Note: This version of the VDT (1.2.4) is no longer supported. Feel free to look through the documentation and install it, but we cannot guarantee support for it. The current stable release is 2.0.0.

Setting up CA files in VDT 1.2.4

VDT comes with a set of files for well-known CAs (Certificate Authorities). More specifically these files are public keys and signing policies for various CAs.Having public keys for certain CAs installed in an appropriate location (see below) allows you to authenticate against remote hosts and services certified by these CA's.

The VDT gives the user an option to install CA files into one of three locations:

1) /etc/grid-security/certificates (if user has access to these directories)
2) $VDT_LOCATION/globus/share/certificates
3) Don't install in any location

For example, during a typical installation the user will se the following question:

VDT typically installs public certificates and signing policy files 
for the well-known public CA's. This is necessary in order for you to 
perform GSI authentication with any remote Grid services (that have 
service/host certificates signed by these CA's).

For more information please refer to the Globus documentation:
http://www.globus.org/security/config.html

You have the following options on installing CA files:
    r (root)  - install into /etc/grid-security/certificates
        (existing CA files will be preserved)
    l (local) - install into $VDT_LOCATION/globus/share/certificates
    n (no)    - do not install

Notice that there are three options. How do you know which one to choose?

If you are installing the VDT as root and you intend for this to be the main Globus installation on your computer it makes sense to install the certificates in /etc/grid-security/certificates (the root option). Note that this option will only be available to users installing as "root".
If you will have multiple Globus installations and this will not be the installation used for the services (gatekeeper, gridftp, etc.) OR if you want to use the certificates from the current installation without overwriting your existing certificates in /etc/grid-security then you should choose the local option.
If you already have CA files installed into /etc/grid-security/certicicates (e.g. by a system administrator) and would like to use them instead choose the no option.

In either case, VDT does the following as part of installation of CA files (DOE-EDG-Certificates package)

Creates a symlink $VDT_LOCATION/globus/TRUSTED_CA to point to the true location of the certificates directory (based on user's choice discussed above)
Sets X509_CERT_DIR environment variable in the $VDT_LOCATION/setup.*sh files to point to $VDT_LOCATION/globus/TRUSTED_CA. This ensures that Globus components always use the trusted CAs' files from the VDT installation, provided, of course, that the user sources the corresponding setup.*sh file before using VDT components (as any good user should).