How to configure a standalone gridftp server to access the IPv6 Testbed

Follow these steps to add a standalone gridftp installation (both server and client) to SLC5 that allows access to the IPv6 testbed VO:

  1. Install these packages from the EPEL repository, which is available by default on SLC5:
    yum install globus-gridftp-server.x86_64
    yum install globus-gridftp-server-progs.x86_64
    yum install globus-gridmap-callout-error.x86_64
    yum install voms-clients.x86_64
    yum install globus-gass-copy-progs.x86_64
    yum install fetch-crl.noarch
  2. Create /etc/gridftp.conf
    cp /etc/gridftp.conf.default /etc/gridftp.conf
  3. Add the following to /etc/gridftp.conf to enable logging:
    log_level ERROR,WARN,INFO
    log_single /var/log/gridftp/gridftp-auth.log
    log_transfer /var/log/gridftp/gridftp.log
    log_module stdio_ng
  4. Create the log directory:
    mkdir /var/log/gridftp
  5. Add a logrotate.d entry for the gridftp logs (e.g. /etc/logrotate.d/gridftp):
    /var/log/gridftp/*log {
        rotate 40
    }
  6. Make sure the gridftp server can be contacted through your firewalls. Add the file /etc/sysconfig/globus-gridftp-server with the allowed port range for the control connections. E.g., for ports 20000-21000:
    export GLOBUS_TCP_PORT_RANGE=20000,21000
  7. Then open TCP port 2811, plus the port range above, on all relevant firewalls. For standard firewall installations on SL or RedHat-based systems, add the following lines to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (before the last line):
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2811 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20000:21000 -j ACCEPT
    Reload the firewall:
    /etc/init.d/iptables restart
    /etc/init.d/ip6tables restart
  8. Check that the system hostname(s) do not appear on either of the lines starting with or ::1 in the /etc/hosts file.
  9. Add file egi-trustanchors.repo to /etc/yum.repos.d with the following contents:
  10. Install the CA certificates, and start the CRL update processes:
    yum update
    yum install ca_policy_igtf-classic
    chkconfig --level 2345 fetch-crl-boot on
    chkconfig --level 2345 fetch-crl-cron on
    service fetch-crl-cron start
  11. Confirm that the signed host certificate and key are installed as: /etc/grid-security/host(cert|key).pem. Make sure the key file has mode 0400.
  12. Install our VOMS server certificate (new certificate valid until October 15, 2013):
    cd /etc/grid-security/vomsdir
  13. Download this RPM for VOMS-based GSI authorisation:
    cd /tmp
    rpm -ihv ipv6-user-map-plugin-0.1-4.x86_64.rpm
  14. Start the gridftp server:
    chkconfig --level 2345 globus-gridftp-server on
    service globus-gridftp-server start
  15. To get a VOMS certificate for testing:
    1. On a UI node, create a file vomses (default location: ~/.glite/vomses) containing the following line:
      "" "" "15013" "/C=IT/O=INFN/OU=Host/L=CNAF/" "" 

      Put your personal usercert.pem and userkey.pem in ~/.globus (your home directory, not root's).

    2. Use the command voms-proxy-init -userconf /path/to/vomses -voms
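
The checks in steps 6 to 8 and 11 can be scripted. The following is an added example, not part of the original instructions: the function names and the --check flag are hypothetical, and matching 127.x.x.x loopback lines in addition to ::1 is an assumption of the example.

```shell
#!/bin/sh
# Added example: checks for steps 6-8 and 11. File paths are arguments so the
# functions can be pointed at copies of the real files.

# Step 8: return 0 if NAME is listed on a loopback line of HOSTS_FILE.
# "::1" is from the page; also matching 127.x.x.x is this example's assumption.
hostname_on_loopback() {  # usage: hostname_on_loopback HOSTS_FILE NAME
    awk -v name="$2" '
        $1 == "::1" || $1 ~ /^127\./ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break          # rest of the line is a comment
                if (tolower($i) == tolower(name)) found = 1
            }
        }
        END { exit !found }' "$1"
}

# Step 11: return 0 if KEY_FILE is a regular file with mode exactly 0400.
key_mode_ok() {  # usage: key_mode_ok KEY_FILE
    [ -f "$1" ] || return 1
    # The first 10 characters of "ls -ld" are the file type and permission bits.
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Steps 6-7: return 0 if RULES_FILE accepts port 2811 and the range set in
# SYSCONFIG_FILE. GLOBUS_TCP_PORT_RANGE is written "low,high", iptables "low:high".
ports_opened() {  # usage: ports_opened SYSCONFIG_FILE RULES_FILE
    range=$(sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*GLOBUS_TCP_PORT_RANGE=\([0-9][0-9]*\),\([0-9][0-9]*\).*/\1:\2/p' "$1" | tail -n 1)
    [ -n "$range" ] || return 1
    grep -q -- "^-A .*--dport 2811 .*-j ACCEPT" "$2" &&
        grep -q -- "^-A .*--dport $range .*-j ACCEPT" "$2"
}

# Hypothetical --check flag: run the checks against the paths used on this page.
if [ "${1:-}" = "--check" ]; then
    hostname_on_loopback /etc/hosts "$(hostname -f)" &&
        echo "FAIL: hostname appears on a loopback line of /etc/hosts"
    key_mode_ok /etc/grid-security/hostkey.pem ||
        echo "FAIL: /etc/grid-security/hostkey.pem is not mode 0400"
    for rules in /etc/sysconfig/iptables /etc/sysconfig/ip6tables; do
        ports_opened /etc/sysconfig/globus-gridftp-server "$rules" ||
            echo "FAIL: port 2811 or the GLOBUS_TCP_PORT_RANGE range is not accepted in $rules"
    done
fi
```

A mismatch between the comma-separated range in /etc/sysconfig/globus-gridftp-server and the colon-separated range in either rules file is reported as a failure for that file, which catches the case where only the IPv4 or only the IPv6 firewall was updated.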