 * Setup instructions based on those at BeGrid [http://quattor.begrid.be/trac/centralised-begrid-v4/wiki/SINDES]

== Sindes Installation ==
 * What is SINDES? You might want to read the [https://twiki.cern.ch/twiki/pub/FIOgroup/SinDes/presentation-poulhies-27-sept-2005.pdf presentation on SINDES] to learn what SINDES is.
 * We only use it for the certificate distribution/management part.
=== Configuration step through guide ===
 * Use the cb-v5 yum repository (if not yet done, go [https://quattor.begrid.be/trac/centralised-begrid-v5/wiki/BEgridClient#AII here]).
 * This should pull in everything else that's needed:

{{{
yum install SINDES-ca
}}}

 * Edit /etc/sindes/ca.config, making sure to set O, OU and CN.
   * Is it possible that the CN of the CA can't be the machine's FQDN, because it would conflict with the certificate for the webserver (which is not the CA certificate, but a certificate signed by the CA, with the CN of the webserver host, which is the same machine as the CA)? ;)
   * e.g. (the "CA" after CN is not a typo):

{{{
[ req_distinguished_name ]
O = IIHE
OU = GRID
CN = Local BEgrid client CA
}}}

 * Edit /etc/sindes/sindesrc: in [MISC], set the domain correctly (and use it correctly in sindessh!).
 * Default validity of the certificates:
   * The current version of sindes-bootstrap-ca generates a CA certificate with a 10 year lifetime. If this is not OK for you, run '''grep 3650 /usr/sbin/sindes-bootstrap-ca''' and modify it there!
   * The generated certificates also have a lifetime of 10 years. If this is not OK for you, change the default lifetime in /etc/sindes/ca.config:
{{{
default_days = 3650
}}}

 * Run "sindes-bootstrap-ca -a" to generate all certificates etc.; check the output carefully. This also generates an rpm with the CA certificate, called e.g. SINDES-ca-certificate-<machine>-0.1-1.noarch.rpm.
   * You need to provide a passphrase for the apache.key. If you do, every time you restart httpd it will prompt for the password (see the [wiki:SINDES#Troubleshooting Troubleshooting] section to remove the password).
 * Email the SINDES-ca-certificate-<machine>-0.1-1.noarch.rpm to begrid@belnet.be, so an administrator can upload it to the quattor repository.
   * [http://quattor.begrid.be/trac/centralised-begrid-v5/wiki/BEgridClient#Optional:SetupaccesstoBEgridSWREPrepository Instructions on how to do it yourself]
 * You can check the validity of the generated certificates in /etc/sindes/certs by running:
{{{
openssl x509 -in /etc/sindes/certs/ca.crt -noout -text
openssl x509 -in /etc/sindes/certs/apache.crt -noout -text
}}}

 * Edit /etc/httpd/conf.d/sindes-ssl.conf:
   * Make sure that the /var/www/https/profiles directory is not reachable by any other virtualhost (i.e. if the {{{DocumentRoot}}} is unique, it shouldn't be).
   * Replace ''{{{DocumentRoot /var/www/html/https}}}'' by ''{{{DocumentRoot /var/www/https}}}''.
   * Because we will use it only for certificate management, some of the configuration is already in ssl.conf, BUT we should use a new virtualhost (port 444) for sindes and profiles.
   * Also, the rewrite rules should be made for the profile directory.
   * Add this line at the beginning of the virtual host setting (so right after <virtualhost _default_:444>):
{{{
HostnameLookups On
}}}

   * Add the following lines at the end of the correct virtual host (the one running on port 444; the default sindes-ssl.conf file also has a virtualhost on 445):

{{{
#### BEGIN AII STUFF ####
RewriteMap ACLmap txt:/var/www/acl/ACLmap.txt
RewriteCond ${ACLmap:%{REMOTE_HOST}|NO} NO
RewriteRule ^/profiles/.*$ /profiles/profile_%{REMOTE_HOST}.xml

<Directory "/var/www/https/profiles">
Options +Indexes
SSLOptions +StdEnvVars
SSLRequireSSL
SSLVerifyClient require
SSLOptions +StrictRequire
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_HOST}
</Directory>
#### END AII STUFF ####
}}}

 * Make the ACLmap in /var/www/acl/ACLmap.txt. It's needed for aii-shellfe to avoid remapping. Replace <fqdn> by the actual fully qualified domain name of your machine; the commands below do this with hostname -f:

{{{
mkdir /var/www/acl/
echo "$(hostname -f) YES" > /var/www/acl/ACLmap.txt
}}}
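To see what the rewrite rules and the <Directory> block above actually enforce, here is a small shell emulation of the access decision. It is an added example, not code from the SINDES page or project: the ACLmap content is constructed, and the RewriteCond test against NO is treated as an exact match. It shows that a node not listed in the ACLmap is pinned to its own profile whatever it asks for, that the server host (listed YES) is not rewritten, and that the client certificate CN has to equal REMOTE_HOST, which is the reverse-DNS name (hence HostnameLookups On and a working nslookup of the client).

```shell
#!/bin/sh
# Added illustration of the access decision the Apache rules above encode.
# Not part of SINDES; the ACLmap content used is constructed for this example.
#
# Model of the rules:
#   RewriteCond ${ACLmap:%{REMOTE_HOST}|NO} NO   -> hosts missing from the map
#   RewriteRule ^/profiles/.*$ /profiles/profile_%{REMOTE_HOST}.xml
#                                               get pinned to their own profile
#   SSLVerifyClient require + SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_HOST}
#                                               -> client cert CN must equal
#                                                  the reverse-DNS name
# Because REMOTE_HOST comes from reverse DNS (HostnameLookups On), a client
# whose PTR record is missing or wrong is denied even with a valid certificate.

# acl_lookup MAPFILE HOST: value for HOST in a txt RewriteMap, or NO if absent
# (lines starting with # are comments, as in Apache's txt maps)
acl_lookup() {
    awk -v h="$2" '
        $1 !~ /^#/ && $1 == h { print $2; found = 1; exit }
        END { if (!found) print "NO" }' "$1"
}

# profile_decision MAPFILE REMOTE_HOST CLIENT_CN REQUEST_PATH
# Prints "deny" or "allow <path actually served>".
profile_decision() {
    map=$1
    remote_host=$2
    client_cn=$3
    path=$4

    # No client certificate, or CN != REMOTE_HOST: the <Directory> block denies.
    if [ -z "$client_cn" ] || [ "$client_cn" != "$remote_host" ]; then
        echo deny
        return 0
    fi

    # Hosts that are not YES in the ACLmap are rewritten to their own profile,
    # whatever profile they asked for; the server itself (listed YES) is not.
    if [ "$(acl_lookup "$map" "$remote_host")" = "NO" ]; then
        case $path in
            /profiles/*) path="/profiles/profile_${remote_host}.xml" ;;
        esac
    fi
    echo "allow $path"
}

# make_sample_aclmap: writes a constructed ACLmap (the server host only) to a
# temporary file and prints its name
make_sample_aclmap() {
    f=$(mktemp)
    printf '# constructed sample ACLmap\nq3.iihe.ac.be YES\n' > "$f"
    printf '%s\n' "$f"
}

# Usage (not run here):
#   m=$(make_sample_aclmap)
#   profile_decision "$m" node20-1.wn.iihe.ac.be node20-1.wn.iihe.ac.be \
#       /profiles/profile_node20-2.wn.iihe.ac.be.xml
#   -> allow /profiles/profile_node20-1.wn.iihe.ac.be.xml
```

The last case in the usage comment is the important one: a node requesting another node's profile simply receives its own, so the per-node profile isolation does not depend on the node behaving.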

 * Give correct permissions to the /var/log/sindes directory:

{{{
chown -R apache.apache /var/log/sindes
}}}

 * Create the https directory:

{{{
mkdir /var/www/https/
}}}

 * Disable SELinux (if not already done):
   * Check if the file '''/selinux/enforce''' exists.
   * If not, SELinux is disabled.
   * If it exists, do:
{{{
echo "echo 0 > /selinux/enforce" >> /etc/rc.local
/etc/rc.local
}}}

 * Restart httpd (it will prompt for the password; to get rid of this, see [http://quattor.begrid.be/trac/centralised-begrid-v5/wiki/SINDES#Troubleshooting remove passwd from apache.key in /etc/sindes/keys]):

{{{
service httpd restart
}}}


=== Useful commands ===
'''About the domain set in sindesrc: if you have a machine called node20-1.wn.iihe.ac.be and you set the domain to iihe.ac.be, the target should be node20-1.wn.'''
 * To use SINDES, switch to the {{{sindes}}} user. It uses its own special sindes shell:
{{{
su - sindes
}}}
 * Set a time limit of 1000 s on the target and grant it permission to retrieve its certificate:

{{{
acl -set -length 1000 -grant -target node20-1.wn
}}}

 * Give an overview of the status:

{{{
acl -print
}}}

 * Give info about a certificate:

{{{
cert -check -target node20-1.wn
}}}

 * Revoke a certificate:

{{{
cert -revoke -target node20-1.wn
}}}

==== Manual certificate revocation ====
(in case cert -revoke doesn't work)
The hard way is not very user-friendly, though it can be easily wrapped, I think.
You have to grep for a line starting with 'V' and containing your CN in your ca.db.index. You'll get something like:

{{{
V 101215134729Z 02 unknown /O=CERN/OU=FIO-DS/CN=lxservb02.cern.ch
                ^^
}}}

Then you know your certificate has serial '02' (hex), so you can run:

{{{
/usr/bin/openssl ca -config /etc/sindes/ca.config -batch -revoke \
  /var/sindes/CA/ca/ca.db.certs/02.pem -crl_reason cessationOfOperation
}}}
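The "wrapping" mentioned above can be done with a short shell helper; the one below is an added example, not part of SINDES. It assumes the ca.db.index has OpenSSL's standard index layout (tab-separated: status, expiry, revocation date, serial, file name, subject DN) and that the index lives at /var/sindes/CA/ca/ca.db.index next to the ca.db.certs directory named in the command above (assumed path). The index content it is tested against is constructed. Unlike a plain grep for the CN, it skips entries already revoked (status R) and requires the CN to match exactly, so a host whose name merely contains yours cannot be picked by mistake; the revocation command is printed rather than executed so it can be checked first.

```shell
#!/bin/sh
# Added helper for the manual revocation step above. Not part of SINDES;
# the index content below is constructed for this example. Assumes the CA
# index has OpenSSL's standard layout: tab-separated fields
#   status (V/R/E), expiry, revocation date (empty unless revoked),
#   serial (hex), certificate file name, subject DN
# which is what the ca.db.index used with 'openssl ca' contains.

# serial_for_cn INDEX CN
# Prints the serial of the *valid* (status V) entry whose subject CN is
# exactly CN. A grep for the CN alone would also match revoked entries and
# hosts whose name merely contains the CN, so both are filtered out here.
serial_for_cn() {
    serial=$(awk -F '\t' -v cn="$2" '
        $1 == "V" {
            n = split($NF, part, "/")          # the DN is the last field
            for (i = 1; i <= n; i++) {
                if (part[i] == "CN=" cn) { print $4; exit }
            }
        }' "$1")
    if [ -n "$serial" ]; then
        printf '%s\n' "$serial"
    else
        return 1
    fi
}

# revoke_command INDEX CN
# Prints the openssl ca revocation command from the page for the serial found
# (printed, not executed, so it can be checked before use).
revoke_command() {
    s=$(serial_for_cn "$1" "$2") || return 1
    printf '%s\n' "/usr/bin/openssl ca -config /etc/sindes/ca.config -batch -revoke /var/sindes/CA/ca/ca.db.certs/$s.pem -crl_reason cessationOfOperation"
}

# make_sample_index: constructed index with a revoked and a reissued cert for
# one host plus a second host whose name contains the first; prints the path
make_sample_index() {
    f=$(mktemp)
    {
        printf 'R\t101215134729Z\t091001120000Z,cessationOfOperation\t01\tunknown\t/O=CERN/OU=FIO-DS/CN=lxservb02.cern.ch\n'
        printf 'V\t101215134729Z\t\t02\tunknown\t/O=CERN/OU=FIO-DS/CN=lxservb02.cern.ch\n'
        printf 'V\t111215134729Z\t\t03\tunknown\t/O=CERN/OU=FIO-DS/CN=lxservb02.cern.ch.example\n'
    } > "$f"
    printf '%s\n' "$f"
}

# Usage (not run here), with the assumed index path on a SINDES server:
#   serial_for_cn /var/sindes/CA/ca/ca.db.index lxservb02.cern.ch   -> 02
#   revoke_command /var/sindes/CA/ca/ca.db.index lxservb02.cern.ch | sh
```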

=== Manual client installation ===
 * Install the SINDES-client and SINDES-ca-certificate-<machine> rpms.
 * Configure /etc/sindes/get-cert.conf (O and OU must match the ones in ca.config (use quotes!!); domain can be empty):

{{{
# Https server
HTTP_SEL="https://"
HTTPS_SERVER="q3.iihe.ac.be"
# domain name, to be removed from the hostname if it's a FQDN
DOMAIN_NAME=""
# Organisation and Unit:
CRT_O="IIHE"
CRT_OU="GRID"
}}}

 * Run sindes-get-certificate.
=== SINDES+AII ===
 * Modify /etc/aii-shellfe.conf to make sure it is set up correctly:
{{{
cdburl = https://f.q.d.n:444/profiles
cert_file = /etc/sindes/certs/apache.crt
key_file = /etc/sindes/keys/apache.key
ca_file = /etc/sindes/certs/ca.crt
profile_prefix = profile_
use_fqdn = 1
}}}

{{{
#!comment
 * TIP: use ca_dir instead of ca_file (in AII, ccm.conf and aii-shellfe.conf)
}}}
 * To install a new node, one now has to:
   * aii-shellfe --configure
   * aii-shellfe --install
   * You can already start the installation.
   * Set the acl with acl -set -length 1000 -grant -target

==== Renewal of CA cert ====
'''On the quattor client side:'''
 * Remove all existing issued certificates (run this command only if you know what you are doing):

{{{
sindes-bootstrap-ca -c
}}}
 * Increase the {{{RELEASE}}} parameter in {{{sindes-bootstrap-ca}}} so it will create the new CA rpm with a different rpm version.
 * Then generate new ones, following the section [wiki:SINDES#Configurationstepthroughguide Configuration step through guide].
 * Grant permission to retrieve a new certificate:

{{{
su - sindes
acl -set -grant -length 5000 -target nodeXXX.wn
}}}

'''On every node's side:'''
 * Install the new CA certificate of the quattor client:

{{{
rpm -Uvh http://quattor.begrid.be//begrid/swrep/noarch_sindes/SINDES-ca-certificate-q3-0.1-5.noarch.rpm
}}}

 * To avoid using the globus version of openssl (which gives a "-batch not found" error):

{{{
export PATH=/usr/bin/:$PATH
}}}

 * Finally, renew the node certificate with:

{{{
sindes-get-certificate -f
}}}

==== Troubleshooting ====
 * If you have trouble with {{{sindes-get-certificate}}}, log in on the machine and first do:
{{{
export DEBUG=1
}}}
 This turns on debugging and lets you rerun the commands used.
 * Most curl commands used by sindes run with {{{curl -f -s}}}, which runs and fails very silently. To debug, it's best to rerun them with {{{curl -v}}}.
 * Logfiles can be found in /var/log/httpd and /var/log/sindes.
 * Remove the password from apache.key in /etc/sindes/keys:

{{{
cd /etc/sindes/keys
mv apache.key apache.key-2
openssl rsa -in apache.key-2 -out apache.key
chown apache.apache apache.key
chmod 400 apache.key
cd -
}}}

 * Full cleanup: because of the many dependencies, it's best to
   * back up the config files (ca.config, sindesrc and sindes-ssl.conf)
   * and run:

{{{
rpm -e perl-SINDES-Shell-0.5-30 perl-SINDES-common-0.5-24 SINDES-Shell-bin-0.5-34 perl-SINDES-GetCertificate-0.9.99-1 SINDES-ca-0.9.99-2
rm -Rf /etc/sindes /var/sindes
yum install SINDES-ca
}}}

 * Make sure nslookup of the client FQDN works on the SINDES server.
 * On the client: when a problem arises with ccm-fetch, use curl to see if profiles are fetchable:

{{{
curl --cert /etc/sindes/certs/client_cert_key.pem --cacert /etc/sindes/certs/ca.crt <link to profile>
}}}

 * A direct route to the sindes server (i.e. the DN in apache.crt) is needed. Passing through a NAT box first will make it fail. Therefore you need:
   * an extra line in aii with an explicit route BEFORE sindes-setup (don't forget to sleep!!)
   * a hard route config in the profiles (or ccm-fetch will not work)
 * aii-installack.cgi failure:
   * add "--use_fqdn" to aii-installack.cgi
   * aii-installack.cgi also needs a direct route to the cgi server.
 * If more than one crt resides in the CA crt dir, run in that directory (get the {{{Makefile.crt}}} from {{{/etc/httpd/ssl.crt}}}):
{{{
make -f Makefile.crt
}}}

 * When I wanted to renew the certificate of a workernode behind NAT, it failed when I ran "sindes-get-certificate -f":
{{{
...
Something went wrong while contacting CA (curl returned 22)
}}}
 The error is because the WN connects to the quattor client via NAT instead of directly. I solved this by adding this to /etc/hosts:
{{{
192.168.10.4 gridy4.begrid.be
}}}
 This is the private IP of our quattor client.


=== Links ===
 * Wiki pages [https://twiki.cern.ch/twiki/bin/view/FIOgroup/SinDes]
 * CVS access:

{{{
export CVSROOT=:pserver:anonymous@isscvs.cern.ch:/local/reps/fio
cvs co fabric/SINDES
}}}