[Go-essp-tech] ESGF P2P Node: Getting our certificate house in order and node maintenance

Gavin M. Bell gavin at llnl.gov
Wed Oct 12 20:13:24 MDT 2011


Hello Everyone,

I want to take a moment to address a couple of issues:
1) the issue of certificates in ESGF and how things play with each other
2) ESGF P2P "Data" Node maintenance

1)
Everyone using secured Globus services needs to fulfill the "secured"
part of that description by providing a valid key pair for these
services to use.  You must do this just to get the services running.  This
keypair is stored as the /etc/grid-security/host{cert,key}.pem files.
This keypair can be obtained from any number of commercial (cartel) CAs.
To get some handle on the number of possible CAs out there we are
strongly recommending using DOE-Grids as the primary CA for ESGF.
(There will be more information about this to come.)

That pretty much does it for that set of certs.

Now, for the federation services - primarily the Globus secured services
MyProxy and GridFTP, which are a part of the ESGF Node stack - there are
other certificates involved.  To be terribly pedantic, actually one
certificate and one key.

The way we are using MyProxy requires that we install what is called a
SimpleCA.  The SimpleCA is like any CA... it signs certs.  In our case
MyProxy is distributing certificates that have been signed by an
installed SimpleCA.
In order for services to trust each other they must be able to check
submitted certificates against a stack of blessed CA certificates.  If a
submitted certificate can be verified by a known CA certificate then
that bit of the security gauntlet is passed (there are some other
downstream checks against policy files and ids - not germane to this
discussion at the moment).

What this means is that ALL SimpleCA certificates need to be submitted,
reviewed and disseminated to establish federation-wide trust.

I have tried to make this process as simple as possible by codifying it
in the esg-node script.  Right now it is the script under the
development branch, however, I have tested it and it is working well.

On the host that is running MyProxy and the SimpleCA do the following:

Get the latest script from devel:

%> esg-bootstrap --devel

If you think your bootstrap script is too old, get the latest:

%> cd /usr/local/bin
%> wget http://rainbow.llnl.gov/dist/esgf-installer/esg-bootstrap
%> chmod 755 esg-bootstrap

then run the previous command.

Double check that you have the devel version of the script:

%> esg-node --version
Version: v1.1.1-bay_ridge-release-9-gd20d36c-devel
Release: bay_ridge
Earth Systems Grid Federation (http://esgf.org)
ESGF Node Installation Script

Run the script so that it pulls down all the federation certificates:

%> esg-node --fetch-esgf-certs

There are two possible results.

a)
checking for MY cert: /etc/grid-security/certificates/44529084.0
Local CA cert file detected.... [OK]

If this is the output then you don't have to do anything :-)
Otherwise:

b)
checking for MY cert: /etc/grid-security/certificates/7335e89e.0
Integrating in local simpleCA_cert...
`/home/esg-user/.globus/simpleCA/cacert.pem' ->
`/etc/grid-security/certificates/7335e89e.0'
globus_simple_ca_7335e89e_setup-0.20/7335e89e.signing_policy
 My CA Cert now posted @ http://esgf-node3.llnl.gov/cacert.pem
[OK]

    ----------------------------------------------------------------------
    If you have not done so, please attach the files:
    /etc/grid-security/certificates/7335e89e.0
    /etc/grid-security/certificates/7335e89e.signing_policy
    /etc/grid-security/hostcert.pem

    to an email addressed to esgf-ca at lists.llnl.gov

    Include your name, organization, contact information and the context
    in which you are joining the ESGF federation.

    If you are able, please cryptographically sign the email with your
    personal signature, preferably endorsed by your organization

    Thank you :-)
    ----------------------------------------------------------------------

If you see this output then please follow the instructions and send the
particular files indicated for your host to the esgf-ca at lists.llnl.gov
list.  We will do our due diligence to verify the certificate.  A
successful vetting will result in your certificate being added to the
set of trusted federation certs.  Once your certificate is added, running
the command above again to fetch the certificates should give you the
output from section a).

What is important to understand is that all CA certs that sign certs
being distributed by MyProxy need to be in the curated federation set of
certs if you wish to be a first class member of the federation.

This brings us to node maintenance...

2)
To make sure you have the latest script you should regularly run:

%> esg-node --check

If you are up-to-date it will simply return you to the prompt, with
success ($? == 0).

Otherwise you will get this:

WARNING: /usr/local/bin/esg-node could not be verified!!
(This file, /usr/local/bin/esg-node, may have been tampered with or
there is a newer version posted at the distribution server.
Please update this script.)

Do you wish to Update and exit [u], continue anyway [c] or simply exit
[x]? [u/c/X]:

You then enter the appropriate response (you have one minute to enter
a response or it will simply exit, as if 'X' had been chosen).

You can make this less interactive by providing the response on the
same command line:

%> esg-node --check u
WARNING: /usr/local/bin/esg-node could not be verified!!
(This file, /usr/local/bin/esg-node, may have been tampered with or
there is a newer version posted at the distribution server.
Please update this script.)

Updating local script with script from distribution server...
(Setup to pull from DEVELOPMENT tree...)
checking for updates for the ESGF Node
 Update Available @
http://198.128.245.140/dist/devel/esgf-installer/esg-node
`esg-node' -> `esg-node.bak'
--18:51:48--  http://198.128.245.140/dist/devel/esgf-installer/esg-node
Connecting to 198.128.245.140:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 251764 (246K) [text/plain]
Saving to: `esg-node'

100%[==========================================================================================================================================================>]
251,764     --.-K/s   in 0.008s

18:51:48 (29.1 MB/s) - `esg-node' saved [251764/251764]

Updated ESGF Node install script from PCMDI's ESGF distribution site at LLNL
Please re-run this updated script /usr/local/bin/esg-node

This last form is meant to be more amenable to being called in an
automated fashion (i.e. from a cron job script).

To keep your node in good shape, stay updated by:
- regularly checking for ESGF P2P Node updates
- regularly fetching the ESGF federation certificates
- regularly running esg-node --update
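As an added example (not code from the ESGF installer or from this mail), here is a small POSIX shell wrapper that runs the two maintenance steps above unattended from cron and classifies the --fetch-esgf-certs output into case a) or case b) using the messages shown earlier; the ESG_NODE variable, and a non-zero exit status from esg-node --check u after an update, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ESGF installer: an unattended
# maintenance pass over the steps in this mail, meant to run from cron.
# Assumes esg-node prints the messages quoted above; ESG_NODE may be
# overridden (e.g. for testing with a stub).

ESG_NODE="${ESG_NODE:-/usr/local/bin/esg-node}"

# Non-interactive "esg-node --check u". Exit 0 means the script is
# current and verified (as the mail states); any other status is
# assumed to mean it was just replaced or could not be verified, so
# this pass stops and the next cron run uses the fresh copy.
esgf_check_script() {
    "$ESG_NODE" --check u
}

# Fetch the federation CA bundle and classify the result by its output:
#   0 - our SimpleCA cert is already in the federation set (case a)
#   2 - the script integrated the local CA cert itself (case b), so it
#       still has to be sent to esgf-ca for vetting
#   1 - the fetch failed or printed something unexpected
esgf_fetch_certs() {
    out=$("$ESG_NODE" --fetch-esgf-certs 2>&1) || { echo "$out"; return 1; }
    echo "$out"
    if echo "$out" | grep -q 'Local CA cert file detected'; then
        return 0
    elif echo "$out" | grep -q 'Integrating in local simpleCA_cert'; then
        return 2
    fi
    return 1
}

# One maintenance pass. The exit status is the trust status above, so a
# cron wrapper can alert on anything other than 0.
esgf_maintain() {
    esgf_check_script || { echo "esg-node updated or unverified; re-run" >&2; return 1; }
    rc=0
    esgf_fetch_certs || rc=$?
    case $rc in
        0) echo "federation trust: OK" ;;
        2) echo "federation trust: local CA cert not yet vetted; send" \
                "<hash>.0, <hash>.signing_policy and hostcert.pem to esgf-ca" >&2 ;;
        *) echo "federation trust: --fetch-esgf-certs failed" >&2 ;;
    esac
    return $rc
}

# Suggested cron usage (assumption): esgf_maintain >>/var/log/esgf-maintain.log 2>&1
```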

There is an initial early release of the latest node, release name "Bay
Ridge".
We plan on putting out another release soon that improves on what we have.
What I have discussed in this email will be in the next release version
coming soon.
We will continue to grow moving forward and do our best to support
the community.

Check with the latest as we begin to post more documentation on the web
site http://esgf.org and the wiki http://esgf.org/wiki
The ESGF.org blog will also be restarted to provide news and information
with associated Atom/RSS feeds.
Every ESGF P2P Data Node provides an RSS feed of all the latest
publications et al. so you may keep abreast of what is made public as
it is published.


Thank you.

-- 
Gavin M. Bell
Lawrence Livermore National Labs
--

 "Never mistake a clear view for a short distance."
       	       -Paul Saffo

(GPG Key - http://rainbow.llnl.gov/dist/keys/gavin.asc)

 A796 CE39 9C31 68A4 52A7  1F6B 66B7 B250 21D5 6D3E
