sidemenu

Restricted Access

FAQ

Frequently Asked Questions

New KCA Service

Q. 1.0 What is a KCA server?
Q. 1.1 What are possible common uses of KCA certificates?
Q. 1.2 Why are we changing the KCA service?
Q. 1.3 What changes are being made in the new KCA service?
Q. 1.4 What is not affected?
Q. 1.5 When is the new KCA service moving into production?
Q. 1.6 What do I need to do to prepare for the cutover?
Q. 1.7 What do the differences look like?
Q. 1.8 How can I test the new KCA service?
Q. 1.9 I am trying to test against the new KCA servers, but a kxlist output still shows my old certificate.
Q. 1.10 Where can I obtain a new DN Translation List which contains the new naming scheme?
Q. 1.11 How are you communicating these changes?
Q. 1.12 Has anyone considered DocDB, NIMI, Miser and the other web applications?
Q. 1.13 Why does my displayName for my certificate in my browser no longer report my full name?
Q. 1.14 What not use a different naming convention or other OID available in the x.509 spec?
Q. 1.15 I cannot find an answer to my question. Who should I contact?
Q. 1.16 How can I reconfigure my web server to use the new KCA service?

New KCA Service

A. 1.0 What is a KCA server?

The KCA server is a service that issues an x.509 certificate after presenting a valid Kerberos ticket.

Return to top

A. 1.1 What are possible common uses of KCA certificates?

KCA certificates are used to identify you for authorization to various services that cannot (or do not utilize kerebros authentication). While KCA certificates are not to be used to interactively log into a system (such as through SSH), they are appropriate for other services. Some common services include:
- Access to web pages
- DocDB
- Service Desk activities
- Mitigating TIssue events
- Various Copmuting Division resources
- Grid job submission

Return to top

A. 1.2 Why are we changing the KCA service?

We have various requirements we must meet so that our KCA server will obtain TAGPMA accreditation (and thereby be trusted all over the grid community). These requirements include:

Utilize a Hardware Security Module (HSM) for private key storage
Only issue certificates when clients use at least 1024 bit encryption

Return to top

A. 1.3 What changes are being made in the new KCA service?

The new revision of the KCA service uses a Hardware Security Module (HSM) to store the KCA server's private key, to provide additional security to protect the private key, The actual private key itself has been newly generated, and the DN of the server's root certificate (which users need to install in their applications) has also been modified. In addition, the server will no longer grant certificates to kx509 clients using less than 1024 bit encryption, so some users will need to update their local kx509 clients they use to request certificates.

Return to top

A. 1.4 What is not affected?

Services that utilize Kerberos authentication or passwords are not affected. These include:
- Kerberos tickets
- SSH/rsh/rlogin/Telnet/FTP services
- DCACHE access via LDAP
- Email

Return to top

A. 1.5 When is the new KCA service moving into production?

The new KCA service will go into production after the root certificate has been included in the OGTF distribution of trusted CAs for at least two weeks (not until some time in May 2009). However, the new KCA is available as a test service now.

Return to top

A. 1.6 What do I need to do to prepare for the cutover?

You need to take different actions to prepare depending in which category below you fall into:

If you use windows platforms to obtain KCA certificates to authenticate yourself to web or other services, you do not have to do anything. NetID manager already uses 1024 bit encryption, and will automatically go to the new server when it goes into production. You can test the new server using the suggestions given below. If you are getting your kca certificates through get-cert or some other obsolete method, please switch to NetID manager, your osbolete clients are not supported and if by some miracle they are still working now they will no longer work with the new KCA server.
If you use windows platforms to obtain KCA certificates to authenticate yourself to web or other services, you will probably need to download a new kx509 client that supports 1024 bit encryption. The clients can be obtained here

here

Return to top

A. 1.7 What do the differences look like?

Here is a current KCA certificate:
issuer= /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA
subject= /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Joe Klemencic/CN=UID:jklemenc

And here is the new format (notice the change at the end of the issuer CN):
issuer= /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
subject= /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Joe Klemencic/CN=UID:jklemenc

