Opened 6 years ago
Closed 4 years ago
#1469 closed defect (fixed)
New functionality for sge_ca (CSP certification management tool)
| Reported by: | markdixon | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | sge | Version: | 8.1.3 |
| Severity: | minor | Keywords: | |
| Cc: | | | |
Description
Hi Dave,
I am almost certain you'll hate this one :)
There are some patches (against 8.1.3) attached, to "improve" the sge_ca tool for managing CSP certificates; the aim is to allow overlap of multiple valid certificates.
Note that they change the behaviour of some existing options (-renew, -renew_sys, -renew_sdm).
What do you think?
I'm not running them in production yet so, even if you like them, you might want to wait a bit before putting them in a release.
Cheers,
Mark
--
Mark Dixon Email : m.c.dixon@…
HPC/Grid Systems Support Tel (int): 35429
Information Systems Services Tel (ext): +44(0)113 343 5429
University of Leeds, LS2 9JT, UK
Attachments (3)
0001-sge_ca-new-revoke-cert-option.patch
0002-sgeCA-allow-multiple-certs-with-same-name.patch
0003-sge_ca-renew-and-friends-no-longer-revoke-old-cert.patch
Change History (6)
Changed 6 years ago by markdixon
comment:4 Changed 6 years ago by dlove
Mark Dixon <m.c.dixon@…> writes:
> Hi Dave,
> I am almost certain you'll hate this one :)
No more than the rest of that stuff, certainly!
> There are some patches (against 8.1.3) attached, to "improve" the
> sge_ca tool for managing CSP certificates; the aim is to allow overlap
> of multiple valid certificates.
> Note that they change the behaviour of some existing options (-renew,
> -renew_sys, -renew_sdm).
> What do you think?
I haven't looked at it carefully yet, but why can't it be
backwards-compatible, either with new options and keeping the semantics
of the current args or providing some flag to change their behaviour?
I'm actually inclined to just give the certificates a lifetime of, say,
10 years in a new setup, and make renewal moot.
comment:5 Changed 6 years ago by markdixon
On Fri, 16 Aug 2013, Dave Love wrote:
> ...
> I haven't looked at it carefully yet, but why can't it be
> backwards-compatible, either with new options and keeping the semantics
> of the current args or providing some flag to change their behaviour?
> ...
It could be if you like, but I would argue that an option called "-renew" shouldn't be doing a revoke...
> I'm actually inclined to just give the certificates a lifetime of, say,
> 10 years in a new setup, and make renewal moot.
You might in your environment, others may not in theirs :)
Daemon and user certificates cannot easily be secured against an attacker on submit/exec hosts. It might ultimately be ineffectual, but it's nice to have a relatively short lifetime to help cut short windows of opportunity without administrator action.
Mark
--
Mark Dixon Email : m.c.dixon@…
HPC/Grid Systems Support Tel (int): 35429
Information Systems Services Tel (ext): +44(0)113 343 5429
University of Leeds, LS2 9JT, UK
comment:6 Changed 4 years ago by dlove
- Resolution set to fixed
- Status changed from new to closed
Added by email2trac