Opened 7 years ago

Closed 6 years ago

#1027 closed (fixed)

use a cert with the correct URN

Reported by: Aaron Helsinger
Owned by: Aaron Helsinger
Priority: major
Milestone:
Component: I2AM
Version: SPIRAL5
Keywords:
Cc: tlehman@maxgigapop.net, ckotil@grnoc.iu.edu, Aaron Helsinger, xyang@maxgigapop.net
Dependencies:

Description

PG cares that the ION AM's URN says 'ionpl+authority+sa' instead of 'ion.internet2.edu+authority+am' and wants this changed.

Work on regenerating the correct self signed certificate and using that instead.

Tony Mack says:

You can use the following commands to regenerate your registry certs and maintain the existing keys:

$ sfaadmin registry nuke --certs
$ sfaadmin registry import_registry

Attachments (1)

sfa-2.0-9-patch-7.diff (202 bytes) - added by xyang@maxgigapop.net 7 years ago.


Change History (8)

comment:1 Changed 7 years ago by Aaron Helsinger

Make sure the 'interface_hrn' and 'root_auth' fields in /etc/sfa/sfa_config are set to 'ion.internet2.edu'.

But given that this system's SFA is old, Tony says:

$ sfa-nuke.py

but that will just clear out the registry database. You will have to manually remove all .cert and .gid files in /var/lib/sfa recursively. 

Set SFA_INTERFACE_HRN and SFA_ROOT_AUTH to ion.internet2.edu in /etc/sfa/sfa_config, although your sfa_config file is probably being generated from /etc/sfa/configs/site.xml so you may need to update these values there to make them permanent. 

Once that's done you can use sfa-import.py to regenerate your registry records.

You should consider upgrading your v2 interface to the latest tagged release and/or bringing up a v3 interface on another machine.

comment:2 Changed 7 years ago by xyang@maxgigapop.net

Cc: Aaron Helsinger xyang@maxgigapop.net added
Owner: changed from xyang@maxgigapop.net to ckotil@grnoc.iu.edu

Reassign to Chad.

Do the following steps to update SFA on ION AM.

  1. sfa-nuke-plc.py
  2. find /var/lib/sfa/ -name *.gid |xargs rm -rf

find /var/lib/sfa/ -name *.cert |xargs rm -rf
find /var/lib/sfa/ -name *.cred |xargs rm -rf

  1. grep -r ionpl /etc/sfa |cut -d: -f1 | xargs sed -i "s/ionpl/ion.internet2.edu/g"
  2. apply the attached sfa-2.0-9-patch-7.diff
  3. service sfa restart
  4. sfa-import-plc.py
  5. service sfa restart

Note: This is only for network-only aggregates that have no MyPLC hosts to allocate. Otherwise, simply replacing the hrn may break MyPLC functions.

comment:3 Changed 7 years ago by xyang@maxgigapop.net

The wiki text was a bit messy in comment#2. Reformat the steps below:

  1. sfa-nuke-plc.py
  2. find /var/lib/sfa/ -name *.gid |xargs rm -rf; find /var/lib/sfa/ -name *.cert |xargs rm -rf; find /var/lib/sfa/ -name *.cred |xargs rm -rf
  3. grep -r ionpl /etc/sfa |cut -d: -f1 | xargs sed -i "s/ionpl/ion.internet2.edu/g"
  4. apply the attached sfa-2.0-9-patch-7.diff
  5. service sfa restart
  6. sfa-import-plc.py
  7. service sfa restart
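Step 3 above rewrites every occurrence of the string `ionpl` under /etc/sfa with sed, and the ticket's whole point is that the regenerated GID must carry the `ion.internet2.edu+authority+am` URN. The following added check (not part of the ticket or of SFA) shows a token-bounded rewrite that will not touch unrelated strings containing `ionpl`, an audit of the two config keys comment:1 names, and a check of a GID URN against what PG expects; the config text is a constructed sample, not the real ION file.

```python
import re

# Constructed sample of an old-style /etc/sfa/sfa_config; not the real ION file.
SAMPLE_CONFIG = """\
SFA_INTERFACE_HRN=ionpl
SFA_ROOT_AUTH=ionpl
SFA_REGISTRY_HOST=ionplanet.example.net
SFA_AGGREGATE_TYPE=ion
"""

def rewrite_hrn(text, old_hrn, new_hrn):
    """Replace old_hrn only where it stands as a whole HRN component.
    A bare sed 's/ionpl/ion.internet2.edu/g' would also mangle the
    'ionplanet' hostname above; the lookarounds stop that. Dots stay
    boundaries, so a sub-authority such as 'ionpl.site' is rewritten too.
    Returns (new_text, number_of_replacements)."""
    pat = re.compile(r'(?<![A-Za-z0-9_-])' + re.escape(old_hrn) + r'(?![A-Za-z0-9_-])')
    return pat.subn(new_hrn, text)

def config_hrn_problems(text, wanted_hrn):
    """Return the config keys whose value still differs from wanted_hrn."""
    values = dict(line.split('=', 1) for line in text.splitlines() if '=' in line)
    return [k for k in ('SFA_INTERFACE_HRN', 'SFA_ROOT_AUTH') if values.get(k) != wanted_hrn]

def expected_am_urn(interface_hrn):
    """The URN PG expects the AM's GID to carry for this interface HRN."""
    return 'urn:publicid:IDN+%s+authority+am' % interface_hrn

def urn_is_correct(urn, interface_hrn):
    """Split a GID URN into authority, type and name and compare each part
    with what PG expects, so 'ionpl+authority+sa' is rejected."""
    m = re.match(r'urn:publicid:IDN\+([^+]+)\+([^+]+)\+([^+]+)$', urn)
    if not m:
        return False
    authority, kind, name = m.groups()
    return authority == interface_hrn and kind == 'authority' and name == 'am'

if __name__ == '__main__':
    fixed, n = rewrite_hrn(SAMPLE_CONFIG, 'ionpl', 'ion.internet2.edu')
    print('replaced %d HRN tokens' % n)
    print('remaining problems:', config_hrn_problems(fixed, 'ion.internet2.edu'))
    print('old URN ok?', urn_is_correct('urn:publicid:IDN+ionpl+authority+sa', 'ion.internet2.edu'))
    print('new URN ok?', urn_is_correct(expected_am_urn('ion.internet2.edu'), 'ion.internet2.edu'))
```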

Changed 7 years ago by xyang@maxgigapop.net

Attachment: sfa-2.0-9-patch-7.diff added

comment:4 Changed 7 years ago by ckotil@grnoc.iu.edu

Status: new → assigned

I've applied the patch and followed the steps before restarting sfa. Then reimported the certs and restarted sfa.

comment:5 Changed 7 years ago by ckotil@grnoc.iu.edu

Owner: changed from ckotil@grnoc.iu.edu to Aaron Helsinger
Status: assigned → new

comment:6 Changed 7 years ago by Aaron Helsinger

Status: new → assigned

I confirmed the fix. Just waiting now to ensure the PG folks are happy.

comment:7 Changed 6 years ago by Aaron Helsinger

Resolution: fixed
Status: assigned → closed