SINDES

From Begrid Wiki
Revision as of 09:12, 9 June 2021 by Maintenance script (talk | contribs) (Created page with " === Sindes Installation === *What is SINDES? You might want to read [https://twiki.cern.ch/twiki/pub/FIOgroup/SinDes/presentation-poulhies-27-sept-2005.pdf presentation on S...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Sindes Installation

  • What is SINDES? You might want to read presentation on SINDES to know what SINDES is.
    • we only use it for the certificate distribution/management part

Configuration step through guide

  • Use the cb-v5 yum repository (if not yet done, go here)
  • This should get everything else that's needed
  yum install SINDES-ca
  • edit /etc/sindes/ca.config, make sure to set O, OU and CN.
    • Is it possible that the CN of the CA can't be the machines FQDN because of conflict with the certificate for the webserver (which is not the CA certificate, but a certificate signed by the CA with the CN of the host of the webserver, being the same as the CA? ;)
    • eg (the CA after CN is not a typo)
 [ req_distinguished_name ]
 O                      = IIHE
 OU                     = GRID
 CN                     = Local BEgrid client CA
  • edit /etc/sindes/sindesrc: in [MISC], set correctly domain (and use it correctly in sindessh !)
  • Default validity of the certificates:
    • the current version of sindes-bootstrap-ca will generate a CA certificate with a 10 year lifetime. (if this is not ok for you, run grep 3650 /usr/sbin/sindes-bootstrap-ca and mofiy it there!)
    • The generated certificates also have a lifetime of 10 years. If this is not Ok for you, you can change the default lifetime in /etc/sindes/ca.config:
  default_days            = 3650
  • run "sindes-bootstrap-ca -a" to generate all certificates etc, check output carefully. This also generates a rpm with the CA certifiacte called eg SINDES-ca-certificate-<machine>-0.1-1.noarch.rpm
    • you need to provide a passphrase for the apache.key. If you do this, everytime you want to restart httpd, it will prompt for a passwd (see the Troubleshooting section to disable password)
    • Email the SINDES-ca-certificate-<machine>-0.1-1.noarch.rpm to begrid@belnet.be, so an administrator can upload it to the quattor-repository.
    • instructions on how to do it yourself
    • you can check the validity of the genereated certificates in /etc/sindes/cert by running
  openssl x509 -in /etc/sindes/certs/ca.crt -noout -text
  openssl x509 -in /etc/sindes/certs/apache.crt -noout -text
  • edit /etc/httpd/conf.d/sindes-ssl.conf:
    • make sure that the /var/www/https/profiles directory is not reachable by any other virtualhost (ie, if the DocumentRoot is unique, it shouldn't).
      • Replace DocumentRoot /var/www/html/https by DocumentRoot /var/www/https.
    • because we will use it only for certificate-management, some of the configuration it is already in ssl.conf, BUT we should use a new virtualhost (port 444) for sindes and profiles.
    • also, the rewrite rules should be made for the profile directory.
    • add this line in the beginning of the virtual host setting: (so after <virtualhost _default_:444>)
  HostnameLookups On
    • add the following lines at the end of the correct virtual host (the one running on port 444, the default sindes-ssl.config file also has a virtualhost on 445):
        #### BEGIN AII STUFF ####
        RewriteMap ACLmap txt:/var/www/acl/ACLmap.txt
        RewriteCond ${ACLmap:%{REMOTE_HOST}|NO} NO
        RewriteRule ^/profiles/.*$ /profiles/profile_%{REMOTE_HOST}.xml
 
        <Directory "/var/www/https/profiles">
        Options +Indexes
        SSLOptions +StdEnvVars
        SSLRequireSSL
        SSLVerifyClient require
        SSLOptions +StrictRequire
        SSLVerifyDepth 1
        SSLOptions +OptRenegotiate
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_HOST}
        </Directory>
        #### END AII STUFF ####
  • make ACLmap in /var/www/acl/ACLmap.txt. It's needed for aii-shellfe to avoid remapping. Replace <fqdn> by the actual fully qualified domain name of your machine.
  mkdir /var/www/acl/
  echo "$(hostname -f) YES" > /var/www/acl/ACLmap.txt
  • give correct premission to the /var/log/sindes repository:
  chown -R apache.apache /var/log/sindes
  • create the https directory:
  mkdir /var/www/https/
  • disable SElinux (if not already done)
    • check if the file /selinux/enforce exists
    • if not, then is SElinux disabled
    • if it exists, do
echo "echo 0 >  /selinux/enforce" >> /etc/rc.local
/etc/rc.local  
  service httpd restart


Useful commands

About the domain set in sindesrc: if you have machine called node20-1.wn.iihe.ac.be and you set the domain to iihe.ac.be, the target should be node20-1.wn

  • to use SINDES, switch to sindes user. It uses it's own special sindes shell
su - sindes
  • set timelimit of 1000s to target and grant the permission to retrieve it
  acl -set -length 1000 -grant -target node20-1.wn
  • give overview of status
  acl -print
  • give info about certificate
  cert -check -target node20-1.wn
  • revoke certificate
  cert -revoke -target node20-1.wn

