| | 1 | == Certificate authorities == |
| | 2 | To enable mutual authentication and secure communication between the client and the QCG-Broker service set of trusted CA certificates must be copied either into the /etc/grid-security/certificates directory or configured individually for every user. |
| | 3 | |
| | 4 | === EGI IGTF CAs === |
| | 5 | Install EGI Accepted CA certificates (this also install the Polish Grid CA) |
| | 6 | * Add appropriate YUM repository |
| | 7 | {{{ |
| | 8 | #!div style="font-size: 90%" |
| | 9 | {{{#!sh |
| | 10 | cat > /etc/yum.repos.d/egi-trustanchors.repo << EOF |
| | 11 | [EGI-trustanchors] |
| | 12 | name=EGI-trustanchors |
| | 13 | baseurl=http://repository.egi.eu/sw/production/cas/1/current/ |
| | 14 | gpgkey=http://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3 |
| | 15 | gpgcheck=1 |
| | 16 | enabled=1 |
| | 17 | EOF |
| | 18 | }}} |
| | 19 | }}} |
| | 20 | |
| | 21 | * Install certificates |
| | 22 | {{{ |
| | 23 | #!div style="font-size: 90%" |
| | 24 | {{{#!sh |
| | 25 | yum install ca-policy-egi-core |
| | 26 | }}} |
| | 27 | }}} |
| | 28 | |
| | 29 | The above instruction is based on this [https://wiki.egi.eu/wiki/EGI_IGTF_Release manual] |
| | 30 | |
| | 31 | === PL-Grid Simpla-CA certificate (PL-Grid only) === |
| | 32 | * Add appropriate YUM repository |
| | 33 | {{{ |
| | 34 | #!div style="font-size: 90%" |
| | 35 | {{{#!sh |
| | 36 | cat > /etc/yum.repos.d/plgrid.repo << EOF |
| | 37 | [PLGRID-general] |
| | 38 | name=PLGRID general packages repository |
| | 39 | baseurl=http://software.plgrid.pl/packages/general/ |
| | 40 | enabled=1 |
| | 41 | metadata_expire=300 |
| | 42 | gpgcheck=0 |
| | 43 | EOF |
| | 44 | }}} |
| | 45 | }}} |
| | 46 | |
| | 47 | * Install certificates |
| | 48 | {{{ |
| | 49 | #!div style="font-size: 90%" |
| | 50 | {{{#!sh |
| | 51 | yum install ca_PLGRID-SimpleCA |
| | 52 | }}} |
| | 53 | }}} |
| | 54 | |
| | 55 | |
| | 56 | === Certificate Revocation List - CLR === |
| | 57 | Configure the system to periodically update the information about revoked certificates. |
| | 58 | |
| | 59 | * Add appropriate YUM repository |
| | 60 | {{{ |
| | 61 | #!div style="font-size: 90%" |
| | 62 | {{{#!sh |
| | 63 | cat > /etc/yum.repos.d/fetch-crl.repo << EOF |
| | 64 | [EUGRIDPMA-fetch-crl] |
| | 65 | name=EUGRIDPMA fetch-crl repository |
| | 66 | baseurl=https://dist.eugridpma.info/distribution/util/fetch-crl3/ |
| | 67 | enabled=1 |
| | 68 | metadata_expire=300 |
| | 69 | gpgcheck=0 |
| | 70 | EOF |
| | 71 | }}} |
| | 72 | }}} |
| | 73 | |
| | 74 | * Install certificate revocation list fetching utility |
| | 75 | {{{ |
| | 76 | #!div style="font-size: 90%" |
| | 77 | {{{#!sh |
| | 78 | yum install fetch-crl |
| | 79 | }}} |
| | 80 | }}} |
| | 81 | |
| | 82 | * Get fresh CRLs now |
| | 83 | {{{ |
| | 84 | #!div style="font-size: 90%" |
| | 85 | {{{#!sh |
| | 86 | /usr/sbin/fetch-crl |
| | 87 | }}} |
| | 88 | }}} |
| | 89 | |
| | 90 | * Install cron job for fetching CRLs |
| | 91 | {{{ |
| | 92 | #!div style="font-size: 90%" |
| | 93 | {{{#!sh |
| | 94 | cat > /etc/cron.daily/fetch-crl.cron << EOF |
| | 95 | #!/bin/sh |
| | 96 | /usr/sbin/fetch-crl |
| | 97 | EOF |
| | 98 | }}} |
| | 99 | }}} |
| | 100 | |
| | 101 | {{{ |
| | 102 | #!div style="font-size: 90%" |
| | 103 | {{{#!sh |
| | 104 | chmod a+x /etc/cron.daily/fetch-crl.cron |
| | 105 | }}} |
| | 106 | }}} |
