[Go-essp-tech] Call for CA and OpenID Trust root Certificates

Alex Sim asim at lbl.gov
Thu Sep 9 12:10:54 MDT 2010


 I somewhat agree with Rachana that hosting them on esgf.org is not a
problem but we need some kind of governance on the info, before making
them available on the web. This includes more of policy issues as well.
One example is how a gateway is decided to be trusted and included in
the trusted list, as anyone can download and install an ESG
gateway/MyProxy server and generate a CA.

-- Alex


On 9/9/10 10:51 AM, Gavin M. Bell wrote:
> Hi Rachana,
>
> If we are looking for a place to house this information then, I agree
> with Luca, that esgf.org is available and probably the most amenable
> site for doing so.  At the moment the issue is that Neill would like
> the information hosted behind an https site 'somewhere', under that
> requirement - esgf.org is as good a place as any, IMHO.  Also, we can
> host that information from another server here at LLNL, I am thinking
> the distribution machine here.  In the context of esgf, one scenario
> is that, we treat the key storage, management and information (web
> page) in the same way we treat the projects hosted there.  This makes
> it easy to maintain, etc..
>
> Neill, no worries, we can find a place for you (your stuff... our
> certs).  I guess what would be good to know is, how 'on fire' is this
> request?  I can make the spare cycles to make this happen for you, but
> manage my expectations so I can give this the priority it requires.
> Is there a due date you have in mind?
>
>
> On 9/9/10 7:14 AM, Rachana Ananthakrishnan wrote:
>> Hi Luca,
>>
>> This is the second time this has been referenced on this mailing list
>> - but there has not been any information on how this is governed, or
>> how to get access to the site? The site itself doesn't provide much
>> information on the intended purpose either. I am fine hosting it
>> there, provided we agree on some process for maintaining these, and
>> understand ownership when things are moved there.
>>
>> Thanks,
>> Rachana
>>
>> On Sep 9, 2010, at 9:07 AM, Cinquini, Luca (3880) wrote:
>>
>>> Hi Neill,
>>> may I suggest again that this information be placed somewhere in
>>> esgf.org ?
>>> Thxs, luca
>>>
>>>
>>>
>>>
>>> On Sep 9, 2010, at 8:01 AM, "neillm at mcs.anl.gov"
>>> <neillm at mcs.anl.gov> wrote:
>>>
>>>> Hello Estani,
>>>>
>>>> I somehow missed your latest, my apologies.  I'll have those
>>>> integrated as well as Stephen's shortly.
>>>>
>>>> We are working on having a central place to store these, but it's not
>>>> resolved yet.
>>>>
>>>> The requirement is that it be HTTPS accessible.  If someone has
>>>> access to something like that, I'm all for moving the page there.
>>>> The document needs to be updated with each certificate that changes
>>>> and also the truststore needs to be regenerated, so I don't think
>>>> public FTP is the best option.
>>>>
>>>> I do agree that a UofC Wiki is not the ideal final resting place
>>>> for this information though.
>>>>
>>>> -Neill.
>>>>
>>>> ----- Original Message -----
>>>> From: "Estanislao Gonzalez" <estanislao.gonzalez at zmaw.de>
>>>> To: "stephen pascoe" <stephen.pascoe at stfc.ac.uk>
>>>> Cc: neillm at mcs.anl.gov, go-essp-tech at ucar.edu, "philip kershaw" <philip.kershaw at stfc.ac.uk>
>>>> Sent: Thursday, September 9, 2010 8:35:27 AM GMT -06:00 US/Canada
>>>> Central
>>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>>> Certificates
>>>>
>>>> Hi all,
>>>>
>>>> I see the trusted certificates are quite old. I've already changed them
>>>> as requested so that the naming scheme would be more ESG-conform, but
>>>> the certificates are still the older ones.
>>>>
>>>> Would it be possible to upload the certificates somewhere? Maybe a
>>>> pub ftp?
>>>> That way we could just upload the certificates if they were changed. We
>>>> could later on delete the ones we don't require.
>>>>
>>>>
>>>> Thanks,
>>>> Estani
>>>>
>>>> stephen.pascoe at stfc.ac.uk wrote:
>>>>> Hi Neil,
>>>>>
>>>>> Updating our trustroots using your wiki page below I notice that the
>>>>> esg-truststore.ks file is missing 2 of our certificates that are
>>>>> in the
>>>>> tarball esg_trusted_certificates-08-24-2010.tar.gz.  These are
>>>>> cf22df3a.0 and ece35fd4.0
>>>>>
>>>>> I can guess how this happened.  Phil provided PEM files containing
>>>>> both
>>>>> the certificate text and BEGIN CERTIFICATE sections.  I've noticed
>>>>> keytool fails unless PEM files only contain the BEGIN CERTIFICATE
>>>>> block.
>>>>>
>>>>> Those using esg-truststore.ks need to import the certificates into
>>>>> the
>>>>> keystore in order for it to work with BADC.  One possible recipe is:
>>>>>
>>>>> $ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/cf22df3a.0 > cf22df3a_bare.0
>>>>> $ keytool -import -keystore esg-truststore.ts -alias cf22df3a -file cf22df3a_bare.0
>>>>> $ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/ece35fd4.0 > ece35fd4_bare.0
>>>>> $ keytool -import -keystore esg-truststore.ts -alias ece35fd4 -file ece35fd4_bare.0
>>>>>
>>>>> I hope this can be reflected in esg-truststore.ks soon.
>>>>>
>>>>> Cheers,
>>>>> Stephen.
>>>>>
>>>>> ---
>>>>> Stephen Pascoe  +44 (0)1235 445980
>>>>> British Atmospheric Data Centre
>>>>> Rutherford Appleton Laboratory
>>>>>
>>>>> -----Original Message-----
>>>>> From: go-essp-tech-bounces at ucar.edu
>>>>> [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of neillm at mcs.anl.gov
>>>>> Sent: 17 August 2010 22:42
>>>>> To: go-essp-tech at ucar.edu
>>>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>>>> Certificates
>>>>>
>>>>> Hello,
>>>>>
>>>>> According to the document here:
>>>>>
>>>>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>>>>
>>>>> PCMDI, NCAR and ORNL still need to update their DNs to something
>>>>> more
>>>>> official.  This is a CMIP5 blocker as far as I know.
>>>>>
>>>>> -Neill.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Neill Miller" <neillm at mcs.anl.gov>
>>>>> To: go-essp-tech at ucar.edu
>>>>> Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada
>>>>> Central
>>>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>>>> Certificates
>>>>>
>>>>> Hello,
>>>>>
>>>>> Has anyone made any progress on generating new CA certificates
>>>>> without
>>>>> default simpleCA DNs?  Someone has already sent me new
>>>>> certificates for
>>>>> their site, so aside from that of course.  Please let me know, or
>>>>> send
>>>>> me updated certs and I'll get them online as soon as I can.
>>>>>
>>>>> thanks,
>>>>> -Neill.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Neill Miller" <neillm at mcs.anl.gov>
>>>>> To: asim at lbl.gov
>>>>> Cc: go-essp-tech at ucar.edu
>>>>> Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada
>>>>> Central
>>>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>>>> Certificates
>>>>>
>>>>> Hello Alex,
>>>>>
>>>>> It's a good thing to bring up actually.  Each gateway that runs a CA
>>>>> gets to more or less specify their DN to be anything they want.
>>>>> Going
>>>>> forward, it's important to name them something more appropriate.  I
>>>>> agree that it doesn't look good to have GlobusTest in the DN as
>>>>> well (as
>>>>> we've discussed this before), so there are at least 2 options to
>>>>> consider here:
>>>>>
>>>>> 1) Allow everyone to get their gateway working as it is now (since
>>>>> it's
>>>>> not a functional thing, but a perception/cosmetic issue), or
>>>>> 2) Request that everyone start over with their CAs in order to fix
>>>>> the
>>>>> DN*.
>>>>>
>>>>> Maybe Gavin (actually, Eric if I'm following correctly) could
>>>>> describe
>>>>> how this step is done and whether or not it's automated away?  If
>>>>> it's
>>>>> automated and hidden from the user in the script, it's likely even
>>>>> starting over won't change anything for most people.
>>>>>
>>>>> *This is something that can be done without replacing the entire
>>>>> gateway
>>>>> stack.  As a matter of fact, it's just a couple commands and then
>>>>> tracking the proper certificates from there.  If this second
>>>>> option is
>>>>> chosen, I can document what each Gateway needs to do in order to
>>>>> remedy
>>>>> the situation.
>>>>>
>>>>> But I'd still like to know how this is done at the Gateway install
>>>>> time
>>>>> so that any NEW gateway installs won't have to do anything special
>>>>> and
>>>>> will have more valid looking (default) DNs.
>>>>>
>>>>> Sound reasonable?
>>>>>
>>>>> -Neill.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Alex Sim" <asim at lbl.gov>
>>>>> To: neillm at mcs.anl.gov
>>>>> Cc: go-essp-tech at ucar.edu
>>>>> Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada
>>>>> Central
>>>>> Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root
>>>>> Certificates
>>>>>
>>>>> I hate to bring this up again, but the DN format has to work out
>>>>> without GlobusTest in it.
>>>>>
>>>>> -- Alex
>>>>>
>>>>>
>>>>> On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Thanks to everyone that has submitted their certificate information!
>>>>>>
>>>>>> At the moment, I have a list of MyProxy and OpenID trusted certificates
>>>>>> listed here:
>>>>>>
>>>>>> http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
>>>>>>
>>>>>> While this page is obviously not complete, please verify that the
>>>>>> certificates that you've sent appear in the listings.  I'd like to know
>>>>>> roughly how many more I should be expecting before moving on to fill in
>>>>>> the other details as well, so if you know you haven't sent yours in yet,
>>>>>> please let me know (off-list is fine).
>>>>>>
>>>>>> thanks,
>>>>>> -Neill.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: neillm at mcs.anl.gov
>>>>>> To: go-essp-tech at ucar.edu
>>>>>> Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
>>>>>> Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> As discussed on the call just now, I need all OpenID trust root
>>>>>> certificates in addition to the hostname of the machine.
>>>>>>
>>>>>> For anyone that has already submitted theirs (i.e. Luca, Phil), if
>>>>>> there are helpful commands that you can share with others, please do so
>>>>>> in follow-up to this.
>>>>>>
>>>>>> A helpful page that shows commands for working with your java
>>>>>> key/trust store is here:
>>>>>>
>>>>>> http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>>>>>
>>>>>> I also need everyone managing a MyProxy CA to send me their CA
>>>>>> certificates.  If you're running a MyProxy CA, there are 2 simple ways
>>>>>> to find out which certs are needed (please pick one, not both):
>>>>>>
>>>>>> 1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/"
>>>>>> as the user that runs the CA.
>>>>>>
>>>>>> In this listing, you'll see a file called
>>>>>> "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a hash
>>>>>> of the CA certificate.  Please send the files
>>>>>> /etc/grid-security/certificates/XXXXXXXX.0 and
>>>>>> /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as the
>>>>>> hostname of the CA machine.
>>>>>>
>>>>>> 2) Another method of finding which cert to send is to run the
>>>>>> "grid-default-ca" program:
>>>>>>
>>>>>> --------------------------------------------------------------------
>>>>>> $GLOBUS_LOCATION/bin/grid-default-ca
>>>>>>
>>>>>> The available CA configurations installed on this host are:
>>>>>>
>>>>>> Directory: /etc/grid-security/certificates
>>>>>>
>>>>>> 1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>>>> 2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
>>>>>> 3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
>>>>>> 4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>>>> 5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
>>>>>> 6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
>>>>>> 7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
>>>>>> 8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
>>>>>> 9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
>>>>>>
>>>>>>
>>>>>> The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
>>>>>>        Location: /etc/grid-security/certificates/0ba75d15.0
>>>>>>
>>>>>> Enter the index number of the CA to set as the default [q to quit]
>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>>> To avoid changing anything, press "q" to quit.
>>>>>>
>>>>>> Near the bottom, we are told which CA is currently our default.
>>>>>> Please send the file located at the listed "Location" in addition to the
>>>>>> XXXXXXXX.signing_policy file located in the same directory.  Please also
>>>>>> send the DN listed with that file and the hostname of the CA machine.
>>>>>>
>>>>>> IMPORTANT: For the MyProxy CA certificates, I need both the ".0" AND
>>>>>> the ".signing_policy" files together.  Please also send the machine's
>>>>>> hostname.
>>>>>>
>>>>>> -Neill.
>>>>>> _______________________________________________
>>>>>> GO-ESSP-TECH mailing list
>>>>>> GO-ESSP-TECH at ucar.edu
>>>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> GO-ESSP-TECH mailing list
>>>>> GO-ESSP-TECH at ucar.edu
>>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>>>
>>>> --
>>>> Estanislao Gonzalez
>>>>
>>>> Max-Planck-Institut für Meteorologie (MPI-M)
>>>> Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
>>>> Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
>>>>
>>>> Phone:   +49 (40) 46 00 94-126
>>>> E-Mail:  estanislao.gonzalez at zmaw.de
>>>>
>>>> _______________________________________________
>>>> GO-ESSP-TECH mailing list
>>>> GO-ESSP-TECH at ucar.edu
>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>> Rachana Ananthakrishnan
>> Argonne National Lab | University of Chicago
>>
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>
>>
>
> -- 
> Gavin M. Bell
> Lawrence Livermore National Labs
> --
>
>  "Never mistake a clear view for a short distance."
>        	       -Paul Saffo
>
> (GPG Key - http://rainbow.llnl.gov/dist/keys/gavin.asc)
>
>  A796 CE39 9C31 68A4 52A7  1F6B 66B7 B250 21D5 6D3E
>
>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
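The thread's recurring practical problems, keytool rejecting PEM files that carry the human-readable dump in front of the BEGIN CERTIFICATE block (Stephen's sed recipe), CA files arriving without their .signing_policy companion (Neill's "IMPORTANT" note) and default simpleCA "GlobusTest" DNs slipping into the trust list (Alex's and Neill's exchange), are all checks a federation can run over a trust-root bundle before anyone builds esg-truststore.ks from it. What follows is an added example in Python, not code from this thread or from the ESG project. It assumes the /etc/grid-security/certificates layout described above (one <hash>.0 PEM file per CA beside a <hash>.signing_policy file in the Globus format), and the hashes, DNs and certificate bodies in its sample bundle are constructed placeholders, not real certificates.

```python
import os
import re
import tempfile

# Added example, not code from the thread or the ESG project. Assumes the
# /etc/grid-security/certificates layout the thread describes; the sample
# hashes, DNs and certificate bodies further down are constructed placeholders.

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL)


def bare_pem_blocks(text):
    """Return only the BEGIN/END CERTIFICATE blocks of a PEM file's text.

    Same job as the thread's sed '/BEGIN CERT/,/END CERT/ p' (keytool rejects the
    text dump before the block), but also copes with several blocks, or none.
    """
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def policy_ca_dn(policy_text):
    """Return the DN on the access_id_CA line of a signing_policy file, or None."""
    for line in policy_text.splitlines():
        parts = line.split(None, 2)  # access_id_CA  X509  '<dn, may contain spaces>'
        if len(parts) == 3 and parts[0] == "access_id_CA":
            return parts[2].strip().strip("'\"")
    return None


def audit_bundle(directory):
    """Audit every <hash>.0 in a directory and return {hash: [findings]}.

    Clean (empty list) means: exactly one certificate block, a .signing_policy
    companion that names a DN, and no default simpleCA "GlobusTest" DN.
    """
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not re.fullmatch(r"[0-9a-f]{8}\.0", name):
            continue
        ca_hash, problems = name[:-2], []
        with open(os.path.join(directory, name)) as fh:
            blocks = bare_pem_blocks(fh.read())
        if not blocks:
            problems.append("no BEGIN/END CERTIFICATE block")
        elif len(blocks) > 1:
            problems.append("%d certificate blocks in one file" % len(blocks))
        policy_path = os.path.join(directory, ca_hash + ".signing_policy")
        if not os.path.exists(policy_path):
            problems.append("missing .signing_policy")
        else:
            with open(policy_path) as fh:
                dn = policy_ca_dn(fh.read())
            if dn is None:
                problems.append("signing_policy has no access_id_CA line")
            elif "GlobusTest" in dn:
                problems.append("default simpleCA test DN: " + dn)
        findings[ca_hash] = problems
    return findings


def write_bare_files(directory, outdir):
    """Write <hash>_bare.0 files (block only) for 'keytool -import'; return paths.

    CAs with open findings are skipped, so a truststore is never built from them.
    """
    os.makedirs(outdir, exist_ok=True)
    written = []
    for ca_hash, problems in sorted(audit_bundle(directory).items()):
        if problems:
            continue
        with open(os.path.join(directory, ca_hash + ".0")) as fh:
            block = bare_pem_blocks(fh.read())[0]
        out = os.path.join(outdir, ca_hash + "_bare.0")
        with open(out, "w") as fh:
            fh.write(block)
        written.append(out)
    return written


# Constructed sample bundle: fake hashes, placeholder base64 and made-up DNs.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "MIIBfakeCERTIFICATEbodyNotARealCertificate0123456789abcdef\n"
              "-----END CERTIFICATE-----\n")
TEST_DN = "/O=Grid/OU=GlobusTest/OU=simpleCA-host.example.org/CN=Globus Simple CA"
REAL_DN = "/DC=org/DC=example/OU=Certificate Authorities/CN=Example CA 1"


def policy_text_for(dn):
    """Build a Globus-style signing_policy file for the given CA DN."""
    return ("access_id_CA      X509         '%s'\n"
            "pos_rights        globus        CA:sign\n"
            "cond_subjects     globus       '\"%s/*\"'\n" % (dn, dn.rsplit("/", 1)[0]))


def make_sample_bundle():
    """Write the constructed bundle to a fresh temp dir and return its path."""
    d = tempfile.mkdtemp()
    files = {
        "aaaaaaaa.0": SAMPLE_PEM, "aaaaaaaa.signing_policy": policy_text_for(REAL_DN),
        "bbbbbbbb.0": "Certificate:\n    Data:\n" + SAMPLE_PEM,  # text dump before block
        "bbbbbbbb.signing_policy": policy_text_for(REAL_DN),
        "cccccccc.0": SAMPLE_PEM, "cccccccc.signing_policy": policy_text_for(TEST_DN),
        "dddddddd.0": SAMPLE_PEM,  # arrived without its .signing_policy
        "eeeeeeee.0": SAMPLE_PEM + SAMPLE_PEM, "eeeeeeee.signing_policy": policy_text_for(REAL_DN),
    }
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d
```

The <hash>_bare.0 files it writes are exactly what the `keytool -import -file` step above expects, so the recipe reduces to one keytool call per clean CA. A CA with any finding is withheld rather than imported, which is the sort of gate the governance question at the top of this thread (who decides that a gateway's CA belongs in the trusted list) needs a place to plug into.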