This involves downloading the template describing the list of CA-related RPMs to install (each trusted CA is described with a separate RPM) and downloading the associated RPMs.

The list of trusted certification authorities (CA), also known as the ''CA trust policy'', is made of 2 components:
 * The template describing the CA trust policy
 * The RPMs providing the information about each trusted CA

Both are normally maintained centrally by a grid organization, for example EGI or a specific NGI. '''They are updated regularly and each update needs to be deployed in a timely fashion on every site.'''

The [source:templates/trunk/grid/glite-3.2/common/security/ca-policy-egi-core.tpl EGI default policy] is provided in QWG templates. This template is '''maintained by EGI''' and new versions are announced through EGI broadcast. At the time of this writing (10/2/2011), the official source is http://egi-igtf.ndpf.info/distribution/egi/current/meta/ca-policy-egi-core.tpl but check the precise URL given in the announcement.

In addition to downloading the template, it is necessary to download the new CA RPMs from the location indicated in the announcement. In QWG templates, these RPMs are generally stored in a specific RPM repository for easier management. It is good practice to rename the corresponding directory, create a new empty one with the same name and download the new RPMs into it. For example, for CA 1.38 (replace the directory in the example by the directory corresponding to your CA RPM repository):
{{{
cd /your/scdb/top/level/dir
mv /www/htdocs/packages/ca /www/htdocs/packages/ca.old
mkdir /www/htdocs/packages/ca
# Use the URL mentioned in the announcement
utils/misc/rpmUpdate /www/htdocs/packages/ca http://repository.egi.eu/sw/production/cas/1/current/RPMS/
}}}

To retrieve the RPMs, you can use as a source either the URL in the EGEE announcement or the GRIF copy available at https://quattorsrv.lal.in2p3.fr/packages/ca. The easiest way to retrieve the RPMs is, from the main SCDB directory:
{{{
mkdir /dir/to/packages/ca-xxx   # Replace xxx by the version number
src/utils/misc/rpmUpdates /dir/to/packages/ca-xxx Source_URL   # Ignore the very verbose output
rm /dir/to/packages/ca          # Or whatever your current symlink to the CA repository is
ln -s /dir/to/packages/ca-xxx /dir/to/packages/ca
}}}

''Note: if you define the directory for the CA RPMs with a symlink, ensure your Apache configuration allows the use of symlinks. For this, the option `FollowSymLinks` must be enabled for the corresponding directory with something like the following in your Apache configuration:''

As an alternative to renaming the CA repository, you may have one directory per version of the CA trust policy (e.g. `ca-1.37`, `ca-1.38`, ...) and define a symlink (e.g. `ca`) pointing to the version currently in production. This may reduce the risk of mistakes. In this case, ensure your Apache configuration allows the use of symlinks for the URL/directory corresponding to the symlink. You may need to update your Apache configuration with something like:
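The one-directory-per-version scheme above, as an added shell example that is not part of the QWG page or of SCDB: it publishes a downloaded CA trust policy version by repointing the `ca` symlink, but only after checking that the version directory exists and actually holds RPMs (i.e. the download completed) and that `ca` is not a real directory left over from the rename-based scheme. The base directory, the version numbers and the file names in the comments are assumptions; downloading into `ca-<version>` is done beforehand with rpmUpdates as described on the page.

```shell
#!/bin/sh
# Added example (not from the QWG page or SCDB): publish one version of the
# CA trust policy RPMs by repointing the "ca" symlink that Apache serves.
# Layout assumed (as on the page): BASE/ca-1.37, BASE/ca-1.38, ... and
# BASE/ca -> ca-<version in production>.

# switch_ca_repo BASE VERSION
# Refuses to publish when BASE/ca-VERSION is missing or contains no RPMs
# (incomplete download), or when BASE/ca is a real directory rather than a
# symlink. Returns 0 on success, 1 otherwise, leaving "ca" untouched on error.
switch_ca_repo() {
    base=$1
    version=$2
    target="$base/ca-$version"
    link="$base/ca"

    if [ ! -d "$target" ]; then
        echo "switch_ca_repo: $target does not exist" >&2
        return 1
    fi
    # The glob does not match (and ls fails) when no RPM was downloaded.
    if ! ls "$target"/*.rpm >/dev/null 2>&1; then
        echo "switch_ca_repo: no RPM files in $target, not publishing" >&2
        return 1
    fi
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "switch_ca_repo: $link is a directory, not a symlink; move it aside first" >&2
        return 1
    fi
    # Relative target so the link stays valid if BASE is moved or mounted
    # elsewhere; -n keeps ln from descending into the old link's directory.
    ln -sfn "ca-$version" "$link" || return 1
    echo "switch_ca_repo: $link -> ca-$version"
}

# current_ca_version BASE
# Prints the version currently published, or fails if "ca" is not a symlink
# of the form ca-<version>.
current_ca_version() {
    link="$1/ca"
    [ -L "$link" ] || return 1
    dest=$(readlink "$link")
    case "$dest" in
        ca-*) printf '%s\n' "${dest#ca-}" ;;
        *) return 1 ;;
    esac
}

# Typical use (paths are assumptions):
#   switch_ca_repo /www/htdocs/packages 1.38     # publish 1.38
#   switch_ca_repo /www/htdocs/packages 1.37     # roll back to 1.37
```

Rolling back is the same call with the previous version number, which is the practical advantage over the rename-based scheme. Before publishing, it is also worth verifying the downloaded packages' signatures (`rpm -K`) against the signing key distributed with the release, since these RPMs define which CAs every host on the site will trust.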