
----
h1. Creating a Trust Fabric Certificate Authority
----
This guide explains how to install caGrid and create the trust fabric certificate authority as part of the installation of a new grid.
{warning:title=This Page is Part of a Multi-Page Set of Directions}
The instructions on this page are intended to be used as part of the instructions for installing a new grid that start on the [Grid Installation Guide|caGrid13:caGrid 1.3 Grid Installation Guide].
{warning}
{tip}All of the steps described on this page should be performed on the same host VM that will host the grid's master GTS.
{tip}
h2. Step 1: Install caGrid/GTS
In this step you download and install caGrid using the caGrid Installer. If you have already installed caGrid 1.3, proceed to the next step.
What immediately follows this paragraph is the standard set of instructions for installing caGrid. When you get to the part where the installer asks you to select a target grid, you can save some time by selecting _*No Target Grid*_ rather than the training grid that is suggested.
{include:caGrid13:Install caGrid Using the caGrid 1.3 Installer}
* The installer installs caGrid to the directory you specified during installation. From this point on we refer to this directory as *{_}CAGRID_HOME{_}*.
* You can find the GTS in the directory _CAGRID_HOME/projects/gts_; from this point on we refer to this directory as *{_}GTS_HOME{_}*.
* The GAARDS UI (user interface) for administrating the GTS is located in _CAGRID_HOME/projects/gaardsui_; from this point on we refer to this directory as *{_}GAARDS_UI_HOME{_}*.
----
h2. Step 2: Bootstrap the Trust Fabric
Deployments that leverage the GTS to maintain the trust fabric are effectively delegating their authentication responsibility to the GTS. Therefore it is imperative the GTS instance(s) can be trusted. In order for the GTS to be trusted it must run securely with a host credential (X.509 certificate and private key). It is critical that this host credential be issued by an authority that all parties in the deployment trust. This certificate authority will be the trust anchor of the entire trust fabric and will be the certificate authority that all parties trust in order to bootstrap the entire trust fabric.
It is *{_}EXTREMELY IMPORTANT{_}* that this certificate authority be highly secured. If it were to be compromised, parties trusting it could be convinced to trust certificate authorities that would not otherwise be trusted.
Although it is not required, we recommend that you use a separate certificate authority for issuing host credentials to GTS instance(s). For the purposes of this guide we create a certificate authority that we will use for issuing credentials to GTS instances.
To create a certificate authority please complete the following steps from a command line:
# Create a directory to contain the CA's certificate and key files. For the purposes of these directions, we will assume that this directory is {{/home/gridAdmin/certificates}}.
# Type {{{*}cd GTS_HOME{*}}}.
# Type {{{*}ant generateCA{*}}}.
# Enter the distinguished name (DN) for the CA. The name that you enter should follow the pattern\\
{{O=\[_GRID_NAME_\],OU=GTS,OU=Trust Fabric,CN=Trust Fabric CA}} \\
where \[_GRID_NAME_\] is the one-word name for your grid. For example, if the grid name is "abc", then the distinguished name should be
{{O=abc,OU=GTS,OU=Trust Fabric,CN=Trust Fabric CA}}
# Enter the number of days that the CA will be valid for (e.g. 3650).
# Enter a password which will be used to encrypt the CA's private key. Be sure to make a note of the password as it will be needed later.
{note}The password should be 13 characters long.{note}
# Enter a file to write the CA private key to. We will assume that you enter \\
{{/home/gridAdmin/certificates/trustca-key.pem}}
{warning:title=No White Space}Be careful not to enter any leading or trailing white space (blanks, tabs, ...){warning}
# Enter a file to write the CA certificate to. We will assume that you enter \\
{{/home/gridAdmin/certificates/trustca-cert.pem}}
Sample output from executing the above steps is shown below:
{noformat}ant generateCA
Buildfile: build.xml
setGlobus:
checkGlobus:
[echo] Globus: /home/gridAdmin/ext/ws-core-4.0.3
defineClasspaths:
defineExtendedClasspaths:
init:
checkValidate:
preInit:
configure:
[copy] Copying 1 file to /home/gridAdmin/releases/caGrid-1.3/projects/gts
postInit:
generateCA:
[input] Please enter the DN for the new CA (ex. O=osu,OU=bmi,CN=Some CA):
O=abc,OU=GTS,OU=Trust Fabric,CN=Trust Fabric CA
[input] Please enter the number of days the new CA will be valid for:
3650
[input] Please enter a password for the new CA:
LPM23sdf_en123
[input] Please enter a location to write the new CA's private key:
/home/gridAdmin/certificates/trustca-key.pem
[input] Please enter a location to write the new CA's certificate:
/home/gridAdmin/certificates/trustca-cert.pem
[java] Successfully created the CA certificate:
[java] O=abc,OU=GTS,OU=Trust Fabric,CN=Trust Fabric CA
[java] CA certificate valid till:
[java] Thu Feb 14 15:06:56 EST 2019
[java] CA private key written to:
[java] /home/gridAdmin/certificates/trustca-key.pem
[java] CA certificate written to:
[java] /home/gridAdmin/certificates/trustca-cert.pem
BUILD SUCCESSFUL
Total time: 1 minute 44 seconds
{noformat}
{tip}Be sure to note down the locations that your CA certificate and private key were written to; from this point forward we will refer to these locations as *{_}TRUST_CA_CERTIFICATE{_}* and *{_}TRUST_CA_KEY{_}* respectively. Also be sure to note down the password you entered for your private key. Finally, be sure to take note of the distinguished name or subject you entered for your CA; from this point forward we will refer to this as the *CA_SUBJECT*.
{tip}
Now that we have created a trust fabric certificate authority we can use it to issue host credentials for GTS instances. To create host credentials please complete the following steps from a command prompt (illustrated below):
# Type {{{*}cd GTS_HOME{*}}}.
# Type {{{*}ant createAndSignHostCertificate{*}}}.
# Enter the location of the CA's private key (TRUST_CA_KEY).
# Enter the password used to encrypt the CA's private key.
# Enter the location of the CA's certificate (TRUST_CA_CERTIFICATE).
# Enter the name of the host. For example, {{mastergts.abc.example.org}}.
{note}Use of the fully qualified hostname is highly recommended.{note}
# Enter the number of days that the host credentials should be valid for (e.g. 3620).
{note}The number of days entered must allow the host certificate to expire before the CA's certificate.{note}
# Enter a location to which to write the host private key. The location you enter should follow this pattern: \\
{{_*HOME*_}}/.cagrid/certificates/_hostName_-key.pem\\
where {{_*HOME*_}} is your home directory and {{_hostName_}} is the host name you entered previously. For example, if {{_*HOME*_}} is {{/home/gridAdmin}} and the host name is {{mastergts.abc.example.org}}, then you should enter \\
{{/home/gridAdmin/.cagrid/certificates/mastergts.abc.example.org-key.pem}}
# Enter a location to which to write the host certificate. The location you enter should follow this pattern: \\
{{_*HOME*_}}/.cagrid/certificates/_hostName_-cert.pem\\
where {{_*HOME*_}} is your home directory and {{_hostName_}} is the host name you entered previously. For example, if {{_*HOME*_}} is {{/home/gridAdmin}} and the host name is {{mastergts.abc.example.org}}, then you should enter \\
{{/home/gridAdmin/.cagrid/certificates/mastergts.abc.example.org-cert.pem}}
Sample output from executing the above steps is shown below:
{noformat}$ ant createAndSignHostCertificate
Buildfile: build.xml
setGlobus:
checkGlobus:
[echo] Globus: /home/gridAdmin/ws-core-4.0.3
defineClasspaths:
defineExtendedClasspaths:
init:
checkValidate:
preInit:
configure:
[copy] Copying 1 file to /home/gridAdmin/caGrid-1.3/projects/gts
postInit:
createAndSignHostCertificate:
[input] Please enter the location of the CA's private key:
/home/gridAdmin/certificates/trustca-key.pem
[input] Please enter the CA's password:
d3DM^si_1MBd
[input] Please enter the location of the CA's certificate:
/home/gridAdmin/certificates/trustca-cert.pem
[input] Please enter the Hostname [mastergts.abc.example.org]: [mastergts.abc.example.org]
llanowar
[input] Please enter the number of days the host certificate will be valid for:
1000
[input]Please enter a location to write the host key:
/home/gridAdmin/.cagrid/certificates/mastergts.abc.example.org-key.pem
[input] Please enter a location to write the host certificate:
/home/gridAdmin/.cagrid/certificates/mastergts.abc.example.org-cert.pem
[java] Successfully created the host certificate:
[java] O=abc,OU=GTS,OU=Trust Fabric,CN=host/mastergts.abc.example.org
[java] Host certificate issued by:
[java] O=caGrid,OU=GTS Example,OU=Trust Fabric,CN=Trust Fabric CA
[java] Host certificate valid till:
[java] Sun Nov 13 15:42:32 EST 2011
[java] Host private key written to:
[java] /home/gridAdmin/.cagrid/certificates/mastergts.abc.example.org-key.pem
[java] Host certificate written to:
[java] /home/gridAdmin/.cagrid/certificates/mastergts.abc.example.org-cert.pem
BUILD SUCCESSFUL
Total time: 1 minute 44 seconds
{noformat}
Make a copy of the directory that contains the host certificate and key files. You will need this copy to restore the files if they are corrupted.
{tip}Note down the location to which the host certificate and private key were written. You will need these later to configure your container.
Also be sure to note the location of the copied directory.
{tip}
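The two properties the steps above rely on, that the host credential chains to the trust fabric CA and that it expires no later than the CA certificate, are worth checking before the container is configured. The following Go program is an added example and is not part of the GTS tooling: it uses only Go's standard library to build a trust fabric CA and a host credential in memory (RSA keys, no PEM files or passwords) following the DN pattern of these steps, then runs that check. The names {{issue}}, {{BuildTrustFabric}} and {{CheckHostCert}} are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: the builders panic on failure, CheckHostCert returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a key pair and a certificate in this page's DN pattern (O=<grid>,OU=GTS,OU=Trust Fabric,CN=<cn>).
func issue(serial int64, grid, cn string, days int, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, now := must(rsa.GenerateKey(rand.Reader, 2048)), time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.AddDate(0, 0, days),
		Subject: pkix.Name{Organization: []string{grid}, OrganizationalUnit: []string{"GTS", "Trust Fabric"}, CommonName: cn}}
	if parent == nil { // no parent: this is the self-signed trust fabric CA, signed with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, parent, signer = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildTrustFabric does in memory what `ant generateCA` and then `ant createAndSignHostCertificate` do on disk.
func BuildTrustFabric(grid, fqdn string, caDays, hostDays int) (ca, host *x509.Certificate) {
	ca, caKey := issue(1, grid, "Trust Fabric CA", caDays, nil, nil)
	host, _ = issue(2, grid, "host/"+fqdn, hostDays, ca, caKey)
	return ca, host
}

// CheckHostCert: the host credential must chain to the trust fabric CA and must expire no later than the CA does.
func CheckHostCert(ca, host *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := host.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("host certificate does not chain to the trust fabric CA: %w", err)
	}
	if host.NotAfter.After(ca.NotAfter) {
		return fmt.Errorf("host certificate (valid till %s) outlives the CA (valid till %s)", host.NotAfter, ca.NotAfter)
	}
	return nil
}
```

On a real deployment the same two checks can be made against the PEM files written by the ant targets (TRUST_CA_CERTIFICATE and the host certificate) by parsing them with {{x509.ParseCertificate}} instead of calling {{BuildTrustFabric}}.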