HOWTO01 Using IGTF CA distribution

Using the IGTF CA distribution

To ensure interoperability within and outside of EGI, the Policy on Acceptable Authentication Assurance defined a common set of trust anchors (in a PKIX implementation “Certification Authorities”) that all sites in EGI should install. In short, all CAs accredited to the Interoperable Global Trust Federation under the classic, MICS or SLCS Authentication Profiles are approved for use in EGI. When installing the ‘combined-assurance’ bundle, also IOTA issuers complying with assurance level DOGWOOD are included. Of course, sites may add additional CAs as long as the integrity of the infrastructure as a whole is not compromised. Also, if there are site or national policies/regulations that prevent you from installing a CA, these regulations take precedence – but you then must inform the EGI Security Officer (see EGI CSIRT) about this exception.

Release notes

Review the release notes containing important notices about the current release, as well as a list of changes to the trust fabric.

Installation

To install the EGI trust anchors on a system that uses the RedHat Package Manager (RPM) based package management system, we provide a convenience package to manage the installation. To install the currently valid distribution, all RPM packages are provided at

https://repository.egi.eu/sw/production/cas/1/current/

The current version is based on the IGTF release with the same version number. Install the meta-package ca-policy-egi-core (or ca-policy-egi-cam) and its dependencies to implement the core EGI policy on trusted CAs.

Using YUM package management

Add the following repo-file to the /etc/yum.repos.d/ directory:

[EGI-trustanchors]
name=EGI-trustanchors
baseurl=https://repository.egi.eu/sw/production/cas/1/current/
gpgkey=https://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3
gpgcheck=1
enabled=1

and then update your installation. How to update depends on your previous activity:

  • if you have previously ever installed the lcg-CA package, remove any references to https://linuxsoft.cern.ch/LCG-CAs/current from your YUM setup, and run
$ yum clean cache metadata
$ yum update lcg-CA
  • and you are done. This will update the packages installed to the latest version, and also install the new ca-policy-egi-core package as well as a ca-policy-lcg package. All packages encode the same set of dependencies

  • if you are upgrading from a previous EGI version only, just run

$ yum update ca-policy-egi-core
  • although at times you may need to clean the yum cache using
$ yum clean cache metadata
  • if you are installing the EGI trust anchors for the first time, run
$ yum install ca-policy-egi-core

Using the distribution on a Debian or Debian-derived platform

The 1.39+ releases experimentally add the option to install the trust anchors from Debian packages using the APT dependency management system. Although care has been taken to ensure that this distribution is installable and complete, no guarantees are given, but you are invited to report your issues through GGUS. You may have to wait for a subsequent release of the Trust Anchor release to solve your issue, or may be asked to use a temporary repository. To use it:

  • Install the EUGridPMA PGP key for apt:
$ wget -q -O - \
    https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3 \
    | apt-key add -
  • Add the following line to your sources.list file for APT:
#### EGI Trust Anchor Distribution ####
deb https://repository.egi.eu/sw/production/cas/1/current egi-igtf core
  • Populate the cache and install the meta-package
$ apt-get update
$ apt-get install ca-policy-egi-core

Using the distribution on other (non-RPM) platforms

The trust anchors are provided also as simple ’tar-balls’ for installation on other platforms. Since there is no dependency management in this case, please review the release notes carefully for any security issues or withdrawn CAs. The tar files can be found in the EGI repository at

https://repository.egi.eu/sw/production/cas/1/current/tgz/

Once you have downloaded the directory, you can unpack all the CA tar,gz as follows to your certificate directory:

$ for tgz in $(ls  <ca download dir>); do
    tar xzf <ca download dir>/$tgz --strip-components=1 \
      -C /etc/grid-security/certificates
  done

Installing the distribution using Quattor

Quattor templates are provided as drop-in replacements for both QWG and CDB installations. Update your software repository (re-generating the repository templates as needed) and obtain the new CA templates from:

  • https://repository.egi.eu/sw/production/cas/1/current/meta/ca-policy-egi-core.tpl for QWG
  • https://repository.egi.eu/sw/production/cas/1/current/meta/pro_software_meta_ca_policy_egi_core.tpl for CDB

Make sure to mirror (or refer to) the new repository at https://repository.egi.eu/sw/production/cas/1/current/ and create the appropriate repository definition file.

For WLCG sites that are migrating from the lcg-CA package: the WLCG policy companion of the EGI templates can be found at QWG and CDB and can be included in the profile in parallel with the EGI core template. All packages needed are also included in the EGI repository, so only a single repository reference is necessary.

Combined Assurance/Adequacy Model

The release contains a “cam” (combined assurance/adequacy) package based on the approved policy on differentiated assurance. Technically, this means that you must ONLY install the new ca-policy-egi-cam packages if you ALSO at the same time implement VO-specific authorization controls in your software stack. This may require reconfiguration or a software update. Otherwise, just only install or update the regular ca-policy-egi-core package. There are no changes in this case. The ca-policy-egi-core package is approved for all VOs membership and assurance models. No configuration change is needed.

Acceptable Authentication Assurance

If a VO registration service or e-infrastructure registration service is accredited by EGI to meet the approved authentication assurance, an IGTF “DOGWOOD” accredited Authority - used solely in combination with said registration service - is also adequate for user authentication. See the policy for details.

This additional restriction policy must be implemented by each service in the authorization software. The “combined assurance” model package MUST NOT be installed unless the additional authorization is in place. You will need to reconfigure and may need to install upgrades. Not installing the new “cam” package does not have any detrimental effect on current users - only a new class of users (that can only obtain an opaque identifiers and do not do full vetting at their electronic identity provider) could be affected, and then only those users that are member of one of the communities that has part of the combined-assurance programme: LCG-Atlas, LCG-Alice, LCG-LHCb, and LCG-CMS.

Patches and workarounds

Reminder notice for VOMS AA operators

Several updates to this trust anchor distribution incorporate changes to the name of the issuing authority, but the name of the end-entities and the users remains exactly the same. To make the change transparent, all operators of VOMS and VOMS-Admin services are requested to enable the subject-only name resolution mechanisms in VOMS and VOMS Admin, see additional documentation in VOMS services configuration reference:

  • on the VOMS core Attribute Authority service, configure the -skipcacheck flag on start-up.
  • Set voms.skip_ca_check=True in the service properties.

Concerns, issues and verification

If you experience problems with the installation or upgrade of your trust anchors, or with the repository, please report such an issue through the GGUS system. For issues with the contents of the distribution, concerns about the trust fabric, or with questions about the integrity of the distribution, please contact the EGI IGTF liaison at egi-igtf-liaison@nikhef.nl.

You can verify the contents of the EGI Trust Anchor (CA) release with those of the International Grid Trust Federation, or its mirror. See the IGTF and EUGridPMA web pages for additional information.

Make sure to verify your trust anchors with TACAR, the TERENA Academic CA Repository, where applicable.