[AG-TECH] AG 2.0 Alpha 3 (and Simple CA)

Ti Leggett leggett at mcs.anl.gov
Tue Feb 25 09:23:15 CST 2003


We're running a Globus Simple CA currently so they are globus-y like
certs but reflecting what their use will be. In the future we will be
running OpenCA. However, there's no reason for a user to install a CA,
unless they, like you, want to have an internal OU. All a user needs to
do is generate a request against our CA (where our == AG Dev and after
development is done the production Access Grid CA)

On Mon, 2003-02-24 at 19:59, Randy Groves wrote:
> Thanks for the reply!  I should have prefaced my question and later note 
> with the fact that I'm setting up a completely internal AG, that will have 
> no interaction (at least not for the foreseeable future) with the AG-Grid at 
> large.  So for my immediate testing, it sounds like what I did will 
> work.  But perhaps I should revise this so that I can cover all the bases 
> when necessary.  I'll take a look.
> 
> I hadn't done a cert request (since I hadn't installed the AG CA) - are the 
> certs that I would get 'normal' (i.e., typical Globus) certs, or are you 
> generating an 'AG' cert under the Grid umbrella?  I will be installing also 
> on my external node - so I'll get a 'real' cert for this.
> 
> Of course, since I'm restricted to unicast only on this link, this setup 
> may have minimal interaction capabilities.
> 
> -randy
> 
> At 07:18 PM 2/24/2003 -0600, Ti Leggett wrote:
> >I would say no, it's not sufficient. While this will work with your
> >machine and internal organizational unit (OU) it will not work with the
> >rest of the AG2 community. That's because your cert will have been
> >signed by the CA with O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com
> >
> >Now on your AG node this might be fine, but now on your node you will
> >only accept certs that have been signed by globus.org (since that comes
> >with globus) and your CA. If someone from outside comes in with an
> >O=Access Grid/OU=agdev-ca.mcs.anl.gov/ signed cert, they'll be denied
> >because your node doesn't recognize that as a validly signed cert (since
> >it's not from globus and not from foo.bar).
> >
> >Now, if you try and take your personal foo.bar signed cert to someone
> >else's node (or venue for that matter), you'll get denied because that
> >resource won't recognize foo.bar as a validly signed cert.
> >
> >What you *really* wanted to do was add your CA to your trusted certs
> >list. That way you'll accept your certs, globus certs, and agdev certs.
> >All you have to do there is:
> >
> >${GPT_LOCATION}/sbin/globus-build -install-only
> >globus_simple_ca_8dd8e752_setup-0.12.tar.gz
> >
> >sed -e 's,globus-sh-tools-vars.sh,globus-sh-tools.sh,g' <
> >${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752 >
> >${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed
> >mv -f ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752.sed
> >${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
> >chmod 0755 ${GLOBUS_LOCATION}/setup/globus/setup-ssl-utils.8dd8e752
> >
> >${GLOBUS_LOCATION}/setup/globus_simple_ca_8dd8e752/setup-gsi
> >
> >
> >That will install your CA's cert and make everything happy. You might not
> >have to do the sed stuff in the middle though I found recently installed
> >simple_ca assume they're installing into gt2.2 and this doesn't work for
> >our gt2.0 installations (don't even get me started on this)...
> >
> >Did that make sense?
> >
> >On Mon, 2003-02-24 at 18:59, Randy Groves wrote:
> > > Well, I might have answered most of my question.  For those that might be
> > > in a similar situation, I was able to configure the 2.0 version of the
> > > data-management package to at least successfully run grid-proxy-init with a
> > > cert from my internal SimpleCA.
> > >
> > > What I did was to run the data-management install package, then only run the
> > > initial 'setup-gsi' and NOT the CA-specific setup that follows. I then
> > > installed the package that SimpleCA generates, which in my case is:
> > >
> > > globus_simple_ca_8dd8e752_setup-0.12.tar.gz
> > >
> > > The install had no complaints, but I did get an error when I ran the
> > > gpt-postinstall, complaining about not finding
> > > /usr/lib/globus/setup/globus-sh-tools-vars.sh.
> > >
> > > A little poking made it obvious that this had been renamed from
> > > globus-sh-tools.sh in later versions.  A symbolic link from one to the
> > > other took care of this.
> > >
> > > After running the setup-gsi that results from this process, I am now able
> > > to grid-proxy-init with my own internal cert.
> > >
> > > Now the next question, which I will probably be poking at, is - is this
> > > sufficient to run AG2.0a3?
> > >
> > > -randy
> > >
> > >
> 
> 
> 
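The trust-store behaviour Ti describes above (a cert signed by a CA your node has not installed is rejected, and adding that CA's cert to the trusted-certs list is the fix) reproduced with plain OpenSSL, as an added example that is not code from this thread or from the Globus or Access Grid projects. The trust directory stands in for /etc/grid-security/certificates, and CA certs are stored as <subject-hash>.0, which is the file naming both GSI and OpenSSL's -CApath lookup use. The subjects of the foo.bar and agdev CAs are taken from the message; the Globus CA subject, the agdev CN, the user-cert subjects and all file and directory names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Globus/AG code): reproduce the
# trust-store behaviour with plain OpenSSL. $TRUST plays the role of
# /etc/grid-security/certificates, and each CA cert is stored as
# <subject-hash>.0, the layout GSI and openssl's -CApath expect.
# CA subjects for foo.bar and agdev come from the message; the "globus"
# subject, the agdev CN, the user subjects and file names are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TRUST="$WORK/certificates"
mkdir -p "$TRUST"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# -subj on the command line overrides the placeholder DN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME SUBJECT: self-signed CA cert + key in $WORK/NAME.{crt,key}.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" -days 365 2>/dev/null
}

# issue_cert CA NAME SUBJECT: user cert $WORK/NAME.crt signed by CA.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# trust_ca NAME: install the CA cert into the trust dir as <hash>.0.
# This is the effect of the setup-gsi step in the message.
trust_ca() {
  hash=$(openssl x509 -in "$WORK/$1.crt" -noout -subject_hash)
  cp "$WORK/$1.crt" "$TRUST/$hash.0"
}

# verdict NAME: print "accepted" if NAME.crt chains to a CA in $TRUST,
# otherwise "rejected" (the node refusing a cert from an unknown CA).
verdict() {
  if openssl verify -CApath "$TRUST" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# The three CAs named in the thread.
make_ca globus "/O=Globus/CN=Globus Certification Authority"        # subject assumed
make_ca foobar "/O=Foo Bar/OU=foo.bar.com/CN=ca.foo.bar.com"
make_ca agdev  "/O=Access Grid/OU=agdev-ca.mcs.anl.gov/CN=agdev-ca"  # CN assumed

issue_cert foobar randy   "/O=Foo Bar/OU=foo.bar.com/CN=Randy Groves"
issue_cert agdev  visitor "/O=Access Grid/OU=agdev-ca.mcs.anl.gov/CN=Visitor"

# Randy's node as described: it trusts globus and his own CA, nothing else.
trust_ca globus
trust_ca foobar
OWN_CERT=$(verdict randy)           # accepted
VISITOR_BEFORE=$(verdict visitor)   # rejected: agdev CA is not in the trust dir

# The fix from the message: add the other CA to the trusted certs list.
trust_ca agdev
VISITOR_AFTER=$(verdict visitor)    # accepted

echo "own cert: $OWN_CERT; visitor before adding agdev CA: $VISITOR_BEFORE; after: $VISITOR_AFTER"
```

One caveat when doing this by hand on a real Globus node: plain OpenSSL only checks the chain, whereas GSI also reads a <hash>.signing_policy file next to <hash>.0 that restricts which subject names that CA is allowed to sign. The simple CA's setup-gsi writes both files; if you copy a CA cert into /etc/grid-security/certificates yourself, the signing_policy file has to come along or the CA will still not be honoured.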