
Difference between revisions of "EGI-InSPIRE:JRA1 SHA2 Readiness"

(One intermediate revision by the same user not shown)
Line 1: Line 1:
[[Category: EGI-InSPIRE]]
{{EGI-Inspire_menubar}}
{{TOC_right}}
= Operational Tools SHA2 Support Status =
= Operational Tools SHA2 Support Status =



Latest revision as of 22:06, 24 December 2014




Operational Tools SHA2 Support Status

GOCDB

  • We have tested a SHA2 user cert on GOCDB and found no problems.

If using Apache2, SHA2 certificates should be handled by Apache without tool modification. Some useful info for other PTs about how to get a SHA2 cert and the CA certs for testing (originally via P.Solagna via D.Groep):

The easiest is to get an instant SHA2 test certificate from CILogon, using their (unaccredited) OpenID provider like Google:

and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a PKCS#12 file with your new certificate and private key (you have ~2 min to do this). To get the conventional usercert.pem and userkey.pem, use openssl:

 openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys  
 openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts  
 chmod 0400 userkey.pem

and give your passphrase a few times ;-) You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository:

# rpm -ql ca_cilogon-openid.noarch
/etc/grid-security/certificates
/etc/grid-security/certificates/3d863bc5.0
/etc/grid-security/certificates/3d863bc5.namespaces
/etc/grid-security/certificates/3d863bc5.signing_policy
/etc/grid-security/certificates/9629661e.0
/etc/grid-security/certificates/9629661e.namespaces
/etc/grid-security/certificates/9629661e.signing_policy
/etc/grid-security/certificates/cilogon-openid.crl_url
/etc/grid-security/certificates/cilogon-openid.info
/etc/grid-security/certificates/cilogon-openid.namespaces
/etc/grid-security/certificates/cilogon-openid.pem
/etc/grid-security/certificates/cilogon-openid.signing_policy
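
Before testing a tool, it is worth confirming that the certificate you extracted really carries a SHA-2 signature and that userkey.pem is not readable by group or others. The script below is an added example, not part of the original wiki page; the function names (sig_alg, is_sha2_alg, key_is_private, check_cert, make_sample) are hypothetical and the sample certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example: verify that a certificate is SHA-2 signed and that the
# extracted private key has no group/other permission bits.

# Print the signature algorithm of the first certificate in a PEM file.
# Files written by "openssl pkcs12 -info" carry extra text before the
# certificate; openssl x509 skips it.
sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Succeed if an algorithm name denotes a SHA-2 family digest.
is_sha2_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the file has no group or other permission bits (0400, 0600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report on one certificate; return non-zero if it is not SHA-2 signed.
check_cert() {
    alg=$(sig_alg "$1")
    if is_sha2_alg "$alg"; then
        echo "OK    $1: $alg"
    else
        echo "FAIL  $1: ${alg:-unreadable}"
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed SHA-256 certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed sample" \
        -keyout "$1/userkey.pem" -out "$1/usercert.pem" 2>/dev/null
    chmod 0400 "$1/userkey.pem"
}

dir=$(mktemp -d)
make_sample "$dir"
check_cert "$dir/usercert.pem"
key_is_private "$dir/userkey.pem" && echo "OK    userkey.pem mode is private"
rm -rf "$dir"
```

To check your own files, call check_cert on the usercert.pem and key_is_private on the userkey.pem produced by the openssl pkcs12 commands above.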

SAM

SAM uses certificates in the following components:

  • Apache 2 - SHA-2 supported natively
  • probes - SHA-2 readiness depends on probes.

Operations Portal

Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

Accounting Portal

Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

Accounting Repository

The apel-broker server, which runs ActiveMQ, uses Sun Java, which supports SHA-2.

Metrics Portal

Ok: User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

Messaging

test-msg02.afroditi.hellasgrid.gr is running with the SHA-2 test CA. Everything works fine.

GGUS

No problems with SHA2 user certs on GGUS.