Jens, I noticed this problem weeks ago but never raised a ticket. I suspect CERN may have installed a new CA distribution and reinstalled the vanilla UK one.
John
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Jens Jensen
> Sent: 14 June 2011 18:19
> To: [log in to unmask]
> Subject: Re: CERN SSO problem with with UK e-Science CA
>
> Hum, I thought that was fixed ages ago - I created a separate CA
> certificate for CERN - which otherwise looked exactly like the "real" one
> but had this CDP extension inside to keep their Microsoft upgrade happy.
> DoEScienceGrid had the same problem.
>
> I'll see if I can dig out the old email - if, by some fluke, whoever worked
> on it before is still working on it, I can follow up. It was probably
> Emmanuel I talked to.
>
> Oh, and yes if you want a CERN certificate, you do need this extra
> chocolate coated account, not a plain vanilla one.
>
> When we roll over, I'll put the CDP extension into the new certificate, of
> course, and we should be free from this nonsense. It is nice enough of them
> to let you sign in with any approved certificate, though.
>
> Any Qs, let me know. I'll let you know what I discover.
>
> Cheers
> -j
> ________________________________________
> From: Testbed Support for GridPP member institutes [TB-
> [log in to unmask]] on behalf of Stephen Burke
> [[log in to unmask]]
> Sent: 14 June 2011 15:22
> To: [log in to unmask]
> Subject: Re: CERN SSO problem with with UK e-Science CA
>
> Testbed Support for GridPP member institutes [mailto:TB-
> > [log in to unmask]] On Behalf Of David O'Callaghan
> > Sent: 14 June 2011 14:57 said:
> > I don't think it's "anyone with a CERN account" but only those who have
> > CERN HR record including photo ID (rule of thumb: you have a valid CERN
> > photo ID card).
>
> Well, OK, as it says on the CA page:
>
> •Be registered in CERN's central HR database, with one of the following
> categories (for which physical presence at the appropriate registration
> service is required)
> ◦Members of Personnel as defined in Administrative Circular 11 (status:
> STAFF, FELL, PDAS, PJAS,USAS, CASS, UPAS, USER, DOCT, TECH, ADMI, SUMM,
> CHIL, APPR )
> ◦Employee of a CERN contractor (status: ENTC)
>
> But Simon was talking about SSO, e.g. access to protected atlas web pages,
> and anyone needing that on a regular basis is likely to be in that
> category.
>
> Stephen
|