Configuring a Secure Globus Container

In order to run services securely over https, you must run a secure container. Running a secure container requires container credentials or a host certificate and corresponding private key. For the purposes of this tutorial we have provided a host certificate and private key which can be found in the certificates directory of the training distribution. The host certificate is contained in the file localhost-cert.pem and the private key is contained in the file localhost-key.pem. It should be noted that these credentials SHOULD NOT be used or accepted as valid credentials in a production environment, they are intended only for the purposes of this tutorial. Running a secure Globus container requires the creation of a security descriptor which tells Globus how to configure the default container and this includes the specification of the host certificate and private key. We have provided an example security descriptor for this tutorial, which can be found in the certificates directory of the training distribution in the file security-descriptor.xml. To start a secure Globus container, do the following:

Using a new command prompt, change to the Globus location directory and start up Globus. (If globus is already running, be sure to terminate it before you proceed with starting another one.)

%> cd %GLOBUS_LOCATION%\bin
%> globus-start-container.bat -containerDesc ..\..\certificates\security-descriptor.xml

If the command completes successfully, you should see the following output:

Starting SOAP server at: https://127.0.0.1:8443/wsrf/services/
With the following services:

[1]: https://127.0.0.1:8443/wsrf/services/AdminService
[2]: https://127.0.0.1:8443/wsrf/services/AuthzCalloutTestService
[3]: https://127.0.0.1:8443/wsrf/services/ContainerRegistryEntryService
[4]: https://127.0.0.1:8443/wsrf/services/ContainerRegistryService
[5]: https://127.0.0.1:8443/wsrf/services/CounterService
[6]: https://127.0.0.1:8443/wsrf/services/ManagementService
[7]: https://127.0.0.1:8443/wsrf/services/NotificationConsumerFactoryService
[8]: https://127.0.0.1:8443/wsrf/services/NotificationConsumerService
[9]: https://127.0.0.1:8443/wsrf/services/NotificationTestService
[10]: https://127.0.0.1:8443/wsrf/services/PersistenceTestSubscriptionManager
[11]: https://127.0.0.1:8443/wsrf/services/ResolutionService
[12]: https://127.0.0.1:8443/wsrf/services/SampleAuthzService
[13]: https://127.0.0.1:8443/wsrf/services/SecureCounterService
[14]: https://127.0.0.1:8443/wsrf/services/SecurityTestService
[15]: https://127.0.0.1:8443/wsrf/services/ShutdownService
[16]: https://127.0.0.1:8443/wsrf/services/SubscriptionManagerService
[17]: https://127.0.0.1:8443/wsrf/services/TestAuthzService
[18]: https://127.0.0.1:8443/wsrf/services/TestCounterService
[19]: https://127.0.0.1:8443/wsrf/services/TestEnumService
[20]: https://127.0.0.1:8443/wsrf/services/TestRPCService
[21]: https://127.0.0.1:8443/wsrf/services/TestService
[22]: https://127.0.0.1:8443/wsrf/services/TestServiceRequest
[23]: https://127.0.0.1:8443/wsrf/services/TestServiceWrongWSDL
[24]: https://127.0.0.1:8443/wsrf/services/TransferService
[25]: https://127.0.0.1:8443/wsrf/services/Version
[26]: https://127.0.0.1:8443/wsrf/services/WidgetNotificationService
[27]: https://127.0.0.1:8443/wsrf/services/WidgetService
[28]: https://127.0.0.1:8443/wsrf/services/cagrid/CaGridTutorialService
[29]: https://127.0.0.1:8443/wsrf/services/gsi/AuthenticationService

Note the https protocol and change of port to 8433 from the standard Globus startup.

Syncing with the Trust Fabric

Advanced Session

Registering for a Grid Account