Configuring the GridFTP.NET Server
Towards the end of the GridFTP installation process, the GridFTP Configuration Tool will be run automatically. These instructions will help you use this tool to configure your GridFTP server. If at any time after installing the GridFTP server you wish to change its configuration, you can do so by running the GridFTPConfig.exe program located in the Bin sub-directory of the directory where GridFTP was installed and again following these instructions.

The configuration tool sets parameters in a configuration file named dotNetGridFTPServiceConfiguration.xml which resides in a system directory (usually something like %SYSTEMROOT%\system32, most commonly C:\Windows\system32). The configuration file can be inspected or edited by hand if needed, but the configuration tool is recommended as it is easier to use.

Here is a description of the .NET GridFTP server settings you can configure with the configuration tool:

Host Cert: The host certificate the server should use. This is required for GridFTP’s GSI authentication, which is based on PKI and SSL. Clicking the Select button will bring up the Certificate Selection Dialog which lets you choose a certificate from the Windows Certificate Store to use as the host certificate:
Depending on where the certificate you want to use resides, you might need to change the Certificate Location and Store Name settings. Local Machine/Personal is the most common location for host certificates. For instructions on importing a host certificate into the store, click here.
The certificate you select as the host certificate must have an associated private key and the private key must be marked ‘exportable’ for GridFTP to be able to use it. If there is a problem with the host certificate you selected, this will be indicated below the subject name in the Configuration Tool:
If you do not see an error message, it is a good indication that the selected certificate will work with the server.
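The following PowerShell script is an added example and is not part of the GridFTP.NET documentation or tool. It walks the Local Machine / Personal store (the Cert:\LocalMachine\My drive) and reports, for each certificate, the two properties the Configuration Tool checks for a host certificate: an associated private key and a private key marked exportable. It also flags an expired certificate, since such a certificate cannot be used for SSL. The function name Test-GridFtpHostCertificate is invented for this example; the .NET and PowerShell APIs it calls are standard.

```powershell
# Added example, not part of the GridFTP.NET documentation.
# Reports whether each certificate in Local Machine / Personal meets the host
# certificate requirements: private key present and marked exportable.

function Test-GridFtpHostCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $report = [ordered]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        HasPrivateKey = $Certificate.HasPrivateKey
        KeyStorage    = 'none'
        Exportable    = $false
        Problem       = $null
    }

    if (-not $Certificate.HasPrivateKey) {
        $report.Problem = 'no associated private key'
        return [pscustomobject]$report
    }

    try {
        # RSA keys only; returns $null for other algorithms (for example ECDSA).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    }
    catch {
        # Typically access denied: the key exists but the current user cannot open it.
        $report.Problem = "private key not accessible: $($_.Exception.Message)"
        return [pscustomobject]$report
    }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI (CSP) key container: exportability is a container flag.
        $report.KeyStorage = 'CSP'
        $report.Exportable = $rsa.CspKeyContainerInfo.Exportable
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: exportability is expressed through the key's ExportPolicy flags.
        $report.KeyStorage = 'CNG'
        $allowExport = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
        $report.Exportable = (([int]$rsa.Key.ExportPolicy -band $allowExport) -ne 0)
    }
    else {
        $report.Problem = 'not an RSA private key; exportability not checked by this script'
        return [pscustomobject]$report
    }

    if (-not $report.Exportable) {
        $report.Problem = 'private key is not marked exportable'
    }
    elseif ($Certificate.NotAfter -lt (Get-Date)) {
        $report.Problem = 'certificate has expired'
    }
    return [pscustomobject]$report
}

# Run from an elevated prompt so that machine-store private keys can be opened.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-GridFtpHostCertificate -Certificate $_ } |
    Format-Table Subject, KeyStorage, HasPrivateKey, Exportable, Problem -AutoSize
```

A certificate with an empty Problem column is the one to pick in the Certificate Selection Dialog; a row reporting a missing or non-exportable private key corresponds to the error the Configuration Tool shows below the subject name.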
Authorization Type: GridFTP.NET supports a number of different authorization mechanisms through the Authorization Handler Framework, whose parameters can be set using the GridFTP Configuration Tool. We recommend the use of the GridMap authorization type. You can configure your GridMap authorization system based on how you want your GridFTP server to be used. Follow the instructions for the scenario that most closely resembles the way in which you wish to use your GridFTP server.
· I want to expose a portion of my disk for read-only access by authorized clients
o First, create a GridMap file containing the Distinguished Names (DNs) of all clients that you wish to authorize, one per line.
o NOTE: This file should not be placed in the Server Root directory because this may allow it to be read or modified by GridFTP users.
o This file must be readable by the 'Network Service' account - to do this, navigate to the file in Windows Explorer and right click on it. Then select "Properties" and click on the "Security" tab. Click the "Add" button and type "Service" (without the quotes) into the box labeled "Enter the object names to select (examples):". Click the "Check Names" button and the word "Service" should now be underlined. Then click "OK" and you will go back to the main security tab. With the "SERVICE" line selected in the "Group or user names" (upper) part of the window, check that the "Read" box is checked in the "Allow" column in the "Permissions for SERVICE" (lower) part of the window. Finally, click "OK".
o Now click the “Browse” button next to the box labeled “Grid Map” and navigate to the file you just created. Once you have selected that file hit “OK” and the file’s name and path should appear in the “Grid Map” box.
o If you wish to have a log of the authorization decisions made by your GridFTP server, click the “Browse” button next to the “Authorization Log” box and navigate to the file you wish to append with this information.
o NOTE: This file should not be placed in your Server Root directory or its potentially sensitive information may be visible to GridFTP users.
o The log file must be both readable and writable by the ‘Network Service’ account - to do this, navigate to the file in Windows Explorer and right click on it. Then select "Properties" and click on the "Security" tab. Click the "Add" button and type "Service" (without the quotes) into the box labeled "Enter the object names to select (examples):". Click the "Check Names" button and the word "Service" should now be underlined. Then click "OK" and you will go back to the main security tab. With the "SERVICE" line selected in the "Group or user names" (upper) part of the window, check that the "Read" box and the “Write” box are checked in the "Allow" column in the "Permissions for SERVICE" (lower) part of the window. Finally, click "OK".
o Check both the “Configure GridFTP root directory for read only access” box and the “Use default GridFTP user account to access files” box below the “Authorization Log”.
o Click the “Finish” button.
o NOTE: All accesses to your GridFTP server’s root directory will be made under the Windows account named “Network Service” – a low privilege account typically used for remote access on Windows machines. The GridFTP Configuration tool will set the permissions on the GridFTP Server’s root directory to allow read-only access to this account. Any files created in this directory will inherit these permissions.
o NOTE: In this configuration, remote users will not be allowed to upload data to your GridFTP server.
· I want to expose a portion of my disk for read/write access by authorized clients
o First, create a GridMap file containing the Distinguished Names (DNs) of all clients that you wish to authorize, one per line.
o NOTE: This file should not be placed in the Server Root directory because this may allow it to be read or modified by GridFTP users.
o This file must be readable by the 'Network Service' account - to do this, navigate to the file in Windows Explorer and right click on it. Then select "Properties" and click on the "Security" tab. Click the "Add" button and type "Service" (without the quotes) into the box labeled "Enter the object names to select (examples):". Click the "Check Names" button and the word "Service" should now be underlined. Then click "OK" and you will go back to the main security tab. With the "SERVICE" line selected in the "Group or user names" (upper) part of the window, check that the "Read" box is checked in the "Allow" column in the "Permissions for SERVICE" (lower) part of the window. Finally, click "OK".
o Now click the “Browse” button next to the box labeled “Grid Map” and navigate to the file you just created. Once you have selected that file hit “OK” and the file’s name and path should appear in the “Grid Map” box.
o If you wish to have a log of the authorization decisions made by your GridFTP server, click the “Browse” button next to the “Authorization Log” box and navigate to the file you wish to append with this information.
o NOTE: This file should not be placed in your Server Root directory or its potentially sensitive information may be visible to GridFTP users.
o The log file must be both readable and writable by the ‘Network Service’ account - to do this, navigate to the file in Windows Explorer and right click on it. Then select "Properties" and click on the "Security" tab. Click the "Add" button and type "Service" (without the quotes) into the box labeled "Enter the object names to select (examples):". Click the "Check Names" button and the word "Service" should now be underlined. Then click "OK" and you will go back to the main security tab. With the "SERVICE" line selected in the "Group or user names" (upper) part of the window, check that the "Read" box and the “Write” box are checked in the "Allow" column in the "Permissions for SERVICE" (lower) part of the window. Finally, click "OK".
o Check the “Use default GridFTP user account to access files” box below the “Authorization Log” and make sure the “Configure GridFTP root directory for read-only access” box is *UNCHECKED*.
o Click the “Finished” button.
o NOTE: All accesses to your GridFTP server’s root directory will be made under the Windows account named “Network Service” – a low privilege account typically used for remote access on Windows machines. The GridFTP Configuration tool will set the permissions on the GridFTP Server’s root directory to allow read/write access to this account. Any files created in this directory will inherit these permissions.
· I want remote clients to access files on a portion of my disk using local Windows accounts, and therefore using the local file system’s file permissions
o First, create a GridMap file containing, for each authorized client, the Distinguished Name (DN) of that client and the username and password of the local Windows account that you would like that remote user to run as.
o NOTE: This file should not be placed in the Server Root directory because this may allow it to be read or modified by GridFTP users.
o This file must be readable by the 'Network Service' account - to do this, navigate to the file in Windows Explorer and right click on it. Then select "Properties" and click on the "Security" tab. Click the "Add" button and type "Service" (without the quotes) into the box labeled "Enter the object names to select (examples):". Click the "Check Names" button and the word "Service" should now be underlined. Then click "OK" and you will go back to the main security tab. With the "SERVICE" line selected in the "Group or user names" (upper) part of the window, check that the "Read" box is checked in the "Allow" column in the "Permissions for SERVICE" (lower) part of the window. Finally, click "OK".
o Now click the “Browse” button next to the box labeled “Grid Map” and navigate to the file you just created. Once you have selected that file hit “OK” and the file’s name and path should appear in the “Grid Map” box.
o If you wish to have a log of the authorization decisions made by your GridFTP server, click the “Browse” button next to the “Authorization Log” box and navigate to the file you wish to append with this information.
o NOTE: This file should not be placed in your Server Root directory or its potentially sensitive information may be visible to GridFTP users.
o The log file must be both readable and writable by the ‘Network Service’ account - to do this, navigate to the file in Windows Explorer and right click on it. Then select "Properties" and click on the "Security" tab. Click the "Add" button and type "Service" (without the quotes) into the box labeled "Enter the object names to select (examples):". Click the "Check Names" button and the word "Service" should now be underlined. Then click "OK" and you will go back to the main security tab. With the "SERVICE" line selected in the "Group or user names" (upper) part of the window, check that the "Read" box and the “Write” box are checked in the "Allow" column in the "Permissions for SERVICE" (lower) part of the window. Finally, click "OK".
o DO NOT check either of the check boxes below “Authorization Log”.
o Click the “Finished” button.
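The file-permission steps and the Server Root notes are the same in all three scenarios above. The PowerShell script below is an added example, not part of the GridFTP.NET documentation or tool, that performs the same work from a script instead of the Explorer dialogs: it refuses to proceed if the GridMap file or authorization log lies under the Server Root, grants the GridMap file Read access and the log Read and Write access, and reads the resulting ACL back so the grant can be verified. It assumes the account to grant is the 'Network Service' account the text names (NT AUTHORITY\NETWORK SERVICE); the Explorer procedure above grants to whichever principal the "Check Names" step resolves, so confirm that the identity you grant matches the one the server runs as. The function names and the file paths are invented for the example.

```powershell
# Added example, not part of the GridFTP.NET documentation.
# Grants the GridMap file and authorization log the access the instructions
# require and verifies that neither file is located under the Server Root.

# Account assumed from the text ('Network Service'); adjust if your server
# runs under a different identity.
$Account = 'NT AUTHORITY\NETWORK SERVICE'

function Test-OutsideServerRoot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ServerRoot
    )
    # Normalise both paths so "..\" segments and mixed separators cannot hide
    # a file that actually lives inside the root.
    $full = [System.IO.Path]::GetFullPath($Path)
    $root = [System.IO.Path]::GetFullPath($ServerRoot).TrimEnd('\') + '\'
    return -not $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
}

function Grant-GridFtpFileAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [string]$Identity = $Account
    )
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # SetAccessRule replaces any existing Allow rule for this identity rather
    # than stacking a second one.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-GridFtpFileAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = $Account
    )
    # Read the ACL back and show only the entries for the service account.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Identity } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, AccessControlType
}

# Constructed placeholder paths; replace with the locations used on your server.
$ServerRoot = 'C:\GridFTPRoot'
$GridMap    = 'C:\GridFTPConfig\gridmap'
$AuthLog    = 'C:\GridFTPConfig\authorization.log'

foreach ($file in @($GridMap, $AuthLog)) {
    if (-not (Test-OutsideServerRoot -Path $file -ServerRoot $ServerRoot)) {
        throw "$file is inside the Server Root $ServerRoot; move it before granting access"
    }
}

# The log is appended to by the server, so create it if it does not exist yet.
if (-not (Test-Path -LiteralPath $AuthLog)) {
    New-Item -ItemType File -Path $AuthLog | Out-Null
}

Grant-GridFtpFileAccess -Path $GridMap -Rights Read
Grant-GridFtpFileAccess -Path $AuthLog -Rights 'Read, Write'

Get-GridFtpFileAccess -Path $GridMap
Get-GridFtpFileAccess -Path $AuthLog
```

Run the script from an elevated prompt. The two Get-GridFtpFileAccess lines at the end should list an Allow entry for the service account with Read on the GridMap file and Read, Write on the log; anything beyond that (for example Modify or FullControl, or an entry for Everyone) means the file is more widely accessible than the instructions intend.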
The Authorization handler can be configured in several other ways including “Simple”, “SAML” and “XACML”. Documentation on each of these can be found here. If you find that you wish to use one of these other authorization modes, please contact us – we can help you with system configuration issues.

Now your GridFTP Server is running. Simply copy any data you wish into the GridFTP Server’s root directory and it will be available to remote clients.