== Slice Authority trust configuration ==

FOAM has a set of CA certificates that it uses for user authorization: if a user has a certificate signed by a CA that FOAM is configured to trust, then that user can talk to FOAM (and create FOAM slivers, which will be approved automatically if auto-approval is on, etc).

To configure which Slice Authorities FOAM trusts, install or remove the CA cert for the Slice Authority in a file in `/opt/foam/etc/gcf-ca-certs`, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:

{{{
sudo foamctl admin:bundle-certs
sudo service foam restart
sudo service nginx restart
}}}

The GPO recommends that GENI FOAM aggregates trust the authorities in the GENI cert bundle; see below for detailed instructions on how to do that.

=== Slice Authorities ===

The GPO recommends that GENI FOAM aggregates trust the authorities in the GENI cert bundle. To do that, first download the bundle and check its MD5 checksum:

{{{
wget -O geni-cert-bundle.tar.gz http://groups.geni.net/geni/attachment/wiki/GeniTrustAnchors/geni-cert-bundle.tar.gz?format=raw
md5sum geni-cert-bundle.tar.gz
}}}

See http://groups.geni.net/geni/wiki/GeniTrustAnchors for the expected value of the checksum. If the checksum doesn't match, contact `gpo-infra@geni.net` and we'll take a look.

If the checksum on the tar.gz file matches, unpack the bundle and check the sums on the files in it:

{{{
tar xfz geni-cert-bundle.tar.gz
cd geni-cert-bundle
md5sum --check MD5SUMS
}}}

That should produce output like:

{{{
ch.geni.net-ca.pem: OK
ch.geni.net-ma.pem: OK
emulab.net.pem: OK
pgeni.gpolab.bbn.com.pem: OK
plc.pem: OK
}}}

If any of them don't say "OK", or you get any other errors, contact `gpo-infra@geni.net`.

If those do all check out ok, install the certs in the directory that FOAM uses, rebuild the cert file that nginx uses, and restart FOAM and nginx:

{{{
sudo cp *.pem /opt/foam/etc/gcf-ca-certs
sudo foamctl admin:bundle-certs
sudo service foam restart
sudo service nginx restart
}}}

Experimenters should then be able to use FOAM with credentials signed by any of those authorities; you can test this yourself if you have such credentials handy.
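
The whole procedure above as one fail-closed script (an added example, not from the FOAM or GENI wiki): nothing is copied into `/opt/foam/etc/gcf-ca-certs` unless both the tarball checksum and the bundle's `MD5SUMS` verify. It assumes GNU coreutils `md5sum`; `EXPECTED_MD5` is a placeholder for the value published on the GeniTrustAnchors page, and `openssl` is optional, used only to display what each CA certificate is.

```sh
#!/bin/sh
# Added example: gate the GENI cert bundle install on the two checksum checks.
# Assumes GNU md5sum; openssl is optional. EXPECTED_MD5 is a placeholder that
# must be replaced with the value from the GeniTrustAnchors wiki page.
set -u

# Compare a file's MD5 with the expected value; exit status 0 only on a match.
check_tarball_md5() {  # usage: check_tarball_md5 FILE EXPECTED_MD5
  actual=$(md5sum "$1" | cut -d ' ' -f 1)
  [ "$actual" = "$2" ]
}

# Run md5sum --check against MD5SUMS inside an unpacked bundle directory;
# fails if any listed file is missing or has been altered.
check_bundle_sums() {  # usage: check_bundle_sums DIR
  ( cd "$1" && md5sum --check MD5SUMS ) >/dev/null 2>&1
}

# Count the *.pem files in a bundle directory (the GENI bundle ships five).
count_pems() {  # usage: count_pems DIR
  n=0
  for f in "$1"/*.pem; do [ -e "$f" ] && n=$((n + 1)); done
  echo "$n"
}

# Print subject and expiry of each CA cert so the operator sees what FOAM
# is about to trust. Skipped silently when openssl is not installed.
show_cas() {  # usage: show_cas DIR
  command -v openssl >/dev/null 2>&1 || return 0
  for f in "$1"/*.pem; do
    printf '%s: ' "$(basename "$f")"
    openssl x509 -noout -subject -enddate -in "$f" | tr '\n' ' '; echo
  done
}

# Full procedure: verify the tarball, unpack, verify the files, then install
# into FOAM, rebuild the nginx CA bundle and restart both services.
install_geni_bundle() {  # usage: install_geni_bundle TARBALL EXPECTED_MD5
  check_tarball_md5 "$1" "$2" || { echo "tarball checksum mismatch" >&2; return 1; }
  tar xfz "$1" || return 1
  check_bundle_sums geni-cert-bundle || { echo "MD5SUMS check failed" >&2; return 1; }
  show_cas geni-cert-bundle
  sudo cp geni-cert-bundle/*.pem /opt/foam/etc/gcf-ca-certs &&
  sudo foamctl admin:bundle-certs &&
  sudo service foam restart &&
  sudo service nginx restart
}
```

Both the bundle and its published checksum are fetched over plain HTTP, so a matching sum shows the download was not corrupted rather than that it was not substituted; the `show_cas` listing is what lets you confirm the CAs are the ones you expect before they take effect.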
== Slice Authority trust configuration ==

FOAM has a set of CA certificates that it uses for user authorization: If a user has a certificate signed by a CA that FOAM is configured to trust, then that user can talk to FOAM (and create FOAM slivers, which will be approved automatically if auto-approval is on, etc).

To configure what Slice Authorities FOAM trusts, install or remove the CA cert for the Slice Authority in a file in /opt/foam/etc/gcf-ca-certs, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:

{{{
sudo foamctl admin:bundle-certs
sudo service foam restart
sudo service nginx restart
}}}

GENI deployments should trust the pgeni.gpolab.bbn.com SA; the official FOAM installation guide includes this step, or you can get the cert from http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem if you need it.
