Globus Research Data Management: Endpoint Configuration and Deployment. Steve Tuecke Vas Vasiliadis

Similar documents
athenahealth Interface Connectivity SSH Implementation Guide

Globus Research Data Management: Introduction and Service Overview

insync Installation Guide

IBM WebSphere Application Server Version 7.0

USER CONFERENCE 2011 SAN FRANCISCO APRIL Running MarkLogic in the Cloud DEVELOPER LOUNGE LAB

globus online Integrating with Globus Online Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

Dragonframe License Manager User Guide Version 1.2.2

Campus Network Design Science DMZ

WHMCS LUXCLOUD MODULE

SUSE Manager in the Public Cloud. SUSE Manager Server in the Public Cloud

VXOA AMI on Amazon Web Services

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

A Guide to New Features in Propalms OneGate 4.0

GlobalSCAPE DMZ Gateway, v1. User Guide

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

FaxCore 2007 Getting Started Guide (v1.0)

Advanced Configuration Administration Guide

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

VoIPon Tel: +44 (0) Fax: +44 (0)

F-Secure Messaging Security Gateway. Deployment Guide

Authentication Methods

Setting Up Scan to SMB on TaskALFA series MFP s.

Configuration Guide. BES12 Cloud

Password Reset PRO INSTALLATION GUIDE

Fundamentals of Data Movement Hardware

How to configure the TopCloudXL WHMCS plugin (version 2+) Update: Version: 2.2

Secure Messaging Server Console... 2

Laboration 3 - Administration

F-SECURE MESSAGING SECURITY GATEWAY

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

IIS, FTP Server and Windows

Globus Auth. Steve Tuecke. The University of Chicago

MultiSite Manager. Setup Guide

Clustered Data ONTAP 8.3

M2M Series Routers. Port Forwarding / DMZ Setup

Setting up pfsense as a Stateful Bridging Firewall.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.2

JAMF Software Server Installation and Configuration Guide for Linux. Version 9.0

VMware Identity Manager Connector Installation and Configuration

NSi Mobile Installation Guide. Version 6.2

ThinPoint Quick Start Guide

Server Installation Manual 4.4.1

OneLogin Integration User Guide

GRAVITYZONE HERE. Deployment Guide VLE Environment

Talari Virtual Appliance CT800. Getting Started Guide

Configuring the Dolby Conference Phone with Cisco Unified Communications Manager

Configuration Guide BES12. Version 12.1

Department of Veterans Affairs VistA Integration Adapter Release Enhancement Manual

TIBCO Spotfire Platform IT Brief

MultiSite Manager. Setup Guide

WhatsUp Gold v16.2 MSP Edition Deployment Guide This guide provides information about installing and configuring WhatsUp Gold MSP Edition to central

CycleServer Grid Engine Support Install Guide. version 1.25

Configuration Guide BES12. Version 12.3

Running Knn Spark on EC2 Documentation

Installing Policy Patrol on a separate machine

VERALAB LDAP Configuration Guide

Sophos for Microsoft SharePoint startup guide

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

Server Software Installation Guide

NEFSIS DEDICATED SERVER

Setup Guide Access Manager 3.2 SP3

I N S T A L L A T I O N M A N U A L

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

BlackBerry Enterprise Service 10. Version: Configuration Guide

VMware vcenter Log Insight Security Guide

Flexible Identity Federation

Deploy Remote Desktop Gateway on the AWS Cloud

Deploy the ExtraHop Discover Appliance with Hyper-V

Step by step guide for installing highly available System Centre 2012 Virtual Machine Manager Management server:

JAMF Software Server Installation and Configuration Guide for OS X. Version 9.0

Comodo Endpoint Security Manager SME Software Version 2.1

LifeSize Transit Deployment Guide June 2011

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

RingStor User Manual. Version 2.1 Last Update on September 17th, RingStor, Inc. 197 Route 18 South, Ste 3000 East Brunswick, NJ

FortyCloud Installation Guide. Installing FortyCloud Gateways Using AMIs (AWS Billing)

Amazon EFS (Preview) User Guide

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Tutorial: Using HortonWorks Sandbox 2.3 on Amazon Web Services

Load Balancing Microsoft AD FS. Deployment Guide

INSTALLATION GUIDE. Snow License Manager Version 7.0 Release date Document date

System Administration Training Guide. S100 Installation and Site Management

Installation and configuration guide

Pexip Reverse Proxy and TURN Server Deployment Guide

HP Client Automation Standard Fast Track guide

Cisco Expressway Basic Configuration

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

Getting Started with Clearlogin A Guide for Administrators V1.01

Grandstream Networks, Inc. UCM6510 Basic Configuration Guide

NAS 224 Remote Access Manual Configuration

WhatsUp Gold v16.3 Installation and Configuration Guide

Transcription:

Globus Research Data Management: Endpoint Configuration and Deployment Steve Tuecke Vas Vasiliadis

Presentations and other useful information available at globusworld.org/tutorial 2

