[Go-essp-tech] [ESG-CET] Gateway 1.3.0 release production registry file

Estanislao Gonzalez gonzalez at dkrz.de
Fri Jun 17 03:08:39 MDT 2011


Hi,

is it possible to add a small test to the script being started by the 
cronjob to:
- remove invalid certificates (e.g. expired)
- notify about that and which certificates are expiring soon? (e.g. by 
sending email to esgf-node-dev with cert name)

That will help I think...

Thanks,
Estani

On 17.06.2011 00:16, Neill Miller wrote:
> Hello,
>
> Regarding the truststore, I just removed the expired RapidSSL cert.  In the future, we should make an effort to point out which certs need to be added/removed explicitly by hash so that it gets done properly.  In this case, we needed to remove c4a11bb8 and replace it with 7d2cc546.  If there are others, let me (or another committer to esg-certs) know.
>
> Cron will take some time to update most likely, unless Gavin kicks it manually.
>
> thanks,
> -Neill.
>
> ----- Original Message -----
> From: "Nathan Hook"<nhook at ucar.edu>
> To: "Luca Cinquini (3880)"<Luca.Cinquini at jpl.nasa.gov>
> Cc: go-essp-tech at ucar.edu, "ESG CET"<esg-cet at earthsystemgrid.org>
> Sent: Thursday, June 16, 2011 4:17:51 PM
> Subject: Re: [Go-essp-tech] [ESG-CET] Gateway 1.3.0 release production registry file
>
> Hi Luca,
>
> There are a couple issues causing the login issues between the jpl and
> ncar gateway:
>
> First, the jpl gateway does not seem to be running the latest RC version
> of the Gateway.  From the footer on the jpl site:
> Gateway Portal Software version: 1.3.0-RC2-20110505-170449
>
> Currently we should be testing RC4.  RC2 and RC4 are incompatible for
> openid logins because of an upgrade to openid4java that now signs
> attributes.  Please see the following jira ticket:
> https://vets.development.ucar.edu/jira/browse/GTWY-2379
>
>
> Second, the esg-truststore.ts truststore contains two entries for
> esg-gateway.jpl.nasa.gov and the expired certificate appears before the
> new valid certificate.
> https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
>
>
> Once the esg-truststore.ts file is updated properly we will update our
> prototype truststores and test again.
>
>
> Regards,
>
> Nathan
>
>
> FYI, the ssl provider picked for jpl (RapidSSL) does not seem to be
> trusted by the default java truststore (cacerts or jssecacerts), which
> in the future could potentially cause debugging issues for external java
> clients accessing your site.  If this is a known issue please disregard.
>
>
>
>
> On 6/16/2011 6:52 AM, Cinquini, Luca (3880) wrote:
>> Hi Nate,
>> 	I updated to the latest version of the federation registry but I still cannot log in to the esg.prototype.ucar.edu site with a JPL openid. Are you using the latest ESG truststore ? The old one had an expired JPL certificate.
>> thanks, Luca
>>
>> On Jun 15, 2011, at 10:31 PM, Nathan Wilhelmi wrote:
>>
>>> Hi Luca,
>>>
>>> I believe the production openid provider value was wrong, I corrected in
>>> both the production and test registry files. It has been updated on our
>>> staging instance as well.
>>>
>>> Thanks!
>>> -Nate
>>>
>>> On 06/15/2011 09:31 AM, Cinquini, Luca (3880) wrote:
>>>> Hi Nate,
>>>> 	I installed this file on the JPL production gateway, and then tried to use a JPL openid (https://esg-gateway.jpl.nasa.gov/myopenid/cinquiniluca) at this site:
>>>>
>>>> http://esg.prototype.ucar.edu/home.htm
>>>>
>>>> but it says "invalid openid" - does this site use the updated gateway registry ?
>>>>
>>>> You could also try the opposite - use a test NCAR openid to log onto the esg-gateway.jpl.nasa.gov site.
>>>>
>>>> thanks, Luca
>>>>
>>>>
>>>> On Jun 14, 2011, at 9:08 PM, Nathan Wilhelmi wrote:
>>>>
>>>>> Hi Luca,
>>>>>
>>>>> I added the production JPL openid provider to the test registry file:
>>>>> https://vets.development.ucar.edu/registry/federation-registry-m2.xml
>>>>>
>>>>> This has been reharvested by the gateway if you want to give it a try.
>>>>>
>>>>> Thanks!
>>>>> -Nate
>>>>>
>>>>> On 06/14/2011 05:17 AM, Cinquini, Luca (3880) wrote:
>>>>>> It seems to be behind a firewall ?
>>>>>> Luca
>>>>>>
>>>>>> On Jun 13, 2011, at 9:44 PM, Nathan Wilhelmi wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Per the last go-essp call I have put together a production registry
>>>>>>> document based on the information that I know. If you have a gateway in
>>>>>>> the production federation could you please review for accuracy.
>>>>>>>
>>>>>>> https://vets.development.ucar.edu/registry/federation-registry-production.xml
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> -Nate
>>>>>>> _______________________________________________
>>>>>>> ESG-CET mailing list
>>>>>>> ESG-CET at earthsystemgrid.org
>>>>>>> http://mailman.ucar.edu/mailman/listinfo/esg-cet
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech


-- 
Estanislao Gonzalez

Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany

Phone:   +49 (40) 46 00 94-126
E-Mail:  gonzalez at dkrz.de
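
The check requested at the top of this message (flag expired truststore entries, warn about ones expiring soon) can be sketched as follows; this is an added example, not part of the thread or of the ESG cron script. It assumes English-locale `keytool -list -v` output, and the sample listing, the `audit` function and the "shadowed" label (an owner with both an expired and a valid entry, the situation described for esg-gateway.jpl.nasa.gov) are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of `keytool -list -v` (not the real esg-truststore.ts).
SAMPLE = """\
Alias name: gateway-old
Owner: CN=gateway.example.org, O=Example
Valid from: Tue Jun 09 00:00:00 UTC 2009 until: Fri Jun 10 00:00:00 UTC 2011

Alias name: gateway-new
Owner: CN=gateway.example.org, O=Example
Valid from: Wed Jun 01 00:00:00 UTC 2011 until: Sat Jun 01 00:00:00 UTC 2013

Alias name: node-a
Owner: CN=node-a.example.org, O=Example
Valid from: Thu Jul 01 00:00:00 UTC 2010 until: Fri Jul 01 00:00:00 UTC 2011
"""

ENTRY = re.compile(
    r"Alias name: (?P<alias>.+?)\n.*?Owner: (?P<owner>.+?)\n.*?until: (?P<until>.+?)\n",
    re.S)

def parse_until(text):
    # Java prints e.g. "Fri Jun 10 00:00:00 UTC 2011"; the zone token is dropped
    # and the time treated as UTC (assumption: the cron host runs keytool in UTC).
    p = text.split()
    return datetime.strptime(" ".join(p[1:4] + p[5:6]), "%b %d %H:%M:%S %Y")

def audit(listing, now, warn_days=30):
    """Classify truststore entries by expiry relative to `now`."""
    report = {"expired": [], "expiring": [], "shadowed": []}
    by_owner = {}
    for m in ENTRY.finditer(listing):
        until = parse_until(m["until"])
        expired = until <= now
        if expired:
            report["expired"].append(m["alias"])
        elif until - now <= timedelta(days=warn_days):
            report["expiring"].append(m["alias"])
        by_owner.setdefault(m["owner"], []).append(expired)
    # Owners holding both an expired and a valid entry: the stale one must go.
    report["shadowed"] = sorted(o for o, flags in by_owner.items()
                                if any(flags) and not all(flags))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, now=datetime(2011, 6, 17)))
```

The aliases in `expired` are the candidates for removal and those in `expiring` are the ones to name in the notification mail.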
