[Go-essp-tech] Call for CA and OpenID Trust root Certificates

stephen.pascoe at stfc.ac.uk stephen.pascoe at stfc.ac.uk
Thu Sep 9 07:22:42 MDT 2010


 
Hi Neil,

Updating our trustroots using your wiki page below I notice that the
esg-truststore.ks file is missing 2 of our certificates that are in the
tarball esg_trusted_certificates-08-24-2010.tar.gz.  These are
cf22df3a.0 and ece35fd4.0

I can guess how this happened.  Phil provided PEM files containing both
the certificate text and BEGIN CERTIFICATE sections.  I've noticed
keytool fails unless PEM files only contain the BEGIN CERTIFICATE block.

Those using esg-truststore.ks need to import the certificates into the
keystore in order for it to work with BADC.  One possible recipe is:

$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/cf22df3a.0 >cf22df3a_bare.0
$ keytool -import -keystore esg-truststore.ks -alias cf22df3a -file cf22df3a_bare.0
$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/ece35fd4.0 >ece35fd4_bare.0
$ keytool -import -keystore esg-truststore.ks -alias ece35fd4 -file ece35fd4_bare.0

I hope this can be reflected in esg-truststore.ks soon.

Cheers,
Stephen.

---
Stephen Pascoe  +44 (0)1235 445980
British Atmospheric Data Centre
Rutherford Appleton Laboratory
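
A runnable version of the two checks in the message above (the PEM trim and the tarball-versus-keystore comparison), added here as an example and not part of the original post. The certificate files and the keytool listing it builds are constructed stand-ins, and the parsing of keytool -list output assumes its usual "alias, date, trustedCertEntry," line format:

```shell
#!/bin/sh
# Added example, not code from the thread. pem_bare does what the sed step in
# the recipe does: reduce a hash-named CA file (XXXXXXXX.0) to the single
# BEGIN/END CERTIFICATE block that keytool accepts. missing_aliases repeats
# the comparison that found the two missing certificates: hashes present in
# the tarball directory but with no trustedCertEntry alias in a saved
# "keytool -list -keystore esg-truststore.ks" listing. All data is constructed.
set -u

pem_bare() {
    # keytool chokes on the human-readable text that precedes the PEM block
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

work=$(mktemp -d)   # scratch dir; left in place so results can be inspected

# $1: directory of XXXXXXXX.0 files  $2: file holding keytool -list output
missing_aliases() {
    for f in "$1"/*.0; do basename "$f" .0; done | sort > "$work/have"
    # keytool -list prints one "alias, date, trustedCertEntry," line per cert
    sed -n 's/^\([0-9a-f]\{8\}\), .*trustedCertEntry,$/\1/p' "$2" \
        | sort > "$work/in_ks"
    comm -23 "$work/have" "$work/in_ks"   # in tarball but not in keystore
}

# Constructed tarball directory: three hash-named files, each carrying an
# openssl -text style preamble ahead of a (fake) certificate block.
certs="$work/esg_trusted_certificates"
mkdir "$certs"
for h in 0ba75d15 cf22df3a ece35fd4; do
    {
        printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "MIIB${h}CONSTRUCTEDNOTAREALCERT" '-----END CERTIFICATE-----'
    } > "$certs/$h.0"
done

# Constructed keytool -list output: only 0ba75d15 was imported.
cat > "$work/listing.txt" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

0ba75d15, Aug 24, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF

missing_aliases "$certs" "$work/listing.txt"   # prints cf22df3a and ece35fd4
```

Feed the second function the real tarball directory and a saved keytool -list of esg-truststore.ks to get the list of aliases that still need the import recipe.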

-----Original Message-----
From: go-essp-tech-bounces at ucar.edu
[mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of neillm at mcs.anl.gov
Sent: 17 August 2010 22:42
To: go-essp-tech at ucar.edu
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates

Hello,

According to the document here:

http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots

PCMDI, NCAR and ORNL still need to update their DNs to something more
official.  This is a CMIP5 blocker as far as I know.

-Neill.

----- Original Message -----
From: "Neill Miller" <neillm at mcs.anl.gov>
To: go-essp-tech at ucar.edu
Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada
Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates

Hello,

Has anyone made any progress on generating new CA certificates without
default simpleCA DNs?  Someone has already sent me new certificates for
their site, so aside from that of course.  Please let me know, or send
me updated certs and I'll get them online as soon as I can.

thanks,
-Neill.

----- Original Message -----
From: "Neill Miller" <neillm at mcs.anl.gov>
To: asim at lbl.gov
Cc: go-essp-tech at ucar.edu
Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates

Hello Alex,

It's a good thing to bring up actually.  Each gateway that runs a CA
gets to more or less specify their DN to be anything they want.  Going
forward, it's important to name them something more appropriate.  I
agree that it doesn't look good to have GlobusTest in the DN as well (as
we've discussed this before), so there are at least 2 options to
consider here:

1) Allow everyone to get their gateway working as it is now (since it's
not a functional thing, but a perception/cosmetic issue), or
2) Request that everyone start over with their CAs in order to fix the
DN*.

Maybe Gavin (actually, Eric if I'm following correctly) could describe
how this step is done and whether or not it's automated away?  If it's
automated and hidden from the user in the script, it's likely even
starting over won't change anything for most people.

*This is something that can be done without replacing the entire gateway
stack.  As a matter of fact, it's just a couple commands and then
tracking the proper certificates from there.  If this second option is
chosen, I can document what each Gateway needs to do in order to remedy
the situation.

But I'd still like to know how this is done at the Gateway install time
so that any NEW gateway installs won't have to do anything special and
will have more valid looking (default) DNs.

Sound reasonable?

-Neill.

----- Original Message -----
From: "Alex Sim" <asim at lbl.gov>
To: neillm at mcs.anl.gov
Cc: go-essp-tech at ucar.edu
Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
Certificates

 I hate to bring this up again, but the DN format has to work out
without GlobusTest in it.

-- Alex


On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
> Hello,
>
> Thanks to everyone that has submitted their certificate information!
> At the moment, I have a list of MyProxy and OpenID trusted certificates
> listed here:
>
> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>
> While this page is obviously not complete, please verify that the
> certificates that you've sent appear in the listings.  I'd like to know
> roughly how many more I should be expecting before moving on to fill in
> the other details as well, so if you know you haven't sent yours in yet,
> please let me know (off-list is fine).
>
> thanks,
> -Neill.
>
> ----- Original Message -----
> From: neillm at mcs.anl.gov
> To: go-essp-tech at ucar.edu
> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
> Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>
> Hello,
>
> As discussed on the call just now, I need all OpenID trust root
> certificates in addition to the hostname of the machine.
>
> For anyone that has already submitted theirs (i.e. Luca, Phil), if
> there are helpful commands that you can share with others, please do so
> in follow-up to this.
>
> A helpful page that shows commands for working with your java
> key/trust store is here:
>
> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>
> I also need everyone managing a MyProxy CA to send me their CA
> certificates.  If you're running a MyProxy CA, there are 2 simple ways
> to find out which certs are needed (please pick one, not both):
>
> 1) Log in to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/"
> as the user that runs the CA.
>
> In this listing, you'll see a file called
> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a hash
> of the CA certificate.  Please send the files
> /etc/grid-security/certificates/XXXXXXXX.0 and
> /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as the
> hostname of the CA machine.
>
> 2) Another method of finding which cert to send is to run the
> "grid-default-ca" program:
>
> --------------------------------------------------------------------
> $GLOBUS_LOCATION/bin/grid-default-ca
>
> The available CA configurations installed on this host are:
>
> Directory: /etc/grid-security/certificates
>
> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
>
>
> The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>          Location: /etc/grid-security/certificates/0ba75d15.0
>
> Enter the index number of the CA to set as the default [q to quit]
> --------------------------------------------------------------------
>
> To avoid changing anything, press "q" to quit.
>
> Near the bottom, we are told which CA is currently our default.
> Please send the file located at the listed "Location" in addition to the
> XXXXXXXX.signing_policy file located in the same directory.  Please also
> send the DN listed with that file and the hostname of the CA machine.
>
> IMPORTANT: For the MyProxy CA certificates, I need both the ".0" AND
> the ".signing_policy" files together.  Please also send the machine's
> hostname.
>
> -Neill.
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>