certificates_requests [2016/12/05 14:43] (current version)
Modified by Kurca, 13 Jun 2012

====== Certificates Requests ======

====== Chapter 1 : Exporting your key pair for use by Globus grid-proxy-init ======

  * Export or 'backup' your certificate. The interface for this varies from browser to browser. Internet Explorer starts with "Tools -> Internet Options -> Content"; Netscape Communicator has a "Security" button on the top menu bar; Mozilla starts with "Edit -> Preferences -> Privacy and Security -> Certificates". The exported file will probably have the extension .p12 or .pfx.
  * Guard this file carefully. Store it off your computer, or remove it once you are finished with this process.
  * Copy the above PKCS#12 file to the computer where you will run grid-proxy-init.
  * Extract your certificate (which contains the public key) and the private key:
    * Certificate:
<code>
openssl pkcs12 -in YourCert.p12 -clcerts -nokeys -out $HOME/.globus/usercert.pem
</code>
    * To get the encrypted private key:
<code>
openssl pkcs12 -in YourCert.p12 -nocerts -out $HOME/.globus/userkey.pem
</code>

You must set the mode on your userkey.pem file to read/write only by the owner, otherwise grid-proxy-init will not use it:
<code>
chmod go-rw $HOME/.globus/userkey.pem
</code>
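As an added example (not code from the original page), the extraction above as a checked script: it runs the page's two openssl commands, creates userkey.pem owner-only from the start, and verifies that the key really matches usercert.pem before you rely on it. The sample .p12 is constructed from a throwaway self-signed key; the -passin/-passout passphrase handling and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: extract usercert.pem and
# userkey.pem from a browser .p12 export, apply the owner-only mode that
# grid-proxy-init insists on, and check that key and certificate belong together.
# Assumes the OpenSSL CLI is installed and the passphrase is passed in
# (interactively you would drop -passin/-passout and let openssl prompt).

# The page's two openssl commands, with directory and file modes fixed up.
extract_globus_creds() {
    p12="$1"; outdir="$2"; pass="$3"
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" \
        -out "$outdir/usercert.pem" 2>/dev/null || return 1
    # Key stays encrypted on disk (no -nodes); the subshell umask makes
    # userkey.pem owner-only from the moment it is created.
    ( umask 077; openssl pkcs12 -in "$p12" -nocerts -passin "pass:$pass" \
        -passout "pass:$pass" -out "$outdir/userkey.pem" 2>/dev/null ) || return 1
    chmod 600 "$outdir/userkey.pem" && chmod 644 "$outdir/usercert.pem"
}

# Returns 0 only if the key's public half matches the certificate and
# userkey.pem is mode 600 (unreadable by group/other, as the page requires).
verify_globus_creds() {
    outdir="$1"; pass="$2"
    certpub=$(openssl x509 -noout -pubkey -in "$outdir/usercert.pem")
    keypub=$(openssl pkey -pubout -passin "pass:$pass" -in "$outdir/userkey.pem")
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "userkey.pem does not match usercert.pem" >&2; return 1; }
    mode=$(stat -c %a "$outdir/userkey.pem" 2>/dev/null \
        || stat -f %Lp "$outdir/userkey.pem")      # GNU stat, else BSD stat
    [ "$mode" = "600" ] \
        || { echo "userkey.pem mode is $mode, grid-proxy-init wants 600" >&2; return 1; }
}

# Constructed sample input standing in for the browser export: a throwaway
# self-signed key pair bundled into YourCert.p12 (real user certs are CA-issued).
make_sample_p12() {
    dir="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example User" -days 1 \
        -keyout "$dir/k.pem" -out "$dir/c.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -passout "pass:$pass" -out "$dir/YourCert.p12"
}

if [ "${1:-}" = "demo" ]; then   # usage: sh this_script.sh demo
    tmp=$(mktemp -d)
    make_sample_p12 "$tmp" "demo-pass" &&
    extract_globus_creds "$tmp/YourCert.p12" "$tmp/.globus" "demo-pass" &&
    verify_globus_creds "$tmp/.globus" "demo-pass" && echo "credentials ok"
fi
```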

====== Chapter 2 : CA certificate chains ======

CNRS:
<code>
http://igc.services.cnrs.fr/GRID-FR/?lang=fr&cmd=search_CA_certificate&body=view_ca.html
</code>
Terena Academic CA Repository:
<code>
http://www.tacar.org/
</code>

====== Chapter 3 : SAM Service Certificate ======

<code>
ATTENTION: sam_gsi_config on ccd0 puts the new samkey into file:
samkey.pem.old.1131458229 !!!!!!
  and creates circular links in /d0products/products/gsi/:
    samkey.pem-->/d0products/products/gsi/samkey.pem
    samcert.pem-->/d0products/products/gsi/samcert.pem
</code>
As user SAM:
<code>
1. save current key and cert
       samkey.pem --> samkey.pem.old
       samcert.pem --> samcert.pem.old
2. setup sam_gsi_config -q vdt
3. ask for sam service certificate : sam_cert_request
      ... follow instructions on the screen
sam_cert_request --name=Tibor_Kurca --email=kurca@in2p3.fr --phone=+33-4-72-43-11-98 --force

4. save the key newly generated by this request
          samkey.pem --> samkey.pem.new
          and wait for the corresponding new certificate
5. go back to the "old" key and cert until you get the new samcert.pem
           samcert.pem.old --> samcert.pem
           samkey.pem.old --> samkey.pem
6. when the new service certificate is obtained :
         copy it into samcert.pem
         move samkey.pem.new --> samkey.pem

7. Test readability of the new certificate
           grid-cert-info -all -file /d0products/products/gsi/samcert.pem
8. get locations of all certificates:
             sam_gsi_read_config


9. You don't have to send a mail to DOEGrids-CA-1@doegrids.org
     and not even go to http://pki1.doegrids.org/ca/
     .... it worked without this .... 10.8.2010

9b. If your "sam_cert_request" command finished correctly, the request
       is sent to DOEGrids by filling in the web page automatically...
           In this case it creates the correct affiliation OSG/Dzero
       and going to the web request is not really necessary (if it works)
        ..... well, it's better to go to the web page and paste the request
        there: http://pki1.doegrids.org/ca/
        And with FNAL affiliation you have to use an FNAL email address !!!

10. Send a mail in parallel to the D0 person who shall be asked by DOEGrids CA
       to confirm/approve your request.
       Currently it is Alan Jonckheere <jonckheere@fnal.gov>
       This will accelerate the whole process. You should explain in your
       mail that you have asked for a certificate and that your system
       administrators are aware of it (you'll need some privileges).

</code>

====== Chapter 4 : Host certificate ======

http://www-d0.fnal.gov/computing/grid/SAMGridManual.htm#_Toc172968558

As user Root do:
  - Submit (or create?) your request with the command line interface as below *
  - Go to the web page for DOE certificate requests: https://pki1.doegrids.org/ca/ %%**%%
  - Copy and paste the certificate request from newrequest/hostcert_request.pem onto this web page
  - You will get an e-mail from the D0 administrator asking for confirmation that you have asked for this certificate and that the machine's system administrators are aware of it. ..... NOT the case any more! Currently, with the request submission from the web page you also confirm that you are the system administrator and that you have the needed rights.

Operations

You need to request a host certificate from a Certificate Authority (CA) for your gateway node (typically 1 day response). SAM-Grid works mostly with the DOEGrids CA, but other CAs may be trusted as well. Contact d0sam-admin@fnal.gov or cdfsam-admin@fnal.gov for more information.
<code>
*
newgrp ccin2p3
rootacc
source ~kurca/samgrid/setup.csh
setup vdt
</code>
<code>
for ccsvli50.in2p3.fr !
setenv GRID_SECURITY_DIR /etc/samgrid-security
</code>
In /etc/samgrid-security there is grid_security.conf, which sets the basic configuration for the certificate request command:
<code>
grid-cert-request -host ccsvli50.in2p3.fr -dir /etc/samgrid-security/newrequest
</code>
With "-dir /etc/samgrid-security/newrequest" one sets explicitly where the request files are written; the default would overwrite the existing certificate.

Follow the instructions at http://www.ppdg.net/RA/request_host.htm, in particular you need to fill in a certificate request form. ---- from this page it's not working!!!!!!
<code>
**
Fill in the certificate request form from the page:
https://pki1.doegrids.org/ca/
</code>
<code>
for affiliation use OSG-Dzero !!!!!
</code>