Difference: NGI_ITCentralBanning (1 vs. 9)

Revision 9 2014-02-03 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 82 to 82
  For support requests, sites can open a ticket using our local ticketing system.
Changed:
<
<
Please assign ticket to Central Support department and subject Central ban for YOUR_SITE_NAME
>
>
Please assign ticket to Central Support department and subject Central ban YOUR_SITE_NAME
 \ No newline at end of file
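Review bot: the new subject wording drops "for", leaving "Central ban YOUR_SITE_NAME", which reads as a fragment; keep "Central ban for YOUR_SITE_NAME" (or quote the site name, as the "Enable Argus server for "YOUR_SITE_NAME"" template on this page does) so the two ticket templates stay consistent.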

Revision 8 2014-01-31 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 10 to 10
  The solution is based on the Argus service able to deal with ban policy for certificate DNs. A three level hierachy for Argus (EGI, NGI and site levels) allows to centrally (EGI level) define banning policy inherited by both NGI and site levels.
Changed:
<
<
To take into account sites without Argus, the central banning setup considers the two following scenarios
>
>
To take into account sites without Argus, the central banning setup considers the two scenarios Site with Argus, Site without Argus.
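Review bot: the rewritten sentence runs the two section titles into the prose without punctuation ("considers the two scenarios Site with Argus, Site without Argus."); suggest "considers the following two scenarios: Site with Argus and Site without Argus." so readers recognise them as the headings that follow.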
 
Line: 19 to 19
 

Enabling site Argus to read NGI Argus policy

In order to download the ban policy from the NGI Argus you have to ask to the NGI granting read access for your Argus's DN.

Changed:
<
<
Please submit a ticket to the NGI_IT support unit using the following template
>
>
Please submit a ticket to the Central Support support unit using the following template
 
Changed:
<
<
Assign To NGI_IT
Subject Enable Argus server for site "SITENAME"
>
>
Assign To Central Support
Subject Enable Argus server for "YOUR_SITE_NAME"
 
Description Please add the following Argus DN: "DN of your Argus server"

Once your Argus is granted with the proper privileges, sites can add the NGI_IT Argus as a remote Policy Administration Point (PAP).
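Review bot: the template now routes the request to Central Support, but the sentence before it still says "ask to the NGI granting read access"; reword to "ask the NGI, through the Central Support unit, to grant read access for your Argus's DN" so the prose and the Assign To field agree. The template also never says where the DN comes from; a hint such as `openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem` (run on the Argus host) would save sites a ticket round trip.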

Line: 66 to 66
 Site without Argus server can download the ban policy file publicly available here and integrate it with local site policy.

Such file will comprise the list of EGI and/or NGI banned DNs and needs to be stored in the CREAM CE ban file located at /etc/lcas/ban_users.db

Changed:
<
<
Site can cron the download to have it schedelued in the background. The following snippet can be considered as a proof of concept of the cron:
>
>
Sites can cron the download from their CEs to have it schedelued in the background.

The following snippet is a proof of concept that ignores local site policy previously defined:

 
cat /etc/cron.d/fetch-banlist
Line: 76 to 77
  0 * * * * root (sleep $(($RANDOM\%40+10))) && http_status=$(curl -sL -w '\%{http_code}' --connect-timeout 60 --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -o /dev/null); [ $http_status -eq 200 ] && (curl -s --connect-timeout 60 --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -o /etc/lcas/ban_users.db)
Added:
>
>

Ask for support

For support requests, sites can open a ticket using our local ticketing system.

Please assign ticket to Central Support department and subject Central ban for YOUR_SITE_NAME
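Review bot: the snippet is now labelled as ignoring local site policy, but the paragraph above still tells sites to "integrate it with local site policy", so the two statements contradict each other. Suggest keeping site-specific DNs in a separate file (for instance /etc/lcas/ban_users.db.local, a name proposed here, not on the page) and having the cron job concatenate the downloaded list with it into /etc/lcas/ban_users.db, so a central update never silently drops a local ban. Separately, the status probe uses `curl -sL` while the actual download omits `-L`; if the repository ever answers with a redirect, the probe reports 200 and the second call writes the redirect response into the ban file. Fetching once into a temporary file, capturing `%{http_code}` from that same call and moving it into place only on 200, removes both the double fetch and the mismatch.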

Revision 7 2014-01-30 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 44 to 44
  pap-admin set-paps-order ngi_it default
Changed:
<
<
Set polling interval to 1 hour (Please carefully consider this operation since can influence your Argus performances)
>
>
Set polling interval to 10 minutes (Please carefully consider this operation since could influence your Argus performances)
  pap-admin set-polling-interval 600

Revision 6 2014-01-20 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 16 to 16
 

Site with Argus

Changed:
<
<
Sites running their own Argus can add the NGI_IT Argus as a remote Policy Administration Point (PAP).
>
>

Enabling site Argus to read NGI Argus policy

In order to download the ban policy from the NGI Argus you have to ask to the NGI granting read access for your Argus's DN. Please submit a ticket to the NGI_IT support unit using the following template

Assign To NGI_IT
Subject Enable Argus server for site "SITENAME"
Description Please add the following Argus DN: "DN of your Argus server"

Once your Argus is granted with the proper privileges, sites can add the NGI_IT Argus as a remote Policy Administration Point (PAP).

 
NGI_IT Argus endpoint argus-it.cnaf.infn.it
NGI_IT Argus DN /C=IT/O=INFN/OU=Host/L=CNAF/CN=argus-it.cnaf.infn.it
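Review bot: the new ticket template should state that the DN requested is the subject of the site Argus host certificate, since "DN of your Argus server" is ambiguous between the host certificate and the service's PAP configuration; sites can read it with `openssl x509 -noout -subject -in /etc/grid-security/hostcert.pem` on the Argus host. It is also worth saying that the grant is what lets the site PAP fetch policy from argus-it.cnaf.infn.it, so the later add-pap step fails with an authorization error until the ticket is processed.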

Revision 5 2014-01-20 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 35 to 35
  pap-admin set-paps-order ngi_it default
Changed:
<
<
Set polling interval to 1 hour
>
>
Set polling interval to 1 hour (Please carefully consider this operation since can influence your Argus performances)
 
Changed:
<
<
pap-admin set-polling-interval 3600
>
>
pap-admin set-polling-interval 600
 
Added:
>
>
Reload policy and clear cache
/etc/init.d/argus-pdp reloadpolicy
/etc/init.d/argus-pepd clearcache
 Verify new remote policy by using --all option with pap-admin client

pap-admin lp --all
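Review bot: the description still says "Set polling interval to 1 hour" while the command was changed to `pap-admin set-polling-interval 600`, which is 10 minutes (the value is in seconds); one of the two needs to change. The new performance warning would be more useful with the reason stated: a shorter interval makes the site PAP fetch the remote policy more often, which is where the cost comes from. The added `reloadpolicy` and `clearcache` steps are correctly placed before `pap-admin lp --all`, since the PEPD caches authorization results and would otherwise keep answering from pre-update decisions.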

Line: 49 to 54
 

Site without Argus

Changed:
<
<
Site without Argus server can download the ban policy file publicly available here and integrate it with local site policy.
>
>
Site without Argus server can download the ban policy file publicly available here and integrate it with local site policy.
  Such file will comprise the list of EGI and/or NGI banned DNs and needs to be stored in the CREAM CE ban file located at /etc/lcas/ban_users.db
Changed:
<
<
Site can cron the download to have it schedelued in the background. For instance you can place in cron.d the following snippet:
>
>
Site can cron the download to have it schedelued in the background. The following snippet can be considered as a proof of concept of the cron:
 
cat /etc/cron.d/fetch-banlist 
Added:
>
>
 # Fetch ban list from central NGI repository # and add DNs to ban_users.db file
Line: 58 to 65
 # Fetch ban list from central NGI repository # and add DNs to ban_users.db file
Changed:
<
<
* */1 * * * root (sleep $(($RANDOM\%40+10))) && wget http://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -O - > /etc/lcas/ban_users.db
>
>
0 * * * * root (sleep $(($RANDOM\%40+10))) && http_status=$(curl -sL -w '\%{http_code}' --connect-timeout 60 --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -o /dev/null); [ $http_status -eq 200 ] && (curl -s --connect-timeout 60 --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -o /etc/lcas/ban_users.db)
  \ No newline at end of file
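Review bot: the schedule fix is right: `* */1 * * *` fired every minute (`*/1` in the hour field is the same as `*`), whereas `0 * * * *` runs once at the top of each hour, and the `sleep $(($RANDOM\%40+10))` spreads site downloads over the following minute (the backslash before `%` is required, because an unescaped `%` ends the command in a crontab). Two problems remain in the new line: the file is fetched twice, so the copy written to /etc/lcas/ban_users.db is not the one whose HTTP status was checked, and the second `curl` lacks the `-L` of the first. Download once to a temporary file, take `%{http_code}` from that same call, and `mv` it over the live file only on 200; that also stops an interrupted transfer from leaving a truncated ban list in place.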

Revision 4 2013-11-29 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 49 to 49
 

Site without Argus

Changed:
<
<
Site without Argus server can download the ban policy file publicly available here
>
>
Site without Argus server can download the ban policy file publicly available here and integrate it with local site policy.
  Such file will comprise the list of EGI and/or NGI banned DNs and needs to be stored in the CREAM CE ban file located at /etc/lcas/ban_users.db Site can cron the download to have it schedelued in the background. For instance you can place in cron.d the following snippet:

Revision 3 2013-11-28 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 58 to 58
 # Fetch ban list from central NGI repository # and add DNs to ban_users.db file
Changed:
<
<
10 1 * * * root wget http://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -O - > /etc/lcas/ban_users.db
>
>
* */1 * * * root (sleep $(($RANDOM\%40+10))) && wget http://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -O - > /etc/lcas/ban_users.db
  \ No newline at end of file
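Review bot: `* */1 * * *` is not an hourly schedule: the minute field `*` makes the job run every minute, and `*/1` in the hour field is equivalent to `*`, so the random sleep only delays each of those runs. Use `0 * * * *` together with the sleep for the intended once-an-hour fetch. The redirection `> /etc/lcas/ban_users.db` is also a problem: the shell truncates the file before `wget` starts, so a failed or empty download leaves an empty ban file, meaning no banned DNs at all, until the next run. Write to a temporary file and replace the live file only when `wget` exits 0.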

Revision 2 2013-11-08 - GiuseppeMisurelli

Line: 1 to 1
 
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

Line: 39 to 39
  pap-admin set-polling-interval 3600
Changed:
<
<
List local policy with new PAP
>
>
Verify new remote policy by using --all option with pap-admin client
  pap-admin lp --all

Revision 1 2013-11-08 - GiuseppeMisurelli

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="WebHome"

EGI central banning setup for NGI_IT sites

The purpose of deploying the central banning over sites is to implement the EGI CSIRT central emergency suspension policy.

In brief, EGI CSIRT can centrally ban suspected or compromised user and robot certificates whenever they can be used to submit jobs.

In case a certificate has undergone suspension procedure NGIs and sites security contact will be promptly informed.

The solution is based on the Argus service able to deal with ban policy for certificate DNs. A three level hierachy for Argus (EGI, NGI and site levels) allows to centrally (EGI level) define banning policy inherited by both NGI and site levels.

To take into account sites without Argus, the central banning setup considers the two following scenarios

Site with Argus

Sites running their own Argus can add the NGI_IT Argus as a remote Policy Administration Point (PAP).

NGI_IT Argus endpoint argus-it.cnaf.infn.it
NGI_IT Argus DN /C=IT/O=INFN/OU=Host/L=CNAF/CN=argus-it.cnaf.infn.it

Using pap-admin utility to add NGI_IT PAP to your Argus

Add NGI_IT PAP (aka ngi_it)

pap-admin add-pap ngi_it argus-it.cnaf.infn.it "/C=IT/O=INFN/OU=Host/L=CNAF/CN=argus-it.cnaf.infn.it"

Enable new NGI_IT PAP (aka ngi_it)

pap-admin enable-pap ngi_it

Make the new ngi_it PAP as the default one

pap-admin set-paps-order ngi_it default

Set polling interval to 1 hour

pap-admin set-polling-interval 3600

List local policy with new PAP

pap-admin lp --all

Preventing yaim overwrites for added PAPs

Yaim is unable to configure and add new PAPs (no yaim variables provided) so running yaim on the Argus server can potentially remove added PAPs. To avoid such situation sites should perform the procedure to add NGI_IT PAP everytime they run yaim on the Argus server. You can script the procedure or use a configuration management tool like Puppet to automate such procedure.

Site without Argus

Site without Argus server can download the ban policy file publicly available here

Such file will comprise the list of EGI and/or NGI banned DNs and needs to be stored in the CREAM CE ban file located at /etc/lcas/ban_users.db Site can cron the download to have it schedelued in the background. For instance you can place in cron.d the following snippet:

cat /etc/cron.d/fetch-banlist 
# Fetch ban list from central NGI repository
# and add DNs to ban_users.db file

10  1  *  *  *  root wget http://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -O - > /etc/lcas/ban_users.db
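Review bot: the ban list is fetched over plain http with no server authentication or integrity check, so the content of /etc/lcas/ban_users.db is only as trustworthy as the network path to repo-cnaf.cnaf.infn.it; the page should require an https endpoint verified against /etc/grid-security/certificates from the start, since this file decides who may submit jobs. The "Preventing yaim overwrites" section would also be clearer if it named the commands that must be re-run after yaim (`add-pap`, `enable-pap`, `set-paps-order`, `set-polling-interval`) instead of "the procedure", so that a Puppet or script author knows exactly what to reapply.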
 