Tuesday, November 17, 2009

New KCA (Kerberos Certificate Authority) server

Since Monday morning, Nov. 16, Fermilab has been running a new KCA (Kerberos Certificate Authority) server. The old KCA server will be dropped from the IGTF CA distribution bundle on Dec 1, 2009. The new server has a different public/private key pair, so certificates issued by the old KCA will no longer be valid.

Site security contacts do not need to take any additional steps; your gatekeeper will automatically fetch the new bundle, provided you enabled the cron jobs that fetch CA certificates (see https://twiki.grid.iu.edu/bin/view/ReleaseDocumentation/ComputeElementInstall#Install_the_CA_Certificate_Updat).


If you run web servers that use the Fermi KCA for authentication, please follow:

http://security.fnal.gov/pki/new2kcafaq.html#1_16

which will explain how to properly update the web servers to accept the new certificates.


VO security contacts: if your users rely on certificates issued by the Fermi KCA, you may get questions from them. There are basically two types of things that can go wrong:

1) Users may have problems obtaining certificates.

In most cases this is because the clients on their desktops that request the certificates have not been updated, so they cannot talk to the new KCA software. Please direct users to the web page:

http://computing.fnal.gov/xms/Services/Getting_Services/Certificates/Certificate_Client_Update_Instructions

which explains how to make sure their client software is properly updated. Users can go to the web page:

http://security.fnal.gov/pki/browsercerttest.html

to check whether or not they have a certificate (and whether it is one of the newly issued certificates).

2) Users may have no problem obtaining certificates but discover that the certificates no longer let them access services they were formerly able to use. In most cases this is because the service admin (typically not the user making the complaint) has not updated their servers to recognize the newly issued certificates. On grid machines with automated CA certificate updates enabled, this should not be an issue. If the problem persists, please open a ticket with the OSG GOC.
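The two statements above (certificates from the old KCA key pair are no longer valid, and a server whose trust bundle was not refreshed rejects the new ones) can be reproduced locally. The following script is an added example, not part of this announcement or of any OSG/Fermilab tooling; it assumes openssl is installed, and every CA name, key and certificate in it is constructed on the fly to stand in for the old and new KCA.

```shell
#!/bin/sh
# Simulate a CA key rollover: two self-signed CAs with different key pairs
# ("old" and "new") each issue a user certificate, then both user certs are
# verified against a trust bundle that contains only the new CA, which is
# the state of a gatekeeper whose CA bundle was refreshed by the cron job.
set -e
WORK=$(mktemp -d)

make_ca() {  # $1 = label; writes $WORK/$1-ca.key and $WORK/$1-ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
    -subj "/O=Example/CN=Example KCA ($1)" 2>/dev/null
}

issue_user_cert() {  # $1 = CA label, $2 = output basename
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/O=Example/CN=example user" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 7 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against_bundle BUNDLE CERT -> prints "valid" or "invalid"
# (the same check a service performs on a presented client certificate)
verify_against_bundle() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

make_ca old
make_ca new
issue_user_cert old user-old   # issued before the rollover
issue_user_cert new user-new   # issued by the new KCA key pair

BUNDLE="$WORK/new-ca.pem"      # refreshed bundle: trusts only the new CA
OLD_RESULT=$(verify_against_bundle "$BUNDLE" "$WORK/user-old.pem")
NEW_RESULT=$(verify_against_bundle "$BUNDLE" "$WORK/user-new.pem")
echo "old-issued cert against new bundle: $OLD_RESULT"   # invalid
echo "new-issued cert against new bundle: $NEW_RESULT"   # valid
```

Running the same two certificates against a bundle that still holds only the old CA (`$WORK/old-ca.pem`) inverts the result, which is exactly the symptom of a server admin who has not updated the trust store.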

For any other problems, please urge your users to either submit a ticket to the OSG GOC or call the Fermilab Service Desk directly. Contacting the Fermilab Service Desk may speed up the process.

Regards,
OSG Security Team
