<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I somewhat agree with Rachana that hosting them on esgf.org is not a
problem but we need some kind of governance on the info, before
making them available on the web. This includes more of policy
issues as well. One example is how a gateway is decided to be
trusted and included in the trusted list, as anyone can download and
install an ESG gateway/MyProxy server and generate a CA.<br>
<br>
<pre class="moz-signature" cols="72">-- Alex
</pre>
<br>
On 9/9/10 10:51 AM, Gavin M. Bell wrote:
<blockquote cite="mid:4C891E9F.6000100@llnl.gov" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
Hi Rachana, <br>
<br>
If we are looking for a place to house this information then, I
agree with Luca, that esgf.org is available and probably the most
amenable site for doing so. At the moment the issue is that Neill
would like the information hosted behind an https site
'somewhere', under that requirement - esgf.org is as good a place
as any, IMHO. Also, we can host that information from another
server here at LLNL, I am thinking the distribution machine here.
In the context of esgf, one scenario is that, we treat the key
storage, management and information (web page) in the same way we
treat the projects hosted there. This makes it easy to maintain,
etc..<br>
<br>
Neill, no worries, we can find a place for you (your stuff... our
certs). I guess what would be good to know is, how 'on fire' is
this request? I can make the spare cycles to make this happen for
you, but manage my expectations so I can give this the priority is
requires. Is there a due date you have in mind?<br>
<br>
<br>
On 9/9/10 7:14 AM, Rachana Ananthakrishnan wrote:
<blockquote
cite="mid:A4D2BCAE-58E5-4F40-ACB4-11F2C186DEC1@mcs.anl.gov"
type="cite">
<pre wrap="">Hi Luca,
This is the second time this has been referenced on this mailing list
- but there has not been any information on how this is governed, or
how to get access to the site? The site itself doesn't provide much
information on the intended purpose either. I am fine hosting it
there, provided we agree on some process for maintaining these, and
understand ownership when things are moved there.
Thanks,
Rachana
On Sep 9, 2010, at 9:07 AM, Cinquini, Luca (3880) wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Neill,
may I suggest again that this information be placed somewhere in
esgf.org ?
Thxs, luca
On Sep 9, 2010, at 8:01 AM, <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:neillm@mcs.anl.gov">"neillm@mcs.anl.gov"</a>
<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:neillm@mcs.anl.gov"><neillm@mcs.anl.gov></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello Estani,
I somehow missed your latest, my apologies. I'll have those
integrated as well as Stephen's shortly.
We are working on have a central place to store these, but it's not
resolved yet.
The requirement is that it be HTTPS accessible. If someone has
access to something like that, I'm all for moving the page there.
The document needs to be updated with each certificate that changes
and also the truststore needs to be regenerated, so I don't think
public FTP is the best option.
I do agree that a UofC Wiki is not the ideal final resting place
for this information though.
-Neill.
----- Original Message -----
From: "Estanislao Gonzalez" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:estanislao.gonzalez@zmaw.de"><estanislao.gonzalez@zmaw.de></a>
To: "stephen pascoe" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:stephen.pascoe@stfc.ac.uk"><stephen.pascoe@stfc.ac.uk></a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:neillm@mcs.anl.gov">neillm@mcs.anl.gov</a>, <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>, "philip kershaw" <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:philip.kershaw@stfc.ac.uk">philip.kershaw@stfc.ac.uk</a>
</pre>
<blockquote type="cite"> </blockquote>
<pre wrap="">Sent: Thursday, September 9, 2010 8:35:27 AM GMT -06:00 US/Canada
Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates
Hi all,
I see the trusted certificates are quiet old. I've already changed
them
as requested so that the naming scheme would be more ESG-conform, but
the certificates are still the older ones.
Would it be possible to upload the certificates somewhere? maybe a
pub ftp?
That way we could just upload the certificates if the were changed.
We
could later on delete the ones we don't require.
Thanks,
Estani
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:stephen.pascoe@stfc.ac.uk">stephen.pascoe@stfc.ac.uk</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Neil,
Updating our trustroots using your wiki page below I notice that the
esg-truststore.ks file is missing 2 of our certificates that are
in the
tarball esg_trusted_certificates-08-24-2010.tar.gz. These are
cf22df3a.0 and ece35fd4.0
I can guess how this happened. Phil provided PEM files containing
both
the certificate text and BEGIN CERTIFICATE sections. I've noticed
keytool fails unless PEM files only contain the BEGIN CERTIFICATE
block.
