Renew cert: Difference between revisions

From DaqWiki
Jump to navigation Jump to search
(New page: To renew a soon to expire grid certificate: Current expiry dates of certificates: Server Grid certificate expiry date trdata00 May 19th 2014 trdata01 May 19th 2014 trdata02 May 19th...)
 
m (8 revisions imported)
 
(7 intermediate revisions by one other user not shown)
Line 1: Line 1:
To renew a soon to expire grid certificate:
= To renew a soon to expire grid certificate: =
Current expiry dates of certificates:
Current expiry dates of certificates:


Line 11: Line 11:


   
   
Instructions to renew grid certificates
= Instructions to renew grid certificates =


    Go to Grid Canada grid certificate website:
* Go to Grid Canada grid certificate website:
     https://cert.gridcanada.ca/pki/pub
     https://cert.gridcanada.ca/pki/pub
     You may need a valid grid certificate in your browser in order to access this website.
      
     Click on the "Request a certificate" link.
You may need a valid grid certificate in your browser in order to access this website.
     Click on "Server Request" link and fill in the request.  Couple details
      
        Set the hostname to trdata00.triumf.ca  
* Click on the "Request a certificate" link.
        Set the Role to 'User'
      
        Choose some passphrase for the PIN.
* Click on "Server Request" link and fill in the request.  Couple details
    Repeat step 3 for trdata01, trdata02, trdata03 and trdata04.
  **      Set the hostname to trdata00.triumf.ca  
     A couple days later you will receive emails from grid-canada with a link to your new grid certificates.  Following the links will download the new grid certificates for each host into your browser.
  **      Set the Role to 'User'
    Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'.  You should see a list of your certificates, which should show the new certificates for trdata*.  For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
  **      Choose some passphrase for the PIN.
    Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires.  The instructions for this transformation are given here:
 
*     A couple days later you will receive emails from grid-canada with a link to your new grid certificates.  Following the links will download the new grid certificates for each host into your browser.
 
*    Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'.  You should see a list of your certificates, which should show the new certificates for trdata*.  For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
 
** Update 2020: new grid canada website is odd... need to go to bottom, under "certificate and keypair", choose PCKS#12 then click Download
 
*    Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires.  The instructions for this transformation are given here:
     http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8
     http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8
    The critical set of steps is as follows (for trdata00 as example):


The critical set of steps is as follows (for trdata00 as example):
<pre>
     cd <whereever on local computer you have .p12 files>
     cd <whereever on local computer you have .p12 files>
     openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
     openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
Line 35: Line 43:
     chmod 0444 trdata00_hostcert.pem
     chmod 0444 trdata00_hostcert.pem
     chmod 0400 trdata00_hostkey.pem
     chmod 0400 trdata00_hostkey.pem
</pre>
During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.
For t2ksrm you also need to do
<pre>
chown dcache /etc/grid-security/hostkey.pem
chown dcache /etc/grid-security/hostcert.pem
</pre>


    During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.
    Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:


*    Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:
<pre>
     ssh root@trdata00
     ssh root@trdata00
     cd /etc/grid-security/
     cd /etc/grid-security/
Line 46: Line 64:
     scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
     scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
     cp -p 2012/host* .
     cp -p 2012/host* .
</pre>


    Now go ahead and try to do a grid transfer (globus-url-copy) from trdata.  If this succeeds then you have successfully uploaded new certificates.
*     Finally restart dcache server from head node:
     Finally restart dcache server from head node:


<pre>
     service dcache restart
     service dcache restart
</pre>
= test certificates =
Now go ahead and try to do a grid transfer (globus-url-copy) from trdata.  If this succeeds then you have successfully uploaded new certificates.
<pre>
export LFC_HOST=lfc.gridpp.rl.ac.uk; export LCG_GFAL_INFOSYS=lcg-bdii.cern.ch:2170; lcg-cp -v -v srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/raw/ND280/ND280/00007000_00007999/nd280_00007892_0019.daq.mid.gz file://tmp/nd280_00007892_0019_30643.daq.mid.gz
</pre>


    Also try a lcg-ls command:
Also try a lcg-ls command:


     lcg-ls srm://t2ksrm.nd280.org/nd280data/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root
<pre>
     lcg-ls srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root
</pre>

Latest revision as of 09:52, 2 February 2022

To renew a soon to expire grid certificate:

Current expiry dates of certificates:


Server Grid certificate expiry date trdata00 May 19th 2014 trdata01 May 19th 2014 trdata02 May 19th 2014 trdata03 May 19th 2014


Instructions to renew grid certificates

  • Go to Grid Canada grid certificate website:
   https://cert.gridcanada.ca/pki/pub
   

You may need a valid grid certificate in your browser in order to access this website.

  • Click on the "Request a certificate" link.
  • Click on "Server Request" link and fill in the request. Couple details
 **      Set the hostname to trdata00.triumf.ca 
 **      Set the Role to 'User'
 **      Choose some passphrase for the PIN.
  • A couple days later you will receive emails from grid-canada with a link to your new grid certificates. Following the links will download the new grid certificates for each host into your browser.
  • Next you need to export these certificate from the browser into a PKCS#12 format file (extension .p12 file). Following instructions are for firefox 10.0.3; go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'. You should see a list of your certificates, which should show the new certificates for trdata*. For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
    • Update 2020: new grid canada website is odd... need to go to bottom, under "certificate and keypair", choose PCKS#12 then click Download
  • Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires. The instructions for this transformation are given here:
   http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8

The critical set of steps is as follows (for trdata00 as example):

    cd <whereever on local computer you have .p12 files>
    openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
    openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem
    openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem
    openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem
    chmod 0444 trdata00_hostcert.pem
    chmod 0400 trdata00_hostkey.pem

During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.

For t2ksrm you also need to do

chown dcache /etc/grid-security/hostkey.pem
chown dcache /etc/grid-security/hostcert.pem


  • Finally, login to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:
    ssh root@trdata00
    cd /etc/grid-security/
    mkdir 2011; cp -p host* 2011 (if copy does not already exist)
    mkdir 2012
    scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem
    scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
    cp -p 2012/host* .
  • Finally restart dcache server from head node:
    service dcache restart

test certificates

Now go ahead and try to do a grid transfer (globus-url-copy) from trdata. If this succeeds then you have successfully uploaded new certificates.

export LFC_HOST=lfc.gridpp.rl.ac.uk; export LCG_GFAL_INFOSYS=lcg-bdii.cern.ch:2170; lcg-cp -v -v srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/raw/ND280/ND280/00007000_00007999/nd280_00007892_0019.daq.mid.gz file://tmp/nd280_00007892_0019_30643.daq.mid.gz

Also try a lcg-ls command:

    lcg-ls srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root