How to install the APACGrid CA bundle.

Migrated here from old wiki 4/12/2007, DRB

Reviewed DC 20/03/08

• Files should be stored in similar location to repository download: http://projects.gridaus.org.au/dist/gridaus.repo
• ng2.sapac.edu.au needed .../certificates/{globus-host-ssl.conf.1e12d831,globus-user-ssl.conf.1e12d831,grid-security.conf.1e12d831}
  • needed a link to globus-user-ssl.conf (also for host, security) in /etc/grid-security
• ng2 build script should handle this: Ticket #14 Systems Trac (http://projects.gridaus.org.au/trac/systems/)

How to check that an existing CA bundle does "NOT" exist on your system.

• /etc/grid-security does not exist, or
• at least one of the files contained in the APACGrid_CA_Bundle_Full.tar.gz allready exists in /etc/grid-security and /etc/grid-security/certificates.

Minimal APACGrid CA Bundle Install

• cd /etc/grid-security/certificates
• download APACGrid_CA_Bundle_Minimal.tar.gz to the current directory.
• tar -xzvf APACGrid_CA_Bundle_Minimal.tar.gz
• rm APACGrid_CA_Bundle_Minimal.tar.gz
• now ensure that the owner and group of the new files are set appropriately (root.root).
• create links in /etc/grid-security for globus-host-ssl.conf, globus-user-ssl.conf, grid-security.conf (all ending in .1e12d831)
• replace VPAC in each of these files with your own organisational Name as listed here. If it is not listed exactly then send an e-mail to help@arcs.org.au to have it corrected or added.
• replace "hostname.vpac.edu.au" in globus-host-ssl.conf with hostname.yourdomain.

Full APACGrid CA Bundle Install - for if you "DO NOT" already have any CA bundles installed on your machine

• If you don't have an existing /etc/grid-security directory then just download APACGrid_CA_Bundle_Full.tar.gz to your /etc directory.
  • run tar -xzvf APACGrid_CA_Bundle_Full.tar.gz
  • run rm APACGrid_CA_Bundle_Full.tar.gz
  • now ensure that the owner and group is set appropriately.
• If /etc/grid-security does exist but none of the files in APACGrid_CA_Bundle_Full.tar.gz exist in /etc/grid-security and /etc/grid-security/certificates then
  • create a temporary directory in /tmp
  • download APACGrid_CA_Bundle_Full.tar.gz to you temporary directory
  • tar -xzvf APACGrid_CA_Bundle_Full.tar.gz and copy the files from your newly created grid-security directory to their corrorsponding places int /etc/grid-security
  • delete the temporary directory.
  • now ensure that the owner and group of the new files are set appropriately.
• now vi /etc/grid-security/certificates/globus-host-ssl.conf.1e12d831
  • now replace any occurence of "VPAC" to your own organisational Name as listed here. if it is not listed exactly then send an e-mail to camanager@vpac.org to have it corrected or added.
  • now replace any occurrence of "hostname.vpac.edu.au" with hostname.yourdomain.
• now vi /etc/grid-security/certificates/globus-user-ssl.conf.1e12d831
  • now replace any occurrence of "VPAC" to your own organisational Name as listed here. if it is not listed exactly then send and e-mail to camanager@vpac.org to have it corrected or added.

Patching the grid-cert-request script

• The initial grid-cert-request scripts supplied with most versions of Globus instruct users to email their generated request to their CA manager; this procedure is inappropriate for our CA. To rectify this, you should download (into /tmp) and execute http://vpac.org/grid/files/grid-cert-request-patch
  • DC 20/03/08 this patch no longer exists, is not required anyway with correct HostCertificates instructions