Difference between revisions of "EGI-InSPIRE:JRA1 SHA2 Readiness"

From EGIWiki
(15 intermediate revisions by 8 users not shown)
Line 1: Line 1:
{{EGI-Inspire_menubar}}
{{TOC_right}}
= Operational Tools SHA2 Support Status =
= Operational Tools SHA2 Support Status =




== GOCDB ==
== GOCDB ==
Adding some useful info for other PTs about how to get a SHA2 cert and the CA certs (originally via P.Solagna via D.Groep):
* We have tested a SHA2 user cert on GOCDB and no problems.  


The easiest is to get an instant certificate from CILogon, using their (unaccredited) OpenID provider like Google:
If using Apache2 - Should be handled by Apache without tool modification.
Adding some useful info for other PTs about how to get a SHA2 cert and the CA certs for testing (originally via P.Solagna via D.Groep):
 
The easiest is to get an instant <b>SHA2 test certificate</b> from CILogon, using their (<b>unaccredited</b>) OpenID provider like Google:


* https://cilogon.org/
* https://cilogon.org/
Line 11: Line 16:
and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key (you have ~ 2min to do this). To get the conventional usercert.pem and userkey.pem, use openssl:
and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key (you have ~ 2min to do this). To get the conventional usercert.pem and userkey.pem, use openssl:
<pre>
<pre>
  openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys  openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts  chmod 0600 userkey.pem
  openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys
  openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts
  chmod 0400 userkey.pem
</pre>
</pre>
and give your passphrase a few times ;-)  
and give your passphrase a few times ;-)  
You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository:
You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository:
* https://dist.eugridpma.info/distribution/current/experimental
* https://dist.eugridpma.info/distribution/current/experimental
<pre>
# rpm -ql ca_cilogon-openid.noarch
/etc/grid-security/certificates
/etc/grid-security/certificates/3d863bc5.0
/etc/grid-security/certificates/3d863bc5.namespaces
/etc/grid-security/certificates/3d863bc5.signing_policy
/etc/grid-security/certificates/9629661e.0
/etc/grid-security/certificates/9629661e.namespaces
/etc/grid-security/certificates/9629661e.signing_policy
/etc/grid-security/certificates/cilogon-openid.crl_url
/etc/grid-security/certificates/cilogon-openid.info
/etc/grid-security/certificates/cilogon-openid.namespaces
/etc/grid-security/certificates/cilogon-openid.pem
/etc/grid-security/certificates/cilogon-openid.signing_policy
</pre>


== SAM ==
== SAM ==
SAM uses certificates in following components:
* Apache 2 - SHA-2 supported natively
* probes - SHA-2 readiness depends on probes.


== Operations Portal ==
== Operations Portal ==
'''Ok:'''User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.


== Accounting Portal ==
== Accounting Portal ==
'''Ok:'''User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.


== Accounting Repository ==
== Accounting Repository ==
The apel-broker server which runs ActiveMQ uses Sun Java which supports SHA-2


== Metrics Portal ==
== Metrics Portal ==
'''Ok:'''User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.


== Messaging ==
== Messaging ==
test-msg02.afroditi.hellasgrid.gr running with the SHA-2 test CA. Everything works fine.


== GGUS ==
== GGUS ==
No problems with SHA2 user certs on GGUS.
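Review bot: In the openssl block, userkey.pem is created by "openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts" and only afterwards restricted by "chmod 0400 userkey.pem", so the (passphrase-encrypted) key file exists for a moment with whatever mode the caller's umask gives it; suggest adding "umask 077" as the first line of that block and keeping the chmod as the last step. The same hunk tells readers to install the unaccredited CILogon OpenID CA into /etc/grid-security/certificates "just like the other IGTF CAs"; since the new wording already calls it a test certificate, a sentence saying the ca_cilogon-openid package belongs on test hosts only, and should be removed after testing, would make that explicit.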

Latest revision as of 22:06, 24 December 2014




Operational Tools SHA2 Support Status

GOCDB

  • We have tested a SHA2 user cert on GOCDB and found no problems.

If using Apache2, SHA2 certificates should be handled by Apache without tool modification.

Some useful info for other PTs about how to get a SHA2 cert and the CA certs for testing (originally via P.Solagna via D.Groep):

The easiest way is to get an instant SHA2 test certificate from CILogon, using their (unaccredited) OpenID provider like Google:

  • https://cilogon.org/

and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a PKCS#12 file with your new certificate and private key (you have ~2 min to do this). To get the conventional usercert.pem and userkey.pem, use openssl:

 openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys  
 openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts  
 chmod 0400 userkey.pem

and give your passphrase a few times ;-)

You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository:

  • https://dist.eugridpma.info/distribution/current/experimental

# rpm -ql ca_cilogon-openid.noarch
/etc/grid-security/certificates
/etc/grid-security/certificates/3d863bc5.0
/etc/grid-security/certificates/3d863bc5.namespaces
/etc/grid-security/certificates/3d863bc5.signing_policy
/etc/grid-security/certificates/9629661e.0
/etc/grid-security/certificates/9629661e.namespaces
/etc/grid-security/certificates/9629661e.signing_policy
/etc/grid-security/certificates/cilogon-openid.crl_url
/etc/grid-security/certificates/cilogon-openid.info
/etc/grid-security/certificates/cilogon-openid.namespaces
/etc/grid-security/certificates/cilogon-openid.pem
/etc/grid-security/certificates/cilogon-openid.signing_policy
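
A post-extraction check for the usercert.pem / userkey.pem pair produced by the openssl commands above, as an added example that is not part of the original wiki page: it confirms the certificate really is SHA-2 signed, the key file is owner-only, and the key belongs to the certificate. The function names and the script name are hypothetical; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: checks for the usercert.pem / userkey.pem pair extracted above.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Map an algorithm name to sha2, weak (SHA-1 / MD5) or unknown.
# RSASSA-PSS prints its hash on a separate line, so it lands in "unknown".
classify_sig_alg() {
    case "$1" in
        *[Ss][Hh][Aa]224*|*[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*)
            echo sha2 ;;
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo weak ;;
        *) echo unknown ;;
    esac
}

# True when the key file is readable by its owner only (0400 or 0600).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# True when the private key belongs to the certificate (public keys equal).
# Prompts for the passphrase if the key is encrypted.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

check_grid_credential() {
    alg=$(cert_sig_alg "$1")
    [ "$(classify_sig_alg "$alg")" = sha2 ] ||
        { echo "FAIL: signature algorithm '$alg' is not SHA-2"; return 1; }
    key_mode_ok "$2" ||
        { echo "FAIL: $2 must be mode 0400 (or 0600)"; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match $1"; return 1; }
    echo "OK: $1 is signed with $alg"
}

# Usage: sh check-cred.sh usercert.pem userkey.pem
if [ "$#" -eq 2 ]; then check_grid_credential "$1" "$2"; fi
```

If usercert.pem contains several certificates, openssl x509 reads only the first one, so the check applies to that certificate.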

SAM

SAM uses certificates in the following components:

  • Apache 2 - SHA-2 supported natively
  • probes - SHA-2 readiness depends on probes.

Operations Portal

Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

Accounting Portal

Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

Accounting Repository

The apel-broker server, which runs ActiveMQ, uses Sun Java, which supports SHA-2.

Metrics Portal

Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

Messaging

test-msg02.afroditi.hellasgrid.gr running with the SHA-2 test CA. Everything works fine.

GGUS

No problems with SHA2 user certs on GGUS.