Project

General

Profile

Support #21884

Testing of inCommon certificates

Added by Marco Mambelli 8 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
02/11/2019
Due date:
% Done:

0%

Estimated time:
Stakeholders:
Duration:

Description

Fermilab's hosts and services are migrating to the new inCommon CA certificates.
We should test GWMS to make sure that all works OK and to be able to give suggestions to the users

Tanya sent a document to report the results of the testing:
https://docs.google.com/spreadsheets/d/1lhfewry3R0wFcABYZqGrNgRvD_FCLHieOs55mrEVXLU/edit?usp=sharing

I think the testing of GWMS should cover:
- Frontend, should be no different from picking a new certificate from the old CAs (xml config files and condor_mapfile should have the correct DN)
- Factory (same)
- CE here a new regular expression line near the end of /etc/condor/certs/condor_mapfile to map all the Fermilab hosts to (like "GSI "^\/DC\=org\/DC\=opensciencegrid\/O=Open Science Grid\/OU\=Services\/CN\=(host\/)?([A-Za-z0-9.\-]*)$" \")

The regex should map all and only FNAL hosts and extract the hostname possibly.
Our subjects will start out with:
DC=org, DC=incommon, C=US/postalCode=60510-050, ST=IL,
L=Batavia/street=MS 105 WILSON AND KIRK RDS, O=Fermi Research Alliance,
OU=Computing Division,

You can get samples requesting certificates or checking w/ Joe Boyd or the security team.

History

#1 Updated by Dennis Box 6 months ago

  • Status changed from New to Resolved

Xml config files and condor_mapfiles have to be changed in obvious way.
It turns out the CE condor_mapfile already has a regular expression that passes inCommon certs that came from installation scripts.

#2 Updated by Marco Mambelli 4 months ago

  • Status changed from Resolved to Closed


Also available in: Atom PDF