<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffcc" text="#000000">
Hello Everyone, <br>
<br>
I want to take a moment to address a couple of issues:<br>
<b>1) </b>the issue of certificates in ESGF and how things play
with each other<br>
<b>2)</b> ESGF P2P "Data" Node maintenance<br>
<br>
<b>1)</b><br>
Everyone using secured globus services need to fulfill the "secured"
part of that description by providing a valid key pair for these
services to use. You must to do just to get the services running.
This keypair is stored as /etc/grid-security/host{cert,key}.pem
files.<br>
This keypair can be gotten from any number of commercial (cartel)
CAs.<br>
To get some handle on the number of possible CAs out there we are
*strongly* recommending using DOE-Grids as the primary CA for ESGF.<br>
(There will be more information about this to come)<br>
<br>
That pretty much does it for that set of certs.<br>
<br>
Now, for the federation services - primarily the globus secured
services MyProxy and GridFTP, that are apart of the ESGF Node stack,
there are other certificates involved. To be terribly pedantic,
actually one certificate and one key.<br>
<br>
The way we are using MyProxy requires that we install what is called
a SimpleCA. The SimpleCA is like any CA... signs certs. In our
case MyProxy is distributing signed certificates that have been
signed by an installed SimpleCA.<br>
In order to services to trust each other they must be able to
inspect submitted certificates against a stack of blessed CA
certificates. If a submitted certificate can be verified by a known
CA certificate then that bit of the security gauntlet is passed
(there are some other downstream checks against policy files and ids
- not germane to this discussion at the moment).<br>
<br>
What this means is that ALL SimpleCA certificates need to be
submitted and reviewed and disseminated to establish federation wide
trust.<br>
<br>
I have tried to make this process as simple as possible by codifying
it in the esg-node script. Right now it is the script under the
development branch, however, I have tested it and it is working
well.<br>
<br>
On the host that is running MyProxy and the SimpleCA do the
following:<br>
<br>
Get the latest script from devel<br>
<br>
%><b> esg-bootstrap --devel</b><br>
<br>
<small>if you think your bootstrap script is too old get the latest:<br>
%> cd /usr/local/bin <br>
%> wget
<a class="moz-txt-link-freetext" href="http://rainbow.llnl.gov/dist/esgf-installer/esg-bootstrap">http://rainbow.llnl.gov/dist/esgf-installer/esg-bootstrap</a><br>
%> chmod 755 esg-bootstrap</small><br>
<small>then run the previous command.</small><br>
<br>
Double check that you have the devel version of the script<br>
<br>
%> <b>esg-node --version</b><br>
<i>Version: v1.1.1-bay_ridge-release-<b>9</b>-gd20d36c-<b>devel</b><br>
Release: bay_ridge<br>
Earth Systems Grid Federation (<a class="moz-txt-link-freetext" href="http://esgf.org">http://esgf.org</a>)<br>
ESGF Node Installation Script</i><br>
<br>
Run the script so that it pulls down all the federation
certificates.<br>
<br>
%> <b>esg-node --fetch-esgf-certs</b><br>
<br>
There are two possible results<br>
a)<br>
<i>checking for MY cert: /etc/grid-security/certificates/44529084.0<br>
Local CA cert file detected.... [OK]</i><br>
<br>
If this is the output then you don't have to do anything :-) <br>
Otherwise<br>
<br>
b)<br>
<i>checking for MY cert: /etc/grid-security/certificates/7335e89e.0<br>
Integrating in local simpleCA_cert... <br>
`/home/esg-user/.globus/simpleCA/cacert.pem' ->
`/etc/grid-security/certificates/7335e89e.0'<br>
globus_simple_ca_7335e89e_setup-0.20/7335e89e.signing_policy<br>
My CA Cert now posted @ <a class="moz-txt-link-freetext" href="http://esgf-node3.llnl.gov/cacert.pem">http://esgf-node3.llnl.gov/cacert.pem</a> <br>
[OK]<br>
<br>
----------------------------------------------------------------------<br>
If you have not done so, please attach the files:<br>
/etc/grid-security/certificates/7335e89e.0<br>
/etc/grid-security/certificates/7335e89e.signing_policy<br>
/etc/grid-security/hostcert.pem<br>
<br>
to an email addressed to <a class="moz-txt-link-abbreviated" href="mailto:esgf-ca@lists.llnl.gov">esgf-ca@lists.llnl.gov</a><br>
<br>
Include your name, organization, contact information and the
context in which you are<br>
joining the ESGF federation.<br>
<br>
If you are able, please cryptographically sign the email with
your<br>
personal signature, preferably endorsed by your organization<br>
<br>
Thank you :-)<br>
----------------------------------------------------------------------</i><br>
<br>