Return to top

A. 1.8 How can I test the new KCA service?

First, you need to use the modified version of the kx509 utility which contains a feature to specify a KCA server on the command line instead of relying on DNS to resolve the KCA service. You can obtain it here (Linux and MAC only). After extracting, you will want to perform a kdestroy to get rid of any certificates you may have already obtained. Next, perform a kinit to obtain a Kerberos ticket then execute kx509 -s 'servername' where 'servername' is the name of the KCA server you wish to test against. The KCA servers are:

winserver.fnal.gov is the old production KCA server
winserver2.fnal.gov is the redundant production KCA server
fermi-kcatest01.fnal.gov is the test KCA

After you obtain a certificate, issue the command 'kxlist' and you should see output similar to the following:
Service kx509/certificate
issuer= /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM
subject= /DC=gov/DC=fnal/O=Fermilab/OU=People/CN='Your Name'/CN=UID:'your username'

You may now use this certificate to test your applications. Windows users can configure NetIDManager through the GUI to utilize a named KCA server.

Return to top

A. 1.9 I am trying to test against the new KCA servers, but a kxlist output still shows my old certificate.

First, make sure to destroy your old certificate. In NIM, you can do so my clicking the Destroy Credentials button. If using command line tools, perform a kdestroy. Next, obtain a new Kerberos ticket. Finally, obtain a new KCA certificate. Be sure to have configured your software to point to the new KCA servers. If using get-cert.sh, there is a test kx509 binary available at http://security.fnal.gov/tools that supports the -s servername option. You will need this binary AND modify your get-cert.sh script to add '-s fermi-kcatest01.fnal.gov' to the $KX509PROG line (around line 104). If you choose to not use get-cert.sh, simply execute 'kx509 -s fermi-kcatest01.fnal.gov' using the new kx509 binary listed previously.

Return to top

A. 1.10 Where can I obtain a new DN Translation List which contains the new naming scheme?

A new DN Translation List is automatically generated at https://security.fnal.gov/pki/protected/KCA_DN_translation.txt
A DN translation list for Robot certificates is available at https://security.fnal.gov/pki/protected/KCArobots_DN_translation.txt

Return to top

A. 1.11 How are you communicating these changes?

For most of the FNAL population, these changes will go unnoticed, so a general broadcast announcement was considered, but not feasible. We have been trying to get the 'right people', especially large stakeholders, to help plan for the changes. We will announce the changes in the upcoming CD Tracks newsletter.

Return to top

A. 1.12 Has anyone considered DocDB, NIMI, Miser and the other web applications?

Yes. The Core Services developers have been engaged during the planning process and many of their services are now accepting both old and new KCA certificates.

Return to top

A. 1.13 Why does my displayName for my certificate in my browser no longer report my full name?

Many applications will print only the last /CN found within a DN. In the case of the KCA (at this time), the last object in the DN is /CN=UID:username. Thus, your browser finds the last /CN in the string and displays everything after the equal sign.

Return to top

A. 1.14 What not use a different naming convention or other OID available in the x.509 spec?

his is a long discussion. We were using /UID=username, but some OpenSSL versions reported the oid-to-name mapping inconsistently. Since this was casuing problems, TAGPMA encouraged us to change to a different scheme. We looked at other OID's available along with appending additional /CN objects, and decided on /pseudonym=username as to to interfere with the original DN. However, due to inconsistencies in the BouncyCastle software used by much grid middleware, this was abandoned. We then had a shoot out of /CN=UID= and /CN=UID: and /CN=UID: had the least impact in the grid (BouncyCastle still had inconsistencies with /CN=UID=). There are countless different ways to handle this, including inventing our own OID, but it was decided to stick with something that supports the lowest common denominator while providing an easy to parse object to extract the Fermi username.

Return to top

A. 1.15 I cannot find an answer to my question. Who should I contact?

If you are having a general problem obtaining or using a KCA certificate, please open a help desk ticket by calling the Help Desk at x2345 or through their web interface at http://helpdesk.fnal.gov. If you have concerns or questions about the transition to the new KCA service, you may email the Computer Security Team at cst @ fnal.gov.

