Globus Tools and Grid Services

Overview

Globus client tools require a user to have a valid Grid certificate signed by an authorized certificate authority (CA). Grid services at the CI accept certificates signed by a variety of CAs, the most common of which is DOEgrids. If you do not have a valid signed certificate, please contact the principle investigator of your project for assistance and sponsorship.

Standard Globus services and tools

Grid services and tools at the CI are typically based on version 5 the standard Globus Toolkit.

Globus tools are added to one's path through Modules by loading the globus module.

In order to use your DN on CI Globus services, run the gx-request -interactive after updating your Modules configuration. Allow one hour for the update to take effect. If you are unable to authenticate after this time, please contact support@ci.uchicago.edu .

Open Science Grid

OSG client tools are provided through softenv. To add the necessary paths and environmental settings to use OSG tools, add the following macro to your ~/.soft file:

+osg-client

Users may notice failures of other tools or applications due to the extensive configuration needed for OSG client tools. When using OSG tools, it is recommended that other Globus macros in one's ~/.soft= file be disabled to avoid path-related conflicts. Undesirable behavior in LDAP and Java may also occur due to order of precedence in the path as well.

The OSG distributes Grid software that diverges from that of a standard Globus installation. Notable differences include:

GUMS and the absence of /etc/grid-security/grid-mapfile: Instead of using the grid-mapfile to map a user's DN to a local Unix account, most OSG sites use a Grid User Management System (GUMS) server when authenticating a Grid submission. OSG sites at the CI (e.g., Teraport) use GUMS to map DNs to both OSG virtual organizations (VOs) and local accounts.

If you wish to have your DN mapped to your local account on a CI OSG resource, email support@ci.uchicago.edu.

Virtual Organization Membership Service (VOMS) and voms-proxy tools: OSG VOs provide their DN-to-account mappings through a VOMS service. The GUMS service is configured to collect these maps from the respective VOs' VOMS services.

Often times a user will have the same DN mapped to multiple accounts (VO or local). In order to instruct the the proxy to map the DN to the preferred account, users should use voms-proxy-init and voms-proxy-info instead of the respective grid-proxy tools.

VOMS service mappings, provided by the vomses file, are necessary for voms-proxy tools. It is recommended that users copy the vomses file to their local directory prior to use:

$ cp /soft/osg-client-1.0.0-r1/glite/etc/vomses ~/.globus/

voms-proxy-init can then be used after setting the VOMS_USERCONF environmental variable:

$ export VOMS_USERCONF=~/.globus/vomses
$ voms-proxy-init -voms VO

-- GregCross - 01 May 2009