Opened 9 years ago

Closed 9 years ago

#1027 closed (fixed)

use a cert with the correct URN

Reported by: Aaron Helsinger Owned by: Aaron Helsinger
Priority: major Milestone:
Component: I2AM Version: SPIRAL5
Keywords: Cc:,, Aaron Helsinger,


PG cares that the ION AM's URN says 'ionpl+authority+sa' instead of '' and wants this changed.

Work on regenerating the correct self-signed certificate and using that instead.

Tony Mack says:

You can use the following commands to regenerate your registry certs and maintain the existing keys:

$ sfaadmin registry nuke --certs
$ sfaadmin registry import_registry

Attachments (1)

sfa-2.0-9-patch-7.diff (202 bytes) - added by 9 years ago.


Change History (8)

comment:1 Changed 9 years ago by Aaron Helsinger

Make sure the 'interface_hrn' and 'root_auth' fields in /etc/sfa/sfa_config are set to ''.

But given that this system's SFA is old, Tony says:


but that will just clear out the registry database. You will have to manually remove all .cert and .gid files in /var/lib/sfa recursively. 

Set SFA_INTERFACE_HRN and SFA_ROOT_AUTH to in /etc/sfa/sfa_config, although your sfa_config file is probably being generated from /etc/sfa/configs/site.xml so you may need to update these values there to make them permanent. 

Once that's done you can use to regenerate your registry records.

You should consider upgrading your v2 interface to the latest tagged release and/or bringing up a v3 interface on another machine.

comment:2 Changed 9 years ago by

Cc: Aaron Helsinger added
Owner: changed from to

Reassign to Chad.

Do the following steps to update SFA on ION AM.

  2. find /var/lib/sfa/ -name '*.gid' |xargs rm -rf

find /var/lib/sfa/ -name '*.cert' |xargs rm -rf find /var/lib/sfa/ -name '*.cred' |xargs rm -rf

  1. grep -r ionpl /etc/sfa |cut -d: -f1 | xargs sed -i "s/ionpl/"
  2. apply the attached sfa-2.0-9-patch-7.diff
  3. service sfa restart
  5. service sfa restart

Note: This is only for network-only aggregates that have no MyPLC hosts to allocate. Otherwise, simply replacing the hrn may break MyPLC functions.

comment:3 Changed 9 years ago by

The wiki text was a bit messy in comment#2. Reformat the steps below:

  2. find /var/lib/sfa/ -name '*.gid' |xargs rm -rf; find /var/lib/sfa/ -name '*.cert' |xargs rm -rf; find /var/lib/sfa/ -name '*.cred' |xargs rm -rf
  3. grep -r ionpl /etc/sfa |cut -d: -f1 | xargs sed -i "s/ionpl/"
  4. apply the attached sfa-2.0-9-patch-7.diff
  5. service sfa restart
  7. service sfa restart
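
A pre-restart check for the steps above, as an added example that is not part of the ticket or of SFA: it confirms that no .gid, .cert or .cred files remain under the data directory and that no file under the config directory still names the old authority. The function names are hypothetical; the paths and the name `ionpl` are the ones given in the ticket.

```shell
#!/bin/sh
# Added example (not from the ticket): audit the cleanup before restarting sfa.

# Print generated credential files (.gid, .cert, .cred) still present under $1.
# The patterns are quoted so that find, not the shell, expands them.
leftover_creds() {
    find "$1" -type f \( -name '*.gid' -o -name '*.cert' -o -name '*.cred' \) -print
}

# Print config files under $1 that still contain the old authority name $2.
# -F matches the name literally; -l lists each matching file once.
# "|| true" keeps a no-match result from aborting callers that use set -e.
stale_configs() {
    grep -rlF -- "$2" "$1" 2>/dev/null || true
}

# audit_sfa DATA_DIR CONF_DIR OLD_NAME
# Returns 0 when nothing stale is left, 1 when something still needs cleaning.
audit_sfa() {
    status=0
    creds=$(leftover_creds "$1")
    confs=$(stale_configs "$2" "$3")
    if [ -n "$creds" ]; then
        echo "credential files not removed:"
        echo "$creds"
        status=1
    fi
    if [ -n "$confs" ]; then
        echo "config files still naming $3:"
        echo "$confs"
        status=1
    fi
    return $status
}

# Touch the real paths only when invoked as "script run",
# so that sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    audit_sfa /var/lib/sfa /etc/sfa ionpl
fi
```

Private keys are not matched by any of the three patterns, so the check does not flag the keys the procedure is meant to keep.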

Changed 9 years ago by

Attachment: sfa-2.0-9-patch-7.diff added

comment:4 Changed 9 years ago by

Status: new → assigned

I've applied the patch and followed the steps before restarting sfa. Then reimported the certs and restarted sfa.

comment:5 Changed 9 years ago by

Owner: changed from to Aaron Helsinger
Status: assigned → new

comment:6 Changed 9 years ago by Aaron Helsinger

Status: new → assigned

I confirmed the fix. Just waiting now to ensure the PG folks are happy.

comment:7 Changed 9 years ago by Aaron Helsinger

Resolution: fixed
Status: assigned → closed