Marc-Elian has put together a script to register CAs into a keystore (managed by keytool) that Tomcat uses to authenticate users. The idea is to maintain a valid list of CAs in line with the list provided by the EUGridPMA folks, who distribute on a regular basis the list of CAs and CRLs (certificate revocation lists).

His script takes as input the certificates and the CRL (actually it downloads the CRL from URLs provided by EUGridPMA) and the keystore to install into.

This is an input to WP2 such that when a new list is available, it is installed on all production machines. The CAs and CRLs are distributed in different forms, including RPM. The idea would then be to run meb's script (or something else) to update the keystore used by Tomcat for authentication.

Although meb has tested the script and made sure it works both using a browser and a 'keytool -list', he's less certain wrt the CRLs. This will require a little more testing. The CRLs provided in the RPM are a mix of binary and ASCII formats (PK12 and PEM), and meb doubts that Tomcat is smart enough to work with both formats (but we never know ;-). The other issue is that when new CRLs (or CAs) are published and installed on the machine, Tomcat seems to require a restart to refresh the CRLs (and the keystore).

Last issue is that we should make sure that we distribute and install both the CAs from EUGridPMA and our own (e.g. testing and training CAs).

There is a new module in CVS: org.etics.utilities.certificates to host the script.

The script is now a bit more fail-safe than this morning and can be run from any directory. It's probably still a good idea to check with 'keytool -list' and a browser that the script works properly (and don't forget to restart Tomcat). The script reports the number of certificates it found and managed to insert in the store. It also backs up the store before doing anything. It will also extract the cert bit from the human-readable part (keytool fails if more than just the cert bit is provided).
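As an added illustration (not meb's script, which lives in CVS), the sketch below shows the three behaviours described above in POSIX sh: back up the store first, strip everything except the PEM certificate block before calling keytool, and count what was found versus imported. It assumes CA files end in .pem and that the keystore path and password are passed as arguments; keytool is expected on the PATH.

```shell
#!/bin/sh
# Added example, not the ETICS script: register a directory of CA .pem files
# into a Tomcat keystore with keytool. Assumed layout: one CA per .pem file.

# keytool rejects a file that still carries the human-readable dump
# (Subject:, Issuer:, ...) that precedes the certificate, so keep only the
# block between the BEGIN/END markers.
extract_cert_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Sanity check: the file should hold exactly one certificate block.
has_one_cert() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# import_ca_dir <dir-with-pem-files> <keystore> <storepass>
import_ca_dir() {
    dir=$1; store=$2; pass=$3
    found=0; imported=0
    # Back up the store before touching it, so a bad run can be rolled back.
    [ -f "$store" ] && cp "$store" "$store.bak.$(date +%Y%m%d%H%M%S)"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        found=$((found + 1))
        if ! has_one_cert "$f"; then
            echo "skipping $f: expected exactly one certificate block" >&2
            continue
        fi
        alias=$(basename "$f" .pem)      # keystore alias derived from file name
        tmp=$(mktemp)
        extract_cert_block "$f" > "$tmp"
        if keytool -importcert -noprompt -trustcacerts -alias "$alias" \
                -file "$tmp" -keystore "$store" -storepass "$pass" >/dev/null 2>&1
        then
            imported=$((imported + 1))
        else
            echo "failed to import $f (alias $alias)" >&2
        fi
        rm -f "$tmp"
    done
    # Same kind of report the page describes: found vs. inserted.
    echo "found $found certificate files, imported $imported"
}
```

After running it, 'keytool -list -keystore <store>' should show one entry per imported alias, and Tomcat still needs a restart to pick up the new store.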

-- Main.couvares - 13 Nov 2006

Topic revision: r1 - 2006-11-13 - unknown