Documentation – Collaboration Tools

Internal: Service information

Mon, 01 Jan 0001 00:00:00 +0000

Identity card

Property	Value
Name	Collaboration Tools
Description	Supporting Collaboration across the EGI Federation
URL	N/A
Support Email	it-support@egi.eu
Helpdesk Support Unit	EGI Services and Service Components I__ Collaboration Tools
Configuration Database entry	https://goc.egi.eu/portal/index.php?Page_Type=Site&id=983
Supplier	EGI Foundation and CESNET
Roadmap	N/A
Release notes	N/A
Source code	N/A
Issue tracker for developers	N/A
License	Every component is having its own licence
Privacy Policy	Parent policy, components usually have their own policy

Internal: Certificates

Mon, 01 Jan 0001 00:00:00 +0000

EGI Foundation is having access to a GÉANT Trusted Certificate Service subscription.

Sectigo is the current Certificate Authority (CA) providing certificates to GÉANT TCS.

This can be used to issue IGTF-trust (AKA eScience certificates) and public-trust certificates, for the domains managed by EGI Foundation, like egi.eu.

Operators of central services can request two types of certificates:

host certificates, with public-trust, and optionally IGTF trust.
robot email certificates, to be used as client certificate, to authenticate using X509 as a service.

In some specific cases, like for Cloud Compute providers not having access to an IGTF CA, it’s possible for them to request a robot certificate, as an IGTF certificate is required for sending accounting records.

You can contact scs-ra@egi.eu (or operations@egi.eu) if you need support.

Requesting a new certificate

Open a ticket to Collaboration Tools SU in EGI Helpdesk, providing:

Justification of the request.
Type of certificate (host or robot).
FQDN of the service.
Mailing list to be used as contact address that will receive renewal notifications.
For host certificates: a Certificate Signing Request, or mentioning the desire to use the ACME protocol.

An operator will follow with the request, and help you getting the certificate.

Retrieving certificates

Host certificates will be sent by email, you will receive a notification with links allowing to download it.
For robot certificates, you will receive an invitation by email allowing to generate and retrieve it.

Renewing certificates

Certificates are usually valid for one year. Auto-renewal of certificates is enabled by default, 30 days before expiration, notifications will be sent to the contact address provided when requesting the certificate.

The notifications contain links allowing to renew the certificate.

Creating a Certificate Signing Request

In order to get a certificate, Service Providers may be requested to send a Certificate Signing Request (CSR).

In the CSR only the Common Name (CN) is important, it should be the (FQDN) of the service Most of other fields will be replaced by the CA while generating the certificate.

It can be done via different ways, some are documented below.

Using a web application

DigiCert provides an online web application.

Using CloudFlare cfssl tool

It can be done with the cfssl tool from CloudFlare.

# Replace #FQDN# by the FQDN of the service
$ cfssl genkey <(echo '{"hosts":["#FQDN#"],"CN"#FQDN#","key":{"algo":"rsa","size":4096}}')
 | cfssljson -bare ##FQDN##.rsa

Using OpenSSL

It can be done using the following OpenSSL command that will generate a password-protected key.

You will be asked for various questions, but the only important ones are the Common Name (CN) and Subject Alternative Names (SAN) (in case you want to request a certificates covering different FQDNs), as other values will be overwritten by the CA.

$ openssl req -out CSR.csr -new -newkey rsa:4096 -keyout privateKey.key

Adding the -nodes option will disable password protection for the key, beware if using it.

Using ACME protocol

It is possible to automate the certificate request and renewal using the ACME protocol via certbot or similar tools.

Two things should be considered:

it’s not yet possible to get eScience/IGTF-trusted certificates, it’s on the roadmap but without any firm ETA.
it’s using a different intermediate CA from Sectigo, not the usual GEANT one used for TCS, but this shouldn’t have much impact for generic/non-eScience public services.

The EGI SDIS team will have to create and register an ACME client ID for you.

Once you will have the credential it should be possible to request a certificate, using the standard certbot client, as documented below.

Registering the client and saving the credentials locally

This will interactively register your certbot client. Even if the ACME credentials are shared, only a given client is able to manage the certificates it requested. Email address is used for urgent renewal and security notices. This is preferred way if you need to get notifications on certificate expiration and if you are doing some manual management or testing.

