DOEGrids to DigiCert Distinguished Name Transition
The 2012 OSG CA Transition will require OSG participants who currently hold certificates from the DOEGrids CA to obtain certificates from a new CA (the DigiCert Grid CA). Since each IGTF-accredited CA must issue certificates with non-overlapping names, the certificates from the new CA will contain different names (called Distinguished Names or DNs) in both the certificate issuer and certificate subject fields. The DNs for all types of DOEGrids certificates (user, host, service) will change.
A major impact of the DN change is that OSG participants will need to register new DNs in VOMS for any certificates used to submit jobs or access data. This includes both user certificates and pilot certificates. In most cases, DN changes will not cause issues for server certificates (exceptions noted below), because clients check that the server certificate matches the server's hostname, rather than checking the full DN of the server certificate.
This document provides information for making this DN transition as smooth as possible for OSG participants.
Distinguished Name Forms
Certificates issued by the DOEGrids CA contain distinguished names of the following forms:
- Issuer: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
- Subject: /DC=org/DC=doegrids/OU=People/CN=full name ID#
- Subject: /DC=org/DC=doegrids/OU=Hosts/CN=fqdn
- Subject: /DC=org/DC=doegrids/OU=Services/CN=servicename
- Example: /DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056
Certificates issued by the DigiCert Grid CA contain distinguished names of the following forms:
- Issuer: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
- Subject: /DC=com/DC=DigiCert-Grid/...
- Example: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Jim Basney
- Example: /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=ce.example.edu
Note: The DigiCert signing policy also lists other forms (DC=DigiCertGrid and O=DigiCert Grid). These are not used in the OSG PKI.
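The following is an added example (not code from this page or from the OSG software stack) that parses the two DN forms listed above, identifies which CA namespace a DN belongs to, and extracts the certificate type and CN. It also shows the hostname check a client applies to a host or service certificate, which is the reason server certificates mostly need no re-registration when they move to the new CA. The handling of a CN of the form service/fqdn is a general GSI convention that this page does not mention and is labelled as an assumption in the code.

```python
"""Parse and classify the DOEGrids and DigiCert Grid DN forms listed above.

Added example: not code from the OSG transition page or from the OSG
software stack. The DN forms are those quoted above; the 'service/fqdn'
CN handling is a general GSI convention assumed here, not stated on the page.
"""
from __future__ import annotations

from dataclasses import dataclass

# DC prefixes that identify the CA namespace, matched case-insensitively because
# the DOEGrids issuer DN uses DC=DOEGrids while its subject DNs use DC=doegrids.
CA_PREFIXES = {
    "DOEGrids": (("DC", "org"), ("DC", "doegrids")),
    "DigiCert Grid": (("DC", "com"), ("DC", "digicert-grid")),
}

SUBJECT_KINDS = ("People", "Hosts", "Services")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split the OpenSSL one-line form '/DC=org/DC=doegrids/OU=People/CN=...'
    into (attribute, value) pairs.

    Values may contain spaces ('James Alan Basney 710056'). A '/' inside a
    value (as in a CN of the form service/fqdn) yields a fragment with no
    '=', which is folded back into the preceding value.
    """
    if not dn.startswith("/"):
        raise ValueError(f"expected a DN starting with '/': {dn!r}")
    rdns: list[tuple[str, str]] = []
    for fragment in dn[1:].split("/"):
        if "=" in fragment:
            attr, value = fragment.split("=", 1)
            rdns.append((attr.strip(), value.strip()))
        elif rdns:
            attr, value = rdns[-1]
            rdns[-1] = (attr, f"{value}/{fragment}")
        else:
            raise ValueError(f"malformed RDN {fragment!r} in {dn!r}")
    return rdns


def issuing_ca(dn: str) -> str:
    """Return 'DOEGrids' or 'DigiCert Grid' from the leading DC components.
    Works for issuer and subject DNs alike; raises for any other namespace."""
    head = [(a.upper(), v.lower()) for a, v in parse_dn(dn)[:2]]
    for ca, prefix in CA_PREFIXES.items():
        if head == list(prefix):
            return ca
    raise ValueError(f"not a DOEGrids or DigiCert Grid DN: {dn!r}")


@dataclass(frozen=True)
class SubjectDN:
    ca: str     # which CA's namespace the DN lives in
    kind: str   # People, Hosts or Services
    cn: str     # the CN value: user name, fqdn or service name


def classify_subject(dn: str) -> SubjectDN:
    """Classify a user/host/service subject DN from either CA."""
    ca = issuing_ca(dn)
    rdns = parse_dn(dn)
    ous = [v for a, v in rdns if a.upper() == "OU"]
    cns = [v for a, v in rdns if a.upper() == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN in {dn!r}")
    # Both CAs put the certificate type in the last OU before the CN.
    if not ous or ous[-1] not in SUBJECT_KINDS:
        raise ValueError(f"no People/Hosts/Services OU in {dn!r}")
    return SubjectDN(ca, ous[-1], cns[0])


def server_name_matches(dn: str, hostname: str) -> bool:
    """The check a client performs on a server certificate: compare the host
    named in the CN with the host it connected to, ignoring the issuer and
    the rest of the DN. This is why re-issuing a host or service certificate
    under the new CA does not, by itself, break clients."""
    subject = classify_subject(dn)
    if subject.kind not in ("Hosts", "Services"):
        return False
    # Assumption (GSI convention, not from the page): a CN of the form
    # service/fqdn carries the hostname after the last '/'.
    named_host = subject.cn.rsplit("/", 1)[-1]
    return named_host.lower() == hostname.lower()


if __name__ == "__main__":
    for sample in (
        "/DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056",
        "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Jim Basney",
        "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=ce.example.edu",
    ):
        print(classify_subject(sample))
```

Note that nothing in the two People DNs above ties "James Alan Basney 710056" to "Jim Basney": the parser can tell which CA each belongs to, but linking old and new DNs to one person is exactly what the VOMS registration described below has to supply.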
VOs use VOMS to manage VO membership and privileges.
All VO members have DNs registered in VOMS.
When a user's DN changes, the user's VOMS registration must be updated.
VOMS has the concept of multiple DNs per user, so users can retain their VO roles when their DN changes.
It is possible for users to self-register their new certificate DN in the VOMS server while logged in with their old certificate.
It is helpful to have both the old and new DNs for a user registered in VOMS during the transition period, to give time for the new DNs to propagate to the sites and for jobs running with old certificates to complete.
Each VOMS server runs with a host/service certificate that is registered in the vomses file. This file will need to be updated for each VOMS server that replaces its DOEGrids certificate, i.e., the update of the VOMS server certificate and the update of the vomses file must be coordinated.
The transition of VOMS server certificates to the DigiCert Grid CA can occur independently of the transition of user certificates to the DigiCert Grid CA.
Sites use GUMS to map user DNs to local accounts.
GUMS queries VOMS periodically to obtain the list of DNs for VO members.
Sites can configure GUMS to:
- map groups of users to shared group accounts
- map users to pool accounts, one user per account
- map users to group accounts manually
GUMS has only limited support for VOMS registrations that carry multiple DNs per user.
When using pool accounts, GUMS will assign a different local account to each DN that belongs to a user, so a user whose new DN is registered alongside the old one will land in a second pool account unless the mapping is adjusted.
edg-mkgridmap is a simple program that contacts VOMS servers and creates a grid-mapfile. It is an alternative to GUMS.
Gratia is the OSG accounting system.
It tracks resource usage across OSG by DN, so a user whose DN changes appears as two different users unless the records are reconciled.
As part of the certificate issuance process, OSG will register user DNs in OIM (OSG Information Management System).
Besides OIM, OSG will update DN registrations in the Twiki.
OSG will also need to update Gratia to avoid double-counting users as their DNs change.
OSG will assist VOs in preparing announcements, procedures, and documentation (as needed) for users to register their new DNs in VOMS.
We expect OSG participants to register their new certificates in VOMS following the normal registration procedures for their VO.
VO administrators will then manually associate new DNs with existing VOMS accounts, if desired.
OSG will help VOs understand what impacts (if any) the DN change will have on access to compute and data for the VO users, for example:
- Do the VO's users expect to have their jobs run in the same pool account at a site over time?
- Does the VO use DN-based access control to data?
- How are DNs registered in the VO's submit nodes and/or pilot job frameworks?
OSG will distribute to all OSG sites an updated vomses file that contains the new VOMS server DNs. The following 34 VOs currently use DOEGrids DNs for their VOMS server: cdf, fermilab, star, atlas, dosar, dzero, des, GLOW, LIGO, nanohub, i2u2, NWICG, gpn, CompBioGrid, Engage, osg, ilc, NYSGRID, SBGrid, CIGI, mis, osgedu, NEBioGrid, Gluex, GridUNESP, dayabay, hcc, CSIU, suragrid, nees, gcvo, gcedu, dream, and lbne.
OSG will communicate to all OSG sites the impacts that DN changes will have on local account mappings at compute elements and storage elements.
In some cases (for example, dCache at BNL), everyone from a given VO is mapped to a single group account at the local site, so changes in individual user DNs won't require updated mappings.
In other cases, pool accounts have been assigned to particular users, and DN changes will result in new pool accounts being allocated or will require manual re-mapping of pool accounts.
Lastly, in other cases user DNs are manually mapped to local accounts, and these manual mappings will need to be updated.
OSG will provide specific instructions for configuring GUMS and edg-mkgridmap as needed for this DN transition.
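The following is an added example (not code from this page, from GUMS or from edg-mkgridmap) of the manual re-mapping step described above for sites that keep a grid-mapfile: given the site's current mapfile and the old-to-new DN pairs a VO has registered in VOMS, it maps each new DN to exactly the local account its old DN had, keeps the old entries for the overlap period recommended earlier, and reports old DNs it cannot find and new DNs that are already mapped elsewhere, rather than silently re-mapping them. It assumes the standard grid-mapfile line form `"<DN>" account[,account...]`; the sample mapfile and DN pairs are constructed.

```python
"""Carry grid-mapfile entries from old DOEGrids DNs to new DigiCert Grid DNs.

Added example, not code from the OSG transition page, GUMS or edg-mkgridmap.
It assumes the standard grid-mapfile line form  "<DN>" account[,account...]
and takes the old->new DN pairs as input (in practice these come from the
VOMS registrations of both DNs). The sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_gridmap(text: str) -> list[tuple[str, str]]:
    """Return (dn, accounts) pairs in file order; blank and '#' lines skipped."""
    entries: list[tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"line {lineno}: DN must be double-quoted: {raw!r}")
        end = line.find('"', 1)
        if end < 0:
            raise ValueError(f"line {lineno}: unterminated DN: {raw!r}")
        dn, accounts = line[1:end], line[end + 1:].strip()
        if not accounts:
            raise ValueError(f"line {lineno}: no local account for {dn!r}")
        entries.append((dn, accounts))
    return entries


def format_gridmap(entries: list[tuple[str, str]]) -> str:
    return "".join(f'"{dn}" {accounts}\n' for dn, accounts in entries)


@dataclass
class TransitionResult:
    text: str                                           # rewritten grid-mapfile
    unmapped: list[str] = field(default_factory=list)   # old DNs absent from the mapfile
    conflicts: list[str] = field(default_factory=list)  # new DNs already mapped to another account


def carry_mappings(gridmap_text: str, dn_pairs: list[tuple[str, str]],
                   keep_old: bool = True) -> TransitionResult:
    """Map each new DN to exactly the local account(s) its old DN had.

    keep_old=True keeps the old entries so that proxies from DOEGrids
    certificates still map while the new DNs propagate and running jobs
    finish; use keep_old=False once the transition is over. Where a DN
    appears more than once, the first entry is used.
    """
    entries = parse_gridmap(gridmap_text)
    accounts_by_dn: dict[str, str] = {}
    for dn, accounts in entries:
        accounts_by_dn.setdefault(dn, accounts)

    old_dns = {old for old, _ in dn_pairs}
    out = [e for e in entries if keep_old or e[0] not in old_dns]
    result = TransitionResult(text="")
    for old_dn, new_dn in dn_pairs:
        accounts = accounts_by_dn.get(old_dn)
        if accounts is None:
            result.unmapped.append(old_dn)      # needs a manual mapping decision
            continue
        existing = accounts_by_dn.get(new_dn)
        if existing is not None and existing != accounts:
            result.conflicts.append(new_dn)     # never silently re-map an account
            continue
        if existing is None:
            out.append((new_dn, accounts))
            accounts_by_dn[new_dn] = accounts
    result.text = format_gridmap(out)
    return result


# Constructed sample input: a site mapfile with DOEGrids DNs (not a real site).
SAMPLE_GRIDMAP = """\
# constructed sample, not a real site's mapfile
"/DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056" osgpool01
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 123456" osgpool02
"/DC=org/DC=doegrids/OU=Services/CN=ce.example.edu" osg
"""

# Constructed old->new DN pairs, as a VO would export them from VOMS.
SAMPLE_PAIRS = [
    ("/DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056",
     "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Jim Basney"),
    ("/DC=org/DC=doegrids/OU=People/CN=Bob Nobody 999999",
     "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Bob Nobody"),
]

if __name__ == "__main__":
    res = carry_mappings(SAMPLE_GRIDMAP, SAMPLE_PAIRS)
    print(res.text, end="")
    print("unmapped:", res.unmapped, "conflicts:", res.conflicts)
```

Run on the sample, the new DN for Jim Basney is appended with the same pool account as the old DN, the old entries stay in place for the overlap period, and Bob Nobody's old DN is reported as unmapped because it was never in the site's mapfile. A site using GUMS rather than a mapfile faces the same decision per user (same account or a fresh pool account), which is the question the first bullet above asks VOs to answer.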
Anthony Tiradani tested registration of new DigiCert DNs in VOMS for US CMS. Rob Snihur will be testing the full CMS stack using a DigiCert certificate.
John Hover is testing use of new DigiCert DNs for US ATLAS.