Trust
This page is the central source for all ESG Federation trust root information. It provides a distribution of all trust roots that need to be trusted by Gateways and Data Nodes that participate in the ESG Federation.
This is the collection of CA certificates trusted by ESG Federation services:
Certificate Hash | Certificate DN |
246d7a36 | /O=ESG-CET/OU=NCAR/OU=simpleCA-vetswebprod.ucar.edu/CN=ESG-NCAR CA |
272a3167 | /O=Grid/OU=GlobusTest/OU=simpleCA-wawona.ca.sandia.gov/CN=Globus Simple CA |
2d96ae6d | /O=ESG/OU=ESG-JPL/CN=jpl-esg.jpl.nasa.gov |
1d552c87 | /O=ESG/OU=ESG-ANL/OU=www.esg.anl.gov/CN=ANL Gateway CA |
30ffc224 | /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01 |
02b2d53d | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 |
25552524 | /O=ESG/OU=ESG-NCAR/OU=vetswebprod.ucar.edu/CN=NCAR Gateway CA |
12d0da68 | /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 |
7cef5492 | /C=AU/O=APACGrid/OU=CA/CN=APACGrid/[email protected] |
f081611a | /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority |
241a8801 | /C=US/ST=IL/L=Chicago/O=ANL/OU=ESG/CN=dev.esg.anl.gov |
f131b364 | /C=US/O=GeoTrust, Inc./CN=RapidSSL CA |
3513523f | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA |
971d4d32 | /O=Grid/OU=GlobusTest/OU=simpleCA-esgf.nccs.nasa.gov/CN=Globus Simple CA |
6425fbc5 | /O=Grid/OU=GlobusTest/OU=simpleCA-adm07.cmcc.it/CN=Globus Simple CA |
157753a5 | /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root |
d2f4a5b9 | /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi6.llnl.gov/CN=Globus Simple CA |
563d35fe | /O=Grid/OU=GlobusTest/OU=simpleCA-esg01.nersc.gov/CN=Globus Simple CA |
f18deb20 | /O=ESG/OU=ESG-NERSC/OU=esg.nersc.gov/CN=NERSC Gateway CA |
eb99629b | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 |
812e17de | /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 |
578d5c04 | /C=US/O=Equifax/OU=Equifax Secure Certificate Authority |
542ea116 | /O=Grid/OU=GlobusTest/OU=simpleCA-esg2.nci.org.au/CN=Globus Simple CA |
4f654c5b | /O=ESGF/OU=JPL/CN=ESG JPL Test CA |
de6347de | /O=Grid/OU=GlobusTest/OU=simpleCA-esg2.mgmt/CN=Globus Simple CA |
8722d9d5 | /C=AU/postalCode=0200/ST=ACT/L=Canberra/street=Cnr Garran and Ward Roads/O=The Australian National University/OU=DOI/CN=esg.nci.org.au |
5de29f67 | /O=ESGF/OU=esg-datanode.jpl.nasa.gov/CN=NASA JPL |
b1159c4c | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA |
d1f1d944 | /O=ESGF/OU=ESGF.ORG/OU=DKRZ/CN=esgf-data.dkrz.de |
6d330c32 | /O=Grid/OU=Globus/OU=bvlpenes.knmi.nl/CN=Globus Simple CA |
1ec4d31a | /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network |
dfc28aa6 | /C=DE/O=Deutsches Klimarechenzentrum GmbH/CN=DKRZ CA - G02/[email protected] |
42a8256f | /C=AU/postalCode=0200/ST=ACT/L=Canberra/street=Cnr Garran and Ward Roads/O=The Australian National University/OU=DOI/CN=esgnode1.nci.org.au |
ab21bdac | /serialNumber=ciWxj3m6pqiqdUPU1xMPnzHSpiF6F1ZS/C=US/O=esg-gateway.jpl.nasa.gov/OU=GT59609478/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=esg-gateway.jpl.nasa.gov |
9d0a75f2 | /O=Grid/OU=GlobusTest/OU=simpleCA-esgf-node.ipsl.fr/CN=Globus Simple CA |
46117fcc | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 |
244b5494 | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA |
99b0865c | /C=AU/O=AusCERT/OU=Certificate Services/CN=AusCERT Server CA |
3262c85d | /O=ESGF/OU=ESGF.ORG/CN=esg.bnu.edu.cn |
226b9045 | /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi3.llnl.gov/CN=Globus Simple CA |
dd6acc3f | /O=ESG/OU=ESG-ORNL/OU=NCCS/CN=esg2-gw.ccs.ornl.gov |
2fafbae8 | /C=GB/O=Science and Technology Facilities Council/OU=RAL-SPBU/CN=ceda.ac.uk |
598630ad | /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 |
7ed47087 | /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root |
28e46182 | /O=ESGF/OU=ESGF.ORG/CN=esg.ccs.ornl.gov |
d9be2151 | /C=NL/O=TERENA/CN=TERENA SSL CA |
6107e209 | /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01 |
7162f3c9 | /O=Grid/OU=GlobusTest/OU=simpleCA-esg.nci.org.au/CN=Globus Simple CA |
cbf06781 | /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 |
7c60f3f7 | /C=DE/O=DKRZ/OU=WDCC/CN=ESG-DKRZ ipcc-ar5 |
993715d8 | /DC=uk/DC=ac/DC=ceda/O=STFC RAL/CN=Centre for Environmental Data Archival |
0119347c | /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1 |
06c34218 | /O=Grid/OU=GlobusTest/OU=simpleCA-dev-hydra.esrl.pri/CN=Globus Simple CA |
746ef087 | /O=Grid/OU=GlobusTest/OU=simpleCA-dev.esg.anl.gov/CN=Globus Simple CA |
241a8801 | /C=US/ST=IL/L=Chicago/O=ANL/OU=ESG/CN=dev.esg.anl.gov |
c4949a23 | /O=Grid/OU=GlobusTest/OU=simpleCA-esg.ccs.ornl.gov/CN=Globus Simple CA |
439ce3f7 | /C=UK/O=eScienceSLCSHierarchy/OU=Authority/CN=SLCS Top Level CA |
52440ff8 | /O=Grid/OU=GlobusTest/OU=simpleCA-pcmdi.llnl.gov/CN=Globus Simple CA |
6e5da70c | /C=DE/O=DKRZ/OU=WDCC/CN=ESG-DKRZ CA (albedo2) |
b204d74a | /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 |
b13cc6df | /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware |
530f7122 | /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B |
Available here is a link to a gzip-compressed tar archive of all of these CA certificates and signing policy files.
For your convenience, a truststore containing the above certificates has also been created.
This section briefly discusses how to consume the above tarball archive. First, download it and verify that its md5sum matches the above listing. Then extract it to a temporary directory and copy the contents to /etc/grid-security/certificates. An example of the commands used to do this could look something like this:
neillm@boiler:~$ cd /tmp
neillm@boiler:/tmp$ mkdir TMPCERTS
neillm@boiler:/tmp$ cd TMPCERTS/
neillm@boiler:/tmp/TMPCERTS$ wget --no-check-certificate https://rainbow.llnl.gov/dist/certs/esg-trusted-certificates.tar
--2010-08-23 09:05:06-- https://rainbow.llnl.gov/dist/certs/esg-trusted-certificates.tar
Resolving rainbow.llnl.gov... 198.128.245.140
Connecting to rainbow.llnl.gov... 198.128.245.140... :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14250 (14K) [application/x-tar]
Saving to: `esg-trusted-certificates.tar'
100%[==============================================================================>] 14,250 --.-K/s in 0.02s
2010-08-23 09:05:06 (609 KB/s) - `esg-trusted-certificates.tar' saved [14250/14250]
neillm@boiler:/tmp/TMPCERTS$ md5sum esg-trusted-certificates.tar
[ MAKE SURE THIS VALUE MATCHES THE ONE LISTED ABOVE ]
neillm@boiler:/tmp/TMPCERTS$ tar -xf esg-trusted-certificates.tar
neillm@boiler:/tmp/TMPCERTS$ sudo cp esg-trusted-certificates/* /etc/grid-security/certificates/
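Because the download above runs with `--no-check-certificate`, the md5sum comparison is the only integrity check on the archive before its contents reach /etc/grid-security/certificates. The following is an added example, not part of the original page: it checks the digest, rejects archive members that are absolute, contain `..`, or are not plain files or directories, and only then extracts into a staging directory. The function names and the three arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check the trust-root archive
# before anything is copied into /etc/grid-security/certificates.
# Function names and argument order are assumptions made for this example.

# verify_md5 FILE EXPECTED_MD5 -> 0 only if the file's digest equals EXPECTED_MD5
verify_md5() {
    local actual
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# unsafe_members TARBALL -> prints every member that could write outside the
# extraction directory: absolute names, ".." components, links, devices.
unsafe_members() {
    # -P lists names exactly as stored, without stripping a leading "/"
    { tar -tPf "$1" | grep -E '^/|(^|/)\.\.(/|$)'; } || true
    # In the verbose listing the first character is the member type;
    # only regular files (-) and directories (d) are acceptable here.
    { tar -tvf "$1" | grep -Ev '^[-d]'; } || true
}

# stage_trust_roots TARBALL EXPECTED_MD5 STAGE_DIR
# Returns 1 on digest mismatch, 2 on unreadable archive, 3 on unsafe members.
stage_trust_roots() {
    local tarball=$1 expected=$2 stage=$3 bad
    if ! verify_md5 "$tarball" "$expected"; then
        echo "md5 mismatch for $tarball" >&2; return 1
    fi
    if ! tar -tf "$tarball" >/dev/null 2>&1; then
        echo "cannot read $tarball as a tar archive" >&2; return 2
    fi
    bad=$(unsafe_members "$tarball")
    if [ -n "$bad" ]; then
        printf 'refusing to extract, unsafe members:\n%s\n' "$bad" >&2; return 3
    fi
    mkdir -p "$stage" && tar -xf "$tarball" -C "$stage" --no-same-owner
}

# Usage: script.sh esg-trusted-certificates.tar <md5 from the listing> /tmp/TMPCERTS/stage
if [ "$#" -eq 3 ]; then
    stage_trust_roots "$@"
fi
```

After a successful run, review the staged files and copy them into place with the `sudo cp` step shown above.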
To use the trust store provided above, it must be configured for your Java environment (which can be done in a number of ways). Assuming you're using Tomcat, it should be downloaded and referenced from your Tomcat configuration as shown below. If you're using it from another Java application, see the command line configuration below that.
Either way, start by downloading the trust store file and verifying the md5sum:
neillm@boiler:/tmp/TMPCERTS$ wget --no-check-certificate https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
--2010-08-24 08:15:56-- https://rainbow.llnl.gov/dist/certs/esg-truststore.ts
Resolving rainbow.llnl.gov... 198.128.245.140
Connecting to rainbow.llnl.gov... 198.128.245.140... :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 82872 (81K) [text/texmacs]
Saving to: `esg-truststore.ts'
100%[==============================================================================>] 82,872 --.-K/s in 0.09s
2010-08-24 08:15:56 (863 KB/s) - `esg-truststore.ts' saved [82872/82872]
neillm@boiler:/tmp/TMPCERTS$ md5sum esg-truststore.ts
In Tomcat, to configure the usage of a particular trust store file, you need to modify the $CATALINA_HOME/conf/server.xml file. Find the relevant connector section and edit it by adding the paths to the trust store and keystore used. An example section looks like this:
<Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="/PATH/TO/TOMCAT/mykeystore.ks" keystorePass="KEYSTORE-PASSWORD"
truststoreFile="/PATH/TO/TOMCAT/esg-truststore.ts" truststorePass="TRUSTSTORE-PASSWORD" />
After making this configuration change, you need to stop and start Tomcat by running the $CATALINA_HOME/bin/catalina.sh script.
For other command line Java applications, to configure the usage of a particular trust store, you need to modify the $JAVA_OPTS environment variable to include a pointer to the new trust store. An example of this is shown here:
neillm@boiler:/tmp/TMPCERTS$ export JAVA_OPTS="-Djavax.net.ssl.trustStore=/tmp/TMPCERTS/esg-truststore.ts -Djavax.net.ssl.trustStorePassword=TRUSTSTORE-PASSWORD $JAVA_OPTS"
See Accepted OpenID IdP Endpoint Table
DN |
CN=ceda.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB |
CN=esg-datanode.jpl.nasa.gov, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT25821476, O=esg-datanode.jpl.nasa.gov, C=US, serialNumber=ROF2RAfDrdcNrCcL4KQEH0-uHPVwt-lK |
CN=esg-gateway.jpl.nasa.gov, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT59609478, O=esg-gateway.jpl.nasa.gov, C=US, serialNumber=1DfLTHkkGVP1MEf8YZcSQrs4iIRBLY2Y |
CN=www.earthsystemgrid.org, OU=University Corporation for Atmospheric Research, O=University Corporation for Atmospheric Research, L=Boulder, ST=Colorado, C=US |
CN=pcmdi3.llnl.gov, OU=ESG-PCMDI, O=Lawrence Livermore National Laboratory, L=Livermore, ST=California, C=US |
CN=openid.ornl.gov, O=Oak Ridge National Laboratory, L=Oak Ridge, ST=Tennessee, C=US |
CN=esg2-gw.ccs.ornl.gov, OU=OLCF, O=Oak Ridge National Laboratory, L=Oak Ridge, ST=Tennessee, C=US |
CN=esg.nersc.gov, OU=ESG-NERSC, O=ESG, L=Berkeley, ST=CA, C=US |
CN=ipcc-ar5.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
CN=esg.nci.org.au, OU=DOI, O=The Australian National University, L=Canberra/streetAddress=Cnr Garran and Ward Roads, ST=ACT, C=AU/postalCode=0200 |
CN=ANL Gateway CA, OU=www.esg.anl.gov, OU=ESG-ANL, O=ESG |
CN=ANL Gateway CA, OU=www.esg.anl.gov, OU=ESG-ANL, O=ESG |
See Accepted Gateway Endpoint Table
Organization | Attribute Service Endpoint | Authorization Service Endpoint | Authorization Authority DN |
N/a | |||
N/A |
See Accepted Gateway/MyProxy Endpoint Table
Organization | DN |
CN=Centre for Environmental Data Archival, O=STFC RAL, DC=ceda, DC=ac, DC=uk | |
CN=Globus Simple CA, OU=simpleCA-pcmdi3.llnl.gov, OU=GlobusTest, O=Grid | |
CN=jpl-esg.jpl.nasa.gov, OU=ESG-JPL, O=ESG | |
CN=ESG-NCAR CA, OU=simpleCA-vetswebprod.ucar.edu, OU=NCAR, O=ESG-CET | |
CN=NCAR Gateway CA, OU=vetswebprod.ucar.edu, OU=ESG-NCAR, O=ESG | |
CN=esg2-gw.ccs.ornl.gov, OU=NCCS, OU=ESG-ORNL, O=ESG | |
CN=ESG-DKRZ ipcc-ar5, OU=WDCC, O=DKRZ, C=DE | |
CN=ESG-DKRZ CA (albedo2), OU=WDCC, O=DKRZ, C=DE | |
CN=NERSC Gateway CA, OU=esg.nersc.gov, OU=ESG-NERSC, O=ESG | |
CN=esg.nci.org.au, OU=DOI, O=The Australian National University, L=Canberra/streetAddress=Cnr Garran and Ward Roads, ST=ACT, C=AU/postalCode=0200 | |
CN=ANL Gateway CA, OU=www.esg.anl.gov, OU=ESG-ANL, O=ESG | |
CN=Globus Simple CA, OU=simpleCA-dev.esg.anl.gov, OU=GlobusTest, O=Grid |
See Accepted Datanode Endpoint Table
DN |
CN=cmip1.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
CN=cmip2.dkrz.de, OU=WDCC, O=DKRZ, C=DE |
CN=esgnode1.nci.org.au, OU=DOI, O=The Australian National University, L=Canberra/streetAddress=Cnr Garran and Ward Roads, ST=ACT, C=AU/postalCode=0200 |
CN=cmip-dn.badc.rl.ac.uk, OU=RAL-SPBU, O=Science and Technology Facilities Council, C=GB |
CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE |
CN=TERENA SSL CA, O=TERENA, C=NL |
CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com/, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US |
CN=esg-datanode.nersc.gov, OU=ESG-NERSC, O=ESG, L=Berkeley, ST=CA, C=US |
CN=esg-datanode.jpl.nasa.gov, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT25821476, O=esg-datanode.jpl.nasa.gov, C=US, serialNumber=ROF2RAfDrdcNrCcL4KQEH0-uHPVwt-lK |
C=US, ST=IL, O=ESG, OU=ANL, CN=esg.anl.gov |
CN=Globus Simple CA, OU=simpleCA-dev.esg.anl.gov, OU=GlobusTest, O=Grid |