Grid Certificate Distribution at AGLT2

The certificates in /etc/grid-security/certificates are used by the OSG authentication stack. It is a regularly updated, standard set of files, an includes the details of revoked certificates. So as to avoid all hosts doing regular updates over the Internet, we instead have a central machine ( pull all updates, including rpm changes, into its own directories. This in turn is written to a rw afs volume, which is then released to all ro copies. All other client machines then pull their directory copy via rsync into their own certificates directory.

Details of the Several Steps

  • Every 6 hours at h:0 a check is made on for a new rpm of certificates
    • /etc/cron.d/osg-ca-certs-updater from the OSG distribution
  • At h:50 on fetch-crl is run via cron
    • /etc/cron.d/fetch-crl, set up by the OSG rpm, probably modified by AGLT2 to run at this time
  • At h:14 on the full directory is rsync'd into /afs/, the rw volume of this set
    • /etc/cron.d/rsync-certificates-into-afs that runs /root/tools/
  • At h:41 on linat06, the home of the OSG_certificates rw volume, the rw volume is released to the ro copies
    • /etc/cron.d/release_Certificates
    • Keeps an accumulating log in /var/log/afs_release_Certificates.log
  • In the interval h:25 to h:40, all but the various dCache machines rsync their certificates directory out of afs
    • /etc/cron.d/rsync-certificates.cron, which runs /root/tools/
  • At h:20 the various dCache macines rsync their certificates directory out of afs
    • Same cron task, same tools file, just different time

Probably this cycle time could be shortened by changing the time the rw volume is released on linat06 to h:15, and the gate01 copy into afs to h:10. Such a change could accomplish a full certificate distribution in about 50 minutes or so.

-- BobBall - 04 Oct 2018
Topic revision: r2 - 04 Oct 2018 - 14:47:08 - BobBall

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback