EGI IGTF Release

From EGIWiki
Revision as of 13:39, 26 November 2010 by Davidg (talk | contribs)
Jump to: navigation, search

To ensure interoperability within and outside of EGI, the Policy on Approved Certification Authorities defined a common set of trust anchors ("Certification Authorities" or "CAs") that all sites in EGI should install. In short, all CAs accredited to the International Grid Trust Federation under the classic, MICS or SLCS Authentication Profiles are approved for use in EGI. Of course, sites may add additional CAs as long as the integrity of the infrastructure as a whole is not compromised. Also, if there are site or national policies/regulations that prevent you from installing a CA, these regulations take precedence -- but you then must inform the EGI Security Officer (see EGI_CSIRT:Main_Page) about this exception.

Installation

To install the EGI trust anchors on a system that uses the RedHat Package Manager (RPM) based package management system, we provide a convenience package to manage the installation. To install the currently valid distribution, all RPM packages are provided at

http://repository.egi.eu/sw/production/cas/1/current/

The current version is 1.37, based on the IGTF release with the same version number. Install the meta-package ca-policy-egi-core and its dependencies to implement the core EGI policy on trusted CAs.

Using YUM package management

Add the following repo-file to the /etc/yum.repos.d/ directory:

[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1

and then update your installation. How to update depends on your previous activity:

yum clean cache metadata 
yum update lcg-CA 
and you are done. This will update the packages installed to the latest version, and also install the new ca-policy-egi-core package as well as a ca-policy-lcg package. All packages encode the same set of dependencies
  • if you are upgrading from a previous EGI version only, just run
yum update ca-policy-egi-core
although at timmes you may need to clean the yum cache using yum clean cache metadata
  • if you are installing the EGI trust anchors for the first time, run
yum install ca-policy-egi-core

Using the distribution on other platforms

The trust anchors are provided also as simple 'tar-balls' for installation on other platforms. Since there is no dependency management in this case, please review the release notes carefully for any security issues or withdrawn CAs. The tar files can be found in the EGI repository at

http://repository.egi.eu/sw/production/cas/1/current/tgz/

Installing the distribution using Quattor

Quattor templates are povided as drop-in replacements for both QWG and CDB installations. Update your software repository (re-generating the repository templates as needed) and obtain the new CA templates from:

Patches and work-arounds

We provide here a workaround for the issue summarised in comment #57 of bug #48458. The following rpm has been added to the repository: dummy-ca-certs-20090630-1.noarch.rpm. Please note that:

  • This rpm is not added to the lcg-CA metapackage dependencies
  • If you want to install it you should run: yum install dummy-ca-certs