List of host certificates
To keep track of the host certificates for all the grid gateways I administer, I have decided to put them together in a single table to see the due dates for renewing the certificates. This is the list of certificates for Canterbury (with Otago to follow). I encourage other grid admins within BeSTGRID to create a similar table for their systems.
Canterbury Grid Gateway: Current certificates
| Host | Purpose | Expires | Action (+ reason) |
|---|---|---|---|
| hpcgrid1 | IBM p520 - GridFTP server for HPC | 2009-02-12 | Renew - production service |
| grid | User client tools | 2009-04-07 | Renew - may be useful |
| gridgwtest | Testing grid sw | 2009-04-07 | Renew - may be useful |
| myproxy | MyProxy server | 2009-04-07 | Configured, keep renewing certificates |
| ng2dev | ng2 development | 2009-04-07 | Renew |
| ng2hpcdev | ng2hpc development | 2009-04-07 | Renew |
| ng2sge | SGE cluster Ng2 gateway | 2009-04-07 | Renew - production service |
| ng2hpc | HPC cluster Ng2 gateway | 2009-04-07 | Renew - production service |
| ngdata | SRB | 2009-10-29 | Renew when needed |
| nggums | GUMS authentication server | 2009-04-07 | Renew - production service |
| ngportal | GridSphere portal | 2009-04-07 | Renew - production service |
| ngportaldev | GridSphere development portal | 2009-04-07 | Renew - may be useful |
| ng2 | Ng2 gateway (GT4) for NGCompute | 2009-08-07 | Renew when needed - production service |
| ngportal | ipsCA frontend certificate | 2010-08-07 | Renew when needed |
| ngportaldev | ipsCA frontend certificate | 2010-08-07 | Renew when needed |
| nggums | ipsCA frontend certificate | 2010-08-07 | Renew when needed |
| srb | ipsCA frontend certificate (for DAVIS) | 2010-12-04 | Renew when needed |
Action items:
- Revisit this list by February 2009 (hpcgrid1 would expire)
Items done:
- GUMS: switch to a more recent certificate
- Request certificates to be reissued.
- Note that all certificates should be renewed without a "host/" prefix, and in the /C=NZ/O=BeSTGRID namespace.
- For ng2 gateway, ask for new name to be added to the MDS gridmap file
- Ng2: ask for MDS mapping, switch to NZ certificate (more recent) Due: April 23, 2008
- Reissue: grid gridgwtest myproxy Due: April 23, 2008
- Reissue: ngportal ngportaldev nggums ng2hpc ng2sge (AU namespace, due June-August)
- Revisit this list by September 2008 (ng2 would expire)
- Notes:
  - Request host certificates with a script based on the ARCS HostCertificates request guidelines:

        root@ucgridgw:~/hostcerts# ./bestgrid-cert-request.sh ~/hostcerts-renew2008/nggums nggums.canterbury.ac.nz vladimir.mencl@canterbury.ac.nz

  - The script invokes openssl req, with a config based on APACGrid CA's ssl.conf.
Canterbury Grid Gateway: Past certificates
| Host | Purpose | Ser.# | Issued | Expires | Action (+ reason) | Distinguished Name |
|---|---|---|---|---|---|---|
| ucgridgw | Xen host OS | 522 | 2007-03-21 | 2008-03-20 | Do not renew - no cert needed | /C=AU/O=APACGrid/OU=BeSTGRID-UoC/CN=ucgridgw.canterbury.ac.nz |
| grid | User client tools | 572 | 2007-04-24 | 2008-04-23 | Renew - may run a GridFTP server | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/grid.canterbury.ac.nz |
| gridgwtest | Testing grid sw | 573 | 2007-04-24 | 2008-04-23 | Renew - though cert not really needed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/gridgwtest.canterbury.ac.nz |
| myproxy | MyProxy server | 574 | 2007-04-24 | 2008-04-23 | Renew - though service not really used | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/myproxy.canterbury.ac.nz |
| ng1 | Ng1 gateway (GT2) | 575 | 2007-04-24 | 2008-04-23 | Do not renew - service will not be deployed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/ng1.canterbury.ac.nz |
| ng2 | Ng2 gateway (GT4) for NGCompute | 576 | 2007-04-24 | 2008-04-23 | Renew (move to 861) - production service | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/ng2.canterbury.ac.nz |
| ng2 | Ng2 gateway (GT4) for NGCompute | 834 | 2007-08-22 | 2008-08-21 | Do not renew - this was a test certificate | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=ng2.canterbury.ac.nz |
