---
layout: default
title: Trust
---

# ESG Federation Trust Roots

This page is the central source for all ESG Federation trust root information. It provides a distribution of all trust roots that need to be trusted by Gateways and Data Nodes that participate in the ESG Federation.

## PKI Trust Roots

These are the CA certificates that are trusted by ESG Federation services. The hash is the OpenSSL subject hash under which each certificate is installed in /etc/grid-security/certificates.

| Certificate Hash | Certificate DN |
|---|---|
| 246d7a36 | /O=ESG-CET/OU=NCAR/OU=simpleCA-vetswebprod.ucar.edu/CN=ESG-NCAR CA |
| 272a3167 | /O=Grid/OU=GlobusTest/OU=simpleCA-wawona.ca.sandia.gov/CN=Globus Simple CA |
| 2d96ae6d | /O=ESG/OU=ESG-JPL/CN=jpl-esg.jpl.nasa.gov |
| 1d552c87 | /O=ESG/OU=ESG-ANL/OU=www.esg.anl.gov/CN=ANL Gateway CA |
| 30ffc224 | /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01 |
| 02b2d53d | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 |
| 25552524 | /O=ESG/OU=ESG-NCAR/OU=vetswebprod.ucar.edu/CN=NCAR Gateway CA |
| 12d0da68 | /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 |
| 7cef5492 | /C=AU/O=APACGrid/OU=CA/CN=APACGrid/emailAddress=camanager@vpac.org |
| f081611a | /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority |
| 241a8801 | /C=US/ST=IL/L=Chicago/O=ANL/OU=ESG/CN=dev.esg.anl.gov |
| f131b364 | /C=US/O=GeoTrust, Inc./CN=RapidSSL CA |
| 3513523f | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA |
| 971d4d32 | /O=Grid/OU=GlobusTest/OU=simpleCA-esgf.nccs.nasa.gov/CN=Globus Simple CA |
| 6425fbc5 | /O=Grid/OU=GlobusTest/OU=simpleCA-adm07.cmcc.it/CN=Globus Simple CA |
| 157753a5 | /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root |
| d2f4a5b9 | /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi6.llnl.gov/CN=Globus Simple CA |
| 563d35fe | /O=Grid/OU=GlobusTest/OU=simpleCA-esg01.nersc.gov/CN=Globus Simple CA |
| f18deb20 | /O=ESG/OU=ESG-NERSC/OU=esg.nersc.gov/CN=NERSC Gateway CA |
| eb99629b | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 |
| 812e17de | /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 |
| 578d5c04 | /C=US/O=Equifax/OU=Equifax Secure Certificate Authority |
| 542ea116 | /O=Grid/OU=GlobusTest/OU=simpleCA-esg2.nci.org.au/CN=Globus Simple CA |
| 4f654c5b | /O=ESGF/OU=JPL/CN=ESG JPL Test CA |
| de6347de | /O=Grid/OU=GlobusTest/OU=simpleCA-esg2.mgmt/CN=Globus Simple CA |
| 8722d9d5 | /C=AU/postalCode=0200/ST=ACT/L=Canberra/street=Cnr Garran and Ward Roads/O=The Australian National University/OU=DOI/CN=esg.nci.org.au |
| 5de29f67 | /O=ESGF/OU=esg-datanode.jpl.nasa.gov/CN=NASA JPL |
| b1159c4c | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA |
| d1f1d944 | /O=ESGF/OU=ESGF.ORG/OU=DKRZ/CN=esgf-data.dkrz.de |
| 6d330c32 | /O=Grid/OU=Globus/OU=bvlpenes.knmi.nl/CN=Globus Simple CA |
| 1ec4d31a | /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network |
| dfc28aa6 | /C=DE/O=Deutsches Klimarechenzentrum GmbH/CN=DKRZ CA - G02/emailAddress=pki@dkrz.de |
| 42a8256f | /C=AU/postalCode=0200/ST=ACT/L=Canberra/street=Cnr Garran and Ward Roads/O=The Australian National University/OU=DOI/CN=esgnode1.nci.org.au |
| ab21bdac | /serialNumber=ciWxj3m6pqiqdUPU1xMPnzHSpiF6F1ZS/C=US/O=esg-gateway.jpl.nasa.gov/OU=GT59609478/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=esg-gateway.jpl.nasa.gov |
| 9d0a75f2 | /O=Grid/OU=GlobusTest/OU=simpleCA-esgf-node.ipsl.fr/CN=Globus Simple CA |
| 46117fcc | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 |
| 244b5494 | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA |
| 99b0865c | /C=AU/O=AusCERT/OU=Certificate Services/CN=AusCERT Server CA |
| 3262c85d | /O=ESGF/OU=ESGF.ORG/CN=esg.bnu.edu.cn |
| 226b9045 | /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA |
| dd6acc3f | /O=ESG/OU=ESG-ORNL/OU=NCCS/CN=esg2-gw.ccs.ornl.gov |
| 2fafbae8 | /C=GB/O=Science and Technology Facilities Council/OU=RAL-SPBU/CN=ceda.ac.uk |
| 598630ad | /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 |
| 7ed47087 | /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root |
| 28e46182 | /O=ESGF/OU=ESGF.ORG/CN=esg.ccs.ornl.gov |
| d9be2151 | /C=NL/O=TERENA/CN=TERENA SSL CA |
| 6107e209 | /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01 |
| 7162f3c9 | /O=Grid/OU=GlobusTest/OU=simpleCA-esg.nci.org.au/CN=Globus Simple CA |
| cbf06781 | /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 |
| 7c60f3f7 | /C=DE/O=DKRZ/OU=WDCC/CN=ESG-DKRZ ipcc-ar5 |
| 993715d8 | /DC=uk/DC=ac/DC=ceda/O=STFC RAL/CN=Centre for Environmental Data Archival |
| 0119347c | /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1 |
| 06c34218 | /O=Grid/OU=GlobusTest/OU=simpleCA-dev-hydra.esrl.pri/CN=Globus Simple CA |
| 746ef087 | /O=Grid/OU=GlobusTest/OU=simpleCA-dev.esg.anl.gov/CN=Globus Simple CA |
| 241a8801 | /C=US/ST=IL/L=Chicago/O=ANL/OU=ESG/CN=dev.esg.anl.gov |
| c4949a23 | /O=Grid/OU=GlobusTest/OU=simpleCA-esg.ccs.ornl.gov/CN=Globus Simple CA |
| 439ce3f7 | /C=UK/O=eScienceSLCSHierarchy/OU=Authority/CN=SLCS Top Level CA |
| 52440ff8 | /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi.llnl.gov/CN=Globus Simple CA |
| 6e5da70c | /C=DE/O=DKRZ/OU=WDCC/CN=ESG-DKRZ CA (albedo2) |
| b204d74a | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 |
| b13cc6df | /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware |
| 530f7122 | /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B |

A gzip-compressed tar archive of all of these CA certificates and their signing policy files is available here.

For convenience, a Java truststore containing the above certificates is also provided.


## Using PKI Trust Roots: Trusted CA Certificates

This section briefly describes how to consume the tarball archive above. First it must be downloaded and its md5sum verified against the published value; because the download below uses `--no-check-certificate`, that checksum comparison is the only integrity check performed on the archive, so do not skip it. After that, extract the archive to a temporary directory and copy its contents into /etc/grid-security/certificates. The commands to do this look something like the following:

```console
neillm@boiler:~$ cd /tmp
neillm@boiler:/tmp$ mkdir TMPCERTS
neillm@boiler:/tmp$ cd TMPCERTS/
neillm@boiler:/tmp/TMPCERTS$ wget --no-check-certificate https://rainbow.llnl.gov/dist/certs/esg-trusted-certificates.tar
--2010-08-23 09:05:06--  https://rainbow.llnl.gov/dist/certs/esg-trusted-certificates.tar
Resolving rainbow.llnl.gov... 198.128.245.140
Connecting to rainbow.llnl.gov... 198.128.245.140... :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14250 (14K) [application/x-tar]
Saving to: `esg-trusted-certificates.tar

100%[==============================================================================>] 14,250      --.-K/s   in 0.02s

2010-08-23 09:05:06 (609 KB/s) - `esg-trusted-certificates.tar saved [14250/14250]

neillm@boiler:/tmp/TMPCERTS$ md5sum esg-trusted-certificates.tar
[ MAKE SURE THIS VALUE MATCHES THE ONE LISTED ABOVE ]
neillm@boiler:/tmp/TMPCERTS$ tar -xf esg-trusted-certificates.tar
neillm@boiler:/tmp/TMPCERTS$ sudo cp esg-trusted-certificates/* /etc/grid-security/certificates/
```
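The following POSIX shell function is an added example (not part of the ESGF page or its tooling) that performs the checks from the procedure above before anything is copied into /etc/grid-security/certificates: it compares the tarball's md5sum with the published value, confirms that every `<hash>.0` CA certificate in the archive has a matching `<hash>.signing_policy` file, and, when openssl is available, checks that the file name really is the certificate's subject hash under either the current or the pre-1.0 OpenSSL hash scheme (listings from this period may use either). The function name and its expected-md5 argument are assumptions; the page itself does not print the checksum.

```shell
#!/bin/sh
# Added example, not part of the ESGF page: validate a trust-root tarball
# before it is copied into /etc/grid-security/certificates.
# Usage: verify_trust_bundle <tarball> <expected-md5>
# Returns 0 only if every check passes; <expected-md5> must be the value
# published alongside the archive, not one computed from the download.
verify_trust_bundle() {
    tarball=$1
    expected_md5=$2
    actual_md5=$(md5sum "$tarball" | cut -d' ' -f1)
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "md5 mismatch: got $actual_md5, expected $expected_md5" >&2
        return 1
    fi
    workdir=$(mktemp -d) || return 1
    tar -xf "$tarball" -C "$workdir" || { rm -rf "$workdir"; return 1; }
    status=0
    count=0
    # Each CA is installed as <subject-hash>.0 plus <subject-hash>.signing_policy;
    # Globus GSI will not accept certificates from a CA whose policy file is missing.
    for cert in $(find "$workdir" -name '*.0'); do
        count=$((count + 1))
        hash=$(basename "$cert" .0)
        if [ ! -f "$(dirname "$cert")/$hash.signing_policy" ]; then
            echo "$hash.0: missing signing_policy file" >&2
            status=1
            continue
        fi
        # Confirm the file name really is the certificate's subject hash.
        # Accept both the current (OpenSSL >= 1.0) and the old hash scheme.
        if command -v openssl >/dev/null 2>&1; then
            new=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null || true)
            old=$(openssl x509 -in "$cert" -noout -subject_hash_old 2>/dev/null || true)
            if [ "$hash" != "$new" ] && [ "$hash" != "$old" ]; then
                echo "$hash.0: name does not match subject hash ($new / $old)" >&2
                status=1
            fi
        fi
    done
    [ "$count" -gt 0 ] || { echo "no CA certificates found in archive" >&2; status=1; }
    rm -rf "$workdir"
    return $status
}
```

Only after the function returns 0 should the extracted files be copied into /etc/grid-security/certificates.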

## Using PKI Trust Roots: The TrustStore

To use the trust store provided above, it must be configured for your Java environment, which can be done in a number of ways. If you are using Tomcat, download the file and reference it from your Tomcat configuration as shown below. If you are using it from another Java application, see the command line configuration further down.
Either way, start by downloading the trust store file and verifying its md5sum:

```console
neillm@boiler:/tmp/TMPCERTS$ wget --no-check-certificate https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
--2010-08-24 08:15:56--  https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
Resolving rainbow.llnl.gov... 198.128.245.140
Connecting to rainbow.llnl.gov... 198.128.245.140... :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 82872 (81K) [text/texmacs]
Saving to: `esg-truststore.ts

100%[==============================================================================>] 82,872      --.-K/s   in 0.09s

2010-08-24 08:15:56 (863 KB/s) - `esg-truststore.ts saved [82872/82872]

neillm@boiler:/tmp/TMPCERTS$ md5sum esg-truststore.ts
```

In Tomcat, to configure the use of a particular trust store file, modify the $CATALINA_HOME/conf/server.xml file: find the relevant connector section and add the paths to the trust store and keystore in use. An example section looks like this:

```xml
<!-- Note the attribute names: keystoreFile/keystorePass for the server
     identity and truststoreFile/truststorePass for the client CA trust store. -->
<Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="/PATH/TO/TOMCAT/mykeystore.ks" keystorePass="KEYSTORE-PASSWORD"
           truststoreFile="/PATH/TO/TOMCAT/esg-truststore.ts" truststorePass="TRUSTSTORE-PASSWORD" />
```

After making this configuration change, stop and start Tomcat by running the $CATALINA_HOME/bin/catalina.sh script.

For other command line Java applications, configure the trust store by adding a pointer to it in the $JAVA_OPTS environment variable, for example:

```console
neillm@boiler:/tmp/TMPCERTS$ export JAVA_OPTS="-Djavax.net.ssl.trustStore=/tmp/TMPCERTS/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=TRUSTSTORE-PASSWORD $JAVA_OPTS"
```

## ESG Whitelisting Policy

### Accepted OpenID IdP Endpoint Table

| DN |
|---|
| CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB |
| CN=esg-datanode.jpl.nasa.gov, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT25821476, O=esg-datanode.jpl.nasa.gov, C=US, serialNumber=ROF2RAfDrdcNrCcL4KQEH0-uHPVwt-lK |
| CN=esg-gateway.jpl.nasa.gov, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT59609478, O=esg-gateway.jpl.nasa.gov, C=US, serialNumber=1DfLTHkkGVP1MEf8YZcSQrs4iIRBLY2Y |
| CN=www.earthsystemgrid.org, OU=University Corporation for Atmospheric Research, O=University Corporation for Atmospheric Research, L=Boulder, ST=Colorado, C=US |
| CN=pcmdi3.llnl.gov, OU=ESG-PCMDI, O=Lawrence Livermore National Laboratory, L=Livermore, ST=California, C=US |
| CN=openid.ornl.gov, O=Oak Ridge National Laboratory, L=Oak Ridge, ST=Tennessee, C=US |
| CN=esg2-gw.ccs.ornl.gov, OU=OLCF, O=Oak Ridge National Laboratory, L=Oak Ridge, ST=Tennessee, C=US |
| CN=esg.nersc.gov, OU=ESG-NERSC, O=ESG, L=Berkeley, ST=CA, C=US |
| CN=ipcc-ar5.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
| CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
| CN=esg.nci.org.au, OU=DOI, O=The Australian National University, L=Canberra/streetAddress=Cnr Garran and Ward Roads, ST=ACT, C=AU/postalCode=0200 |
| CN=ANL Gateway CA, OU=www.esg.anl.gov, OU=ESG-ANL, O=ESG |
| CN=ANL Gateway CA, OU=www.esg.anl.gov, OU=ESG-ANL, O=ESG |

NOTE: *Not all of the above OpenID endpoints are operational. If your organization's endpoint is incorrect, please send mail to esgf-admin@lists.llnl.gov ASAP with the correct information.*

### Accepted Gateway Endpoint Table

| Organization | Attribute Service Endpoint | Authorization Service Endpoint | Authorization Authority DN |
|---|---|---|---|
| N/a | N/A | | |

### Accepted Gateway/MyProxy Endpoint Table

| Organization DN |
|---|
| CN=Centre for Environmental Data Archival, O=STFC RAL, DC=ceda, DC=ac, DC=uk |
| CN=Globus Simple CA, OU=simpleCA-pcmdi3.llnl.gov, OU=GlobusTest, O=Grid |
| CN=jpl-esg.jpl.nasa.gov, OU=ESG-JPL, O=ESG |
| CN=ESG-NCAR CA, OU=simpleCA-vetswebprod.ucar.edu, OU=NCAR, O=ESG-CET |
| CN=NCAR Gateway CA, OU=vetswebprod.ucar.edu, OU=ESG-NCAR, O=ESG |
| CN=esg2-gw.ccs.ornl.gov, OU=NCCS, OU=ESG-ORNL, O=ESG |
| CN=ESG-DKRZ ipcc-ar5, OU=WDCC, O=DKRZ, C=DE |
| CN=ESG-DKRZ CA (albedo2), OU=WDCC, O=DKRZ, C=DE |
| CN=NERSC Gateway CA, OU=esg.nersc.gov, OU=ESG-NERSC, O=ESG |
| CN=esg.nci.org.au, OU=DOI, O=The Australian National University, L=Canberra/streetAddress=Cnr Garran and Ward Roads, ST=ACT, C=AU/postalCode=0200 |
| CN=ANL Gateway CA, OU=www.esg.anl.gov, OU=ESG-ANL, O=ESG |
| CN=Globus Simple CA, OU=simpleCA-dev.esg.anl.gov, OU=GlobusTest, O=Grid |

### Accepted Datanode Endpoint Table

| DN |
|---|
| CN=cmip1.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
| CN=cmip2.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
| CN=esgnode1.nci.org.au, OU=DOI, O=The Australian National University, L=Canberra/streetAddress=Cnr Garran and Ward Roads, ST=ACT, C=AU/postalCode=0200 |
| CN=cmip-dn.badc.rl.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB |
| CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE |
| CN=TERENA SSL CA, O=TERENA, C=NL |
| CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com/, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US |
| CN=esg-datanode.nersc.gov, OU=ESG-NERSC, O=ESG, L=Berkeley, ST=CA, C=US |
| CN=esg-datanode.jpl.nasa.gov, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT25821476, O=esg-datanode.jpl.nasa.gov, C=US, serialNumber=ROF2RAfDrdcNrCcL4KQEH0-uHPVwt-lK |
| C=US, ST=IL, O=ESG, OU=ANL, CN=esg.anl.gov |
| CN=Globus Simple CA, OU=simpleCA-dev.esg.anl.gov, OU=GlobusTest, O=Grid |