Difference: HostCertificateUpdate (1 vs. 5)

Revision 5 2012-12-13 - CristinaAiftimiei

Line: 1 to 1
 
META TOPICPARENT name="UseCases"
Line: 7 to 7
 

Introduction

Updating the host certificate in /etc/grid-security is not always sufficient: some services have a copy of this certificate which they started with. It is therefore necessary to update those copies and restart these services.
Changed:
<
<
This page tends to sum up services which need to be restarted.
>
>
For an automatic update using the YAIM configuration tool:
  • update host certificates under /etc/grid-security directory
  • reconfigure the whole node using YAIM, not forgetting to use all services (node-types) that need to be mentioned as arguments of the command line.

For a manual configuration please follow the advices bellow:

  • find all locations where you have put copies of the host cert & key files
  • ensure the right ownership and permissions are maintained
  • restart specific services
 
Changed:
<
<

Copies location and permissions

Copies of certificate are in general with the following rights:
>
>

List of known paths and ownerships for individual services:

 
Added:
>
>
  • Copies of certificate shold have the following permissions:
 
  • 644 for public key (hostcert.pem)
  • 600 for the private key (hostkey.pem)
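Review bot: the modes in this added list do not match the listings further down in the same revision. The text says 600 for hostkey.pem, while every ll output for hostkey.pem and tomcat-key.pem shows -r-------- (400). Suggest stating the mode the listings actually use, and naming the expected owner of each copy next to it, since the listings show root, tomcat and glite as owners and a key with the right mode but the wrong owner cannot be read by a service running as another user. The added bullet also has a typo: "shold" should read "should".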
Changed:
<
<
Generally you can easily find the location using locate unix command:
locate hostcert.pem
locate hostkey.pem

but for some services they change the file name like:

  • tomcat-cert.pem
  • tomcat-key.pem

usually you can find the host certificate and key in /etc/grid-security or in a sub directory named like the services (voms, storm, dpm, ...)

  • List for individual services:
    • CREAM CE
            # ll /etc/grid-security/*.pem
>
>
  • Generally you can easily find the location using locate unix command:
    locate cert.pem
    locate key.pem
This will help in case paths have changes between different versions of the same service or they are different between different services. For example you can find also: tomcat-cert.pem & tomcat-key.pem

Please find bellow details for specific services:

  • CREAM CE:
    # ll /etc/grid-security/*.pem
    
    
  -rw-r--r-- 1 root root 1428 Oct 22 10:19 /etc/grid-security/hostcert.pem -r-------- 1 root root 887 Oct 22 10:19 /etc/grid-security/hostkey.pem -rw-r--r-- 1 tomcat root 1428 Nov 12 16:01 /etc/grid-security/tomcat-cert.pem
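Review bot: the replacement search commands in this hunk, locate cert.pem and locate key.pem, depend on the locate database, which only reflects the filesystem as of the last updatedb run, so a copy created since then is not listed and would keep the old certificate. Suggest adding a line to run updatedb first, or to search with find under /etc/grid-security and the service home directories. In the added prose, "paths have changes" should read "paths have changed" and "bellow" should read "below".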
Changed:
<
<
-r-------- 1 tomcat root 887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem

# ll /home/glite/.certs/ total 8 -rw-r--r-- 1 glite glite 1428 Dec 13 06:00 hostcert.pem -r-------- 1 glite glite 887 Nov 12 16:03 hostkey.pem

>
>
-r-------- 1 tomcat root 887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem
    • and, depending on the glite user home directory:
      # ll /var/glite/.certs/*.pem
      -rw-r--r-- 1 glite glite 1419 Dec 13 12:00 /var/glite/.certs/hostcert.pem
      -r-------- 1 glite glite  887 Dec  5 16:59 /var/glite/.certs/hostkey.pem
    • OR
      # ll /home/glite/.certs/*.pem
      -rw-r--r-- 1 glite glite 1428 Dec 13 12:00 /home/glite/.certs/hostcert.pem
      -r-------- 1 glite glite  887 Nov 12 16:03 /home/glite/.certs/hostkey.pem
 
Changed:
<
<

Services to be restarted

>
>

Services to be restarted

 
Changed:
<
<

CREAM-CE

>
>
CREAM-CE
 
  • tomcat5 for SL5
  • tomcat6 for SL6
  • globus-gridftp
Added:
>
>
  • glite-lb-locallogger
 
Changed:
<
<

lcg-CE

>
>
lcg-CE
 
  • globus-gatekeeper
  • globus-gridftp
Changed:
<
<

SE StoRM

>
>
SE StoRM
 
  • storm-backend, storm-frontend, storm-checksum
  • globus-gridftp
Changed:
<
<

SE DPM

>
>
SE DPM
 
  • dpm, dpmcopyd, dpm-gsiftp, dpm-httpd, dpnsdaemon
  • srmv1, srmv2, srmv2.2
  • globus-gridftp
Changed:
<
<

VOMS

>
>
VOMS
 
  • tomcat5
  • voms
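Review bot: the VOMS list keeps tomcat5 alone, while the CREAM-CE list above distinguishes tomcat5 for SL5 and tomcat6 for SL6. Say here whether VOMS is SL5-only or give the SL6 service name as well, so the restart step is not skipped on a host where tomcat5 does not exist.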
Changed:
<
<

WMS

>
>
WMS
 
  • gLite

Revision 4 2012-12-13 - CristinaAiftimiei

Line: 1 to 1
 
META TOPICPARENT name="UseCases"
Line: 9 to 9
  This page tends to sum up services which need to be restarted.
Changed:
<
<

Copies location and rights

>
>

Copies location and permissions

 Copies of certificate are in general with the following rights:

  • 644 for public key (hostcert.pem)
Line: 27 to 27
  usually you can find the host certificate and key in /etc/grid-security or in a sub directory named like the services (voms, storm, dpm, ...)
Added:
>
>
  • List for individual services:
    • CREAM CE
            # ll /etc/grid-security/*.pem
            -rw-r--r-- 1 root   root 1428 Oct 22 10:19 /etc/grid-security/hostcert.pem
            -r-------- 1 root   root  887 Oct 22 10:19 /etc/grid-security/hostkey.pem
            -rw-r--r-- 1 tomcat root 1428 Nov 12 16:01 /etc/grid-security/tomcat-cert.pem
            -r-------- 1 tomcat root  887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem
      
            # ll /home/glite/.certs/
            total 8
            -rw-r--r-- 1 glite glite 1428 Dec 13 06:00 hostcert.pem
            -r-------- 1 glite glite  887 Nov 12 16:03 hostkey.pem
            
 

Services to be restarted

CREAM-CE

Changed:
<
<
  • tomcat5
>
>
  • tomcat5 for SL5
  • tomcat6 for SL6
 
  • globus-gridftp
Added:
>
>
 

lcg-CE

  • globus-gatekeeper

Revision 2 2012-01-05 - CristinaAiftimiei

Line: 1 to 1
 
META TOPICPARENT name="UseCases"
Line: 61 to 61
  * gLite
Deleted:
<
<
-- SergioTraldi - 2012-01-04
 \ No newline at end of file

Revision 1 2012-01-04 - SergioTraldi

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="UseCases"

Whole site: Host certificate update

Introduction

Updating the host certificate in /etc/grid-security is not always sufficient: some services have a copy of this certificate which they started with. It is therefore necessary to update those copies and restart these services.

This page tends to sum up services which need to be restarted.

Copies location and rights

Copies of certificate are in general with the following rights:

* 644 for public key (hostcert.pem) * 600 for the private key (hostkey.pem)

Generally you can easily find the location using locate unix command:

locate hostcert.pem
locate hostkey.pem

but for some services they change the file name like: * tomcat-cert.pem * tomcat-key.pem

usually you can find the host certificate and key in /etc/grid-security or in a sub directory named like the services (voms, storm, dpm, ...)

Services to be restarted

CREAM-CE

* tomcat5 * globus-gridftp

lcg-CE

* globus-gatekeeper * globus-gridftp

SE StoRM

* storm-backend, storm-frontend, storm-checksum * globus-gridftp

SE DPM

* dpm, dpmcopyd, dpm-gsiftp, dpm-httpd, dpnsdaemon * srmv1, srmv2, srmv2.2 * globus-gridftp

VOMS

* tomcat5 * voms

WMS

* gLite

-- SergioTraldi - 2012-01-04

 