VOMS FAQs

Purpose of this page is to help when you need to contact VOMS Admin server but have problems. If you look for a general introduction to how to get a certificate, a VOMS membership, use those with CMSWEB and/or CRAB etc., please look in the CMS Offline Workbook at WorkBookStartingGrid#BasicGrid

VOMS vs. CMSWEB/CRAB/SiteDB

My VOMS membership is OK but still I can't access CMSWEB or CRAB commands fail with a SiteDB error

If you have problems with your certificate-to-username mapping as needed to access to CMSWEB (what's usually called SiteDB) you should check https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB and in particular https://twiki.cern.ch/twiki/bin/view/CMS/SiteDBForCRAB#Warning

I need to register in SiteDB

See above answer

Contacting VOMS server via the browser

Common Actions

I need to re-sign my AUP

I have a new (different !) certificate

  • different is what matters. If you renew your certificate (usually needed every year) and new one has the same DN, no action is needed
  • if you switch to a new DN becasue you decided to use a different CA or changed your name or whatever, you need the actions below
    • Important: do not create a new membership ! If you visit VOMS Admins web page using your new certificate, it will see that it does not know it and will prompt you to register as a new user. Having multiple membership for the same physical person in unfortunately possible, but tricky to properly manage, additionally, besides very very few special use cases, it is never useful and usually it only leads to confusion and errors.
    • what you should do is to add your certificate to your current membership. Then VOMS will accepts either certificate on equal grounds and you can safely stop using one as convenient for you. Later you can delete old certificates at your leisure simply to keep things tidy.

Add a new certificate to my membership

  1. make sure that you still have the old certificate (the one which VOMS knows you by) in your browser, so that you can authenticate to VOMS as a member
  2. make sure you have made the PEM files from your new certificate (see this link )
  3. go to your VOMS home page and scroll down a bit until you can select the "add new certificate" button as in the screeshot below (or use this quick link: https://lcg-voms2.cern.ch:8443/voms/cms/user/add-certificate.action )
    VOMS-add-an-additional-certificate.png
  4. you will be directed to this page where you should upload a PEM encoded certificate (see the blue pointer)
    VOMS-certificate.png
  5. do not try to Enter a DN, CA couple, it is difficult to do it right
    VOMS-add-certificate-1.png
  6. select the usercert.pem file which you created in the first step, like this
    VOMS-upload-pem.png
  7. the request to add the certificate will be sent to CMS VOMS Administrators which will approve (unfortunately we do not have a way to take humans off this loop)

Common Problems

Basic help

  • The CERN CA web page at https://ca.cern.ch/ca/ has an HELP tab in which points to very useful, even browser specific, information. Look there first.

Can not open VOMS home page in my browser

there can be many reasons, here are some debugging tips. If you are an expert with little time, jump to #QuickTroubleshoot

Wrong URL

Browser issues

Browser kind ?

  • We recommend to use a recent version of Firefox. There is little to no experience with e.g. Safari among CMS VOMS administrators. Chrome has sometimes it's own view of what security should mean and can cause trouble. Feel free to use it, but in case of problems, first try Firefox.

Personal certificate ?

  • Make sure you have a valid personal certificate in your browser and that you load and trust CERN root certificates in there. Instructions for various browsers can be find here : https://cafiles.cern.ch/cafiles/certificates/list.aspx?ca=grid
    • If you have and expired certificate in your browser, you will get the same errors as if you have none. Always make sure that you keep the certificate in your browser up to date whenever you get a new one from your CA
    • some more tips for Safari can be found here, note that nor CMS nor CERN maintains this page : https://www.racf.bnl.gov/docs/howto/grid/osxcertmgmt

Security Exception ?

  • If the page says "This Connection is Untrusted" or similar, you may try the shortcut offered at the last line of the same page, "I Understand the Risks" as in reality there is no risk to try. Click it, and from the next page select "Add Exception". The sub-page will ask you to "Confirm Security Exception". So you confirm, and you should be able to get in.

firewall ?

  • Check your firewall and http proxy settings

cookies ?

  • Clear the History, Cache and Cookies of Firefox and restart the browser

Antivirus ?

  • Beware your Antivirus. We have seen cases in which an antivirus tool (usually Avast Antvirus) interferes with the browser making it impossible to securely connect to servers even if you trusted all CERN CA's as indicated above. For details and cure see this ticket

Certificate issues

  • Make sure you have imported your current personal certificate in your browser (i.e the one you want to be registered as CMS VO member)

Test page

Error messages and screenshots of common problems

PR_END_OF_FILE_ERROR in Firefox

  • Recen versions of Firefox print this very obscure message when simply there is no valid user certificate in the browser (see screenshot below). Please make sure you have your (valid) certificate installed in Firefox.