$ sudo certbot register --no-eff-email \
 --server https://acme.sectigo.com/v2/GEANTOV \
 --eab-kid <EAB_KID> \
 --eab-hmac-key <EAB_HMAC_KEY> \
 --email <CONTACT_EMAIL>

# Checking existing account
$ sudo certbot show_account --server https://acme.sectigo.com/v2/GEANTOV

# Unregistering an account
# Beware: you won't any more be able to revoke certificate issued with the account
$ sudo certbot unregister --server https://acme.sectigo.com/v2/GEANTOV

Requesting a certificate

$ sudo certbot certonly --standalone --non-interactive \
 --server https://acme.sectigo.com/v2/GEANTOV \
 --domain fakedomaindonotexist.egi.eu

Revoking a certificate

$ sudo certbot revoke \
 --server https://acme.sectigo.com/v2/OV \
 --cert-name fakedomaindonotexist.egi.eu

Registering and requesting a certificate all at once

This is useful when you don’t want interactive registration, like for one shot scripts. Email address is used for urgent renewal and security notices.

Apparently the notification to use this email is not visible in cert-manager, and the first option with explicit registration may be safer to get the notifications, if it’s a required feature.

$ sudo certbot certonly --standalone --non-interactive --agree-tos \
 --server https://acme.sectigo.com/v2/GEANTOV \
 --eab-kid <EAB_KID> --eab-hmac-key <EAB_HMAC_KEY> \
 --rsa-key-size 4096 \
 --email <CONTACT_EMAIL> \
 --domain fakedomaindonotexist.egi.eu

Other usual certbot options should also work. You may also be able to use other tools that can speak the ACME protocol, it should be standard.

Internal: EGI SSO

Mon, 01 Jan 0001 00:00:00 +0000

EGI SSO is a legacy central Identity Provider mainly intended to access the EGI Collaboration Tools.

For most services people should look into using federated authentication via EGI Check-in. Still, for some services not yet integrated with Check-in, an EGI SSO account should be used, in that case you can create an EGI SSO account.

Features

Central Identity Provider allowing to access EGI Collaboration Tools
Group management
Synchronisation of groups with other EGI Collaboration Tools
Linking of X.509 certificate Distinguished Name (DN) to authenticate using a client certificate

Linking an X.509 certificate to an EGI SSO account

Open the EGI SSO user management page
Select your new certificate to authenticate with it
Complete the login process using your username and password
Once logged, your new DN will be linked to your user account

Updating the DN of a certificate linked to a given EGI SSO account

On purpose a user cannot manually edit a certificate DN

You usually just need to link your new DN to your EGI SSO account, as documented above.

You may have to do this by in a private browser session to ensure that your previous certificate is used.

Once you have done this, you can request us to remove the former DN by opening an Helpdesk ticket to the Collaboration Tools Support Unit.

Legacy DNs shouldn’t prevent you accessing any service with a newer certificate, as long as its DN is linked to your account.

Internal: Mailing lists

Mon, 01 Jan 0001 00:00:00 +0000

Mailing lists are managed by software called Mailman.

The software provides a web interface and a public list of mailing lists is available.

Requesting the creation of a new mailing list

By default all mailing lists are managed using groups in EGI SSO. Only for very specific they may be managed directly in mailman.

Open a ticket to Collaboration Tools SU in EGI Helpdesk, providing:

List name
List Description
List administrator contact

After validation of those information the list will be created.

Name and description of the mailing list will be validated, you may be recommended to change name or description to follow already existing best practices for naming, or to improve description.

List administrators

EGI mailing lists are usually managed by EGI SSO, with some exceptions for lists that include members without SSO accounts.

List administrators of every SSO-managed list are set to the owners of the corresponding EGI SSO group when a new list is created.

Note

For SSO managed-lists: a change to the list of list administrators through the Mailman interface will not be permanent.

Only the EGI IT support can change who are the owners of an SSO group, please contact us if you want to add a new list administrator.

Each list can be administered over the web interface by following its link from the page Admin links. You can use your EGI SSO password to access the administration pages of the lists for which you are the administrator.

List members

Members of lists are synchronized with members of same named groups in the EGI SSO system.

Note

For SSO managed-lists: Changes made to list membership through the Mailman interface will not be permanent.

Managing list members must be done by managing members of corresponding groups in EGI SSO. Log into your EGI SSO account, and you will see a list of groups of which you are the owner. Click on the “»manage” link, it will display a page where you can

remove members from the group
add existing users as members of thew group
invite new users to the group

If you manage more then one list, and you need to add many new users to several lists at once, it may be helpful to follow the link titled “»Create new users in groups”. It directs to a page where you can enter many addresses at once, and specify the groups to which they should be added. Existing users will be added immediately, non-existing users will be invited to create an account and they will be assigned to the groups when they create the account.