On Wed, Jan 12, 2011 at 8:26 PM, John Gordon <[log in to unmask]> wrote:
> I thought we had safeguards against nodes using someone else's host cert.
In this case the host certificate is being used as a client to the voms server
here. It's like me using your certificate and pretending to be you, no
one could tell.
The safeguards are for services where the certificate is compared
against the hostname of the service.
>
> John
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of Steve Traylen
> Sent: 12 January 2011 19:23
> To: [log in to unmask]
> Subject: Re: dteam VO VOMS server change - updates needed at most UKI sites!
>
> On Wed, Jan 12, 2011 at 5:54 PM, Daniela Bauer
> <[log in to unmask]> wrote:
>> I am sorry, but I still can't take this seriously.
>> For Imperial in the update from today they list ceprod00.hep.ph.ic.ac.uk
>
> From today:
>
> INFO 2011-01-12 14:28:09,976 [http-8443-Processor89]
> operations.BaseVomsOperation - Operation: ListMemberNamesOperation([])
> - ([log in to unmask],/C=UK/O=eScienceCA/OU=Authority/CN=UK
> e-Science CA) -
>
> you have a phantom...... Of course it could be another host/thing with
> the wrong certificate.
>
>
>> This machine was decommissioned months ago, it hasn't been in the
>> bdii/GOCDB for months and most importantly it's off. How can they
>> claim they tested it?
>>
>> Daniela
>>
>> On 12 January 2011 16:50, Stuart Purdie <[log in to unmask]> wrote:
>>>
>>> On 12 Jan 2011, at 16:22, Govind Songara wrote:
>>>
>>>> Hi Jermy,
>>>>
>>>> RHUL installed new VOMS on Dec 15 and there are also old cern dteam voms.
>>>> I think that could be the reason: we or other sites still query cern voms.
>>>>
>>>> Here also says that
>>>> "Note that CERN VOMS servers are to remain in the site configuration during this transitional phase"
>>>> https://wiki.egi.eu/wiki/Dteam_vo
>>>>
>>>> Could you please check if we need to remove the old cern voms.
>>>
>>>
>>> I raised this in the EGI Operations meeting, and the answer is: Yes; from places, and no from others.
>>>
>>> The VO_DTEAM_VOMS_SERVERS attribute in site-info.def must contain only: vomss://voms.hellasgrid.gr:8443/voms/dteam?/dteam/
>>>
>>> The VO_DTEAM_VOMSES attribute may contain the CERN ones as well.
>>>
>>> VOMS_SERVERS is used to build the gridmap, whilst VOMSES is used for generation of the voms attributes.
>>>
>>>
>>> It's horrible, but that's the desired behaviour.
>>
>>
>>
>> --
>> -----------------------------------------------------------
>> [log in to unmask]
>> HEP Group/Physics Dep
>> Imperial College
>> Tel: +44-(0)20-75947810
>> http://www.hep.ph.ic.ac.uk/~dbauer/
>>
>
>
>
> --
> Steve Traylen
>
--
Steve Traylen