[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Feiyi Wang fwang2 at ornl.gov
Thu Aug 19 11:19:50 MDT 2010 

  Neill

We will work with you to get our (ORNL) DN corrected.

Thanks

Feiyi

On 8/17/10 5:41 PM, neillm at mcs.anl.gov wrote:
> Hello,
>
> According to the document here:
>
> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>
> PCMDI, NCAR and ORNL still need to update their DNs to something more official.  This is a CMIP5 blocker as far as I know.
>
> -Neill.
>
> ----- Original Message -----
> From: "Neill Miller"<neillm at mcs.anl.gov>
> To: go-essp-tech at ucar.edu
> Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>
> Hello,
>
> Has anyone made any progress on generating new CA certificates without default simpleCA DNs?  Someone has already sent me new certificates for their site, so aside from that of course.  Please let me know, or send me updated certs and I'll get them online as soon as I can.
>
> thanks,
> -Neill.
>
> ----- Original Message -----
> From: "Neill Miller"<neillm at mcs.anl.gov>
> To: asim at lbl.gov
> Cc: go-essp-tech at ucar.edu
> Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>
> Hello Alex,
>
> It's a good thing to bring up actually.  Each gateway that runs a CA gets to more or less specify their DN to be anything they want.  Going forward, it's important to name them something more appropriate.  I agree that it doesn't look good to have GlobusTest in the DN as well (as we've discussed this before), so there are at least 2 options to consider here:
>
> 1) Allow everyone to get their gateway working as it is now (since it's not a functional thing, but a perception/cosmetic issue), or
> 2) Request that everyone start over with their CAs in order to fix the DN*.
>
> Maybe Gavin (actually, Eric if I'm following correctly) could describe how this step is done and whether or not it's automated away?  If it's automated and hidden from the user in the script, it's likely even starting over won't change anything for most people.
>
> *This is something that can be done without replacing the entire gateway stack.  As a matter of fact, it's just a couple commands and then tracking the proper certificates from there.  If this second option is chosen, I can document what each Gateway needs to do in order to remedy the situation.
>
> But I'd still like to know how this is done at the Gateway install time so that any NEW gateway installs won't have to do anything special and will have more valid looking (default) DNs.
>
> Sound reasonable?
>
> -Neill.
>
> ----- Original Message -----
> From: "Alex Sim"<asim at lbl.gov>
> To: neillm at mcs.anl.gov
> Cc: go-essp-tech at ucar.edu
> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>
>   I hate to bring this up again, but the DN format has to work out
> without GlobusTest in it.
>
> -- Alex
>
>
> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>> Hello,
>>
>> Thanks to everyone that has submitted their certificate information!  At the moment, I have a list of MyProxy and OpenID trusted certificates listed here:
>>
>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>
>> While this page is obviously not complete, please verify that the certificates that you've sent appear in the listings.  I'd like to know roughly how many more I should be expecting before moving on to fill in the other details as well, so if you know you haven't sent yours in yet, please let me know (off-list is fine).
>>
>> thanks,
>> -Neill.
>>
>> ----- Original Message -----
>> From: neillm at mcs.anl.gov
>> To: go-essp-tech at ucar.edu
>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>>
>> Hello,
>>
>> As discussed on the call just now, I need all OpenID trust root certificates in addition to the hostname of the machine.
>>
>> For anyone that has already submitted theirs (i.e. Luca, Phil), if there are helpful commands that you can share with others, please do so in follow-up to this.
>>
>> A helpful page that shows commands for working with your java key/trust store is here:
>>
>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>
>> I also need everyone managing a MyProxy CA to send me their CA certificates.  If you're running a MyProxy CA, there are 2 simple ways to find out which certs are needed (please pick one, not both):
>>
>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/" as the user that runs the CA.
>>
>> In this listing, you'll see a file called "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a hash of the CA certificate.  Please send the files /etc/grid-security/certificates/XXXXXXXX.0 and /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as the hostname of the CA machine.
>>
>> 2) Another method of finding which cert to send is to run the "grid-default-ca" program:
>>
>> --------------------------------------------------------------------
>> $GLOBUS_LOCATION/bin/grid-default-ca
>>
>> The available CA configurations installed on this host are:
>>
>> Directory: /etc/grid-security/certificates
>>
>> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
>> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
>> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
>> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
>> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>
>>
>> The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>           Location: /etc/grid-security/certificates/0ba75d15.0
>>
>> Enter the index number of the CA to set as the default [q to quit]
>> --------------------------------------------------------------------
>>
>> To avoid changing anything, press "q" to quit.
>>
>> Near the bottom, we are told which CA is currently our default.  Please send the file located at the listed "Location" in addition to the XXXXXXXX.signing_policy file located in the same directory.  Please also send the DN listed with that file and the hostname of the CA machine.
>>
>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0" AND the ".signing_policy" files together.  Please also send the machine's hostname.
>>
>> -Neill.
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

More information about the GO-ESSP-TECH mailing list