| 20 | | To enable mutual authentication and secure communication between the client and the QCG-Broker service set of trusted CA certificates must be copied either into the /etc/grid-security/certificates directory or configured individually for every user. |
| 21 | | |
| 22 | | === EGI IGTF CAs === |
| 23 | | Install EGI Accepted CA certificates (this also install the Polish Grid CA) |
| 24 | | * Add appropriate YUM repository |
| 25 | | {{{ |
| 26 | | #!div style="font-size: 90%" |
| 27 | | {{{#!sh |
| 28 | | cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF |
| 29 | | [EGI-trustanchors] |
| 30 | | name=EGI-trustanchors |
| 31 | | baseurl=http://repository.egi.eu/sw/production/cas/1/current/ |
| 32 | | gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3 |
| 33 | | gpgcheck=1 |
| 34 | | enabled=1 |
| 35 | | EOF |
| 36 | | }}} |
| 37 | | }}} |
| 38 | | |
| 39 | | * Install certificates |
| 40 | | {{{ |
| 41 | | #!div style="font-size: 90%" |
| 42 | | {{{#!sh |
| 43 | | yum install ca-policy-egi-core |
| 44 | | }}} |
| 45 | | }}} |
| 46 | | |
| 47 | | The above instruction is based on this [https://wiki.egi.eu/wiki/EGI_IGTF_Release manual] |
| 48 | | |
| 49 | | === PL-Grid Simpla-CA certificate (PL-Grid only) === |
| 50 | | * Add appropriate YUM repository |
| 51 | | {{{ |
| 52 | | #!div style="font-size: 90%" |
| 53 | | {{{#!sh |
| 54 | | cat > /etc/yum.repos.d/plgrid.repo << EOF |
| 55 | | [PLGRID-general] |
| 56 | | name=PLGRID general packages repository |
| 57 | | baseurl=http://software.plgrid.pl/packages/general/ |
| 58 | | enabled=1 |
| 59 | | metadata_expire=300 |
| 60 | | gpgcheck=0 |
| 61 | | EOF |
| 62 | | }}} |
| 63 | | }}} |
| 64 | | |
| 65 | | * Install certificates |
| 66 | | {{{ |
| 67 | | #!div style="font-size: 90%" |
| 68 | | {{{#!sh |
| 69 | | yum install ca_PLGRID-SimpleCA |
| 70 | | }}} |
| 71 | | }}} |
| 72 | | |
| 73 | | |
| 74 | | === Certificate Revocation List - CLR === |
| 75 | | Configure the system to periodically update the information about revoked certificates. |
| 76 | | |
| 77 | | * Add appropriate YUM repository |
| 78 | | {{{ |
| 79 | | #!div style="font-size: 90%" |
| 80 | | {{{#!sh |
| 81 | | cat > /etc/yum.repos.d/fetch-crl.repo << EOF |
| 82 | | [EUGRIDPMA-fetch-crl] |
| 83 | | name=EUGRIDPMA fetch-crl repository |
| 84 | | baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/ |
| 85 | | enabled=1 |
| 86 | | metadata_expire=300 |
| 87 | | gpgcheck=0 |
| 88 | | EOF |
| 89 | | }}} |
| 90 | | }}} |
| 91 | | |
| 92 | | * Install certificate revocation list fetching utility |
| 93 | | {{{ |
| 94 | | #!div style="font-size: 90%" |
| 95 | | {{{#!sh |
| 96 | | yum install fetch-crl |
| 97 | | }}} |
| 98 | | }}} |
| 99 | | |
| 100 | | * Get fresh CRLs now |
| 101 | | {{{ |
| 102 | | #!div style="font-size: 90%" |
| 103 | | {{{#!sh |
| 104 | | /usr/sbin/fetch-crl |
| 105 | | }}} |
| 106 | | }}} |
| 107 | | |
| 108 | | * Install cron job for fetching CRLs |
| 109 | | {{{ |
| 110 | | #!div style="font-size: 90%" |
| 111 | | {{{#!sh |
| 112 | | cat > /etc/cron.daily/fetch-crl.cron << EOF |
| 113 | | #!/bin/sh |
| 114 | | /usr/sbin/fetch-crl |
| 115 | | EOF |
| 116 | | }}} |
| 117 | | }}} |
| 118 | | |
| 119 | | {{{ |
| 120 | | #!div style="font-size: 90%" |
| 121 | | {{{#!sh |
| 122 | | chmod a+x /etc/cron.daily/fetch-crl.cron |
| 123 | | }}} |
| 124 | | }}} |
| | 20 | To allow proper mutual authentication between client and service set of Certificate Authorities [CA] certificates has to be installed. |
| | 21 | To install CA certificates please follow the instruction: [[https://www.qoscosgrid.org/trac/qcg/wiki/CA%20certificates | CA certificates installation]] |
