Install a CDF Station from Scratch

These directions assume you are using a 64-bit Scientific Linux 6 system.

System/OS level setup

Some of the packages you need must be installed at the system level;
this includes some 32-bit RPMs for compatibility, and the GRID software.

Install 32-bit packages for compatibility

yum install glibc-2.12-1.47.el6_2.9.i686
yum install zlib-1.2.3-25.el6.i686
yum install zlib.i686
yum install libstdc++.i686

Install GRID software.

In our tests, we used the OSG client install version 3.1.4;
see their Install page for instructions.

Any GRID client suite that puts software in /usr/bin, etc. should work with
the configuration we set up.

Create a "sam" account

You could install this stuff under any random user account, but "sam" is the
usual one.

Install SAM ups products

Bootstrap ups/upd

These days, this is very simple; just:

cd
mkdir products
wget ftp://ftp.fnal.gov/products/bootstrap/v3_0/bootstrapLinux64bit+2.6-2.12.tgz
tar -C products -xzvf bootstrapLinux64bit+2.6-2.12.tgz
. products/setups.sh

Install SAM parts

setup upd
upd install -G -c sam_products cdf_Jun2012

If you get a ups declare error in the middle of this, just re-run it.

Configure various packages

Install CDF sam_configs

You could run "ups tailor sam_config" and set up just the sam_configs you want,
but the easy way is to unpack a tarfile with them already configured.

wget http://www-oss.fnal.gov/~mengel/sam_configs.tgz
tar -C products -xzvf sam_configs.tgz

Tailor sam_dcache_cp

Run the tailor script, and take the defaults:

ups tailor sam_dcache_cp

This looks like:

Default configuration values of the dcache doors:

DCache Door Configuration:
  Protocol        = WeakFTP
  Node            = cdfdca1.fnal.gov
  Port            = 25126
  Mounting Point    = /pnfs/cdfen/

DCache Door Configuration:
  Protocol        = GridFTP
  Node            = cdfdca1.fnal.gov
  Port            = 2811
  Mounting Point    = /pnfs/cdfen/

Do you accept the defaults ? (default: yes)

The tailoring of sam_dcache_cp is complete.

Configure sam_cp to use dcache for enstore urls

setup sam_cp
vi $SAM_CP_CONFIG_FILE

You want to change the "'.'" entry in the DOMAIN_CAPABILITY_MAP
to try 'dcache_gridftp' first; that is, change:

DOMAIN_CAPABILITY_MAP = { 'enstore'      : [ 'dcache', \
                                             'dcache_gridftp', ],
                          '.'            : [ 'sam_gridftp', ],

to

DOMAIN_CAPABILITY_MAP = { 'enstore'      : [ 'dcache', \
                                             'dcache_gridftp', ],
                          '.'            : [ 'dcache_gridftp', 'sam_gridftp', ],

Tailor sam_gsi_config

You run

ups tailor sam_gsi_config -q vdt

and take the defaults, answering "cdf" for the "D0 or CDF" question.

This looks like:

[sam@fermicloud025 ~]$ ups tailor sam_gs_-config -q vdt
INFORMATIONAL: Product 'sam_gs_-config' (with qualifiers 'vdt'), has no current chain (or may not exist)
[sam@fermicloud025 ~]$ ups tailor sam_gsi_config -q vdt
Running sam_gsi_config v2_3_3 -q vdt tailoring script
Where do you want to store the sam service certificates (this MUST be a *non-exported* area writable by user sam) [default: /home/sam/private/gsi]? 
Do you want to configure GSI for gridftp [default: yes]? 
You answered yes
Are you installing gridftp for d0 or cdf? cdf
Do you want to configure GSI for the JIM client [default: no]? 
You answered no
Do you want to configure GSI to run a gatekeeper (answer yes if you are installing JIM execution site; you will need access to root) [default: no]? 
You answered no
Do you want to configure GSI for jim_advertise (answer yes if you are also installing a gatekeeper, unless you are an expert) [default: no]? 
You answered no
Do you want to configure GSI to run a JIM submission site [default: no]? 
You answered no
Do you want to configure GSI to run a JIM gridftp server for intra-cluster transfers [default: no]? 
You answered no
Configuring sam_gsi_config for vdt 1.1.14 ...

Your answers and the default configuration have been recorded to
/home/sam/products/sam_gsi_config/sam_gsi_config.fermicloud025.fnal.gov.conf
You can edit this file for a custom installation.

You now need to execute the following commands
To complete the installation:

To intall GSI for gridftp, execute as user sam
  ups install_ca sam_gsi_config v2_3_3 -q vdt
Creating edg-make-gridmap configuration file /home/sam/products/sam_gsi_config/edg_make_gridmap-gridftp.conf ...
You have not configured gatekeeper with sam_gsi_config. Skipping this configuration step.
You have not configured jim_gridftp with sam_gsi_config. Skipping this configuration step.

Then, last but not least, you need to run:

ups install_ca sam_gsi_config v2_3_3 -q vdt

to install the CA certificates.

Install X509 certificates

You want to get a sam X509 certificate/key pair for your instance, and install it in
PEM format in:
$HOME/private/gsi/samserver.cert
$HOME/private/gsi/samserver.key

Request certificate

. ~/setups.sh
setup sam
ups install_ca sam_gsi_config -q vdt

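setup sam_gsi_config -q vdt
# Look up the gridftp certificate directory and default CA from the tailored config
export DIR=$(sam_gsi_read_config | grep SAM_GSI_GRIDFTP_CERT_DIR | awk '{print $2}')
export CA=$(sam_gsi_read_config | grep SAM_GSI_GRIDFTP_DEFAULT_CA | awk '{print $2}')
# Copy that CA's globus-*-ssl.conf files to the parent of the certificate directory
cp "$DIR/globus-user-ssl.conf.$CA" "$(dirname "$DIR")/globus-user-ssl.conf"
cp "$DIR/globus-host-ssl.conf.$CA" "$(dirname "$DIR")/globus-host-ssl.conf"

# Submit the certificate request
sam_cert_request --name="[name]" --email="[email]" --phone="[phone-number]"
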
Replace [name], [email] and [phone-number] with your name, email address and
telephone number.
Please avoid any spaces: e.g. John_Doe.

A request will be sent automatically to the CA.
You can check the status of the request with the request ID printed in the line

Submission request id: fixed.requestId = XXXXX;

on this web page.
Click on Retrieval, enter the request ID and click submit.

Register certificate

Send an email to cdfsam-admin and cdfdh_oper
and ask to add your sam server certificate to the central sam_gridftp
grid-mapfile AND to the gridftp DCache door (if applicable).
This email is also important for the approval of the certificate
so that it can be verified that you are a CDF collaborator.

Don't send an email to , even if the output of
sam_cert_request tells you to do so.

Include your certificate subject in the email body as
reported by sam_cert_request.
The certificate subject is a string of the form

/DC=org/DC=doegrids/OU=People/CN=sam/cdfsam22.fnal.gov

Install certificate

The CA will send you an email with a link to your certificate.
The format you are interested in is right below "Base 64 encoded certificate".
You need to cut and paste it into your certificate file.
Be sure to also copy the lines BEGIN CERTIFICATE and
END CERTIFICATE.

You can find the location of your certificate file with the command

setup sam_gsi_config -q vdt
sam_gsi_read_config SAM_GSI_GRIDFTP_X509_CERT

The file is empty at this point, so you can add your certificate to it.
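
A check for the pasted certificate and its key file, as an added example that is not part of the original directions: it confirms that the BEGIN CERTIFICATE and END CERTIFICATE lines survived the paste, that the body is base64, and that the key is not accessible to group or other. The function names are hypothetical; the default paths are the ones this page gives.

```sh
#!/bin/sh
# Added example: sanity checks for a pasted PEM certificate and its key file.

# check_pem_cert FILE
#   0 ok, 1 missing or empty, 2 BEGIN/END lines missing, 3 body is not base64
check_pem_cert() {
    cert=$1
    [ -s "$cert" ] || return 1
    # Strip CRs, trailing blanks and empty lines that copy/paste can introduce.
    body=$(tr -d '\r' < "$cert" | sed -e 's/[[:space:]]*$//' -e '/^$/d')
    first=$(printf '%s\n' "$body" | sed -n '1p')
    last=$(printf '%s\n' "$body" | sed -n '$p')
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 2
    [ "$last" = "-----END CERTIFICATE-----" ] || return 2
    # Everything between the two marker lines must be base64 text.
    mid=$(printf '%s\n' "$body" | sed '1d;$d')
    [ -n "$mid" ] || return 3
    if printf '%s\n' "$mid" | grep -q '[^A-Za-z0-9+/=]'; then
        return 3
    fi
    return 0
}

# check_key_perms FILE
#   0 ok, 1 missing, 2 group or other has any access to the key
check_key_perms() {
    key=$1
    [ -f "$key" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$key" | cut -c5-10)
    [ "$bits" = "------" ] || return 2
    return 0
}

# check_gsi_pair [CERT [KEY]]; defaults are the paths named on this page.
check_gsi_pair() {
    cert=${1:-$HOME/private/gsi/samserver.cert}
    key=${2:-$HOME/private/gsi/samserver.key}
    check_pem_cert "$cert" || { echo "certificate check failed ($?): $cert" >&2; return 1; }
    check_key_perms "$key" || { echo "key check failed ($?): $key" >&2; return 1; }
    echo "ok: $cert and $key"
}
```

Source the file as user sam and run check_gsi_pair with no arguments to check the default locations.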