ARC Deployment beyond the WLCG scope

ARC-CE only accepting non-igtf tokens

This scenario is for ARC-CE sites that only accept client requests using tokens issued by one of the CAs included in your system's CA bundle, or by any other non-igtf CA. In other words: non-igtf tokens and no x509 user certificates. This could be relevant for distributed computing sites set up for user communities other than WLCG. In this scenario you would not do the arcctl deploy igtf-ca step which is included in the typical setup of a production-ready ARC-CE.

Currently this requires configuration changes both on the ARC-CE and on the ARC client.

Note

The ARC-CE cannot be configured to use both system CAs and igtf CAs, as openssl only looks in one location for authentication. If you also need an ARC-CE that accepts the traditional igtf certificates you must set up a separate ARC-CE for this.

ARC-CE config settings

The host certificate should be a plain ssl host certificate (not a grid certificate), installed in the default certificate location, which on a Rocky Linux 9 server is e.g. /etc/pki/tls/certs for the certificate and /etc/pki/tls/private for the key. The paths will depend on your OS.

To tell your ARC-CE to use system certificates instead of igtf, add the following in the [common] block in arc.conf:

[common]
x509_cert_policy = system

ARC client config settings

If, on the client side, the CA certificates are stored in the SSL default location, add the following to ~/.arc/client.conf:

causedefault=1

How to install new CA

To accept a token from a CA not included in the default system CAs, the admin must manually add that root CA to the OS's default CA directory.

Download the needed root CA certificate, in this example GEANTOVECCCA4:

wget http://GEANT.crt.sectigo.com/GEANTOVECCCA4.crt

Convert it to PEM format:

openssl x509 -inform DER -in GEANTOVECCCA4.crt -out GEANTOVECCCA4.pem -outform PEM

Create the hash link (in the OS default CA directory where you placed the PEM file, since openssl looks the CA up by this hashed name):

ln -s GEANTOVECCCA4.pem $(openssl x509 -hash -noout -in GEANTOVECCCA4.pem).0

In the same fashion you will need to install the root CAs of any other token issuers you want to trust, if they are not already included in your CA bundle.

How to install an ssl host certificate

In the scenario showcased here it would be natural for your ARC-CE to have a normal ssl host certificate instead of the traditional igtf one. The example below shows how to install this certificate correctly for ARC. You will also need to install the corresponding root CA of this certificate as per the instructions above, if it is not already included in your CA bundle.

Order an ordinary ssl host certificate (i.e. not a grid one). Once obtained, create a hostcert concatenated with the intermediate certificate (if no bundle is provided). We are assuming the default locations /etc/pki/tls/certs and /etc/pki/tls/private in the following example.

cat example.com.crt > hostcert.pem
cat intermediate.crt >> hostcert.pem
sudo cp hostcert.pem /etc/pki/tls/certs/
sudo cp hostkey.pem /etc/pki/tls/private/

Create a hash link for the hostcert:

cd /etc/pki/tls/certs
sudo ln -s hostcert.pem $(openssl x509 -hash -noout -in hostcert.pem).0

Verify the host certificate (assumes the root CA was installed in the previous step):

openssl verify /etc/pki/tls/certs/hostcert.pem
/etc/pki/tls/certs/hostcert.pem: OK

You should now be all set to use your ordinary ssl host certificate for the ARC-CE.