Our SSL CA Configuration

Ti Leggett leggett at mcs.anl.gov
Thu May 8 12:07:42 CDT 2003


So let me throw out a scenario where the CA is on net and how we can
secure it.

+ Only those who are CA operators can log in to the machine
+ Only SSHv2 is allowed and only from a select few IPs
+ Use tcp wrappers healthily
+ Use iptables healthily
+ In order to even connect to the web you must have a validly signed CA
Operator certificate (i.e., the server will do reverse client SSL
authentication)
+ You can only connect to the web server from a select few hosts
+ The private key will only be readable by whoever it is that needs to
read it
+ The CA server will not be directly accessible from the RA server or
any other publicly available server
+ Add your own new security measure here

On Thu, 2003-05-08 at 10:18, Ti Leggett wrote:
> Continuing on. Does anyone have strong feelings against putting the CA
> and RA on the same server? There's several things we can do to lock down
> the CA side of things, but it just makes life a little easier if we do
> this.
> 
> On Wed, 2003-05-07 at 13:45, Ti Leggett wrote:
> > I'm trying to sort through the hierarchy of what we want our CA to look
> > like and what we'll be signing. Those things with (CA) are CA's and are
> > responsible for signing underneath them. Tell me if this looks correct:
> > 
> > /O=Access Grid/ (CA)
> >   |
> >   +- /O=Access Grid/OU=Developers/
> >   |  |
> >   |  +- /O=Access Grid/OU=Developers/CN=Ti Leggett
> >   |
> >   +- /O=Access Grid/OU=Services/
> >   |  |
> >   |  +- /O=Access Grid/OU=Services/CN=AGNodeService/scraz.mcs.anl.gov
> >   |
> >   +- /O=SCGlobal2003/ (CA)
> >   |  |
> >   |  +- /O=SCGlobal2003/OU=Participant/
> >   |  |  |
> >   |  |  +- /O=SCGlobal2003/OU=Participant/CN=Ti Leggett/
> >   |  ...
> >   |
> >   +- /O=Access Grid Anonymous/ (CA)
> >      |
> >      +- /O=Access Grid Anonymous/OU=User/
> >      |  |
> >      |  +- /O=Access Grid Anonymous/OU=User/CN=Anonymous User/
> >      |
> >      +- /O=Access Grid Anonymous/OU=Service/
> >         |
> >         +- /O=Access Grid Anonymous/OU=Service/CN=AGNodeService/localhost
> > 
> > Is this what we're looking at?
> > 
> 
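Added example, not part of the thread: a small Python model of the hierarchy in the quoted diagram that works out which CA issues a given subject, the chain back to the /O=Access Grid/ root, and the client-certificate check the CA web front end would apply to operators. The DN strings come from the diagram; the "CA Operators" OU is an assumption, since the thread names no OU for operator certificates.

```python
import re

# Each CA DN -> the CA that signs it (None marks the self-signed root).
# Taken from the hierarchy drawn in the thread.
CA_PARENT = {
    "/O=Access Grid/": None,
    "/O=SCGlobal2003/": "/O=Access Grid/",
    "/O=Access Grid Anonymous/": "/O=Access Grid/",
}
# Split only at a '/' that begins a KEY= component, so the '/' inside
# CN=AGNodeService/scraz.mcs.anl.gov is kept as part of the value.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")


def parse_dn(dn):
    """OpenSSL one-line DN -> list of (key, value) tuples."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip()):
        part = part.strip("/")  # tolerate leading/trailing slashes
        if part:
            key, _, value = part.partition("=")
            rdns.append((key, value))
    return rdns


def issuing_ca(subject):
    """DN of the CA that signs `subject` (None for the root). A CA is issued
    by its explicit parent; anything else by the longest CA DN prefixing it."""
    rdns = parse_dn(subject)
    parsed = {ca: parse_dn(ca) for ca in CA_PARENT}
    for ca, ca_rdns in parsed.items():
        if rdns == ca_rdns:
            return CA_PARENT[ca]
    prefixes = [ca for ca, ca_rdns in parsed.items() if rdns[:len(ca_rdns)] == ca_rdns]
    if not prefixes:
        raise ValueError(f"no CA in the hierarchy covers {subject}")
    return max(prefixes, key=lambda ca: len(parsed[ca]))


def chain(subject):
    """Issuer DNs from the subject's CA up to and including the root."""
    out, ca = [], issuing_ca(subject)
    while ca is not None:
        out.append(ca)
        ca = CA_PARENT[ca]
    return out


def may_operate_ca(subject, operator_ou="CA Operators"):
    """Client-cert policy for the CA web front end: issued directly by the root
    and carrying the operator OU (assumed name), so sub-CA certs are refused."""
    return issuing_ca(subject) == "/O=Access Grid/" and ("OU", operator_ou) in parse_dn(subject)
```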

More information about the ag-dev mailing list