[Go-essp-tech] [ESG-CET] Gateway 1.3.0 release production registry file

philip.kershaw at stfc.ac.uk philip.kershaw at stfc.ac.uk
Fri Jun 17 03:51:48 MDT 2011


Sounds a really good idea!  I have tried scripting checks for cert. expiry
against the system date.  It's not too hard to do.

Cheers,
Phil

On 17/06/2011 10:08, "Estanislao Gonzalez" <gonzalez at dkrz.de> wrote:

>Hi,
>
>is it possible to add a small test to the script being started by the
>cronjob to:
>- remove invalid certificates (e.g. expired)
>- notify about that and which certificates are expiring soon? (e.g. by
>sending  email to esgf-node-dev with cert name)
>
>That will help I think...
>
>Thanks,
>Estani
>
>Am 17.06.2011 00:16, schrieb Neill Miller:
>> Hello,
>>
>> Regarding the truststore, I just removed the expired RapidSSL cert.  In
>>the future, we should make an effort to point out which certs need to be
>>added/removed explicitly by hash so that it gets done properly.  In this
>>case, we needed to remove c4a11bb8 and replace it with 7d2cc546.  If
>>there are others, let me (or another committer to esg-certs) know.
>>
>> Cron will take some time to update most likely, unless Gavin kicks it
>>manually.
>>
>> thanks,
>> -Neill.
>>
>> ----- Original Message -----
>> From: "Nathan Hook"<nhook at ucar.edu>
>> To: "Luca Cinquini (3880)"<Luca.Cinquini at jpl.nasa.gov>
>> Cc: go-essp-tech at ucar.edu, "ESG CET"<esg-cet at earthsystemgrid.org>
>> Sent: Thursday, June 16, 2011 4:17:51 PM
>> Subject: Re: [Go-essp-tech] [ESG-CET] Gateway 1.3.0 release
>>production	registry file
>>
>> Hi Luca,
>>
>> There are a couple issues causing the login issues between the jpl and
>> ncar gateway:
>>
>> First, the jpl gateway does not seem to be running the latest RC version
>> of the Gateway.  From the footer on the jpl site:
>> Gateway Portal Software version: 1.3.0-RC2-20110505-170449
>>
>> Currently we should be testing RC4.  RC2 and RC4 are incompatible for
>> openid logins because of an upgrade to openid4java that now signs
>> attributes.  Please see the following jira ticket:
>> https://vets.development.ucar.edu/jira/browse/GTWY-2379
>>
>>
>> Second, the esg-truststore.ts truststore contains two entries for
>> esg-gateway.jpl.nasa.gov and the expired certificate appears before the
>> new valid certificate.
>> https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
>>
>>
>> Once the esg-truststore.ts file is updated properly we will update our
>> prototype truststores and test again.
>>
>>
>> Regards,
>>
>> Nathan
>>
>>
>> FYI, the ssl provider picked for jpl (RapidSSL) does not seem to be
>> trusted by the default java truststore (cacerts or jssecacerts), which
>> in the future could potentially cause debugging issues for external java
>> clients accessing your site.  If this is a known issue please disregard.
>>
>>
>>
>>
>> On 6/16/2011 6:52 AM, Cinquini, Luca (3880) wrote:
>>> Hi Nate,
>>> 	I updated to the latest version of the federation registry but I
>>>still cannot log in to the esg.prototype.ucar.edu site with a JPL
>>>openid. Are you using the latest ESG truststore ? The old one had an
>>>expired JPL certificate.
>>> thanks, Luca
>>>
>>> On Jun 15, 2011, at 10:31 PM, Nathan Wilhelmi wrote:
>>>
>>>> Hi Luca,
>>>>
>>>> I believe the production openid provider value was wrong, I corrected
>>>>in
>>>> both the production and test registry files. It has been updated on
>>>>our
>>>> staging instance as well.
>>>>
>>>> Thanks!
>>>> -Nate
>>>>
>>>> On 06/15/2011 09:31 AM, Cinquini, Luca (3880) wrote:
>>>>> Hi Nate,
>>>>> 	I installed this file on the JPL production gateway, and then tried
>>>>>to use a JPL openid
>>>>>(https://esg-gateway.jpl.nasa.gov/myopenid/cinquiniluca) at this site:
>>>>>
>>>>> http://esg.prototype.ucar.edu/home.htm
>>>>>
>>>>> but it says "invalid openid" - does this site use the updated
>>>>>gateway registry ?
>>>>>
>>>>> You could also try the opposite - use a test NCAR openid to log onto
>>>>>the esg-gateway.jpl.nasa.gov site.
>>>>>
>>>>> thanks, Luca
>>>>>
>>>>>
>>>>> On Jun 14, 2011, at 9:08 PM, Nathan Wilhelmi wrote:
>>>>>
>>>>>> Hi Luca,
>>>>>>
>>>>>> I added the production JPL openid provider to the test registry
>>>>>>file:
>>>>>> 
>>>>>>https://vets.development.ucar.edu/registry/federation-registry-m2.xml
>>>>>>
>>>>>> This has been reharvested by the gateway if you want to give it a
>>>>>>try.
>>>>>>
>>>>>> Thanks!
>>>>>> -Nate
>>>>>>
>>>>>> On 06/14/2011 05:17 AM, Cinquini, Luca (3880) wrote:
>>>>>>> It seems to be behind a firewall ?
>>>>>>> Luca
>>>>>>>
>>>>>>> On Jun 13, 2011, at 9:44 PM, Nathan Wilhelmi wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Per the last go-essp call I have put together a production
>>>>>>>>registry
>>>>>>>> document based on the information that I know. If you have a
>>>>>>>>gateway in
>>>>>>>> the production federation could you please review for accuracy.
>>>>>>>>
>>>>>>>> 
>>>>>>>>https://vets.development.ucar.edu/registry/federation-registry-prod
>>>>>>>>uction.xml
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> -Nate
>>>>>>>> _______________________________________________
>>>>>>>> ESG-CET mailing list
>>>>>>>> ESG-CET at earthsystemgrid.org
>>>>>>>> http://mailman.ucar.edu/mailman/listinfo/esg-cet
>>> _______________________________________________
>>> ESG-CET mailing list
>>> ESG-CET at earthsystemgrid.org
>>> http://mailman.ucar.edu/mailman/listinfo/esg-cet
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>
>
>-- 
>Estanislao Gonzalez
>
>Max-Planck-Institut für Meteorologie (MPI-M)
>Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
>Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany
>
>Phone:   +49 (40) 46 00 94-126
>E-Mail:  gonzalez at dkrz.de
>
>_______________________________________________
>GO-ESSP-TECH mailing list
>GO-ESSP-TECH at ucar.edu
>http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

-- 
Scanned by iCritical.
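
Added example, not part of the original thread or of the esg-certs scripts: a sketch of the cron-time check discussed above, flagging expired and soon-to-expire truststore entries against a supplied date and reporting hosts whose expired entry precedes a valid one. It assumes the truststore has been dumped as text in the shape of `keytool -list -v` with UTC dates; the function names, aliases, sample dates and the 30-day window are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of `keytool -list -v` output; aliases,
# dates and the second host are made up for this example.
SAMPLE = """\
Alias name: jpl-old
Owner: CN=esg-gateway.jpl.nasa.gov, O=Example
Valid from: Mon Jun 14 00:00:00 UTC 2010 until: Tue Jun 14 23:59:59 UTC 2011

Alias name: jpl-new
Owner: CN=esg-gateway.jpl.nasa.gov, O=Example
Valid from: Wed Jun 01 00:00:00 UTC 2011 until: Fri Jun 01 23:59:59 UTC 2012

Alias name: other-node
Owner: CN=node.example.org, O=Example
Valid from: Thu Jul 01 00:00:00 UTC 2010 until: Fri Jul 01 23:59:59 UTC 2011
"""

def parse_entries(text):
    """Return [(alias, cn, not_after)] in truststore order."""
    entries, alias, cn = [], None, None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            # Naive DN split: assumes no escaped commas inside attribute values.
            rdns = dict(p.strip().split("=", 1) for p in line[6:].split(",") if "=" in p)
            cn = rdns.get("CN")
        elif line.startswith("Valid from:"):
            # "... until: Tue Jun 14 23:59:59 UTC 2011"; drop weekday and zone (UTC assumed).
            t = line.split("until:", 1)[1].split()
            not_after = datetime.strptime(" ".join(t[1:4] + t[5:6]), "%b %d %H:%M:%S %Y")
            entries.append((alias, cn, not_after))
    return entries

def audit(entries, now, warn_days=30):
    """Classify each alias; list hosts whose expired entry precedes a valid one."""
    status, shadowed, seen_expired = {}, [], set()
    for alias, cn, not_after in entries:
        if not_after < now:
            status[alias] = "expired"
            seen_expired.add(cn)
        else:
            soon = not_after - now <= timedelta(days=warn_days)
            status[alias] = "expiring" if soon else "ok"
            if cn in seen_expired and cn not in shadowed:
                shadowed.append(cn)
    return status, shadowed
```

Passing `now` explicitly keeps the check reproducible; a cron wrapper would pass `datetime.utcnow()` and mail the non-"ok" aliases.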
