 |
 |
Hello Winnie,
Others, storage and transfer experts, will correct me, but I would say -
"need" - no. Certificates issued by CERN WLCG IOTA CA are used only by WLCG VO members and exclusively in the context of the CERN WebFTS service https://webfts.cern.ch/. So, I doubt there will be resulting failures. My _guess_ is that, if people use this service, they do so anyway with their "normal" IGTF certificate loaded into the browser. It would only be on storage nodes and somebody with access to the logs of such a node would have to check incoming proxies identities to be sure.
"should" - probably yes. To comply to WLCG policy - but it's a "should" because policy is "...sites are requested...", so the final say is (as always) up to you. It seems a bit odd though if nobody uses it.
Reference should be accessible -
http://lcg-ca.web.cern.ch/lcg-ca/doc/WLCG-CERN-IOTA- statement-MB.pdf
Hope this helps.
Ian
-- Ian Neilson
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Winnie Lacesso
> Sent: 28 June 2017 16:00
> To: [log in to unmask]
> Subject: Do sites need lcg-CA installed?
>
> Good afternoon!
>
> re: this Broadcast:
>
> On Tue, 27 Jun 2017, Operations-portal wrote:
> <snip>
> > This is the EGI Trust Anchor release, based on the updated IGTF
> Accredited CA
> > distribution version 1.84-1 with Classic, SLCS and MICS profiles,
> encoded in
> > meta-package "ca-policy-egi-core-1.84-1" (new installs) and "lcg-CA-
> 1.84-1"
> > (for sites upgrading from EGEE/JSPG releases).
> >
> > IMPORTANT NOTICE:
> > Sites that need compliance with the WLCG policy should install BOTH
> packages,
> > or you will miss out the CERN WLCG IOTA CA specific exception.
> Details, see:
> > https://documents.egi.eu/document/2745
>
> (I'm unable to access that page)
>
> Most of our nodes do NOT have lcg-CA installed.
> (Some service nodes do & some WN do.)
>
> Do other sites?