CredentialManager Administrator's Guide

Preparing for the MyProxy Server Installation

If you plan to install standard Globus Toolkit services on the host, we recommend that you install and test the Globus Toolkit services before installing CredentialManager. This will ensure that your Globus security environment is correctly configured and ready for the CredentialManager installation. However, it is not required that you install any standard Globus Toolkit services on the host. The CredentialManager software distribution contains all needed software.

Installing the CredentialManager Software

Deploy the CredentialManager Factory service on the host where you want to run client programs. (instructions here).

Configuring the CredentialManager Installation

The CredentialManager package is installed with a set of default parameters taken from the credentialmanager-config.wsdd file, which is included in $GLOBUS_LOCATION/server-config.wsdd after deployment. Edit $GLOBUS_LOCATION/server-config.wsdd to change these or any other parameters for the CredentialManager package. This section introduces some of them.

The CredentialManagerFactoryService is configured to use gridmap authorization by default. If using the default gridmap authorization for the CredentialManagerFactoryService, you will need to add users to the gridmap file, which is at the location specified in $GLOBUS_LOCATION/server-config.wsdd (/etc/grid-security/grid-mapfile by default). The syntax is to have one line per user, with the certificate subject followed by the user account name, like the following:
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" bacon
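
Because the gridmap file decides which certificate subjects are authorized and which account each maps to, it is worth linting after every edit. The following is an added example, not part of the CredentialManager distribution: a small Python check for the one-line-per-user syntax described above. The function name, the sample entries other than the first, the treatment of '#' lines as comments, and the requirement that a subject start with '/' are assumptions of this example.

```python
import shlex

# Constructed sample; only the first entry comes from the guide.
SAMPLE = '''\
"/O=Grid/O=Globus/OU=mcs.anl.gov/CN=Charles Bacon" bacon
# constructed entries below
/O=Grid/O=Globus/OU=example.org/CN=Jane Doe jdoe
"/O=Grid/O=Globus/OU=example.org/CN=Sam Lee" slee
"/O=Grid/O=Globus/OU=example.org/CN=Sam Lee" admin
"O=Grid/CN=No Leading Slash" nls
"/O=Grid/O=Globus/OU=example.org/CN=Unterminated quote
'''

def lint_gridmap(text):
    """Return (mappings, problems): subject -> account, and (line, message) pairs."""
    mappings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        try:
            fields = shlex.split(line)          # honours the quoted subject
        except ValueError as exc:               # e.g. missing closing quote
            problems.append((lineno, f"unparsable line: {exc}"))
            continue
        if len(fields) != 2:                    # unquoted subject with spaces
            problems.append((lineno, f"expected subject and account, got {len(fields)} fields"))
            continue
        subject, account = fields
        if not subject.startswith("/"):         # assumption: subjects begin with '/'
            problems.append((lineno, "subject does not start with '/'"))
            continue
        if mappings.get(subject, account) != account:
            # Same certificate mapped to two accounts: ambiguous authorization.
            problems.append((lineno, f"subject already mapped to {mappings[subject]!r}"))
            continue
        mappings[subject] = account
    return mappings, problems

if __name__ == "__main__":
    # Hypothetical usage: pass the text of /etc/grid-security/grid-mapfile instead.
    ok, bad = lint_gridmap(SAMPLE)
    print(f"{len(ok)} valid mappings")
    for lineno, message in bad:
        print(f"line {lineno}: {message}")
```

Lines reported as problems are skipped rather than guessed at, so a subject never ends up authorized through a partially parsed entry.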

The CredentialManager runs in a Globus OGSA container and requires that the container be run with credentials for authentication. The GT 3.0 Admin Guide contains instructions for acquiring certificates and installing and configuring MMJFS. See here for more information on configuring the Grid Security Infrastructure. If using key and certificate files in non-default locations, set the X509_USER_CERT and X509_USER_KEY and/or X509_USER_PROXY environment variables before starting the container. Note that if you run the container with a regular user proxy, you will need to periodically renew it with grid-proxy-init and you will need to specify '-auth self' for all client commands.

The CredentialManager instances are configured by default to subscribe to an IndexService running in the same container once per hour. The service instances can use the base of their instance handle to construct the IndexService handle, so the optional parameter 'instance-indexserviceurl' only needs to be set when the IndexService is remote from the service instance. The optional parameter 'instance-issubscriptionperiod' sets both the subscription lifetime and the subscription frequency to the IndexService. For instance, if 'instance-issubscriptionperiod' is set to 2 hours, the service instances will subscribe to the IndexService once every two hours and the subscription lifetime will also be 2 hours.

The quality of the password given to the init command is not checked by default. If a quality check is required, install a cracklib_dict file and set the optional parameter 'cracklib_dict' to the path of that file.

Verifying the CredentialManager installation

To verify your CredentialManager installation and configuration, you can run globus-start-container directly from your shell. If using a host certificate, you will need to run globus-start-container as root. First, make sure your Globus environment is set up in your shell. Set the GLOBUS_LOCATION environment variable to the location of your Globus installation.

In another shell, you can run the CredentialManager client programs at $GLOBUS_LOCATION/bin. Refer to the User's Guide for examples.