The Globus Toolkit install is well documented in the System Administration Guide. The following local choices and modifications are applied:
OpenLDAP sources were retrieved from the Globus site and contain the required `time-out patch'. They were built using the default options. A special version (for i386-linux) that includes the ldbm backend is available. This installation can be used to evaluate a regular LDAP directory for other purposes.
Globus is installed in /global/ices/toolset/globus. It contains a `localize.nikhef' directory with some per-host setups.
These files were modified:
etc/grid-info.conf - this file is modified by globus_setup and contains information on the GIIS. Modify this file in the installdir and every deploy dir to change, e.g., the port the GIIS listens to (30001). Our info model is MDS_SITE_INDEX.
etc/grid-info-hosts.conf - lists the hosts in the microgrid. It was redistributed to all deploy directories after Globus was deployed on all four hosts.
etc/globus-services.conf
etc/globus-services - unchanged, it contains only a fork-style job manager. This is a per-resource file, generated from a system-wide file etc/globus-services.conf. Modify the latter file and rerun globus-local-deploy on the relevant machine.
etc/globus-gatekeepers.conf - the default was changed to `daemon'. The original `inetd' requires root privilege to install. It contains explicit entries for the four hosts, although that might be unnecessary.
etc/grid-mapfile - changed and distributed to all four hosts after deployment. It contains some sample entries for `David Groep', `Kors Bos', `Victor Klos' and `EMIN-meet shared account'. Currently, they all map to `davidg', the user running the gatekeeper.
etc/globus-jobmanager.conf - this file seems modified but is actually a default. It is updated by SXXglobus start to reflect a possibly changed certificate subject of the gatekeeper (see sources).
sbin/globus-startup-lib.sh - this file contains the uid used by the SXX startup scripts to run commands that do not need root privileges. It is set at local-deploy time to the user performing the deployment. The statement says: GLOBUS_UID="gridadm".
share/certificates - the directory is used for a hash-based certificate lookup from SSL. It contains the certificates for the two new CAs (nikCA and nikhefCA), whose hashes are `cee276c0' and `263d1de6', respectively.
share/certificates/ca-signing-policy.conf - This file was extended to allow: (1) the nikCA authority to sign `/O=Vlab/O=Globus/' certificates and (2) the nikhefCA to sign `/C=NL/O=NIKHEF/' as well as `/O=Vlab/O=Globus/' certificates. This file has the regular EACL format used by OpenSSL (SSLeay).
Optionally, you can distrust the Globus CA to sign Globus certificates `/O=Grid/O=Globus/' and `/C=US/O=Globus/' if needed. It seems better not to allow access (using the grid mapfile) to any `/O=Grid/O=Globus/' credentials.
The relevant scripts are (almost) identical to the `demoCA' shipped with SSLeay. The nikhefCA uses a local configuration file, the nikCA still uses the global ssleay.cnf in the toolset/ssl directory.
A `signmail' script automated the process of signing incoming certification requests, generated by either `globus-local-deploy' (for Grid hosts) or `grid-cert-request' (for Grid users).
globus_setup script was called without the -classic option).
The MDS/GIIS setup options - MDS host is `bilbo.nikhef.nl', MDS port is 30001 and the Organization DN is `dc=nikhef, dc=nl, o=Grid'. This DN is compatible with the default Globus install (it uses the o=Grid as the base DN for the DIT).
The security (GSI) setup options - base DN for hosts is `c=nl, o=nikhef', the base DN for users is (also) `c=nl, o=nikhef'. If you modify these values directly in etc/grid-security.conf, run grid-cert-request-config from the tools directory afterwards.
To `localize' a newly deployed globus system, and to propagate changes in the local setup to all relevant hosts, a `localize' distribution script Dist.sh is available in the deploy directory localize.nikhef. Changes in global configuration should be propagated using this script.
Mapfiles are stored in a central location localize.nikhef/mapfiles/. Add and remove users there and use ./Dist.sh to propagate.
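
An added example, not part of these notes or of Globus itself: a check that could be run on a mapfile under localize.nikhef/mapfiles/ before ./Dist.sh propagates it, applying the namespace advice given for ca-signing-policy.conf and the grid mapfile. The quoted-DN entry format, the function name audit_mapfile, the exact-prefix matching and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Namespaces the signing policy on this page lets nikCA / nikhefCA sign.
TRUSTED_PREFIXES = ("/C=NL/O=NIKHEF/", "/O=Vlab/O=Globus/")
# Globus CA namespaces the page suggests keeping out of the mapfile.
DISTRUSTED_PREFIXES = ("/O=Grid/O=Globus/", "/C=US/O=Globus/")
# Assumed entry format: "<certificate subject DN>" <local account>
ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')

# Constructed sample, not the site's real mapfile.
SAMPLE = '''\
# constructed grid-mapfile
"/C=NL/O=NIKHEF/CN=Example User One" davidg
"/O=Vlab/O=Globus/CN=Example User Two" davidg
"/O=Grid/O=Globus/CN=Example Outsider" davidg
"/C=NL/O=NIKHEF/CN=Example User One" gridadm
/C=NL/O=NIKHEF/CN=Unquoted Name davidg
'''

def audit_mapfile(text, gatekeeper_user="davidg"):
    """Return (line_no, severity, message) findings for a grid-mapfile."""
    findings = []
    accounts_by_dn = defaultdict(set)
    dns_by_account = defaultdict(set)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:  # e.g. DN with spaces but no quotes
            findings.append((no, "error", "unparseable entry"))
            continue
        dn, account = m.groups()
        if dn.startswith(DISTRUSTED_PREFIXES):
            findings.append((no, "error", "DN in distrusted Globus CA namespace"))
        elif not dn.startswith(TRUSTED_PREFIXES):
            findings.append((no, "warn", "DN outside locally signed namespaces"))
        if accounts_by_dn[dn] and account not in accounts_by_dn[dn]:
            findings.append((no, "warn", "DN already mapped to another account"))
        accounts_by_dn[dn].add(account)
        dns_by_account[account].add(dn)
    shared = len(dns_by_account[gatekeeper_user])
    if shared > 1:  # several identities become indistinguishable in local logs
        findings.append((0, "warn", f"{shared} DNs share gatekeeper account {gatekeeper_user}"))
    return findings

if __name__ == "__main__":
    print(*audit_mapfile(SAMPLE), sep="\n")
```

Line number 0 marks a whole-file finding; a distribution wrapper could refuse to propagate when any finding has severity `error'.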