Setup Certificates Update
From PRAGMAgridWIKI
Auto-update With IGTF-PRAGMA COMBO Distribution (recommended)
- If pacman has not been installed, install pacman
# wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-latest.tar.gz
# cd /opt
# tar xvzf /root/pacman-latest.tar.gz
# cd pacman-3.26/
# source ./setup.sh
- If the VDT certificate updater has not been installed, install it (VDT certificate updater 1.8.1 or older will not work, since it ignores the cacerts_url entry in the configuration file; if you have an older version, upgrade to the current one)
# mkdir vdt
# cd vdt
# pacman -get http://vdt.cs.wisc.edu/vdt_1101_cache:CA-Certificates
The installation will ask a series of questions. This example is based on answering "yes" to all of them.
- Add this line in /opt/vdt/vdt/etc/vdt-update-certs.conf
cacerts_url=http://rocks56.sdsc.edu/certs/igtf-pragma-ca-certs-version
- Run
# . $VDT_LOCATION/setup.sh
# . $VDT_LOCATION/vdt-questions.sh
# $VDT_LOCATION/vdt/sbin/vdt-setup-ca-certificates --root
Note: use "--root" option if your certificates directory is /etc/grid-security/certificates. Otherwise, use "--local".
- Check VDT services
# vdt-control --list
Service            | Type   | Desired State
-------------------+--------+--------------
fetch-crl          | cron   | enable
vdt-rotate-logs    | cron   | enable
vdt-update-certs   | cron   | enable
- Enable all relevant vdt services
If any of the above services is not enabled, enable it by running
# vdt-control --enable <service-name>
- Activate all VDT services
# vdt-control --on
- Check the results in $VDT_LOCATION/vdt/var/log/vdt-update-certs.log and /etc/grid-security/certificates.
Auto-update With Separate IGTF, PRAGMA Distributions
See an example
Manual-update With Separate IGTF, PRAGMA Distributions
Install and update from IGTF distribution
- download accredited installation bundle igtf-policy-installation-bundle-<version>.tar.gz from https://dist.eugridpma.info/distribution/igtf/current/accredited
- execute the following commands as any user:
$ gunzip -c igtf-policy-installation-bundle-<version>.tar.gz | tar xvf -
$ cd igtf-policy-installation-bundle-<version>
$ ./configure --with-profile=classic
NOTE: for multiple profiles, use multiple arguments, as in:
$ ./configure --with-profile=classic --with-profile=slcs
- Become a superuser and execute the actual install
# cd <path>/igtf-policy-installation-bundle-<version>
# make install
- Find obsolete CA files. For example, assuming the current version is 1.24 and there are no *.info files for non-IGTF CAs, run
$ grep version /etc/grid-security/certificates/*.info | grep -v '1\.24'
- The above command prints the hash and other info of all obsolete CAs. Examine the list before removing the obsolete CA files from the /etc/grid-security/certificates directory.
Install and update from non-IGTF PRAGMA certs distribution
For a clean install, fetch the latest bundle from https://goc.pragma-grid.net/secure/certificates/pragma-certs.tar.gz, then unzip and untar it to get all non-IGTF PRAGMA CA files.
Currently, incremental updates are done by announcing individual update requests in the Update log and on the pragma-grid-team mailing list; site administrators need to update the CA files manually. When we change to the IGTF distribution standard in the future, this procedure will be updated.
Setup CRL auto-update
See https://dist.eugridpma.info/distribution/util/fetch-crl.
Check certificate expiration date - script by Nadya Williams
The CertTime script checks the expiration time (next update) of certificates and CRLs. The output is sorted and gives the number of days until the next update; a negative number of days means the certificate has expired. The script can be run periodically by any user to monitor certificate expiration. The script was updated on 10.06.2009 to accommodate the change of the CRL file format from text to CRL PEM.
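The same check in code, as an added example (not the CertTime script itself and not PRAGMA's code): using only the Python standard library, it walks the DER structure of each <hash>.0 certificate and <hash>.r0 PEM CRL and reports the days until notAfter / nextUpdate, sorted so expired (negative) entries come first. The file-suffix convention is assumed from the IGTF certificates directory layout; sample() builds constructed, unsigned stand-ins used only to exercise the code.

```python
# Added example (not the CertTime script): days until each CA cert (<hash>.0) / CRL (<hash>.r0)
# reaches its next update, expired (negative) first. Stdlib only; a small DER walker reads the times.
import base64, datetime, re
from pathlib import Path

def der_tlv(buf, pos):
    """Parse one DER tag+length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length: 0x8N, then N bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def der_children(buf, start, end):                  # elements directly inside a SEQUENCE
    while start < end:
        tag, vs, ve = der_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def next_update(pem_text):   # notAfter of a CERTIFICATE, nextUpdate of an X509 CRL (naive UTC)
    m = re.search(r"-----BEGIN (X509 CRL|CERTIFICATE)-----(.*?)-----END", pem_text, re.S)
    kind, der = m.group(1), base64.b64decode(m.group(2))
    _, vs, ve = der_tlv(der, 0)                     # outer SEQUENCE
    _, tvs, tve = der_tlv(der, vs)                  # tbsCertificate / tbsCertList
    kids = list(der_children(der, tvs, tve))
    if kind == "CERTIFICATE":                       # SEQUENCE children: sigAlg, issuer, validity
        _, s0, e0 = [k for k in kids if k[0] == 0x30][2]
        tag, s, e = list(der_children(der, s0, e0))[1]   # validity = notBefore, notAfter
    else:                                           # Time children: thisUpdate, nextUpdate
        tag, s, e = [k for k in kids if k[0] in (0x17, 0x18)][1]
    text = der[s:e].decode()
    if tag == 0x17:                                 # UTCTime: RFC 5280 two-digit-year rule
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")

def report(source, now):     # source: certificates directory path, or {file name: PEM text}
    """Sorted [(days until next update, file name)]; a negative count means already expired."""
    if isinstance(source, str):
        source = {p.name: p.read_text() for p in Path(source).iterdir()
                  if p.suffix in (".0", ".r0")}
    return sorted(((next_update(pem) - now).days, name) for name, pem in source.items())

def der_encode(tag, body): return bytes([tag, len(body)]) + body   # short form; sample only
def sample(kind, *utc_times):
    """Constructed, unsigned stand-in for a cert or CRL (not a real CA file)."""
    times = b"".join(der_encode(0x17, t.encode()) for t in utc_times)
    tbs = (der_encode(0x02, b"\x01") + der_encode(0x30, b"") * 2 + der_encode(0x30, times)
           if kind == "CERTIFICATE" else der_encode(0x30, b"") * 2 + times)
    b64 = base64.encodebytes(der_encode(0x30, der_encode(0x30, tbs))).decode()
    return f"-----BEGIN {kind}-----\n{b64}-----END {kind}-----\n"
```

For a live check call report("/etc/grid-security/certificates", datetime.datetime.utcnow()); any entry with a negative day count is expired, and a CRL nearing zero means fetch-crl is not refreshing it.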
Setup auto-synch grid-mapfile with PRAGMA VO groups
In the PRAGMA grid, a VOMRS server is used to manage user membership in groups corresponding to individual projects.
See an example below on how to configure mappings from the VOMRS project groups to local accounts on a site system using VDT and edg-mkgridmap.
There are two alternative non-VDT methods - install from RPM or use a callout to a GUMS server. See examples documented by Vladimir.
Also see PRIMA examples.
- If pacman has not been installed, install pacman
[root@rocks-96 ~]# wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-latest.tar.gz
[root@rocks-96 ~]# cd /opt
[root@rocks-96 opt]# tar xvzf /root/pacman-latest.tar.gz
[root@rocks-96 opt]# cd pacman-3.26/
[root@rocks-96 pacman-3.26]# source ./setup.sh
- Install edg-mkgridmap
Note: please back up your existing /etc/grid-security/grid-mapfile, and answer the questions according to your site requirements and policies.
[root@rocks-96 opt]# mkdir vdt
[root@rocks-96 opt]# cd vdt
[root@rocks-96 vdt]# pacman -get http://vdt.cs.wisc.edu/vdt_1100_cache:EDG-Make-Gridmap
Do you want to add [http://vdt.cs.wisc.edu/vdt_1100_cache] to [trusted.caches]? (y/n/yall): y
Beginning VDT prerequisite checking script vdt-common/vdt-prereq-check...
All prerequisite checks are satisfied.
VDT 1.10.0 installs a variety of software, each with its own license.
In order to continue, you must agree to the licenses.
You can view the licenses online at:
http://vdt.cs.wisc.edu/licenses/1.10.0
After the installation has completed, you will also be able to view the licenses in the "licenses" directory.
Do you agree to the licenses? [y/n] y
Several services provided by the VDT create unbounded log files.
If you wish, we can rotate those file on a daily basis.
Would you like to setup daily rotation of VDT log files?
Possible answers:
y: Yes, I want the service to run automatically (once enabled)
n: No, I do NOT want the service to run automatically
Note: Services are enabled with vdt-control; see 'post-install/README'.
y
Do you want to run a cron job that will update the CA certificate revocation lists automatically?
This will use the fetch-crl program that comes with the VDT.
The cron job will run at a random time between midnight and 6:00am.
We select a random time to avoid having all VDT installations fetching CRLs at the same time.
Do you want to update the CA certification revocation lists (CRLs) automatically? [y/n] y
The VDT typically installs public certificates and signing policy files for the well-known public CA's.
This is necessary in order for you to perform GSI authentication with any remote Grid services
(that have service/host certificates signed by these CA's).
For more information please refer to the VDT documentation:
http://vdt.cs.wisc.edu/releases/1.10.0/setup_ca.html
Where would you like to install CA files?
Choices:
r (root) - install into /etc/grid-security/certificates (existing CA files will be preserved)
l (local) - install into $VDT_LOCATION/globus/share/certificates
n (no) - do not install
r
Do you want edg-mkgridmap daemon to be run automatically?
If so, we will run it four times a day via cron.
edg-mkgridmap will update your gridmap file by communicating with VOMS servers.
This will only be useful if you are part of a Virtual Organization (VO) or you allow users from VOs.
Do you want edg-mkgridmap daemon to be run via cron? [y/n] y
Do you want to automatically update your CA certificates?
If so, we will check for updates once a day via cron.
Do you want to automatically update your CA Certificates? [y/n] y
- Configure vdt-update-certs
If you answered "yes" to automatically updating your CA certificates in the step above but have not set up automatic certificate updates before, configure vdt-update-certs; otherwise, skip this step. To configure vdt-update-certs, place the non-IGTF certificate files (for example, the files in the PRAGMA CA tarball) in the /etc/grid-security/non-igtf-certs directory, then edit /opt/vdt/vdt/etc/vdt-update-certs.conf to include each non-IGTF certificate file.
- Create UNIX accounts for the PRAGMA VO groups to map onto.
For example, create account "pragmauser" for PRAGMA USERS group, "afguser" for Avian-Flu-Grid group.
- Create /opt/vdt/edg/etc/edg-mkgridmap.conf file as
[root@rocks-96 etc]# cat /opt/vdt/edg/etc/edg-mkgridmap.conf
group vomss://vomrs-pragma.sdsc.edu:8443/voms/PRAGMA?/PRAGMA/Avian-Flu-Grid afguser
group vomss://vomrs-pragma.sdsc.edu:8443/voms/PRAGMA?/PRAGMA/USERS pragmauser
gmf_local /opt/vdt/edg/etc/grid-mapfile-local
Note - to add new groups in the future, simply add group/user mappings in the /opt/vdt/edg/etc/edg-mkgridmap.conf file.
- Copy /etc/grid-security/grid-mapfile to /opt/vdt/edg/etc/grid-mapfile-local file
- Create /opt/vdt/edg/log/edg-mkgridmap.log (use touch command)
- Backup and remove /etc/grid-security/grid-mapfile
- Run edg-mkgridmap for the first time
[root@rocks-96 opt]# touch /opt/vdt/edg/etc/grid-mapfile-local
[root@rocks-96 opt]# /opt/vdt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile
- Check the results in /etc/grid-security/grid-mapfile. If there is no problem, start the cron service
[root@rocks-96 vdt]# source setup.sh
[root@rocks-96 vdt]# vdt-control --on edg-mkgridmap
enabling cron service edg-mkgridmap... no crontab for root
ok
[root@rocks-96 vdt]# crontab -l
18 1,7,13,19 * * * /opt/vdt/edg/sbin/edg-mkgridmap >> /opt/vdt/edg/log/edg-mkgridmap.log 2>&1
Note - the "no crontab for root" error can be ignored.
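One way to do the "check the results" step in code, as an added example (not part of this page and not edg-mkgridmap's own tooling): it parses a grid-mapfile and flags malformed lines, DNs that appear more than once (the first matching line is the default mapping, so later ones deserve a look) and mappings onto accounts that are not in the set of local accounts you pass in. The sample file is constructed; only Cindy Zheng's DN is taken from the voms-proxy-init test later on this page.

```python
# Added example (not the page's own tooling): sanity-check a grid-mapfile produced by
# edg-mkgridmap before enabling its cron job. Flags malformed lines, DNs listed more
# than once (the first matching line is the default mapping) and unknown local accounts.
import re

LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')            # "/C=.../CN=..." account[,account...]

def check_gridmap(text, local_accounts):
    """Return [(line number, problem)] for the grid-mapfile content given as text."""
    problems, first_seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments are fine
            continue
        m = LINE.match(line)
        if not m:
            problems.append((n, "malformed line: " + raw))
            continue
        dn, accounts = m.group(1), m.group(2).split(",")
        if dn in first_seen:
            problems.append((n, f"DN already mapped on line {first_seen[dn]}: {dn}"))
        first_seen.setdefault(dn, n)
        for acct in accounts:
            if acct not in local_accounts:
                problems.append((n, f"unknown local account {acct!r} for {dn}"))
    return problems

# Constructed sample; only the first DN is taken from the voms-proxy-init test on this page.
SAMPLE = '''"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc" pragmauser
"/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Some User" afguser
"/C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc" afguser
"/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Other User" nosuchuser
/DC=NET/DC=PRAGMA-GRID/OU=Example/CN=Unquoted User pragmauser
'''

if __name__ == "__main__":
    import pwd                                       # live run: local accounts from passwd
    local = {p.pw_name for p in pwd.getpwall()}
    with open("/etc/grid-security/grid-mapfile") as f:
        for n, msg in check_gridmap(f.read(), local):
            print(f"line {n}: {msg}")
```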
- Install VOMS-Client
[root@rocks-96 vdt]# pacman -get http://vdt.cs.wisc.edu/vdt_1100_cache:VOMS-Client
- Create /opt/vdt/glite/etc/vomses/PRAGMA file as
[root@rocks-96 glite]# cat /opt/vdt/glite/etc/vomses/PRAGMA
"PRAGMA" "vomrs-pragma.sdsc.edu" "15001" "/DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=vomrs-pragma.sdsc.edu" "PRAGMA" "https://vomrs-pragma.sdsc.edu:443/vomrs/PRAGMA/services/VOMRS?WSDL"
- Add VDT software path to pragma profile
Add "source /opt/vdt/setup.sh" in /etc/profile.d/pragma.sh.
- Test VOMS client
Login to a VO group user account. For example, if user Cindy Zheng is a member of PRAGMA/USERS group,
[zhengc@rocks-96 ~]$ voms-proxy-init -voms PRAGMA -order /PRAGMA/USERS
Enter GRID pass phrase:
Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc
Creating temporary proxy ..................................................... Done
Contacting vomrs-pragma.sdsc.edu:15001 [/DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=vomrs-pragma.sdsc.edu] "PRAGMA" Done
Creating proxy ................................. Done
Your proxy is valid until Fri Aug 22 02:26:38 2008
That's it. Congratulations!
