[Go-essp-tech] Call for CA and OpenID Trust root Certificates

martin.juckes at stfc.ac.uk martin.juckes at stfc.ac.uk
Fri Sep 10 03:28:42 MDT 2010


Hi Stephen,

 

I don't think you can put the problem entirely in the GO-ESSP PIs' court: esgf.org contributes to the fragmentation because it makes no attempt to say what ESGF is ("ESGF is a non-profit organization formed by participates in the GO-ESSP collaboration to bring their knowledge and experience to bear on critical Earth System federations in the dissemination of climate data and related products" - from the PCMDI page) or link to associated web-sites. Esgf.org might be good as an idea, but as a web site it still has a lot of problems.

 

It would be useful to have a clear set of requirements. I get the impression from Phil that https is more or less essential. The other requirement appears to be that people can put stuff there: can we get a bit clearer on these requirements?

 

Cheers,

Martin

 

 

From: go-essp-tech-bounces at ucar.edu [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of stephen.pascoe at stfc.ac.uk
Sent: 10 September 2010 10:00
To: asim at lbl.gov; gavin at llnl.gov
Cc: Luca.Cinquini at jpl.nasa.gov; go-essp-tech at ucar.edu
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates

 

I know the sudden emergence of esgf.org must be disconcerting to some who weren't directly involved in its inception; and I agree that governance is a piece of the puzzle we critically need to sort out. The ball's in the GO-ESSP PIs' court there.

 

However, I just want to stress that the status quo is unsustainable and a huge barrier to adoption: information on the ESGF software is fragmented throughout a handful of institutional websites with very little organisation or cross-linking.  I feel the only solution is to manage top-level information from an institution-neutral site, which esgf.org is.

 

On the specific point of managing trustroots: I'm not sure why reading of the trustroots over HTTP would be a problem. Updating them obviously has to be controlled. Esgf.org has the technical infrastructure through its git repository, which I regularly write to using an ssh key pair. Governance could also be enforced by having separate update and master branches. I'm sure Gavin could put together a hook to automatically build the keystore.

 

However, if ANL are working on an alternative that's great but I think it should be at least *linked* from esgf.org.

 

Cheers,

Stephen.

 

---

Stephen Pascoe  +44 (0)1235 445980

British Atmospheric Data Centre

Rutherford Appleton Laboratory

 

 

________________________________

From: go-essp-tech-bounces at ucar.edu [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of Alex Sim
Sent: 09 September 2010 19:11
To: Gavin M. Bell
Cc: Cinquini, Luca (3880); go-essp-tech at ucar.edu
Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates

I somewhat agree with Rachana that hosting them on esgf.org is not a problem, but we need some kind of governance on the info before making them available on the web. This includes policy issues as well. One example is how a gateway is decided to be trusted and included in the trusted list, as anyone can download and install an ESG gateway/MyProxy server and generate a CA.




-- Alex


On 9/9/10 10:51 AM, Gavin M. Bell wrote: 

Hi Rachana, 

If we are looking for a place to house this information then I agree with Luca that esgf.org is available and probably the most amenable site for doing so. At the moment the issue is that Neill would like the information hosted behind an https site 'somewhere'; under that requirement, esgf.org is as good a place as any, IMHO. Also, we can host that information from another server here at LLNL, I am thinking the distribution machine here. In the context of esgf, one scenario is that we treat the key storage, management and information (web page) in the same way we treat the projects hosted there. This makes it easy to maintain, etc.

Neill, no worries, we can find a place for you (your stuff... our certs). I guess what would be good to know is, how 'on fire' is this request? I can make the spare cycles to make this happen for you, but manage my expectations so I can give this the priority it requires. Is there a due date you have in mind?


On 9/9/10 7:14 AM, Rachana Ananthakrishnan wrote: 

Hi Luca,
 
This is the second time this has been referenced on this mailing list
- but there has not been any information on how this is governed, or
how to get access to the site? The site itself doesn't provide much
information on the intended purpose either. I am fine hosting it
there, provided we agree on some process for maintaining these, and
understand ownership when things are moved there.
 
Thanks,
Rachana
 
On Sep 9, 2010, at 9:07 AM, Cinquini, Luca (3880) wrote:
 

	Hi Neill,
	may I suggest again that this information be placed somewhere in
	esgf.org ?
	Thxs, luca
	 
	 
	 
	 
	On Sep 9, 2010, at 8:01 AM, "neillm at mcs.anl.gov" <neillm at mcs.anl.gov> wrote:
	 

		Hello Estani,
		 
		I somehow missed your latest, my apologies.  I'll have those integrated as well as Stephen's shortly.
		 
		We are working on having a central place to store these, but it's not resolved yet.
		 
		The requirement is that it be HTTPS accessible.  If someone has access to something like that, I'm all for moving the page there.  The document needs to be updated with each certificate that changes and also the truststore needs to be regenerated, so I don't think public FTP is the best option.
		 
		I do agree that a UofC Wiki is not the ideal final resting place for this information though.
		 
		-Neill.
		 
		----- Original Message -----
		From: "Estanislao Gonzalez" <estanislao.gonzalez at zmaw.de>
		To: "stephen pascoe" <stephen.pascoe at stfc.ac.uk>
		Cc: neillm at mcs.anl.gov, go-essp-tech at ucar.edu, "philip kershaw" <philip.kershaw at stfc.ac.uk>
		Sent: Thursday, September 9, 2010 8:35:27 AM GMT -06:00 US/Canada Central
		Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
		 
		Hi all,
		 
		I see the trusted certificates are quite old. I've already changed them as requested so that the naming scheme would be more ESG-conform, but the certificates are still the older ones.
		 
		Would it be possible to upload the certificates somewhere? Maybe a pub ftp?
		That way we could just upload the certificates if they were changed.  We could later on delete the ones we don't require.
		 
		 
		Thanks,
		Estani
		 
		stephen.pascoe at stfc.ac.uk wrote:

			Hi Neil,
			 
			Updating our trustroots using your wiki page below I notice that the esg-truststore.ks file is missing 2 of our certificates that are in the tarball esg_trusted_certificates-08-24-2010.tar.gz.  These are cf22df3a.0 and ece35fd4.0
			 
			I can guess how this happened.  Phil provided PEM files containing both the certificate text and BEGIN CERTIFICATE sections.  I've noticed keytool fails unless PEM files only contain the BEGIN CERTIFICATE block.
			 
			Those using esg-truststore.ks need to import the certificates into the keystore in order for it to work with BADC.  One possible recipe is:
			 
			$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/cf22df3a.0 > cf22df3a_bare.0
			$ keytool -import -keystore esg-truststore.ts -alias cf22df3a -file cf22df3a_bare.0
			$ sed -n '/BEGIN CERT/,/END CERT/ p' esg_trusted_certificates/ece35fd4.0 > ece35fd4_bare.0
			$ keytool -import -keystore esg-truststore.ts -alias ece35fd4 -file ece35fd4_bare.0
			 
			I hope this can be reflected in esg-truststore.ks soon.
			 
			Cheers,
			Stephen.
			 
			---
			Stephen Pascoe  +44 (0)1235 445980
			British Atmospheric Data Centre
			Rutherford Appleton Laboratory
			 
			-----Original Message-----
			From: go-essp-tech-bounces at ucar.edu [mailto:go-essp-tech-bounces at ucar.edu] On Behalf Of neillm at mcs.anl.gov
			Sent: 17 August 2010 22:42
			To: go-essp-tech at ucar.edu
			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
			 
			Hello,
			 
			According to the document here:
			 
			http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
			 
			PCMDI, NCAR and ORNL still need to update their DNs to something more official.  This is a CMIP5 blocker as far as I know.
			 
			-Neill.
			 
			----- Original Message -----
			From: "Neill Miller" <neillm at mcs.anl.gov>
			To: go-essp-tech at ucar.edu
			Sent: Wednesday, August 11, 2010 11:30:30 AM GMT -06:00 US/Canada Central
			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
			 
			Hello,
			 
			Has anyone made any progress on generating new CA certificates without default simpleCA DNs?  Someone has already sent me new certificates for their site, so aside from that of course.  Please let me know, or send me updated certs and I'll get them online as soon as I can.
			 
			thanks,
			-Neill.
			 
			----- Original Message -----
			From: "Neill Miller" <neillm at mcs.anl.gov>
			To: asim at lbl.gov
			Cc: go-essp-tech at ucar.edu
			Sent: Friday, August 6, 2010 11:24:04 AM GMT -06:00 US/Canada Central
			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
			 
			Hello Alex,
			 
			It's a good thing to bring up actually.  Each gateway that runs a CA gets to more or less specify their DN to be anything they want.  Going forward, it's important to name them something more appropriate.  I agree that it doesn't look good to have GlobusTest in the DN as well (as we've discussed this before), so there are at least 2 options to consider here:
			 
			1) Allow everyone to get their gateway working as it is now (since it's not a functional thing, but a perception/cosmetic issue), or
			2) Request that everyone start over with their CAs in order to fix the DN*.
			 
			Maybe Gavin (actually, Eric if I'm following correctly) could describe how this step is done and whether or not it's automated away?  If it's automated and hidden from the user in the script, it's likely even starting over won't change anything for most people.
			 
			*This is something that can be done without replacing the entire gateway stack.  As a matter of fact, it's just a couple commands and then tracking the proper certificates from there.  If this second option is chosen, I can document what each Gateway needs to do in order to remedy the situation.
			 
			But I'd still like to know how this is done at the Gateway install time so that any NEW gateway installs won't have to do anything special and will have more valid looking (default) DNs.
			 
			Sound reasonable?
			 
			-Neill.
			 
			----- Original Message -----
			From: "Alex Sim" <asim at lbl.gov>
			To: neillm at mcs.anl.gov
			Cc: go-essp-tech at ucar.edu
			Sent: Friday, August 6, 2010 11:04:56 AM GMT -06:00 US/Canada Central
			Subject: Re: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
			 
			I hate to bring this up again, but the DN format has to work out without GlobusTest in it.
			 
			-- Alex
			 
			 
			On 8/6/10 8:49 AM, neillm at mcs.anl.gov wrote:
			 

				Hello,
				 
				Thanks to everyone that has submitted their certificate information!
				 
				At the moment, I have a list of MyProxy and OpenID trusted certificates listed here:
				 
				http://www.ci.uchicago.edu/wiki/bin/view/ESGProject/ESGFederationTrustRoots
				 
				While this page is obviously not complete, please verify that the certificates that you've sent appear in the listings.  I'd like to know roughly how many more I should be expecting before moving on to fill in the other details as well, so if you know you haven't sent yours in yet, please let me know (off-list is fine).
				 
				thanks,
				-Neill.
				 
				----- Original Message -----
				From: neillm at mcs.anl.gov
				To: go-essp-tech at ucar.edu
				Sent: Tuesday, August 3, 2010 10:58:29 AM GMT -06:00 US/Canada Central
				Subject: [Go-essp-tech] Call for CA and OpenID Trust root Certificates
				 
				Hello,
				 
				As discussed on the call just now, I need all OpenID trust root certificates in addition to the hostname of the machine.
				 
				For anyone that has already submitted theirs (i.e. Luca, Phil), if there are helpful commands that you can share with others, please do so in follow-up to this.
				 
				A helpful page that shows commands for working with your java key/trust store is here:
				 
				http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
				 
				I also need everyone managing a MyProxy CA to send me their CA certificates.  If you're running a MyProxy CA, there are 2 simple ways to find out which certs are needed (please pick one, not both):
				 
				1) Login to the MyProxy CA host and run "ls -al ~/.globus/simpleCA/" as the user that runs the CA.
				 
				In this listing, you'll see a file called "globus_simple_ca_XXXXXXXX_setup-0.20.tar.gz" where XXXXXXXX is a hash of the CA certificate.  Please send the files /etc/grid-security/certificates/XXXXXXXX.0 and /etc/grid-security/certificates/XXXXXXXX.signing_policy as well as the hostname of the CA machine.
				 
				2) Another method of finding which cert to send is to run the "grid-default-ca" program:
				 
				--------------------------------------------------------------------
				$GLOBUS_LOCATION/bin/grid-default-ca
				 
				The available CA configurations installed on this host are:
				 
				Directory: /etc/grid-security/certificates
				 
				1) 0ba75d15 -  /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
				2) 1c3f2ca8 -  /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
				3) 3de8c5e9 -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-67.ci.uchicago.edu/CN=Globus Simple CA
				4) 519bfbae -  /O=Grid/OU=GlobusTest/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
				5) 6349a761 -  /O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager
				6) 9388e5cb -  /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA
				7) 9d8753eb -  /DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1
				8) d1b603c3 -  /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
				9) ecdb249f -  /O=Grid/OU=GlobusTest/OU=simpleCA-esgdev.ci.uchicago.edu/CN=Globus Simple CA
				 
				 
				The default CA is: /O=Grid/OU=GlobusTest2/OU=simpleCA-vm-125-66.ci.uchicago.edu/CN=Globus Simple CA
				       Location: /etc/grid-security/certificates/0ba75d15.0
				 
				Enter the index number of the CA to set as the default [q to quit]
				--------------------------------------------------------------------
				 
				To avoid changing anything, press "q" to quit.
				 
				Near the bottom, we are told which CA is currently our default.  Please send the file located at the listed "Location" in addition to the XXXXXXXX.signing_policy file located in the same directory.  Please also send the DN listed with that file and the hostname of the CA machine.
				 
				IMPORTANT: For the MyProxy CA certificates, I need both the ".0" AND the ".signing_policy" files together.  Please also send the machine's hostname.
				 
				-Neill.
				_______________________________________________
				GO-ESSP-TECH mailing list
				GO-ESSP-TECH at ucar.edu
				http://mailman.ucar.edu/mailman/listinfo/go-essp-tech


		--
		Estanislao Gonzalez
		 
		Max-Planck-Institut für Meteorologie (MPI-M)
		Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
		Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
		 
		Phone:   +49 (40) 46 00 94-126
		E-Mail:  estanislao.gonzalez at zmaw.de
		 


Rachana Ananthakrishnan
Argonne National Lab | University of Chicago
 
 
 





-- 
Gavin M. Bell
Lawrence Livermore National Labs
--
 
 "Never mistake a clear view for a short distance."
                     -Paul Saffo
 
(GPG Key - http://rainbow.llnl.gov/dist/keys/gavin.asc)
 
 A796 CE39 9C31 68A4 52A7  1F6B 66B7 B250 21D5 6D3E
 

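Worked example added to this archive page (not code from any message in the thread): a stdlib-only Python equivalent of Stephen's sed step for PEM files that carry the human-readable certificate text ahead of the BEGIN CERTIFICATE block. It goes a little beyond the sed recipe by handling files with several blocks and by rejecting a body that is not base64-encoded DER, so a garbled trust root is caught before keytool sees it. The sample PEM and its tiny DER body are constructed for the example and are not an ESGF certificate.

```python
import base64
import binascii
import re

# Constructed sample (not a real ESGF trust root): the PEM layout Stephen
# describes, with human-readable text ahead of the BEGIN CERTIFICATE block.
# The base64 body is a tiny DER SEQUENCE { INTEGER 1 }, not a certificate.
SAMPLE_PEM = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=Grid, OU=GlobusTest, CN=Globus Simple CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if der is a single DER SEQUENCE whose declared length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short-form length byte
        return 2 + first == len(der)
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def extract_bare_certs(pem_text: str) -> list:
    """Return every BEGIN/END CERTIFICATE block with the preamble stripped
    and the body re-wrapped at 64 columns, the form keytool accepts.  Unlike
    the sed recipe, a body that is not base64-encoded DER is rejected."""
    bare = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der_length_ok(der):
            raise ValueError("certificate body is not a well-formed DER SEQUENCE")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        bare.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                    % "\n".join(lines))
    if not bare:
        raise ValueError("no BEGIN CERTIFICATE block found")
    return bare
```

Writing the returned text to `<hash>_bare.0` gives the file that the `keytool -import -alias <hash> -file <hash>_bare.0` step in Stephen's recipe expects.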
