[gin-auth] The new VOMS Server for GIN is active from now
Oscar Koeroo
okoeroo at nikhef.nl
Mon Mar 6 16:21:33 CST 2006
NPACI?
I'm sorry, I'm from Europe, The Netherlands, Amsterdam, NIKHEF (actually
living in The Hague though).
I have no clue about all these CAs if they're not in the IGTF :-)
I consider all 'other' CAs outside of the IGTF exotic and they need
investigation on their user-registration policy before I can actually
put my server's trust in that trust anchor.
Bear with me if I don't trust your identity.
cheers,
Oscar
Cindy Zheng wrote:
>Thank you, Oscar! I succeeded this morning using a new
>SDSC cert. I used NPACI cert before and it's going to
>expire soon. So, I might as well use a new SDSC cert.
>
>Cindy
>
>>-----Original Message-----
>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>Sent: Monday, March 06, 2006 6:42 AM
>>To: Cindy Zheng
>>Cc: gin-auth at ggf.org
>>Subject: Re: [gin-auth] The new VOMS Server for GIN is active from now
>>
>>
>>Hi Cindy,
>>
>>I've checked my logs, but they are inconclusive.
>>You didn't show up in the logs at all... pretty odd though.
>>
>>Do you get a strange error message in your browser or
>>something like it?
>>Do you get a connection to the machine? Pingable or
>>connectable on port 8443?
>>
>>'failing authentication' is very vague to me. Nevertheless I want to
>>see/know/understand what is going on here.
>>If it is not working at all, you can always send your
>>usercert.pem file to me (privately) so that I can do the
>>registration manually and check if my security stuff is
>>setup correctly.
>>
>>At the moment we have 4 successful registrations in the VO.
>>
>>cheers,
>>
>> Oscar
>>
>>Cindy Zheng wrote:
>>
>>>Hi, Oscar,
>>>
>>>I'm still failing to authenticate to the VOMS site.
>>>Maybe you can find some clue for the cause in your logs?
>>>
>>>Thanks,
>>>
>>>Cindy
>>>
>>>>-----Original Message-----
>>>>From: Oscar Koeroo [mailto:okoeroo at nikhef.nl]
>>>>Sent: Saturday, March 04, 2006 4:25 PM
>>>>To: Cindy Zheng
>>>>Cc: gin-auth at ggf.org; 'Olivier van der Aa'; 'Philip
>>>>Papadopoulos'; 'Catlett Charlie'; 'David Colling';
>>>>m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp; 'Yusuke
>>>>Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>>fplin at nchc.org.tw; 'Mason Katz'
>>>>Subject: RE: [gin-auth] The new VOMS Server for GIN is active from now
>>>>
>>>>Hi Cindy,
>>>>
>>>>You didn't do anything wrong. The VOMS Admin doesn't allow
>>>>unauthenticatable access to the service. I think you've used a
>>>>certificate signed by the SDSC CA. That CA is not (correct me if I'm
>>>>very wrong) within the IGTF accredited CAs and thus it was
>>>>not supported.
>>>>
>>>>To comfort you and others using the SDSC CA, I've manually added the
>>>>trust in that CA on the VOMS services.
>>>>
>>>>I hope this additional CA to the service is exceptional.
>>>>Personally I do advise to only use CA certificates within the
>>>>accreditation of the IGTF to ease such problems around the world.
>>>>But, I guess that this could be hard to achieve within a few days
>>>>if you don't have the 'right' certificates yet.
>>>>
>>>>You don't need to import the VOMS host cert. You should install the
>>>>NIKHEF CA file into your preferred browser (to kill the warning/error
>>>>and) to mutually trust the connection.
>>>>This page might be helpful:
>>>>http://marianne.in2p3.fr/ca/ca-table-ca.html
>>>>
>>>>Cheers,
>>>>
>>>> Oscar
>>>>
>>>>Cindy Zheng wrote:
>>>>
>>>>>Hi, Oscar Koeroo and gin-auth team,
>>>>>
>>>>>Thank you for setting up VO for GIN testbed!
>>>>>
>>>>>Erwin suggested that I contact gin-auth for VO questions
>>>>>and problems. First, let me spill all the related
>>>>>background info to make sure that we are on the same page.
>>>>>
>>>>>You probably already know about this, that PRAGMA Grid
>>>>>and TeraGrid had started a GIN experiment, running a grid
>>>>>application on a few PRAGMA grid clusters and a TeraGrid
>>>>>cluster. In the immediate next step, we want to include
>>>>>one or more Imperial College (EGEE) clusters in this
>>>>>application run.
>>>>>
>>>>>As we have found out in our first round effort, trying to
>>>>>run an application across grid boundaries, the first issue
>>>>>is authentication. Our application drivers, certified by
>>>>>AIST, SDSC, need access to clusters of all GIN testbed
>>>>>resources. In the case of TeraGrid and PRAGMA grid, PRAGMA
>>>>>grid already accepts AIST and SDSC CAs and TeraGrid already
>>>>>accepts the SDSC CA, but did not yet accept the AIST CA. AIST CA is
>>>>>signed by APGrid PMA, a member of IGTF. The solution was
>>>>>then decided by TeraGrid to accept AIST CA on the cluster
>>>>>involved, while working on a formal process of accepting
>>>>>AIST's CA TeraGrid-wise.
>>>>>
>>>>>Now we come to EGEE. My basic question is how can we
>>>>>accomplish the same goal here? From the application drivers'
>>>>>point of view, we need the certificate files (~.0,
>>>>>~.signing_policy) of the CA who signs Imperial College
>>>>>personal/resources certificates. We need to install them on
>>>>>the globus client side. On the other end, we need Imperial
>>>>>College resources to accept AIST and SDSC certificates
>>>>>(http://pragma-goc.rocksclusters.org/pragma-doc/resources.html).
>>>>>Is VO registration a solution to all or part of these?
>>>>>I thought to find some answers by accessing the VO site,
>>>>>but failed. This leads to more detailed questions about
>>>>>VO site access:
>>>>>I'm new to the VO registration process. I tried to access
>>>>>the URLs given in your email using either Firefox or IE,
>>>>>with my personal certificate (signed by SDSC/NPACI)
>>>>>imported, but the browsers do not recognize the CA
>>>>>of your site. When I accept your cert anyway, I still
>>>>>get rejected by the site. Do I need to import
>>>>>dec-2005-kuiken.nikhef.nl.pem in the website cert list in
>>>>>my browser? If so, could you give me the p12 version?
>>>>>Without the key, I cannot convert it to p12 format and
>>>>>the browsers do not take pem format. Also, maybe I need
>>>>>to add your CA in the trusted CA list in my browser? Which
>>>>>CA?
>>>>>
>>>>>Thanks in advance for your help,
>>>>>
>>>>>Cindy
>>>>>
>>>>>-----Original Message-----
>>>>>From: Erwin Laure [mailto:Erwin.Laure at cern.ch]
>>>>>Sent: Saturday, March 04, 2006 7:37 AM
>>>>>To: zhengc at sdsc.edu
>>>>>Cc: 'Olivier van der Aa'; 'Philip Papadopoulos'; 'Catlett Charlie';
>>>>>'David Colling'; m.aggarwal at imperial.ac.uk; yoshio.tanaka at aist.go.jp;
>>>>>'Yusuke Tanimura'; 'Dane Skow'; 'JP Navarro'; 'Arzberger Peter';
>>>>>fplin at nchc.org.tw; 'Mason Katz'
>>>>>Subject: Re: E-intro and getting some Gin.
>>>>>
>>>>>Hi Cindy,
>>>>>
>>>>>I suggest you address your question about the VO to gin-auth at ggf.org. If
>>>>>there are problems this group should resolve them for everybody rather
>>>>>than we are trying to do it only bilaterally.
>>>>>
>>>>>The important point I think is that each site should recognize all the
>>>>>IGTF approved CAs. Then we should not have problems, but I'm not a
>>>>>security expert.
>>>>>
>>>>>Cheers,
>>>>>
>>>>>-- Erwin
>>>>>
>>>>>Cindy Zheng wrote:
>>>>>
>>>>>>Thank you, Erwin and Olivier, for the info and quick response!
>>>>>>
>>>>>>Most of Olivier's questions are best answered by Yoshio and Yusuke.
>>>>>>
>>>>>>Olivier, I need the certificate files (~.0, ~.signing_policy)
>>>>>>of the CA who signs all your personal/host certificates.
>>>>>>
>>>>>>Our CA certificate files can be obtained from the user info packs,
>>>>>>or can be downloaded from
>>>>>>http://pragma-goc.rocksclusters.org/pragma-doc/resources.html
>>>>>>I think you need to install AIST and SDSC CA files in your
>>>>>>system, so it will accept our user certificates.
>>>>>>
>>>>>>For the VO registration, it's a new process for me. I tried to
>>>>>>access the URLs given in Erwin's attachment using either Firefox
>>>>>>or IE, with my personal certificate imported, but the browsers
>>>>>>do not recognize the CA of your site. If I accept your cert
>>>>>>anyway, I still get rejected by the site. Do I need to import
>>>>>>dec-2005-kuiken.nikhef.nl.pem as website cert in my browser?
>>>>>>If so, could you give me the p12 version? Without the key,
>>>>>>I cannot convert it to p12 format and the browsers do not
>>>>>>take pem format. Also, I think I would need to put your root
>>>>>>CA in my trusted CA list. I need to know the CA who signs your
>>>>>>site.
>>>>>>
>>>>>>Maybe I completely missed the boat :-) In that case, please
>>>>>>give me a pointer, I'll try to swim over :-)
>>>>>>
>>>>>>Thanks,
>>>>>>
>>>>>>Cindy
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: owner-gin-auth at ggf.org [mailto:owner-gin-auth at ggf.org]
>>>>>>On Behalf Of Oscar Koeroo
>>>>>>Sent: Friday, March 03, 2006 5:18 AM
>>>>>>To: gin-auth at ggf.org
>>>>>>Subject: [gin-auth] The new VOMS Server for GIN is active from now
>>>>>>
>>>>>>
>>>>>>Hi all,
>>>>>>
>>>>>>Trying to incorporate all ideas of the VO naming debate into
>>>>>>a live and kicking VO-name I gave it my own twist and created
>>>>>>'GIN-GGF-ORG'. This VO name can be changed when we have a
>>>>>>common agreement on the VO naming convention.
>>>>>>
>>>>>>The server is 'kuiken.nikhef.nl' which is running the EGEE/Glite VOMS
>>>>>>services VOMS-Admin and the VOMS (core) daemon. This means that the
>>>>>>Fully Qualified Attribute Names (FQANs) are in the format of:
>>>>>>/GIN-GGF-ORG
>>>>>>/GIN-GGF-ORG/<group 1>
>>>>>>/GIN-GGF-ORG/<group 1>/<sub group 1>
>>>>>>/GIN-GGF-ORG/Role=VO-Admin
>>>>>>/GIN-GGF-ORG/<group 1>/Role=<your role here>
>>>>>>
>>>>>>The set of CAs is compliant with the newest classic-IGTF
>>>>>>which should be sufficient, if not, please mail me.
>>>>>>
>>>>>>Registration info:
>>>>>>The URL of the website is:
>>>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/
>>>>>>A direct link to the registration page is:
>>>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/request/user/create
>>>>>>
>>>>>>Config info:
>>>>>>The link to the configuration page is:
>>>>>>https://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG/webui/config
>>>>>>Basically the VOMS daemon is running on portnumber 15050.
>>>>>>
>>>>>>For voms-proxy-init (the ~/.vomses or
>>>>>>/opt/glite/etc/vomses/GIN-GGF-ORG file):
>>>>>>"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"
>>>>>>
>>>>>>For mkgridmap.conf:
>>>>>>group vomss://kuiken.nikhef.nl:8443/voms/GIN-GGF-ORG .GIN-GGF-ORG
>>>>>>
>>>>>>VOMS Host cert:
>>>>>>Because there's not a common way of supplying the hostcert of the VOMS
>>>>>>server, I've attached it in the mail.
>>>>>>
>>>>>>cheers,
>>>>>>
>>>>>> Oscar "/GIN-GGF-ORG/Role=VO-Admin" Koeroo
>>>>>>
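The ~/.vomses entry and the FQAN layout quoted in the announcement, as an added example that is not part of the thread or of the gLite VOMS code: a parser for both formats plus a check that the CN in the configured server DN matches the configured host, since that DN is what a client compares the VOMS server's host certificate against. The sample vomses line is the one posted; the FQAN group and role names used for testing are constructed.

```python
import re
import shlex
from dataclasses import dataclass
# The one-line ~/.vomses entry exactly as posted in the announcement.
VOMSES_LINE = ('"GIN-GGF-ORG" "kuiken.nikhef.nl" "15050" '
               '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "GIN-GGF-ORG"')

@dataclass(frozen=True)
class VomsesEntry:
    alias: str       # name handed to voms-proxy-init --voms
    host: str
    port: int
    server_dn: str   # subject the client expects in the VOMS server's host cert
    vo: str

def parse_vomses_line(line: str) -> VomsesEntry:
    # shlex strips the double quotes; the DN field itself contains '/' and '='
    fields = shlex.split(line, posix=True)
    if len(fields) != 5:
        raise ValueError(f"expected 5 quoted fields, got {len(fields)}")
    alias, host, port, dn, vo = fields
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    return VomsesEntry(alias, host, int(port), dn, vo)

def check_entry(entry: VomsesEntry) -> list:
    """Return misconfigurations found; an empty list means the entry is consistent."""
    problems = []
    cn = entry.server_dn.rsplit("/CN=", 1)[-1] if "/CN=" in entry.server_dn else ""
    if cn != entry.host:  # this DN is what the client matches the server cert against
        problems.append(f"DN CN {cn!r} does not match host {entry.host!r}")
    return problems

@dataclass(frozen=True)
class Fqan:
    vo: str
    groups: tuple
    role: "str | None"

# /VO, then zero or more /group parts, then an optional trailing /Role=name
FQAN_RE = re.compile(r"^/([^/=]+)((?:/[^/=]+)*)(?:/Role=([^/=]+))?$")

def parse_fqan(fqan: str, expected_vo: str) -> Fqan:
    m = FQAN_RE.match(fqan)
    if not m:
        raise ValueError(f"malformed FQAN {fqan!r}")
    vo, groups, role = m.groups()
    if vo != expected_vo:
        raise ValueError(f"FQAN {fqan!r} is not in VO {expected_vo!r}")
    return Fqan(vo, tuple(g for g in groups.split("/") if g), role)
```

A Role component is only accepted as the last element, matching the five FQAN shapes listed in the announcement; a different VO name or a doubled slash is rejected.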