Ticket #1092 (new task)

Opened 9 years ago

[S] Script needed to keep services in the ESG federation up to date with trust roots

Reported by: pjkersha Owned by: pjkersha
Priority: required Milestone: CMIP5 Security
Component: security Version:
Keywords: security, MyProxy Cc:

Description

Services in the federation using SSL need to keep their PKI settings up to date so that they only trust other registered services. This includes:

  1. Management of CA certificates, so that the trust root of a given certificate can be verified back to a recognised CA
  2. CRLs (Certificate Revocation Lists), so that revoked certificates are rejected
  3. Constraining services to accept communication only from a given whitelist of certificate DNs (Distinguished Names)

This was discussed at the last Security Telecon. MyProxy can fulfil requirements 1) and 2) via its trust-root provisioning capability. This can be combined with a script that regularly pulls the trust-root configuration from a list of trusted MyProxy servers across the federation and installs it on the target host for services to pick up and use. In the case of Java services, an additional step is needed to ingest the certificates into a keystore.

The configuration for the download script then would be:

  • a list of trusted MyProxy servers from which services in the federation can pull trust roots
  • the location of the keystore to be updated

And then the processing steps:

  1. for each server in the list of trusted MyProxy servers call myproxy-get-trustroots
  2. for each certificate in the retrieved trust roots directory:
    • convert the certificate to DER format
    • call keytool updating the keystore (for Java based services only)

The two bullets can be achieved simply with:

$ openssl x509 -inform pem -in my_ca.pem -outform der -out my_ca.der 
$ keytool -import -alias my_ca -file my_ca.der -keystore keystorename -storepass keystorepassword
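The whole procedure (the two configuration items plus steps 1 and 2) as one Python script, added here as a worked example; it is not MyProxy or MyProxyClient code. It shells out to the existing myproxy-get-trustroots binary rather than reimplementing it, and to keytool for the Java step. The server names, keystore path and the ESG_STOREPASS variable are placeholders; that myproxy-get-trustroots writes into $X509_CERT_DIR when that variable is set is an assumption about the tool that should be checked against the installed version. The constructed trust-root directory at the bottom exists only so the file handling can be exercised offline: its certificate body is a placeholder DER blob, not a real certificate.

```python
#!/usr/bin/env python3
"""Pull trust roots from each trusted MyProxy server and import the CA certs
into a Java keystore.  Added example for this ticket, not MyProxy or
MyProxyClient code; server names, keystore path and password variable are
placeholders."""
import base64, hashlib, os, re, subprocess, tempfile

TRUSTED_MYPROXY_SERVERS = ["myproxy.node-a.example.org",       # placeholders,
                           "myproxy.node-b.example.org:7512"]  # host[:port]
KEYSTORE = "/etc/grid-security/esg-truststore.jks"            # placeholder
STOREPASS_ENV = "ESG_STOREPASS"  # passed as -storepass:env so it is not in `ps`
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Same as `openssl x509 -inform pem -outform der`: strip the armour and
    base64-decode the body.  A file may hold several certs, so return a list."""
    return [base64.b64decode("".join(b.split())) for b in PEM_CERT.findall(pem_text)]

def alias_for(der):
    """Alias from the SHA-256 fingerprint: stable across runs (a re-import is
    a no-op) and unique per CA, unlike the subject-hash file name."""
    return "esg-ca-" + hashlib.sha256(der).hexdigest()[:16]

def classify(filename):
    """Globus trust-root layout: <hash>.0 CA cert, <hash>.r0 CRL, <hash>.signing_policy."""
    if re.search(r"\.r\d+$", filename):
        return "crl"
    if re.search(r"\.\d+$", filename):
        return "ca"
    return "policy" if filename.endswith(".signing_policy") else "other"

def fetch_trust_roots(server, dest_dir, bootstrap=False):
    """Step 1 for one server.  Assumption: myproxy-get-trustroots writes into
    $X509_CERT_DIR when set, so aim it at a staging directory.  -b trusts the
    server's own cert on first use: fresh installs only, never in the cron job."""
    host, _, port = server.partition(":")
    cmd = ["myproxy-get-trustroots", "-s", host] + (["-p", port] if port else [])
    subprocess.check_call(cmd + (["-b"] if bootstrap else []),
                          env=dict(os.environ, X509_CERT_DIR=dest_dir))

def collect_ca_certs(trust_dir):
    """Step 2a: {alias: DER} for every CA cert file.  CRLs and signing_policy
    files are left for the OpenSSL-based services; a JKS truststore holds neither."""
    certs = {}
    for name in sorted(os.listdir(trust_dir)):
        if classify(name) == "ca":
            with open(os.path.join(trust_dir, name)) as fh:
                for der in pem_to_der(fh.read()):
                    certs[alias_for(der)] = der  # same CA from two servers: one entry
    return certs

def keytool_import_cmd(alias, der_path, keystore=KEYSTORE, storepass_env=STOREPASS_ENV):
    """Non-interactive form of the keytool line in the ticket; -noprompt avoids
    the "Trust this certificate?" question that would hang an unattended run."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts", "-alias", alias,
            "-file", der_path, "-keystore", keystore, "-storepass:env", storepass_env]

def update_keystore(trust_dir, keystore=KEYSTORE):
    """Step 2b: import each CA cert whose alias is not already in the keystore."""
    for alias, der in collect_ca_certs(trust_dir).items():
        present = subprocess.call(["keytool", "-list", "-alias", alias, "-keystore",
                                   keystore, "-storepass:env", STOREPASS_ENV],
                                  stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) == 0
        if not present:
            der_path = os.path.join(trust_dir, alias + ".der")
            with open(der_path, "wb") as fh:
                fh.write(der)
            subprocess.check_call(keytool_import_cmd(alias, der_path, keystore))

def build_constructed_trust_dir():
    """Offline stand-in for a fetched directory: a CA file whose body is a
    placeholder DER blob (not a real certificate) plus a CRL and a
    signing_policy file that the keystore step must skip."""
    d = tempfile.mkdtemp(prefix="esg-trustroots-")
    files = {"1c3f2ca8.0": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
             "1c3f2ca8.r0": "constructed CRL placeholder\n",
             "1c3f2ca8.signing_policy": "access_id_CA X509 '/O=ESG/CN=Example CA'\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    if STOREPASS_ENV not in os.environ:
        raise SystemExit("set %s before running" % STOREPASS_ENV)
    staging = tempfile.mkdtemp(prefix="esg-trustroots-")
    for server in TRUSTED_MYPROXY_SERVERS:
        fetch_trust_roots(server, staging)
    update_keystore(staging)
```

Two points worth noting for the cron version. Pulling from several servers into one directory yields the union of their trust roots, so a CA that one server has dropped stays installed until the freshly fetched staging directory is compared against the live one and the missing entries removed from both the directory and the keystore; that removal is what actually enforces "only trust registered services". And the -b bootstrap flag accepts the MyProxy server's own certificate on first use, so it belongs in the initial install by an operator, not in the unattended job.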

The script could be written in Python, but the MyProxyClient package would then need an implementation of the myproxy-get-trustroots command.

This script would cover management of CA certificates (and CRLs?), but it doesn't cover whitelisting of certificate DNs for a given service, e.g. 'I allow clients with a certificate DN of "/O=ESG/OU=My ESG Data Node/CN=DataNode Manager" to query my Attribute Service.' For the moment (prior to the March deadline), this information will be held in local configuration for any given service. A later review could define a central services registry for such information.
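To illustrate the interim local-configuration approach to 3), here is an added example of a per-service DN whitelist check; it is not code from any ESG service. Only the DataNode Manager DN comes from the ticket; the config format, the second DN and the function names are constructed for the example. DNs are compared as parsed RDN sequences rather than as strings, so that attribute-type case differences do not matter while values still have to match exactly.

```python
"""Per-service DN whitelist held in local configuration, as the ticket proposes
for the interim.  Added example for this ticket, not code from any ESG
service; config format, second DN and function names are constructed."""
import re

# Constructed local config: one DN per line in OpenSSL "oneline" form,
# lines starting with '#' are comments.
ATTRIBUTE_SERVICE_ALLOWED_DNS = """
# clients allowed to query this node's Attribute Service
/O=ESG/OU=My ESG Data Node/CN=DataNode Manager
/O=ESG/OU=Another ESG Data Node/CN=Gateway Service
"""

# An RDN starts at a '/' that is followed by an attribute type and '='.  A '/'
# inside a value (e.g. CN=host/data.example.org) is not followed by 'X=', so
# splitting here instead of on every '/' keeps such values intact.
RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

def parse_oneline_dn(dn):
    """'/O=ESG/OU=x/CN=y' -> (('O','ESG'), ('OU','x'), ('CN','y')).
    Attribute types are upper-cased and whitespace trimmed so 'cn=' and 'CN='
    compare equal; values are kept as-is so the match stays strict."""
    dn = dn.strip()
    if not dn.startswith("/"):
        raise ValueError("expected OpenSSL oneline DN starting with '/': %r" % dn)
    rdns = []
    for part in RDN_SPLIT.split(dn)[1:]:
        attr, eq, value = part.partition("=")
        if not eq or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

def load_allowlist(config_text):
    """Parse the config block into a frozenset of parsed DNs."""
    allowed = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            allowed.add(parse_oneline_dn(line))
    return frozenset(allowed)

def is_authorized(peer_dn, allowlist):
    """Deny by default: an empty allowlist or an unparsable peer DN rejects.
    Only meaningful after the TLS layer has verified that the client cert
    chains to a trusted CA and is not revoked; otherwise the DN proves nothing."""
    if not allowlist:
        return False
    try:
        return parse_oneline_dn(peer_dn) in allowlist
    except ValueError:
        return False
```

The oneline string form is inherently ambiguous (a value containing "/DC=" would be split as a new RDN), so where the service framework exposes the verified peer certificate's subject as a structured object, build the comparison tuple from that rather than from a formatted string, and keep the string form only for the configuration file.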
