„PRACE User Support” változatai közötti eltérés
(→User Guide to create a digital certification request with openssl) |
|||
| 8. sor: | 8. sor: | ||
| − | + | <nowiki>#</nowiki>''purpose of the certificate''<br/> | |
| − | + | {| class="wikitable" border="0" | |
| − | |||
|- | |- | ||
|1.organizationalUnitName | |1.organizationalUnitName | ||
|= Organizational Unit Name<br/> | |= Organizational Unit Name<br/> | ||
| − | 1.organizationalUnitName_default = GRID # Ezek lehetnek: GRID, HBONE, General Purpose<br/> | + | |- |
| − | 2.organizationalUnitName | + | |1.organizationalUnitName_default |
| − | 2.organizationalUnitName_default = NIIF # | + | |= GRID # ''Ezek lehetnek: GRID, HBONE, General Purpose''<br/> |
| − | commonName = Common Name (YOUR name) # | + | |- |
| − | commonName_max = 64A | + | |2.organizationalUnitName |
| + | | = Second Organizational Unit Name<br/> | ||
| + | |- | ||
| + | |2.organizationalUnitName_default | ||
| + | |= NIIF # ''For example: BME, ELTE, SZFKI, SZTAKI, NIIF, ...''<br/> | ||
| + | |- | ||
| + | |commonName | ||
| + | |= Common Name (YOUR name) # ''User Name.''<br/> | ||
| + | |- | ||
| + | |commonName_max | ||
| + | |= 64A | ||
|} | |} | ||
| − | + | :2. Create PKCS#10 reqquest | |
| + | |||
| + | :* No existing secret key: | ||
| + | Run the | ||
| + | <code> | ||
| + | openssl req -newkey rsa:1024 -config ./niif_ca_user_openssl.cnf -out new_csr.pem | ||
| + | </code> | ||
| + | command, and answer the appearing questions at the prompt. The Institute (NIIF CA) and country (HU) datas should not be changed, or the request is going to be invalid. The certification request and the corresponding private key will be saved in the new_csr.pem and privkey.pem files. To gain acces to the private key, during the generating given "pass phrase" password must be used. In case of a forgotten password, the certificate will be unusable. | ||
| + | |||
| + | :* Existing private key (extend) | ||
| + | |||
| + | If there is an existing, previously generated private key (it must be at least a 1024 bit RSA key), which can be found in the old_key.pem file, then the following command creates the CSR | ||
| + | <code> | ||
| + | openssl req -new -key ./old_key.pem -config ./niif_ca_user_openssl.cnf -out new_csr.pem | ||
| + | </code> | ||
| + | |||
| + | |||
| + | How to send the PKCS#10 to the CA: | ||
| − | |||
==== Access with GSI-SSH ==== | ==== Access with GSI-SSH ==== | ||
A lap 2013. június 21., 13:50-kori változata
User Guide to create a digital certification request with openssl
This paragraph gives a short overview about how to require a digital certificate from NIIF CA for users using openssl with the PKCS#10 format.The latest version of the openssl program can be downloaded from: Windows, Linux.
- 1. Download the openssl configuration file
- To generate the CSR, there is a prewritten niif_ca_user_openssl.cnf file on the NIIF CA website.
- The following modifications must be done in the config:
#purpose of the certificate
| 1.organizationalUnitName | = Organizational Unit Name |
| 1.organizationalUnitName_default | = GRID # Ezek lehetnek: GRID, HBONE, General Purpose |
| 2.organizationalUnitName | = Second Organizational Unit Name |
| 2.organizationalUnitName_default | = NIIF # For example: BME, ELTE, SZFKI, SZTAKI, NIIF, ... |
| commonName | = Common Name (YOUR name) # User Name. |
| commonName_max | = 64A |
- 2. Create PKCS#10 reqquest
- No existing secret key:
Run the
openssl req -newkey rsa:1024 -config ./niif_ca_user_openssl.cnf -out new_csr.pem
command, and answer the appearing questions at the prompt. The Institute (NIIF CA) and country (HU) datas should not be changed, or the request is going to be invalid. The certification request and the corresponding private key will be saved in the new_csr.pem and privkey.pem files. To gain acces to the private key, during the generating given "pass phrase" password must be used. In case of a forgotten password, the certificate will be unusable.
- Existing private key (extend)
If there is an existing, previously generated private key (it must be at least a 1024 bit RSA key), which can be found in the old_key.pem file, then the following command creates the CSR
openssl req -new -key ./old_key.pem -config ./niif_ca_user_openssl.cnf -out new_csr.pem
How to send the PKCS#10 to the CA:
Access with GSI-SSH
A user can access to the supercomputers by using the GSI-SSH protocol.
It requires a machine with a Globus installation that provides the gsissh client.
The needed credentials (these mean the private and public keys) must be created before entering the machine with the
grid-proxy-init
or
arcproxy
commands.
By default, the proxies are valid for 12 hours. It is possible to modify this default value with the following commands:
arcproxy -c validityPeriod=86400
or
grid-proxy-init -hours 24
Both of the previous commands set the validation of the proxies to 24 hours. Using the arcproxy, the validation time must be given is seconds.
To enter the site, the
gsissh -p 2222 login.budapest.hpc.niif.hu
command has to be used.
GridFTP file transfer
In order to use GridFTP for file transfer, one needs a GridFTP client program that provides the interface between the user and a remote GridFTP server. There are several clients available for GridFTP, one of which is globus-url-copy, a command line tool which can transfer files using the GridFTP protocol as well as other protocols such as http and ftp. globus-url-copy is distributed with the Globus Toolkit and usually available on machines that have the Globus Toolkit installed.
Syntax
globus-url-copy [options] sourceURL destinationURL
- [options] The optional command line switches as described later.
- sourceURL The URL of the file(s) to be copied. If it is a directory, it must end with a slash (/), and all files within that directory will be copied.
- destURL The URL to which to copy the file(s). To copy several files to one destination URL, destURL must be a directory and be terminated with a slash (/).
Globus-url-copy supports multiple protocols, so the format of the source and destination URLs can be either
file://path
when you refer to a local file or directory or
protocol://host[:port]/path
when you refer to a remote file or directory.
globus-url-copy is supporting other protocols such as http, https, ftp and gsiftp as well.
- Example:
globus-url-copy file://task/myfile.c gsiftp://login.budapest.hpc.hu/home/task/myfile.c
This command uploads the myfile.c file from the locak task folder to the remote machine's home/task folder.
Command line options for globus-url-copy [options]
- -help Prints usage information for the globus-url-copy program.
- -version Prints the version of the globus-url-copy program.
- -vb During the transfer, displays: (1) number of bytes transferred (2) performance since the last update (every 5 seconds) (3) average performance for the whole transfer
The following table lists parameters which you can set to optimize the performance of your data transfer:
- -tcp-bs <size>Specifies the size (in bytes) of the TCP buffer to be used by the underlying GridFTP data channels.
- -p <number of parallel streams> Specifies the number of parallel streams to be used in the GridFTP transfer.
- -stripe Use this parameter to initiate a “striped” GridFTP transfer that uses more than one node at the source and destination. As multiple nodes contribute to the transfer, each using its own network interface, a larger amount of the network bandwidth can be consumed than with a single system. Thus, at least for “big” (> 100 MB) files, striping can considerably improve performance.
