





Integrating the Grid security system into a Cloud computing system





At this stage, certificate-based authentication and authorization of users is configured for the security system. Certificates will be created with SimpleCA, which ships with Globus Toolkit. To build the security system, the following steps must be performed:

globus@ubuntu:/usr/local$ source /usr/local/globus-4.0.8/etc/globus-user-env.sh

globus@ubuntu:~$ /usr/local/globus-4.0.8/setup/globus/setup-simple-ca

 

WARNING: GPT_LOCATION not set, assuming:

GPT_LOCATION=/usr/local/globus-4.0.8

C e r t i f i c a t e A u t h o r i t y S e t u p

This script will setup a Certificate Authority for signing Globus

users certificates. It will also generate a simple CA package

that can be distributed to the users of the CA.

The CA information about the certificates it distributes will

be kept in:

/home/globus/.globus/simpleCA/

 

ERROR: It looks like a CA has already been setup at this location.

Do you want to overwrite this CA? (y/n) [n]:y

 

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-ubuntu, ou=GlobusTest, o=Grid

 

Do you want to keep this as the CA subject (y/n) [y]:

Enter the email of the CA (this is the email where certificate

requests will be sent to be signed by the CA):univa@ubuntu

 

The CA certificate has an expiration date. Keep in mind that

once the CA certificate has expired, all the certificates

signed by that CA become invalid. A CA should regenerate

the CA certificate and start re-issuing ca-setup packages

before the actual CA certificate expires. This can be done

by re-running this setup script. Enter the number of DAYS

the CA certificate should last before it expires.

[default: 5 years (1825 days)]:

 

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

creating CA config package...done.

A self-signed certificate has been generated

for the Certificate Authority with the subject:

 

/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntu/CN=Globus Simple CA

 

If this is invalid, rerun this script

/usr/local/globus-4.0.8/setup/globus/setup-simple-ca

 

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in /home/globus/.globus/simpleCA//private/cakey.pem

The public CA certificate is stored in /home/globus/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/home/globus/.globus/simpleCA//globus_simple_ca_41151393_setup-0.19.tar.gz

 

This file must be distributed to any host wishing to request

certificates from this CA.

CA setup complete.

 

The following commands will now be run to setup the security

configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build /home/globus/.globus/simpleCA//globus_simple_ca_41151393_setup-0.19.tar.gz

 

$GLOBUS_LOCATION/sbin/gpt-postinstall

-------------------------------------------------------------------

setup-ssl-utils: Configuring ssl-utils package

Running setup-ssl-utils-sh-scripts...

******************************************************************

Note: To complete setup of the GSI software you need to run the

following script as root to configure your security configuration

directory:

/usr/local/globus-4.0.8/setup/globus_simple_ca_41151393_setup/setup-gsi

For further information on using the setup-gsi script, use the -help

option. The -default option sets this security configuration to be

the default, and -nonroot can be used on systems where root access is

not available.

 

******************************************************************

setup-ssl-utils: Complete

globus@ubuntu:~$ ls ~/.globus/

simpleCA

globus@ubuntu:~$ ls ~/.globus/simpleCA/

cacert.pem globus_simple_ca_41151393_setup-0.19.tar.gz newcerts

certs grid-ca-ssl.conf private

crl index.txt serial

root@ubuntu:~# . /etc/profile

root@ubuntu:~# /usr/local/globus-4.0.8/setup/globus_simple_ca_41151393_setup/setup-gsi -default

setup-gsi: Configuring GSI security

Making /etc/grid-security...

mkdir /etc/grid-security

Making trusted certs directory: /etc/grid-security/certificates/

mkdir /etc/grid-security/certificates/

Installing /etc/grid-security/certificates//grid-security.conf.41151393...

Running grid-security-config...

Installing Globus CA certificate into trusted CA certificate directory...

Installing Globus CA signing policy into trusted CA certificate directory...

setup-gsi: Complete

root@ubuntu:~# ls /etc/grid-security/

certificates globus-host-ssl.conf globus-user-ssl.conf grid-security.conf

root@ubuntu:~# ls /etc/grid-security/certificates/

41151393.0 globus-user-ssl.conf.41151393

41151393.signing_policy grid-security.conf.41151393

globus-host-ssl.conf.41151393

root@ubuntu:~# source /usr/local/globus-4.0.8/etc/globus-user-env.sh

root@ubuntu:~# grid-cert-request -host `hostname`

The hostname ubuntu does not appear to be fully qualified.

Do you wish to continue? [n]

Aborting

root@ubuntu:~# grid-cert-request -host `hostname`

The hostname ubuntu does not appear to be fully qualified.

Do you wish to continue? [n] y

Generating a 1024 bit RSA private key

.........++++++

.......................................................................................++++++

writing new private key to '/etc/grid-security/hostkey.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Level 0 Organization [Grid]:Level 0 Organizational Unit [GlobusTest]:Level 1 Organizational Unit [simpleCA-ubuntu]:Name (e.g., John M. Smith) []:

 

A private host key and a certificate request has been generated

with the subject:

 

/O=Grid/OU=GlobusTest/OU=simpleCA-ubuntu/CN=host/ubuntu

----------------------------------------------------------

The private key is stored in /etc/grid-security/hostkey.pem

The request is stored in /etc/grid-security/hostcert_request.pem

 

Please e-mail the request to the Globus Simple CA univa@ubuntu

You may use a command similar to the following:

cat /etc/grid-security/hostcert_request.pem | mail univa@ubuntu

Only use the above if this machine can send AND receive e-mail. if not, please

mail using some other method.

Your certificate will be mailed to you within two working days.

If you receive no response, contact Globus Simple CA at univa@ubuntu

root@ubuntu:~#

globus@ubuntu:~$ grid-ca-sign -in /etc/grid-security/hostcert_request.pem -out hostsigned.pem

To sign the request

please enter the password for the CA key:

 

The new signed certificate is at: /home/globus/.globus/simpleCA//newcerts/01.pem

globus@ubuntu:~$

root@ubuntu:~# cp ~globus/hostsigned.pem /etc/grid-security/hostcert.pem

root@ubuntu:~# cd /etc/grid-security/

root@ubuntu:/etc/grid-security# cp hostcert.pem containercert.pem

root@ubuntu:/etc/grid-security# cp hostkey.pem containerkey.pem

root@ubuntu:/etc/grid-security# chown globus:globus container*.pem

root@ubuntu:/etc/grid-security# ls -l *.pem

-rw-r--r-- 1 globus globus 2625 2012-07-29 15:44 containercert.pem

-r-------- 1 globus globus 891 2012-07-29 15:44 containerkey.pem

-rw-r--r-- 1 root root 2625 2012-07-29 15:42 hostcert.pem

-rw-r--r-- 1 root root 1347 2012-07-29 15:39 hostcert_request.pem

-r-------- 1 root root 891 2012-07-29 15:39 hostkey.pem

root@ubuntu:/etc/grid-security#
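
An added check, not part of the original session or of Globus Toolkit: the final `ls -l` listing shows the layout the procedure aims for, with each private key readable only by its owner and each certificate/key pair owned by the account that uses it. The function below audits one such pair; the name `audit_gsi_pair` is hypothetical and GNU `stat` (as on the Ubuntu host in the session) is assumed.

```shell
#!/usr/bin/env bash
# Audit one GSI credential pair (<prefix>cert.pem / <prefix>key.pem).
# Assumption: GNU stat is available (stat -c), as on Ubuntu.
# Usage: audit_gsi_pair DIR PREFIX OWNER
#   e.g. audit_gsi_pair /etc/grid-security host root
#        audit_gsi_pair /etc/grid-security container globus
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_gsi_pair() {
    local dir=$1 prefix=$2 owner=$3
    local cert="$dir/${prefix}cert.pem" key="$dir/${prefix}key.pem"
    local bad=0 mode user f

    # Both halves must exist under the exact expected names; a misnamed
    # key file is as good as a missing one to the service that loads it.
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 1

    # Private key: owner-only access (0400 or 0600), no group/other bits.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "KEYMODE  $key is $mode, expected 400 or 600"; bad=1 ;;
    esac

    # Certificate: may be world-readable, must not be group/other-writable.
    mode=$(stat -c '%a' "$cert")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "CERTMODE $cert is $mode, group/other write bit set"
        bad=1
    fi

    # Both files must belong to the account that runs the service.
    for f in "$cert" "$key"; do
        user=$(stat -c '%U' "$f")
        if [ "$user" != "$owner" ]; then
            echo "OWNER    $f owned by $user, expected $owner"
            bad=1
        fi
    done
    return "$bad"
}
```

Run it once per pair after the `chown` step; any output line names the file to fix before starting the container.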

 

 

Date: 2015-11-14; view: 445