[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Rachana Ananthakrishnan ranantha at mcs.anl.gov
Fri Aug 6 12:02:40 MDT 2010 

Neill, thanks for pulling this together!

I second the need for CA name changes. We have had long threads on  
this before, and strongly urged CA with more meaningful DNs. The  
following need to be changed:

1. pcmdi3.llnl.gov
9388e5cb
CN=Globus Simple CA, OU=simpleCA-pcmdi3.llnl.gov, OU=GlobusTest, O=Grid
2. esg2-gw.ccs.ornl.gov
bd26fc83
CN=Globus Simple CA, OU=simpleCA-esg2-gw.ccs.ornl.gov, OU=GlobusTest,  
O=Grid
3. ipcc-ar5.dkrz.de
6263ffd6
CN=Globus Simple CA, OU=simpleCA-ipcc-ar5.dkrz.de, OU=GlobusTest, O=Grid
4. albedo2.dkrz.de
cc6a674f
CN=Globus Simple CA, OU=simpleCA-albedo2.dkrz.de, OU=GlobusTest, /O=Grid

There is no need to have anything Globus or Simple CA in the DN names.  
Globus SimpleCA is a tool that lets you manage a CA, and nothing in  
the certificates needs to use this. Can owners of these CAs please  
make needed changes? Note, this means that you are creating new key  
pairs and such.  I can forward along the thread with suggestions, if  
you need help.

In current deployments, what is the implication of the change. Users  
have short term certificates, so once the CA is changed, they will  
start to receive certificates certificated by the CA in about 12  
hours. So if we keep the old CA around for that transition period, I  
don't expect any disruptions. Please let me know if there are other  
impacts to consider.

One more question, why is this a trusted CA in the federation?

1. esgdev.ci.uchicago.edu
ecdb249f
CN=Globus Simple CA, OU=simpleCA-esgdev.ci.uchicago.edu,  
OU=GlobusTest, O=Grid

Seems like something introduced for testing, and should be removed  
from this list first, and then when this is provisioned will be  
removed from any site that trusts this now.

Rachana

On Aug 6, 2010, at 11:24 AM, Neill Miller wrote:

> Hello Alex,
>
> It's a good thing to bring up actually.  Each gateway that runs a CA  
> gets to more or less specify their DN to be anything they want.   
> Going forward, it's important to name them something more  
> appropriate.  I agree that it doesn't look good to have GlobusTest  
> in the DN as well (as we've discussed this before), so there are at  
> least 2 options to consider here:
>
> 1) Allow everyone to get their gateway working as it is now (since  
> it's not a functional thing, but a perception/cosmetic issue), or
> 2) Request that everyone start over with their CAs in order to fix  
> the DN*.
>
> Maybe Gavin (actually, Eric if I'm following correctly) could  
> describe how this step is done and whether or not it's automated  
> away?  If it's automated and hidden from the user in the script,  
> it's likely even starting over won't change anything for most people.
>
> *This is something that can be done without replacing the entire  
> gateway stack.  As a matter of fact, it's just a couple commands and  
> then tracking the proper certificates from there.  If this second  
> option is chosen, I can document what each Gateway needs to do in  
> order to remedy the situation.
>
> But I'd still like to know how this is done at the Gateway install  
> time so that any NEW gateway installs won't have to do anything  
> special and will have more valid looking (default) DNs.
>
> Sound reasonable?
>
> -Neill.
>
> ----- Original Message -----
> From: "Alex Sim" <asim at lbl.gov>
> To: neillm at mcs.anl.gov
> Cc: go-essp-tech at ucar.edu
> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root  
> Certificates
>
> I hate to bring this up again, but the DN format has to work out
> without GlobusTest in it.
>
> -- Alex
>
>
> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>> Hello,
>>
>> Thanks to everyone that has submitted their certificate  
>> information!  At the moment, I have a list of MyProxy and OpenID  
>> trusted certificates listed here:
>>
>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>
>> While this page is obviously not complete, please verify that the  
>> certificates that you've sent appear in the listings.  I'd like to  
>> know roughly how many more I should be expecting before moving on  
>> to fill in the other details as well, so if you know you haven't  
>> sent yours in yet, please let me know (off-list is fine).
>>
>> thanks,
>> -Neill.
>>
>> ----- Original Message -----
>> From: neillm at mcs.anl.gov
>> To: go-essp-tech at ucar.edu
>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada  
>> Central
>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root  
>> Certificates
>>
>> Hello,
>>
>> As discussed on the call just now, I need all OpenID trust root  
>> certificates in addition to the hostname of the machine.
>>
>> For anyone that has already submitted theirs (i.e. Luca, Phil), if  
>> there are helpful commands that you can share with others, please  
>> do so in follow-up to this.
>>
>> A helpful page that shows commands for working with your java key/ 
>> trust store is here:
>>
>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>
>> I also need everyone managing a MyProxy CA to send me their CA  
>> certificates.  If you're running a MyProxy CA, there are 2 simple  
>> ways to find out which certs are needed (please pick one, not both):
>>
>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/ 
>> simpleCA/" as the user that runs the CA.
>>
>> In this listing, you'll see a file called  
>> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a  
>> hash of the CA certificate.  Please send the files /etc/grid- 
>> security/certificates/XXXXXXXX.0 and /etc/grid-security/ 
>> certificates/XXXXXXXX.signing_policy as well as the hostname of the  
>> CA machine.
>>
>> 2) Another method of finding which cert to send is to run the "grid- 
>> default-ca" program:
>>
>> --------------------------------------------------------------------
>> $GLOBUS_LOCATION/bin/grid-default-ca
>>
>> The available CA configurations installed on this host are:
>>
>> Directory: /etc/grid-security/certificates
>>
>> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA- 
>> vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/ 
>> CN=DOEGrids CA 1
>> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA- 
>> vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA- 
>> vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/ 
>> CN=Certificate Manager
>> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/ 
>> CN=Globus Simple CA
>> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE  
>> Science Grid/CN=pki1
>> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/ 
>> CN=ESnet Root CA 1
>> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA- 
>> esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>
>>
>> The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA- 
>> vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>         Location: /etc/grid-security/certificates/0ba75d15.0
>>
>> Enter the index number of the CA to set as the default [q to quit]
>> --------------------------------------------------------------------
>>
>> To avoid changing anything, press "q" to quit.
>>
>> Near the bottom, we are told which CA is currently our default.   
>> Please send the file located at the listed "Location" in addition  
>> to the XXXXXXXX.signing_policy file located in the same directory.   
>> Please also send the DN listed with that file and the hostname of  
>> the CA machine.
>>
>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0"  
>> AND the ".signing_policy" files together.  Please also send the  
>> machine's hostname.
>>
>> -Neill.
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago

More information about the GO-ESSP-TECH mailing list