DOEGrids to DigiCert Distinguished Name Transition

The 2012 OSG CA Transition will require OSG participants who currently hold certificates from the DOEGrids CA to obtain certificates from a new CA (the DigiCert Grid CA). Since each IGTF-accredited CA must issue certificates with non-overlapping names, the certificates from the new CA will contain different names (called Distinguished Names or DNs) in both the certificate issuer and certificate subject fields. The DNs for all types of DOEGrids certificates (user, host, service) will change.

A major impact of the DN change is that OSG participants will need to register new DNs in VOMS for any certificates used to submit jobs or access data. This includes both user certificates and pilot certificates. In most cases, DN changes will not cause issues for server certificates (exceptions noted below), because clients check that the server certificate matches the server's hostname, rather than checking the full DN of the server certificate.

This document provides information for making this DN transition as smooth as possible for OSG participants.

Background Material

Distinguished Name Forms

Certificates issued by the DOEGrids CA contain distinguished names of the following forms:

  • Issuer: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • Subject: /DC=org/DC=doegrids/OU=People/CN=full name ID#
  • Subject: /DC=org/DC=doegrids/OU=Hosts/CN=fqdn
  • Subject: /DC=org/DC=doegrids/OU=Services/CN=servicename

For example:

  • /DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056
  • /DC=org/DC=doegrids/OU=Hosts/CN=ce.example.edu
  • /DC=org/DC=doegrids/OU=Services/CN=uscmspilot/cmssrv105.fnal.gov

Certificates issued by the DigiCert Grid CA contain distinguished names of the following forms:

  • Issuer: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1
  • Subject: /DC=com/DC=DigiCert-Grid/...

For example:

  • /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Jim Basney
  • /DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=ce.example.edu

Note: The DigiCert signing policy also lists other forms (DC=DigiCertGrid and O=DigiCert Grid). These are not used in the OSG PKI.

VOMS

VOs use VOMS to manage VO membership and privileges. All VO members have DNs registered in VOMS. When a user's DN changes, the user's VOMS registration must be updated. VOMS has the concept of multiple DNs per user, so users can retain their VO roles when their DN changes. It is possible for users to self-register their new certificate DN in the VOMS server while logged in with their old certificate. It is helpful to have both the old and new DNs for a user registered in VOMS during the transition period, to give time for the new DNs to propagate to the sites and for jobs running with old certificates to complete.

Each VOMS server runs with a host/service certificate whose DN is registered in the vomses file. This file will need to be updated for each VOMS server that replaces its DOEGrids certificate, i.e., the replacement of the VOMS server certificate and the update of the vomses file must be coordinated. The transition of VOMS server certificates to the DigiCert Grid CA can occur independently of the transition of user certificates to the DigiCert Grid CA.

GUMS

Sites use GUMS to map user DNs to local accounts. GUMS queries VOMS periodically to obtain the list of DNs for VO members. Sites can configure GUMS to:

  • map groups of users to shared group accounts
  • map users to pool accounts, one user per account
  • map users to group accounts manually

GUMS has only limited support for handling VOMS registration of multiple DNs per user. When using pool accounts, GUMS will assign a different local user to each DN that belongs to a user.

edg-mkgridmap

edg-mkgridmap is a simple program that contacts VOMS servers and creates a grid-mapfile. It is an alternative to GUMS.

Gratia

Gratia is the OSG accounting system. It tracks resource usage across OSG by DN.

What will OSG need to do for its own services?

As part of the certificate issuance process, OSG will register user DNs in OIM (OSG Information Management System). Besides OIM, OSG will update DN registrations in the Twiki and DocDB. OSG will also need to update Gratia to avoid double-counting users as their DNs change.

What will OSG need to communicate to the VOs?

OSG will assist VOs in preparing announcements, procedures, and documentation (as needed) for users to register their new DNs in VOMS. We expect OSG participants to register their new certificates in VOMS following the normal registration procedures for their VO. VO administrators will then manually associate new DNs with existing VOMS accounts, if desired.

OSG will help VOs understand what impacts (if any) the DN change will have on access to compute and data for the VO users. For example:

  • Do the VO's users expect to have their jobs run in the same pool account at a site over time?
  • Does the VO use DN-based access control to data?
  • How are DNs registered in the VO's submit nodes and/or pilot job frameworks?

What will OSG need to communicate to the sites?

OSG will distribute to all OSG sites an updated vomses file that contains the new VOMS server DNs. The following 34 VOs currently use DOEGrids DNs for their VOMS server: cdf, fermilab, star, atlas, dosar, dzero, des, GLOW, LIGO, nanohub, i2u2, NWICG, gpn, CompBioGrid, Engage, osg, ilc, NYSGRID, SBGrid, CIGI, mis, osgedu, NEBioGrid, Gluex, GridUNESP, dayabay, hcc, CSIU, suragrid, nees, gcvo, gcedu, dream, and lbne.

OSG will communicate to all OSG sites the impacts that DN changes will have on local account mappings at compute elements and storage elements. In some cases (for example, dCache at BNL), everyone from a given VO is mapped to a single group account at the local site, so changes in individual user DNs won't require updated mappings. In other cases, pool accounts have been assigned to particular users, and DN changes will result in new pool accounts being allocated or will require manual re-mapping of pool accounts. Lastly, in other cases user DNs are manually mapped to local accounts, and these manual mappings will need to be updated. OSG will provide specific instructions for configuring GUMS and edg-mkgridmap as needed for this DN transition.
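The following script is an added example, not OSG's own tooling, that ties together the DN forms listed under Background Material, the vomses file update described in the VOMS section, and the account-mapping impacts described above. It parses OpenSSL-style one-line DNs (taking care with the slash inside service CNs such as uscmspilot/cmssrv105.fnal.gov), classifies each DN as DOEGrids- or DigiCert-issued, reports vomses entries whose VOMS server DN is still a DOEGrids DN, and produces a transitional grid-mapfile in which each new DigiCert DN inherits the local account of its old DOEGrids DN while the old entry is kept so that jobs running with old certificates still map. The vomses lines, grid-mapfile lines, hostnames, ports, account names and the old-to-new DN pairs are constructed sample data; the vomses and grid-mapfile line formats are the standard five-field and two-field forms.

```python
"""Audit vomses and grid-mapfile contents for the DOEGrids -> DigiCert DN transition.
Added example; sample data below is constructed, not taken from any OSG site."""
import re
import shlex

# OpenSSL one-line DNs separate RDNs with '/', but a CN may itself contain '/'
# (e.g. CN=uscmspilot/cmssrv105.fnal.gov), so only split at a '/' that starts a
# new 'attr=' component.  A CN containing a literal 'word=' is still ambiguous.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")


def parse_dn(dn):
    """Return [(attr, value), ...] for a DN such as '/DC=org/DC=doegrids/OU=People/CN=Name 123'."""
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL-style DN beginning with '/'")
    rdns = []
    for rdn in _RDN_SPLIT.split(dn[1:]):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {rdn!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def ca_family(dn):
    """Classify a DN by its leading DC components: 'DOEGrids', 'DigiCert' or 'unknown'.
    Matching is case-insensitive because DOEGrids issuer DNs use DC=DOEGrids while
    subject DNs use DC=doegrids.  DC=DigiCertGrid is not used in the OSG PKI, so it
    is deliberately left as 'unknown'."""
    head = [(a.upper(), v.lower()) for a, v in parse_dn(dn)[:2]]
    if head == [("DC", "org"), ("DC", "doegrids")]:
        return "DOEGrids"
    if head == [("DC", "com"), ("DC", "digicert-grid")]:
        return "DigiCert"
    return "unknown"


def _records(text, nfields):
    """Yield shell-quoted records with at least nfields fields, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) >= nfields:
            yield fields


def vomses_needing_update(vomses_text):
    """Return (vo, server_dn) for vomses entries whose VOMS server DN is still DOEGrids-issued.
    vomses line format: "vo" "host" "port" "/server DN" "vo"."""
    return [(f[0], f[3]) for f in _records(vomses_text, 5) if ca_family(f[3]) == "DOEGrids"]


def parse_gridmap(gridmap_text):
    """Return {dn: account} from grid-mapfile lines of the form "/DN" account."""
    return {f[0]: f[1] for f in _records(gridmap_text, 2)}


def transition_gridmap(mapping, dn_pairs):
    """Give each new DN the account of its old DN; keep old entries for in-flight jobs.
    Returns (updated_mapping, unmatched_new_dns).  An unmatched new DN has no existing
    account to inherit, which under pool-account mapping means a fresh pool account."""
    updated = dict(mapping)
    unmatched = []
    for old_dn, new_dn in dn_pairs:
        if old_dn in mapping:
            updated[new_dn] = mapping[old_dn]
        else:
            unmatched.append(new_dn)
    return updated, unmatched


def render_gridmap(mapping):
    """Serialise a mapping back to grid-mapfile syntax, one '"/DN" account' line each."""
    return "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(mapping.items()))


# ---- constructed sample input (hostnames, ports and accounts are placeholders) ----
SAMPLE_VOMSES = """
# vomses: one VOMS server per line
"osg" "voms.example.org" "15027" "/DC=org/DC=doegrids/OU=Services/CN=voms.example.org" "osg"
"cms" "voms.example.net" "15002" "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=Services/CN=voms.example.net" "cms"
"""
SAMPLE_GRIDMAP = """
"/DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056" osg001
"/DC=org/DC=doegrids/OU=Services/CN=uscmspilot/cmssrv105.fnal.gov" cmspilot
"""
SAMPLE_DN_PAIRS = [
    ("/DC=org/DC=doegrids/OU=People/CN=James Alan Basney 710056",
     "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Jim Basney"),
    # constructed user with no existing mapping: would receive a new pool account
    ("/DC=org/DC=doegrids/OU=People/CN=Unknown User 999999",
     "/DC=com/DC=DigiCert-Grid/O=Open Science Grid/OU=People/CN=Unknown User"),
]

if __name__ == "__main__":
    for vo, dn in vomses_needing_update(SAMPLE_VOMSES):
        print(f"vomses entry for VO {vo} still uses a DOEGrids server DN: {dn}")
    updated, unmatched = transition_gridmap(parse_gridmap(SAMPLE_GRIDMAP), SAMPLE_DN_PAIRS)
    print(render_gridmap(updated))
    for dn in unmatched:
        print(f"no existing account for new DN (would get a fresh pool account): {dn}")
```

Run the script as-is to see the report for the constructed data, or replace the three SAMPLE_* values with a site's real vomses file, grid-mapfile and the old/new DN pairs obtained from VOMS. The old DN entries are intentionally retained in the output so that, during the transition period, jobs submitted with DOEGrids certificates keep mapping to the same account as jobs submitted with the new DigiCert certificates; they can be removed once the old certificates are no longer in use.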

What testing has been performed for the DN transition?

Anthony Tiradani tested registration of new DigiCert DNs in VOMS for US CMS. Rob Snihur will be testing the full CMS stack using a DigiCert certificate.

John Hover is testing use of new DigiCert DNs for US ATLAS.

Topic revision: r17 - 01 Mar 2013 - 16:09:45 - VonWelch