Jump to content France-Français
Accueil HP.com France Produits et Services Support et Pilotes Espaces Comment Acheter
» Contacter HP
Accueil HP.com France
 Technologies  >  Grid  >  Globus

Globus Toolkit on multi-homed hosts
» 

Grandes entreprises
» Produits
» Services Business et Systèmes d'information
» Solutions
» Partenaires
» Support
» Technologies d'entreprise
» TV, actualités et bibliothèque
Dynamic cloud services at HP Labs
Define your datacenter infrastructure
Content starts here

Multi-homed host overview

RFC1208 defines a multi-homed host as:

"A computer connected to more than one physical data link. The data links may or may not be attached to the same network."


Each network interface on a multi-homed host has a unique address that commonly resolves to a unique name. However, since Globus must be configured using a single host name (for reasons explained below), care must be taken in choosing this Globus Canonical Host Name (GCHN). Local users and system services should always set the $GLOBUS_HOSTNAME environment variable to the GCHN to avoid host authentication failures.

GSI certificates

Globus uses Grid Security Infrastructure (GSI) certificates (public key cryptography) to authenticate users, hosts, and services. GSI server certificates include the host name in the subject which must match the server name as determined by the client. This is because the Globus client-side code does a reverse (DNS PTR record) lookup on the server socket peer address and uses the resulting host name to compare with the host name found in the certificate. The following note sent to the PMA mailing list identifies the reasons behind this choice: "Since GSI only supports one name per certificate and only one certificate per server we had to pick a single name to expect in the certificate. Instead of forcing the user to supply the right name we decided the inverse dns record was the way to go."

The ramifications of this decision are as follows:

  • Server applications (e.g., Gatekeeper, GridFTP), client applications (e.g., globus-url-copy) and certificates must agree on a GCHN taken from one externally-resolvable interface address. Attempting to use an internal IP address would make it impossible for hosts outside the internal network to communicate, and using the internal host name will likely cause the client-side certificate comparison to fail (and ultimately result in an authentication failure).
  • A host alias (DNS CNAME record) must not be used by server applications or in certificates. This is because the comparison of the alias against the actual host name (from the client-side PTR lookup of the socket peer address) will fail. Interestingly, RFC2595, "Using TLS with IMAP, POP3 and ACAP," Section 2.4 "Server Identity Check," mandates the exact opposite: a client-specified CNAME must never be canonicalized.

Getting started

»  Contact HP
»  HP Grid Consulting Services

Globus Toolkit         feedback form

»  Send questions or feedback on the Globus Toolkit for HP platforms

Grid computing

»  HP grid computing
»  HP Labs grid technical reports
»  Computational and data grids
»  HP Collaboration and Competency Network
»  Globus Alliance
»  Globus Toolkit

HP platforms

»  HP Unified Cluster Portfolio
»  Linux
»  HP-UX 11i
»  XC Clusters
»  HP Integrity servers
»  HP Tru64 UNIX®

Determining the Globus Canonical Host Name (GCHN)

On HP XC Clusters, it is recommended that one obtain a new virtual IP address and corresponding hostname (GCHN) specifically for globus (see Globus on XC Clusters for more information). Similarly, on Alpha TruCluster or AlphaServer SC systems, it may be desirable to use the existing cluster alias for the GCHN (see Globus on TruClusters for more information). If either of these methods are chosen, skip ahead to the next section. Otherwise, select the GCHN by identifying the name of an externally-resolvable interface as follows:
  • Determine the IP address of an external interface. A list of interfaces (and their addresses) is usually available from the command 
        $ ifconfig -a
    On the XC Cluster, use the head node (if it's externally accessible) or one of the login nodes.
  • Map this address back to its canonical host name. Note that, it may matter if the name is fully-qualified (the client-side host name comparison uses a simple string match). If, after reading gethostbyaddr(3), this process seems confusing, compile and run the "ghba.c" program with the interface address as the argument (e.g. "ghba 192.168.1.1"); it will display the canonical host name for an address.

If the canonical host name is not fully-qualified, now would be a good time to change this. Strictly speaking, one could configure Globus to use an unqualified host name for Globus and its certificates, however that would require all clients to resolve the address to its unqualified form (e.g., through an entry in the "/etc/hosts" file). And, managing the host list would likely prove unwieldy as more nodes are added to a grid.

Configuring Globus on a multi-homed host

Build the Globus Toolkit from source or binary bundles following the instructions available from Globus. After the build completes:
  • Set the $GLOBUS_HOSTNAME environment variable to the GCHN (as determined above): 
        (sh)  $ GLOBUS_HOSTNAME=host.dom.ain; export GLOBUS_HOSTNAME
    (csh) % setenv GLOBUS_HOSTNAME host.dom.ain
    Then run either "make install" (for GT4) or the Globus post-install script (for GT2). Setting this environment variable is necessary because many configuration files created during the post-install process have hardcoded host names (e.g., some job managers and MDS configuration files). By setting $GLOBUS_HOSTNAME before the installation step, these hardcoded host names will be correctly initialized to the GCHN.
  • Request the Host and LDAP certificates, being sure to use the GCHN.
  • Use env(1) to set $GLOBUS_HOSTNAME for Globus services launched out of inetd(8). For example: 
        gsiftp stream tcp nowait root /usr/bin/env \
       env GLOBUS_HOSTNAME=host.dom.ain LD_LIBRARY_PATH=/globus/active/gtk/lib \
       /globus/active/gtk/sbin/globus-gridftp-server -i
  • Follow the Globus configuration instructions (add ports to "/etc/services", etc.).
  • Ensure that local users set $GLOBUS_HOSTNAME to the GCHN before running any applications.
  • Globus should now function on the multi-homed host (but not yet on an XC Cluster, TruCluster or AlphaServer SC). Any messages coming from Globus utilities of the form: 
        GRAM Job submission failed because authentication failed:
        Unexpected Gatekeeper or Service Name
        Mutual authentication failed 
    Expected target subject name= [...]
    Target returned subject name= [...]
    indicate the wrong host name was used in one of the preceding steps.
About PDF files: The PDF files on this site can be read online or printed using Adobe® Acrobat® Reader. If you do not have this software on your system, you may download it from Adobe's website. 
Version imprimable
Respect de la vie privée L'utilisation de ce site implique que vous en acceptez les conditions
© 2008 Hewlett-Packard Development Company, L.P.