[Go-essp-tech] [ESG-CET] Gateway 1.3.0 release production registry file
Neill Miller
neillm at mcs.anl.gov
Thu Jun 16 16:16:47 MDT 2011
Hello,
Regarding the truststore, I just removed the expired RapidSSL cert. In the future, we should make an effort to point out which certs need to be added/removed explicitly by hash so that it gets done properly. In this case, we needed to remove c4a11bb8 and replace it with 7d2cc546. If there are others, let me (or another committer to esg-certs) know.
Cron will take some time to update most likely, unless Gavin kicks it manually.
thanks,
-Neill.
----- Original Message -----
From: "Nathan Hook" <nhook at ucar.edu>
To: "Luca Cinquini (3880)" <Luca.Cinquini at jpl.nasa.gov>
Cc: go-essp-tech at ucar.edu, "ESG CET" <esg-cet at earthsystemgrid.org>
Sent: Thursday, June 16, 2011 4:17:51 PM
Subject: Re: [Go-essp-tech] [ESG-CET] Gateway 1.3.0 release production registry file
Hi Luca,
There are a couple issues causing the login issues between the jpl and
ncar gateway:
First, the jpl gateway does not seem to be running the latest RC version
of the Gateway. From the footer on the jpl site:
Gateway Portal Software version: 1.3.0-RC2-20110505-170449
Currently we should be testing RC4. RC2 and RC4 are incompatible for
openid logins because of an upgrade to openid4java that now signs
attributes. Please see the following jira ticket:
https://vets.development.ucar.edu/jira/browse/GTWY-2379
Second, the esg-truststore.ts truststore contains two entries for
esg-gateway.jpl.nasa.gov and the expired certificate appears before the
new valid certificate.
https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
Once the esg-truststore.ts file is updated properly we will update our
prototype truststores and test again.
Regards,
Nathan
FYI, the ssl provider picked for jpl (RapidSSL) does not seem to be
trusted by the default java truststore (cacerts or jssecacerts), which
in the future could potentially cause debugging issues for external java
clients accessing your site. If this is a known issue please disregard.
On 6/16/2011 6:52 AM, Cinquini, Luca (3880) wrote:
> Hi Nate,
> I updated to the latest version of the federation registry but I still cannot log in to the esg.prototype.ucar.edu site with a JPL openid. Are you using the latest ESG truststore ? The old one had an expired JPL certificate.
> thanks, Luca
>
> On Jun 15, 2011, at 10:31 PM, Nathan Wilhelmi wrote:
>
>> Hi Luca,
>>
>> I believe the production openid provider value was wrong, I corrected in
>> both the production and test registry files. It has been updated on our
>> staging instance as well.
>>
>> Thanks!
>> -Nate
>>
>> On 06/15/2011 09:31 AM, Cinquini, Luca (3880) wrote:
>>> Hi Nate,
>>> I installed this file on the JPL production gateway, and then tried to use a JPL openid (https://esg-gateway.jpl.nasa.gov/myopenid/cinquiniluca) at this site:
>>>
>>> http://esg.prototype.ucar.edu/home.htm
>>>
>>> but it says "invalid openid" - does this site use the updated gateway registry ?
>>>
>>> You could also try the opposite - use a test NCAR openid to log onto the esg-gateway.jpl.nasa.gov site.
>>>
>>> thanks, Luca
>>>
>>>
>>> On Jun 14, 2011, at 9:08 PM, Nathan Wilhelmi wrote:
>>>
>>>> Hi Luca,
>>>>
>>>> I added the production JPL openid provider to the test registry file:
>>>> https://vets.development.ucar.edu/registry/federation-registry-m2.xml
>>>>
>>>> This has been reharvested by the gateway if you want to give it a try.
>>>>
>>>> Thanks!
>>>> -Nate
>>>>
>>>> On 06/14/2011 05:17 AM, Cinquini, Luca (3880) wrote:
>>>>> It seems to be behind a firewall ?
>>>>> Luca
>>>>>
>>>>> On Jun 13, 2011, at 9:44 PM, Nathan Wilhelmi wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Per the last go-essp call I have put together a production registry
>>>>>> document based on the information that I know. If you have a gateway in
>>>>>> the production federation could you please review for accuracy.
>>>>>>
>>>>>> https://vets.development.ucar.edu/registry/federation-registry-production.xml
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> -Nate
>>>>>> _______________________________________________
>>>>>> ESG-CET mailing list
>>>>>> ESG-CET at earthsystemgrid.org
>>>>>> http://mailman.ucar.edu/mailman/listinfo/esg-cet
>>
>
_______________________________________________
GO-ESSP-TECH mailing list
GO-ESSP-TECH at ucar.edu
http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
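
An added example, not part of the original thread and not ESG project code: a small Java check for the condition described above, where a truststore holds an expired certificate alongside a newer one for the same host. It assumes a JKS-format store and a password given on the command line; the class name `TruststoreAudit` is hypothetical, and the SHA-256 fingerprints it prints are a different identifier from the eight-hex-digit hashes quoted in the thread.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.*;
// Hypothetical helper (not ESG code): report expired and duplicate truststore entries.
public class TruststoreAudit {
    // Common name of the subject, falling back to the full DN when there is no CN.
    static String commonName(X509Certificate x) throws Exception {
        String dn = x.getSubjectX500Principal().getName();
        for (Rdn r : new LdapName(dn).getRdns())
            if (r.getType().equalsIgnoreCase("CN")) return r.getValue().toString();
        return dn;
    }
    static String sha256(X509Certificate x) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(x.getEncoded()))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 2)
            throw new IllegalArgumentException("usage: java TruststoreAudit <truststore> <password>");
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: store is in JKS format
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Date now = new Date();
        Map<String, List<String>> byName = new TreeMap<>();
        boolean problem = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            boolean expired = now.after(x.getNotAfter());
            problem |= expired;
            byName.computeIfAbsent(commonName(x), k -> new ArrayList<>()).add(
                String.format("  %-7s alias=%s notAfter=%s sha256=%s",
                    expired ? "EXPIRED" : "valid", alias, x.getNotAfter(), sha256(x)));
        }
        for (Map.Entry<String, List<String>> e : byName.entrySet()) {
            boolean dup = e.getValue().size() > 1;
            problem |= dup;
            System.out.println(e.getKey() + (dup ? "  [multiple entries]" : ""));
            e.getValue().forEach(System.out::println);
        }
        System.exit(problem ? 1 : 0); // non-zero when an entry is expired or a name repeats
    }
}
```

The non-zero exit status lets a scheduled job that republishes the truststore refuse to ship a store that still needs cleanup.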