The SSL protocol is used to establish a secure communication channel between the CSGrid Server and its SGAs. It is also used to guarantee the identity of the involved parties: a Server only accepts registrations from authorized SGAs, and an SGA connects only to its assigned Server. The following configuration must be completed to achieve this.

In the Server

The following property must be set:

SGAService.SSL.enable = true
SGAService.SSL.keystore = <keystore_file>
SGAService.SSL.keystore_password = <keystore_password>

Where <keystore_file> is the path to the keystore and <keystore_password> is the password that protects it.

The list of authorized SGAs is defined as follows, one numbered property per SGA:

SGAService.SSL.sga.name.1 = sgaA
SGAService.SSL.sga.name.2 = sgaB

In the SGA

The SGA's certificate and private key, and the Server's certificate, are defined in the SGA configuration file (see Configuration of Execution Nodes for a detailed explanation).

SGA {
	csbase_sga_name = "sga1",
	ssl = {
		key = "sga.key",
		certificate = "sga.crt",
		cafile = "server.crt",
	},
}

Creating keystores and certificates

1. To create a keystore with a self-signed certificate

$ keytool -genkey -keyalg RSA -alias server -keystore server.jks -storepass csgrid -validity 3650 -keysize 2048

2. To export the certificate

$ keytool -exportcert -rfc -alias server -keystore server.jks -file server.crt

3. To import the CA certificate

$ keytool -import -trustcacerts -alias ca -keystore server.jks -file ca.crt

4. To generate a private key and a certificate signing request (CSR)

$ openssl req -newkey rsa:2048 -nodes -keyout sga.key -out sga.csr

5. To generate a signed certificate for the associated CSR

$ openssl x509 -req -CA ca.crt -CAkey ca.key -in sga.csr -out sga.crt -days 3650 -CAcreateserial
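The five steps above as one non-interactive script, added here as an example; it is not part of the CSGrid documentation. It assumes the CA key and certificate used in steps 3 and 5 (ca.key, ca.crt) are created locally as a private self-signed CA, which the page does not show, and it adds -subj, -dname, -noprompt and -storepass so that openssl and keytool do not prompt. The SGA certificate's CN is set to the SGA name as an assumption: the page does not state which certificate field the Server compares against SGAService.SSL.sga.name.N. The keytool steps run only when a JDK is on PATH; the final check confirms that sga.crt chains to ca.crt and that sga.key matches it, which is what should be verified before the files are copied to an execution node.

```shell
#!/bin/sh
# Added example (not CSGrid's own scripts): bootstrap of the CA, the SGA
# key/certificate and the Server keystore from the steps on this page.
set -eu

# Assumption: ca.key/ca.crt are a private self-signed CA created here.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=CSGrid Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
}

# Steps 4 and 5: SGA private key, CSR, and CA-signed certificate.
# CN=<sga name> is an assumption (see lead-in).
make_sga_cert() {
    sga_name="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$sga_name" \
        -keyout sga.key -out sga.csr >/dev/null 2>&1
    openssl x509 -req -CA ca.crt -CAkey ca.key -in sga.csr -out sga.crt \
        -days 3650 -CAcreateserial >/dev/null 2>&1
}

# Steps 1-3: self-signed Server key pair in server.jks, exported Server
# certificate (the SGA's "cafile"), and the CA imported as a trusted
# certificate so the Server can validate SGA certificates.
# -dname, -keypass, -storepass and -noprompt are added to avoid prompts.
make_server_keystore() {
    keytool -genkey -keyalg RSA -alias server -keystore server.jks \
        -storepass csgrid -keypass csgrid -validity 3650 -keysize 2048 \
        -dname "CN=csgrid-server" >/dev/null 2>&1
    keytool -exportcert -rfc -alias server -keystore server.jks \
        -storepass csgrid -file server.crt >/dev/null 2>&1
    keytool -import -trustcacerts -noprompt -alias ca -keystore server.jks \
        -storepass csgrid -file ca.crt >/dev/null 2>&1
}

# Pre-deployment check: sga.crt chains to ca.crt, and the public key in
# sga.crt is the one derived from sga.key.
verify_sga_cert() {
    openssl verify -CAfile ca.crt sga.crt >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in sga.key -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in sga.crt -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Prints the subject CN of sga.crt in the current directory, so it can be
# compared with the Server's SGAService.SSL.sga.name.N entries.
sga_cert_cn() {
    openssl x509 -in sga.crt -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# build_pki DIR NAME: creates all files in DIR for the SGA called NAME.
# Runs in a subshell so the caller's working directory is unchanged.
build_pki() (
    dir="$1"; name="$2"
    mkdir -p "$dir" && cd "$dir"
    make_ca
    make_sga_cert "$name"
    if command -v keytool >/dev/null 2>&1; then
        make_server_keystore
    else
        echo "keytool not found; skipping steps 1-3 (needs a JDK)" >&2
    fi
    verify_sga_cert
)
```

Usage: `build_pki ./pki sgaA` followed by `(cd ./pki && sga_cert_cn)`; the printed name should appear in the Server's authorized list, and sga.key, sga.crt and server.crt then go to the SGA while server.jks stays on the Server.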