[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Rachana Ananthakrishnan ranantha at mcs.anl.gov
Thu Sep 9 08:14:25 MDT 2010


Hi Luca,

This is the second time this has been referenced on this mailing list  
- but there has not been any information on how this is governed, or  
how to get access to the site? The site itself doesn't provide much  
information on the intended purpose either. I am fine hosting it  
there, provided we agree on some process for maintaining these, and  
understand ownership when things are moved there.

Thanks,
Rachana

On Sep 9, 2010, at 9:07 AM, Cinquini, Luca (3880) wrote:

> Hi Neill,
> may I suggest again that this information be placed somewhere in  
> esgf.org ?
> Thxs, luca
>
>
>
>
> On Sep 9, 2010, at 8:01 AM, "neillm at mcs.anl.gov"  
> <neillm at mcs.anl.gov> wrote:
>
>> Hello Estani,
>>
>> I somehow missed your latest, my apologies.  I'll have those  
>> integrated as well as Stephen's shortly.
>>
>> We are working on having a central place to store these, but it's not
>> resolved yet.
>>
>> The requirement is that it be HTTPS accessible.  If someone has  
>> access to something like that, I'm all for moving the page there.   
>> The document needs to be updated with each certificate that changes  
>> and also the truststore needs to be regenerated, so I don't think  
>> public FTP is the best option.
>>
>> I do agree that a UofC Wiki is not the ideal final resting place  
>> for this information though.
>>
>> -Neill.
>>
>> ----- Original Message -----
>> From: "Estanislao Gonzalez" <estanislao.gonzalez at zmaw.de>
>> To: "stephen pascoe" <stephen.pascoe at stfc.ac.uk>
>> Cc: neillm at mcs.anl.gov, go-essp-tech at ucar.edu, "philip kershaw" <philip.kershaw at stfc.ac.uk>
>> Sent: Thursday, September 9, 2010 8:35:27 AM GMT -06:00 US/Canada  
>> Central
>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root  
>> Certificates
>>
>> Hi all,
>>
>> I see the trusted certificates are quite old. I've already changed them
>> as requested so that the naming scheme would be more ESG-conform, but
>> the certificates are still the older ones.
>>
>> Would it be possible to upload the certificates somewhere? Maybe a
>> pub ftp?
>> That way we could just upload the certificates if they were changed. We
>> could later on delete the ones we don't require.
>>
>>
>> Thanks,
>> Estani
>>
>> stephen.pascoe at stfc.ac.uk wrote:
>>>
>>> Hi Neil,
>>>
>>> Updating our trustroots using your wiki page below I notice that the
>>> esg-truststore.ks file is missing 2 of our certificates that are in the
>>> tarball esg_trusted_certificates-08-24-2010.tar.gz.  These are
>>> cf22df3a.0 and ece35fd4.0
>>>
>>> I can guess how this happened.  Phil provided PEM files containing both
>>> the certificate text and BEGIN CERTIFICATE sections.  I've noticed
>>> keytool fails unless PEM files only contain the BEGIN CERTIFICATE block.
>>>
>>> Those using esg-truststore.ks need to import the certificates into the
>>> keystore in order for it to work with BADC.  One possible recipe is:
>>>
>>> $ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/cf22df3a.0 > cf22df3a_bare.0
>>> $ keytool -import -keystore esg-truststore.ts -alias cf22df3a -file cf22df3a_bare.0
>>> $ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/ece35fd4.0 > ece35fd4_bare.0
>>> $ keytool -import -keystore esg-truststore.ts -alias ece35fd4 -file ece35fd4_bare.0
>>>
>>> I hope this can be reflected in esg-truststore.ks soon.
>>>
>>> Cheers,
>>> Stephen.
>>>
>>> ---
>>> Stephen Pascoe  +44 (0)1235 445980
>>> British Atmospheric Data Centre
>>> Rutherford Appleton Laboratory
>>>
>>> -----Original Message-----
>>> From: go-essp-tech-bounces at ucar.edu
>>> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of neillm at mcs.anl.gov
>>> Sent: 17 August 2010 22:42
>>> To: go-essp-tech at ucar.edu
>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>> Certificates
>>>
>>> Hello,
>>>
>>> According to the document here:
>>>
>>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>>
>>> PCMDI, NCAR and ORNL still need to update their DNs to something more
>>> official.  This is a CMIP5 blocker as far as I know.
>>>
>>> -Neill.
>>>
>>> ----- Original Message -----
>>> From: "Neill Miller" <neillm at mcs.anl.gov>
>>> To: go-essp-tech at ucar.edu
>>> Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada
>>> Central
>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>> Certificates
>>>
>>> Hello,
>>>
>>> Has anyone made any progress on generating new CA certificates without
>>> default simpleCA DNs?  Someone has already sent me new certificates for
>>> their site, so aside from that of course.  Please let me know, or send
>>> me updated certs and I'll get them online as soon as I can.
>>>
>>> thanks,
>>> -Neill.
>>>
>>> ----- Original Message -----
>>> From: "Neill Miller" <neillm at mcs.anl.gov>
>>> To: asim at lbl.gov
>>> Cc: go-essp-tech at ucar.edu
>>> Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada  
>>> Central
>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>> Certificates
>>>
>>> Hello Alex,
>>>
>>> It's a good thing to bring up actually.  Each gateway that runs a CA
>>> gets to more or less specify their DN to be anything they want.  Going
>>> forward, it's important to name them something more appropriate.  I
>>> agree that it doesn't look good to have GlobusTest in the DN as well (as
>>> we've discussed this before), so there are at least 2 options to
>>> consider here:
>>>
>>> 1) Allow everyone to get their gateway working as it is now (since it's
>>> not a functional thing, but a perception/cosmetic issue), or
>>> 2) Request that everyone start over with their CAs in order to fix the
>>> DN*.
>>>
>>> Maybe Gavin (actually, Eric if I'm following correctly) could describe
>>> how this step is done and whether or not it's automated away?  If it's
>>> automated and hidden from the user in the script, it's likely even
>>> starting over won't change anything for most people.
>>>
>>> *This is something that can be done without replacing the entire gateway
>>> stack.  As a matter of fact, it's just a couple commands and then
>>> tracking the proper certificates from there.  If this second option is
>>> chosen, I can document what each Gateway needs to do in order to remedy
>>> the situation.
>>>
>>> But I'd still like to know how this is done at the Gateway install time
>>> so that any NEW gateway installs won't have to do anything special and
>>> will have more valid looking (default) DNs.
>>>
>>> Sound reasonable?
>>>
>>> -Neill.
>>>
>>> ----- Original Message -----
>>> From: "Alex Sim" <asim at lbl.gov>
>>> To: neillm at mcs.anl.gov
>>> Cc: go-essp-tech at ucar.edu
>>> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada  
>>> Central
>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>> Certificates
>>>
>>> I hate to bring this up again, but the DN format has to work out
>>> without GlobusTest in it.
>>>
>>> -- Alex
>>>
>>>
>>> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>>>
>>>> Hello,
>>>>
>>>> Thanks to everyone that has submitted their certificate information!
>>>>
>>>> At the moment, I have a list of MyProxy and OpenID trusted certificates
>>>> listed here:
>>>>
>>>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>>>
>>>> While this page is obviously not complete, please verify that the
>>>> certificates that you've sent appear in the listings.  I'd like to know
>>>> roughly how many more I should be expecting before moving on to fill in
>>>> the other details as well, so if you know you haven't sent yours in yet,
>>>> please let me know (off-list is fine).
>>>>
>>>> thanks,
>>>> -Neill.
>>>>
>>>> ----- Original Message -----
>>>> From: neillm at mcs.anl.gov
>>>> To: go-essp-tech at ucar.edu
>>>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada  
>>>> Central
>>>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root  
>>>> Certificates
>>>>
>>>> Hello,
>>>>
>>>> As discussed on the call just now, I need all OpenID trust root
>>>> certificates in addition to the hostname of the machine.
>>>>
>>>> For anyone that has already submitted theirs (i.e. Luca, Phil), if
>>>> there are helpful commands that you can share with others, please do so
>>>> in follow-up to this.
>>>>
>>>> A helpful page that shows commands for working with your java
>>>> key/trust store is here:
>>>>
>>>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>>>
>>>> I also need everyone managing a MyProxy CA to send me their CA
>>>> certificates.  If you're running a MyProxy CA, there are 2 simple ways
>>>> to find out which certs are needed (please pick one, not both):
>>>>
>>>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/"
>>>> as the user that runs the CA.
>>>>
>>>> In this listing, you'll see a file called
>>>> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a hash
>>>> of the CA certificate.  Please send the files
>>>> /etc/grid-security/certificates/XXXXXXXX.0 and
>>>> /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as the
>>>> hostname of the CA machine.
>>>>
>>>> 2) Another method of finding which cert to send is to run the
>>>> "grid-default-ca" program:
>>>>
>>>> --------------------------------------------------------------------
>>>> $GLOBUS_LOCATION/bin/grid-default-ca
>>>>
>>>> The available CA configurations installed on this host are:
>>>>
>>>> Directory: /etc/grid-security/certificates
>>>>
>>>> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>>>> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>>>> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
>>>> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
>>>> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
>>>> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
>>>> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>>>
>>>>
>>>> The default CA is:  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>>        Location: /etc/grid-security/certificates/0ba75d15.0
>>>>
>>>> Enter the index number of the CA to set as the default [q to quit]
>>>> --------------------------------------------------------------------
>>>>
>>>> To avoid changing anything, press "q" to quit.
>>>>
>>>> Near the bottom, we are told which CA is currently our default.
>>>> Please send the file located at the listed "Location" in addition to the
>>>> XXXXXXXX.signing_policy file located in the same directory.  Please also
>>>> send the DN listed with that file and the hostname of the CA machine.
>>>>
>>>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0" AND
>>>> the ".signing_policy" files together.  Please also send the machine's
>>>> hostname.
>>>>
>>>> -Neill.
>>>> _______________________________________________
>>>> GO-ESSP-TECH mailing list
>>>> GO-ESSP-TECH at ucar.edu
>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>
>>
>>
>> --
>> Estanislao Gonzalez
>>
>> Max-Planck-Institut für Meteorologie (MPI-M)
>> Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
>> Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
>>
>> Phone:   +49 (40) 46 00 94-126
>> E-Mail:  estanislao.gonzalez at zmaw.de
>>

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
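Stephen's recipe in the thread above strips a PEM file down to its BEGIN/END CERTIFICATE block because keytool rejects files that also carry the textual certificate dump. As an added example that is not part of the thread or of any ESGF tooling, the Python below does the same extraction for any number of blocks, detects the preamble case that made keytool fail, and sanity-checks that the decoded body is DER; the sample file and its 5-byte DER body are constructed, not a real ESGF certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample, not a real ESGF certificate: an openssl-style textual
# dump precedes the PEM block, the layout that made keytool fail. The base64
# body is a 5-byte DER SEQUENCE standing in for a real X.509 certificate.
SAMPLE_WITH_PREAMBLE = """\
Certificate:
    Data:
        Subject: O=Grid, OU=example-simpleCA, CN=Example Simple CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

def extract_pem_blocks(text):
    """Bare PEM blocks in order; same selection as the sed range, but a
    truncated file raises instead of yielding an unterminated block."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("unterminated BEGIN CERTIFICATE block")
    if not blocks:
        raise ValueError("no certificate block found")
    return blocks

def has_preamble(text):
    """True when anything besides PEM blocks is present (the keytool failure case)."""
    pem = re.escape(BEGIN) + r".*?" + re.escape(END)
    return bool(re.sub(pem, "", text, flags=re.S).strip())

def decode_der(block):
    """Base64-decode one bare block and check it opens as a DER SEQUENCE (0x30)."""
    body = block.replace(BEGIN, "").replace(END, "")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der
```

Each returned block can be written out as the `*_bare.0` file and handed to the keytool command from the recipe unchanged.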


