Difference between revisions of "EGI-InSPIRE:JRA1 SHA2 Readiness"

From EGIWiki
= Operational Tools SHA2 Support Status =

== GOCDB ==

* We have tested a SHA2 user cert on GOCDB and found no problems.

If using Apache2, SHA2 should be handled by Apache without tool modification.

Adding some useful info for other PTs about how to get a SHA2 cert and the CA certs for testing (originally via P.Solagna via D.Groep):

The easiest is to get an instant <b>SHA2 test certificate</b> from CILogon, using their (<b>unaccredited</b>) OpenID provider like Google:

* https://cilogon.org/

and select "Google" from the list of IdPs. After signing in to Google and typing in a password, you can download a pkcs#12 file with your new certificate and private key (you have ~ 2min to do this). To get the conventional usercert.pem and userkey.pem, use openssl:

<pre>
openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys
openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts
chmod 0400 userkey.pem
</pre>

and give your passphrase a few times ;-)

You can install the unaccredited OpenID CA just like the other IGTF CAs, but from the experimental repository:

* https://dist.eugridpma.info/distribution/current/experimental

<pre>
# rpm -ql ca_cilogon-openid.noarch
/etc/grid-security/certificates
/etc/grid-security/certificates/3d863bc5.0
/etc/grid-security/certificates/3d863bc5.namespaces
/etc/grid-security/certificates/3d863bc5.signing_policy
/etc/grid-security/certificates/9629661e.0
/etc/grid-security/certificates/9629661e.namespaces
/etc/grid-security/certificates/9629661e.signing_policy
/etc/grid-security/certificates/cilogon-openid.crl_url
/etc/grid-security/certificates/cilogon-openid.info
/etc/grid-security/certificates/cilogon-openid.namespaces
/etc/grid-security/certificates/cilogon-openid.pem
/etc/grid-security/certificates/cilogon-openid.signing_policy
</pre>
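Once usercert.pem and userkey.pem have been extracted and the CA installed, two checks tell a PT whether the test setup actually exercises SHA2: that the user certificate is signed with a SHA-2 digest, and that it chains to a CA in the hashed directory. The script below is an added example (not from the wiki page, CILogon or the IGTF distribution); it builds a throwaway CA and user cert inline so it runs offline, and the work directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: a throwaway CA and user cert are built
# inline so the two SHA2 readiness checks can be run offline.
set -e

# Print the signature algorithm of a PEM certificate (e.g. sha256WithRSAEncryption).
sig_algorithm() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if the certificate is signed with a SHA-2 family digest.
is_sha2_signed() {
  case "$(sig_algorithm "$1")" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
    *) return 1 ;;
  esac
}

# Install a CA cert into a hashed directory laid out like /etc/grid-security/certificates.
# openssl verify -CApath looks for <subject_hash>.0, which is why the rpm listing
# above contains hash-named files alongside cilogon-openid.pem.
install_ca() {  # install_ca <ca.pem> <dir>
  mkdir -p "$2"
  cp "$1" "$2/$(openssl x509 -in "$1" -noout -subject_hash).0"
}

# Succeed only if the user cert chains to a CA in the hashed directory;
# -no-CAfile keeps the system trust store out of the decision.
verify_against_capath() {  # verify_against_capath <usercert.pem> <dir>
  openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed fixture (assumed names): a test CA and a user cert it signs with SHA-256.
make_fixture() {  # make_fixture <workdir>
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test User" \
    -keyout "$1/userkey.pem" -out "$1/user.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$1/user.csr" -CA "$1/ca.pem" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/usercert.pem" >/dev/null 2>&1
  chmod 0400 "$1/userkey.pem"   # same permissions the page applies to userkey.pem
  install_ca "$1/ca.pem" "$1/certificates"
}

# Stand-alone run: report both checks for the constructed fixture.
work=$(mktemp -d)
make_fixture "$work"
is_sha2_signed "$work/usercert.pem" && echo "SHA-2 signed: $(sig_algorithm "$work/usercert.pem")"
verify_against_capath "$work/usercert.pem" "$work/certificates" && echo "chains to CA in $work/certificates"
```

To check a real CILogon certificate, point is_sha2_signed at the extracted usercert.pem and verify_against_capath at /etc/grid-security/certificates after installing the ca_cilogon-openid rpm.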
== SAM ==

SAM uses certificates in the following components:

* Apache 2 - SHA-2 supported natively
* probes - SHA-2 readiness depends on the individual probes.

== Operations Portal ==

'''Ok:''' User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

== Accounting Portal ==

'''Ok:''' User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

== Accounting Repository ==

The apel-broker server, which runs ActiveMQ, uses Sun Java, which supports SHA-2.

== Metrics Portal ==

'''Ok:''' User authentication using SHA-2 signed certificates has been successfully tested by SA2 verifiers.

== Messaging ==

test-msg02.afroditi.hellasgrid.gr is running with the SHA-2 test CA. Everything works fine.

== GGUS ==

No problems with SHA2 user certs on GGUS.

Latest revision as of 23:06, 24 December 2014
