Fermilab Computing Division

Fermilab Computer Security

Restricted Access

The Fermilab Computer Security Team administers the laboratory's computer security program and provides the Fermilab community with technical expertise and up-to-date information and resources for improving computer security.


What's New    

  • November 6, 2009: Updated the Get-Cert package for Mac OSX, adding the -t option to get a certificate from the Test KCA server and fixing success message handling (includes fixing use of the encryption password for Globus users).
  • September 22, 2009: Schedule of presentations for Security Awareness Day 2009.
  • September 16, 2009: Get-Cert for Mac OSX: fixed an error which caused the get-cert.sh script to not work under 10.6 and some 10.5 systems. Please re-download this version.
  • September 10, 2009: See the Tools page for a script to make a keytab for use with kcron in a shared (no Kerberos principal) account. This script will be added to the Fermi Kerberos Tools for SLF 4 and 5.
  • September 4, 2009: Get-Cert for Mac OSX updated with new kx509 binaries (v1.05 supports the -s server option and 1024-bit keys) and fixes to support Leopard (10.5) and Snow Leopard (10.6).
  • May 22, 2009: Updated the Proxy Server Manual Configuration document with more details on how to configure a web browser for explicit proxy operation.
  • May 22, 2009: Updated the FNAL Site Proxy Servers FAQ
  • May 8, 2009: Published the FNAL Patching timeline
  • May 7, 2009: New version of get-cert for Mac is available on the Tools page. This code should also work on Linux. We'd appreciate testing and feedback on both platforms so that, if possible, we can merge both tools and just have one "unix-like" get-cert.
  • April 20, 2009: How to forward syslog to CST
  • April 20, 2009: Info about Detecting system changes with checksums posted
  • April 20, 2009: April 13, 2009: New Thunderbird Add-On: View Switch (Quickly switch your message pane between HTML, Simple HTML, RAW and Plain Text)
  • April 10, 2009: Check out the Cert Manager Firefox/Thunderbird Extension! (it allows for a shortcut to the Certificate Store manager)
  • April 3, 2009: Updated the krb5.conf template file to V2.10, added SERVICES domain to [realms].
  • April 2, 2009: New KCA Service FAQ
  • April 1, 2009: New Authentication Policy. Be sure to read!
  • September 5, 2008: Created instructions on how to manually configure your web browser to test the new Proxy Servers.
  • August 26, 2008: Released a new CA Certificate for the Fermilab Kerberized Certificate Authority servers (KCA) as the old CA certificate expires in October of 2008.  The new CA Certificate expires in 2018.  See the page on CA Certificate Downloads for information on downloading and installing the Fermilab KCA CA Certificate.
  • May 28, 2008: Switched to new production KCA servers with new Subject Distinguished Names for people and robots.
  • May 8, 2008: Added a list of the KCA certificate Distinguished Names for robots (special Kerberos principals) which will be issued by the new KCA servers.
  • May 2, 2008: Added initial list of the KCA certificate Distinguished Names for people which will be issued by the new KCA servers.
  • April 22, 2008: FAQ concerning the new KCA service
  • April 3, 2008: Instructions for forwarding apache access, error, etc logs to central logging can be found here. Apache baseline is CD-DocDB # 1536. RA policies are #2336 and #2360.
  • January 11, 2008: See Issues with Expired Certificates for instructions on dealing with expired certificates in your certificate stores.  Some of you may have an expired DOEGrids CA certificate which might be causing problems.
  • December 11, 2007: Added start of How-To Guide on Notes on Changing Your Kerberos Passwords.
  • October 9, 2007: Changed the configuration files used to generate DOEGrids host/service certificate requests to include a single CN in the DN; for multi-home nodes use a regular expression such as (a|b|c|d).fnal.gov for this CN.
  • August 30, 2007: Updated the Tools page, linking to a newer release of Win32OpenSSL and removing the link to Kerberos Client-only for Windows/Cygwin, as this package is no longer supported and very much out of date.
  • August 15, 2007: DOEGrids Certificate Users: Please renew (replace) your personal certificates as soon as you receive the renewal notice E-mail from DOEGrids.org. Do Not Wait until the expiration date since the pki1.doegrids.org service site will not accept expired certificates for authentication.
  • April 9, 2007: Updated the krb5.conf template file to match the Kits Test version (V2.4) adding the CERN.CH realm.
  • December 08, 2006: Modified KCA configuration so the issued certificates are only valid as SSL Client certificates (and not for E-mail signing) in order to make use of KCA certificates easier for Macintosh u.Mail users.
  • September 29, 2006: How-To Access the Baseline Documents in DocDB. Step-by-Step instructions presentation is now available.
  • June 23, 2005: CST RSS Feed available
  • Mar 9, 2004: Email containing a virus is now dropped at the email gateway to avoid flooding.

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by JK. on Oct 23, 2008.
(Address comments about page to the Computer Security Team.)