[Go-essp-tech] [ESG-CET] Gateway 1.3.0 release production registry file

Estanislao Gonzalez gonzalez at dkrz.de
Fri Jun 17 04:04:04 MDT 2011


Checking expiration is quite trivial in our case, this will do:

days=3
cert=path_to_cert
openssl x509 -noout -in "$cert" -checkend $((60*60*24*days)) || \
    echo "certificate $cert expires in less than $days days"

The tricky part is not to send an email *every* time the test fails...
the script should also track all sent mails (just store $cert and
time_stamp in a file). I think notification should be done in 90, 60,
30, 7, 1, 0 days before expiration, sounds ok?

Cheers,
Estani

On 17.06.2011 11:51, philip.kershaw at stfc.ac.uk wrote:
> Sounds a really good idea!  I have tried scripting checks for cert. expiry
> against the system date.  It's not too hard to do.
>
> Cheers,
> Phil
>
> On 17/06/2011 10:08, "Estanislao Gonzalez"<gonzalez at dkrz.de>  wrote:
>
>> Hi,
>>
>> is it possible to add a small test to the script being started by the
>> cronjob to:
>> - remove invalid certificates (e.g. expired)
>> - notify about that and which certificates are expiring soon? (e.g. by
>> sending  email to esgf-node-dev with cert name)
>>
>> That will help I think...
>>
>> Thanks,
>> Estani
>>
>> On 17.06.2011 00:16, Neill Miller wrote:
>>> Hello,
>>>
>>> Regarding the truststore, I just removed the expired RapidSSL cert.  In
>>> the future, we should make an effort to point out which certs need to be
>>> added/removed explicitly by hash so that it gets done properly.  In this
>>> case, we needed to remove c4a11bb8 and replace it with 7d2cc546.  If
>>> there are others, let me (or another committer to esg-certs) know.
>>>
>>> Cron will take some time to update most likely, unless Gavin kicks it
>>> manually.
>>>
>>> thanks,
>>> -Neill.
>>>
>>> ----- Original Message -----
>>> From: "Nathan Hook"<nhook at ucar.edu>
>>> To: "Luca Cinquini (3880)"<Luca.Cinquini at jpl.nasa.gov>
>>> Cc: go-essp-tech at ucar.edu, "ESG CET"<esg-cet at earthsystemgrid.org>
>>> Sent: Thursday, June 16, 2011 4:17:51 PM
>>> Subject: Re: [Go-essp-tech] [ESG-CET] Gateway 1.3.0 release
>>> production registry file
>>>
>>> Hi Luca,
>>>
>>> There are a couple issues causing the login issues between the jpl and
>>> ncar gateway:
>>>
>>> First, the jpl gateway does not seem to be running the latest RC version
>>> of the Gateway.  From the footer on the jpl site:
>>> Gateway Portal Software version: 1.3.0-RC2-20110505-170449
>>>
>>> Currently we should be testing RC4.  RC2 and RC4 are incompatible for
>>> openid logins because of an upgrade to openid4java that now signs
>>> attributes.  Please see the following jira ticket:
>>> https://vets.development.ucar.edu/jira/browse/GTWY-2379
>>>
>>>
>>> Second, the esg-truststore.ts truststore contains two entries for
>>> esg-gateway.jpl.nasa.gov and the expired certificate appears before the
>>> new valid certificate.
>>> https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
>>>
>>>
>>> Once the esg-truststore.ts file is updated properly we will update our
>>> prototype truststores and test again.
>>>
>>>
>>> Regards,
>>>
>>> Nathan
>>>
>>>
>>> FYI, the ssl provider picked for jpl (RapidSSL) does not seem to be
>>> trusted by the default java truststore (cacerts or jssecacerts), which
>>> in the future could potentially cause debugging issues for external java
>>> clients accessing your site.  If this is a known issue please disregard.
>>>
>>>
>>>
>>>
>>> On 6/16/2011 6:52 AM, Cinquini, Luca (3880) wrote:
>>>> Hi Nate,
>>>> I updated to the latest version of the federation registry but I
>>>> still cannot log in into the esg.prototype.ucar.edu site with a JPL
>>>> openid. Are you using the latest ESG truststore? The old one had an
>>>> expired JPL certificate.
>>>> thanks, Luca
>>>>
>>>> On Jun 15, 2011, at 10:31 PM, Nathan Wilhelmi wrote:
>>>>
>>>>> Hi Luca,
>>>>>
>>>>> I believe the production openid provider value was wrong, I corrected
>>>>> it in both the production and test registry files. It has been updated
>>>>> on our staging instance as well.
>>>>>
>>>>> Thanks!
>>>>> -Nate
>>>>>
>>>>> On 06/15/2011 09:31 AM, Cinquini, Luca (3880) wrote:
>>>>>> Hi Nate,
>>>>>> I installed this file on the JPL production gateway, and then tried
>>>>>> to use a JPL openid
>>>>>> (https://esg-gateway.jpl.nasa.gov/myopenid/cinquiniluca) at this site:
>>>>>>
>>>>>> http://esg.prototype.ucar.edu/home.htm
>>>>>>
>>>>>> but it says "invalid openid" - does this site use the updated
>>>>>> gateway registry?
>>>>>>
>>>>>> You could also try the opposite - use a test NCAR openid to log onto
>>>>>> the esg-gateway.jpl.nasa.gov site.
>>>>>>
>>>>>> thanks, Luca
>>>>>>
>>>>>>
>>>>>> On Jun 14, 2011, at 9:08 PM, Nathan Wilhelmi wrote:
>>>>>>
>>>>>>> Hi Luca,
>>>>>>>
>>>>>>> I added the production JPL openid provider to the test registry
>>>>>>> file:
>>>>>>>
>>>>>>> https://vets.development.ucar.edu/registry/federation-registry-m2.xml
>>>>>>>
>>>>>>> This has been reharvested by the gateway if you want to give it a
>>>>>>> try.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> -Nate
>>>>>>>
>>>>>>> On 06/14/2011 05:17 AM, Cinquini, Luca (3880) wrote:
>>>>>>>> It seems to be behind a firewall ?
>>>>>>>> Luca
>>>>>>>>
>>>>>>>> On Jun 13, 2011, at 9:44 PM, Nathan Wilhelmi wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Per the last go-essp call I have put together a production
>>>>>>>>> registry document based on the information that I know. If you
>>>>>>>>> have a gateway in the production federation could you please
>>>>>>>>> review for accuracy.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://vets.development.ucar.edu/registry/federation-registry-prod
>>>>>>>>> uction.xml
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> -Nate
>>>>>>>>> _______________________________________________
>>>>>>>>> ESG-CET mailing list
>>>>>>>>> ESG-CET at earthsystemgrid.org
>>>>>>>>> http://mailman.ucar.edu/mailman/listinfo/esg-cet
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>


-- 
Estanislao Gonzalez

Max-Planck-Institut für Meteorologie (MPI-M)
Deutsches Klimarechenzentrum (DKRZ) - German Climate Computing Centre
Room 108 - Bundesstrasse 45a, D-20146 Hamburg, Germany

Phone:   +49 (40) 46 00 94-126
E-Mail:  gonzalez at dkrz.de
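The two pieces Estani describes above (the `-checkend` test and a record of mails already sent so the cron job does not notify on every run) worked out as a script. This is an added example, not code from the thread or from the ESG project; it assumes a POSIX shell, `openssl` and GNU `date` on PATH, and a writable state file whose path (STATE_FILE) is made up here.

```shell
#!/bin/sh
# Added example (not from the thread): expiry check via openssl -checkend, plus a
# state file so that each certificate is reported once per notification stage.
# Assumes: POSIX sh, openssl and GNU date on PATH, STATE_FILE writable.
THRESHOLDS="90 60 30 7 1 0"      # days before expiry at which to notify (as proposed)
: "${STATE_FILE:=/tmp/cert-expiry-notified}"   # assumed path; one "cert stage" line per mail sent

# due_threshold DAYS_LEFT: print the smallest stage that DAYS_LEFT falls within,
# i.e. the notification currently due; print nothing if more than 90 days remain.
due_threshold() {
    days_left=$1
    [ "$days_left" -lt 0 ] && days_left=0     # already expired counts as the 0-day stage
    due=""
    for t in $THRESHOLDS; do
        [ "$days_left" -le "$t" ] && due=$t   # list is descending, so the last hit is smallest
    done
    printf '%s' "$due"
}

# should_notify CERT STAGE: succeed (and record the pair) only the first time this
# cert/stage combination is seen; later cron runs for the same stage stay silent.
should_notify() {
    key="$1 $2"
    touch "$STATE_FILE"
    if grep -qxF "$key" "$STATE_FILE"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$STATE_FILE"
    return 0
}

# days_left_for CERT: whole days until notAfter, negative once expired (GNU date -d).
days_left_for() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 1
    end_s=$(date -u -d "$end" +%s) || return 1
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# check_cert CERT: the cron-job entry point; swap the echo for mail(1) in production.
check_cert() {
    cert=$1
    # the same -checkend test as in the mail, used as a cheap 90-day pre-filter
    openssl x509 -noout -in "$cert" -checkend $((90*86400)) >/dev/null 2>&1 && return 0
    days=$(days_left_for "$cert") || { echo "cannot read $cert" >&2; return 2; }
    stage=$(due_threshold "$days")
    if should_notify "$cert" "$stage"; then
        echo "certificate $cert expires in $days days (stage: $stage)"
    fi
}
```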



More information about the GO-ESSP-TECH mailing list