| ng2 | Ng2 gateway (GT4) for NGCompute | 861 | 2007-09-05 | 2008-09-04 | Renew when needed - production service | /C=NZ/O=BeSTGRID/OU=University of Canterbury/CN=ng2.canterbury.ac.nz |
| ng2 | Ng2 gateway (GT4) for NGCompute | 862 | 2007-09-05 | 2008-09-04 | Do not renew - this was a test certificate | /C=NZ/O=BeSTGRID/OU=University_of_Canterbury/CN=ng2.canterbury.ac.nz |
| ngdata | Ngdata | 577 | 2007-04-24 | 2008-04-23 | Do not renew now (services would run on hpcgrid?) | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/ngdata.canterbury.ac.nz |
| ngcompute | NGCompute test PBS cluster | 578 | 2007-04-24 | 2008-04-23 | Do not renew - no cert needed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/ngcompute.canterbury.ac.nz |
| nggums | GUMS authentication server | 579 | 2007-04-24 | 2008-04-23 | Superseded by 835 | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/nggums.canterbury.ac.nz |
| nggums | GUMS authentication server | 835 | 2007-08-22 | 2008-08-21 | Renew - service being deployed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=nggums.canterbury.ac.nz |
| ngportal | GridSphere portal | 580 | 2007-04-24 | 2008-04-23 | Superseded by 792 | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/ngportal.canterbury.ac.nz |
| ngportal | GridSphere portal | 792 | 2007-07-17 | 2008-07-16 | Renew - production service | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=ngportal.canterbury.ac.nz |
| ngportaldev | GridSphere development portal | 836 | 2007-08-22 | 2008-08-21 | Renew - useful as testbed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=ngportaldev.canterbury.ac.nz |
| vomrs | VOMRS server | 581 | 2007-04-24 | 2008-04-23 | Do not renew - service not deployed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=host/vomrs.canterbury.ac.nz |
| xpc14a0 | Development workstation | 631 | 2007-05-25 | 2008-05-24 | Do not renew - no longer needed | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=xpc14a0.math.canterbury.ac.nz |
| ng2hpc | GT4 gateway for HPC | 682 | 2007-06-07 | 2008-06-06 | Renew - production service | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=ng2hpc.canterbury.ac.nz |
| ng2sge | GT4 gateway for Oldesparky | 683 | 2007-06-07 | 2008-06-06 | Renew - service still planned | /C=AU/O=APACGrid/O=BeSTGRID/OU=University of Canterbury/CN=ng2sge.canterbury.ac.nz |
BeSTGRID Shibboleth Federation
| Host | Channel | Issuer | Expires | Comment |
|---|---|---|---|---|
| wayf.bestgrid.org | https | ipsCA | 2010-11-24 | |
| idp.bestgrid.org | front | ipsCA | 2010-11-14 | |
| idp.bestgrid.org | back | APACGrid | 2009-06-26 | Note 1, Note 3 |
| www.bestgrid.org | front | ipsCA | 2009-09-16 | |
| www.bestgrid.org | back | AAF L2 Shib | 2010-01-24 | Note 2 |
| openidp.test.bestgrid.org | front+back | MAMS Level 1 CA | 2009-07-28 | |
| wiki.test.bestgrid.org | front | BeSTGRID CA | 2010-05-23 | |
| wiki.test.bestgrid.org | back | CAUDIT | 2010-01-24 | Note 2 |
| idp-test.canterbury.ac.nz | front+back | MAMS Level 1 CA | 2009-08-21 | |
| wayf.test.bestgrid.org | https | BeSTGRID CA | 2010-05-24 | |
| gridsphere.test.bestgrid.org | front | BeSTGRID CA | 2010-11-21 | |
| gridsphere.test.bestgrid.org | back | MAMS Level 1 CA | 2009-12-15 | |
| avcc.karen.net.nz | front | ipsCA | 2010-05-27 | |
| avcc.karen.net.nz | back | CAUDIT | 2010-01-13 | |
| idp.canterbury.ac.nz | front | ipsCA | 2010-09-17 | |
| idp.canterbury.ac.nz | back | CAUDIT | 2010-01-13 | |
| wiki.canterbury.ac.nz | front | ipsCA | 2010-11-30 | |
| wiki.canterbury.ac.nz | back | CAUDIT | 2010-04-15 | |
| confluencewiki.canterbury.ac.nz | front+back | MAMS-Level-1 | 2009-11-25 | |
- Schedule:
  - June 2009: Do something about idp.bestgrid.org - either renew the back-channel certificate or switch to using ipsCA on the back-channel.
- Note 1: yuck: idp.bestgrid.org is issuing assertions with an APACGrid certificate; that's why the APACGrid CA is included in the BeSTGRID federation metadata.
- Note 2: these certificates were due to expire Jun 18 with the old CAUDIT Shibboleth Issuing CA.
- Note 3: Now that idp.bestgrid.org has an ipsCA front-end certificate, we might switch to using it for the back-channel as well, and then remove the APACGrid CA from the BeSTGRID Federation metadata.
