Renew cert
Latest revision as of 09:52, 2 February 2022
To renew a soon-to-expire grid certificate:
Current expiry dates of certificates:

Server     Grid certificate expiry date
trdata00   May 19th 2014
trdata01   May 19th 2014
trdata02   May 19th 2014
trdata03   May 19th 2014
Instructions to renew grid certificates
- Go to the Grid Canada grid certificate website:
https://cert.gridcanada.ca/pki/pub
You may need a valid grid certificate in your browser in order to access this website.
- Click on the "Request a certificate" link.
- Click on the "Server Request" link and fill in the request. A couple of details:
  - Set the hostname to trdata00.triumf.ca
  - Set the Role to 'User'
  - Choose some passphrase for the PIN.
- A couple of days later you will receive emails from grid-canada with a link to your new grid certificates. Following the links will download the new grid certificates for each host into your browser.
- Next you need to export these certificates from the browser into a PKCS#12 format file (extension .p12). The following instructions are for Firefox 10.0.3: go to 'preferences' -> 'advanced' -> 'encryption', then click on 'View Certificates'. You should see a list of your certificates, which should include the new certificates for trdata*. For each certificate click on 'backup' and then save the .p12 file somewhere on your local computer with a name like 'trdata00_cert.p12'.
- Update 2020: the new Grid Canada website is odd. You need to go to the bottom of the page, under "certificate and keypair", choose PKCS#12 and then click Download.
- Next, transform these .p12 files into the hostcert.pem and hostkey.pem files the trdata grid security requires. The instructions for this transformation are given here:
http://gridcanada.ext.nrc.ca/?q=node/7&page=0%2C8
The critical set of steps is as follows (for trdata00 as example):
<pre>
cd <wherever on local computer you have .p12 files>
openssl pkcs12 -nocerts -in trdata00_cert.p12 -out trdata00_hostkey.encrypted.pem
openssl pkcs12 -clcerts -nokeys -in trdata00_cert.p12 -out trdata00_hostcert_noText.pem
openssl x509 -in trdata00_hostcert_noText.pem -text > trdata00_hostcert.pem
openssl rsa -in trdata00_hostkey.encrypted.pem -out trdata00_hostkey.pem
chmod 0444 trdata00_hostcert.pem
chmod 0400 trdata00_hostkey.pem
</pre>
During this transformation you are asked for other passphrases; I just used the same set of passphrases as for the online application; not sure if this is correct.
For t2ksrm you also need to run:
<pre>
chown dcache /etc/grid-security/hostkey.pem
chown dcache /etc/grid-security/hostcert.pem
</pre>
- Finally, log in to root@trdata00, move the old certificate files to a new folder and copy the new certificates from your local computer:
<pre>
ssh root@trdata00
cd /etc/grid-security/
mkdir 2011; cp -p host* 2011    # only if a copy does not already exist
mkdir 2012
scp neut14:<dir>/trdata00_hostcert.pem 2012/hostcert.pem
scp neut14:<dir>/trdata00_hostkey.pem 2012/hostkey.pem
cp -p 2012/host* .
</pre>
- Finally, restart the dcache server from the head node:
<pre>
service dcache restart
</pre>
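The .p12-to-PEM conversion above is easy to get subtly wrong (wrong passphrase, a key that does not belong to the certificate, or a bundle that is not actually the renewed one). The following helper is an added example, not part of this wiki page or of Grid Canada's instructions: it performs the same extraction in one function, applies the 0444/0400 permissions, and then checks that hostkey.pem matches hostcert.pem and that the certificate is not about to expire. It assumes openssl(1) is on PATH; the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added helper, not from the wiki: turn a downloaded Grid Canada .p12 bundle into
# hostcert.pem / hostkey.pem with the permissions the page requires, then verify
# the key matches the certificate and the certificate is not about to expire.
# Assumes openssl(1) is on PATH; the function name and arguments are hypothetical.

# p12_to_host_pem <bundle.p12> <p12 passphrase> <output directory>
# exit status: 0 ok, 1 extraction failure or key/cert mismatch, 2 certificate expires soon
p12_to_host_pem() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    umask 077   # new files start private; the explicit chmods below widen only the cert
    # Private key, written unencrypted in one step (the page's two-step
    # "-nocerts" followed by "openssl rsa" produces the same result).
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" \
        -out "$out/hostkey.pem" 2>/dev/null || return 1
    # Leaf certificate only: no CA chain, no key.
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" \
        -out "$out/cert_raw.pem" 2>/dev/null || return 1
    # Prepend the human-readable dump, as the page's hostcert.pem has.
    openssl x509 -in "$out/cert_raw.pem" -text > "$out/hostcert.pem" || return 1
    rm -f "$out/cert_raw.pem"
    chmod 0444 "$out/hostcert.pem" && chmod 0400 "$out/hostkey.pem" || return 1
    # The key must belong to this certificate: compare public-key digests.
    kfp=$(openssl pkey -in "$out/hostkey.pem" -pubout -outform DER | openssl sha256)
    cfp=$(openssl x509 -in "$out/hostcert.pem" -pubkey -noout \
          | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$kfp" ] && [ "$kfp" = "$cfp" ] \
        || { echo "hostkey.pem does not match hostcert.pem" >&2; return 1; }
    # A "renewed" certificate that still expires within 30 days (2592000 s) is the wrong bundle.
    openssl x509 -in "$out/hostcert.pem" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days" >&2; return 2; }
    openssl x509 -in "$out/hostcert.pem" -noout -subject -enddate
}
```

Run it as `p12_to_host_pem trdata00_cert.p12 '<PIN passphrase>' ./trdata00` and copy the resulting hostcert.pem and hostkey.pem into /etc/grid-security/ as described above.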
Test certificates
Now go ahead and try to do a grid transfer (globus-url-copy) from trdata. If this succeeds then you have successfully installed the new certificates.
<pre>
export LFC_HOST=lfc.gridpp.rl.ac.uk; export LCG_GFAL_INFOSYS=lcg-bdii.cern.ch:2170; lcg-cp -v -v srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/raw/ND280/ND280/00007000_00007999/nd280_00007892_0019.daq.mid.gz file://tmp/nd280_00007892_0019_30643.daq.mid.gz
</pre>
Also try an lcg-ls command:
<pre>
lcg-ls srm://t2ksrm.nd280.org/nd280data/t2k.org/nd280/production005/A/mcp/genie/2010-11-water/magnet/beamb/numc/oa_gn_beam_91210002-0029_io24sikspw4w_numc_000_prod005magnet201011waterb.root
</pre>