Setup: Installation
===================

The security enhancement can either be added to a previously configured system, or the system can be set up during the initial installation to support CSP security.

Installation with CSP security
------------------------------

The installation is performed as usual, except that the install script is called with the additional parameter -csp. The installation steps are:

1. Unpack and install the Grid Engine distribution

2. Install Grid Engine

   On the master machine become superuser and start the installer with -csp:

   % su
   % ./install_qmaster -csp

   You need the following additional information (see the example below):

   Country code:          C=US
   State:                 ST=California
   Location:              L=San Francisco
   Organization:          O=8Bits
   Organizational unit:   OU=Support
   CA email address:      emailAddress=admin@eightbits.com

   You get the following installation screens:

Initializing Certificate Authority (CA) for OpenSSL security framework
----------------------------------------------------------------------

Creating /scratch2/aa114085/sge_sec/default/common/sgeCA
Creating /var/sgeCA/port5321/default
Creating /scratch2/aa114085/sge_sec/default/common/sgeCA/certs
Creating /scratch2/aa114085/sge_sec/default/common/sgeCA/crl
Creating /scratch2/aa114085/sge_sec/default/common/sgeCA/newcerts
Creating /scratch2/aa114085/sge_sec/default/common/sgeCA/serial
Creating /scratch2/aa114085/sge_sec/default/common/sgeCA/index.txt
Creating /var/sgeCA/port5321/default/userkeys
Creating /var/sgeCA/port5321/default/private

Hit <RETURN> to continue >>

Enter all the required information for the distinguished name for the CA certificate:

You selected the following basic data for the distinguished name of your certificates:

Country code:          C=US
State:                 ST=California
Location:              L=San Francisco
Organization:          O=8Bits
Organizational unit:   OU=Support
CA email address:      emailAddress=admin@eightbits.com

Do you want to use these data (y/n) [y] >>

Creating RANDFILE from >/kernel/genunix< in >/var/sgeCA/port5321/default/private/rand.seed<
1513428 semi-random bytes loaded
Creating CA certificate and private key
Using configuration from /tmp/sge_ca126095.tmp
Generating a 1024 bit RSA private key
....................................++++++
............++++++
writing new private key to '/var/sgeCA/port5321/default/private/cakey.pem'
-----

Hit <RETURN> to continue >>

Creating Daemon certificate and key
-----------------------------------

Creating RANDFILE from >/kernel/genunix< in >/var/sgeCA/port5321/default/private/rand.seed<
1513428 semi-random bytes loaded
Using configuration from /tmp/sge_ca126095.tmp
Generating a 1024 bit RSA private key
...................................++++++
.....................++++++
writing new private key to '/var/sgeCA/port5321/default/private/key.pem'
-----
Using configuration from /tmp/sge_ca126095.tmp
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'California'
localityName          :PRINTABLE:'San Francisco'
organizationName      :PRINTABLE:'8Bits'
organizationalUnitName:PRINTABLE:'Support'
uniqueIdentifier      :PRINTABLE:'root'
commonName            :PRINTABLE:'SGE Daemon'
emailAddress          :IA5STRING:'none'
Certificate is to be certified until Mar 1 16:14:23 2003 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
created and signed certificate for SGE daemons
Creating RANDFILE from >/kernel/genunix< in >/var/sgeCA/port5321/default/userkeys/root/rand.seed<
1513428 semi-random bytes loaded
Using configuration from /tmp/sge_ca126095.tmp
Generating a 1024 bit RSA private key
....++++++
.....................++++++
writing new private key to '/var/sgeCA/port5321/default/userkeys/root/key.pem'
-----
Using configuration from /tmp/sge_ca126095.tmp
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'California'
localityName          :PRINTABLE:'San Francisco'
organizationName      :PRINTABLE:'8Bits'
organizationalUnitName:PRINTABLE:'Support'
uniqueIdentifier      :PRINTABLE:'root'
commonName            :PRINTABLE:'SGE install user'
emailAddress          :IA5STRING:'none'
Certificate is to be certified until Mar 1 16:14:25 2003 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
created and signed certificate for user >root< in >/var/sgeCA/port5321/default/userkeys/root<
Creating RANDFILE from >/kernel/genunix< in >/var/sgeCA/port5321/default/userkeys/aa114085/rand.seed<
1513428 semi-random bytes loaded
Using configuration from /tmp/sge_ca126095.tmp
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to '/var/sgeCA/port5321/default/userkeys/aa114085/key.pem'
-----
Using configuration from /tmp/sge_ca126095.tmp
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'California'
localityName          :PRINTABLE:'San Francisco'
organizationName      :PRINTABLE:'8Bits'
organizationalUnitName:PRINTABLE:'Support'
uniqueIdentifier      :PRINTABLE:'aa114085'
commonName            :PRINTABLE:'SGE admin user'
emailAddress          :IA5STRING:'none'
Certificate is to be certified until Mar 1 16:14:26 2003 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
created and signed certificate for user >aa114085< in >/var/sgeCA/port5321/default/userkeys/aa114085<

Hit <RETURN> to continue >>

Then the installation script proceeds as usual.

Creating CA certificate and private key
---------------------------------------

Please give some basic parameters to create the distinguished name (DN) for the certificates.

We will ask for
 - the two letter country code
 - the state
 - the location, e.g. city or your building code
 - the organization (e.g. your company name)
 - the organizational unit, e.g. your department
 - the email address of the CA administrator (you!)

Hit <RETURN> to continue >>

================================================================================

ATTENTION !!
THIS IS WORK IN PROGRESS AND SHOULD NOT BE USED IN PRODUCTION ENVIRONMENTS
NONETHELESS YOU ARE VERY WELCOME TO TEST, ADVISE AND ENHANCE

In the following sections the use of the openssl binary (version 0.9.6b) for building a CA & key infrastructure for SGE is outlined.

Names from passwd
=================

   ypcat passwd | cut -f 1,5 -d :

Setup CA
========

Certificate creation cmds
=========================

CA creation:
   The -nodes option is used to suppress the encryption of private keys. Otherwise one has to deal with the PEM passphrase (at least 4 characters) during the runtime of a CSP-enabled SGE.

CA cert and key (without -des3 the key is written unencrypted, i.e. no passphrase is needed):
   openssl genrsa [-des3] -out <cakey> -rand <randfile> 1024

Selfsign CA cert:
   openssl req -new -x509 -days 730 -key <cakey> -out <cacert>

Display cert:
   openssl x509 -in <cert> -text

User key and cert:
   openssl genrsa -out <userkey> -rand <randfile> 1024
   openssl req -new -key <userkey> -out <request>

Signing:
   openssl ca -name <ca_name> -keyfile <cakey> -in <request> -out <cert> -outdir <newcerts_dir>
   ca_name is the section in the config file, e.g. Client_CA, Server_CA ...

Hash generation:
   serial number:
      openssl x509 -in <cert> -noout -serial
   hash link (the file name under which OpenSSL's directory lookup finds a CA certificate):
      ln -s <cert>.pem `openssl x509 -in <cert>.pem -hash -noout`.0

Certificate check cmds
======================

Check issuer
   % openssl x509 -issuer -in ~/.SGE_SECURE/default/CERT/cert.pem -noout
   issuer= /C=DE/ST=Bavaria/L=Regensburg/O=Sun Microsystems/OU=Gridware/CN=CA/Email=andre.alefeld@sun.com

Check subject
   % openssl x509 -subject -in ~/.SGE_SECURE/default/CERT/cert.pem -noout
   subject= /C=DE/ST=Bavaria/L=Regensburg/O=Sun Microsystems/OU=Gridware/CN=andre/Email=andre.alefeld@sun.com

Show email of cert
   % openssl x509 -email -in ~/.SGE_SECURE/default/CERT/cert.pem -noout
   andre.alefeld@sun.com

Show validity
   orgulas% openssl x509 -dates -in ~/.SGE_SECURE/default/CERT/cert.pem -noout
   notBefore=Sep 25 14:48:38 2001 GMT
   notAfter=Sep 25 14:48:38 2002 GMT

Show fingerprint
   orgulas% openssl x509 -fingerprint -in ~/.SGE_SECURE/default/CERT/cert.pem -noout
   MD5 Fingerprint=F9:FA:AB:86:F3:71:E4:7F:18:82:78:7D:5E:51:7B:B5

Show C format of cert
   orgulas% openssl x509 -C -in ~/.SGE_SECURE/default/CERT/cert.pem -noout

/* subject:/C=DE/ST=Bavaria/L=Regensburg/O=Sun Microsystems/OU=Gridware/CN=andre/Email=andre.alefeld@sun.com */
/* issuer :/C=DE/ST=Bavaria/L=Regensburg/O=Sun Microsystems/OU=Gridware/CN=CA/Email=andre.alefeld@sun.com */
unsigned char XXX_subject_name[155]={
0x30,0x81,0x98,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x44,0x45,
0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x08,0x13,0x07,0x42,0x61,0x76,0x61,0x72,
0x69,0x61,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x07,0x13,0x0A,0x52,0x65,0x67,
0x65,0x6E,0x73,0x62,0x75,0x72,0x67,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0A,
0x13,0x10,0x53,0x75,0x6E,0x20,0x4D,0x69,0x63,0x72,0x6F,0x73,0x79,0x73,0x74,0x65,
0x6D,0x73,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x0B,0x13,0x08,0x47,0x72,0x69,
0x64,0x77,0x61,0x72,0x65,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x03,0x13,0x05,
0x61,0x6E,0x64,0x72,0x65,0x31,0x24,0x30,0x22,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
0x0D,0x01,0x09,0x01,0x16,0x15,0x61,0x6E,0x64,0x72,0x65,0x2E,0x61,0x6C,0x65,0x66,
0x65,0x6C,0x64,0x40,0x73,0x75,0x6E,0x2E,0x63,0x6F,0x6D,
};
unsigned char XXX_public_key[162]={
0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,
0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xC1,0xA3,0xE0,
0xAE,0x61,0x84,0xFC,0xEC,0x73,0x85,0xF4,0x00,0x97,0x60,0xE6,0x34,0xCA,0xC3,0xF2,
0x6E,0xCA,0x3F,0xA8,0x06,0x0D,0xE9,0x0D,0xB3,0x65,0x38,0x93,0x1C,0x8C,0x38,0x62,
0xD2,0x0F,0x7E,0xF7,0xD1,0xD1,0x03,0xBA,0x9C,0x5C,0xB8,0x41,0xE1,0x07,0x9D,0x5F,
0x29,0x0D,0xE9,0x4B,0xB2,0x0C,0xC0,0xC7,0x55,0x4D,0x15,0xE0,0xC3,0x42,0xFF,0xAF,
0x7F,0x03,0x5D,0x3B,0x6D,0x5E,0xE1,0x63,0x95,0x19,0xD9,0xBD,0x01,0xA9,0x00,0x72,
0xAF,0x75,0x4E,0xFD,0x68,0x86,0xE6,0x58,0xFD,0xFA,0x97,0x8F,0x8F,0xF4,0x34,0x58,
0x93,0x99,0xCE,0x97,0x5B,0xCA,0xCE,0xC9,0xD1,0x7D,0xC3,0xEF,0xE8,0x30,0x3F,0x7D,
0xCC,0xA9,0x57,0xB0,0x6C,0xCD,0x82,0x79,0x04,0xA5,0xAB,0xAC,0x45,0x02,0x03,0x01,
0x00,0x01,
};
unsigned char XXX_certificate[972]={
0x30,0x82,0x03,0xC8,0x30,0x82,0x03,0x31,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,0x05,0x00,0x30, 0x81,0x95,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x44,0x45,0x31, 0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x08,0x13,0x07,0x42,0x61,0x76,0x61,0x72,0x69, 0x61,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x07,0x13,0x0A,0x52,0x65,0x67,0x65, 0x6E,0x73,0x62,0x75,0x72,0x67,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0A,0x13, 0x10,0x53,0x75,0x6E,0x20,0x4D,0x69,0x63,0x72,0x6F,0x73,0x79,0x73,0x74,0x65,0x6D, 0x73,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x0B,0x13,0x08,0x47,0x72,0x69,0x64, 0x77,0x61,0x72,0x65,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x13,0x02,0x43, 0x41,0x31,0x24,0x30,0x22,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01, 0x16,0x15,0x61,0x6E,0x64,0x72,0x65,0x2E,0x61,0x6C,0x65,0x66,0x65,0x6C,0x64,0x40, 0x73,0x75,0x6E,0x2E,0x63,0x6F,0x6D,0x30,0x1E,0x17,0x0D,0x30,0x31,0x30,0x39,0x32, 0x35,0x31,0x34,0x34,0x38,0x33,0x38,0x5A,0x17,0x0D,0x30,0x32,0x30,0x39,0x32,0x35, 0x31,0x34,0x34,0x38,0x33,0x38,0x5A,0x30,0x81,0x98,0x31,0x0B,0x30,0x09,0x06,0x03, 0x55,0x04,0x06,0x13,0x02,0x44,0x45,0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x08, 0x13,0x07,0x42,0x61,0x76,0x61,0x72,0x69,0x61,0x31,0x13,0x30,0x11,0x06,0x03,0x55, 0x04,0x07,0x13,0x0A,0x52,0x65,0x67,0x65,0x6E,0x73,0x62,0x75,0x72,0x67,0x31,0x19, 0x30,0x17,0x06,0x03,0x55,0x04,0x0A,0x13,0x10,0x53,0x75,0x6E,0x20,0x4D,0x69,0x63, 0x72,0x6F,0x73,0x79,0x73,0x74,0x65,0x6D,0x73,0x31,0x11,0x30,0x0F,0x06,0x03,0x55, 0x04,0x0B,0x13,0x08,0x47,0x72,0x69,0x64,0x77,0x61,0x72,0x65,0x31,0x0E,0x30,0x0C, 0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x61,0x6E,0x64,0x72,0x65,0x31,0x24,0x30,0x22, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x15,0x61,0x6E,0x64, 0x72,0x65,0x2E,0x61,0x6C,0x65,0x66,0x65,0x6C,0x64,0x40,0x73,0x75,0x6E,0x2E,0x63, 0x6F,0x6D,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, 
0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xC1, 0xA3,0xE0,0xAE,0x61,0x84,0xFC,0xEC,0x73,0x85,0xF4,0x00,0x97,0x60,0xE6,0x34,0xCA, 0xC3,0xF2,0x6E,0xCA,0x3F,0xA8,0x06,0x0D,0xE9,0x0D,0xB3,0x65,0x38,0x93,0x1C,0x8C, 0x38,0x62,0xD2,0x0F,0x7E,0xF7,0xD1,0xD1,0x03,0xBA,0x9C,0x5C,0xB8,0x41,0xE1,0x07, 0x9D,0x5F,0x29,0x0D,0xE9,0x4B,0xB2,0x0C,0xC0,0xC7,0x55,0x4D,0x15,0xE0,0xC3,0x42, 0xFF,0xAF,0x7F,0x03,0x5D,0x3B,0x6D,0x5E,0xE1,0x63,0x95,0x19,0xD9,0xBD,0x01,0xA9, 0x00,0x72,0xAF,0x75,0x4E,0xFD,0x68,0x86,0xE6,0x58,0xFD,0xFA,0x97,0x8F,0x8F,0xF4, 0x34,0x58,0x93,0x99,0xCE,0x97,0x5B,0xCA,0xCE,0xC9,0xD1,0x7D,0xC3,0xEF,0xE8,0x30, 0x3F,0x7D,0xCC,0xA9,0x57,0xB0,0x6C,0xCD,0x82,0x79,0x04,0xA5,0xAB,0xAC,0x45,0x02, 0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x21,0x30,0x82,0x01,0x1D,0x30,0x09,0x06,0x03, 0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x2C,0x06,0x09,0x60,0x86,0x48,0x01,0x86, 0xF8,0x42,0x01,0x0D,0x04,0x1F,0x16,0x1D,0x4F,0x70,0x65,0x6E,0x53,0x53,0x4C,0x20, 0x47,0x65,0x6E,0x65,0x72,0x61,0x74,0x65,0x64,0x20,0x43,0x65,0x72,0x74,0x69,0x66, 0x69,0x63,0x61,0x74,0x65,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14, 0x3C,0xAD,0x71,0x8B,0x0D,0xD9,0xAE,0x39,0x51,0xC3,0x51,0x8C,0x5D,0x87,0xDF,0x13, 0x0F,0xBE,0xA6,0x03,0x30,0x81,0xC2,0x06,0x03,0x55,0x1D,0x23,0x04,0x81,0xBA,0x30, 0x81,0xB7,0x80,0x14,0x76,0x42,0x9A,0xBF,0xB8,0xC0,0xF4,0x25,0xF8,0xF3,0x05,0x8C, 0x31,0x5B,0x40,0xAD,0x0D,0x27,0x76,0xF9,0xA1,0x81,0x9B,0xA4,0x81,0x98,0x30,0x81, 0x95,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x44,0x45,0x31,0x10, 0x30,0x0E,0x06,0x03,0x55,0x04,0x08,0x13,0x07,0x42,0x61,0x76,0x61,0x72,0x69,0x61, 0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x07,0x13,0x0A,0x52,0x65,0x67,0x65,0x6E, 0x73,0x62,0x75,0x72,0x67,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0A,0x13,0x10, 0x53,0x75,0x6E,0x20,0x4D,0x69,0x63,0x72,0x6F,0x73,0x79,0x73,0x74,0x65,0x6D,0x73, 0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x0B,0x13,0x08,0x47,0x72,0x69,0x64,0x77, 
0x61,0x72,0x65,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x13,0x02,0x43,0x41,
0x31,0x24,0x30,0x22,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,
0x15,0x61,0x6E,0x64,0x72,0x65,0x2E,0x61,0x6C,0x65,0x66,0x65,0x6C,0x64,0x40,0x73,
0x75,0x6E,0x2E,0x63,0x6F,0x6D,0x82,0x01,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,
0x86,0xF7,0x0D,0x01,0x01,0x04,0x05,0x00,0x03,0x81,0x81,0x00,0x21,0x4A,0x48,0x94,
0x2F,0xB9,0x0C,0x8A,0x42,0x75,0xA4,0xDD,0xD1,0xBD,0x95,0xE6,0xE3,0x05,0x70,0x44,
0x81,0x9E,0xC3,0x77,0x9B,0x46,0xE8,0xE3,0x6B,0x5B,0x3E,0x89,0xD0,0x51,0x71,0x6C,
0xE8,0xBC,0x7F,0xB5,0xF8,0x2E,0x52,0xCB,0x8F,0xEA,0x98,0x0C,0x59,0x69,0x62,0xC7,
0x6E,0x75,0x99,0xBC,0x31,0xA1,0x1A,0x3C,0x7F,0xEF,0x81,0x5C,0xE6,0x61,0xF9,0x64,
0x10,0xFE,0x4A,0xFC,0xB7,0xA3,0xB0,0x3B,0xFC,0x22,0x42,0x75,0x7A,0x2B,0xA5,0xB2,
0x15,0x8E,0xFC,0xC6,0x08,0xD6,0x6B,0xCE,0xEB,0xDC,0x05,0x89,0xB7,0x56,0x55,0xCD,
0xA3,0x71,0xD0,0x48,0xA5,0x8F,0xAE,0x96,0x7F,0xB8,0x86,0x15,0xBF,0x57,0xDB,0x03,
0xDE,0x27,0x11,0xD0,0x79,0x6F,0x5B,0x00,0xB4,0x89,0x84,0x70,
};

Helper scripts
==============

Print the hash link name for each certificate given on the command line:

#!/bin/sh
#
# print out the hash values
#
for i in "$@"
do
   h=`openssl x509 -hash -noout -in "$i"`
   echo "$h.0 => $i"
done

Print subject, issuer and expiry date:

#!/bin/sh
#
# print the subject, issuer and end date
#
for i in "$@"
do
   n=`openssl x509 -subject -issuer -enddate -noout -in "$i"`
   echo "$i"
   echo "$n"
   echo "--------"
done

Print the issuer only:

#!/bin/sh
#
# print out the issuer
#
for i in "$@"
do
   n=`openssl x509 -issuer -noout -in "$i"`
   printf '%s\t%s\n' "$i" "$n"
done

Print the subject only:

#!/bin/sh
#
# print the subject
#
for i in "$@"
do
   n=`openssl x509 -subject -noout -in "$i"`
   echo "$i $n"
done

Build the DN table from NAMES.txt (one "Firstname Lastname" per line; the full name becomes the CN field and the first two fields build the email address). "%s:" is used as the printf format so that a stray "%" in a name is not interpreted as a format directive:

   awk '{printf "DE:"; printf "Bavaria:"; printf "Regensburg:"; printf "Sun Microsystems:"; printf "Gridware:"; printf "%s:", $0; print $1"."$2"@sun.com"}' NAMES.txt > DN_TABLE.txt

Generate a CRL
==============

   utilbin/solaris64/openssl ca -config util/sgeCA/sge_ssl.cnf -verbose -cert default/common/sgeCA/cacert.pem -keyfile /var/sgeCA/port5321/default/private/cakey.pem -gencrl -out troet

Renewal of CA key (re-issues a self-signed CA certificate for the existing CA key):

   $SGE_ROOT/utilbin/solaris64/openssl req -nodes -x509 -key /var/sgeCA/port5321/default/private/cakey.pem -out cacert.new -days 1024 -new -config
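The hash link from the "Hash generation" step and the `openssl x509 -C` dump are two views of the same structure: the link name is computed over the DER-encoded subject Name, and XXX_subject_name is exactly those bytes. The following Python script is an added example, not part of the original SGE notes. It decodes XXX_subject_name into the `/C=DE/ST=...` form that `openssl x509 -subject` prints and computes the old-style `-hash` value over it. The function and constant names are this example's own. The old-style hash (what the 0.9.6b binary discussed here produces) is the first four bytes of MD5 over the DER Name read little-endian; OpenSSL 1.0.0 and later switched the default to a SHA-1 based canonical hash and print the old form with `-subject_hash_old`, so links built with an old binary have to be rebuilt after an upgrade.

```python
import hashlib

# XXX_subject_name from the `openssl x509 -C` dump above (155 bytes of DER):
# a Name is a SEQUENCE of SETs, each SET holding one SEQUENCE { OID, value }.
SUBJECT_DER = bytes([
    0x30,0x81,0x98,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x44,0x45,
    0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x08,0x13,0x07,0x42,0x61,0x76,0x61,0x72,
    0x69,0x61,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x07,0x13,0x0A,0x52,0x65,0x67,
    0x65,0x6E,0x73,0x62,0x75,0x72,0x67,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0A,
    0x13,0x10,0x53,0x75,0x6E,0x20,0x4D,0x69,0x63,0x72,0x6F,0x73,0x79,0x73,0x74,0x65,
    0x6D,0x73,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x0B,0x13,0x08,0x47,0x72,0x69,
    0x64,0x77,0x61,0x72,0x65,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x03,0x13,0x05,
    0x61,0x6E,0x64,0x72,0x65,0x31,0x24,0x30,0x22,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
    0x0D,0x01,0x09,0x01,0x16,0x15,0x61,0x6E,0x64,0x72,0x65,0x2E,0x61,0x6C,0x65,0x66,
    0x65,0x6C,0x64,0x40,0x73,0x75,0x6E,0x2E,0x63,0x6F,0x6D,
])

# Attribute OIDs the SGE certificates use, with the short names openssl prints.
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.3": "CN", "2.5.4.45": "UID",
    "1.2.840.113549.1.9.1": "Email",
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn the base-128 OID encoding into dotted form (first byte packs arcs 1 and 2)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Return the RDNs of a DER Name as a list of (short name or dotted OID, value)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("expected a SET for each RDN")
        _, seq_body, _ = read_tlv(set_body, 0)
        _, oid_raw, vpos = read_tlv(seq_body, 0)
        _, val_raw, _ = read_tlv(seq_body, vpos)
        oid = decode_oid(oid_raw)
        # PrintableString (0x13) and IA5String (0x16) are ASCII subsets, so UTF-8 decoding is safe
        rdns.append((OID_NAMES.get(oid, oid), val_raw.decode("utf-8")))
    return rdns


def oneline(rdns):
    """Format like `openssl x509 -subject`: /C=DE/ST=Bavaria/..."""
    return "".join("/%s=%s" % (k, v) for k, v in rdns)


def subject_hash_old(der):
    """Old-style (pre-1.0.0) OpenSSL name hash: first 4 bytes of MD5 over the DER Name,
    read little-endian; this is the <hash> in the <hash>.0 symlink names of a CA directory."""
    md = hashlib.md5(der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


if __name__ == "__main__":
    rdns = parse_name(SUBJECT_DER)
    print("subject=", oneline(rdns))
    print("link name:", subject_hash_old(SUBJECT_DER) + ".0")
```

Running the script prints the same subject line as the "Check subject" command above and the `<hash>.0` link name for that Name. Note that the directory lookup hashes the issuer name of the certificate being verified and searches for `<hash>.0`, `<hash>.1`, and so on, which is why the link is created for the CA certificate, not for the user certificate.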