[gin-auth] RE: New VOMS server for GIN is active from now

Dane Skow skow at mcs.anl.gov
Mon Mar 6 16:51:50 CST 2006


Forwarding post from Cindy Zheng.
(The list is restricted to member only posts to cut down on SPAM.  
Cindy, I've signed you up. You should be getting a confirmation email  
now.)
Dane

Begin forwarded message:

>
> From: "Cindy Zheng" <zhengc at sdsc.edu>
> To: "'Oscar Koeroo'" <okoeroo at nikhef.nl>
> Cc: <gin-auth at ggf.org>
> Subject: RE: [gin-auth] The new VOMS Server for GIN is active from now
> Date: Mon, 6 Mar 2006 14:42:07 -0800
>
>
> I don't blame you, Oscar. I thought SDSC was trusted by IGTF
> - it's a part of TeraGrid! :-) So, I was shocked to learn
> it's not in IGTF yet. NPACI is really SDSC; now that the project
> has changed to TeraGrid, a new CA is set up for SDSC. But the NPACI
> CA is still in effect until next month.  Sorry for all the
> confusion. We (PRAGMA) are planning to set up our own CA
> according to the IGTF standard in April. So, a temporary solution
> for me is fine. Thanks for your help!
>
> Cindy
>
>> -----Original Message-----
>> From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>> Sent: Monday, March 06, 2006 2:22 PM
>> To: zhengc at sdsc.edu
>> Cc: gin-auth at ggf.org
>> Subject: Re: [gin-auth] The new VOMS Server for GIN is active from now
>>
>>
>> NPACI?
>>
>> I'm sorry, I'm from Europe, The Netherlands, Amsterdam,
>> NIKHEF (actually
>> living in The Hague though).
>> I have no clue about all these CAs if they're not in the IGTF :-)
>>
>> I consider all 'other' CAs outside of the IGTF exotic; they need
>> investigation of their user-registration policy before I can actually
>> put my server's trust in that trust anchor.
>> Bear with me if I don't trust your identity.
>>
>>
>> cheers,
>>
>>     Oscar
>>
>>
>> Cindy Zheng wrote:
>>
>>> Thank you, Oscar! I succeeded this morning using a new
>>> SDSC cert. I used an NPACI cert before and it's going to
>>> expire soon. So I might as well use a new SDSC cert.
>>>
>>> Cindy
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>>> Sent: Monday, March 06, 2006 6:42 AM
>>>> To: Cindy Zheng
>>>> Cc: gin-auth at ggf.org
>>>> Subject: Re: [gin-auth] The new VOMS Server for GIN is active from now
>>>>
>>>>
>>>> Hi Cindy,
>>>>
>>>> I've checked my logs, but they are inconclusive.
>>>> You didn't show up in the logs at all... pretty odd though.
>>>>
>>>> Do you get a strange error message in your browser or
>>>> something like it?
>>>> Do you get a connection to the machine? Pingable or
>>>> connectable on port 8443?
>>>>
>>>> 'failing authentication' is very vague to me. Nevertheless I want to
>>>> see/know/understand what is going on here.
>>>> If it is not working at all, you can always send your
>>>> usercert.pem file to me (privately) so that I can do the
>>>> registration manually and check if my security stuff is set up
>>>> correctly.
>>>>
>>>> At the moment we have 4 successful registrations in the VO.
>>>>
>>>>
>>>> cheers,
>>>>
>>>>    Oscar
>>>>
>>>>
>>>>
>>>>
>>>> Cindy Zheng wrote:
>>>>
>>>>
>>>>
>>>>> Hi, Oscar,
>>>>>
>>>>> I'm still failing to authenticate to the VOM site.
>>>>> Maybe you can find some clue for the cause in your logs?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Cindy
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>>>>> Sent: Saturday, March 04, 2006 4:25 PM
>>>>>> To: Cindy Zheng
>>>>>> Cc: gin-auth at ggf.org; 'Olivier van der Aa'; 'Philip
>>>>>> Papadopoulos'; 'Catlett Charlie'; 'David Colling';
>>>>>> m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp; 'Yusuke
>>>>>> Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>>>> fplin at nchc.org.tw; 'Mason Katz'
>>>>>> Subject: RE: [gin-auth] The new VOMS Server for GIN is active from now
>>>>
>>>>
>>>>>> Hi Cindy,
>>>>>>
>>>>>> You didn't do anything wrong. The VOMS Admin doesn't allow
>>>>>> unauthenticatable access to the service. I think you've used a
>>>>>> certificate signed by the SDSC CA. That CA is not (correct me if I'm
>>>>>> very wrong) within the IGTF accredited CAs and thus it was
>>>>>> not supported.
>>>>>>
>>>>>> To comfort you and others using the SDSC CA, I've manually added the
>>>>>> trust in that CA on the VOMS services.
>>>>>>
>>>>>> I hope this additional CA to the service is exceptional.
>>>>>> Personally I do
>>>>>> advise to only use CA certificates within the accreditation
>>>>>> of the IGTF
>>>>>> to ease such problems around the world. But, I guess that
>>>>>> this could be
>>>>>> hard to achieved within a few days if you don't have the 'right'
>>>>>> certificates yet.
>>>>>>
>>>>>> You don't need to import the VOMS host cert. You should install the
>>>>>> NIKHEF CA file into your preferred browser (to kill the warning/error
>>>>>> and) to mutually trust the connection.
>>>>>> This page might be helpful:
>>>>>> http://marianne.in2p3.fr/ca/ca-table-ca.html
>>>>>>
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>>   Oscar
>>>>>>
>>>>>>
>>>>>> Cindy Zheng wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hi, Oscar Koeroo and gin-auth team,
>>>>>>>
>>>>>>> Thank you for setting up the VO for the GIN testbed!
>>>>>>>
>>>>>>> Erwin suggested that I contact gin-auth for VO questions
>>>>>>> and problems. First, let me spill all the related
>>>>>>> background info to make sure that we are on the same page.
>>>>>>>
>>>>>>> You probably already know about this, that PRAGMA Grid
>>>>>>> and Teragrid had started a GIN experiment, running a grid
>>>>>>> application on a few PRAGMA grid clusters and a TeraGrid
>>>>>>> cluster. In the immediate next step, we want to include
>>>>>>> one or more Imperial College (EGEE) clusters in this
>>>>>>> application run.
>>>>>>>
>>>>>>> As we have found out in our first round effort, trying to
>>>>>>> run an application across grid boundaries, the first issue
>>>>>>> is authentication. Our application drivers, certified by
>>>>>>> AIST, SDSC, need access to clusters of all GIN testbed
>>>>>>> resources. In the case of TeraGrid and PRAGMA grid, PRAGMA
>>>>>>> grid already accepts AIST and SDSC CAs and TeraGrid already
>>>>>>> accepts SDSC CA, but did not yet accept AIST CA. AIST CA is
>>>>>>> signed by APGrid PMA, a member of IGTF. The solution was
>>>>>>> then decided by TeraGrid to accept AIST CA on the cluster
>>>>>>> involved, while working on a formal process of accepting
>>>>>>> AIST's CA TeraGrid-wise.
>>>>>>>
>>>>>>> Now comes to EGEE. My basic question is how can we
>>>>>>> accomplish the same goal here? From application drivers
>>>>>>> point of view, we need the certificate files (~.0,
>>>>>>> ~.signing_policy) of the CA who signs Imperial College
>>>>>>> personal/resources certificates. We need to install them on
>>>>>>> the globus client side. On the other end, we need Imperial
>>>>>>> College resources to accept AIST and SDSC certificates
>>>>>>> (http://pragma-goc.rocksclusters.org/pragma-doc/resources.html).
>>>>>>> Is VO registration a solution to all or part of these?
>>>>>>> I thought to find some answers by accessing the VO site,
>>>>>>> but failed. This leads to more detail questions about
>>>>>>> VO site access:
>>>>>>> I'm new to the VO registration process. I tried to access
>>>>>>> the urls given in your email using either Firefox or IE,
>>>>>>> with my personal certificate (signed by SDSC/NPACI)
>>>>>>> imported, but the browsers do not recognize the CA
>>>>>>> of your site. When I accept your cert anyway, I still
>>>>>>> get rejected by the site. Do I need to import
>>>>>>> dec-2005-kuiken.nikhef.nl.pem in the website cert list in
>>>>>>> my browser? If so, could you give me the p12 version?
>>>>>>> Without the key, I cannot convert it to p12 format and
>>>>>>> the browsers do not take pem format. Also, maybe I need
>>>>>>> to add your CA to the trusted CA list in my browser? Which
>>>>>>> CA?
>>>>>>>
>>>>>>> Thanks in advance for your help,
>>>>>>>
>>>>>>> Cindy
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Erwin Laure [mailto:Erwin.Laure at cern.ch]
>>>>>>> Sent: Saturday, March 04, 2006 7:37 AM
>>>>>>> To: zhengc at sdsc.edu
>>>>>>> Cc: 'Olivier van der Aa'; 'Philip Papadopoulos'; 'Catlett Charlie';
>>>>>>> 'David Colling'; m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp;
>>>>>>> 'Yusuke Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>>>>> fplin at nchc.org.tw; 'Mason Katz'
>>>>>>> Subject: Re: E-intro and getting some Gin.
>>>>>>>
>>>>>>> Hi Cindy,
>>>>>>>
>>>>>>> I suggest you address your question about the VO to
>>>>>>> gin-auth at ggf.org. If there are problems this group should
>>>>>>> resolve them for everybody rather than us trying to do it
>>>>>>> only bilaterally.
>>>>>>>
>>>>>>> The important point I think is that each site should recognize
>>>>>>> all the IGTF approved CAs. Then we should not have problems,
>>>>>>> but I'm not a security expert.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> -- Erwin
>>>>>>>
>>>>>>> Cindy Zheng wrote:
>>>>>>>
>>>>>>>> Thank you, Erwin and Olivier, for the info and quick response!
>>>>>>>>
>>>>>>>> Most of Olivier's questions are best answered by Yoshio and Yusuke.
>>>>>>>>
>>>>>>>> Olivier, I need the certificate files (~.0, ~.signing_policy)
>>>>>>>> of the CA who signs all your personal/host certificates.
>>>>>>>>
>>>>>>>> Our CA certificate files can be obtained from the user info packs,
>>>>>>>> or can be downloaded from
>>>>>>>> http://pragma-goc.rocksclusters.org/pragma-doc/resources.html
>>>>>>>> I think you need to install the AIST and SDSC CA files in your
>>>>>>>> system, so it will accept our user certificates.
>>>>>>>>
>>>>>>>> For the VO registration, it's a new process for me. I tried to
>>>>>>>> access the urls given in Erwin's attachment using either Firefox
>>>>>>>> or IE, with my personal certificate imported, but the browsers
>>>>>>>> do not recognize the CA of your site. If I accept your cert
>>>>>>>> anyway, I still get rejected by the site. Do I need to import
>>>>>>>> dec-2005-kuiken.nikhef.nl.pem as a website cert in my browser?
>>>>>>>> If so, could you give me the p12 version? Without the key,
>>>>>>>> I cannot convert it to p12 format and the browsers do not
>>>>>>>> take pem format. Also, I think I would need to put your root
>>>>>>>> CA in my trusted CA list. I need to know the CA who signs your
>>>>>>>> site.
>>>>>>>>
>>>>>>>> Maybe I completely missed the boat :-) In that case, please
>>>>>>>> give me a pointer, I'll try to swim over :-)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Cindy
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
>>>>>>>> On Behalf Of Oscar Koeroo
>>>>>>>> Sent: Friday, March 03, 2006 5:18 AM
>>>>>>>> To: gin-auth at ggf.org
>>>>>>>> Subject: [gin-auth] The new VOMS Server for GIN is active from now
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Trying to incorporate all ideas of the VO naming debate into
>>>>>>>> a live and
>>>>>>>> kicking VO-name I gave it my own twist and created
>>>>>>>> 'GIN-GGF-ORG'. This
>>>>>>>> VO name can be changed when we have a common agreement on the
>>>>>>>> VO naming
>>>>>>>> convention.
>>>>>>>>
>>>>>>>> The server is 'kuiken.nikhef.nl' which is running the EGEE/Glite VOMS
>>>>>>>> services VOMS-Admin and the VOMS (core) daemon. This means that the
>>>>>>>> Fully Qualified Attribute Names (FQANs) are in the format of:
>>>>>>>> /GIN-GGF-ORG
>>>>>>>> /GIN-GGF-ORG/<group 1>
>>>>>>>> /GIN-GGF-ORG/<group 1>/<sub group 1>
>>>>>>>> /GIN-GGF-ORG/Role=VO-Admin
>>>>>>>> /GIN-GGF-ORG/<group 1>/Role=<your role here>
>>>>>>>>
>>>>>>>> The set of CAs is compliant with the newest classic-IGTF
>>>>>>>> which should be
>>>>>>>> sufficient; if not, please mail me.
>>>>>>>>
>>>>>>>>
>>>>>>>> Registration info:
>>>>>>>> The URL of the website is:
>>>>>>>> https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/
>>>>>>>> A direct link to the registration page is:
>>>>>>>> https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/request/user/create
>>>>>>>>
>>>>>>>> Config info:
>>>>>>>> The link to the configuration page is:
>>>>>>>> https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/config
>>>>>>>> Basically the VOMS daemon is running on port number 15050.
>>>>>>>>
>>>>>>>> For voms-proxy-init (the ~/.vomses or
>>>>>>>> /opt/glite/etc/vomses/GIN-GGF-ORG file):
>>>>>>>> "GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"
>>>>>>>>
>>>>>>>> For mkgridmap.conf:
>>>>>>>> group vomss://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG  .GIN-GGF-ORG
>>>>>>>>
>>>>>>>> VOMS Host cert:
>>>>>>>> Because there's not a common way of supplying the hostcert of the VOMS
>>>>>>>> server, I've attached it in the mail.
>>>>>>>>
>>>>>>>>
>>>>>>>> cheers,
>>>>>>>>
>>>>>>>>  Oscar "/GIN-GGF-ORG/Role=VO-Admin" Koeroo
>>
>
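The VOMS client configuration Oscar announced (the five-field vomses line, the FQAN forms, and the mkgridmap.conf group line) is easy to get wrong when copied by hand, and the mail wrapping in the quoted thread shows the most common failure: a vomses entry split over two lines. The following Python is an example added to this archive page; it is not part of the original mails nor of the VOMS/gLite software. It parses vomses text, validates FQANs against the format given in the announcement, checks that an FQAN belongs to the configured VO, and derives the mkgridmap group line. The function names, the FQAN regular expression, the optional Capability component, and the assumption that VOMS-Admin answers on port 8443 (as in the quoted mkgridmap line) are the example's own.

```python
"""Parse and sanity-check VOMS client configuration (example code, not from
the original thread or the VOMS software). Assumes VOMS-Admin is on 8443."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the vomses entry from the announcement, on one line as
# the VOMS client expects it.
SAMPLE_VOMSES = (
    '"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" '
    '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"\n'
)

# Constructed sample: the same entry after mail wrapping split it in two,
# which is how it appears in the quoted thread and which a client must reject.
WRAPPED_VOMSES = (
    '"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050"\n'
    '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"\n'
)


@dataclass
class VomsesEntry:
    vo: str         # VO name, e.g. GIN-GGF-ORG
    host: str       # VOMS core daemon host
    port: int       # VOMS core daemon port (15050 in the announcement)
    server_dn: str  # subject DN of the VOMS host certificate
    alias: str      # alias given to voms-proxy-init


def parse_vomses(text: str) -> List[VomsesEntry]:
    """Parse vomses text: five double-quoted fields per line.

    Raises ValueError on a malformed line, which is what a line broken by
    mail wrapping becomes (fewer than five fields).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # strips the double quotes
        if len(fields) != 5:
            raise ValueError(
                f"line {lineno}: expected 5 quoted fields, got {len(fields)}")
        vo, host, port, dn, alias = fields
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"line {lineno}: bad port {port!r}")
        if not dn.startswith("/"):
            raise ValueError(f"line {lineno}: server DN must start with '/'")
        entries.append(VomsesEntry(vo, host, int(port), dn, alias))
    return entries


# One FQAN path component: VO name, group, role or capability value.
_NAME = r"[A-Za-z0-9][A-Za-z0-9._-]*"
# /<vo>[/<group>...][/Role=<role>][/Capability=<cap>]; the Capability part is
# not in the announcement but is what VOMS appends, so it is accepted here.
_FQAN_RE = re.compile(
    r"^/(?P<vo>%s)(?P<groups>(?:/%s)*)"
    r"(?:/Role=(?P<role>%s))?(?:/Capability=(?P<cap>%s))?$"
    % (_NAME, _NAME, _NAME, _NAME))


def parse_fqan(fqan: str) -> Optional[Dict[str, object]]:
    """Split an FQAN into VO, group path, role and capability; None if malformed."""
    m = _FQAN_RE.match(fqan)
    if not m:
        return None
    return {
        "vo": m.group("vo"),
        "groups": [g for g in m.group("groups").split("/") if g],
        "role": m.group("role"),
        "capability": m.group("cap"),
    }


def fqan_belongs_to(entry: VomsesEntry, fqan: str) -> bool:
    """True if the FQAN is well-formed and names the VO this entry serves."""
    parsed = parse_fqan(fqan)
    return parsed is not None and parsed["vo"] == entry.vo


def mkgridmap_group_line(entry: VomsesEntry, admin_port: int = 8443,
                         local_user: Optional[str] = None) -> str:
    """Derive the mkgridmap.conf 'group' line for this VO.

    admin_port is the VOMS-Admin port (assumed 8443 as in the thread); the
    default local user is the pool-account prefix '.<VO>' used in the mail.
    """
    if local_user is None:
        local_user = "." + entry.vo
    return f"group vomss://{entry.host}:{admin_port}/voms/{entry.vo} {local_user}"


if __name__ == "__main__":
    entry = parse_vomses(SAMPLE_VOMSES)[0]
    print(entry)
    for f in ("/GIN-GGF-ORG/Role=VO-Admin", "/GIN-GGF-ORG/prod/Role=", "GIN-GGF-ORG"):
        print(f, "->", parse_fqan(f))
    print(mkgridmap_group_line(entry))
    try:
        parse_vomses(WRAPPED_VOMSES)
    except ValueError as exc:
        print("wrapped copy rejected:", exc)
```

The VO-name check in `fqan_belongs_to` is the one worth keeping in a real client: an attribute certificate whose FQANs name a different VO than the vomses entry that was used to contact the server should be treated as a configuration error, not silently accepted.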