> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Christopher J.Walker
> >
> > Essentially, yes. We've now noticed this on a Cream CE as well, but
> > I've mostly been playing with it on a would-be Argus server. Not only
> > does it not require any other copies of the certificate, it's a brand
> > new system so there's no old cruft lying around at all.
>
> How does it access the key then? Does it run as root? suid? acls? or
> is there a signing oracle[1]?
>
It runs as root. Fundamentally though, it almost doesn't matter what,
if anything, I've stuffed up in the Argus configuration (though, actually,
I'm pretty sure it's fine) - the test case is as simple as having the old
and new cert/key pairs for the same node on the machine. If you copy or
link the old ones as /etc/grid-security/host{cert/key}.pem then the
services start up. If you replace the old cert & key with the new ones
and try to restart the services, they fail. No other changes are needed,
just swapping the cert/key pair is enough.
Normally I'd think this was some local mistake with the new certificate's
application process or handling, but not only can I not find anything, one
of the exact same cert/key pairs that fail on the test Argus setup is
working just fine on an lcg-CE, and another on a DPM.
They only seem to fail on the Java based services. It's very odd.
Ewan
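When an old and a new host cert/key pair behave differently on the same node, the useful first step is to record what each file actually contains and compare the two side by side. The check below is an added example (not from the thread, nor from the Argus or CREAM code): it assumes only the openssl CLI and the two file paths as arguments, and reports PEM block types, passphrase protection, whether the certificate's public key matches the private key, expiry, and the key file's mode.

```shell
# check_hostpair CERT KEY
# Hypothetical helper for comparing a host cert/key pair before swapping it
# into /etc/grid-security/host{cert,key}.pem. Needs the openssl CLI.
# Prints findings; returns 0 if every check passes, 1 otherwise.
check_hostpair() {
    cert=$1; key=$2; rc=0
    [ -r "$cert" ] || { echo "FAIL: cannot read cert $cert"; return 1; }
    [ -r "$key" ]  || { echo "FAIL: cannot read key $key";  return 1; }

    # 1. PEM block types. A service that parses PEM itself may accept a
    #    narrower set of headers than the OpenSSL library, so record exactly
    #    what the old and new files contain.
    echo "cert blocks: $(grep '^-----BEGIN' "$cert" | sort -u | tr '\n' ' ')"
    echo "key  blocks: $(grep '^-----BEGIN' "$key"  | sort -u | tr '\n' ' ')"

    # 2. A passphrase-protected key cannot be loaded by an unattended daemon.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: key is passphrase-protected"; rc=1
    fi

    # 3. The public key inside the certificate must equal the one derived
    #    from the private key; both come out as SubjectPublicKeyInfo PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: openssl could not parse cert or key"; rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate public key does not match private key"; rc=1
    else
        echo "ok: cert and key match"
    fi

    # 4. Validity: -checkend 0 fails if notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"; rc=1
    fi

    # 5. Owner and mode: the daemon (root here) must read the key, and the
    #    key must not be world-readable. Column 8 of ls -l is "other read".
    echo "key  perms: $(ls -l "$key" | awk '{print $1, $3, $4}')"
    if [ "$(ls -l "$key" | cut -c8)" = "r" ]; then
        echo "FAIL: private key is world-readable"; rc=1
    fi
    return $rc
}

# Run directly: check_hostpair hostcert.pem hostkey.pem
if [ $# -eq 2 ]; then check_hostpair "$1" "$2"; fi
```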