[AG-TECH] AG 2.0 Alpha 3 (and Simple CA)

Ti Leggett leggett at mcs.anl.gov
Mon Feb 24 19:18:11 CST 2003


I would say no, it's not sufficient. While this will work with your
machine and internal organizational unit (OU) it will not work with the
rest of the AG2 community. That's because your cert will have been
signed by the CA with O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com

Now on your AG node this might be fine, but now on your node you will
only accept certs that have been signed by globus.org (since that comes
with globus) and your CA. If someone from outside comes in with an
O=Access Grid/OU=agdev-ca.mcs.anl.gov/ signed cert, they'll be denied
because your node doesn't recognize that as a validly signed cert (since
it's not from globus and not from foo.bar).

Now, if you try and take your personal foo.bar signed cert to someone
else's node (or venue for that matter), you'll get denied because that
resource won't recognize foo.bar as a validly signed cert.

What you *really* wanted to do was add your CA to your trusted certs
list. That way you'll accept your certs, globus certs, and agdev certs.
All you have to do there is:

# Install the setup package that SimpleCA generated
${GPT_LOCATION}/sbin/globus-build -install-only \
    globus_simple_ca_8dd8e752_setup-0.12.tar.gz

# Rewrite the reference to globus-sh-tools-vars.sh in the setup script
sed -e 's,globus-sh-tools-vars.sh,globus-sh-tools.sh,g' \
    < ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752 \
    > ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed
mv -f ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed \
    ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
chmod 0755 ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752

# Run the CA-specific GSI setup
${GLOBUS_LOCATION}/setup/globus_simple_ca_8dd8e752/setup-gsi


That will install your CA's cert and make everything happy. You might not
have to do the sed stuff in the middle, though I found recently installed
simple_ca assume they're installing into gt2.2 and this doesn't work for
our gt2.0 installations (don't even get me started on this)...

Did that make sense?

On Mon, 2003-02-24 at 18:59, Randy Groves wrote:
> Well, I might have answered most of my question.  For those that might be 
> in a similar situation, I was able to configure the 2.0 version of the 
> data-management package to at least successfully run grid-proxy-init with a 
> cert from my internal SimpleCA.
> 
> What I did was to run the data-management install package, then only run the 
> initial 'setup-gsi' and NOT the CA specific setup that follows.   I then 
> installed the  package that SimpleCA generates, which in my case is:
> 
> globus_simple_ca_8dd8e752_setup-0.12.tar.gz
> 
> The install had no complaints, but I did get an error when I ran the 
> gpt-postinstall, complaining about not finding 
> /usr/lib/globus/setup/globus-sh-tools-vars.sh.
> 
> A little poking made it obvious that this had been renamed from 
> globus-sh-tools.sh in later versions.  A symbolic link from one to the 
> other took care of this.
> 
> After running the setup-gsi that results from this process, I am now able 
> to grid-proxy-init with my own internal cert.
> 
> Now the next question, which I will probably be poking at, is - is this 
> sufficient to run AG2.0a3?
> 
> -randy
> 
> 
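The trust behaviour described in this message, as an added example that is not part of the original post or of the Globus tooling: a node accepts a certificate only if its issuing CA is in that node's trusted-certs directory. The two CAs, the user certs, the CN values and the node directories are constructed throwaways, and the script assumes an `openssl` CLI with its default config is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and user certs generated on the spot.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

make_ca() {      # $1 = file stem, $2 = subject DN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$demo/$1.key" -out "$demo/$1.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA stem, $2 = user stem, $3 = subject DN
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$demo/$2.key" -out "$demo/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo/$2.csr" -days 1 \
        -CA "$demo/$1.pem" -CAkey "$demo/$1.key" -CAcreateserial \
        -out "$demo/$2.pem" 2>/dev/null
}

trust_ca() {     # $1 = trusted-certs dir, $2 = CA stem
    # CA certs in a trusted-certs directory are found by name: <subject hash>.0
    h=$(openssl x509 -noout -hash -in "$demo/$2.pem") &&
    cp "$demo/$2.pem" "$1/$h.0"
}

accepts() {      # $1 = trusted-certs dir, $2 = user stem; exit 0 if accepted
    openssl verify -CApath "$1" "$demo/$2.pem" 2>/dev/null | grep -q ': OK$'
}

make_ca foobar "/O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com"
make_ca agdev  "/O=Access Grid/OU=agdev-ca.mcs.anl.gov/CN=constructed demo CA"
issue_cert foobar local   "/O=Foo Bar/OU=foo.bar.com/CN=Constructed Local User"
issue_cert agdev  visitor "/O=Access Grid/OU=agdev-ca.mcs.anl.gov/CN=Constructed Visitor"

# nodeA trusts only the internal CA, nodeB trusts both, nodeC only the other CA.
mkdir "$demo/nodeA" "$demo/nodeB" "$demo/nodeC"
trust_ca "$demo/nodeA" foobar
trust_ca "$demo/nodeB" foobar
trust_ca "$demo/nodeB" agdev
trust_ca "$demo/nodeC" agdev

for node in nodeA nodeB nodeC; do
    for user in local visitor; do
        if accepts "$demo/$node" "$user"; then r=accepted; else r=denied; fi
        echo "$node: $user $r"
    done
done
```

Only nodeB, which has both CA certs installed, accepts both users; nodeA and nodeC each deny the cert issued by the CA they do not carry.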



