
Certification Authority

Two local certification authorities (CAs) are deployed for testing the Globus install and for some initial experiments. These CAs are:

nikCA
This CA signed the host certificates for the micro grid and the two initial users (davidg and meet). This CA has the DN:
O=Vlab, OU=NIKHEF, CN=nikCA Certificate Authority/Email=davidg@nikhef.nl
MD5 fingerprint: A5:E7:AD:60:9E:29:06:E1:40:BB:E6:D6:58:76:A8:07,
hash: cee276c0.

This CA also signed the host certificate for a test-bed secure web server (the cert is for *.nikhef.nl). Note that a wildcard certificate is valid for every host under nikhef.nl, so its private key has to be guarded as carefully as that of any host it covers. There is some tooling available to convert user certs signed by this CA to PKCS#12 type user certs for use by Netscape and MSIE.

nikhefCA
This CA was initially used to test certification policies (allowing access for different classes of users whose certs are signed by different CAs). This CA has a `better' DN and might serve as the basis for a more permanent local CA. Its DN is:
C=NL, O=NIKHEF, CN=NIKHEF CA Organization
MD5 fingerprint: A3:F3:E8:16:12:F0:4B:5E:CA:94:38:06:E1:0E:B2:37,
hash: 263d1de6.
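The `hash' quoted for each CA is the OpenSSL subject-name hash: a trusted CA certificate is looked up in a hashed directory (such as share/certificates) under the file name <hash>.0, so the value is what links a CA's DN to its file. The following is an added example, not code from the Globus toolkit, that computes this hash from the DN components. It uses the pre-1.0.0 OpenSSL (`old style') algorithm, which is the one in use when this page was written: the first four bytes of the MD5 of the DER-encoded Name, read as a little-endian integer. The DER encoder is a minimal one: it assumes PrintableString for every attribute except emailAddress (IA5String) and single-valued RDNs, and the function and table names are this example's own. Because the string types used in the real certificates are not known, running it on the DNs printed above is not guaranteed to reproduce cee276c0 or 263d1de6; the test DNs in the block are constructed for illustration.

```python
"""Compute the pre-1.0.0 OpenSSL subject-name hash (X509_NAME_hash_old) that
names a trusted CA certificate in a hashed directory as <hash>.0.

Added example, not part of the Globus toolkit. Minimal DER encoder: single-valued
RDNs, PrintableString for all attributes except emailAddress (IA5String).
"""
import hashlib

# OID arcs for the attribute types that occur in the DNs on this page.
OIDS = {
    "C": (2, 5, 4, 6),
    "O": (2, 5, 4, 10),
    "OU": (2, 5, 4, 11),
    "CN": (2, 5, 4, 3),
    "Email": (1, 2, 840, 113549, 1, 9, 1),  # PKCS#9 emailAddress
}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs fused into one octet, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = []
        while True:
            groups.insert(0, arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        out += bytes(g | 0x80 for g in groups[:-1]) + bytes([groups[-1]])
    return der_tlv(0x06, bytes(out))


def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    parts = []
    for attr, value in rdns:
        string_tag = 0x16 if attr == "Email" else 0x13  # IA5String / PrintableString
        atv = der_tlv(0x30, der_oid(OIDS[attr]) + der_tlv(string_tag, value.encode("ascii")))
        parts.append(der_tlv(0x31, atv))
    return der_tlv(0x30, b"".join(parts))


def subject_hash_old(rdns):
    """First four MD5 bytes of the DER Name, as a little-endian 32-bit integer in hex."""
    digest = hashlib.md5(der_name(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def ca_file_name(rdns, index=0):
    """File name under which the CA cert is looked up in a hashed certificate directory."""
    return "%s.%d" % (subject_hash_old(rdns), index)


if __name__ == "__main__":
    # Constructed DN in the style of the page; not claimed to match any value printed there.
    example = [("C", "NL"), ("O", "NIKHEF"), ("CN", "NIKHEF CA Organization")]
    print(der_name(example).hex())
    print(ca_file_name(example))
```

With a current OpenSSL, `openssl x509 -in ca.pem -noout -subject_hash_old` prints the same value as subject_hash_old() for the certificate's actual encoding, whereas `-hash` (alias `-subject_hash`) prints the SHA-1 based hash that OpenSSL 1.0.0 and later use for directory lookup; a hashed directory that must serve both old and new tools needs links under both names.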

Since these `local' CAs will probably not inspire much trust outside NIKHEF, it might be useful to apply for certification with another (new) CA, e.g., a local CA for the WCW, a new CA to be operated by SURFNET (related to the PKI project), or maybe even a commercial CA like Verisign or Thawte.

But since the gatekeeper can be configured to accept user certs signed by several different CAs, this is not an immediate issue (as long as all participants trust each other's CAs). Note that a given user cert is signed by one and only one CA. User key ring support is not currently part of the Globus toolkit (but it is foreseen for some later release).

The following files contain localized information on subject and CA names:

etc/globus-gatekeeper.cert
The subject name in this cert (and the matching key) is extracted at gatekeeper startup and used to re-write the jobmanager configuration file.

share/certificates/ca-sign...
Determines which CA may sign which certificates, i.e. confines each trusted CA to the subject names it is allowed to issue.

~/.globus/...
User information. The grid-cert-request script takes the user cert DN from the configuration file etc/grid-security.conf.

etc/grid-security.conf
Contains the baseDN used for both gatekeeper and user DNs.
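The signing-policy file matters as soon as more than one CA is trusted: without it, any trusted CA could issue a cert for any subject, including a host or user name belonging to the other CA's community. As an added illustration (not the toolkit's own code and not its signing-policy file format), the following performs the decision such a policy encodes: the issuer must be a trusted CA, and the subject must lie within the namespace that CA is permitted to sign, compared RDN by RDN rather than as a string prefix. The policy table confines the two CAs of this page to namespaces of this example's choosing, the user DNs are constructed, and the function names are this example's own. DNs are accepted in both the OpenSSL one-line form (/C=NL/O=NIKHEF/CN=x) and the comma-separated form used above.

```python
"""Check an (issuer, subject) pair against a per-CA namespace policy, the
decision a CA signing policy makes for a gatekeeper that trusts several CAs.

Added example, not the Globus toolkit's own code and not its signing-policy
file format. The policy table below is constructed for illustration.
"""


def parse_dn(dn):
    """Parse a DN in OpenSSL one-line form ('/C=NL/O=NIKHEF/CN=x') or in
    comma-separated form ('C=NL, O=NIKHEF, CN=x') into (ATTRIBUTE, value)
    pairs. Attribute types are case-insensitive, values are not. Values that
    contain the separator character are not supported by this parser."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN in DN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


# Constructed policy: trusted CA subject DN -> list of subject-name prefixes
# (namespaces) that CA may issue certificates under.
SIGNING_POLICY = {
    "C=NL, O=NIKHEF, CN=NIKHEF CA Organization": ["C=NL, O=NIKHEF"],
    "O=Vlab, OU=NIKHEF, CN=nikCA Certificate Authority": ["O=Vlab, OU=NIKHEF"],
}


def in_namespace(namespace, subject):
    """Compare whole RDNs, not characters: the namespace O=NIKHEF must not
    match a subject under O=NIKHEFX, which a string-prefix test would accept."""
    return len(namespace) <= len(subject) and subject[:len(namespace)] == namespace


def may_sign(issuer_dn, subject_dn, policy=SIGNING_POLICY):
    """True only if issuer_dn names a trusted CA and subject_dn lies inside
    one of the namespaces that CA is permitted to sign."""
    issuer = parse_dn(issuer_dn)
    subject = parse_dn(subject_dn)
    for ca_dn, namespaces in policy.items():
        if parse_dn(ca_dn) == issuer:
            return any(in_namespace(parse_dn(ns), subject) for ns in namespaces)
    return False  # issuer is not a trusted CA at all


if __name__ == "__main__":
    nikhef_ca = "/C=NL/O=NIKHEF/CN=NIKHEF CA Organization"
    # Constructed test subjects: one legitimate, one look-alike organisation,
    # one that belongs to the other CA's namespace.
    for subject in ("/C=NL/O=NIKHEF/CN=davidg",
                    "/C=NL/O=NIKHEFX/CN=mallory",
                    "/O=Vlab/OU=NIKHEF/CN=meet"):
        print(subject, "->", "accept" if may_sign(nikhef_ca, subject) else "reject")
```

The RDN-level comparison is the point of the example: a subject under O=NIKHEFX is rejected although the string "/C=NL/O=NIKHEF" is a prefix of it, and a subject in the nikCA namespace is rejected when nikhefCA claims to have signed it, even though both CAs are trusted.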


The name of the gatekeeper certificate is generated by the grid-cert-request program, using the hostname obtained from the master etc/gatekeepers.conf file. Its invocation, as taken from


\begin{verbatimtab}[4]
${bindir}/grid-cert-request -gatekeeper ${name} -force \...
...rt_file} -key ${key_file} \
-req ${req_file} > /dev/null 2>&1
\end{verbatimtab}


David Groep
2001-01-25