Difference between revisions of "DUNE third party copy IC to RAL"

m (Daniela Bauer 7cecb7c591 moved page DUNE third party ic to ral to DUNE third party copy IC to RAL: Style)
 
(10 intermediate revisions by one user not shown)
Line 1: Line 1:
__NOTITLE__
+
 
 
== Third party copies Imperial dCache to RAL ECHO  ==
 
== Third party copies Imperial dCache to RAL ECHO  ==
  
Line 9: Line 9:
 
# Expired delegation is not updated (happens when you start testing on a Friday and come back on a Monday): <br> Short term solution: remove delegation from dCache, start afresh. <br> Long term solution: wait for dCache [https://github.com/DmitryLitvintsev/dcache/wiki/DCacheDelegationPatch fix] provided by Dmitry to make it into the release. <br>
 
# Expired delegation is not updated (happens when you start testing on a Friday and come back on a Monday): <br> Short term solution: remove delegation from dCache, start afresh. <br> Long term solution: wait for dCache [https://github.com/DmitryLitvintsev/dcache/wiki/DCacheDelegationPatch fix] provided by Dmitry to make it into the release. <br>
 
# Checksums on ECHO: Apparently it doesn't provide any. <br> Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node. <br> Long term solution: ??? <br>
 
# Checksums on ECHO: Apparently it doesn't provide any. <br> Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node. <br> Long term solution: ??? <br>
# Dynafed's QuoVadis certificate: Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3). <br>
+
# Dynafed's QuoVadis certificate: Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3). <br> Short term solution: Procure certificate from from here: [https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx Downloads]. Distribute it on the head and pool nodes. Remember to make the .0 file and create a link:  
Short term solution: Procure certificate from from here: [https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx Downloads]. Distribute it on the head and pool nodes. Remember to make the .0 file and create a link:  
+
 
<pre>
 
<pre>
 
[root@blah certificates]#  openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash
 
[root@blah certificates]#  openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash
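Review bot: the short-term fix on the checksum item, webdav.enable.third-party.requiring-verification-by-default = false, switches off end-to-end integrity verification for every third-party transfer through this head node, not only those going to ECHO, and the item's "Long term solution: ???" leaves no record of how a corrupted copy would now be detected; suggest stating whether the gfal side still compares checksums, or that transfers to ECHO are knowingly unverified. Minor: "Procure certificate from from here" repeats "from".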
Line 18: Line 17:
 
</pre> Make a QuoVadis-SSL-ICA-G3.crl_url file while you are at it. <br>
 
</pre> Make a QuoVadis-SSL-ICA-G3.crl_url file while you are at it. <br>
  
 +
'''Dynafed's QuoVadis certificate: Now it gets interesting.''' <br>
 +
''Solution A'': On you pool nodes set: dcache.authn.namespace-mode=IGNORE (webdav.authn.namespace-mode=IGNORE didn't seem to be enough).
  
 +
We also currently have the following settings on our headnode (in dcache.conf) <br>
 +
webdav.enable.third-party.requiring-verification-by-default = false <br>
 +
webdav.authn.namespace-mode=IGNORE <br>
 +
webdav.authn.crl-mode=IGNORE &larr; I don't think I need that one as I have my crls, but can only restart the head node so often <br>
 +
webdav.authn.ocsp-mode=IGNORE <br>
  
 +
Now, off you go. <br>
  
 +
''Solution B'': The hacker special <br>
 +
Leave dcache.authn.namespace-mode on the default setting. Make yourself (on the pool node) a QuoVadis-SSL-ICA-G3.signing_policy with the following content (and don't forget the link: 35e514f6.signing_policy -> QuoVadis-SSL-ICA-G3.signing_policy): <br>
 +
<pre>
 +
access_id_CA  X509    '/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3'  <br>
 +
pos_rights    globus  CA:sign  <br>
 +
cond_subjects  globus  '"/C=GB/*"'  <br>
 +
</pre>
 +
This now matches the RAL Dynafed certificate. Uh oh. <br>
  
 +
Long term solution: ??? <br>
  
  
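Review bot: the head-node settings added here, webdav.authn.crl-mode=IGNORE and webdav.authn.ocsp-mode=IGNORE, disable revocation checking for every WebDAV peer, not just Dynafed, and the text itself says crl-mode is probably unnecessary because the CRLs are installed; suggest dropping it from the documented set rather than keeping it to save a head-node restart, and recording which of the IGNORE settings were actually required. For Solution B, cond_subjects '"/C=GB/*"' grants the QuoVadis ICA CA:sign for any subject under /C=GB, which is what "Uh oh" hints at; spelling that out, and showing a pattern narrowed to the Dynafed host's own DN, would make the trade-off visible to the next reader. Minor: "On you pool nodes" should be "On your pool nodes".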
Line 32: Line 48:
 
[...] <br>
 
[...] <br>
 
<nowiki> [https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation]</nowiki> $ destroy 1234  &larr; I can't remember where I found this.<br>
 
<nowiki> [https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation]</nowiki> $ destroy 1234  &larr; I can't remember where I found this.<br>
 
 
__NOTITLE__
 

Latest revision as of 16:20, 12 September 2018

Third party copies Imperial dCache to RAL ECHO

Baseline versions
dCache version: 3.2.15-1
gfal-* on an up-to-date CentOS 7 node (lxplus7.cern.ch will do) with gfal2-util version 1.5.1 (gfal2 2.15.4)

Issues

  1. Expired delegation is not updated (happens when you start testing on a Friday and come back on a Monday):
    Short term solution: remove delegation from dCache, start afresh.
    Long term solution: wait for dCache fix provided by Dmitry to make it into the release.
  2. Checksums on ECHO: Apparently it doesn't provide any.
    Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node.
    Long term solution: ???
  3. Dynafed's QuoVadis certificate: Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3).
    Short term solution: Procure the certificate from here: Downloads. Distribute it on the head and pool nodes. Remember to make the .0 file and create a link:
[root@blah certificates]#  openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash
35e514f6
[root@blah certificates]# ln -s QuoVadis-SSL-ICA-G3.pem 35e514f6.0
openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash
Make a QuoVadis-SSL-ICA-G3.crl_url file while you are at it.

Dynafed's QuoVadis certificate: Now it gets interesting.
Solution A: On your pool nodes set: dcache.authn.namespace-mode=IGNORE (webdav.authn.namespace-mode=IGNORE didn't seem to be enough).

We also currently have the following settings on our headnode (in dcache.conf)
webdav.enable.third-party.requiring-verification-by-default = false
webdav.authn.namespace-mode=IGNORE
webdav.authn.crl-mode=IGNORE ← I don't think I need that one as I have my crls, but can only restart the head node so often
webdav.authn.ocsp-mode=IGNORE

Now, off you go.

Solution B: The hacker special
Leave dcache.authn.namespace-mode on the default setting. Make yourself (on the pool node) a QuoVadis-SSL-ICA-G3.signing_policy with the following content (and don't forget the link: 35e514f6.signing_policy -> QuoVadis-SSL-ICA-G3.signing_policy):

 access_id_CA   X509    '/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3'
 pos_rights     globus  CA:sign
 cond_subjects  globus  '"/C=GB/*"'

This now matches the RAL Dynafed certificate. Uh oh.

Long term solution: ???
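To see what the "Uh oh" above amounts to, here is an added example (not from the page or from Globus) that reads a signing_policy in the format shown for Solution B and decides whether the named issuer may vouch for a given subject. It evaluates the page's '"/C=GB/*"' condition next to a narrower, constructed one; the subject DNs are made up, and shell case-globbing stands in for the Globus pattern matcher, which is an approximation assumed by this example.

```shell
#!/bin/sh
# Added example, not part of the GridPP page: read a Globus-style signing_policy
# and decide whether a given issuer may vouch for a given subject, to show how
# much the page's cond_subjects '"/C=GB/*"' lets through. The subjects are
# constructed; shell `case` globbing stands in for the Globus pattern matcher
# (an approximation, assumption of this example).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
QV_ICA='/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3'

# write_policy <file> <cond_subjects-pattern>: a policy for the QuoVadis ICA
write_policy() {
  cat > "$1" <<EOF
access_id_CA  X509    '$QV_ICA'
pos_rights    globus  CA:sign
cond_subjects  globus  '"$2"'
EOF
}

# policy_field <file> <key>: value of <key> with the surrounding ' and " removed
policy_field() {
  awk -v k="$2" '$1==k { $1=""; $2=""; sub(/^ +/, ""); print; exit }' "$1" \
    | sed "s/^'//; s/'\$//; s/^\"//; s/\"\$//"
}

# policy_allows <file> <issuer-dn> <subject-dn>: exit 0 if allowed, 1 if not
policy_allows() {
  ca=$(policy_field "$1" access_id_CA)
  pat=$(policy_field "$1" cond_subjects)
  [ "$2" = "$ca" ] || return 1          # a different issuer never matches this policy
  case "$3" in
    $pat) return 0 ;;                   # unquoted so it is used as a glob pattern
    *)    return 1 ;;
  esac
}

WIDE="$WORK/wide.signing_policy";     write_policy "$WIDE" '/C=GB/*'                 # the page's policy
NARROW="$WORK/narrow.signing_policy"; write_policy "$NARROW" '/C=GB/O=Example Lab/*' # constructed, tighter

DYNAFED='/C=GB/O=Example Lab/CN=dynafed.example.invalid'    # constructed stand-in for the Dynafed host
OTHER_GB='/C=GB/O=Some Company Ltd/CN=www.example.invalid'  # constructed: unrelated GB subject
NON_GB='/C=DE/O=Example/CN=host.example.invalid'            # constructed: non-GB subject

for p in "$WIDE" "$NARROW"; do
  for s in "$DYNAFED" "$OTHER_GB" "$NON_GB"; do
    if policy_allows "$p" "$QV_ICA" "$s"; then v=ALLOW; else v=DENY; fi
    echo "$(basename "$p"): $v $s"
  done
done
```

With the page's policy every GB-subject certificate issued by that intermediate is accepted by the namespace check, not only the Dynafed host; the narrower pattern keeps the same effect for the one subject that is actually needed.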


Side note: How to remove a delegation

Use 'delegation' from dcache-srmclient-3.0.9-1.noarch (certificates must be installed in /etc/grid-security/certificates):
lx> delegation $ endpoint https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation ← find this in the gfal-copy -vvv log
[https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation]> $ help
[...]
[https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation] $ destroy 1234 ← I can't remember where I found this.