GridShib-CA Web Server (HTTPS) Addition
The GridShib-CA jar file (GridShibCA.jar) contains a set of CA
certificates that it uses to validate the HTTPS connection back to the
web server from which it was launched. If the CA that signed your web
server's certificate is not in the shipped jar, your users will see an
error like the following (with version 0.4.0 or later of GridShib-CA
they are instead prompted whether to proceed):
Fatal Error: IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To correct this, add the CA certificate for your web server to the
GridShib-CA jar file and then re-sign the jar with a local signing
credential. Any X.509 certificate and private key will do for the
signing credential, but choose one with a lifetime long enough that
you do not have to re-sign the jar often (i.e. not a short-lived
certificate from MyProxy or KCA, but one with a lifetime of about a
year). Bear in mind that the Java client checks the jar signature
against its own trust settings, so a signature made with a self-signed
or locally issued certificate will cause it to warn users that the
publisher cannot be verified.
Prerequisites
For this process, you will need:
- The following Java tools: keytool, jar, jarsigner
- Your web server's CA certificate in PEM format.
- A signing credential (X.509 certificate and private key) with which
  to re-sign the jar after adding your web server's CA.
- The openssl command, to convert your signing credential to PKCS12
  format.
WARNING
A number of Java tools echo passwords to the screen as they are
typed, so be aware of this as you proceed and be wary of doing this
process in a public place. Passwords given on the command line also
end up in your shell history and in the process list visible to other
users, which is why the steps below only pass the dummy trust store
password that way and let jarsigner prompt for the real one.
Step One: Change to GridShib CA distribution directory
All of these commands assume you are running in the directory created
by unpacking the GridShib-CA tarball (typically
"gridshib-ca-0.3.0-alpha/" or similar).
Step Two: Convert signing credential to PKCS12
Convert the credential you will use to sign the new jar to PKCS12
format. The command below assumes the credential is in your ~/.globus
directory with the default names (usercert.pem for the certificate and
userkey.pem for the key); if not, adjust the paths accordingly. The
first password you are prompted for is the existing password for your
private key. The second (and third) password is a new one you create
to protect the PKCS12 store (you can reuse your current private key
password if you wish). The resulting mycred.pkcs12 file contains your
private key, so keep it readable only by you and delete it once the
jar is signed.
% openssl pkcs12 -export -in ~/.globus/usercert.pem -inkey ~/.globus/userkey.pem -name default -out mycred.pkcs12
Enter pass phrase for /Users/vwelch/.globus/userkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
Step Three: Add your CA certificate to trustStore
Now add your CA certificate to the trustStore that comes with the
GridShib-CA distribution. This command assumes your CA certificate is
in a PEM formatted file called "myca-cert.0". The store password is
not used by GridShib-CA, but keytool requires one, so a dummy value
("abcdef") is supplied. If keytool instead reports that the keystore
was tampered with or the password was incorrect, the trustStore was
created with a different password and you will need to use that one.
% keytool -import -keystore resources/trustStore -noprompt -alias "MyCA" -storepass abcdef -file myca-cert.0
Certificate was added to keystore
You can repeat this step to add multiple CA certificates (for example
if you want to use the same jar with several web servers); each
certificate needs a unique argument to -alias.
Step Four: Update GridShibCA.jar
Now update GridShibCA.jar with the modified trust store. Doing so
breaks the existing signature on the jar, which the next step
addresses. The mv only renames the jar so that the signed copy written
in step five can take the original name; if you want to keep the
shipped jar untouched, make a backup copy of it first.
% mv GridShibCA.jar GridShibCA.jar.modified
% jar uf GridShibCA.jar.modified resources/trustStore
Step Five: Sign new jar file
Now re-sign the jar with the PKCS12 store you created in step two,
using the password you created there (the "Export Password"). The
final argument, "default", is the alias given to the credential with
-name in step two. jarsigner prompts for the password; do not pass it
on the command line.
% jarsigner -keystore mycred.pkcs12 -storetype pkcs12 -signedjar GridShibCA.jar GridShibCA.jar.modified default
Enter Passphrase for keystore:
Step Six: Install new jar file
Now run 'make install' to install your new GridShibCA.jar.
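The whole procedure from step two through step five, followed by a signature check, as one script. This is an added example, not part of the GridShib-CA distribution: it assumes it is run from the unpacked distribution directory, that keytool, jar, jarsigner and openssl are on PATH, and that the trust store lives at resources/trustStore with the dummy password "abcdef" as above. The file names (mycred.pkcs12, GridShibCA.jar.orig, GridShibCA.jar.modified) and the helper names (missing_tools, cert_alias, is_pem_cert, make_pkcs12, resign_jar) are this example's own.

```shell
#!/bin/sh
# resign-gridshib-jar.sh (added example, not GridShib-CA's own code):
# add one or more web-server CA certificates to the GridShib-CA trustStore
# and re-sign GridShibCA.jar. Run from the unpacked distribution directory.
# Passwords are read interactively by openssl and jarsigner; only the dummy
# trust store password is ever placed on a command line.

set -eu

TRUSTSTORE=resources/trustStore   # location used by the distribution
TRUSTSTORE_PASS=abcdef            # dummy value; GridShib-CA does not use it
JAR=GridShibCA.jar
SIGNER_ALIAS=default              # alias given to openssl with -name
PKCS12=mycred.pkcs12              # assumed output name for the PKCS12 store

# Print the names of the given tools that are not on PATH, one per line.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || echo "$t"
    done
}

# Derive a keystore alias from a certificate file name by stripping the
# directory and final extension (myca-cert.0 -> myca-cert). keytool needs a
# unique alias per imported certificate.
cert_alias() {
    b=${1##*/}
    echo "${b%.*}"
}

# keytool -import as used here expects a PEM certificate; check for one.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Step two: convert the Globus credential to a PKCS12 store for jarsigner.
make_pkcs12() {
    cert=${1:-$HOME/.globus/usercert.pem}
    key=${2:-$HOME/.globus/userkey.pem}
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -name "$SIGNER_ALIAS" -out "$PKCS12"
    chmod 600 "$PKCS12"   # the store holds your private key
}

# Steps three to five plus verification.
# Usage: resign_jar myca-cert.0 [other-ca.pem ...]
resign_jar() {
    [ $# -ge 1 ] || { echo "usage: resign_jar ca-cert.pem [...]" >&2; return 2; }
    missing=$(missing_tools keytool jar jarsigner)
    [ -z "$missing" ] || { echo "missing tools:" $missing >&2; return 1; }
    [ -f "$PKCS12" ] || { echo "$PKCS12 not found; run make_pkcs12 first" >&2; return 1; }

    # Step three: import every CA certificate under its own alias.
    for ca in "$@"; do
        is_pem_cert "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
        keytool -import -keystore "$TRUSTSTORE" -noprompt \
            -alias "$(cert_alias "$ca")" -storepass "$TRUSTSTORE_PASS" -file "$ca"
    done

    # Step four: keep the shipped jar, build the modified copy from it.
    [ -f "$JAR.orig" ] || cp -p "$JAR" "$JAR.orig"
    cp -p "$JAR.orig" "$JAR.modified"
    jar uf "$JAR.modified" "$TRUSTSTORE"   # this invalidates the shipped signature

    # Step five: jarsigner prompts for the PKCS12 export password, so it does
    # not land in shell history or the process list.
    jarsigner -keystore "$PKCS12" -storetype pkcs12 \
        -signedjar "$JAR" "$JAR.modified" "$SIGNER_ALIAS"

    # Check: the new jar must verify and show your credential as the signer.
    jarsigner -verify -verbose -certs "$JAR"
}

# Command-line use: ./resign-gridshib-jar.sh myca-cert.0 [other-ca.pem ...]
# With no arguments the script only defines the functions (so it can be sourced
# and make_pkcs12 called first).
if [ $# -gt 0 ]; then
    resign_jar "$@"
fi
```

Run make_pkcs12 once to create the PKCS12 store, then the script with your CA file(s); after it verifies cleanly, run 'make install' as in step six. Keeping GridShibCA.jar.orig lets you rebuild the jar from the shipped copy when you later add another CA.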