Agenda Globus Connect Server overview Demonstration and exercise 4: Installing Globus Connect Server Exercise 5: Configuring Globus Connect Server Common Globus Connect Server configurations Advanced endpoint configuration Deployment best practice: Science DMZ Wrap-up and general Q&A 3

Globus Connect Server Overview 4

Globus Connect Server Globus Connect Server MyProxy CA OAuth Server GridFTP Server Local Storage System (HPC cluster, campus server, ) Local system users Create endpoint in minutes; no complex software install Enable all users with local accounts to transfer files Native packages: RPMs and DEBs 5

6

What we are going to do: Server (AWS EC2) ssh 1 Install Globus Connect Server Access server as: rccadmin/gw2015 Update repo Install package Setup Globus Connect Server 2 Log into Globus (using Globus username) Test Endpoint 3 4 Access the newly created endpoint (as user researcher ) Transfer a file 7

Globus Connect Server Demonstration 8

Exercise 4: Set up a Globus Connect Server endpoint and transfer files Goal for this session: turn a storage resource into a Globus endpoint Each of you is provided with an Amazon EC2 server for this tutorial Step 1: Create a Globus account (if you do not have one already) 9

Step 2: Log into your host Your slip of paper has the host information Log in as user rccadmin : Ssh rccadmin@ec2-x-x-x-x.compute-1.amazonaws.com The password is gw2015 NB: Please sudo su before continuing User rccadmin has passwordless sudo privileges 10

Step 3: Install Globus Connect Server Cheat sheet : globusworld.org/tutorial $ sudo su $ curl LOs http://toolkit.globus.org/ftppub/globusconnect-server/globus-connect-serverrepo_latest_all.deb $ dpkg i globus-connect-server-repo_latest_all.deb $ apt-get update $ apt-get -y install globus-connect-server $ globus-connect-server-setup Use your Globus username/password here You have a working Globus endpoint! 11

Step 4: Access your Globus endpoint Go to Manage Data à Transfer Files Access the endpoint you just created Enter: <username>#ec2- in Endpoint field Log in as user researcher (pwd: gw2015); you should see the user s home directory Transfer files Between esnet#???-diskpt1 and your endpoint 12

Exercise 5: Configuring Globus Connect Server Globus Connect Server configuration is stored in: /etc/globus-connect-server.conf To enable configuration changes you must run: globus-connect-server-setup Rinse and repeat NB: Please sudo su before continuing 13

Configuration file walkthrough Structure based on.ini format: [Section] Option Most common options to configure Name Public RestrictedPaths Sharing SharingRestrictedPaths IdentityMethod (CILogon, Oauth) 14

Changing your endpoint name Edit /etc/globus-connectserver.conf Set [Endpoint] Name = dtn Run globus-connect-server-setup Enter your username/password when prompted Access the endpoint in your browser using the new endpoint name You may need to refresh your browser to see the new name in the endpoint list 15

Making your endpoint public Try to access the endpoint created by the person sitting next to you You will get the following message: Could not find endpoint with name dtn owned by user <neighbor s username> 16

Making your endpoint public Edit: /etc/globus-connect-server.conf Uncomment [Endpoint] Public option Replace False with True Run globus-connect-server-setup Try accessing your neighbor s endpoint: you will be prompted for credentials you can access the endpoint as the researcher user 17

Common Globus Connect Server Configurations 18

Firewall configuration Allow inbound connections to port 2811 (GridFTP control channel) 7512 (MyProxy CA) or 443 (OAuth) Allow inbound connections to ports 50000-51000 (GridFTP data channel) If transfers to/from this machine will happen only from/ to a known set of endpoints (not common), you can restrict connections to this port range only from those machines If your firewall restricts outbound connections Allow outbound connections if the source port is in the range 50000-51000 19

Using MyProxy OAuth server MyProxy without OAuth (we just did this!) Site passwords flow through Globus to site MyProxy server Globus does not store passwords Still a security concern for some sites Web-based endpoint activation Sites run a MyProxy OAuth server o MyProxy OAuth server in Globus Connect Server Users enter username/password only on site s webpage to access an endpoint Globus gets short-term X.509 credential via OAuth protocol 20

Enable sharing on your endpoint Edit: /etc/globus-connect-server.conf Uncomment [GridFTP] Sharing = True Run globus-connect-server-setup Go to the Web UI Start Transfer page* Select the endpoint* Create shared endpoints and grant access to other Globus users* * Note: Creation of shared endpoints requires a Globus Provider plan for the managed endpoint Contact support@globus.org for a one-month free trial 22

Advanced Endpoint Configuration 23

Select configuration scenarios Customizing filesystem access Using host certificates Using CILogon certificates Enabling sharing on GT GridFTP server Configuring multiple GridFTP servers Setting up an anonymous endpoint 24

Path Restriction Default configuration: All paths allowed, access control handled by the OS Use RestrictPaths to customize Specifies a comma separated list of full paths that clients may access Each path may be prefixed by R (read) and/or W (write), or N (none) to explicitly deny access to a path '~ for authenticated user s home directory, and * may be used for simple wildcard matching. E.g. Full access to home directory, read access to /data: RestrictPaths = RW~,R/data E.g. Full access to home directory, deny hidden files: RestrictPaths = RW~,N~/.* 25