Check for SSL problem

  • Go to VOMS Admin home page at: https://voms2.cern.ch:8443 This page does not require a certificate, but will verify that your browser is capable of an SSL (authenticated) session and you have no firewall problems. You should see this

Voms home

Check your certificate

  • Starting from the VOMS Admin home page above, click on cms Most common problems will be one of the following screenshots
No certificate (or expired certificate) in your browser (older browsers)

Voms home No Certificate
No certificate (or expired certificate) in your browser (newer versions e,g, Firefox 68 ))

Voms home No Certificate
Valid certificate not known to VOMS yet

Voms home Not Member

Check your certificate using the Certificate Info tab in VOMS page

  • You will see one of the following possibilities:
1 No valid certificate in your browser (older Firefox version)

Voms Cert Info No Certificate
2 No valid certificate in your browser (newer Firefox versions)

Voms Cert Info No Certificate
3 Valid certificate, but not known to VOMS

Voms Cert Info Not Member
4 All OK

Voms Cert Info OK

Still need help

  • It is impossible to help based on reports like "I got error" or "this link does not work".

  • If you need to report a problem to support, provide the specific and details error messages you get, possibly attaching screenshots. And describe the diagnostics steps you already took and what they produced.

The connection to voms2.cern.ch:8443 was interrupted while the page was loading

  • this is usually due to using http in place of https, see #Wrong_URL above
  • there are also cases where a simply browser restart can fix it

I get an empy page when connecting to VOMS

  • this is most likely a browser issue, se #Browser_issues above
  • it is also possible that the VOMS server was temporarely overloaded, try the other equivalent URL ( see #Wrong_URL above ) and try again after some random time. If problem persists contact support (see #Still_need_help above)

Can not open VOMS page (quick guide for experts)

  1. Make sure the personal certificate is in your browser (and please use Firefox or Chrome, other browsers are known to have issues) and that the certificate is valid:
    • From the generic part of the Firefox (similar on Chrome) follow the chain: Firefox -> Preferences ->  Advanced -> Encryption ->  View certificates  -> “Your Certificates” there, check that the certificate you want to use has a date for “Expires” which is in the future.

  1. If not, you have to get a new one from any of the Certificate Authorities (CA), for example from CERN: https://ca.cern.ch/ca/

  1. Then try again the "re-sign Grid usage rules" (see FAQ above about signing AUP)

Contacting VOMS server via the voms-proxy-init command

Your grid certificate needs to be present in two places:

  • the VOMS server, via the registration as VO member (see above)
  • the ~/.globus directory in the machine which you use to issue the voms-proxy-init command.
Most problems originate from having different certificates listed in those places, usually as a result of an incomplete attempt to update to a new certificate.

Typical error messages in those cases are:

  • cms: User unknown to this VO.
  • User credential is not valid!

You can verify what you have in ~/.globus with the command

  • openssl x509  -subject -dates -noout  -in ~/.globus/usercert.pem

You should compare the Subject it prints with what you used when registering in VOMS. If you need help in figuring out, please send the output of that command toghether with the one from voms-proxy-init -voms cms

-- AndreasPfeiffer

Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng VOMS-CertInfo-nocert.png r1 manage 47.8 K 2016-10-10 - 17:24 StefanoBelforte  
PNGpng VOMS-CertInfo-notmember.png r1 manage 69.4 K 2016-10-10 - 17:24 StefanoBelforte  
PNGpng VOMS-Certinfo-nocert-2.png r1 manage 41.3 K 2019-08-12 - 19:29 StefanoBelforte  
PNGpng VOMS-add-an-additional-certificate.png r1 manage 227.0 K 2018-02-07 - 13:56 StefanoBelforte  
PNGpng VOMS-add-certificate-1.png r1 manage 55.2 K 2018-02-07 - 14:58 StefanoBelforte  
PNGpng VOMS-add-certificate.png r1 manage 38.6 K 2018-02-07 - 14:57 StefanoBelforte  
PNGpng VOMS-certinfo-OK.png r1 manage 70.1 K 2016-10-10 - 17:24 StefanoBelforte  
PNGpng VOMS-home-newcert.png r1 manage 66.9 K 2016-10-10 - 17:35 StefanoBelforte  
PNGpng VOMS-nocert-2.png r1 manage 41.3 K 2019-08-12 - 19:37 StefanoBelforte  
PNGpng VOMS-nocert.png r1 manage 49.5 K 2016-10-10 - 17:24 StefanoBelforte  
PNGpng VOMS-upload-pem.png r1 manage 85.5 K 2018-02-07 - 14:58 StefanoBelforte  
PNGpng VOMSAdminHOME.png r1 manage 70.8 K 2016-10-10 - 17:24 StefanoBelforte  
Edit | Attach | Watch | Print version | History: r25 < r24 < r23 < r22 < r21 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r25 - 2019-08-12 - AndreasPfeiffer
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    CMSPublic All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright &© 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback