
Installation of ESGF trustroots

Download and install ESGF trustroots.

Installing the ESGF trust roots is required for secure HTTPS connections, which are used for OpenID and OPeNDAP. The ESGF nodes use certificates issued by CAs that are not in the default trust stores, so the correct fix is to install these trust roots, not to disable certificate verification in the client.

Install the trust-root keystore for Java

Install the trust roots into the Eclipse/Tomcat environment as described at http://esgf.org/trust.html:

cd ~/impactportal/
wget https://raw.githubusercontent.com/ESGF/esgf-dist/master/installer/certs/esg-truststore.ts

In Eclipse, under Run --> Run Configurations --> Apache Tomcat --> Tomcat v7.0 Server --> Arguments --> VM Arguments, add the following to the existing arguments:

-Djavax.net.ssl.trustStore="<absolutepathto>/esg-truststore.ts" -Djavax.net.ssl.trustStorePassword="changeit" 

In a production environment, add these arguments to JAVA_OPTS instead. Note that javax.net.ssl.trustStore replaces the JVM's default trust store (cacerts) rather than extending it, so the JVM then trusts only the CAs in esg-truststore.ts. If the application also has to reach hosts with publicly issued certificates, merge the default cacerts into the ESGF store first (keytool -importkeystore) or add the public roots you need to it.

Some hosts are not covered by this file and are therefore not automatically trusted, for example esg-dn1.nsc.liu.se. Their certificates have to be added manually. The commands below fetch the host's certificate over the network and trust whatever was received, so verify the certificate's SHA-256 fingerprint against a value obtained out of band (for example from the site operator) before importing it. Because this pins the host's leaf certificate rather than a CA, the import must be repeated whenever the host's certificate is renewed:

echo | openssl s_client -connect esg-dn1.nsc.liu.se:443 -servername esg-dn1.nsc.liu.se 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > esg-dn1.nsc.liu.se
keytool -delete -alias esg-dn1.nsc.liu.se -keystore <absolutepathto>/esg-truststore.ts -storepass changeit
keytool -import -v -trustcacerts -alias esg-dn1.nsc.liu.se -file esg-dn1.nsc.liu.se -keystore <absolutepathto>/esg-truststore.ts -storepass changeit -noprompt
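One way to do the fingerprint check before the import, as an added example that is not part of the original page or the impactportal project: the script fetches the certificate the way the commands above do (with SNI), computes the SHA-256 fingerprint in the same colon-separated form that openssl x509 -noout -fingerprint -sha256 prints, and only calls keytool when it matches a value supplied by the caller. The function names, the constructed sample input, the placeholder fingerprint in the usage comment, and the use of coreutils (base64, sha256sum) instead of openssl for the hash are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original page or the impactportal project:
# import a host certificate into the ESGF trust store only after its SHA-256
# fingerprint matches a value obtained out of band. The function names, the
# sample input and the placeholder fingerprint are assumptions for illustration.
set -eu

# Fetch the server's leaf certificate, with SNI so the right virtual host answers
fetch_server_cert() {              # usage: fetch_server_cert host [port]
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# SHA-256 fingerprint of the first PEM certificate on stdin, in the colon-separated
# upper-case form that "openssl x509 -noout -fingerprint -sha256" prints
pem_fingerprint() {
  sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;/-END CERTIFICATE-/q;}' \
    | sed '/-----/d' \
    | base64 -d \
    | sha256sum \
    | cut -d' ' -f1 \
    | tr 'a-f' 'A-F' \
    | sed 's/../&:/g; s/:$//'
}

# Succeeds only when the certificate in file $1 has fingerprint $2 (case-insensitive)
fingerprint_matches() {            # usage: fingerprint_matches cert.pem EXPECTED
  actual=$(pem_fingerprint < "$1")
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ "$actual" = "$expected" ]
}

# Fetch, verify, import; the keystore is left untouched on a mismatch
import_pinned_cert() {             # usage: import_pinned_cert host EXPECTED keystore [storepass]
  host=$1; expected=$2; keystore=$3; storepass=${4:-changeit}
  certfile=$(mktemp)
  fetch_server_cert "$host" > "$certfile"
  if ! fingerprint_matches "$certfile" "$expected"; then
    echo "Fingerprint mismatch for $host: got $(pem_fingerprint < "$certfile"), expected $expected" >&2
    rm -f "$certfile"
    return 1
  fi
  keytool -delete -alias "$host" -keystore "$keystore" -storepass "$storepass" 2>/dev/null || true
  keytool -import -v -trustcacerts -alias "$host" -file "$certfile" \
    -keystore "$keystore" -storepass "$storepass" -noprompt
  rm -f "$certfile"
}

# Constructed stand-in for "openssl s_client" output (not a real certificate:
# the body is just the base64 of the string "abc"), used to exercise the parsing
sample_s_client_output() {
  printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' '---'
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----' '---'
}

# Self-check: the fingerprint of the sample must equal SHA-256("abc")
selfcheck() {
  [ "$(sample_s_client_output | pem_fingerprint)" = \
    "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD" ]
}

# Real use, e.g.: import_pinned_cert esg-dn1.nsc.liu.se 'AA:BB:...' /path/to/esg-truststore.ts
if [ "$#" -ge 3 ]; then
  import_pinned_cert "$@"
fi
```

Obtain the expected fingerprint from the site operator or another channel you already trust, never from the same TLS connection; on a mismatch the function returns 1 and the keystore is not modified. The coreutils pipeline produces the same value as openssl x509 -noout -fingerprint -sha256 on the saved certificate file, so either can be used for the comparison.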

Install the trust roots in the Globus certificate directory for Globus MyProxy

(this is required when NOT running your own MyProxy server; these are the CAs the MyProxy client will accept when it connects to the ESGF MyProxy servers):

mkdir -p ~/.globus/certificates
cd  ~/.globus/certificates
wget https://raw.githubusercontent.com/ESGF/esgf-dist/master/installer/certs/esg_trusted_certificates.tar 
tar -xvf esg_trusted_certificates.tar 
mv esg_trusted_certificates/* .

After these steps, restart the Tomcat server in Eclipse. The impactportal can now log in to the ESGF authentication nodes with OpenID, and a short-lived X.509 credential (SLC) can be obtained via MyProxy.

For NGINX, compose from a set of certificates, for a given subject, a single bundle representing the certificate chain. The bundle is meant for the nginx ssl_client_certificate setting, which lists the CAs whose client certificates nginx will accept; building it from just the chain of the intended CA, rather than from the whole ESGF tarball, keeps nginx from accepting client certificates issued by every CA that ESGF trusts.

#!/bin/bash
# Maarten Plieger, 2018-11-16
# This script composes, from a set of certificates and a given subject, a single bundle representing the certificate chain.
# The bundle is useful for the nginx ssl_client_certificate setting.
set -euo pipefail

subjecttofind="DC=uk, DC=ac, DC=ceda, O=STFC RAL, CN=Centre for Environmental Data Analysis"

pushd /tmp/
curl -L https://raw.githubusercontent.com/ESGF/esgf-dist/master/installer/certs/esg_trusted_certificates.tar > esg_trusted_certificates.tar
tar -xvf esg_trusted_certificates.tar
popd

certificatepath=/tmp/esg_trusted_certificates

# Start from an empty bundle (no leading blank line)
: > /tmp/bundle.pem
while true; do
  echo "Looking for subject [$subjecttofind]"
  found=0
  # Loop through all certificates (hash-named files; .1, .2, ... hold hash collisions)
  for file in "$certificatepath"/*.[0-9]; do
    # Print subject and issuer in the "DC=uk, DC=ac, ..." form, independent of the OpenSSL version
    subject=$(openssl x509 -in "$file" -noout -subject -nameopt oneline,-space_eq | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$file" -noout -issuer -nameopt oneline,-space_eq | sed 's/^issuer= *//')
    # Check whether the subject is exactly (not merely contains) the subject we are looking for
    if [ "$subject" == "$subjecttofind" ]; then
      found=1
      echo "${file##*/}[$subject]->[$issuer]"
      cat "$file" >> /tmp/bundle.pem
      if [ "$subjecttofind" == "$issuer" ]; then
        # Self-signed root reached: display the bundle and stop
        cat /tmp/bundle.pem
        exit 0
      fi
      subjecttofind="$issuer"
    fi
  done
  # Without this check the loop would run forever when an issuer is missing from the directory
  if [ "$found" -eq 0 ]; then
    echo "Issuer [$subjecttofind] not found in $certificatepath; the chain is incomplete" >&2
    exit 1
  fi
done

Output:

Looking for subject [DC=uk, DC=ac, DC=ceda, O=STFC RAL, CN=Centre for Environmental Data Analysis]
09184877.0[DC=uk, DC=ac, DC=ceda, O=STFC RAL, CN=Centre for Environmental Data Analysis]->[C=UK, O=eScienceSLCSHierarchy, OU=Authority, CN=SLCS Top Level CA]
439ce3f7.0[C=UK, O=eScienceSLCSHierarchy, OU=Authority, CN=SLCS Top Level CA]->[C=UK, O=eScienceSLCSHierarchy, OU=Authority, CN=SLCS Top Level CA]

-----BEGIN CERTIFICATE-----
MIIE+zCCAuOgAwIBAgIBEjANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVSzEe
MBwGA1UECgwVZVNjaWVuY2VTTENTSGllcmFyY2h5MRIwEAYDVQQLDAlBdXRob3Jp
dHkxGjAYBgNVBAMMEVNMQ1MgVG9wIExldmVsIENBMB4XDTE2MDcxODA4MDAwMFoX
DTIxMDcxNDEzMDAwMFowgYIxEjAQBgoJkiaJk/IsZAEZFgJ1azESMBAGCgmSJomT
8ixkARkWAmFjMRQwEgYKCZImiZPyLGQBGRYEY2VkYTERMA8GA1UECgwIU1RGQyBS
QUwxLzAtBgNVBAMMJkNlbnRyZSBmb3IgRW52aXJvbm1lbnRhbCBEYXRhIEFuYWx5
c2lzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAom5BPpGuaB6Ja5A8
vFR367dIUCnzKjFZWbyPjtkAbiXEHzFaGOUDmOFlblAirOgg1cUY7zVi7g1hxJoj
Mc1s7N8RLlJuE6GkicDkZQUs/sXkKSyZwDv1GLVBx1CLbImC7eKZC7OdI+KNEKZX
i00ypIQFpp9oxbIH/xDZRuZt6U9FWLY6tAqva4JvbmZjGm77J0iThYaLG3ZOxRY4
d8XESAr9RhbWT3gNNII7ooxdg9FTWTWfiQEGR6KstN9JUtBYpa1KH16+DFvNFG9c
3fYz8B7Oth3O/s2vcZG4zd59UDjbXN+HCL4nUvjoJMwjCCCnXHeeNnrNvjSyXspJ
OUUJTQIDAQABo4GfMIGcMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuY2Eu
bmdzLmFjLnVrL2NybC90b3BsZXZlbC5kZXIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFKCQSWIjGBUb94o0LxDs1MPA/XEMMB8GA1Ud
IwQYMBaAFGzvrlmanlBjE1ZHxsQ6b32H/QsNMA0GCSqGSIb3DQEBCwUAA4ICAQB/
yi6oQrCAvJGIfHi7aF/jxAB/0DZbo3OnrX0erNQQagKIDZk65BGIbwQR9C6K/Pf5
dVCPzuAACCWgGvaQ/8+r1Ob6UTD9Bvwex29JKlKO9vZFtc5YrJnzjbvlMFR9laUH
/Rc7VAnO3/zEqo3tZdcCC9KR6ywQDWNUs+U/Pz3czkahTTW32rp5DTL7LxnFS53x
0IcWFrs3UaFI33NZjC9EwycjObSWFWdzYniNo6kKvCT1Uhqu4YjbH7VFhosqUaH0
HT+UgBDKV6t5GDbpY27ZZJSLrPxuGZQ9lg0x6MJ5ZqE9IYbs+Wk8ml9TiqwRw7sx
D7lh0tM/d4Z3Pwrb0brRKKGJ6z533R7PFk183ybHEVGuO4uMdc4ak5DFDCY7EHb7
mNWHJEOMoXPcN9LYpRq2vp8BBhxmh5xL83jE+qddtq6F19dJ7iYXdEOjZ+p5ad4+
60ChQFgLQXayqaAACj+fqWCKky/FBHBy2Kr+W2cHE0qqslUdpkW9vFGH+slTd1X/
2a6s2FK9NYcbAnQCTJwpp208mQYAR/OdytQg60BEMOjL8yd6WqUZtT47TjMuxsSr
8JARk+grpOcZJhH5nwJx6DAbfCjcsHuTp/fEpJbZcZCowWWSmx6bVFaRtwfTHYUV
fIPcKcQrFMxEQlgthdyclaGTkLAACVEp0Mnf+pjFMQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(body of the second certificate in the bundle, 439ce3f7.0, omitted here)
-----END CERTIFICATE-----
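An nginx server block that uses the resulting bundle, as an added example that is not part of the original page or the impactportal project; the server name, certificate paths and the upstream Tomcat address are assumptions:

```nginx
server {
    listen 443 ssl;
    server_name impactportal.example.org;            # assumed name

    ssl_certificate     /etc/nginx/ssl/server.pem;   # assumed server certificate and key
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Only client certificates that chain to the CEDA CA (via the SLCS Top Level CA) are accepted;
    # this is the /tmp/bundle.pem produced above, copied into place
    ssl_client_certificate /etc/nginx/ssl/bundle.pem;
    ssl_verify_client on;
    # Chain is client cert -> CEDA CA -> SLCS Top Level CA; nginx's default depth of 1 can be too short
    ssl_verify_depth 2;

    location / {
        proxy_pass http://127.0.0.1:8080;            # assumed Tomcat address
        # Pass the verified client identity to the application
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}
```

With ssl_verify_client on, nginx rejects every handshake that does not present an acceptable client certificate; use ssl_verify_client optional if the same virtual host must also serve OpenID logins without one, and then check the X-SSL-Client-Verify header (SUCCESS, FAILED:reason or NONE) in the application before trusting X-SSL-Client-DN.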