20 | | To enable mutual authentication and secure communication between the client and the QCG-Broker service set of trusted CA certificates must be copied either into the /etc/grid-security/certificates directory or configured individually for every user. |
21 | | |
22 | | === EGI IGTF CAs === |
23 | | Install EGI Accepted CA certificates (this also install the Polish Grid CA) |
24 | | * Add appropriate YUM repository |
25 | | {{{ |
26 | | #!div style="font-size: 90%" |
27 | | {{{#!sh |
28 | | cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF |
29 | | [EGI-trustanchors] |
30 | | name=EGI-trustanchors |
31 | | baseurl=http://repository.egi.eu/sw/production/cas/1/current/ |
32 | | gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3 |
33 | | gpgcheck=1 |
34 | | enabled=1 |
35 | | EOF |
36 | | }}} |
37 | | }}} |
38 | | |
39 | | * Install certificates |
40 | | {{{ |
41 | | #!div style="font-size: 90%" |
42 | | {{{#!sh |
43 | | yum install ca-policy-egi-core |
44 | | }}} |
45 | | }}} |
46 | | |
47 | | The above instruction is based on this [https://wiki.egi.eu/wiki/EGI_IGTF_Release manual] |
48 | | |
49 | | === PL-Grid Simpla-CA certificate (PL-Grid only) === |
50 | | * Add appropriate YUM repository |
51 | | {{{ |
52 | | #!div style="font-size: 90%" |
53 | | {{{#!sh |
54 | | cat > /etc/yum.repos.d/plgrid.repo << EOF |
55 | | [PLGRID-general] |
56 | | name=PLGRID general packages repository |
57 | | baseurl=http://software.plgrid.pl/packages/general/ |
58 | | enabled=1 |
59 | | metadata_expire=300 |
60 | | gpgcheck=0 |
61 | | EOF |
62 | | }}} |
63 | | }}} |
64 | | |
65 | | * Install certificates |
66 | | {{{ |
67 | | #!div style="font-size: 90%" |
68 | | {{{#!sh |
69 | | yum install ca_PLGRID-SimpleCA |
70 | | }}} |
71 | | }}} |
72 | | |
73 | | |
74 | | === Certificate Revocation List - CLR === |
75 | | Configure the system to periodically update the information about revoked certificates. |
76 | | |
77 | | * Add appropriate YUM repository |
78 | | {{{ |
79 | | #!div style="font-size: 90%" |
80 | | {{{#!sh |
81 | | cat > /etc/yum.repos.d/fetch-crl.repo << EOF |
82 | | [EUGRIDPMA-fetch-crl] |
83 | | name=EUGRIDPMA fetch-crl repository |
84 | | baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/ |
85 | | enabled=1 |
86 | | metadata_expire=300 |
87 | | gpgcheck=0 |
88 | | EOF |
89 | | }}} |
90 | | }}} |
91 | | |
92 | | * Install certificate revocation list fetching utility |
93 | | {{{ |
94 | | #!div style="font-size: 90%" |
95 | | {{{#!sh |
96 | | yum install fetch-crl |
97 | | }}} |
98 | | }}} |
99 | | |
100 | | * Get fresh CRLs now |
101 | | {{{ |
102 | | #!div style="font-size: 90%" |
103 | | {{{#!sh |
104 | | /usr/sbin/fetch-crl |
105 | | }}} |
106 | | }}} |
107 | | |
108 | | * Install cron job for fetching CRLs |
109 | | {{{ |
110 | | #!div style="font-size: 90%" |
111 | | {{{#!sh |
112 | | cat > /etc/cron.daily/fetch-crl.cron << EOF |
113 | | #!/bin/sh |
114 | | /usr/sbin/fetch-crl |
115 | | EOF |
116 | | }}} |
117 | | }}} |
118 | | |
119 | | {{{ |
120 | | #!div style="font-size: 90%" |
121 | | {{{#!sh |
122 | | chmod a+x /etc/cron.daily/fetch-crl.cron |
123 | | }}} |
124 | | }}} |
| 20 | To allow proper mutual authentication between client and service set of Certificate Authorities [CA] certificates has to be installed. |
| 21 | To install CA certificates please follow the instruction: [[https://www.qoscosgrid.org/trac/qcg/wiki/CA%20certificates | CA certificates installation]] |
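Review bot: New lines 20-21 mention only installing CA certificates, but the removed section also covered revocation: installing fetch-crl, running /usr/sbin/fetch-crl once, and adding the /etc/cron.daily/fetch-crl.cron job. A reader of the shortened text has no hint that CRLs need to be fetched and refreshed for mutual authentication to reject revoked certificates. Suggest saying so in line 20, for example "a set of Certificate Authority (CA) certificates and their CRLs have to be installed", which also fixes the missing article and the subject-verb agreement in that sentence. Separately, the removed plgrid.repo and fetch-crl.repo definitions set gpgcheck=0, and the EGI and PL-Grid repositories use plain http for baseurl (the EGI gpgkey too), so packages that install trust anchors are fetched without signature verification for two of the three repositories. If these blocks now live on the linked CA certificates page, that page is the place to enable gpgcheck=1 with a gpgkey where the repository publishes one. The removed heading "Certificate Revocation List - CLR" should also read CRL if it is carried over.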