Installation of gridftp

 

This installation procedure is condensed and slightly altered from the very good related webpage of Gabriele Garzoglio. The information on Gabriele's webpage is more detailed and more general than needed for this purpose.

New installation

  1. Sam station products installation

    If you don't have the sam station products installed please follow the instructions for the station installation before continuing.


  2. Request a sam service certificate

    Log in as user sam and execute the following commands to install the certificate authority files and request a certificate for the sam service:

    . ~/setups.sh
    setup sam
    ups install_ca sam_gsi_config -q vdt
    
    setup sam_gsi_config -q vdt
    export DIR=`sam_gsi_read_config  | grep SAM_GSI_GRIDFTP_CERT_DIR | awk '{print $2}'`
    export CA=`sam_gsi_read_config  | grep SAM_GSI_GRIDFTP_DEFAULT_CA | awk '{print $2}'`
    cp $DIR/globus-user-ssl.conf.$CA `dirname $DIR`/globus-user-ssl.conf
    cp $DIR/globus-host-ssl.conf.$CA `dirname $DIR`/globus-host-ssl.conf
    
    sam_cert_request --name="[name]" --email="[email]" --phone="[phone-number]"
    
    Replace [name], [email] and [phone-number] with your name, email address and telephone number. Please avoid any spaces, e.g. John_Doe.

    A request will be sent automatically to the CA. You can check the status of the request with the request ID printed in the line

    Submission request id: fixed.requestId = XXXXX;
    
    on this web page. Click on Retrieval, enter the request ID and click submit.


  3. Register your sam service certificate

    Send an email to cdfsam-admin@fnal.gov and cdfdh_oper@fnal.gov and ask them to add your sam server certificate to the central sam_gridftp grid-mapfile AND to the gridftp DCache door (if applicable). This email is also important for the approval of the certificate, because it allows verification that you are a CDF collaborator. Don't send an email to d0sam-admin@fnal.gov, even if the output of sam_cert_request tells you to do so.

    Include your certificate subject, as reported by sam_cert_request, in the email body. The certificate subject is a string of the form

    /DC=org/DC=doegrids/OU=People/CN=sam/cdfsam22.fnal.gov
    


  4. Install your sam service certificate

    The CA will send you an email with a link to your certificate. The format you are interested in is right below "Base 64 encoded certificate". You need to cut and paste it into your certificate file. Be sure to also copy the lines BEGIN CERTIFICATE and END CERTIFICATE.

    You can find the location of your certificate file with the command

    setup sam_gsi_config -q vdt
    sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT
    
    The file is empty at this point, so you can add your certificate to it.


  5. Test your certificate

    Do the following steps only after the previous steps are completed.

    setup sam_gsi_config -q vdt
    
    export X509_USER_CERT=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT`
    export X509_USER_KEY=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_KEY`
    export X509_CERT_DIR=`sam_gsi_read_config SAM_GSI_GRIDFTP_CERT_DIR`
    
    grid-proxy-init
    grid-proxy-destroy
    
    The last two commands create and destroy a valid proxy, if everything is OK.
    IMPORTANT: You must destroy the proxy (grid-proxy-destroy command) after the test in order for sam_gridftp to work correctly afterwards.


  6. Get the grid-mapfile

    Obtain the current grid-mapfile with

    setup sam_gsi_config_util -q vdt
    sam_gsi_get_gridmap --overwrite-gridmap
    
    You may want to establish a cron job as user sam that keeps the grid-mapfile up to date. Create the file crontab.dat with the following lines and replace [email] with the email address of the station administrator:
    MAILTO="[email]"
    # Minute Hour Day-Of-Month Month Day-Of-Week Command
    0 * * * * . /home/sam/setups.sh && setup sam_gsi_config_util -q vdt && sam_gsi_get_gridmap --overwrite-gridmap --no-default-gridmap > /dev/null 2>&1
    
    It can be made a cronjob by executing the following command:
    crontab crontab.dat
    


  7. Enable file copy via gridftp

    The sam_cp_config.py file determines which protocol is used to transfer files between nodes. You can find the location of the configuration file with

    setup sam_cp_config -q vdt
    echo $SAM_CP_CONFIG_FILE
    
    Make sure sam_gridftp and dcache_gridftp are listed as available protocols for your node in the DOMAIN_CAPABILITY_MAP. dcache_gridftp should be enabled for enstore and sam_gridftp for all nodes. For further information about the configuration file read Ulrich's webpage.


  8. Start gridftp server

    Find out which version of gridftp is installed and declared current with:

    ups list -Kversion sam_gridftp -q vdt
    
    Add the gridftp daemon to the server list file ~sam/private/[nodename]_server_list.txt and replace [version] with the version number obtained above:
    gridftp prd [version]
    

    In order to run the gridftp server you have to restart or at least update your SAM station:
    ups update sam_bootstrap
    


  9. Test of sam gridftp

    In order to test gridftp access to enstore (via dCache) type:

    samcp -v -d  enstore:/pnfs/cdfen/filesets/SM/SM48/SM4836/SM4836.2/ei031c2b.0001met0 /tmp/
    
    Check the debug messages for the line
    Accessing the gridftp door.
    
    If you instead see the line
    Accessing the weakly authenticated ftp door.
    
    gridftp is not used and you should revise the sam cp configuration.

    More tests for finer diagnostics are available here.


Upgrade

If you are updating the SAM station software with init_sam, you should check your configuration, in particular the sam cp configuration.
You may also want to repeat the test of sam gridftp.


Certificate renewal

Certificates are only valid for a limited time period. You should request a new certificate before the current one expires.
You can find out the expiration date of your certificate with:
. ~/setups.sh
setup sam_gsi_config -q vdt
export X509_USER_CERT=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT`
grid-cert-info

These are the steps to obtain a new certificate:
  1. Setup sam_gsi_config

    . ~/setups.sh
    setup sam_gsi_config -q vdt
    


  2. Backup of old certificate

    Make a backup copy of your old certificate:

    export X509_USER_CERT=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT`
    export X509_USER_KEY=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_KEY`
    cp $X509_USER_CERT $X509_USER_CERT.old
    cp $X509_USER_KEY $X509_USER_KEY.old
    


  3. Request new certificate

    A new certificate is requested with:

    sam_cert_request --name="[name]" --email="[email]" --phone="[phone-number]" --force
    
    Replace [name], [email] and [phone-number] with your name, email address and telephone number. Please avoid white spaces, e.g. John_Doe.

    The request will be sent automatically to the CA.
    A certificate renewal does not require sending an email to any admin list.


  4. Restore old certificate

    If your old certificate is not yet expired you can use it until you get the new one from the CA. But make sure not to overwrite the new key.

    export X509_USER_CERT=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT`
    export X509_USER_KEY=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_KEY`
    cp $X509_USER_KEY $X509_USER_KEY.new
    cp $X509_USER_CERT.old $X509_USER_CERT
    cp $X509_USER_KEY.old $X509_USER_KEY
    


  5. Install new certificate

    The CA will send you an email with a link to your certificate. The format you are interested in is right below "Base 64 encoded certificate". You need to cut and paste it into your certificate file. Be sure to also copy the lines BEGIN CERTIFICATE and END CERTIFICATE. You can find the location of your certificate file with the command

    setup sam_gsi_config -q vdt
    sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT
    
    If you did not restore the old certificate in the previous step, the file is empty and you can add your certificate.

    Otherwise you have to replace it with the new one and you have to restore the new key:

    export X509_USER_KEY=`sam_gsi_read_config SAM_GSI_GRIDFTP_X509_KEY`
    cp $X509_USER_KEY.new $X509_USER_KEY
    


  6. Test new certificate

    Repeat the test of the certificate and the test of sam gridftp.
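
    A check for the certificate and key handling in the renewal steps above (and for step 4 of the new installation), as an added example that is not part of the original page or of the SAM tools. The function name check_pair and its status words are illustrative, the file paths are passed as arguments, and it assumes the OpenSSL command-line tool and an unencrypted key file.

```shell
#!/bin/sh
# Added example (not part of the SAM tools): check that a service certificate
# and private key belong together before relying on them.
# Usage: sh check_pair.sh CERT KEY [MIN_DAYS_LEFT]

# Prints one status word; returns 0 only for "ok".
check_pair() {
    cp_cert=$1; cp_key=$2; cp_days=${3:-30}

    # The certificate file is empty until the CA's reply has been pasted in.
    [ -s "$cp_cert" ] || { echo "cert-empty"; return 1; }
    [ -r "$cp_key" ]  || { echo "key-unreadable"; return 1; }

    # The private key must not be accessible to group or others
    # (characters 5-10 of the ls mode string are the group/other bits).
    cp_mode=$(ls -lLd "$cp_key" | cut -c5-10)
    [ "$cp_mode" = "------" ] || { echo "key-permissions"; return 1; }

    # Compare the public key embedded in the certificate with the one
    # derived from the private key. A paste that lost its BEGIN/END
    # CERTIFICATE lines fails to parse here.
    cp_cpub=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null) ||
        { echo "cert-unparseable"; return 1; }
    cp_kpub=$(openssl pkey -in "$cp_key" -pubout 2>/dev/null) ||
        { echo "key-unparseable"; return 1; }
    [ "$cp_cpub" = "$cp_kpub" ] || { echo "mismatch"; return 1; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cp_cert" -noout -checkend $((cp_days * 86400)) \
        >/dev/null 2>&1 || { echo "expiring"; return 1; }

    echo "ok"
}

# Run only when paths are given on the command line.
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

    Run it on $X509_USER_CERT and $X509_USER_KEY after each copy of the .old and .new files; "mismatch" means the certificate in place is paired with the wrong key.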






    Last modified: Thu Nov 9 15:47:26 CST 2006 by Thomas Kuhr