EGEE Web>CertificationReportForPatch4609 (2011-01-29, unknown)

EditAttachPDF

Certification report for patch 4609

Certification report for patch 4609

Savannah patch

https://savannah.cern.ch/patch/?4609

Clean installation

Starting from an SL5, X86_64 clean installation.

cd /etc/yum.repos.d/
wget <repo listed in the patch>
yum update
yum install glite-VOMS_oracle

YUM clean installation log.

Upgrade from production

Starting from a working gLite 3.2 VOMS production installation.

YUM upgrade log.

After shutting down tomcat and cleaning up work directories:

service tomcat5 stop
rm -rf $CATALINA_HOME/webapps/*
rm -rf $CATALINA_HOME/work/*
service tomcat5 start

The installation is reconfigured via YAIM and works as expected.

YAIM upgrade log.

Configuration

Oracle

Install oracle-instantclient-basic RPM as downloaded from the oracle website.

http://download.oracle.com/otn/linux/instantclient/10204/oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm

yum localinstall oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm

YAIM

site-info.def:

VOMS_DB_TYPE="oracle"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.oracle"
ORACLE_CLIENT="/usr/lib/oracle/10.2.0.4/client64"

services/glite-voms:

VOMS_HOST=cert-voms-01.cnaf.infn.it 

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
VOMS_ADMIN_CERT=/root/andreacert.pem

VOMS_DB_DEPLOY=true
ORACLE_CONNECTION_STRING="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST = voms-db-02.cr.cnaf.infn.it)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME = vomsdb2.cr.cnaf.infn.it)))"

VO_CERT_ORACLE_VOMS_PORT=15000
VO_CERT_ORACLE_VOMS_DB_USER=admin_25
VO_CERT_ORACLE_VOMS_DB_PASS=***

YAIM clean installation log.

VOMS Admin

Add host certificate as administrator to the VO:

root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py add-admin --vo cert.oracle --cert /etc/grid-security/hostcert.pem 
Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' not found. It will be created...
Adding ALL permissions on '/cert.oracle' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
Adding ALL permissions on role '/cert.oracle/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'

Certification

Basic checks

Check that VOMS admin responds:

[root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
No users found in vo

Create personal user:

[root@cert-voms-01 ~]# voms-admin --vo cert.oracle create-user andreacert.pem 
[root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti, /C=IT/O=INFN/CN=INFN CA - andrea.ceccanti@cnaf.infn.it

Create VOMS proxy:

[andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.oracle
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
Creating temporary proxy ............................................ Done
Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.oracle" Done
Creating proxy ......................................... Done
Your proxy is valid until Sat Jan 29 22:25:53 2011
[andrea@voms-rd02-21 ~]$ voms-proxy-info -all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
type      : proxy
strength  : 1024 bits
path      : /tmp/x509up_u503
timeleft  : 11:59:55
=== VO cert.oracle extension information ===
VO        : cert.oracle
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it
attribute : /cert.oracle/Role=NULL/Capability=NULL
timeleft  : 11:59:55
uri       : cert-voms-01.cnaf.infn.it:15000

Remove personal user:

root@cert-voms-01 ~]# voms-admin --vo cert.oracle delete-user andreacert.pem
[root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
No users found in vo!

Attempt proxy creation for non-existing user:

[andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.oracle
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
Creating temporary proxy ..................................... Done
Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.oracle" Failed

Error: User is currently suspended!
Suspension reason: 0OCI_NO_DATA SELECT suspended_reason FROM certificate WHERE subject_string = :1 AND ca_id = :2 AND suspended != 0 1 = '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti]), 2 = '

None of the contacted servers for cert.oracle were capable
of returning a valid AC for the user.

Here VOMS confuses a non-existing user with a suspended one. See savannah bug 77550

. I don't this is a stopper for this certification.

