[Go-essp-tech] Call for CA and OpenID Trust root Certificates
Cinquini, Luca (3880)
Luca.Cinquini at jpl.nasa.gov
Fri Aug 6 12:18:44 MDT 2010
Hi Rachana,
the DN of each user is stored in the gateway database and used to match the DN in the certificate when client authentication is required - at this time only when the user uses the PCMDI publisher. So I believe that if the CA DN for a gateway is changed, all user DNs in the database need to be changed - although this can be done by running a script.
thanks, Luca
On Aug 6, 2010, at 12:02 PM, Rachana Ananthakrishnan wrote:
> Neill, thanks for pulling this together!
>
> I second the need for CA name changes. We have had long threads on
> this before, and strongly urged CA with more meaningful DNs. The
> following need to be changed:
>
> 1. pcmdi3.llnl.gov
> 9388e5cb
> CN=Globus Simple CA, OU=simpleCA-pcmdi3.llnl.gov, OU=GlobusTest, O=Grid
> 2. esg2-gw.ccs.ornl.gov
> bd26fc83
> CN=Globus Simple CA, OU=simpleCA-esg2-gw.ccs.ornl.gov, OU=GlobusTest,
> O=Grid
> 3. ipcc-ar5.dkrz.de
> 6263ffd6
> CN=Globus Simple CA, OU=simpleCA-ipcc-ar5.dkrz.de, OU=GlobusTest, O=Grid
> 4. albedo2.dkrz.de
> cc6a674f
> CN=Globus Simple CA, OU=simpleCA-albedo2.dkrz.de, OU=GlobusTest, /O=Grid
>
> There is no need to have anything Globus or Simple CA in the DN names.
> Globus SimpleCA is a tool that lets you manage a CA, and nothing in
> the certificates needs to use this. Can owners of these CAs please
> make needed changes? Note, this means that you are creating new key
> pairs and such. I can forward along the thread with suggestions, if
> you need help.
>
> In current deployments, what is the implication of the change. Users
> have short term certificates, so once the CA is changed, they will
> start to receive certificates certificated by the CA in about 12
> hours. So if we keep the old CA around for that transition period, I
> don't expect any disruptions. Please let me know if there are other
> impacts to consider.
>
> One more question, why is this a trusted CA in the federation?
>
> 1. esgdev.ci.uchicago.edu
> ecdb249f
> CN=Globus Simple CA, OU=simpleCA-esgdev.ci.uchicago.edu,
> OU=GlobusTest, O=Grid
>
> Seems like something introduced for testing, and should be removed
> from this list first, and then when this is provisioned will be
> removed from any site that trusts this now.
>
> Rachana
>
> On Aug 6, 2010, at 11:24 AM, Neill Miller wrote:
>
>> Hello Alex,
>>
>> It's a good thing to bring up actually. Each gateway that runs a CA
>> gets to more or less specify their DN to be anything they want.
>> Going forward, it's important to name them something more
>> appropriate. I agree that it doesn't look good to have GlobusTest
>> in the DN as well (as we've discussed this before), so there are at
>> least 2 options to consider here:
>>
>> 1) Allow everyone to get their gateway working as it is now (since
>> it's not a functional thing, but a perception/cosmetic issue), or
>> 2) Request that everyone start over with their CAs in order to fix
>> the DN*.
>>
>> Maybe Gavin (actually, Eric if I'm following correctly) could
>> describe how this step is done and whether or not it's automated
>> away? If it's automated and hidden from the user in the script,
>> it's likely even starting over won't change anything for most people.
>>
>> *This is something that can be done without replacing the entire
>> gateway stack. As a matter of fact, it's just a couple commands and
>> then tracking the proper certificates from there. If this second
>> option is chosen, I can document what each Gateway needs to do in
>> order to remedy the situation.
>>
>> But I'd still like to know how this is done at the Gateway install
>> time so that any NEW gateway installs won't have to do anything
>> special and will have more valid looking (default) DNs.
>>
>> Sound reasonable?
>>
>> -Neill.
>>
>> ----- Original Message -----
>> From: "Alex Sim" <asim at lbl.gov>
>> To: neillm at mcs.anl.gov
>> Cc: go-essp-tech at ucar.edu
>> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>> Certificates
>>
>> I hate to bring this up again, but the DN format has to work out
>> without GlobusTest in it.
>>
>> -- Alex
>>
>>
>> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>>> Hello,
>>>
>>> Thanks to everyone that has submitted their certificate
>>> information! At the moment, I have a list of MyProxy and OpenID
>>> trusted certificates listed here:
>>>
>>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>>
>>> While this page is obviously not complete, please verify that the
>>> certificates that you've sent appear in the listings. I'd like to
>>> know roughly how many more I should be expecting before moving on
>>> to fill in the other details as well, so if you know you haven't
>>> sent yours in yet, please let me know (off-list is fine).
>>>
>>> thanks,
>>> -Neill.
>>>
>>> ----- Original Message -----
>>> From: neillm at mcs.anl.gov
>>> To: go-essp-tech at ucar.edu
>>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada
>>> Central
>>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root
>>> Certificates
>>>
>>> Hello,
>>>
>>> As discussed on the call just now, I need all OpenID trust root
>>> certificates in addition to the hostname of the machine.
>>>
>>> For anyone that has already submitted theirs (i.e. Luca, Phil), if
>>> there are helpful commands that you can share with others, please
>>> do so in follow-up to this.
>>>
>>> A helpful page that shows commands for working with your java key/
>>> trust store is here:
>>>
>>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>>
>>> I also need everyone managing a MyProxy CA to send me their CA
>>> certificates. If you're running a MyProxy CA, there are 2 simple
>>> ways to find out which certs are needed (please pick one, not both):
>>>
>>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/
>>> simpleCA/" as the user that runs the CA.
>>>
>>> In this listing, you'll see a file called
>>> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a
>>> hash of the CA certificate. Please send the files /etc/grid-
>>> security/certificates/XXXXXXXX.0 and /etc/grid-security/
>>> certificates/XXXXXXXX.signing_policy as well as the hostname of the
>>> CA machine.
>>>
>>> 2) Another method of finding which cert to send is to run the "grid-
>>> default-ca" program:
>>>
>>> --------------------------------------------------------------------
>>> $GLOBUS_LOCATION/bin/grid-default-ca
>>>
>>> The available CA configurations installed on this host are:
>>>
>>> Directory: /etc/grid-security/certificates
>>>
>>> 1) 0ba75d15 - /O=Grid/OU=GlobusTest2/OU=simpleCA-
>>> vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>> 2) 1c3f2ca8 - /DC=org/DC=DOEGrids/OU=Certificate Authorities/
>>> CN=DOEGrids CA 1
>>> 3) 3de8c5e9 - /O=Grid/OU=GlobusTest/OU=simpleCA-
>>> vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>>> 4) 519bfbae - /O=Grid/OU=GlobusTest/OU=simpleCA-
>>> vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>> 5) 6349a761 - /O=DOE Science Grid/OU=Certificate Authorities/
>>> CN=Certificate Manager
>>> 6) 9388e5cb - /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/
>>> CN=Globus Simple CA
>>> 7) 9d8753eb - /DC=net/DC=es/OU=Certificate Authorities/OU=DOE
>>> Science Grid/CN=pki1
>>> 8) d1b603c3 - /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/
>>> CN=ESnet Root CA 1
>>> 9) ecdb249f - /O=Grid/OU=GlobusTest/OU=simpleCA-
>>> esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>>
>>>
>>> The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-
>>> vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>> Location: /etc/grid-security/certificates/0ba75d15.0
>>>
>>> Enter the index number of the CA to set as the default [q to quit]
>>> --------------------------------------------------------------------
>>>
>>> To avoid changing anything, press "q" to quit.
>>>
>>> Near the bottom, we are told which CA is currently our default.
>>> Please send the file located at the listed "Location" in addition
>>> to the XXXXXXXX.signing_policy file located in the same directory.
>>> Please also send the DN listed with that file and the hostname of
>>> the CA machine.
>>>
>>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0"
>>> AND the ".signing_policy" files together. Please also send the
>>> machine's hostname.
>>>
>>> -Neill.
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>
> Rachana Ananthakrishnan
> Argonne National Lab | University of Chicago
>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
More information about the GO-ESSP-TECH
mailing list