Difference between revisions of "EGI-InSPIRE:JRA1 SHA2 Readiness"
(→GGUS) |
|||
(6 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
{{EGI-Inspire_menubar}} | |||
{{TOC_right}} | |||
= Operational Tools SHA2 Support Status = | = Operational Tools SHA2 Support Status = | ||
Line 15: | Line 16: | ||
and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key (you have ~ 2min to do this). To get the conventional usercert.pem and userkey.pem, use openssl: | and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key (you have ~ 2min to do this). To get the conventional usercert.pem and userkey.pem, use openssl: | ||
<pre> | <pre> | ||
openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts chmod | openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys | ||
openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts | |||
chmod 0400 userkey.pem | |||
</pre> | </pre> | ||
and give your passphrase a few times ;-) | and give your passphrase a few times ;-) | ||
You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository: | You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository: | ||
* https://dist.eugridpma.info/distribution/current/experimental | * https://dist.eugridpma.info/distribution/current/experimental | ||
<pre> | |||
# rpm -ql ca_cilogon-openid.noarch | |||
/etc/grid-security/certificates | |||
/etc/grid-security/certificates/3d863bc5.0 | |||
/etc/grid-security/certificates/3d863bc5.namespaces | |||
/etc/grid-security/certificates/3d863bc5.signing_policy | |||
/etc/grid-security/certificates/9629661e.0 | |||
/etc/grid-security/certificates/9629661e.namespaces | |||
/etc/grid-security/certificates/9629661e.signing_policy | |||
/etc/grid-security/certificates/cilogon-openid.crl_url | |||
/etc/grid-security/certificates/cilogon-openid.info | |||
/etc/grid-security/certificates/cilogon-openid.namespaces | |||
/etc/grid-security/certificates/cilogon-openid.pem | |||
/etc/grid-security/certificates/cilogon-openid.signing_policy | |||
</pre> | |||
== SAM == | == SAM == | ||
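Review bot: In the corrected <pre> block, userkey.pem is written by the second openssl command under the default umask and is only restricted by the "chmod 0400" on the following line; putting "umask 077" ahead of the export closes that window. The first command uses -nokeys without -clcerts, so any CA certificates in the PKCS#12 bundle also end up in usercert.pem, and -info is not needed for either conversion. The text above the rpm listing could also say that the unaccredited CA is for test hosts only, since its files land in /etc/grid-security/certificates beside the IGTF CAs.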
Line 34: | Line 52: | ||
== Accounting Repository == | == Accounting Repository == | ||
The apel-broker server which runs ActiveMQ uses Sun Java which supports SHA-2 | |||
== Metrics Portal == | == Metrics Portal == | ||
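Review bot: The added Accounting Repository line asserts SHA-2 support on the strength of the Java runtime, but does not say whether the apel-broker was actually exercised with a SHA-2 certificate or which Java version it runs. Add the test result, or mark the entry as untested.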
Line 39: | Line 58: | ||
== Messaging == | == Messaging == | ||
test-msg02.afroditi.hellasgrid.gr running with the SHA-2 test CA. Everything works fine. | |||
== GGUS == | == GGUS == | ||
No problems with SHA2 user certs on GGUS. | No problems with SHA2 user certs on GGUS. |
Latest revision as of 23:06, 24 December 2014
Operational Tools SHA2 Support Status
GOCDB
- We have tested a SHA2 user cert on GOCDB and found no problems.
If using Apache2, this should be handled by Apache without tool modification. Some useful information for other PTs on how to get a SHA2 cert and the CA certs for testing (originally via P.Solagna via D.Groep):
The easiest way is to get an instant SHA2 test certificate from CILogon, using their (unaccredited) OpenID provider like Google:
and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key (you have ~ 2min to do this). To get the conventional usercert.pem and userkey.pem, use openssl:
openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys
openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts
chmod 0400 userkey.pem
and give your passphrase a few times ;-)
You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository:
- https://dist.eugridpma.info/distribution/current/experimental
# rpm -ql ca_cilogon-openid.noarch
/etc/grid-security/certificates
/etc/grid-security/certificates/3d863bc5.0
/etc/grid-security/certificates/3d863bc5.namespaces
/etc/grid-security/certificates/3d863bc5.signing_policy
/etc/grid-security/certificates/9629661e.0
/etc/grid-security/certificates/9629661e.namespaces
/etc/grid-security/certificates/9629661e.signing_policy
/etc/grid-security/certificates/cilogon-openid.crl_url
/etc/grid-security/certificates/cilogon-openid.info
/etc/grid-security/certificates/cilogon-openid.namespaces
/etc/grid-security/certificates/cilogon-openid.pem
/etc/grid-security/certificates/cilogon-openid.signing_policy
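As an added example (not part of the original wiki page), the conversion above can be scripted and followed by a check that the resulting certificate really carries a SHA-2 signature. The function names and the P12_PASS variable are assumptions, and the PKCS#12 file is a constructed self-signed stand-in for the CILogon download.

```shell
# Added example, not from the wiki page. Function names and P12_PASS are
# assumptions; the passphrase comes from the environment, not the command line.

# split_p12 FILE.p12 OUTDIR -> OUTDIR/usercert.pem and OUTDIR/userkey.pem
split_p12() {
    ( umask 077 &&    # both files are created owner-only from the start
      openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
          -out "$2/usercert.pem" &&
      openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts \
          -passout env:P12_PASS -out "$2/userkey.pem" &&
      chmod 0400 "$2/userkey.pem" )
}

# sig_alg CERT.pem -> signature algorithm name, e.g. sha256WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# is_sha2_alg NAME -> exit 0 if NAME names a SHA-2 digest.
# RSASSA-PSS certificates list their hash on a separate line and are not covered.
is_sha2_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_test_p12 OUT.p12 -> constructed self-signed SHA-256 certificate packed
# as PKCS#12; it stands in for the file downloaded from CILogon.
make_test_p12() {
    local d; d=$(mktemp -d) &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed test user" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout env:P12_PASS -out "$1" &&
    rm -rf "$d"
}

# demo -> prints the signature algorithm of the converted certificate
demo() {
    local w; w=$(mktemp -d)
    export P12_PASS="constructed-passphrase"
    make_test_p12 "$w/myfile.p12" && split_p12 "$w/myfile.p12" "$w" &&
    sig_alg "$w/usercert.pem"
    rm -rf "$w"
}
demo
```

A certificate that still reports sha1WithRSAEncryption here is not a valid input for the SHA-2 tests listed below.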
SAM
SAM uses certificates in the following components:
- Apache 2 - SHA-2 supported natively
- probes - SHA-2 readiness depends on probes.
Operations Portal
Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.
Accounting Portal
Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.
Accounting Repository
The apel-broker server, which runs ActiveMQ, uses Sun Java, which supports SHA-2.
Metrics Portal
Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.
Messaging
test-msg02.afroditi.hellasgrid.gr running with the SHA-2 test CA. Everything works fine.
GGUS
No problems with SHA2 user certs on GGUS.