Thursday, July 31, 2008

PHINMS Certificates in Globus

Thanks to Vaughn McMullin, we were able to come up with a repeatable process for installing existing PHINMS user certificates on Globus nodes. The following is a high level description of the process:

1.Export your PHINMS certificate with Internet Explorer using the Personal Information Exchange PKCS12 option.

2.Check the, “Include all certificates and certificate paths” box. NOTE: This should be the only option checked.

3.Upload the exported certificates to the Globus node. (Root, Intermediate, and Private)

4.Use Portecle to view the exported certificates. Portcle is started using the following command: java -jar portecle.jar

5.Use the PEM Encoding option in Portecle to generate a PEM file that Globus can understand.

6.Create a hash name for the PEM file that was created using the following command: openssl x509 -in yourfile.pem -noout -hash

7.Rename the file to the hash number displayed in the following format: hash.0

8.Manually create a signing policy named (hash.signing_policy) Use the following link as a guide to create a signing policy for PHINMS certificates:

9.Copy the new files to /etc/grid-security/certificates

10.Verify proper installation by running the following command: openssl verify -verbose -CApath /opt/vdt/globus/TRUSTED_CA -purpose sslclient /home/your_user/your.pem

No comments: