Opened 6 years ago

Closed 4 years ago

#1469 closed defect (fixed)

New functionality for sge_ca (CSP certification management tool)

Reported by: markdixon Owned by:
Priority: normal Milestone:
Component: sge Version: 8.1.3
Severity: minor Keywords:
Cc:

Description

Hi Dave,

I am almost certain you'll hate this one :)

There are some patches (against 8.1.3) attached, to "improve" the sge_ca tool for managing CSP certificates; the aim is to allow overlap of multiple valid certificates.

Note that they change the behaviour of some existing options (-renew, -renew_sys, -renew_sdm).

What do you think?

I'm not running them in production yet so, even if you like them, you might want to wait a bit before putting them in a release.

Cheers,

Mark
--


Mark Dixon Email : m.c.dixon@…
HPC/Grid Systems Support Tel (int): 35429
Information Systems Services Tel (ext): +44(0)113 343 5429
University of Leeds, LS2 9JT, UK


0001-sge_ca-new-revoke-cert-option.patch

0002-sgeCA-allow-multiple-certs-with-same-name.patch

0003-sge_ca-renew-and-friends-no-longer-revoke-old-cert.patch

Attachments (3)

0001-sge_ca-new-revoke-cert-option.patch (2.8 KB) - added by markdixon 6 years ago.
Added by email2trac
0002-sgeCA-allow-multiple-certs-with-same-name.patch (1.4 KB) - added by markdixon 6 years ago.
Added by email2trac
0003-sge_ca-renew-and-friends-no-longer-revoke-old-cert.patch (11.0 KB) - added by markdixon 6 years ago.
Added by email2trac


Change History (6)

Changed 6 years ago by markdixon

Added by email2trac

Changed 6 years ago by markdixon

Added by email2trac

Changed 6 years ago by markdixon

Added by email2trac

comment:4 Changed 6 years ago by dlove

Mark Dixon <m.c.dixon@…> writes:

> Hi Dave,
>
> I am almost certain you'll hate this one :)

No more than the rest of that stuff, certainly!

> There are some patches (against 8.1.3) attached, to "improve" the
> sge_ca tool for managing CSP certificates; the aim is to allow overlap
> of multiple valid certificates.
>
> Note that they change the behaviour of some existing options (-renew,
> -renew_sys, -renew_sdm).
>
> What do you think?

I haven't looked at it carefully yet, but why can't it be
backwards-compatible, either with new options and keeping the semantics
of the current args or providing some flag to change their behaviour?

I'm actually inclined to just give the certificates a lifetime of, say,
10 years in a new setup, and make renewal moot.

comment:5 Changed 6 years ago by markdixon

On Fri, 16 Aug 2013, Dave Love wrote:
...

> I haven't looked at it carefully yet, but why can't it be
> backwards-compatible, either with new options and keeping the semantics
> of the current args or providing some flag to change their behaviour?

...

It could be if you like, but I would argue that an option called "-renew" shouldn't be doing a revoke...

> I'm actually inclined to just give the certificates a lifetime of, say,
> 10 years in a new setup, and make renewal moot.

You might in your environment, others may not in theirs :)

Daemon and user certificates cannot easily be secured against an attacker on submit/exec hosts. It might ultimately be ineffectual, but it's nice to have a relatively short lifetime to help cut short windows of opportunity without administrator action.

Mark
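The behaviour change the three patches describe (-renew no longer revoking the old certificate, several valid certificates per name, and a separate revoke option) together with the lifetime argument in comment:5, modelled as an added Python illustration; this is not code from the patches or from sge_ca, and the certificate store, subject name and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False

    def valid_at(self, t: datetime) -> bool:
        return not self.revoked and self.not_before <= t < self.not_after

    def usable_if_stolen_at(self, t: datetime) -> timedelta:
        """How long a stolen key stays usable with no admin action: until expiry."""
        return self.not_after - t if self.valid_at(t) else timedelta(0)

class CertStore:
    def __init__(self) -> None:
        self.certs = []  # toy inventory, not sge_ca's own storage

    def issue(self, subject: str, start: datetime, life: timedelta) -> Cert:
        cert = Cert(len(self.certs) + 1, subject, start, start + life)
        self.certs.append(cert)
        return cert

    def renew(self, subject: str, now: datetime, life: timedelta, revoke_old: bool) -> Cert:
        """revoke_old=True mimics 8.1.3 -renew (old cert revoked); False, the patched one."""
        if revoke_old:
            for old in self.valid_for(subject, now):
                old.revoked = True
        return self.issue(subject, now, life)

    def revoke(self, serial: int) -> None:
        """Explicit revocation, the separate job the patches give to a revoke option."""
        next(c for c in self.certs if c.serial == serial).revoked = True

    def valid_for(self, subject: str, t: datetime) -> list:
        return [c for c in self.certs if c.subject == subject and c.valid_at(t)]

def rollover(revoke_old: bool) -> dict:
    """Renew a one-year daemon cert on day 300; count valid certs and residual key exposure."""
    t0 = datetime(2013, 8, 16)  # constructed start date
    store = CertStore()
    old = store.issue("sge_daemon", t0, timedelta(days=365))  # constructed subject
    store.renew("sge_daemon", t0 + timedelta(days=300), timedelta(days=365), revoke_old)
    def day(n: int) -> datetime: return t0 + timedelta(days=n)
    return {"valid_day_330": len(store.valid_for("sge_daemon", day(330))),
            "valid_day_400": len(store.valid_for("sge_daemon", day(400))),
            "old_key_usable_days_at_330": old.usable_if_stolen_at(day(330)).days}
```

With the patched semantics both certificates stay valid until the old one expires on its own, so a key stolen from the old certificate remains usable for the remainder of its lifetime unless an administrator revokes it explicitly; that is the window the short lifetime in comment:5 bounds.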


comment:6 Changed 4 years ago by dlove

  • Resolution set to fixed
  • Status changed from new to closed