
== Certificate authorities ==
To enable mutual authentication and secure communication between the client (which is used by the probe) and the QCG-Broker service, a set of trusted CA certificates must either be copied into the /etc/grid-security/certificates directory or be configured individually for the test user.

=== EGI IGTF CAs ===
Install the EGI-accepted CA certificates (this also installs the Polish Grid CA):
 * Add the appropriate YUM repository
{{{
#!div style="font-size: 90%"
{{{#!sh
cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF
[EGI-trustanchors]
name=EGI-trustanchors
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1
EOF
}}}
}}}

 * Install the certificates
{{{
#!div style="font-size: 90%"
{{{#!sh
yum install ca-policy-egi-core
}}}
}}}

The above instructions are based on this [https://wiki.egi.eu/wiki/EGI_IGTF_Release manual].

=== PL-Grid Simple-CA certificate (PL-Grid only) ===
 * Add the appropriate YUM repository
{{{
#!div style="font-size: 90%"
{{{#!sh
cat > /etc/yum.repos.d/plgrid.repo << EOF
[PLGRID-general]
name=PLGRID general packages repository
baseurl=http://software.plgrid.pl/packages/general/
enabled=1
metadata_expire=300
gpgcheck=0
EOF
}}}
}}}

 * Install the certificates
{{{
#!div style="font-size: 90%"
{{{#!sh
yum install ca_PLGRID-SimpleCA
}}}
}}}

=== Certificate Revocation List - CRL ===
Configure the system to periodically update the information about revoked certificates.

 * Add the appropriate YUM repository
{{{
#!div style="font-size: 90%"
{{{#!sh
cat > /etc/yum.repos.d/fetch-crl.repo << EOF
[EUGRIDPMA-fetch-crl]
name=EUGRIDPMA fetch-crl repository
baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/
enabled=1
metadata_expire=300
gpgcheck=0
EOF
}}}
}}}

 * Install the certificate revocation list fetching utility
{{{
#!div style="font-size: 90%"
{{{#!sh
yum install fetch-crl
}}}
}}}

 * Get fresh CRLs now
{{{
#!div style="font-size: 90%"
{{{#!sh
/usr/sbin/fetch-crl
}}}
}}}

 * Install a cron job for fetching CRLs
{{{
#!div style="font-size: 90%"
{{{#!sh
cat > /etc/cron.daily/fetch-crl.cron << EOF
#!/bin/sh
/usr/sbin/fetch-crl
EOF
}}}
}}}

{{{
#!div style="font-size: 90%"
{{{#!sh
chmod a+x /etc/cron.daily/fetch-crl.cron
}}}
}}}
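
A check for the trust settings in the repository definitions above, as an added example that is not part of the original page: it flags stanzas that set gpgcheck=0 or that fetch packages or signing keys over plain http://. The function names, finding labels and script name are assumptions; the sample input is constructed from two of the repository stanzas on this page.

```shell
#!/bin/sh
# Added example (not from the original page): audit yum .repo files for
# settings that weaken package trust. Output: "file:section:FINDING".
# Only an explicit gpgcheck=0 is flagged; a repo without the key inherits
# the [main] setting from yum.conf, which this script does not read.
audit_repo_file() {
    awk -v file="$1" '
        function report(what) { print file ":" section ":" what; bad = 1 }
        function check_section() {
            if (section == "") return
            if (gpgcheck ~ /^(0|no|false)$/) report("GPGCHECK_DISABLED")
            if (index(baseurl, "http://") == 1) report("HTTP_BASEURL")
            if (index(gpgkey, "http://") == 1) report("HTTP_GPGKEY")
        }
        /^[ \t]*[#;]/ { next }                     # comment line
        /^[ \t]*\[/ {                              # start of a new [section]
            check_section()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            gpgcheck = baseurl = gpgkey = ""
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl") baseurl = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { check_section(); exit bad + 0 }      # exit 1 if anything was flagged
    ' "$1"
}

# Constructed sample: two of the repository stanzas shown on this page.
write_sample() {
    cat > "$1" << 'EOF'
[EGI-trustanchors]
baseurl=http://repository.egi.eu/sw/production/cas/1/current/
gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
[PLGRID-general]
baseurl=http://software.plgrid.pl/packages/general/
gpgcheck=0
EOF
}

# Usage (hypothetical script name): sh audit-repos.sh /etc/yum.repos.d/*.repo
for f in "$@"; do audit_repo_file "$f" || status=1; done
```

A finding on the repository that delivers the CA certificates matters most, because those packages define which certificate authorities the host trusts.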