Closed calestyo closed 3 weeks ago
The documentation has been update on master, with pull-request targeting 9.2: https://github.com/dCache/dcache/pull/7554
There is a patch that updates the oidc plugin so it provides more "reasonable" error message if there was a problem fetching or parsing either the discovery document or the JWKS document:: https://rb.dcache.org/r/14248/
Having a configurable trust-store is something that makes sense when OPs start using IGTF certificates. So far, OPs (include atlas-auth.web.cern.ch
) use CA/B certificates, which is available (by default) on most Java distributions.
The documentation has been update on master, with pull-request targeting 9.2: #7554
looks good :-)
Having a configurable trust-store is something that makes sense when OPs start using IGTF certificates. So far, OPs (include atlas-auth.web.cern.ch) use CA/B certificates, which is available (by default) on most Java distributions.
Hmm I personally would have argued the other way round:
With the IGTF bundle we have a strictly limited set of CAs from "our community" (science), which apart from perhaps one or two we can probably trust.
With CA/B - assuming that most people just leave them all enabled – we have ~150 root CAs, probably some thousands of intermediate CAs (which also can do more or less anything), not few of them which have been known in the past for repeatedly ~forging certificates~ "accidentally" release test certificates for completely unrelated domains ... and which are from and thus effectively under the control of totalitarian countries.
That's not only the reason why I disable them all ^^ per default... and stumbled over this in the first place, but also why I think it would make some sense to allow at least specifically configuring the CA (which I guess in most cases will be USERTrust Network via Géant).
Cheers, Chris :-)
Hey.
Took me quite some time today, to find out why oidc authentication failed.
In a line like:
there needs to be some way how to actually authenticate against the OP.
What people in dCache would probably expect is that
/etc/grid-security/
CAs are used for that, which would IMO be the natural and best choice.However, undocumented as it is (or at least I couldn’t find anything about it), it uses the system JKS instead.
And the error message is pretty much encrypted:
And even with
DEBUG
it doesn’t get much better:For security reasons I generally have no certs enabled on our systems.
Knowing that, I had of course already a vague feeling and did actually enable the certs used by ATLAS’ OP, but then I got bitten by https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069251 so until I realised that Debian also does wrong, I thought it couldn’t be the certs.
So from order from the least favourable to the best, I'd say the following would be good to have:
/etc/grid-security/
or what would be even better, make the CA configurable per OPCheers, Chris.