- What are Globus Connect Personal and Globus Connect Server?
- What is an "endpoint"?
- How can I create an endpoint?
- How do I create an endpoint on Amazon S3?
- Are transfers between Globus Connect Personal endpoints possible?
- How does Globus Connect Personal work?
- What can I do if my endpoint does not support timestamp preservation?
- Can I force encryption on an endpoint?
- What does "You are not an admin of the MyProxy Delegation Service" mean?
- How do I fix Globus Connect Server version 4 file permission errors?
- Does Globus Connect Server version 4 require an X.509 certificate to be installed?
- Can I use a different PAM module for authenticating users to Globus Connect Server endpoint?
- How do I manage roles on my endpoint?
- How can I set a custom home directory for my Globus Connect Server version 4 endpoint?
- What is the Console?
Globus Connect is easy-to-install, pre-configured software that turns your laptop, server, cluster or other local resource into a Globus endpoint.
There are two versions of Globus Connect, one for use with personal machines such as your laptop, and another for use with server-class machines such as campus computing clusters and lab servers.
Globus Connect Personal is used to create an endpoint on a single-user system, e.g. on a laptop or a personal desktop machine. We sometimes refer to this as a "personal endpoint". Use Globus Connect Personal to enable file transfer to and from your personal machine (laptop or desktop.) A Globus Connect Personal endpoint is intended to be used only by a single user.
Globus Connect Server is used to create an endpoint on a multi-user system, e.g. on a campus HPC cluster or a lab server. We sometimes refer to this as a "server endpoint". Globus Connect Server enables system administrators to turn shared resources such as campus clusters and lab servers into a Globus endpoint. If it is made publicly visible, a Globus Connect Server endpoint can be used by multiple Globus users.
An "endpoint" is one of the two file transfer locations – either the source or the destination – between which files can move. Once a resource (server, cluster, storage system, laptop, or other system) is defined as an endpoint, it will be available to authorized users who can transfer files to or from this endpoint.
Globus endpoints are named using the following format:
<globus-username>#<endpoint-name>. For example, the XSEDE project has a Globus account under the username "xsede" and so it’s endpoints are named
xsede#stampede (for the Stampede system at Texas Advanced Computing Center) and
xsede#kraken (for the Kraken system at the National Institute for Computational Sciences). Likewise, an individual that has a Globus account under the username "maxim" might have a personal endpoint called
If you wish to create an endpoint on a personal machine (laptop, personal desktop computer, etc.) please see the instructions for setting up a Globus Connect Personal endpoint here: Mac OS X, Windows, Linux.
If you are setting up an endpoint on a multi-user machine (e.g. HPC cluster, lab server, etc.) please follow the instructions in the Globus Connect Server Installation Guide.
Instructions for setting up an S3 endpoint are available here. Please note that S3 endpoints require a Globus subscription - if you’re not a current Globus subscriber, please complete this form to start your free one-month trial, which will allow you to experiment with and test all Globus premium features.
Yes. To transfer between two Globus Connect Personal (GCP) endpoints, one of the users must create a share hosted on their GCP endpoint, then grant the other user(s) access to that share. Any user that has access to that share (via an individual permission or group permission ACL) can transfer between it and their GCP endpoint. To create a share, the GCP endpoint needs to be created by a user who is in a Globus Plus group, or it has to be an actual managed endpoint, set by a subscription manager. Your account may be upgraded to Globus Plus if your institution subscribes to a Globus subscription.
Globus Connect Personal communicates with the Globus service to receive the commands needed to perform and manage transfers. File data itself is always transferred directly between the Globus Connect Personal endpoint and the destination endpoint – data does not "flow through" Globus in any way.
In the event that you see an error like this - Message: This server version does not support timestamp preservation, follow the steps below.
Cancel your job and restart it without the timestamp preservation option.
Also, restart with the 'Transfer & Timer Options' setting:
Globus Connect Server version 5 Endpoint
$ globus-connect-server collection update --force-encryption $MY_COLLECTION_ID
When the 'force encryption' option is set on a mapped collection, all guest collections backed by that mapped collection will also force encryption for transfers.
If a Globus Connect Server version 5 endpoint has High Assurance storage gateways, then all collections backed by those storage gateways will force encryption on all transfers.
Globus Connect Personal and Globus Connect Server version 4 Endpoint
The administrator of a Globus Connect Personal or Globus Connect Server version 4 endpoint can force encryption for their endpoint in two different ways:
Look the endpoint up in the collections page in the Globus web interface, click the endpoint, click the 'edit attributes' button in the Overview tab, and then select 'yes' for the 'force encryption' option.
The administrator of the endpoint can use the endpoint modify command in the Command Line Interface (CLI) to force encryption. See documentation for the update command. Example:
$ globus endpoint update --force-encryption $MY_ENDPOINT_ID
When the 'force encryption' option is set on an endpoint, all shares hosted on that endpoint will also force encryption for transfers.
To only force encryption on specific shares on an endpoint, simply leave the 'force encryption' option set to 'no' for the endpoint itself, and then enable the 'force encryption' option for the particular share(s) in question using the same two methods discussed above.
