[AG-TECH] AG 2.0 Alpha 3 (and Simple CA)
Ti Leggett
leggett at mcs.anl.gov
Tue Feb 25 09:23:15 CST 2003
We're running a Globus Simple CA currently so they are globus-y like
certs but reflecting what their use will be. In the future we will be
running OpenCA. However, there's no reason for a user to install a CA,
unless they, like you, want to have an internal OU. All a user needs to
do is generate a request against our CA (where our == AG Dev and after
development is done the production Access Grid CA).
On Mon, 2003-02-24 at 19:59, Randy Groves wrote:
> Thanks for the reply! I should have prefaced my question and later note
> with the fact that I'm setting up a completely internal AG, that will have
> no interaction (at least not for the foreseeable future) with the AG-Grid at
> large. So for my immediate testing, it sounds like what I did will
> work. But perhaps I should revise this so that I can cover all the bases
> when necessary. I'll take a look.
>
> I hadn't done a cert request (since I hadn't installed the AG CA) - are the
> certs that I would get 'normal' (i.e., typical Globus) certs, or are you
> generating an 'AG' cert under the Grid umbrella? I will be installing also
> on my external node - so I'll get a 'real' cert for this.
>
> Of course, since I'm restricted to unicast only on this link, this setup
> may have minimal interaction capabilities.
>
> -randy
>
> At 07:18 PM 2/24/2003 -0600, Ti Leggett wrote:
> >I would say no, it's not sufficient. While this will work with your
> >machine and internal organizational unit (OU) it will not work with the
> >rest of the AG2 community. That's because your cert will have been
> >signed by the CA with O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com
> >
> >Now on your AG node this might be fine, but now on your node you will
> >only accept certs that have been signed by globus.org (since that comes
> >with globus) and your CA. If someone from outside comes in with an
> >O=Access Grid/OU=agdev-ca.mcs.anl.gov/ signed cert, they'll be denied
> >because your node doesn't recognize that as a validly signed cert (since
> >it's not from globus and not from foo.bar).
> >
> >Now, if you try and take your personal foo.bar signed cert to someone
> >else's node (or venue for that matter), you'll get denied because that
> >resource won't recognize foo.bar as a validly signed cert.
> >
> >What you *really* wanted to do was add your CA to your trusted certs
> >list. That way you'll accept your certs, globus certs, and agdev certs.
> >All you have to do there is:
> >
> >${GPT_LOCATION}/sbin/globus-build -install-only \
> >    globus_simple_ca_8dd8e752_setup-0.12.tar.gz
> >
> >sed -e 's,globus-sh-tools-vars.sh,globus-sh-tools.sh,g' \
> >    < ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752 \
> >    > ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed
> >mv -f ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed \
> >    ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
> >chmod 0755 ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
> >
> >${GLOBUS_LOCATION}/setup/globus_simple_ca_8dd8e752/setup-gsi
> >
> >
> >That will install your CA's cert and make everything happy. You might not
> >have to do the sed stuff in the middle though I found recently installed
> >simple_ca packages assume they're installing into gt2.2 and this doesn't
> >work for our gt2.0 installations (don't even get me started on this)...
> >
> >Did that make sense?
> >
> >On Mon, 2003-02-24 at 18:59, Randy Groves wrote:
> > > Well, I might have answered most of my question. For those that might be
> > > in a similar situation, I was able to configure the 2.0 version of the
> > > data-management package to at least successfully run grid-proxy-init
> > > with a cert from my internal SimpleCA.
> > >
> > > What I did was to run the data-management install package, then only run
> > > the initial 'setup-gsi' and NOT the CA specific setup that follows. I then
> > > installed the package that SimpleCA generates, which in my case is:
> > >
> > > globus_simple_ca_8dd8e752_setup-0.12.tar.gz
> > >
> > > The install had no complaints, but I did get an error when I ran the
> > > gpt-postinstall, complaining about not finding
> > > /usr/lib/globus/setup/globus-sh-tools-vars.sh.
> > >
> > > A little poking made it obvious that this had been renamed from
> > > globus-sh-tools.sh in later versions. A symbolic link from one to the
> > > other took care of this.
> > >
> > > After running the setup-gsi that results from this process, I am now able
> > > to grid-proxy-init with my own internal cert.
> > >
> > > Now the next question, which I will probably be poking at, is - is this
> > > sufficient to run AG2.0a3?
> > >
> > > -randy
> > >
> > >
>
>
>
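The trust rule Ti describes above (a node or venue accepts a certificate only if it chains to a CA present in its trusted-certs directory, so a foo.bar-signed cert is denied until the foo.bar CA itself is installed alongside the globus and agdev CAs) can be reproduced with plain OpenSSL. The script below is an added example; it is not code from this thread, from Simple CA or from the Globus toolkit. The two CA names are the ones quoted in the mail; the CN of the AG dev CA, the user DN, the temporary working directory and the /O=.../* signing namespaces are assumptions. The <hash>.0 and <hash>.signing_policy layout is the Globus convention for /etc/grid-security/certificates; plain `openssl verify` honours the first file and ignores the second.

```shell
#!/bin/sh
# Added example, not from the ag-tech thread, Simple CA or the Globus toolkit.
# Reproduces the GSI trust rule with plain OpenSSL: a cert is accepted only
# if it chains to a CA present in the trusted-certs directory.
# Assumptions: the AG dev CA's CN, the user DN, the working directory and
# the subject namespaces written into the signing_policy files.
set -eu

WORK=${WORK:-$(mktemp -d)}
TRUST="$WORK/certificates"   # stand-in for /etc/grid-security/certificates
mkdir -p "$TRUST"

# make_ca NAME DN: self-signed CA key + cert (what Simple CA generates for you)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" 2>/dev/null
}

# issue_cert CA NAME DN: end-entity cert for NAME, signed by CA
# (the "generate a request against our CA" step, with the CA side done locally)
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

# trust_ca NAME DN SUBJECT_GLOB: what setup-gsi does when it installs a CA:
#   <hash>.0               the CA certificate, named by OpenSSL's subject hash
#   <hash>.signing_policy  Globus-format policy limiting which subject names
#                          this CA may vouch for (GSI checks it; openssl
#                          verify does not)
# The 2003-era toolkit used OpenSSL's older hash (today: -subject_hash_old);
# -hash here matches whatever this openssl's -CApath lookup expects.
trust_ca() {
    h=$(openssl x509 -in "$WORK/$1.pem" -noout -hash)
    cp "$WORK/$1.pem" "$TRUST/$h.0"
    cat > "$TRUST/$h.signing_policy" <<EOF
access_id_CA      X509         '$2'
pos_rights        globus        CA:sign
cond_subjects     globus       '"$3"'
EOF
}

# trust_status NAME: "accepted" if NAME's cert chains to a CA in $TRUST,
# "denied" otherwise (the decision a node or venue makes on an incoming cert)
trust_status() {
    if openssl verify -CApath "$TRUST" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo denied
    fi
}

AGDEV_DN="/O=Access Grid/OU=agdev-ca.mcs.anl.gov/CN=Access Grid Dev CA"  # CN assumed
FOOBAR_DN="/O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com"

make_ca agdev  "$AGDEV_DN"
make_ca foobar "$FOOBAR_DN"
issue_cert foobar randy "/O=Foo Bar/OU=foo.bar.com/CN=Randy Groves"   # DN assumed

# A node that trusts only the AG dev CA: the foo.bar-signed cert is denied.
trust_ca agdev "$AGDEV_DN" "/O=Access Grid/OU=agdev-ca.mcs.anl.gov/*"
echo "trust dir holds agdev only:      $(trust_status randy)"

# Add the foo.bar CA to the trusted list: the same cert is now accepted.
trust_ca foobar "$FOOBAR_DN" "/O=Foo Bar/OU=foo.bar.com/*"
echo "trust dir holds agdev + foo.bar: $(trust_status randy)"
```

The first echo reports `denied` and the second `accepted`; nothing about the user's certificate changed between the two, only the contents of the trust directory, which is exactly why signing your own certs with an internal CA works on your node and nowhere else until the other side installs that CA. GSI additionally applies the signing_policy namespace, so a foo.bar CA that tried to vouch for an /O=Access Grid/... subject would be refused even once its certificate is trusted.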