VDT comes with a set of files for well-known CAs (Certificate Authorities). More specifically, these files are public keys and signing policies for various CAs. Having public keys for certain CAs installed in an appropriate location (see below) allows you to authenticate against remote hosts and services certified by these CAs.
As of VDT 1.11.0, the VDT gives the user an option to install CA files into any directory. Common installation directories are:
/etc/grid-security/certificates (if user has access to these directories)
/nfs/certificates to share the certificates on NFS to worker nodes)
How do you know which one to choose?
/etc/grid-security/certificates. Note that this option will only be available to users installing as "root".
/etc/grid-security then you should choose the 'local' option.
/etc/grid-security/certificates (e.g. by a system administrator) and would like to use them, you will need to create a symlink from
$VDT_LOCATION/globus/TRUSTED_CA pointing at your certificates.
When the CA Certificates are installed, the VDT does the following as part of the install process:
$VDT_LOCATION/globus/TRUSTED_CA to point to the true location of the certificates directory (based on user's choice discussed above)
X509_CERT_DIR environment variable in the $VDT_LOCATION/setup.*sh files to point to $VDT_LOCATION/globus/TRUSTED_CA. This ensures that Globus components always use the trusted CAs' files from the VDT installation, provided, of course, that the user sources the corresponding setup.*sh file before using VDT components (as any good user should).
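
One way to audit the layout described above after an install, as an added example that is not part of the VDT: the function check_trusted_ca is hypothetical, and it assumes CA files use the Globus naming <hash>.0 for the CA certificate and <hash>.signing_policy for its signing policy.

```sh
#!/bin/sh
# Added example (not VDT code). Assumption: CA files use the Globus naming
# <hash>.0 (CA certificate) and <hash>.signing_policy (signing policy).

# check_trusted_ca VDT_LOCATION
# Prints one line per finding; returns 0 only when nothing failed.
check_trusted_ca() {
    link="$1/globus/TRUSTED_CA"
    rc=0

    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink"; return 1
    fi
    if [ ! -d "$link" ]; then
        echo "FAIL: $link does not resolve to a directory"; return 1
    fi
    real=$(cd -P "$link" && pwd -P) || return 1   # physical target directory

    # Globus components read X509_CERT_DIR, which setup.*sh points at the symlink.
    if [ "${X509_CERT_DIR:-}" != "$link" ]; then
        echo "FAIL: X509_CERT_DIR is '${X509_CERT_DIR:-}', expected $link"; rc=1
    fi

    # Whoever can write to this directory can add a trusted CA.
    if [ -n "$(find "$real" -prune \( -perm -002 -o -perm -020 \))" ]; then
        echo "FAIL: $real is group- or world-writable"; rc=1
    fi

    # Each CA certificate needs a non-empty signing policy beside it.
    n=0
    for cert in "$real"/*.0; do
        [ -e "$cert" ] || continue
        n=$((n + 1))
        if [ ! -s "${cert%.0}.signing_policy" ]; then
            echo "FAIL: no signing policy for ${cert##*/}"; rc=1
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no CA certificates found in $real"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $n CA certificate(s) in $real"; fi
    return "$rc"
}

# Usage: sh check_trusted_ca.sh "$VDT_LOCATION"   (after sourcing setup.sh)
if [ "$#" -gt 0 ]; then check_trusted_ca "$1"; fi
```

Run it in the same shell session that sourced the setup.*sh file, so that X509_CERT_DIR has the value Globus components will actually see.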