Version 2 (modified by piontek, 11 years ago) (diff)

Certificate authorities

To enable mutual authentication and secure communication between the QCG clients and the service, a set of trusted CA certificates must either be copied into the /etc/grid-security/certificates directory or configured individually for every user.

EGI IGTF CAs

Install the EGI accepted CA certificates (this also installs the Polish Grid CA).

  • Add appropriate YUM repository
    cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF
    [EGI-trustanchors]
    name=EGI-trustanchors
    baseurl=http://repository.egi.eu/sw/production/cas/1/current/
    gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
    gpgcheck=1
    enabled=1
    EOF
    
  • Install certificates
    yum install ca-policy-egi-core
    

The above instructions are based on this manual.

PL-Grid Simple-CA certificate (PL-Grid only)

  • Add appropriate YUM repository
    cat > /etc/yum.repos.d/plgrid.repo << EOF
    [PLGRID-general]
    name=PLGRID general packages repository
    baseurl=http://software.plgrid.pl/packages/general/
    enabled=1
    metadata_expire=300
    gpgcheck=0
    EOF
    
  • Install certificates
    yum install ca_PLGRID-SimpleCA
    

Certificate Revocation List - CRL

Configure the system to periodically update the information about revoked certificates.

  • Add appropriate YUM repository
    cat > /etc/yum.repos.d/fetch-crl.repo << EOF
    [EUGRIDPMA-fetch-crl]
    name=EUGRIDPMA fetch-crl repository
    baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/
    enabled=1
    metadata_expire=300
    gpgcheck=0
    EOF
    
  • Install certificate revocation list fetching utility
    yum install fetch-crl
    
  • Get fresh CRLs now
    /usr/sbin/fetch-crl 
    
  • Install cron job for fetching CRLs
    cat > /etc/cron.daily/fetch-crl.cron << EOF
    #!/bin/sh 
    /usr/sbin/fetch-crl
    EOF
    
    chmod a+x /etc/cron.daily/fetch-crl.cron
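
The repository files created above deliver trust anchors and the CRL tooling, so it is worth checking how each one authenticates its packages. The following is an added example, not part of the original instructions: the function name audit_repos and its output format are assumptions made here, and it reports every enabled repository section that has signature checking off or a plain http:// baseurl.

```shell
#!/bin/sh
# Added example: audit yum .repo files for unauthenticated package sources.
# audit_repos [DIR] prints one finding per line: "<file>:[<section>] <issue>".
# DIR defaults to /etc/yum.repos.d; the function name is hypothetical.
audit_repos() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            # Emit findings for the section that has just ended.
            function report() {
                if (section == "" || enabled == "0") return
                if (gpgcheck == "0")
                    print file ":[" section "] gpgcheck=0"
                else if (gpgcheck == "")
                    print file ":[" section "] gpgcheck not set in this section"
                if (baseurl ~ /^http:/)
                    print file ":[" section "] baseurl uses plain http"
            }
            /^[ \t]*[#;]/ { next }              # skip comment lines
            /^[ \t]*\[/ {                       # new [section] header
                report()
                section = $0
                gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
                gpgcheck = ""; baseurl = ""; enabled = "1"
                next
            }
            /=/ {                               # key=value line
                key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "gpgcheck") gpgcheck = val
                else if (key == "baseurl") baseurl = val
                else if (key == "enabled") enabled = val
            }
            END { report() }
        ' "$f"
    done
}
```

Source the file and run audit_repos /etc/yum.repos.d after creating the repository files; an empty result means every enabled section has gpgcheck=1 and a non-http baseurl.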