If you see this output then please follow the instructions and send
the particular files indicated for your host to the
<a class="moz-txt-link-abbreviated" href="mailto:esgf-ca@lists.llnl.gov">esgf-ca@lists.llnl.gov</a><br>
list. We will be do our due diligence to verify the certificate. A
successful vetting will result in your certificate being added to
the set of trusted federation certs. Once your certificate is added
when you run the command above again to fetch the certificates. You
should get the output from the previous section a).<br>
<br>
What is important to understand is that all CA certs that sign certs
being distributed by MyProxy need to be in the curated federation
set of certs if you wish to be a first class member of the
federation.<br>
<br>
This brings us to <b>node</b> <b>maintenance</b>... <br>
<b>2)</b><br>
To make sure you have the latest script you should regularly run <br>
%> <b>esg-node --check</b><br>
<br>
If you are up-to-date it will simply return you to the prompt, with
success ($? == 0).<br>
<br>
Otherwise you will get this:<br>
<br>
<i>WARNING: /usr/local/bin/esg-node could not be verified!! <br>
(This file, /usr/local/bin/esg-node, may have been tampered with
or there is a newer version posted at the distribution server.<br>
Please update this script.)<br>
<br>
Do you wish to Update and exit [u], continue anyway [c] or simply
exit [x]? [u/c/X]: </i><br>
<br>
You then enter in the appropriate response (You have one minute to
enter a response or it will simply 'X' exit)<br>
<br>
You can have this be less interactive by providing the response in
the same command line.<br>
<br>
%> <b>esg-node --check u</b><br>
<i>WARNING: /usr/local/bin/esg-node could not be verified!! <br>
(This file, /usr/local/bin/esg-node, may have been tampered with
or there is a newer version posted at the distribution server.<br>
Please update this script.)<br>
<br>
Updating local script with script from distribution server...<br>
(Setup to pull from DEVELOPMENT tree...)<br>
checking for updates for the ESGF Node<br>
Update Available @
<a class="moz-txt-link-freetext" href="http://198.128.245.140/dist/devel/esgf-installer/esg-node">http://198.128.245.140/dist/devel/esgf-installer/esg-node</a><br>
`esg-node' -> `esg-node.bak'<br>
--18:51:48--
<a class="moz-txt-link-freetext" href="http://198.128.245.140/dist/devel/esgf-installer/esg-node">http://198.128.245.140/dist/devel/esgf-installer/esg-node</a><br>
Connecting to 198.128.245.140:80... connected.<br>
HTTP request sent, awaiting response... 200 OK<br>
Length: 251764 (246K) [text/plain]<br>
Saving to: `esg-node'<br>
<br>
100%[==========================================================================================================================================================>]
251,764 --.-K/s in 0.008s <br>
<br>
18:51:48 (29.1 MB/s) - `esg-node' saved [251764/251764]<br>
<br>
Updated ESGF Node install script from PCMDI's ESGF distribution
site at LLNL<br>
Please re-run this updated script /usr/local/bin/esg-node</i><br>
<br>
This last form is meant to be more amenable to being called in an
automated fashion.<br>
(i.e. in a cronjob script)<br>
<br>
To keep your node in good shape stay updated by:<br>
- regularly check for ESGF P2P Node updates<br>
- regularly fetch ESGF federation certificates<br>
- regularly run the esg-node --update.<br>
<br>
There is an initial early release of the latest node, release name
"Bay Ridge"<br>
We plan on putting out another release soon that improve on what we
have.<br>
What I have discussed in this email will be in the next release
version coming soon.<br>
We will continue to grow moving forward and doing our best to
support the community.<br>
<br>
Check with the latest as we begin to post more documentation on the
web site <a class="moz-txt-link-freetext" href="http://esgf.org">http://esgf.org</a> and the wiki <a class="moz-txt-link-freetext" href="http://esgf.org/wiki">http://esgf.org/wiki</a><br>
The ESGF.org blog will also be restarted to provide news and
information with associated Atom/RSS Feeds<br>
Every ESGF P2P Data Node provides an RSS feed of all the lastest
publications et. al. so you may keep abreast of what is made public
as they are published.<br>
<br>
<br>
Thank you.<br>
<br>
<pre class="moz-signature" cols="72">--
Gavin M. Bell
Lawrence Livermore National Labs
--
"Never mistake a clear view for a short distance."
-Paul Saffo
(GPG Key - <a class="moz-txt-link-freetext" href="http://rainbow.llnl.gov/dist/keys/gavin.asc">http://rainbow.llnl.gov/dist/keys/gavin.asc</a>)
A796 CE39 9C31 68A4 52A7 1F6B 66B7 B250 21D5 6D3E
</pre>
</body>
</html>