Sharing Path Restriction Further restrict the paths on which your users are allowed to create shared endpoints Use SharingRestrictPaths to customize Same syntax as RestrictPaths E.g. Full access to home directory, deny hidden files: SharingRestrictPaths = RW~,N~/.* E.g. Full access to public folder under home directory: SharingRestrictPaths = RW~/public E.g. Full access to /proj, read access to /scratch: SharingRestrictPaths = RW/proj,R/scratch 26

Control sharing access to specific accounts SharingStateDir can be used to control sharing access to individual accounts For instance, with SharingStateDir = "/var/globus/sharing/$user user "bob" would be enabled for sharing only if a path exists with the name "/var/globus/sharing/bob/" and is writable by bob. 27

Using a host certificate for GridFTP You can use your GridFTP server with non-globus clients Requires a host certificate, e.g. from OSG Comment out Set FetchCredentialFromRelay = True CertificateFile = <path_to_host_certificate> KeyFile = <path_to_private key_associated_with_host_certificate> TrustedCertificateDirectory = <path_to_trust_roots> 28

Single Sign-On with InCommon/CILogon Requirements Your organization s Shibboleth server must release the eppn attribute to CILogon Your local resource account names must match your institutional identity (InCommon ID) Set AuthorizationMethod = CILogon in the Globus Connect Server configuration Set CILogonIdentityProvider = <your_institution_as_listed_in_cilogon_i dentity_provider_list> Add CILogon CA to your trustroots /var/lib/globus-connect-server/grid-security/certificates/ Visit ca.cilogon.org/downloads for certificates 29

Enabling Sharing on a GT GridFTP Installation Get Globus Sharing CA certificates http:// toolkit.globus.org/toolkit/docs/latest-stable/gridftp/ securityd2b.tar.gz Add to your trusted certificates directory (/etc/gridsecurity/certificates) Use '-sharing-dn' option in the server as follows: globusgridftp-server -sharing-dn "/C=US/O=Globus Consortium/ OU=Globus Connect User/CN= transfer Use '-sharing-rp' option to restrict the file paths allowed for sharing: globus-gridftp-server -sharing-rp <path> http://toolkit.globus.org/toolkit/docs/latest-stable/gridftp/ admin 30

Deployment Scenarios Globus Connect Server components globus-connect-server-io, -id, -web Default: -io and id (no web) on single server Common options Multiple io servers for load balancing, failover, and performance No -id server, e.g. third-party IdP such as CILogon -id on separate server, e.g. non-dtn nodes -web on either id server or separate server for OAuth interface 31

Setting up multiple io servers Guidelines Use the same.conf file on all servers First install on the server running the id component, then all others 1. Install Globus Connect Server on all servers 2. Edit.conf file on one of the servers and set [MyProxy] Server to the hostname of the server you want the id component installed on 3. Copy the configuration file to all servers /etc/globus-connect-server.conf 4. Run globus-connect-server-setup on the server running the id component 5. Run globus-connect-server-setup on all other servers 6. Repeat steps 2-5 as necessary to update configurations 32

Deployment Best Practice: Science DMZ 33

Researchers don t realize full benefits of existing IT infrastructure Impedance mismatch between research computing systems and the WAN Network misconfiguration (10 x 1Gb/s links 1 x 10Gb/s link) Indiscriminate security policies TCP: small amount of packet loss = huge difference in performance 34

Science DMZ Components Friction free network path Dedicated, high-performance data transfer nodes (DTNs) Performance measurement/test node User engagement and education LOTS of great info available at: fasterdata.es.net/science-dmz 35

Typical deployment Border Router perfsonar Enterprise Border Router/Firewall Science DMZ + WAN perfsonar 10G Clean, High-bandwidth WAN path 10GE 10GE Site / Campus access to Science DMZ resources Science DMZ Switch/Router 10GE Site / Campus LAN Globus 10GE Per-service security policy control points perfsonar High performance Data Transfer Node with high-speed storage Details at: fasterdata.es.net 36

Network paths Lab1 DTN security filters Lab1 DTN 10GE DTN TCP ports 50000-51000 DATA DTN Lab2 DTN 10GE Lab2 DTN security filters Lab1 Science DMZ TCP ports 443, 2811, 7512 TCP ports 443, 2811, 7512 Lab2 Science DMZ 100GE Orchestration Orchestration 10GE Lab1 Border Router Lab2 Border Router 100GE Amazon AWS 10GE ESnet Router 100GE ESnet 100GE ESnet Router Logical data path Logical control path Physical data path Physical control path Lab1 DTN security filters Lab2 DTN security filters 37

Enable your campus systems Signup: globus.org/signup Enable your resource: globus.org/globusconnect-server Need help? support.globus.org Subscribe to help make Globus self-sustaining globus.org/provider-plans Follow us: @globusonline 38

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information