Bug 6337 - Cannot configure globus to use different certificate path than default
Status: RESOLVED WONTFIX
Product: GRAM
Component: gt2 Gatekeeper/Jobmanager
Version: 4.0.7
Platform: PC Linux
Importance: P3 normal
Reported: 2008-08-25 15:50 by
Modified: 2012-09-12 10:43 (History)


Description From 2008-08-25 15:50:49
We're trying to set up globus to use a different certificate and key than the
default (/etc/grid-security/host*.pem) by configuring globus-job-manager.conf. 
The contents of globus-job-manager.conf are:
        -home "/opt/OSG-1.0.0/globus"
        -globus-gatekeeper-port 2119
        -x509_cert_dir /etc/grid-security/certificates
        -x509_user_cert /etc/grid-security/backup/f5certs/hostcert.pem
        -x509_user_key /etc/grid-security/backup/f5certs/hostkey.pem
        -globus-host-cputype i686
        -globus-host-manufacturer pc
        -globus-host-osname Linux
        -globus-host-osversion 2.6.9-42.0.10.ELsmp
        -globus-tcp-port-range 20000,30000
        -globus-toolkit-version 4.0.7
        -save-logfile on_error
        -state-file-dir /opt/OSG-1.0.0/globus/tmp/gram_job_state
        -machine-type unknown
        -extra-envvars LD_LIBRARY_PATH
I also tried:
        -home "/opt/OSG-1.0.0/globus"
        -globus-gatekeeper-port 2119
        -x509_cert_dir /etc/grid-security/certificates
        -globus-host-cputype i686
        -globus-host-manufacturer pc
        -globus-host-osname Linux
        -globus-host-osversion 2.6.9-42.0.10.ELsmp
        -globus-tcp-port-range 20000,30000
        -globus-toolkit-version 4.0.7
        -save-logfile on_error
        -state-file-dir /opt/OSG-1.0.0/globus/tmp/gram_job_state
        -machine-type unknown
        -extra-envvars LD_LIBRARY_PATH:X509_USER_CERT=/etc/grid-security/backup/f5certs/hostcert.pem:X509_USER_KEY=/etc/grid-security/backup/f5certs/hostkey.pem
since running "globus-job-manager -help" doesn't show the x509_user_cert and
x509_user_key options. 

But neither version makes a difference after restarting, namely, if the default
cert and key are not in place, I cannot do a globus-job-submit.  Any ideas?

Ultimately what we're trying to do is to set up multiple gatekeepers load
balanced behind one virtual IP on an F5 switch.  The problem is that if we
configure globus to return a url for checking the status with the name of the
virtual IP, then when checking the status, the F5 switch is likely to not route
the request to the host where the job was submitted.  Therefore, we need to
configure globus to return a url with the real name of the host so we can
contact it directly.  However, it has been configured to use a certificate with
the name of the virtual IP in it for the sake of the submission, so the result
is that the status request fails.  Therefore we need globus to use one
certificate for port 2119 and another for other ports (for checking status). 
We are playing around with setting up xinetd to change the environmental
variables such that this will be possible.  However, the first step is to
figure out how to configure globus to use another path than the default for the
host certificate, which we can't figure out.

Thanks,
Jay Packard
BNL
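
A pre-flight check for a certificate/key pair kept outside the default path, as an added example that is not part of the original report or of Globus: it reports which host name the certificate carries (the virtual-IP name or the real host name), whether the key belongs to it, and whether the key file is owner-only. The function name `check_host_cred`, the stripping of a `host/` CN prefix and the 400/600 mode rule are assumptions of this sketch; it needs `openssl` and GNU `stat`.

```bash
#!/usr/bin/env bash
# Added example (not Globus code).
# Usage: check_host_cred CERT KEY EXPECTED_HOSTNAME
# Prints one finding per line and returns 0 only if every check passes.
check_host_cred() {
    local cert="$1" key="$2" want="$3" rc=0 cn mode certpub keypub

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL cannot read $cert or $key"; return 1
    fi

    # Name the certificate asserts: first CN of the subject, minus the
    # "host/" service prefix that grid host certificates commonly carry
    # (assumption of this example).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    cn=${cn#host/}
    if [ -n "$cn" ] && [ "$cn" = "$want" ]; then
        echo "OK   name $cn"
    else
        echo "FAIL name: certificate says '$cn', clients will expect '$want'"; rc=1
    fi

    # Key pair: the public key inside the certificate must equal the one
    # derived from the private key file.
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then
        echo "OK   key matches certificate"
    else
        echo "FAIL key does not belong to this certificate"; rc=1
    fi

    # Permissions: private key accessible by its owner only (assumed rule).
    mode=$(stat -c %a "$key")
    case $mode in
        400|600) echo "OK   key mode $mode" ;;
        *)       echo "FAIL key mode $mode, expected 400 or 600"; rc=1 ;;
    esac
    return $rc
}

# Run directly only when called with the three arguments.
if [ "$#" -eq 3 ]; then check_host_cred "$@"; fi
```

Run it once per credential with the name clients will use for that port, for example the virtual-IP name for the submission certificate and the real host name for the other.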
------- Comment #1 From 2012-09-12 10:43:59 -------
We've migrated our issue tracking software to jira.globus.org. Any new issues
should be added here:

http://jira.globus.org/secure/VersionBoard.jspa?selectedProjectId=10363

As this issue hasn't been commented on in several years, we're closing it. If
you feel it is still relevant, please add it to jira.