GridFTP

Category: Program Dev-Data Movement

Description

GridFTP is a high-performance, secure, reliable data transfer protocol optimized for high-bandwidth wide-area networks. It is based upon the Internet FTP protocol, and it implements extensions for high-performance operation.

GridFTP uses basic Grid security on both control (command) and data channels. Other features include multiple data channels for parallel transfers, partial file transfers, third-party (direct server-to-server) transfers, reusable data channels, and command pipelining.

Use

To use GridFTP, you must have a "certificate". We first show how you use GridFTP assuming you have a certificate. Then we show how to obtain certificates.

Using GridFTP

The client that NICS supports for GridFTP is globus-url-copy. The URL for the NICS GridFTP is gridftp.nics.teragrid.org. A listing of other GridFTP servers around the TeraGrid can be found here.

For example, to copy everything in Joe's directory on a Lustre file system to the corresponding directory on the XT5, use the following command:

 % globus-url-copy -r \
    gsiftp://gridftp-co.ncsa.teragrid.org:2811/joe/ \
    gsiftp://gridftp.nics.teragrid.org/lustre/scratch/joe/

Note that the trailing forward slashes are required for directories. If the -r (recursive) flag is omitted and a directory is being transferred, the files in that directory will be transferred, but not the files in subdirectories.

You may also use GridFTP via uberftp, either one-liners or interactively. The syntax of uberftp is very similar to sftp.

Get a certificate

Certificates can be handled locally or remotely. For one-time use, it is generally easier to use the myproxy server method. However, if you are routinely signing in from the same computer, it is probably worthwhile to set up a local grid certificate.

Using the MyProxy Server ("Remote Method")

First, make sure the Globus toolkit is in your path (to check, try which myproxy-init). On Kraken, you must load the Globus module:

 kraken> module load globus

Other sites may have it loaded by default, or by a different mechanism. Now you can get a proxy certificate from the main myproxy server:

 kraken> myproxy-logon [-l TG_Portal_Username]
 Enter MyProxy pass phrase: 
 A credential has been received for user userjd in /tmp/x509up_u000.

By default, myproxy-logon uses your current username. You must specify your TeraGrid Portal username if it is different. For your pass phrase, enter your TeraGrid Portal password. This credential is only valid for 12 hours by default, though this may be lowered with the -t flag.

Using a Local Grid Certificate ("Local Method")

Getting the Grid Certificate: Once a Year

This method requires that you create a Grid Certificate. This may be used to create proxy certificates, and is valid for a year.

userjd@local:~> ssh userjd@tg-login.ncsa.teragrid.org
[...]
userjd@ncsa:~> ncsa-cert-request
To continue, please enter the NCSA Kerberos password for userjd: 
For increased security, your NCSA default password is also needed.
To continue, please enter the NCSA default password for userjd: 
[...]
Please enter your private key encryption passphrase: 
Verifying private key passphrase, please reenter passphrase: 

Your "NCSA default password" is as it appears on the password sheet you received when first receiving a TeraGrid account—this also had your initial Portal password. When you set your "private key encryption passphrase," note that it must be at least 12 characters.

You should now have a .globus folder with your grid certificate. You need to put this on the machine you wish to log in from, Kraken in this instance. This machine must have Grid capabilities.

userjd@ncsa:~> scp -r \
    ~/.globus userjd@kraken-pwd.nics.teragrid.org:~/.globus

Creating the Proxy Certificate: Every Time

Now log in to the machine you wish to log in from. Make sure the Globus tools are in the path, and enter the following:

userjd@some:~> grid-proxy-init
Your identity: [...]
Enter GRID pass phrase for this identity:
Creating proxy ............................. Done
Your proxy is valid until: [...]

Enter the 12+ character passphrase you chose when creating the cert, and you should be good to connect to TeraGrid sites without further passwords for the duration of the proxy.

Using the Globus Utilities

Managing Certificates

Proxy certificates are usually valid for 12 hours. If you finish early, it is a good practice to remove the proxy certificate using grid-proxy-destroy. To check a proxy certificate, use grid-proxy-info, or to check a grid certificate, use grid-cert-info. In general, myproxy-* commands communicate with the myproxy server, grid-proxy-* commands deal with your proxy certificate, and grid-cert-* commands deal with your local grid certificate.
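
The following pre-flight wrapper is an added example, not part of the original NICS documentation: it refuses to start a recursive globus-url-copy unless both directory URLs end in a slash and the current proxy outlives the expected transfer time. The function names and the PROXY_INFO variable are hypothetical; grid-proxy-info -timeleft reports the seconds of validity remaining.

```shell
#!/bin/sh
# Added example: checks to run before a long recursive GridFTP transfer.
# PROXY_INFO is a hypothetical override so the checks can be exercised
# on a machine without the Globus tools; it defaults to grid-proxy-info.
PROXY_INFO=${PROXY_INFO:-grid-proxy-info}

# Print the seconds of validity left on the current proxy, 0 if none.
proxy_seconds_left() {
    left=$($PROXY_INFO -timeleft 2>/dev/null) || left=0
    case $left in
        ''|*[!0-9]*) left=0 ;;  # no proxy, negative value, or odd output
    esac
    echo "$left"
}

# Succeed only if the proxy is valid for at least $1 more seconds.
proxy_covers() {
    [ "$(proxy_seconds_left)" -ge "$1" ]
}

# Directory arguments must be gsiftp:// URLs that end in "/".
is_dir_url() {
    case $1 in
        gsiftp://*/) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_copy SRC_DIR_URL DST_DIR_URL MIN_PROXY_SECONDS
# Returns 2 for a malformed URL, 3 for a missing or short-lived proxy.
safe_copy() {
    is_dir_url "$1" || { echo "source must be gsiftp://.../ with trailing slash" >&2; return 2; }
    is_dir_url "$2" || { echo "destination must be gsiftp://.../ with trailing slash" >&2; return 2; }
    proxy_covers "$3" || { echo "proxy missing or expires too soon; renew it first" >&2; return 3; }
    globus-url-copy -r "$1" "$2"
}
```

A caller would run safe_copy with the two directory URLs and a time budget in seconds, then grid-proxy-destroy once the transfer has finished.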

GSISSH

This is OpenSSH, which has been modified to use the security described above. If grid-proxy-info shows that you have a proxy, you should be able to connect to any gsissh-enabled machine. Note that not every target supports gsissh: kraken-pwd (tg-login-pwd) does support it, but kraken, login, and verne at NICS only accept OTP authentication. If GSI authentication fails, gsissh will fall back to standard keyboard-interactive authentication.

  ncsa> gsissh kraken-pwd.nics.teragrid.org

It is not necessary to specify a username; your proxy identity is automatically mapped to the username on the machine you are trying to access.

Using GridFTP

You now have the required proxy certificate and can use GridFTP. The client that NICS supports for GridFTP is globus-url-copy. The URL for the NICS GridFTP is gridftp.nics.teragrid.org. A listing of other GridFTP servers around the TeraGrid can be found here.

Support

This package has the following support level: Supported

Available Versions

All versions of this software are provided by the system vendor and are not installed by NICS staff.