
    yum update
    yum install ca_policy_igtf-classic
    chkconfig --level 2345 fetch-crl-boot on
    chkconfig --level 2345 fetch-crl-cron on
    service fetch-crl-cron start
    
  11. Confirm that the signed host certificate and key are installed as /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem. Make sure the key file has mode 0400.
  12. Install our VOMS server certificate (new certificate valid until October 15, 2013):
    cd /etc/grid-security/vomsdir
    wget http://www.mi.infn.it/ipv6/voms2.cnaf.infn.it.pem
    
  13. Download and install this RPM for VOMS-based GSI authorisation:
    cd /tmp
    wget http://www.mi.infn.it/ipv6/ipv6-user-map-plugin-0.1-4.x86_64.rpm
    rpm -ihv ipv6-user-map-plugin-0.1-4.x86_64.rpm
    
  14. Start the gridftp server:
    chkconfig --level 2345 globus-gridftp-server on
    service globus-gridftp-server start
    
  15. To get a VOMS certificate for testing:
    1. On a UI node, create a file vomses (default location: ~/.glite/vomses) containing the following line:
      "ipv6.hepix.org" "voms2.cnaf.infn.it" "15013" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it" "ipv6.hepix.org" 

      Put your personal usercert.pem and userkey.pem in ~/.globus (in your own home directory, not root's).

    2. Use the command voms-proxy-init -userconf /path/to/vomses -voms ipv6.hepix.org
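As an added post-install check (an example written for this page, not part of the original instructions or of the Globus and EGI packages), the following POSIX shell script verifies steps 6, 7, 8 and 11 against the files those steps edit: the host name is absent from the loopback lines of /etc/hosts, the host key has mode 0400, and the GLOBUS_TCP_PORT_RANGE in the sysconfig file matches ACCEPT rules for tcp/2811 and the range in the iptables files. The function names, the sample host name gridftp1.example.org and the address 192.0.2.10 are constructed for the example; check_live_host runs the same checks against the real /etc files named in the steps, and write_samples writes constructed good and bad samples so each check can be exercised offline.

```shell
#!/bin/sh
# Post-install check for the standalone gridftp setup described above.
# Added example, not part of the original page or of the Globus/EGI tools.
# Each check takes the file(s) it inspects as arguments, so it can run on the
# real files under /etc or on the constructed samples that write_samples creates.

# Step 8: the host name must not sit on the 127.0.0.1 or ::1 lines of /etc/hosts.
check_hosts_loopback() {
    hosts_file=$1; host=$2
    if grep -E '^(127\.0\.0\.1|::1)[[:space:]]' "$hosts_file" | grep -qFw "$host"; then
        echo "FAIL: $host appears on a loopback line in $hosts_file"
        return 1
    fi
    echo "OK: $host is not on a loopback line in $hosts_file"
}

# Step 11: the host key must exist and be readable only by its owner (mode 0400).
check_key_mode() {
    key=$1
    [ -f "$key" ] || { echo "FAIL: $key is missing"; return 1; }
    mode=$(stat -c '%a' "$key")          # GNU stat, as shipped on SLC5
    [ "$mode" = "400" ] || { echo "FAIL: $key has mode $mode, expected 400"; return 1; }
    echo "OK: $key has mode 400"
}

# Steps 6 and 7: read GLOBUS_TCP_PORT_RANGE=lo,hi from the sysconfig file and
# confirm that the rules file ACCEPTs tcp/2811 and tcp/lo:hi.
check_port_range() {
    sysconfig=$1; rules=$2
    range=$(sed -n 's/^export GLOBUS_TCP_PORT_RANGE=\([0-9][0-9]*\),\([0-9][0-9]*\).*/\1:\2/p' "$sysconfig")
    [ -n "$range" ] || { echo "FAIL: no GLOBUS_TCP_PORT_RANGE in $sysconfig"; return 1; }
    for port in 2811 "$range"; do
        grep -q -- "-p tcp --dport $port -j ACCEPT" "$rules" \
            || { echo "FAIL: no ACCEPT rule for tcp/$port in $rules"; return 1; }
    done
    echo "OK: tcp/2811 and tcp/$range are accepted in $rules"
}

# Runs every check against the live files named in the steps above (IPv4 and IPv6 rules).
check_live_host() {
    rc=0
    check_hosts_loopback /etc/hosts "$(hostname -f)" || rc=1
    check_key_mode /etc/grid-security/hostkey.pem || rc=1
    for rules in /etc/sysconfig/iptables /etc/sysconfig/ip6tables; do
        check_port_range /etc/sysconfig/globus-gridftp-server "$rules" || rc=1
    done
    return $rc
}

# Writes constructed sample files into DIR (placeholder host gridftp1.example.org,
# documentation address 192.0.2.10) so the checks can be exercised offline.
write_samples() {
    d=$1; mkdir -p "$d"
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
                  '::1 localhost6.localdomain6 localhost6' \
                  '192.0.2.10 gridftp1.example.org gridftp1' > "$d/hosts.good"
    printf '%s\n' '127.0.0.1 localhost gridftp1.example.org' '::1 localhost6' > "$d/hosts.bad"
    printf '%s\n' 'export GLOBUS_TCP_PORT_RANGE=20000,21000' > "$d/sysconfig"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2811 -j ACCEPT' \
                  '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20000:21000 -j ACCEPT' \
                  > "$d/iptables.good"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2811 -j ACCEPT' \
                  > "$d/iptables.bad"          # data-channel range missing
    : > "$d/hostkey.pem";   chmod 0400 "$d/hostkey.pem"
    : > "$d/hostkey.loose"; chmod 0644 "$d/hostkey.loose"
}
```

After step 14, source the script and run check_live_host on the server; a non-zero return means at least one step above was not applied as written. The samples written by write_samples show each check both passing and failing, which is the quickest way to confirm the checks themselves before trusting them on a real host.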