Return to top

A. 1.16 How can I reconfigure my web server to use the new KCA service?

(Submitted by the CD/LSC/CSI/WCS Web Team)
Instructions for adding new Fermi CA to your Apache web server
---------------------------------------------------------------

1) Get the new CA file from the security web site in PEM format.
   http://security.fnal.gov/pki/final-kcaprod.txt

2) Add it into the trustedcas directory for you web server.
   If you are not sure where this is, you can check your
   Apache web configuration for a line that looks like:

   SSLCACertificatePath /path/to/your/trustedcas

   Keep the old CA file (e1fce4e9.0) in the trustedcas dir
   so that current browser certs continue to work. It is fine
   to have both CA files. Keep the old CA file until at least
   7 days after the switchover since people may be using browser
   certs issued before the switchover that haven't expired yet.

3) Check whether you already have a file named 99f9f5a3.0
   in that trustedcas directory or not. If so, move it aside.

4) Rename the final-kcaprod.txt from step #1 to: 99f9f5a3.0

5) Check that the 99f9f5a3.0 file permissions are such that
   the account your web server is running under can read it.

6) If you do not already have a file named 99f9f5a3.0
   in your trustedcas directory, you do NOT need to
   restart your web server for the change to take effect.

   If you did already have a diffent file named 99f9f5a3.0
   in your trustedcas directory, you will need to restart
   your web server for the change to take effect.

7) Try it out. Follow security's instruction's to get a
   new client cert on your web browser and then visit
   KCA protected areas of your web site.
   http://security.fnal.gov/pki/new2kcafaq.html#1_8

   [I tested the new CA on the test central web server with
   access restriction by KCA name, Fermilab  organization,
   and issuer match. I also tested that old browser certs
   still worked after new CA installed. Tests worked fine.]

8) The issuer DN format in the client/browser cert has changed.
   Instead of ending in "CN=Kerberized CA", they now end in
   "CN=Kerberized CA HSM" - with an extra "HSM" on the end.

   Check your web content for .htaccess files with commands
   which rely on matching the old issuer DN format (without
   the "HSM" at the end). If you find that, then add an OR
   so that the issuer's DN can be either with or without HSM
   (so it will work both now and after the switchover).

   Example: If your .htaccess file has this issuer DN reference:
   (all on one line)

SSLRequire  (%{SSL_CLIENT_I_DN} eq "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA")

   You should change it to check for either old style or new:
   (all on one line)

SSLRequire  (%{SSL_CLIENT_I_DN} eq "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA") or (%{SSL_CLIENT_I_DN} eq "/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA HSM")

    You should be able to find these files with a find command
    such as (Linux Find with Linux switches used here):

    # find the paths of all .htaccess files with commands
    # that have SSL_CLIENT_I_DN in them. Then "more" the files.
    cd root_of_your_web_content
    find . -noleaf -name .htaccess -follow -exec grep -li "SSL_CLIENT_I_DN" {} \; >htaccesskca.all
    more `cat htaccesskca.all`

    You will only need to change the entries if they are doing
    a match that includes the "CN=Kerberized CA" field. You
    can remove the non-"HSM" entry after at least 7 days after
    the switchover (to allow browser certs issued by the old
    service to work until they expire after 7 days).

9) Check your web CGIs or applications. If they do any
   authentication based on the issuer DN, that code may also
   need to be changed to match with or without the "HSM".

If you have questions, please submit a service desk ticket assigned to CD/LSC/CSI/WCS Web Team.

***** Additional notes from Web Team *****
If after following the above instructions, you can no longer access your web site via HTTPS, be sure that the trustedcas dir
(and dirs above it) must be readable by the web server account, and not just root.
When a directory is used for trustedcas (as opposed to a file) apache looks at the directory beyond just startup
(otherwise putting the new CA in without a server restart wouldn't work), so the web server account needs to be able to read it too.

Return to top

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by IG on Apr 1, 2009.
(Address comments about page to the Computer Security Team.)