[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Cinquini, Luca (3880) Luca.Cinquini at jpl.nasa.gov
Fri Aug 6 12:18:44 MDT 2010


Hi Rachana,
the DN of each user is stored in the gateway database and used to match the DN in the certificate when client authentication is required - at this time only when the user uses the PCMDI publisher. So I believe that if the CA DN for a gateway is changed, all user DNs in the database need to be changed - although this can be done by running a script.
thanks, Luca
 
On Aug 6, 2010, at 12:02 PM, Rachana Ananthakrishnan wrote:

> Neill, thanks for pulling this together!
> 
> I second the need for CA name changes. We have had long threads on  
> this before, and strongly urged CA with more meaningful DNs. The  
> following need to be changed:
> 
> 1. pcmdi3.llnl.gov
> 9388e5cb
> CN=Globus Simple CA, OU=simpleCA-pcmdi3.llnl.gov, OU=GlobusTest, O=Grid
> 2. esg2-gw.ccs.ornl.gov
> bd26fc83
> CN=Globus Simple CA, OU=simpleCA-esg2-gw.ccs.ornl.gov, OU=GlobusTest,  
> O=Grid
> 3. ipcc-ar5.dkrz.de
> 6263ffd6
> CN=Globus Simple CA, OU=simpleCA-ipcc-ar5.dkrz.de, OU=GlobusTest, O=Grid
> 4. albedo2.dkrz.de
> cc6a674f
> CN=Globus Simple CA, OU=simpleCA-albedo2.dkrz.de, OU=GlobusTest, /O=Grid
> 
> There is no need to have anything Globus or Simple CA in the DN names.  
> Globus SimpleCA is a tool that lets you manage a CA, and nothing in  
> the certificates needs to use this. Can owners of these CAs please  
> make needed changes? Note, this means that you are creating new key  
> pairs and such.  I can forward along the thread with suggestions, if  
> you need help.
> 
> In current deployments, what is the implication of the change? Users  
> have short term certificates, so once the CA is changed, they will  
> start to receive certificates certificated by the CA in about 12  
> hours. So if we keep the old CA around for that transition period, I  
> don't expect any disruptions. Please let me know if there are other  
> impacts to consider.
> 
> One more question, why is this a trusted CA in the federation?
> 
> 1. esgdev.ci.uchicago.edu
> ecdb249f
> CN=Globus Simple CA, OU=simpleCA-esgdev.ci.uchicago.edu,  
> OU=GlobusTest, O=Grid
> 
> Seems like something introduced for testing, and should be removed  
> from this list first, and then when this is provisioned will be  
> removed from any site that trusts this now.
> 
> Rachana
> 
> On Aug 6, 2010, at 11:24 AM, Neill Miller wrote:
> 
>> Hello Alex,
>> 
>> It's a good thing to bring up actually.  Each gateway that runs a CA  
>> gets to more or less specify their DN to be anything they want.   
>> Going forward, it's important to name them something more  
>> appropriate.  I agree that it doesn't look good to have GlobusTest  
>> in the DN as well (as we've discussed this before), so there are at  
>> least 2 options to consider here:
>> 
>> 1) Allow everyone to get their gateway working as it is now (since  
>> it's not a functional thing, but a perception/cosmetic issue), or
>> 2) Request that everyone start over with their CAs in order to fix  
>> the DN*.
>> 
>> Maybe Gavin (actually, Eric if I'm following correctly) could  
>> describe how this step is done and whether or not it's automated  
>> away?  If it's automated and hidden from the user in the script,  
>> it's likely even starting over won't change anything for most people.
>> 
>> *This is something that can be done without replacing the entire  
>> gateway stack.  As a matter of fact, it's just a couple commands and  
>> then tracking the proper certificates from there.  If this second  
>> option is chosen, I can document what each Gateway needs to do in  
>> order to remedy the situation.
>> 
>> But I'd still like to know how this is done at the Gateway install  
>> time so that any NEW gateway installs won't have to do anything  
>> special and will have more valid looking (default) DNs.
>> 
>> Sound reasonable?
>> 
>> -Neill.
>> 
>> ----- Original Message -----
>> From: "Alex Sim" <asim at lbl.gov>
>> To: neillm at mcs.anl.gov
>> Cc: go-essp-tech at ucar.edu
>> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>> 
>> I hate to bring this up again, but the DN format has to work out
>> without GlobusTest in it.
>> 
>> -- Alex
>> 
>> 
>> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>>> Hello,
>>> 
>>> Thanks to everyone that has submitted their certificate  
>>> information!  At the moment, I have a list of MyProxy and OpenID  
>>> trusted certificates listed here:
>>> 
>>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>> 
>>> While this page is obviously not complete, please verify that the  
>>> certificates that you've sent appear in the listings.  I'd like to  
>>> know roughly how many more I should be expecting before moving on  
>>> to fill in the other details as well, so if you know you haven't  
>>> sent yours in yet, please let me know (off-list is fine).
>>> 
>>> thanks,
>>> -Neill.
>>> 
>>> ----- Original Message -----
>>> From: neillm at mcs.anl.gov
>>> To: go-essp-tech at ucar.edu
>>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
>>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>>> 
>>> Hello,
>>> 
>>> As discussed on the call just now, I need all OpenID trust root  
>>> certificates in addition to the hostname of the machine.
>>> 
>>> For anyone that has already submitted theirs (i.e. Luca, Phil), if  
>>> there are helpful commands that you can share with others, please  
>>> do so in follow-up to this.
>>> 
>>> A helpful page that shows commands for working with your java key/trust  
>>> store is here:
>>> 
>>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>> 
>>> I also need everyone managing a MyProxy CA to send me their CA  
>>> certificates.  If you're running a MyProxy CA, there are 2 simple  
>>> ways to find out which certs are needed (please pick one, not both):
>>> 
>>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/"  
>>> as the user that runs the CA.
>>> 
>>> In this listing, you'll see a file called  
>>> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a  
>>> hash of the CA certificate.  Please send the files  
>>> /etc/grid-security/certificates/XXXXXXXX.0 and  
>>> /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as  
>>> the hostname of the CA machine.
>>> 
>>> 2) Another method of finding which cert to send is to run the  
>>> "grid-default-ca" program:
>>> 
>>> --------------------------------------------------------------------
>>> $GLOBUS_LOCATION/bin/grid-default-ca
>>> 
>>> The available CA configurations installed on this host are:
>>> 
>>> Directory: /etc/grid-security/certificates
>>> 
>>> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>>> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>>> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
>>> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
>>> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
>>> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
>>> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>> 
>>> 
>>> The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>        Location: /etc/grid-security/certificates/0ba75d15.0
>>> 
>>> Enter the index number of the CA to set as the default [q to quit]
>>> --------------------------------------------------------------------
>>> 
>>> To avoid changing anything, press "q" to quit.
>>> 
>>> Near the bottom, we are told which CA is currently our default.   
>>> Please send the file located at the listed "Location" in addition  
>>> to the XXXXXXXX.signing_policy file located in the same directory.   
>>> Please also send the DN listed with that file and the hostname of  
>>> the CA machine.
>>> 
>>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0"  
>>> AND the ".signing_policy" files together.  Please also send the  
>>> machine's hostname.
>>> 
>>> -Neill.
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>> 
> 
> Rachana Ananthakrishnan
> Argonne National Lab | University of Chicago
> 
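The thread raises three practical points for whoever maintains a gateway's trust roots: the same CA DN appears in two spellings (the comma-separated form in Rachana's list and the slash-separated form printed by grid-default-ca), the SimpleCA defaults ("GlobusTest", "Globus Simple CA") should not appear in a production DN, and, as Luca notes, user DNs stored in the gateway database must be rewritten if a CA DN changes. The following is an added example, not code from the thread or from the ESG gateway software; it assumes SimpleCA's convention that a user DN carries the CA DN minus its CN as its prefix, and every DN, file name and the new CA name "/O=ESG/OU=pcmdi3.llnl.gov/CN=ESG CA" used in it is constructed.

```python
# Added example (not from the thread): normalize the two DN spellings seen in the
# thread, flag SimpleCA default components, check that each trust root ships both
# its ".0" and ".signing_policy" file, and rewrite stored user DNs after a CA DN
# change. All DN and file-name values are constructed for illustration.
import re

# Values that come from Globus SimpleCA's defaults rather than from the operator.
SIMPLECA_DEFAULTS = {"GlobusTest", "GlobusTest2", "Globus Simple CA"}

def parse_dn(dn):
    """Return [(attr, value), ...] root-first from either '/O=Grid/OU=.../CN=...'
    (OpenSSL one-line form) or 'CN=..., OU=..., O=Grid' (RFC 2253, leaf first).
    A stray '/' in front of a comma-separated component is tolerated."""
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = [p.strip().lstrip("/") for p in dn.split(",")][::-1]
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def to_openssl(pairs):
    return "".join(f"/{a}={v}" for a, v in pairs)

def same_dn(a, b):
    """Structural comparison, so a DN stored one way matches a cert's DN."""
    return parse_dn(a) == parse_dn(b)

def simpleca_defaults_in(dn):
    """SimpleCA placeholder components present in a DN (empty for a clean DN)."""
    return [v for _, v in parse_dn(dn) if v in SIMPLECA_DEFAULTS]

def unpaired_trust_roots(filenames):
    """Hashes from a /etc/grid-security/certificates listing that lack
    either the XXXXXXXX.0 certificate or the XXXXXXXX.signing_policy file."""
    certs, policies = set(), set()
    for name in filenames:
        m = re.fullmatch(r"([0-9a-f]{8})\.(0|signing_policy)", name)
        if m:
            (certs if m.group(2) == "0" else policies).add(m.group(1))
    return sorted(certs ^ policies)

def rewrite_user_dn(user_dn, old_ca_dn, new_ca_dn):
    """Assumption: SimpleCA user DNs start with the CA DN minus its own CN.
    Swap that prefix for the new CA's; None if user_dn was not issued under old_ca_dn."""
    user = parse_dn(user_dn)
    old_base, new_base = parse_dn(old_ca_dn)[:-1], parse_dn(new_ca_dn)[:-1]
    if user[:len(old_base)] != old_base:
        return None
    return to_openssl(new_base + user[len(old_base):])
```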


