====== GROW Certificates ======

===== GROW Certificate Information =====

Here is a list of the certificates that we use here at GROW.

==== grow-grid.its.uiowa.edu ====

^ File Name ^ Location ^ Permissions ^ Owner ^
| hostcert.pem | /etc/grid-locations | 444 | root:root |
| hostkey.pem | /etc/grid-locations | 400 | root:root |
| containercert.pem | /etc/grid-locations | 444 | daemon:daemon |
| containerkey.pem | /etc/grid-locations | 400 | daemon:daemon |
| rsvrcert.pem | /etc/grid-locations/rsv | 444 | rsv:users |
| rsvkey.pem | /etc/grid-locations/rsv | 400 | rsv:users |
| httpcert.pem | /etc/grid-locations/http | 444 | tomcat:daemon |
| httpkey.pem | /etc/grid-locations/http | 400 | tomcat:daemon |
| bestmancert.pem | /etc/grid-locations/bestman | 444 | bestman:root |
| bestmankey.pem | /etc/grid-locations/bestman | 400 | bestman:root |

==== dynes-fdt.physics.uiowa.edu ====

^ File Name ^ Location ^ Permissions ^ Owner ^
| dynes-fdt.physics.uiowa.educert.pem | /home/admin | 444 | admin:admin |
| dynes-fdt.physics.uiowa.edukey.pem | /home/admin | 400 | admin:admin |

==== dynes-idc.net.uiowa.edu ====

^ File Name ^ Location ^ Permissions ^ Owner ^
| dynes-idc.net.uiowa.educert.pem | /home/admin | 444 | admin:admin |
| dynes-idc.net.uiowa.edukey.pem | /home/admin | 400 | admin:admin |

The Certificate Scripts Package must be installed in order to install certificates! Check [[https://www.opensciencegrid.org/bin/view/Documentation/Release3/GetHostServiceCertificates#Requirements|here]] for requirements before continuing.

===== Requesting Certificates =====

[[https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/GetHostServiceCertificates|Here]] are the official instructions to retrieve host certificates.
The cert-request script will prompt you for:

  * Reason for request
  * Administrator's name
  * Full hostname of server
  * Administrator's email
  * Phone number
  * Choose a registration authority (choose OSG)
  * Choose a VO (choose CMS or OSG)
  * Confirmation that you are authorized to install the certificate on the host

If the script runs without error, you will then be given a certificate request id which can be used to match the response email to a particular certificate request. You will also have two files in your current directory (where hostname is replaced with the hostname you supplied to the script):

  * hostnamekey.pem
  * hostname.req

Now you must wait for a response from DOEGrids which will contain a serial code needed to retrieve the certificate.

Certificate renewal is the same process as requesting a new certificate.

===== View Certificate Information =====

Be sure to change "hostcert.pem" to the name and location of the certificate you wish to work with.

==== openssl method ====

You can view the expiration of certificates by running this command.

<code>
[user@grow-grid grid-security]# openssl x509 -in /etc/grid-security/hostcert.pem -subject -issuer -dates -noout
subject= /DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
issuer= /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
notBefore=Jul 14 14:57:09 2011 GMT
notAfter=Jul 13 14:57:09 2012 GMT
</code>

==== grid-cert-info method ====

This method requires the Certificate Scripts Package to be installed.

<code>
[user@grow-grid grid-security]# grid-cert-info -file ./hostcert.pem
</code>

====== Host Certificate ======

===== Request Host =====

Submit a request for a host certificate.

<code>
[root@grow-grid grid-security]# cert-request -ou s -dir . -label grow-grid.its.uiowa.edu
</code>

===== Retrieve Host =====

Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate by running this command.

<code>
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu -dir . -prefix grow-grid.its.uiowa.edu
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0xYYYY
Checking that the certificate and ./grow-grid.its.uiowa.edukey.pem match
writing RSA key
./grow-grid.its.uiowa.educert.pem and ./grow-grid.its.uiowa.edukey.pem now contain your new credential
</code>

===== Verify Host =====

Check to make sure the certificate matches your machine hostname.

<code>
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=rsv/grow-grid.its.uiowa.edu
</code>

Now execute:

<code>
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
</code>

===== Edit Host =====

Change the certificate and key names to hostcert.pem and hostkey.pem and edit the file permissions.

<code>
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/hostcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/hostcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/hostkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/hostkey.pem
</code>

====== Container Certificate ======

We will use the host certificate as the container certificate. This is the only instance where using a copy of the host certificate is allowed.

<code>
[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.educert.pem /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# cp /etc/grid-security/grow-grid.its.uiowa.edukey.pem /etc/grid-security/containerkey.pem
</code>

Change ownership on the container certificate.

<code>
[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containercert.pem
[root@grid-0-0 ~]# chown daemon:daemon /etc/grid-security/containerkey.pem
</code>

====== HTTP Service Certificate ======

===== Request HTTP =====

<code>
[root@grow-grid grid-security]# cert-request -ou s -service http -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-http
</code>

===== Retrieve HTTP =====

<code>
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYYY -label grow-grid.its.uiowa.edu-http -dir . -prefix grow-grid.its.uiowa.edu-http
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11526
Checking that the certificate and ./grow-grid.its.uiowa.edu-httpkey.pem match
writing RSA key
previous ./grow-grid.its.uiowa.edu-httpkey.pem exists
previous ./grow-grid.its.uiowa.edu-httpkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-httpkey.pem' and `./grow-grid.its.uiowa.edu-httpkey.pem' are the same file
./grow-grid.its.uiowa.edu-httpcert.pem and ./grow-grid.its.uiowa.edu-httpkey.pem now contain your new credential
</code>

===== Verify HTTP =====

Check to make sure the certificate matches your machine hostname.

<code>
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-httpcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=http/grow-grid.its.uiowa.edu
</code>

Now execute:

<code>
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
</code>

The host name in the certificate subject (after CN=http/) should match the output of hostname -f.

===== Edit HTTP =====

Change the certificate and key names to httpcert.pem and httpkey.pem and edit the file permissions and ownerships.

<code>
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpcert.pem /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/http/httpcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-httpkey.pem /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/http/httpkey.pem
[root@grow-grid ~]# chown tomcat:daemon /etc/grid-security/http/http*
</code>

====== RSV Service Certificate ======

===== Request RSV =====

<code>
[root@grow-grid grid-security]# cert-request -ou s -service rsv -host grow-grid.its.uiowa.edu -dir . -label grow-grid.its.uiowa.edu-rsv
</code>

===== Retrieve RSV =====

Once you have a reply from DOEGrids with a serial number in 0xYYYY format you can retrieve the certificate by running this command.

<code>
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYY -label grow-grid.its.uiowa.edu-rsv -dir . -prefix grow-grid.its.uiowa.edu-rsv
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11507
Checking that the certificate and ./grow-grid.its.uiowa.edu-rsvkey.pem match
writing RSA key
previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists
previous ./grow-grid.its.uiowa.edu-rsvkey.pem exists, overwrite? (N,y): y
mv: `./grow-grid.its.uiowa.edu-rsvkey.pem' and `./grow-grid.its.uiowa.edu-rsvkey.pem' are the same file
./grow-grid.its.uiowa.edu-rsvcert.pem and ./grow-grid.its.uiowa.edu-rsvkey.pem now contain your new credential
</code>

===== Verify RSV =====

Check to make sure the certificate matches your machine hostname.

<code>
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-rsvcert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=grow-grid.its.uiowa.edu
</code>

Now execute:

<code>
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
</code>

The host name in the certificate subject should match the output of hostname -f.

===== Edit RSV =====

Change the certificate and key names to rsvcert.pem and rsvkey.pem, place them in /etc/grid-security/rsv, and edit the file ownership and permissions.
<code>
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvcert.pem /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# mv /etc/grid-security/grow-grid.its.uiowa.edu-rsvkey.pem /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid ~]# chmod 444 /etc/grid-security/rsv/rsvcert.pem
[root@grow-grid ~]# chmod 400 /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvkey.pem
[root@grow-grid grid-security]# chown rsv:root /etc/grid-security/rsv/rsvcert.pem
</code>

====== Bestman Service Certificate ======

The bestman service certificate will be used by the bestman user and stored at grow-grid.its.uiowa.edu:/etc/grid-security/bestman.

===== Request Bestman =====

<code>
[root@grow-grid bestman]# cert-request -ou s -service bestman -host grow-grid.its.uiowa.edu -label bestman-grow-grid.its.uiowa.edu-bestman
</code>

===== Retrieve Bestman =====

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.

<code>
[root@grow-grid grid-security]# cert-retrieve -serial 0xYYYYY -label grow-grid.its.uiowa.edu-bestman -dir . -prefix grow-grid.its.uiowa.edu-bestman
</code>

===== Verify Bestman =====

Check to make sure the certificate matches your machine hostname.

<code>
[root@grow-grid grid-security]# grid-cert-info -file ./grow-grid.its.uiowa.edu-bestmancert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=bestman/grow-grid.its.uiowa.edu
</code>

Now execute:

<code>
[root@grow-grid grid-security]# hostname -f
grow-grid.its.uiowa.edu
</code>

The host name in the certificate subject (after CN=bestman/) should match the output of hostname -f.
===== Edit Bestman =====

Move the certificate and key to the bestman directory and change the owner/permissions as such:

<code>
[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmancert.pem bestman/bestmancert.pem
[root@grow-grid grid-security]# mv grow-grid.its.uiowa.edu-bestmankey.pem bestman/bestmankey.pem
[root@grow-grid grid-security]# chown bestman:root bestman/bestman*
[root@grow-grid bestman]# chmod 400 /etc/grid-security/bestman/bestmankey.pem
[root@grow-grid bestman]# chmod 444 /etc/grid-security/bestman/bestmancert.pem
</code>

====== DYNES FDT Host Certificate ======

Here is how to view the certificate information if it already exists:

<code>
[admin@dynes-fdt ~]$ openssl x509 -in /home/admin/dynes-fdt.physics.uiowa.educert.pem -text -noout
</code>

===== Request FDT Host =====

I am using grow-grid to request certificates for the DYNES equipment in hopes that I will not have to install OSG software on the DYNES equipment.

Submit a request for a certificate.

<code>
[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-fdt.physics.uiowa.edu
</code>

===== Retrieve FDT Host =====

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.

<code>
[dsquires@grow-grid ~]$ cert-retrieve -serial 0xYYYYY -label dynes-fdt.physics.uiowa.edu -dir . -prefix dynes-fdt.physics.uiowa.edu
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11508
Checking that the certificate and ./dynes-fdt.physics.uiowa.edukey.pem match
writing RSA key
previous ./dynes-fdt.physics.uiowa.edukey.pem exists
previous ./dynes-fdt.physics.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-fdt.physics.uiowa.edukey.pem' and `./dynes-fdt.physics.uiowa.edukey.pem' are the same file
./dynes-fdt.physics.uiowa.educert.pem and ./dynes-fdt.physics.uiowa.edukey.pem now contain your new credential
</code>

===== Verify FDT Host =====

Check to make sure the certificate matches your machine hostname.

<code>
[user@grow-grid ~]$ grid-cert-info -file ./dynes-fdt.physics.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-fdt-physics.uiowa.edu
</code>

Now execute:

<code>
[admin@dynes-fdt ~]$ hostname -f
dynes-fdt.physics.uiowa.edu
</code>

The host name in the certificate subject should match the output of hostname -f.

===== Edit FDT Host =====

Move the certificate and key to the FDT server. These files will be kept in /home/admin.

<code>
[dsquires@grow-grid ~]$ scp dynes-fdt.physics.uiowa.edu* admin@dynes-fdt.physics.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-fdt.physics.uiowa.educert.pem          100% 1574     1.5KB/s   00:00
dynes-fdt.physics.uiowa.edukey.pem           100% 1675     1.6KB/s   00:00
</code>

Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-fdt.physics.uiowa.educert.pem, and 400 for dynes-fdt.physics.uiowa.edukey.pem.

<code>
[admin@dynes-fdt ~]$ ls -lh
total 8.0K
-rw-r--r-- 1 admin admin 1.6K Jul  3 16:41 dynes-fdt.physics.uiowa.educert.pem
-rw------- 1 admin admin 1.7K Jul  3 16:41 dynes-fdt.physics.uiowa.edukey.pem
</code>

====== DYNES IDC Host Certificate ======

Here is how to view the certificate information if it already exists:

<code>
[admin@dynes-idc ~]$ openssl x509 -in /home/admin/dynes-idc-vm1.net.uiowa.educert.pem -text -noout
</code>

===== Request IDC Host =====

I am using grow-grid to request certificates for the DYNES equipment in hopes that I will not have to install OSG software on the DYNES equipment.

Request the certificate.

<code>
[user@grow-grid ~]# cert-request -ou s -dir . -label dynes-idc.net.uiowa.edu
</code>

===== Retrieve IDC Host =====

Once you have a confirmation, you can retrieve the certificate using the serial number sent in the confirmation email.
<code>
[user@grow-grid ~]$ cert-retrieve -serial 0xYYYYY -label dynes-idc-vm1.net.uiowa.edu -dir . -prefix dynes-idc-vm1.net.uiowa.edu
checking CertLib version, V2-7, This is the latest version, released 18 May 2009.
using CA doegrids
Using URL https://pki1.doegrids.org/displayBySerial?op=displayBySerial&serialNumber=0x11509
Checking that the certificate and ./dynes-idc-vm1.net.uiowa.edukey.pem match
writing RSA key
previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists
previous ./dynes-idc-vm1.net.uiowa.edukey.pem exists, overwrite? (N,y): y
mv: `./dynes-idc-vm1.net.uiowa.edukey.pem' and `./dynes-idc-vm1.net.uiowa.edukey.pem' are the same file
./dynes-idc-vm1.net.uiowa.educert.pem and ./dynes-idc-vm1.net.uiowa.edukey.pem now contain your new credential
</code>

===== Verify IDC Host =====

Check to make sure the certificate matches your machine hostname.

<code>
[user@grow-grid ~]$ grid-cert-info -file ./dynes-idc-vm1.net.uiowa.educert.pem -subject
/DC=org/DC=doegrids/OU=Services/CN=dynes-idc-vm1.net.uiowa.edu
</code>

Now execute this command on the IDC server:

<code>
[admin@dynes-idc ~]$ hostname -f
dynes-idc-vm1.net.uiowa.edu
</code>

The host name in the certificate subject should match the output of hostname -f.

===== Edit IDC Host =====

Move the certificate and key to the IDC server. These files will be kept in /home/admin.

<code>
[user@grow-grid ~]$ scp dynes-idc-vm1.net.uiowa.edu* admin@dynes-idc.net.uiowa.edu:/home/admin
DYNES Authorized Use Only
dynes-idc-vm1.net.uiowa.educert.pem          100% 1562     1.5KB/s   00:00
dynes-idc-vm1.net.uiowa.edukey.pem           100% 1675     1.6KB/s   00:00
</code>

Verify that the key and certificate are owned by admin:admin and that the permissions are 444 for dynes-idc-vm1.net.uiowa.educert.pem, and 400 for dynes-idc-vm1.net.uiowa.edukey.pem.
<code>
[admin@dynes-idc ~]$ ls -lh
total 8.0K
-rw-r--r-- 1 admin admin 1.6K Jul  3 15:37 dynes-idc-vm1.net.uiowa.educert.pem
-rw------- 1 admin admin 1.7K Jul  3 15:37 dynes-idc-vm1.net.uiowa.edukey.pem
</code>

====== Notes ======

====== Contact Info ======

This Dokuwiki page is maintained by:\\
Daniel Squires\\
University of Iowa\\
Department of Computer Science\\
Email:
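Added here as an example, not part of the original wiki page: a POSIX shell audit that checks an installed certificate/key pair against the conventions used in the tables and the Verify/Edit steps above (mode 444 for the certificate, 400 for the key, the expected owner, the key actually belonging to the certificate, and the subject CN matching hostname -f, with the service prefix stripped for service certificates). It assumes GNU stat and openssl on the host; the function names and the 30-day expiry warning are this example's own choices.

```shell
# Added example, not from the GROW wiki: audit an installed credential pair against the
# conventions on this page (cert 444, key 400, expected owner, CN matching `hostname -f`).
# Assumes GNU stat and openssl on the host; service certs carry CN=<service>/<host>.

# Return the host part of the CN from a subject line, in either the legacy slash form
# ("subject= /DC=org/.../CN=http/host") or RFC2253 form ("subject=CN=host,OU=...").
cn_host_from_subject() {
    case $1 in *CN=*) ;; *) return 1 ;; esac
    cn=${1##*CN=}                 # text after the last "CN="
    cn=${cn%%,*}                  # RFC2253: drop trailing ",OU=..." components
    printf '%s\n' "${cn#*/}"      # "http/host" -> "host"; a plain host is unchanged
}

# check_file PATH MODE USER:GROUP -> prints OK/BAD, returns 1 on any mismatch.
check_file() {
    f=$1; want_mode=$2; want_owner=$3
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    got_mode=$(stat -c '%a' "$f"); got_owner=$(stat -c '%U:%G' "$f")
    if [ "$got_mode" = "$want_mode" ] && [ "$got_owner" = "$want_owner" ]; then
        echo "OK      $f ($got_mode $got_owner)"
    else
        echo "BAD     $f (have $got_mode $got_owner, want $want_mode $want_owner)"; return 1
    fi
}

# audit_credential CERT KEY USER:GROUP -> permissions, ownership, key/cert pairing,
# CN vs hostname, and a 30-day expiry warning. Returns 1 if anything is wrong.
audit_credential() {
    cert=$1; key=$2; owner=$3; rc=0
    check_file "$cert" 444 "$owner" || rc=1
    check_file "$key"  400 "$owner" || rc=1
    # The key must belong to the certificate: compare the public keys they derive.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "BAD     $key is not the private key for $cert"; rc=1
    fi
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    host=$(cn_host_from_subject "$subject") || { echo "BAD     no CN in $cert"; rc=1; }
    if [ -n "$host" ] && [ "$host" != "$(hostname -f)" ]; then
        echo "BAD     CN host '$host' does not match $(hostname -f)"; rc=1
    fi
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || echo "WARN    $cert expires within 30 days (see the openssl -dates check above)"
    return $rc
}

# Run as root on grow-grid, one call per row of the certificate table on this page, e.g.:
# audit_credential /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem root:root
# audit_credential /etc/grid-security/http/httpcert.pem /etc/grid-security/http/httpkey.pem tomcat:daemon
```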