Those using esg-truststore.ks need to import the certificates into
the
keystore in order for it to work with BADC. One possible recipe is:
$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/
cf22df3a.0
</pre>
<blockquote type="cite">
<pre wrap="">cf22df3a_bare.0
</pre>
</blockquote>
<pre wrap="">$ keytool -import -keystore esg-truststore.ts -alias cf22df3a -file
cf22df3a_bare.0
$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/
ece35fd4.0
</pre>
<blockquote type="cite">
<pre wrap="">ece35fd4_bare.0
</pre>
</blockquote>
<pre wrap="">$ keytool -import -keystore esg-truststore.ts -alias ece35fd4 -file
ece35fd4_bare.0
I hope this can be reflected in esg-truststore.ks soon.
Cheers,
Stephen.
---
Stephen Pascoe +44 (0)1235 445980
British Atmospheric Data Centre
Rutherford Appleton Laboratory
-----Original Message-----
From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech-bounces@ucar.edu">go-essp-tech-bounces@ucar.edu</a>
[<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:go-essp-tech-bounces@ucar.edu">mailto:go-essp-tech-bounces@ucar.edu</a>] On Behalf Of <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:neillm@mcs.anl.gov">neillm@mcs.anl.gov</a>
Sent: 17 August 2010 22:42
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates
Hello,
According to the document here:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*www.*ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRo">http://*www.*ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRo</a>
ots
PCMDI, NCAR and ORNL still need to update their DNs to something
more
official. This is a CMIP5 blocker as far as I know.
-Neill.
----- Original Message -----
From: "Neill Miller" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:neillm@mcs.anl.gov"><neillm@mcs.anl.gov></a>
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>
Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada
Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates
Hello,
Has anyone made any progress on generating new CA certificates
without
default simpleCA DNs? Someone has already sent me new
certificates for
their site, so aside from that of course. Please let me know, or
send
me updated certs and I'll get them online as soon as I can.
thanks,
-Neill.
----- Original Message -----
From: "Neill Miller" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:neillm@mcs.anl.gov"><neillm@mcs.anl.gov></a>
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:asim@lbl.gov">asim@lbl.gov</a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>
Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada
Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates
Hello Alex,
It's a good thing to bring up actually. Each gateway that runs a CA
gets to more or less specify their DN to be anything they want.
Going
forward, it's important to name them something more appropriate. I
agree that it doesn't look good to have GlobusTest in the DN as
well (as
we've discussed this before), so there are at least 2 options to
consider here:
1) Allow everyone to get their gateway working as it is now (since
it's
not a functional thing, but a perception/cosmetic issue), or
2) Request that everyone start over with their CAs in order to fix
the
DN*.
Maybe Gavin (actually, Eric if I'm following correctly) could
describe
how this step is done and whether or not it's automated away? If
it's
automated and hidden from the user in the script, it's likely even
starting over won't change anything for most people.
*This is something that can be done without replacing the entire
gateway
stack. As a matter of fact, it's just a couple commands and then
tracking the proper certificates from there. If this second
option is
chosen, I can document what each Gateway needs to do in order to
remedy
the situation.
But I'd still like to know how this is done at the Gateway install
time
so that any NEW gateway installs won't have to do anything special
and
will have more valid looking (default) DNs.
Sound reasonable?
-Neill.
----- Original Message -----
From: "Alex Sim" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:asim@lbl.gov"><asim@lbl.gov></a>
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:neillm@mcs.anl.gov">neillm@mcs.anl.gov</a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>
Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada
Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates
I hate to bring this up again, but the DN format has to work out
without GlobusTest in it.
-- Alex
On 8/6/10 8:49 AM, <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:neillm@mcs.anl.gov">neillm@mcs.anl.gov</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello,
Thanks to everyone that has submitted their certificate
information!
</pre>
</blockquote>
<pre wrap="">At the moment, I have a list of MyProxy and OpenID trusted
certificates
listed here:
</pre>
<blockquote type="cite">
<pre wrap=""><a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*www.*ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrust">http://*www.*ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrust</a>
Roots
While this page is obviously not complete, please verify that the
</pre>
</blockquote>
<pre wrap="">certificates that you've sent appear in the listings. I'd like to
know
roughly how many more I should be expecting before moving on to
fill in
the other details as well, so if you know you haven't sent yours
in yet,
please let me know (off-list is fine).
</pre>
<blockquote type="cite">
<pre wrap="">thanks,
-Neill.
----- Original Message -----
From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:neillm@mcs.anl.gov">neillm@mcs.anl.gov</a>
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:go-essp-tech@ucar.edu">go-essp-tech@ucar.edu</a>
Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada
Central
Subject: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates
Hello,
As discussed on the call just now, I need all OpenID trust root
</pre>
</blockquote>
<pre wrap="">certificates in addition to the hostname of the machine.
