A much better approach, especially since you are at Argonne, is to
request a host cert from a CA recognized by the International Grid
Trust Federation (IGTF):
http://gridpma.org
As a DOE-funded lab you would probably get yours from the DOEGrids CA:
http://www.doegrids.org
although there are also other options available to you.
The advantage of this approach is that your service will be able to
authenticate mutually with IGTF-accredited users and hosts, including
those of essentially all large grid projects (LHC Computing Grid,
Open Science Grid, PRAGMA, Teragrid in most cases, etc.). The IGTF
dedicates itself to providing authentication profiles and to
reviewing and accrediting CAs to these profiles for CAs used by such
projects. Tools for installation and maintenance of the CA
information for requesting, evaluating and using the certificates
from these CAs are also available and are included in many grid
middleware distributions.
Please write if you have further questions.
Alan
On Aug 10, 2007, at 4:05 PM, Charles Bacon wrote:
Okay. If you're not using the hostcert for globus stuff, you could
probably just use -cn and -nopw to get exactly the subject you want
on a cert with no passphrase on the key.
Charles
On Aug 10, 2007, at 4:00 PM, Dinanath Sulakhe wrote:
Following are the quotes of the error when I am testing it using
curl command:
lucky0:/homes/sulakhe/apache/conf> curl -v --cert $HOME/.globus/usercert.pem --key $HOME/.globus/userkey.pem --capath $GLOBUS_LOCATION/share/certificates https://lucky0.mcs.anl.gov
* About to connect() to lucky0.mcs.anl.gov port 443
* Connected to lucky0.mcs.anl.gov (140.221.36.30) port 443
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
CApath: /homes/sulakhe/globus/share/certificates
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: /O=Grid/OU=GlobusTest/OU=simpleCA-lucky0.mcs.anl.gov/CN=host/lucky0.mcs.anl.gov
* start date: 2007-07-30 18:14:31 GMT
* expire date: 2008-07-29 18:14:31 GMT
* SSL: certificate subject name 'host/lucky0.mcs.anl.gov' does not match target host name 'lucky0.mcs.anl.gov'
* Closing connection #0
curl: (51) SSL: certificate subject name 'host/lucky0.mcs.anl.gov' does not match target host name 'lucky0.mcs.anl.gov'
On Aug 10, 2007, at 3:38 PM, Charles Bacon wrote:
Actual quotes of the error message are typically useful in this
situation.
-c
On Aug 10, 2007, at 3:34 PM, Dinanath Sulakhe wrote:
I am using this hostcert with an apache instance for
authentication and it was failing. I was getting an error
message saying the hostname doesn't match.
-Dina
On Aug 10, 2007, at 2:13 PM, Joseph Bester wrote:
On Aug 10, 2007, at 2:21 PM, Dinanath Sulakhe wrote:
Hi,
I am doing some testing on lucky cluster and I ran into a
problem while using simple CA. When I generated a host
certificate for lucky0:
grid-cert-request -host lucky0.mcs.anl.gov
the Subject line in the generated cert looks something like this:
Subject: O=Grid, OU=GlobusTest, OU=simpleCA-lucky0.mcs.anl.gov, OU=mcs.anl.gov, CN=host/lucky0.mcs.anl.gov
It adds "host" before the hostname for the CN, and I had
authentication problems because of this. Is this default
behavior intentional or do you guys think it should only have
hostname without "host/"? I could change this behavior by
explicitly adding the CN flag while generating the host cert:
That is normal, and should be handled fine by clients which are
using host-based authorization. Did you have an app that wasn't
working because of this name?
joe
Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
: Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 :
: e-mail: [EMAIL PROTECTED] ph. 806-742-4350 fax 806-742-4358 :
====================================================================
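
The mismatch discussed in this thread, as an added example (not code from the thread, from Globus or from curl): it parses the one-line subject that curl printed and compares a strict CN-equals-hostname check with a host-based check that tolerates a "host/" service prefix. The function names, the prefix-stripping rule and the second, constructed subject are assumptions; subjectAltName and wildcard handling are left out.

```python
import re

# An attribute starts at "/" followed by "TYPE=". A plain split on "/"
# would cut the CN "host/lucky0.mcs.anl.gov" in two.
_RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# Subject exactly as shown in the curl output in this thread.
PAGE_SUBJECT = ("/O=Grid/OU=GlobusTest/OU=simpleCA-lucky0.mcs.anl.gov"
                "/CN=host/lucky0.mcs.anl.gov")
# Constructed sample: the same subject with a CN that is only the host name.
PLAIN_SUBJECT = ("/O=Grid/OU=GlobusTest/OU=simpleCA-lucky0.mcs.anl.gov"
                 "/CN=lucky0.mcs.anl.gov")


def parse_oneline_subject(subject):
    """Return [(type, value), ...] from a '/O=.../CN=...' subject string."""
    rdns = []
    for part in _RDN_START.split(subject):
        if part:
            key, _, value = part.partition("=")
            rdns.append((key, value))
    return rdns


def common_name(subject):
    """Return the last CN value in the subject, or None if there is none."""
    cns = [v for k, v in parse_oneline_subject(subject) if k.upper() == "CN"]
    return cns[-1] if cns else None


def https_cn_matches(subject, hostname):
    """Strict check, as in the curl error: the CN must equal the host name."""
    cn = common_name(subject)
    return cn is not None and cn.lower() == hostname.lower()


def host_based_matches(subject, hostname, services=("host",)):
    """Assumed host-based rule: also accept 'CN=<service>/<hostname>'."""
    cn = common_name(subject)
    if cn is None:
        return False
    service, sep, name = cn.partition("/")
    if sep and service in services:
        cn = name  # drop the service prefix before comparing
    return cn.lower() == hostname.lower()
```
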