This error message occurs if you run the
globus-connect-servser-web-setup command multiple times using different Globus usernames. As a workaround to get rid of this error, run this command as root, and then rerun the setup script:
$ rm /var/lib/myproxy-oauth/myproxy-oauth.db
If you are not using an OAuth server in your configuration (if you are using, for example,
IdentityMethod = MyProxy in your configuration), you can disable the OAuth server by commenting out the
Server = %(HOSTNAME)s line in the [OAuth] section of the configuration file.
If you experience issues with Globus Connect Server version 4 related to file permissions, e.g. 500-globus_sysconfig: File has bad permissions: Could not read /var/lib/globus-connect-server/grid-security/certificates, ensure that your Globus Connect Server installation has the correct permissions set. /var/lib/globus-connect-server should have the following permissions:
755 root.root /var/lib/globus-connect-server 755 root.root /var/lib/globus-connect-server/gridftp.d 755 root.root /var/lib/globus-connect-server/myproxy.d 755 root.root /var/lib/globus-connect-server/grid-security 755 root.root /var/lib/globus-connect-server/grid-security/certificates 700 root.root /var/lib/globus-connect-server/myproxy-ca 700 root.root /var/lib/globus-connect-server/myproxy-ca/private 700 root.root /var/lib/globus-connect-server/myproxy-ca/newcerts 700 root.root /var/lib/globus-connect-server/myproxy-ca/certs 700 root.root /var/lib/globus-connect-server/myproxy-ca/store 700 root.root /var/lib/globus-connect-server/myproxy-ca/crl
The files in /var/lib/globus-connect-server/grid-security/certificates should all have permissions set to 644.
If you have configured a Globus Connect Server version 4 endpoint and have selected the MyProxy identity provider option for use with your endpoint, then your endpoint will be running two key components: a GridFTP server and a MyProxy server. By default, certificates for both of these components are automatically installed so there is no need to add or configure X.509 certificates separately. You may choose to configure Globus Connect Server to use a certificate other than the default one installed. Please refer to the Globus Connect Server configuration section to see how that can be set up.
If you install Globus Connect Server and select the MyProxy OAuth option, an additional component is installed, namely an OAuth server (either on an existing web server or as part of a new Apache server installation). In this instance, you will need a certificate to be installed on the Apache server and this certificate should be issued by a Certificate Authority (CA) that is automatically trusted by the browser.
Globus Connect Server version 5 Endpoint
The Globus OIDC server (which is an optional identity provider option for Globus Connect Server version 5) will use the PAM
login service by default, but can be configured to use a different PAM service if desired. We discuss how to configure the Globus OIDC server to use a different PAM service in our doc here.
Globus Connect Server version 4 Endpoint
By default, when configured to use the MyProxy identity provider, Globus Connect Server uses the same PAM module as the
login command on your server. If you would like to use a different PAM module for authenticating Globus users to the endpoint, you can edit the
/var/lib/globus-connect-server/myproxy-server.conf file and modify the
pam_id parameter. For example, you can set
sshd for it to use the same PAM module used by SSH.
You can also create a completely new PAM configuration for Globus Connect Server use and place the file in
Note that the
/var/lib/globus-connect-server/myproxy-server.conf file is overwritten when you run a setup command execution, and you will need to manually update the file.
The Globus web app provides an interface to manage roles on the endpoint on the Endpoints page. You can see a description of the supported roles here. Once you select your endpoint, you can choose the Roles tab to grant/revoke various roles on the endpoint.
Note that your endpoint needs to be covered under a subscription as managed endpoint to be able to set roles on the endpoint.
You can also use the Transfer API to manage roles on an endpoint.
On a Globus Connect Server version 4 endpoint, the
/~/ path translates to the home directory of the local user mapped to by the activation credentials of the Globus user accessing the endpoint. By default, the
/~/ path will map to the home directory for the local user as reported by the operating system. It is possible to override this behavior using the
home_dir GridFTP option, so as to make the
/~/ path translate to a path other than the user’s home directory as reported by the operating system. The
home_dir GridFTP option respects the
$USER variable, which translates as the username of the local user mapped to by the activation credentials of the Globus user accessing the endpoint.
For example, let’s say that the system hosting our endpoint has a path
/data/project/, which contains sub-directories with names that match the usernames of their owners. Let’s also say that the home directories for users on this system are located under
/home/. Let’s then say that we want to configure our endpoint to use a custom home directory, such that the
/~/ path will map to the user’s sub-directory in the
/data/project/ path. To do this, we could create a custom GridFTP config file in the
/etc/gridftp.d/ directory specifying the following:
$ cat > /etc/gridftp.d/custom-home-dir home_dir /data/project/$USER <Ctrl-d>
The Console provides a web interface for Administrators, Activity Managers, and Activity Monitors to monitor or manage activity on managed collections. It also allows Administrators to find and edit (managed and unmanaged) GCSv5 endpoints.
The Dashboard tab includes an interactive, graphical representation of activity across all of your managed collections where green represents transfers that are making progress (or queued), orange represents transfers that are paused, and red represents tasks that are being retried because of errors. The Dashboard tab also includes a list of all your managed collections. GCSv5 endpoints do not appear on the Dashboard tab because they do not support data access. If you have a role on a mapped collection, you can view the activity of any guest collections by selecting the funnel icon of the mapped collection.
The Activity tab can be used to view and manage active tasks across all of your managed collections. Completed tasks may also be viewed in the Activity tab on a per collection basis. Tasks are visible for ninety days after completion and event logs are visible thirty days after task completion.