Manual certificate revocation

(in case the cert -revoke doesn't work) The hard way is not very userfriendly, though it can be easily wrapped I think. You have to grep for a line starting with 'V' and containing your CN in your ca.db.index. You'll get something like:

   V 101215134729Z 02 unknown /O=CERN/OU=FIO-DS/CN=lxservb02.cern.ch
   ^^

Then, you know your certificate has serial '02' (hex), so you can run:

  /usr/bin/openssl ca -config /etc/sindes/ca.config -batch -revoke 
  /var/sindes/CA/ca/ca.db.certs/02.pem -crl_reason cessationOfOperation

Manual client installation

  • install SINDES-client and SINDES-ca-certificate-<machine> rpms:
  • configure /etc/sindes/get-cert.conf ( O and OU must match the ones in ca.config (use quotes!!); domain can be empty)
  # Https server
  HTTP_SEL="https://"
  HTTPS_SERVER="q3.iihe.ac.be"
  #domain name, to be removed from the hostname if it's a FQDN
  DOMAIN_NAME=""
  # Organisation and Unit:
  CRT_O="IIHE"
  CRT_OU="GRID"
  • run sindes-get-certificate

SINDES+AII

  • modify /etc/aii-shellfe.conf to make sure it is setup correctly
  cdburl = https://f.q.d.n:444/profiles
  cert_file = /etc/sindes/certs/apache.crt
  key_file = /etc/sindes/keys/apache.key
  ca_file = /etc/sindes/certs/ca.crt
  profile_prefix = profile_
  use_fqdn = 1
#comment
**TIP: use ca_dir instead of ca_file (in AII, ccm.conf and aii-shellfe.conf)
  • to install a new node, one now has to:
    • aii-shellfe --configure
    • aii-shellfe --install
    • you can already start the installation
    • set the acl with acl -set -length 1000 -grant -target

Renewal of CA cert

On the quattor client side:

  • remove all existing certificates issued (run this command only if you know what your are doing):
  sindes-bootstrap-ca -c
  • increase the RELEASE parameter in sindes-bootstrap-ca so it will create the new CA rpm with a different rpm version.
  • then generate new ones by looking at section Configuration step through guide
  • grant permission retrieve a new certificate
 su - sindes
 acl -set -grant -length 5000 -target nodeXXX.wn

On the every node side:

  • install the new CA certificate of the quattor client:
  rpm -Uvh http://quattor.begrid.be//begrid/swrep/noarch_sindes/SINDES-ca-certificate-q3-0.1-5.noarch.rpm
  • to avoid using globus version of openssl (gives -batch not found error):
  export PATH=/usr/bin/:$PATH
  • finally, renew the node certificate with:
  sindes-get-certificate -f

Troubleshooting

  • if you have troubles with sindes-get-certificate, login on the machine and first do
export DEBUG=1
 This will turn on the debug and will allow you to rerun the commands used.
    • most curl commands used by sindes run with curl -f -s for very silent running and failing. To debug, it's best to rerun them with curl -v
  • logfiles can be found in /var/log/httpd and /var/log/sindes
  • remove passwd from apache.key in /etc/sindes/keys
  cd /etc/sindes/keys;mv apache.key apache.key-2;openssl rsa -in apache.key-2 -out apache.key;chown apache.apache apache.key;chmod 400 apache.key; cd -
  • full cleanup: because high dependencies, best is to
    • backup config-files (ca.config, sindesrc and sindes-ssl.conf)
    • and run:
  rpm -e perl-SINDES-Shell-0.5-30 perl-SINDES-common-0.5-24 SINDES-Shell-bin-0.5-34 perl-SINDES-GetCertificate-0.9.99-1 SINDES-ca-0.9.99-2
  rm -Rf /etc/sindes /var/sindes
  yum install SINDES-ca
  • Make sure nslookup of the client fqdn works on the SINDES-server.
  • on the client: when a problem arises with ccm-fetch, use curl to see if profiles are fetchable:
  curl --cert /etc/sindes/certs/client_cert_key.pem --cacert /etc/sindes/certs/ca.crt <link to profile>
  • a direct route to sindes server (ie the DN in the apache.crt) is needed. Passing through a NAT-box first will make it fail. Therefore you need:
    • extra line in aii with explicit route BEFORE sindes-setup (don't forget to sleep!!)
    • hard route config in the profiles (or ccm-fetch will not work)
  • aii-installack.cgi failure:
    • add a "--use_fqdn " to aii-installack.cgi
    • aii-installack.cgi also needs a direct route to the cgi-server.
  • if more than one crt resides in the CA crt dir, run in that directory (get the Makefile.crt from /etc/httpd/ssl.crt)
  make -f Makefile.crt
  • When I wanted to renew the certificate of a workernode behind NAT, it failed when I run "sindes-get-certificate -f":
  ...
  Something went wrong while contacting CA (curl returned 22)
The error is because the WN connects to the quattor client via NAT instead of direct. I solved this by adding this in /etc/hosts:
192.168.10.4    gridy4.begrid.be

This is the private ip of our quattor client.


Links

  export CVSROOT=:pserver:anonymous@isscvs.cern.ch:/local/reps/fio
  cvs co fabric/SINDES


Template:TracNotice