[gin-auth] The new VOMS Server for GIN is active from now

Oscar Koeroo okoeroo at nikhef.nl
Sat Mar 4 18:24:50 CST 2006


Hi Cindy,

You didn't do anything wrong. The VOMS Admin doesn't allow 
unauthenticated access to the service. I think you've used a 
certificate signed by the SDSC CA. That CA is not (correct me if I'm 
very wrong) within the IGTF accredited CAs and thus it was not supported.

To comfort you and others using the SDSC CA, I've manually added the 
trust in that CA on the VOMS services.

I hope this additional CA to the service is exceptional. Personally I do 
advise to only use CA certificates within the accreditation of the IGTF 
to ease such problems around the world. But, I guess that this could be 
hard to achieve within a few days if you don't have the 'right' 
certificates yet.

You don't need to import the VOMS host cert. You should install the 
NIKHEF CA file into your preferred browser (to kill the warning/error 
and) to mutually trust the connection.
This page might be helpful: http://marianne.in2p3.fr/ca/ca-table-ca.html



Cheers,

    Oscar


Cindy Zheng wrote:

>Hi, Oscar Koeroo and gin-auth team,
>
>Thank you for setting up VO for GIN testbed!
>
>Erwin suggested that I contact gin-auth for VO questions
>and problems. First, let me spill all the related 
>background info to make sure that we are on the same page.
> 
>You probably already know about this, that PRAGMA Grid 
>and Teragrid had started a GIN experiment, running a grid 
>application on a few PRAGMA grid clusters and a TeraGrid 
>cluster. In the immediate next step, we want to include 
>one or more Imperial College (EGEE) clusters in this 
>application run.
>
>As we have found out in our first round effort, trying to 
>run an application across a grid boundary, the first issue 
>is authentication. Our application drivers, certified by 
>AIST, SDSC, need access to clusters of all GIN testbed 
>resources. In the case of TeraGrid and PRAGMA grid, PRAGMA 
>grid already accepts AIST and SDSC CAs and TeraGrid already 
>accepts the SDSC CA, but did not yet accept the AIST CA. AIST CA is 
>signed by APGrid PMA, a member of IGTF. The solution was 
>then decided by TeraGrid to accept the AIST CA on the cluster 
>involved, while working on a formal process of accepting 
>AIST's CA TeraGrid-wise.
>
>Now on to EGEE. My basic question is how can we
>accomplish the same goal here? From the application drivers'
>point of view, we need the certificate files (~.0, 
>~.signing_policy) of the CA who signs Imperial College 
>personal/resources certificates. We need to install them on
>the globus client side. On the other end, we need Imperial 
>College resources to accept AIST and SDSC certificates
>(http://pragma-goc.rocksclusters.org/pragma-doc/resources.html).
>Is VO registration a solution to all or part of these?
>I thought to find some answers by accessing the VO site, 
>but failed. This leads to more detailed questions about
>VO site access:
>I'm new to the VO registration process. I tried to access 
>the URLs given in your email using either Firefox or IE, 
>with my personal certificate (signed by SDSC/NPACI) 
>imported, but the browsers do not recognize the CA 
>of your site. When I accept your cert anyway, I still 
>get rejected by the site. Do I need to import 
>dec-2005-kuiken.nikhef.nl.pem into the website cert list in 
>my browser? If so, could you give me the p12 version? 
>Without the key, I cannot convert it to p12 format and 
>the browsers do not take pem format. Also, maybe I need 
>to add your CA to the trusted CA list in my browser? Which
>CA?
>
>Thanks in advance for your help,
>
>Cindy
>
>-----Original Message-----
>From: Erwin Laure [mailto:Erwin.Laure at cern.ch] 
>Sent: Saturday, March 04, 2006 7:37 AM
>To: zhengc at sdsc.edu
>Cc: 'Olivier van der Aa'; 'Philip Papadopoulos'; 'Catlett Charlie';
>'David Colling'; m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp;
>'Yusuke Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>fplin at nchc.org.tw; 'Mason Katz'
>Subject: Re: E-intro and getting some Gin.
>
>Hi Cindy,
>
>I suggest you address your question about the VO to gin-auth at ggf.org. If
>there are problems this group should resolve them for everybody rather 
>than us trying to do it only bilaterally.
>
>The important point I think is that each site should recognize all the 
>IGTF approved CAs. Then we should not have problems, but I'm not a 
>security expert.
>
>Cheers,
>
>-- Erwin
>
>Cindy Zheng wrote:
>
>>Thank you, Erwin and Olivier, for the info and quick response!
>>
>>Most of Olivier's questions are best answered by Yoshio and Yusuke.
>>
>>Olivier, I need the certificate files (~.0, ~.signing_policy) 
>>of the CA who signs all your personal/host certificates.
>>
>>Our CA certificate files can be obtained from the user info packs, 
>>or can be downloaded from 
>>http://pragma-goc.rocksclusters.org/pragma-doc/resources.html
>>I think you need to install AIST and SDSC CA files in your
>>system, so it will accept our user certificates.
>>
>>For the VO registration, it's a new process for me. I tried to
>>access the URLs given in Erwin's attachment using either Firefox 
>>or IE, with my personal certificate imported, but the browsers 
>>do not recognize the CA of your site. If I accept your cert 
>>anyway, I still get rejected by the site. Do I need to import 
>>dec-2005-kuiken.nikhef.nl.pem as website cert in my browser? 
>>If so, could you give me the p12 version? Without the key, 
>>I cannot convert it to p12 format and the browsers do not 
>>take pem format. Also, I think I would need to put your root
>>CA in my trusted CA list. I need to know the CA who signs your
>>site.
>>
>>Maybe I completely missed the boat :-) In that case, please
>>give me a pointer, I'll try to swim over :-)
>>
>>Thanks,
>>
>>Cindy
>>
>>
>>-----Original Message-----
>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org] 
>>On Behalf Of Oscar Koeroo
>>Sent: Friday, March 03, 2006 5:18 AM
>>To: gin-auth at ggf.org
>>Subject: [gin-auth] The new VOMS Server for GIN is active from now
>>
>>
>>Hi all,
>>
>>Trying to incorporate all ideas of the VO naming debate into a live and 
>>kicking VO-name I gave it my own twist and created 'GIN-GGF-ORG'. This 
>>VO name can be changed when we have a common agreement on the VO naming 
>>convention.
>>
>>The server is 'kuiken.nikhef.nl' which is running the EGEE/Glite VOMS 
>>services VOMS-Admin and the VOMS (core) daemon. This means that the 
>>Fully Qualified Attribute Names (FQANs) are in the format of:
>>/GIN-GGF-ORG
>>/GIN-GGF-ORG/<group 1>
>>/GIN-GGF-ORG/<group 1>/<sub group 1>
>>/GIN-GGF-ORG/Role=VO-Admin
>>/GIN-GGF-ORG/<group 1>/Role=<your role here>
>>
>>The set of CAs is compliant with the newest classic-IGTF which should be 
>>sufficient, if not, please mail me.
>>
>>
>>Registration info:
>>The URL of the website is: https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/
>>A direct link to the registration page is: 
>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/request/user/create
>>
>>Config info:
>>The link to the configuration page is: 
>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/config
>>Basically the VOMS daemon is running on port number 15050.
>>
>>For voms-proxy-init (the ~/.vomses or /opt/glite/etc/vomses/GIN-GGF-ORG 
>>file):
>>"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" 
>>"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"
>>
>>For mkgridmap.conf:
>>group vomss://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG  .GIN-GGF-ORG
>>
>>VOMS Host cert:
>>Because there's not a common way of supplying the hostcert of the VOMS 
>>server, I've attached it in the mail.
>>
>>
>>cheers,
>>
>>    Oscar "/GIN-GGF-ORG/Role=VO-Admin" Koeroo
>>
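The vomses entry and the FQAN layout quoted in Oscar's announcement are small, fixed-shape formats that are easy to mistype when copied into ~/.vomses or a gridmap configuration. The following is an added example, not code from the thread or from the gLite/VOMS project: it parses the five quoted vomses fields, checks the server DN and port, validates an FQAN against the /VO[/group...][/Role=name] layout described above, and tests for the VO-Admin role. The sample line and FQANs are constructed from the values in the mail.

```python
import shlex

# Constructed sample values, copied from the vomses entry and FQANs quoted in the thread.
VO_NAME = "GIN-GGF-ORG"
VOMSES_LINE = ('"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" '
               '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"')


def parse_vomses(line):
    """Split one vomses line into its five quoted fields:
    alias, server host, port, server certificate DN, VO name."""
    fields = shlex.split(line)  # honours the double quotes around each field
    if len(fields) != 5:
        raise ValueError("vomses line needs 5 quoted fields, got %d" % len(fields))
    alias, host, port, server_dn, vo = fields
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port %r" % port)
    if not server_dn.startswith("/"):
        # The DN is what the client compares the VOMS server certificate
        # against; a malformed one means the attribute issuer can never match.
        raise ValueError("server DN must be an OpenSSL-style DN: %r" % server_dn)
    return {"alias": alias, "host": host, "port": int(port),
            "server_dn": server_dn, "vo": vo}


def parse_fqan(fqan, vo=VO_NAME):
    """Validate an FQAN of the shape /VO[/group[/subgroup...]][/Role=name]
    and return (group_path, role), with role None when absent."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % fqan)
    parts = fqan[1:].split("/")
    if parts[0] != vo:
        raise ValueError("FQAN %r does not belong to VO %s" % (fqan, vo))
    groups, role = [parts[0]], None
    for i, part in enumerate(parts[1:], start=1):
        if not part:
            raise ValueError("empty path component in %r" % fqan)
        if part.startswith("Role="):
            # Exactly one Role= is allowed, and only as the final component.
            if i != len(parts) - 1 or part == "Role=":
                raise ValueError("malformed role in %r" % fqan)
            role = part[len("Role="):]
        elif "=" in part:
            raise ValueError("unexpected attribute %r in %r" % (part, fqan))
        else:
            groups.append(part)
    return "/" + "/".join(groups), role


def is_vo_admin(fqans, vo=VO_NAME):
    """True when any FQAN carries Role=VO-Admin directly under the VO root."""
    return any(parse_fqan(f, vo) == ("/" + vo, "VO-Admin") for f in fqans)
```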