</pre>
<blockquote type="cite">
<pre wrap="">For anyone that has already submitted theirs (i.e. Luca, Phil), if
</pre>
</blockquote>
<pre wrap="">there are helpful commands that you can share with others, please
do so
in follow-up to this.
</pre>
<blockquote type="cite">
<pre wrap="">A helpful page that shows commands for working with your java
</pre>
</blockquote>
<pre wrap="">key/trust store is here:
</pre>
<blockquote type="cite">
<pre wrap=""><a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*www.*sslshopper.com/article-most-common-java-keytool-keystore-co">http://*www.*sslshopper.com/article-most-common-java-keytool-keystore-co</a>
mmands.html
I also need everyone managing a MyProxy CA to send me their CA
</pre>
</blockquote>
<pre wrap="">certificates. If you're running a MyProxy CA, there are 2 simple
ways
to find out which certs are needed (please pick one, not both):
</pre>
<blockquote type="cite">
<pre wrap="">1) Login to the MyProxy CA host and run "ls -al ~/.globus/
simpleCA/"
</pre>
</blockquote>
<pre wrap="">as the user that runs the CA.
</pre>
<blockquote type="cite">
<pre wrap="">In this listing, you'll see a file called
</pre>
</blockquote>
<pre wrap="">"globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a
hash
of the CA certificate. Please send the files
/etc/grid-security/certificates/XXXXXXXX.0 and
/etc/grid-security/certificates/XXXXXXXX.signing_policy as well as
the
hostname of the CA machine.
</pre>
<blockquote type="cite">
<pre wrap="">2) Another method of finding which cert to send is to run the
</pre>
</blockquote>
<pre wrap="">"grid-default-ca" program:
</pre>
<blockquote type="cite">
<pre wrap="">--------------------------------------------------------------------
$GLOBUS_LOCATION/bin/grid-default-ca
The available CA configurations installed on this host are:
Directory: /etc/grid-security/certificates
1) 0ba75d15 -
/O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/
CN=Globus
</pre>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Simple CA
2) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate
Authorities/CN=DOEGrids CA 1
3) 3de8c5e9 -
/O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/
CN=Globus
Simple CA
4) 519bfbae -
/O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/
CN=Globus
Simple CA
5) 6349a761 - /O=DOE Science Grid/OU=Certificate
Authorities/CN=Certificate Manager
6) 9388e5cb -
/O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus
Simple CA
7) 9d8753eb - /DC=net/DC=es/OU=Certificate Authorities/OU=DOE
Science
</pre>
</blockquote>
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Grid/CN=pki1
8) d1b603c3 - /DC=net/DC=ES/O=ESnet/OU=Certificate
Authorities/CN=ESnet Root CA 1
9) ecdb249f -
/O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus
Simple CA
The default CA is:
</pre>
</blockquote>
<pre wrap="">/O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/
CN=Globus
Simple CA
</pre>
<blockquote type="cite">
<pre wrap=""> Location: /etc/grid-security/certificates/0ba75d15.0
Enter the index number of the CA to set as the default [q to quit]
--------------------------------------------------------------------
To avoid changing anything, press "q" to quit.
Near the bottom, we are told which CA is currently our default.
</pre>
</blockquote>
<pre wrap="">Please send the file located at the listed "Location" in addition
to the
XXXXXXXX.signing_policy file located in the same directory.
Please also
send the DN listed with that file and the hostname of the CA
machine.
</pre>
<blockquote type="cite">
<pre wrap="">IMPORTANT: For the MyProxy CA certificates, I need both the ".0"
AND
</pre>
</blockquote>
<pre wrap="">the ".signing_policy" files together. Please also send the
machine's
hostname.
</pre>
<blockquote type="cite">
<pre wrap="">-Neill.
_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
</pre>
</blockquote>
<pre wrap="">
--
Estanislao Gonzalez
Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
Phone: +49 (40) 46 00 94-126
E-Mail: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:estanislao.gonzalez@zmaw.de">estanislao.gonzalez@zmaw.de</a>
_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
</pre>
</blockquote>
<pre wrap="">Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
_______________________________________________
GO-ESSP-TECH mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://*mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Gavin M. Bell
Lawrence Livermore National Labs
--
"Never mistake a clear view for a short distance."
-Paul Saffo
(GPG Key - <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)
A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
GO-ESSP-TECH mailing list
<a class="moz-txt-link-abbreviated" href="mailto:GO-ESSP-TECH@ucar.edu">GO-ESSP-TECH@ucar.edu</a>
<a class="moz-txt-link-freetext" href="http://mailman.ucar.edu/mailman/listinfo/go-essp-tech">http://mailman.ucar.edu/mailman/listinfo/go-essp-tech</a>
</pre>
</blockquote>
</body>
</html>