INFN-PADOVA wiki
Page: Site.Sanctorum - Last Modified : Mon, 03 Dec 18

Sanctorum Howto

See certificate request instructions for new hosts in MwProblem.HostCertReq

All certificates are stored on the host passtore.pn.pd.infn.it under the user fido.

If the requested certificates are TERENA ones, use the DB to recover the hostkey.pem matching the public hostcert.pem received via zipped mail from the DigiCert CA, e.g.:

mysql -h localhost -u root
mysql> use passtore;
mysql> SELECT id_hostpas,host,AES_DECRYPT(hostkey,'1lc@n3') AS crt FROM hostpas WHERE host = 'egi-cloud';

Certificates autorenewal

IMPORTANT NOTE: When renewing, renew ALL the certificates that are expiring, so as not to lose track of certificates that still have to be renewed.

1. Run the autorenew.py script when any certificates are expiring

cd /home/fido/new_sanctorum
python autorenew.py

This script:

  • checks when certificates are expiring;
  • sends a pre-formatted renewal mail to site admins for each expiring certificate;
  • backs up the old certificates in the oldcrt table.

The expiration limit can be set in sanctorum.conf (crt_TTL parameter; default value crt_TTL=21).
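The expiry check and backup step described above, as an added example that is not the Sanctorum project's own code: it models the hostpas and oldcrt tables in an in-memory SQLite database (the column names not_after and hostcert, the sample hosts and dates, and the mail wording are assumptions).

```python
"""Added example (not autorenew.py itself): which hostpas rows fall inside the
crt_TTL window, the renewal mail built for each, and the backup into oldcrt."""
import sqlite3
from datetime import datetime, timedelta

CRT_TTL = 21  # sanctorum.conf default, taken here to mean days before expiry

def build_sample_db():
    """Constructed hostpas/oldcrt tables; hosts, dates and blobs are sample values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hostpas (id_hostpas INTEGER PRIMARY KEY, host TEXT,
                              not_after TEXT, hostcert BLOB);
        CREATE TABLE oldcrt (id_hostpas INTEGER, host TEXT, not_after TEXT,
                             hostcert BLOB, backed_up_at TEXT);
    """)
    conn.executemany("INSERT INTO hostpas VALUES (?,?,?,?)", [
        (1, "prod-ce-03", "2018-12-10T00:00:00", b"<constructed cert 1>"),
        (2, "egi-cloud",  "2019-06-01T00:00:00", b"<constructed cert 2>"),
        (3, "voms-01",    "2018-11-30T00:00:00", b"<constructed cert 3>"),
    ])
    return conn

def expiring(conn, now, ttl_days=CRT_TTL):
    """Rows expiring within ttl_days; already-expired ones are included, since
    they still need renewal and must not be lost track of."""
    limit = (now + timedelta(days=ttl_days)).isoformat()
    return conn.execute("SELECT id_hostpas, host, not_after FROM hostpas "
                        "WHERE not_after <= ? ORDER BY not_after", (limit,)).fetchall()

def renewal_mail(host, not_after):
    """Pre-formatted request the site admin signs and forwards to the local RA."""
    return ("Subject: host certificate renewal request for {h}.pd.infn.it\n"
            "Cc: grid-services-pd@lists.infn.it\n\n"
            "The host certificate of {h} expires on {d}; please renew it.\n"
            ).format(h=host, d=not_after)

def backup_to_oldcrt(conn, ids, now):
    """Copy the current rows into oldcrt before the renewed cert replaces them."""
    for i in ids:
        conn.execute("INSERT INTO oldcrt SELECT id_hostpas, host, not_after, hostcert, ? "
                     "FROM hostpas WHERE id_hostpas = ?", (now.isoformat(), i))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM oldcrt").fetchone()[0]

def run(now_iso="2018-12-03T00:00:00"):
    """One autorenew pass at the given (constructed) date; returns what it found."""
    now = datetime.fromisoformat(now_iso)
    conn = build_sample_db()
    rows = expiring(conn, now)
    mails = [renewal_mail(h, d) for _, h, d in rows]
    return rows, mails, backup_to_oldcrt(conn, [r[0] for r in rows], now)
```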

2. Send mail to local RA

Site admins have to check their mail inbox for the mails just sent by autorenew.py and then:

  • edit the subject;
  • sign the mail;
  • forward to local RA (Fulvia Costa and Massimo Gravino, remember to put in CC grid-services-pd@lists.infn.it);
  • reply to mail address check of CA.

3. Run the auto_crt_upd.py script when the CA notifies the renewal of any certificate

python auto_crt_upd.py

This script:

  • checks which certificates are missing in the hostpas table;
  • downloads the renewed certificates directly from CA;
  • installs them in /etc/grid-security/ of the corresponding host;
  • notifies by mail.

IMPORTANT: Site admins only have to copy the renewed certificates to any needed path other than /etc/grid-security/.

VERY IMPORTANT: The VOMS server host certificate update needs particular care; it has to be updated only when the new ig-vomscerts-all rpm is deployed!!!

TROUBLESHOOTING: In case of failure, e.g. due to ssh issues, fix the ssh problem and then use ./sanctorum.py -putcrt

Add a host certificate (new host)

cd /home/fido/new_sanctorum
./sanctorum.py -a

Insert the username (usually root).
Insert the host name without the domain extension, i.e. prod-ce-03 and not prod-ce-03.pd.infn.it.
Once inserted, a mail will be sent to site admins.
Remember to sign the mail and send it to the local RA (Fulvia Costa and Massimo Gravino, remember to put grid-services-pd@lists.infn.it in CC).

Host deletion

cd /home/fido/new_sanctorum
./sanctorum.py -d

This command definitively removes the host from the database (no backup is made).

Copy a certificate to a host (not for a new certificate, for which auto_crt_upd.py SHOULD be used - step 3.)

./sanctorum.py -putcrt

Insert the host name.
Once inserted, the certificate will be copied to /etc/grid-security/ of the corresponding host.
