<!-- keep this as a security measure:
#uncomment if the subject should only be modifiable by the listed groups
#   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
#   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
#uncomment this if you want the page only be viewable by the listed groups
#   * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup
-->
%TOC%

This page is an up-to-date version of ObtainingHostCertificates

---+ %ICON{todo}% Obtaining host certificates for Grid servers

Certificates now again come from QuoVadis. Their services have been contracted by SwiNG (now EnhanceR), and the University of Berne is our liaison for the service.

The way to order new host certificates is described here: https://wiki.chipp.ch/twiki/bin/view/CmsTier3/GridHostCert

---+ Certificates for LDAP service and LDAP clients

The LDAP service and client certificates are special in the sense that they are based upon our own Tier-3 CA: when the Tier-3 was founded there was no possibility to have the identity management included in the central AD (same as for SLS), and we had many external users. Also, we wanted to manage grid user attributes like the X.509 grid certificate DN in the LDAP database to automate tasks (e.g. automatic generation of authorization configurations for the grid storage). We are still running the LDAP server as of 2020, and should consider integration with the PSI AD.

The machinery for using the Tier-3 CA is located on the t3admin02 node in =/root/clusteradmin/etc/cluster-ca=. You will find a readme there containing

<verbatim>
Use the cluster-ca.sh script to produce the certificate. The config files
are already prepared. Just use something like

   ./cluster-ca.sh -r ./pki -s t3admin01.psi.ch

The certificates are then found under the ./pki/certs directory.
You may have to first remove any old cert and csr files for that node
(e.g. if you want to renew). The script will tell you.

Derek

cluster-ca.sh help text:
-------------------------------
Synopsis:
   cluster-ca.sh [options] --rootca
   cluster-ca.sh [options] -s server.domain.org

Options:
   -r path      : Path to repository directory (/root/clusteradmin/etc/cluster-ca/test-CA)
   -s hostname  : server hostname for which to produce a cert
   -t template  : template SSL config name to use for producing server
                  request and cert files (default.cnf)
   -d           : debug mode

E.g. For producing a Certificate for our LDAP master server:
First copy away the old cert
/root/clusteradmin/etc/cluster-ca/pki/certs/t3admin01.psi.ch-cert.pem
(leave the key in place!!!), and then run

   ./cluster-ca.sh -r ./pki -s t3admin01.psi.ch
</verbatim>

---++ Producing a certificate for the LDAP service

On t3admin02 go to the following directory
<pre>cd /root/clusteradmin/etc/cluster-ca</pre>

Ensure that the CA root certificate is still OK:
<pre>
openssl x509 -in /root/clusteradmin/etc/cluster-ca/pki/rootca/rootca-cert.pem -dates -subject -noout
notBefore=Apr 1 12:16:43 2019 GMT
notAfter=Mar 30 12:16:43 2024 GMT
subject= /C=CH/ST=Aargau/L=Villigen/O=PSI/CN=PSI CMS Tier-3 Cluster Root CA
</pre>

The CA root certificate is distributed to all client nodes (basically all cluster nodes). Without it, our CA will not be accepted on the nodes. If the CA root certificate needs to be regenerated, *you must copy it to all the client nodes (and also to the LDAP server)*.
   * for SL6 nodes that use =nslcd=: copy it to =/etc/openldap/certs/08a2f47c.0= (the filename is the subject hash obtained with =openssl x509 -noout -hash -in rootca-cert.pem=, with a =.0= suffix).
   * for SL7 nodes using =sssd=: copy it to =/etc/openldap/cacerts/cacert.pem=

Now we can generate the new service certificate for LDAP (or for another service).
<pre>
cd /root/clusteradmin/etc/cluster-ca
# move the old cert and the old csr (signing request) away. Usually you should keep the existing key!!!
mv pki/certs/t3ldap01.psi.ch-cert.pem pki/certs/OLD-CERTS/t3ldap01.psi.ch-cert.pem.till20190715
mv pki/certs/t3ldap01.psi.ch-csr.pem  pki/certs/OLD-CERTS/t3ldap01.psi.ch-csr.pem.till20190715
# generate the cert
./cluster-ca.sh -r ./pki -s t3ldap01.psi.ch
</pre>

The resulting certificate will be generated under =./pki/certs=. The signing is done with the root CA certificate that is stored within =pki/rootca=, based on the template in =pki/template=.
<pre>
Note: Conf file (./pki/certs/t3ldap01.psi.ch.cnf) already exists for this server. Will use old one
Note: Keyfile (./pki/certs/t3ldap01.psi.ch-key.pem) already exists. Using old one
/usr/bin/openssl req -new -key ./pki/certs/t3ldap01.psi.ch-key.pem -sha256 -out ./pki/certs/t3ldap01.psi.ch-csr.pem -config ./pki/certs/t3ldap01.psi.ch.cnf
/usr/bin/openssl x509 -req -in ./pki/certs/t3ldap01.psi.ch-csr.pem -sha256 -extfile ./pki/certs/t3ldap01.psi.ch.cnf -extensions certificate_extensions -CA ./pki/rootca/rootca-cert.pem -CAkey ./pki/rootca/rootca-key.pem -CAcreateserial -passin file:./pki/rootca/rootca.pwd -out ./pki/certs/t3ldap01.psi.ch-cert.pem -days 365
Signature ok
subject=/C=CH/ST=Aargau/L=Villigen/O=PSI CMS Tier-3/CN=t3ldap01.psi.ch
Getting CA Private Key
subject= /C=CH/ST=Aargau/L=Villigen/O=PSI CMS Tier-3/CN=t3ldap01.psi.ch
notBefore=Jul 15 09:51:59 2019 GMT
notAfter=Jul 14 09:51:59 2020 GMT
issuer= /C=CH/ST=Aargau/L=Villigen/O=PSI/CN=PSI CMS Tier-3 Cluster Root CA
</pre>

Then copy the certificate (and potentially also the key, if you changed it) to the LDAP service:
<pre>scp /root/clusteradmin/etc/cluster-ca/pki/certs/t3ldap01.psi.ch-cert.pem t3ldap01:/etc/pki/tls/certs/slapd-cert.pem</pre>

The location of the LDAP service certificate is defined in the =slapd= configuration file =/etc/openldap/slapd.conf=.

Log in to the LDAP server and confirm that the dates look right:
<pre>openssl x509 -in /etc/pki/tls/certs/slapd-cert.pem -subject -dates -noout</pre>

Restart ldap to make it reread its certificate and key:
<pre>/etc/init.d/ldap restart</pre>

*From any client node* (e.g. a UI) test whether the certificate is active in the service by using openssl to retrieve and interpret the certificate directly from the service:
<pre>echo | openssl s_client -connect t3ldap01.psi.ch:636 2> /dev/null | openssl x509 -subject -dates -noout</pre>

-- Main.DerekFeichtinger - 2019-07-15
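The following script is an added example and is not part of this page or of the cluster-ca.sh script. It wraps the openssl checks behind the two steps above that are easy to get wrong: the root-CA distribution (which filename the hashed cert directory expects, and whether the root cert is about to expire) and the final verification of a service certificate (does it chain to our root CA, and is it really the cert issued for that host). To run offline it builds a throwaway root CA and host cert in a temporary directory that mirrors the =pki/rootca= / =pki/certs= layout; the hostname =ldap01.example.org=, the organisation name and all function names are constructed for the example. It goes slightly beyond the page by also checking the negative case, i.e. that a certificate signed by a foreign CA is rejected, and by using =-checkend= to warn before a certificate expires rather than only printing its dates.

```shell
#!/bin/sh
# Added example, not part of the original wiki page or of cluster-ca.sh.
# Builds a throwaway CA plus service cert under a temporary directory that
# mirrors pki/rootca and pki/certs, then runs the checks an admin wants
# around the "Producing a certificate" procedure. All names are constructed.
set -eu

# File name OpenSSL looks for when a CA cert is dropped into a hashed cert
# directory (the page's /etc/openldap/certs/08a2f47c.0): subject hash + ".0".
cacert_hash_name() {
    printf '%s.0\n' "$(openssl x509 -noout -hash -in "$1")"
}

# Succeeds only if certificate $1 is still valid for at least $2 more days.
# Suitable as a cron check so neither the root CA nor slapd's cert expires unnoticed.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Succeeds only if service cert $2 chains to root CA cert $1, which is what
# nslcd/sssd on a client will require once the root cert is installed there.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# CN of a certificate, to confirm the cert copied to the LDAP host is the one
# issued for that host and not a stale or foreign one.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Same check as the page's final step, run from a client: print subject and
# dates of the cert the running service presents on port 636.
# Needs network access, so it is not exercised in the demo below.
live_service_cert() {
    echo | openssl s_client -connect "$1:636" 2>/dev/null \
        | openssl x509 -subject -dates -noout
}

# Build a throwaway repository under $1 for host $2: a fresh root CA signs
# the host cert (short lifetimes, test material only).
make_demo_pki() {
    mkdir -p "$1/rootca" "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=CH/O=Example Tier-3/CN=Example Cluster Root CA" \
        -keyout "$1/rootca/rootca-key.pem" -out "$1/rootca/rootca-cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CH/O=Example Tier-3/CN=$2" \
        -keyout "$1/certs/$2-key.pem" -out "$1/certs/$2-csr.pem" 2>/dev/null
    openssl x509 -req -in "$1/certs/$2-csr.pem" -sha256 -days 10 \
        -CA "$1/rootca/rootca-cert.pem" -CAkey "$1/rootca/rootca-key.pem" \
        -CAcreateserial -out "$1/certs/$2-cert.pem" 2>/dev/null
}

# Demo run on the constructed material.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo/pki" ldap01.example.org
ca=$demo/pki/rootca/rootca-cert.pem
leaf=$demo/pki/certs/ldap01.example.org-cert.pem

echo "install root CA on nslcd clients as: $(cacert_hash_name "$ca")"
cert_valid_for_days "$ca" 7    && echo "root CA still valid for 7+ days"
cert_valid_for_days "$leaf" 30 || echo "WARNING: service cert expires within 30 days"
cert_chains_to_ca "$ca" "$leaf" && echo "service cert $(cert_cn "$leaf") chains to the root CA"
```

On the real cluster the functions would be pointed at =pki/rootca/rootca-cert.pem= and =pki/certs/t3ldap01.psi.ch-cert.pem= on t3admin02, and =live_service_cert t3ldap01.psi.ch= reproduces the client-side check from the last step of the procedure.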
Topic revision: r6 - 2020-06-09 - DerekFeichtinger