Glasgow Certificate renewal tasks
From ScotGrid
Revision as of 14:45, 10 May 2012 by David crooks (previous revision 14:44, 10 May 2012; this edit moves the CREAM and ARC subsections above LCG-CE).
Some services require a hostcert/key pair to exist in non-standard places, in addition to the usual /etc/grid-security.
How to Renew a host certificate
Download cert from browser
Export the certificate from the browser without a password; in Firefox this may mean typing something into the password field and then deleting it. Add the certificate identifier (28597 in this case) to the filename. The file is usually kept within ypf, in a directory named after the year the certificate expires.
scp <YOUR_HOST>.gla.scotgrid.ac.uk.28597.p12 svr031:/usr/local/ypf/private/cert/<YEAR>
Copy certificates into ypf for distribution
pushsecrets is used to distribute certificates, keys etc. from svr031. The .p12 must first be broken into its two .pem parts, using the commands below and referencing the .p12 in the directory named after the expiry year. The two parts are then put into a top-level directory named after the host. The most important thing is not to set any passwords, or else nobody else in the team can renew these certificates; the -nodes option is required so that no password is set on the key.
cd /usr/local/ypf/private/cert/<YOUR_HOST>
# certificate only, no key
openssl pkcs12 -clcerts -nokeys -in ../2011/<YOUR_HOST>.p12 -out hostcert.pem
# key only, written unencrypted (-nodes)
openssl pkcs12 -nodes -nocerts -in ../2011/<YOUR_HOST>.p12 -out hostkey.pem
chmod 400 hostkey.pem
chmod 644 hostcert.pem
Run PushSecrets
pushsecrets --host=<YOUR_HOST>
Re-configure Service
Re-run YAIM, or, if you know where to copy them, do it manually.
WMS
- /home/glite/.certs/, owned by glite and with the following permissions:
-rw------- 1 glite glite 1846 Sep 16 16:27 /home/glite/.certs/hostkey.pem
-rw-r--r-- 1 glite glite 2191 Oct  2 06:00 /home/glite/.certs/hostcert.pem
- /home/glite/.globus/ also owned by glite, and with identical permissions:
-rw-r--r-- 1 glite glite 2191 Sep 16 16:23 /home/glite/.globus/usercert.pem
-rw------- 1 glite glite 1846 Sep 16 16:28 /home/glite/.globus/userkey.pem
From the hostcert above (in ~glite/.certs), /var/glite/wms.proxy gets created every six hours by glite-wms-create-host-proxy.cron. This requires that the cert has the correct permissions, else the proxy won't get generated and, as a consequence, purging on the WMS breaks.
svr031 (web server; probably applies to svr028 too)
- /etc/httpd/conf/ssl.crt currently (Feb 2010) contains
-rw-r--r-- 1 root root 1522 Jan 16  2008 Makefile
-rw-r--r-- 1 root root 1314 May 19  2008 new-escience-ca.crt
-rw-r--r-- 1 root root 1281 May 19  2008 new-escience-root.crt
-rw-r--r-- 1 root root 2595 Aug  7  2008 ca.crt
lrwxrwxrwx 1 root root   21 Aug  7  2008 98ef0ee5.0 -> new-escience-root.crt
lrwxrwxrwx 1 root root   19 Aug  7  2008 367b75c3.1 -> new-escience-ca.crt
lrwxrwxrwx 1 root root    6 Aug  7  2008 367b75c3.0 -> ca.crt
lrwxrwxrwx 1 root root   10 Aug  7  2008 03f01fe8.0 -> server.crt
-rw-r--r-- 1 root root 2595 Aug  7  2008 ca-bundle.crt
-rw-r--r-- 1 root root 1522 Nov 11  2008 Makefile.crt
-rw-r--r-- 1 root root 2208 Feb 11  2009 server.crt.bak
-rw-r--r-- 1 root root 2192 Feb 11  2009 server.crt
so copy the hostcert across:
cp server.crt server.crt.bak.mjk
cp /etc/grid-security/hostcert.pem ./server.crt
And a similar thing needs doing with the hostkey in /etc/httpd/conf/ssl.key
svr029 (VOMS server)
There are two copies of hostcert/key at /usr/share/tomcat5/.certs, owned by tomcat and /etc/grid/security/scascert.pem,scaskey.pem owned by scas.
CEs: CREAM, ARC, LCG
CREAM
For CREAM CEs, you also need to copy the certs to /etc/grid-security/ as tomcat-cert.pem and tomcat-key.cert, owned by tomcat. Then restart tomcat to pick up the new certs.
ARC
For ARC, it only needs /etc/grid-security/host{cert,key}.pem
LCG-CE
YAIM usually does this for you. But if you do it manually you must copy the new certs into the glite user.
- /home/glite/.certs/, owned by glite and with the following permissions:
-rw------- 1 glite glite 1846 Sep 16 16:27 /home/glite/.certs/hostkey.pem
-rw-r--r-- 1 glite glite 2191 Oct  2 06:00 /home/glite/.certs/hostcert.pem
You'll also need to restart the globus-gatekeeper process.
DPM
In addition to the normal certificate location, the dpmmgr component requires the same host cert/key pair to be copied into the dpmmgr subdirectory and owned by dpmmgr. See below for details.
svr025:/etc/grid-security/dpmmgr# ls -la
total 32
drwxr-xr-x 2 dpmmgr dpmmgr 4096 May 13 16:29 .
drwxr-xr-x 6 root   root   4096 May 17 15:32 ..
-rw-r--r-- 1 dpmmgr dpmmgr 2189 Aug 31  2009 dpmcert.pem
-r-------- 1 dpmmgr dpmmgr 1863 Aug 31  2009 dpmkey.pem
SERVICES TO RESTART: srmv1 srmv2.2
BDII
Tomcat needs a copy (not a soft link) of the host cert/key pair, owned by tomcat:
-r-------- 1 tomcat tomcat 1843 Aug  4  2009 hostkey.pem
-rw-r--r-- 1 tomcat tomcat 2192 Aug  4  2009 hostcert.pem
and the Tomcat service needs restarting. A further copy is owned by rgma:
svr019:/opt/glite/var/rgma/.certs# ls -lart
total 32
drwxr-xr-x 3 root root 4096 Jun 16  2008 ..
-rw-r--r-- 1 rgma rgma 2192 Aug 18  2009 hostcert.pem
-r-------- 1 rgma rgma 1843 Aug 18  2009 hostkey.pem
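The renewal steps at the top of this page (split the .p12 with -nodes, push the parts out with pushsecrets, copy them into each service's own location) leave several copies of the same cert/key on a host, each with its own owner and mode. The script below is an added example, not ScotGrid's own tooling, for checking a host after a renewal: every copy in a table is compared against the canonical /etc/grid-security/hostcert.pem by fingerprint, every key copy is checked to be unencrypted and to belong to that certificate, owner and mode are checked, and the certificate's remaining lifetime is checked. The path/owner/mode table is assembled from the listings on this page; the VOMS and CREAM tomcat copies and the httpd ssl.key file are left out because the page does not give their modes, and should be added per host. It assumes GNU stat (-c) and the openssl CLI.

```shell
#!/bin/sh
# Post-renewal audit of the extra hostcert/key copies listed on this page.
# Added example, not ScotGrid's own tooling. Assumes GNU stat (-c) and the
# openssl CLI; the table in default_table is taken from the listings above.

# check_copy FILE OWNER MODE -> 0 if FILE exists with that owner and octal mode
check_copy() {
    _f=$1 _owner=$2 _mode=$3 _rc=0
    [ -f "$_f" ] || { echo "MISSING  $_f"; return 1; }
    _have=$(stat -c '%U' "$_f")
    [ "$_have" = "$_owner" ] || { echo "OWNER    $_f: $_have (want $_owner)"; _rc=1; }
    _have=$(stat -c '%a' "$_f")
    [ "$_have" = "$_mode" ] || { echo "MODE     $_f: $_have (want $_mode)"; _rc=1; }
    return $_rc
}

# same_cert A B -> 0 if both PEM files hold the same certificate (SHA-256 fingerprint)
same_cert() {
    _a=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 1
    _b=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null) || return 1
    [ "$_a" = "$_b" ]
}

# key_is_unencrypted KEY -> 0 if the key loads with an empty passphrase
# (a passworded key is the failure the -nodes note above warns about)
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# key_matches_cert KEY CERT -> 0 if the key's public half equals the cert's
key_matches_cert() {
    _k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$_k" = "$_c" ]
}

# cert_valid_for CERT SECONDS -> 0 unless CERT expires within SECONDS
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# audit_table TABLE CANON_CERT [MIN_SECONDS]
#   TABLE lines: "<path> <owner> <mode> cert|key"; blank lines and # comments skipped.
#   Returns the number of failing entries (0 = every copy is the renewed cert/key
#   with the right owner and mode, and the cert outlives MIN_SECONDS, default 30 days).
audit_table() {
    _table=$1 _ccert=$2 _min=${3:-2592000} _bad=0
    [ -f "$_ccert" ] || { echo "MISSING  $_ccert"; return 1; }
    if ! cert_valid_for "$_ccert" "$_min"; then
        echo "EXPIRY   $_ccert expires within $_min seconds"; _bad=$((_bad + 1))
    fi
    while read -r _p _o _m _kind; do
        case $_p in ''|'#'*) continue ;; esac
        _ok=1
        check_copy "$_p" "$_o" "$_m" || _ok=0
        if [ -f "$_p" ]; then
            case $_kind in
            cert) same_cert "$_p" "$_ccert" || { echo "STALE    $_p differs from $_ccert"; _ok=0; } ;;
            key)  if ! key_is_unencrypted "$_p"; then
                      echo "PASSWD   $_p is passphrase-protected"; _ok=0
                  elif ! key_matches_cert "$_p" "$_ccert"; then
                      echo "MISMATCH $_p does not belong to $_ccert"; _ok=0
                  fi ;;
            esac
        fi
        [ "$_ok" -eq 1 ] || _bad=$((_bad + 1))
    done < "$_table"
    return $_bad
}

# One table per host, from the listings on this page: delete the lines for
# services the host does not run and add the copies the page leaves unspecified.
default_table() {
    cat <<'EOF'
/home/glite/.certs/hostcert.pem glite 644 cert
/home/glite/.certs/hostkey.pem glite 600 key
/home/glite/.globus/usercert.pem glite 644 cert
/home/glite/.globus/userkey.pem glite 600 key
/etc/httpd/conf/ssl.crt/server.crt root 644 cert
/etc/grid-security/dpmmgr/dpmcert.pem dpmmgr 644 cert
/etc/grid-security/dpmmgr/dpmkey.pem dpmmgr 400 key
/opt/glite/var/rgma/.certs/hostcert.pem rgma 644 cert
/opt/glite/var/rgma/.certs/hostkey.pem rgma 400 key
EOF
}

# Usage: sh hostcert-audit.sh --run   (after pushsecrets and the service restarts)
if [ "${1:-}" = "--run" ]; then
    _t=$(mktemp) && default_table > "$_t"
    audit_table "$_t" /etc/grid-security/hostcert.pem; _rc=$?
    rm -f "$_t"; exit "$_rc"
fi
```

A STALE line means a service is still holding the previous certificate even though /etc/grid-security has the new one, which is the case the restarts above (tomcat, globus-gatekeeper, srmv1/srmv2.2) are meant to catch; a PASSWD line means a key copy was exported with a passphrase and the next person on the team will not be able to renew from it.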
