This README describes how you can take advantage of standard LCG VO Box setup and it's services for managing Phedex at your site.

What is a VO Box

VO Box is LCG term describing a server at a site, that is running VO specific services. The OS and other system components on the VO Box are managed by the site admins, while the VO services - by the VO. The VO is fully responsible for everything bad caused by the VO services on the VO box. You may find here the installation instructions for a WLCG VOBOX.

Typical VO BOX setup

Expected on the VO box (provided by a site): host certificate, grid-mapfile, local account (typically cmssgm), production version of LCG/gLite UI, gsissh daemon, proxy-renewal daemon. VO box must be registered with myproxy server at CERNVO box can be also published in BDII. A VO is given access to the VO box via gsissh. The list of allowed to login DNs is provided by the VO, typically it's a set of people defined in VOMS as lcg-admins for this VO. According to the LCG docs, VO boxes can be requested by a VO.

CMS and VO boxes

CMS does not formally require a VO Box. However CMS does require a server on every site for running Phedex. This server is typically managed by a site's CMS contact person. There is no common way of managing a Phedex server (Phedex account, software dir, etc), everybody uses their own following some guidance provided by Phedex README files. Site's people have local login with password, and sometimes they must share the password with other people. They need to store their private certificates and keys on such server, making them vulnerable.

Why VO Boxes are good for CMS

Password-less access to the Phedex server with gsissh.

This is to avoid sharing (an having!) a password. Avoids keeping key and certificates on the server. Other VO experts can login and help with operations and debugging of Phedex and other CMS services. It is even possible not to have a dedicated site person, but just a regional responsible, who will manage few sites - great for federated T2s or T2s with T1 in their country.

Proxy-renewal - LCG gives you the solution against certificate expirations!

Phedex README does show few ways to keep your proxy-certificates from expiring, but they require some non-standard actions, like getting a service certificate etc.

Proxy renewal service in details

The user generates a proxy on some LCG UI using grid-proxy-init. This proxy is used to gsissh to the VO Box. The user generates and stores a long-lived (e.g. one month) proxy on using myproxy-init. Once logged in to the VO Box a user has a login proxy. He uses this login proxy to register his DN with the VO Box Proxy Renewal Service. The proxy generated by the VO-Box Proxy Renewal Service will be called the user proxy. The VO-Box Proxy Renewal Service keeps the user proxy alive by periodically getting a new 12-hours one from the MyProxy server. To authenticate to the latter, it uses the root-owned machine proxy. Phedex (or ProdAgent, or other VO services) running on the VO-Box use the user proxy to run srmcp transfers.

What to do

1) Ask for the VO box from your LCG admins. If you are the admin, set it up one yourself!

2) Ask for one local account (cmssgm) with sufficient space in a home dir, where you will most likely install Phedex.

3) Ask to enable gsissh daemon, put you DN in the grid-mapfile, and DNs of people whom you can trust in managing your box.

4) Ask to configure and start proxy-renewal daemon for VO CMS. It should be started as root, although on start it does "su" and turns into cmssgm.

5) Not to forget - the VO Box needs to be registred with Myproxy server at CERN. Send the host certificate DN to asking to authorize it for proxy renewal on

Working with gsissh

From LCG UI at your site:

LCG UI> grid-proxy-init
LCG_UI> gsissh -p 1975 -l cmssgm

Once logged in, check you proxy:

VO-Box> grid-proxy-info

It should give normal output, listing a valid proxy. Check that $X509_USER_PROXY is also valid and is pointing to your proxy cert in /tmp. Hint: you may need to put calling LCG init script in your login scripts for cmssgm.

Testing proxy renewal service

Uploading you proxy to the MyProxy server

LCG-UI> export GT_PROXY_MODE=rfc
LCG-UI> myproxy-init -s -d -n -t 48 -c 720


use the user's certificate subject as username
use this particular MyProxy server. This is the one all VO-Boxes are registered to.
allow retrieval of a proxy without a password (this option is not documented in myproxy-init man page)
-c 720
Lifetime, in hours, of the MyProxy stored in the server. This value (one month) is a suggestion. The proxy renewal daemon running on the VO Box will try to warn you (by email) some time before the expiration date (see below).
-t 48
The maximum lifetime of derived proxies

Registering your proxy for renewal with the proxy renewal deamon at the VO Box

VO-Box> vobox-proxy --vo cms --proxy-safe 3600 --myproxy-safe 259200 --email <email> register


Triggers email to specified address when the timeleft of user proxy is less then given argument. This should never happened as long as everything is working.
Triggers email to specified address when the timeleft of the proxy in MyProxy server is less then given argument. This is what will happen to you. The lifetime of the proxy in MyProxy server is specified by -c option of myproxy-init.

Once received such alert, you should redo myproxy-init again.

VO-Box> vobox-proxy --vo cms -dn all query

Should list you all user proxies registered for renewal on your VO BOX, including yours (hopefully). Also check the location of the user proxy: /opt/vobox/cms/proxy_repository. It should contain a file with name made up of your DN.

VO-Box> vobox-proxy --vo cms unregister

This is to tell the proxy-renewal daemon not to update your proxy anymore.

Setting up Phedex to use proxy renewal

Almost nothing to do! In the Phedex config file put the location of the proxy where renewal daemon keeps it:

export X509_USER_PROXY="/opt/vobox/cms/proxy_repository/+2fO+3dGRID-FR+2fC+3dFR+2fO+3dCNRS+2fOU+3dCC-LYON+2fCN+3dArtem+20Trunov+2fCN+3dproxy";

Fire up Phedex - all set!

VO Box etiquette

You let some people login to your VO Box, you expect them to help, but you help them too. Put in the login script some README info about setup of your Phedex and other CMS software:

- Where is Phedex installed? Logs?

- Where is your SITECONF?

- Who is primary CMS support person on the site?

- Other usefull things for someone who is not routinely managing your Phedex.

Always notify primary CMS site support person about what you did if you changed something.

Other information

Check out Alice Wiki page describing proxy-renewal business. This manual used parts of it and the credit goes to Stefano Bagnasco of INFN-Torino.

-- Main.trunov - 08 May 2007

Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r8 - 2015-06-16 - NicoloMagini
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    CMSPublic All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback