[gin-auth] The new VOMS Server for GIN is active from now
Oscar Koeroo
okoeroo at nikhef.nl
Mon Mar 6 16:55:30 CST 2006
Hi,

No problem to help out and ease the process. I'll be looking forward to
the permanent solution. ;-)

Oh, and while I'm at it anyway:
I've just added the (labeled at the IGTF as 'experiment') FNAL KCA to
the VOMS server.

Enjoy,
Oscar - "/Role=VO-Admin"
Cindy Zheng wrote:
>I don't blame you, Oscar. I thought SDSC was trusted by IGTF
>- it's a part of TeraGrid! :-) So, I was shocked to learn
>it's not in IGTF yet. NPACI is really SDSC; now the project
>changed to TeraGrid, a new CA is set up for SDSC. But the NPACI
>CA is still in effect until next month. Sorry for all the
>confusion. We (PRAGMA) are planning to set up our own CA
>according to the IGTF standard in April. So, a temporary solution
>for me is fine. Thanks for your help!
>
>Cindy
>
>>-----Original Message-----
>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>Sent: Monday, March 06, 2006 2:22 PM
>>To: zhengc at sdsc.edu
>>Cc: gin-auth at ggf.org
>>Subject: Re: [gin-auth] The new VOMS Server for GIN is active from now
>>
>>NPACI?
>>
>>I'm sorry, I'm from Europe, The Netherlands, Amsterdam, NIKHEF (actually
>>living in The Hague though).
>>I have no clue about all these CAs if they're not in the IGTF :-)
>>
>>I consider all 'other' CAs outside of the IGTF exotic, and they need
>>investigation of their user-registration policy before I can actually
>>put my server's trust in that trust anchor.
>>Bear with me if I don't trust your identity.
>>
>>cheers,
>>
>> Oscar
>>
>>Cindy Zheng wrote:
>>
>>>Thank you, Oscar! I succeeded this morning using a new
>>>SDSC cert. I used an NPACI cert before and it's going to
>>>expire soon. So I might as well use a new SDSC cert.
>>>
>>>Cindy
>>>
>>>>-----Original Message-----
>>>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>>>Sent: Monday, March 06, 2006 6:42 AM
>>>>To: Cindy Zheng
>>>>Cc: gin-auth at ggf.org
>>>>Subject: Re: [gin-auth] The new VOMS Server for GIN is active from now
>>>>
>>>>Hi Cindy,
>>>>
>>>>I've checked my logs, but they are inconclusive.
>>>>You didn't show up in the logs at all... pretty odd though.
>>>>
>>>>Do you get a strange error message in your browser or
>>>>something like it?
>>>>Do you get a connection to the machine? Pingable or
>>>>connectable on port 8443?
>>>>
>>>>'failing authentication' is very vague to me. Nevertheless I want to
>>>>see/know/understand what is going on here.
>>>>If it is not working at all, you can always send your
>>>>usercert.pem file to me (privately) so that I can do the registration
>>>>manually and check if my security stuff is set up correctly.
>>>>
>>>>At the moment we have 4 successful registrations in the VO.
>>>>
>>>>cheers,
>>>>
>>>> Oscar
>>>>
>>>>Cindy Zheng wrote:
>>>>
>>>>>Hi, Oscar,
>>>>>
>>>>>I'm still failing to authenticate to the VOMS site.
>>>>>Maybe you can find some clue for the cause in your logs?
>>>>>
>>>>>Thanks,
>>>>>
>>>>>Cindy
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>>>>>Sent: Saturday, March 04, 2006 4:25 PM
>>>>>>To: Cindy Zheng
>>>>>>Cc: gin-auth at ggf.org; 'Olivier van der Aa'; 'Philip
>>>>>>Papadopoulos'; 'Catlett Charlie'; 'David Colling';
>>>>>>m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp; 'Yusuke
>>>>>>Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>>>>fplin at nchc.org.tw; 'Mason Katz'
>>>>>>Subject: RE: [gin-auth] The new VOMS Server for GIN is active from now
>>>>>>
>>>>>>Hi Cindy,
>>>>>>
>>>>>>You didn't do anything wrong. The VOMS Admin doesn't allow
>>>>>>unauthenticatable access to the service. I think you've used a
>>>>>>certificate signed by the SDSC CA. That CA is not (correct me if I'm
>>>>>>very wrong) within the IGTF accredited CAs and thus it was
>>>>>>not supported.
>>>>>>
>>>>>>To comfort you and others using the SDSC CA, I've manually added the
>>>>>>trust in that CA on the VOMS services.
>>>>>>
>>>>>>I hope this additional CA to the service is exceptional.
>>>>>>Personally I do advise to only use CA certificates within the
>>>>>>accreditation of the IGTF to ease such problems around the world.
>>>>>>But, I guess that this could be hard to achieve within a few days
>>>>>>if you don't have the 'right' certificates yet.
>>>>>>
>>>>>>You don't need to import the VOMS host cert. You should install the
>>>>>>NIKHEF CA file into your preferred browser (to kill the warning/error
>>>>>>and) to mutually trust the connection.
>>>>>>This page might be helpful:
>>>>>>http://marianne.in2p3.fr/ca/ca-table-ca.html
>>>>>>
>>>>>>Cheers,
>>>>>>
>>>>>> Oscar
>>>>>>
>>>>>>Cindy Zheng wrote:
>>>>>>
>>>>>>>Hi, Oscar Koeroo and gin-auth team,
>>>>>>>
>>>>>>>Thank you for setting up the VO for the GIN testbed!
>>>>>>>
>>>>>>>Erwin suggested that I contact gin-auth for VO questions
>>>>>>>and problems. First, let me spill all the related
>>>>>>>background info to make sure that we are on the same page.
>>>>>>>
>>>>>>>You probably already know about this, that PRAGMA Grid
>>>>>>>and TeraGrid had started a GIN experiment, running a grid
>>>>>>>application on a few PRAGMA grid clusters and a TeraGrid
>>>>>>>cluster. In the immediate next step, we want to include
>>>>>>>one or more Imperial College (EGEE) clusters in this
>>>>>>>application run.
>>>>>>>
>>>>>>>As we found out in our first round effort, trying to
>>>>>>>run an application across grid boundaries, the first issue
>>>>>>>is authentication. Our application drivers, certified by
>>>>>>>AIST and SDSC, need access to clusters of all GIN testbed
>>>>>>>resources. In the case of TeraGrid and PRAGMA grid, PRAGMA
>>>>>>>grid already accepts the AIST and SDSC CAs and TeraGrid already
>>>>>>>accepts the SDSC CA, but does not yet accept the AIST CA. The AIST CA is
>>>>>>>signed by APGrid PMA, a member of IGTF. The solution was
>>>>>>>then decided by TeraGrid: to accept the AIST CA on the cluster
>>>>>>>involved, while working on a formal process of accepting
>>>>>>>AIST's CA TeraGrid-wise.
>>>>>>>
>>>>>>>Now comes EGEE. My basic question is how can we
>>>>>>>accomplish the same goal here? From the application drivers'
>>>>>>>point of view, we need the certificate files (~.0,
>>>>>>>~.signing_policy) of the CA who signs Imperial College
>>>>>>>personal/resource certificates. We need to install them on
>>>>>>>the globus client side. On the other end, we need Imperial
>>>>>>>College resources to accept AIST and SDSC certificates
>>>>>>>(http://pragma-goc.rocksclusters.org/pragma-doc/resources.html).
>>>>>>>Is VO registration a solution to all or part of these?
>>>>>>>I thought to find some answers by accessing the VO site,
>>>>>>>but failed. This leads to more detailed questions about
>>>>>>>VO site access:
>>>>>>>I'm new to the VO registration process. I tried to access
>>>>>>>the URLs given in your email using either Firefox or IE,
>>>>>>>with my personal certificate (signed by SDSC/NPACI)
>>>>>>>imported, but the browsers do not recognize the CA
>>>>>>>of your site. When I accept your cert anyway, I still
>>>>>>>get rejected by the site. Do I need to import
>>>>>>>dec-2005-kuiken.nikhef.nl.pem in the website cert list in
>>>>>>>my browser? If so, could you give me the p12 version?
>>>>>>>Without the key, I cannot convert it to p12 format and
>>>>>>>the browsers do not take pem format. Also, maybe I need
>>>>>>>to add your CA in the trusted CA list in my browser? Which
>>>>>>>CA?
>>>>>>>
>>>>>>>Thanks in advance for your help,
>>>>>>>
>>>>>>>Cindy
>>>>>>>
>>>>>>>-----Original Message-----
>>>>>>>From: Erwin Laure [mailto:Erwin.Laure at cern.ch]
>>>>>>>Sent: Saturday, March 04, 2006 7:37 AM
>>>>>>>To: zhengc at sdsc.edu
>>>>>>>Cc: 'Olivier van der Aa'; 'Philip Papadopoulos'; 'Catlett Charlie';
>>>>>>>'David Colling'; m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp;
>>>>>>>'Yusuke Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>>>>>fplin at nchc.org.tw; 'Mason Katz'
>>>>>>>Subject: Re: E-intro and getting some Gin.
>>>>>>>
>>>>>>>Hi Cindy,
>>>>>>>
>>>>>>>I suggest you address your question about the VO to gin-auth at ggf.org. If
>>>>>>>there are problems this group should resolve them for everybody rather
>>>>>>>than us trying to do it only bilaterally.
>>>>>>>
>>>>>>>The important point I think is that each site should recognize all the
>>>>>>>IGTF approved CAs. Then we should not have problems, but I'm not a
>>>>>>>security expert.
>>>>>>>
>>>>>>>Cheers,
>>>>>>>
>>>>>>>-- Erwin
>>>>>>>
>>>>>>>Cindy Zheng wrote:
>>>>>>>
>>>>>>>>Thank you, Erwin and Olivier, for the info and quick response!
>>>>>>>>
>>>>>>>>Most of Olivier's questions are best answered by Yoshio and Yusuke.
>>>>>>>>
>>>>>>>>Olivier, I need the certificate files (~.0, ~.signing_policy)
>>>>>>>>of the CA who signs all your personal/host certificates.
>>>>>>>>
>>>>>>>>Our CA certificate files can be obtained from the user info packs,
>>>>>>>>or can be downloaded from
>>>>>>>>http://pragma-goc.rocksclusters.org/pragma-doc/resources.html
>>>>>>>>I think you need to install the AIST and SDSC CA files in your
>>>>>>>>system, so it will accept our user certificates.
>>>>>>>>
>>>>>>>>For the VO registration, it's a new process for me. I tried to
>>>>>>>>access the URLs given in Erwin's attachment using either Firefox
>>>>>>>>or IE, with my personal certificate imported, but the browsers
>>>>>>>>do not recognize the CA of your site. If I accept your cert
>>>>>>>>anyway, I still get rejected by the site. Do I need to import
>>>>>>>>dec-2005-kuiken.nikhef.nl.pem as a website cert in my browser?
>>>>>>>>If so, could you give me the p12 version? Without the key,
>>>>>>>>I cannot convert it to p12 format and the browsers do not
>>>>>>>>take pem format. Also, I think I would need to put your root
>>>>>>>>CA in my trusted CA list. I need to know the CA who signs your
>>>>>>>>site.
>>>>>>>>
>>>>>>>>Maybe I completely missed the boat :-) In that case, please
>>>>>>>>give me a pointer, I'll try to swim over :-)
>>>>>>>>
>>>>>>>>Thanks,
>>>>>>>>
>>>>>>>>Cindy
>>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
>>>>>>>>On Behalf Of Oscar Koeroo
>>>>>>>>Sent: Friday, March 03, 2006 5:18 AM
>>>>>>>>To: gin-auth at ggf.org
>>>>>>>>Subject: [gin-auth] The new VOMS Server for GIN is active from now
>>>>>>>>
>>>>>>>>Hi all,
>>>>>>>>
>>>>>>>>Trying to incorporate all ideas of the VO naming debate into a live and
>>>>>>>>kicking VO-name I gave it my own twist and created 'GIN-GGF-ORG'. This
>>>>>>>>VO name can be changed when we have a common agreement on the VO naming
>>>>>>>>convention.
>>>>>>>>
>>>>>>>>The server is 'kuiken.nikhef.nl' which is running the EGEE/gLite VOMS
>>>>>>>>services VOMS-Admin and the VOMS (core) daemon. This means that the
>>>>>>>>Fully Qualified Attribute Names (FQANs) are in the format of:
>>>>>>>>/GIN-GGF-ORG
>>>>>>>>/GIN-GGF-ORG/<group 1>
>>>>>>>>/GIN-GGF-ORG/<group 1>/<sub group 1>
>>>>>>>>/GIN-GGF-ORG/Role=VO-Admin
>>>>>>>>/GIN-GGF-ORG/<group 1>/Role=<your role here>
>>>>>>>>
>>>>>>>>The set of CAs is compliant with the newest classic-IGTF which should be
>>>>>>>>sufficient; if not, please mail me.
>>>>>>>>
>>>>>>>>Registration info:
>>>>>>>>The URL of the website is:
>>>>>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/
>>>>>>>>A direct link to the registration page is:
>>>>>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/request/user/create
>>>>>>>>
>>>>>>>>Config info:
>>>>>>>>The link to the configuration page is:
>>>>>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/config
>>>>>>>>Basically the VOMS daemon is running on port number 15050.
>>>>>>>>
>>>>>>>>For voms-proxy-init (the ~/.vomses or /opt/glite/etc/vomses/GIN-GGF-ORG
>>>>>>>>file):
>>>>>>>>"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"
>>>>>>>>
>>>>>>>>For mkgridmap.conf:
>>>>>>>>group vomss://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG .GIN-GGF-ORG
>>>>>>>>
>>>>>>>>VOMS Host cert:
>>>>>>>>Because there's not a common way of supplying the hostcert of the VOMS
>>>>>>>>server, I've attached it in the mail.
>>>>>>>>
>>>>>>>>cheers,
>>>>>>>>
>>>>>>>> Oscar "/GIN-GGF-ORG/Role=VO-Admin" Koeroo
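The vomses line and the FQAN layout quoted in Oscar's original announcement are the two client-side pieces a site has to get right before voms-proxy-init contacts the right server and before a resource can decide what a group or role actually grants. The Python below is an added example, not code from this thread or from the gLite/VOMS project. It parses a constructed vomses file (the announcement's line plus an invented second VO), parses FQANs of the shape listed above, and applies a simplified group/role matching rule so the reader can see what the server DN field pins and what an FQAN does and does not imply. The five-field vomses layout ("alias" "host" "port" "server DN" "VO") is the real one; the Capability= component VOMS can also emit is left out because the thread does not use it; every other name and value is constructed.

```python
"""Parse and check VOMS client-side artifacts: vomses lines and FQANs.

Added example, not code from the thread or from gLite/VOMS.  Sample data
is constructed; the Capability= FQAN component is intentionally omitted.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed vomses file: first line copies the announcement, the second
# is an invented entry showing that several VOs can share one file.
SAMPLE_VOMSES = '''
# alias       host               port    server DN                                              VO
"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"
"example-vo"  "voms.example.org" "15000" "/O=example/CN=voms.example.org"                       "example-vo"
'''

_COMPONENT = re.compile(r"^[A-Za-z0-9_.-]+$")  # VO, group and role names

@dataclass(frozen=True)
class VomsesEntry:
    alias: str
    host: str
    port: int
    server_dn: str   # DN the client must see in the VOMS server's host cert
    vo: str

@dataclass(frozen=True)
class Fqan:
    vo: str
    groups: tuple
    role: Optional[str]

def parse_vomses(text: str) -> dict:
    """Map VO name -> VomsesEntry.  Five double-quoted fields per line; blank
    lines and '#' comments are ignored; a malformed line is an error rather
    than silently skipped, so a typo cannot quietly drop a server check."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double quotes around each field
        if len(fields) != 5:
            raise ValueError(f"vomses line {lineno}: expected 5 quoted fields, got {len(fields)}")
        alias, host, port, dn, vo = fields
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"vomses line {lineno}: bad port {port!r}")
        if not dn.startswith("/") or "=" not in dn:
            raise ValueError(f"vomses line {lineno}: server DN must be in /X=y/... form")
        entries[vo] = VomsesEntry(alias, host, int(port), dn, vo)
    return entries

def parse_fqan(fqan: str) -> Fqan:
    """Split /VO/g1/g2/Role=r into parts.  Role= may appear once and only last."""
    if not fqan.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    vo, *rest = fqan[1:].split("/")
    if not _COMPONENT.match(vo):
        raise ValueError(f"bad VO name in {fqan!r}")
    groups, role = [], None
    for i, comp in enumerate(rest):
        if comp.startswith("Role="):
            if i != len(rest) - 1:
                raise ValueError(f"Role= must be the last component: {fqan!r}")
            role = comp[len("Role="):]
            if not _COMPONENT.match(role):
                raise ValueError(f"bad role in {fqan!r}")
        elif _COMPONENT.match(comp):
            groups.append(comp)
        else:
            raise ValueError(f"bad group component {comp!r} in {fqan!r}")
    return Fqan(vo, tuple(groups), role)

def is_valid_fqan(fqan: str) -> bool:
    try:
        parse_fqan(fqan)
        return True
    except ValueError:
        return False

def authorizes(held: Fqan, required: Fqan) -> bool:
    """Simplified model: membership of a subgroup implies membership of its
    parent groups; a role counts only at the exact group it is attached to."""
    if held.vo != required.vo:
        return False
    if required.role is not None:
        return held.groups == required.groups and held.role == required.role
    return held.groups[:len(required.groups)] == required.groups

def voms_server_for(fqan: Fqan, vomses: dict) -> Optional[VomsesEntry]:
    """The server (and the host DN to pin) for the VO named in an FQAN."""
    return vomses.get(fqan.vo)

if __name__ == "__main__":
    servers = parse_vomses(SAMPLE_VOMSES)
    print(voms_server_for(parse_fqan("/GIN-GGF-ORG/Role=VO-Admin"), servers))
    print(authorizes(parse_fqan("/GIN-GGF-ORG/grid/pragma"), parse_fqan("/GIN-GGF-ORG/grid")))
```

The server DN field is the detail worth noticing: the client only accepts attributes from a VOMS server whose host certificate carries exactly that subject and chains to a CA it trusts, which is the same trust-anchor question the thread keeps returning to for browsers and for the SDSC and AIST CAs. The matching rule in `authorizes` is a simplification of what a resource-side mapper does, but it shows why `/GIN-GGF-ORG/<group 1>/Role=<role>` does not confer that role at the VO root.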