VOMS Admin test suite

Test VOMS-addMember   - OK
Test VOMS-assignRole   - OK
Test VOMS-crAttribute   - OK
Test VOMS-crGroup   - OK
Test VOMS-crRole   - OK
Test VOMS-crUser   - OK
Test VOMS-crUserNocert   - OK
Test VOMS-delAttribute   - OK
Test VOMS-delGroup   - OK
Test VOMS-delGroupAttribute   - OK
Test VOMS-delRole   - OK
Test VOMS-delRoleAttribute   - OK
Test VOMS-delUser   - OK
Test VOMS-delUserAttribute   - OK
Test VOMS-dismissRole   - OK
Test VOMS-listAttributes   - OK
Test VOMS-listGroupAttributes   - OK
Test VOMS-listGroups   - OK
Test VOMS-listMembers   - OK
Test VOMS-listRoleAttributes   - OK
Test VOMS-listRoles   - OK
Test VOMS-listSubGroups   - OK
Test VOMS-listUserAttributes   - OK
Test VOMS-listUserGroups   - OK
Test VOMS-listUserRoles   - OK
Test VOMS-listUsers   - OK
Test VOMS-listUsrWithRol   - OK
Test VOMS-removeMember   - OK
Test VOMS-setGroupAttribute   - OK
Test VOMS-setRoleAttribute   - OK
Test VOMS-setUserAttribute   - OK

VOMS Admin cli testsuite execution log.

Attached bugs

VOMS Admin gives terrifying error message when database is not reachable (https://savannah.cern.ch/bugs/?45425)

Less messages are printed by default by loggers. Logging configuration can be tuned by changing the verbosity of logger

<logger name="com.mchange" level="ERROR" />

to the WARN, INFO, DEBUG levels in $GLITE_LOCATION_VAR/etc/voms-admin/<VO_NAME>/logback.runtime.xml for the VO logs and in $GLITE_LOCATION/share/voms-admin/tools/classes/logback.xml for the database deploy scripts.

The voms-db-deploy.py utility also provides a method to check the connectivity to the database:

[root@cert-voms-01 classes]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Connections could not be acquired from the underlying database!

===========================================================================================================================
Error connecting to the voms database! Check your database settings and ensure that the database backend is up and running.
============================================================================================================================

VOMS Admin background tasks are not resilient to transient database failures (https://savannah.cern.ch/bugs/?45567)

Fixed.

VOMS Admin should provide a way to see and manage unconfirmed request (https://savannah.cern.ch/bugs/?55988)

Fixed. Now VOMS Admin shows requests waiting for user confirmation in the admin home page.

[VOMS-ADMIN-2.5] Unhandled exception on adding ACL for a non-VO member (https://savannah.cern.ch/bugs/?60323)

Fixed. Now validation is performed correctly.

VOMS-Admin shows error to VO applicant if there is an SMTP error delivering a notification to a VO-admin (https://savannah.cern.ch/bugs/?62266)

Fixed.

Membership expiration date format problem (https://savannah.cern.ch/bugs/?68966)

Fixed. Now the date can be set only using the datepicker control and the formatting respects the locale set for the application.

[VOMS-Admin] There are possible vulnerabilities in VOMS-Admin (https://savannah.cern.ch/bugs/?76587)

Fixed.

[VOMS] yaim voms ships confusing template configuration files (https://savannah.cern.ch/bugs/?76610)

Fixed.

[VOMS Admin] User request forms do not work as expected (https://savannah.cern.ch/bugs/?76628)

Fixed.

[VOMS Admin] Registration should be turned off when the service is started in read only mode (https://savannah.cern.ch/bugs/?76837)

Fixed.

[VOMS Admin] VOMS admin CA updater not started when registration is disabled (https://savannah.cern.ch/bugs/?76838)

Fixed.

[VOMS Admin] No notification sent to users when a membership removal request is approved/rejected by administrators (https://savannah.cern.ch/bugs/?76839)

Fixed.

[VOMS Admin] No notification is sent to administrators when a membership removal request is submitted by users (https://savannah.cern.ch/bugs/?76840)

Fixed.

[VOMS Admin] Submitting a request for the same certificate twice causes a stack trace to be printed (https://savannah.cern.ch/bugs/?76841)

Fixed.

[VOMS Admin] The notification delivery fails when all the admins have empty email addresses (https://savannah.cern.ch/bugs/?76842)

Fixed.

New features

Configurable anti-CSRF filter on the web service interfaces

After turning on the check via YAIM:

root@cert-voms-01 ~]# cat siteinfo/services/glite-voms | grep CSRF
VOMS_ADMIN_WS_CSRF_LOG_ONLY=false

voms-admin client version 2.0.15 succeds in accessing the web services:

[root@cert-voms-01 ~]# voms-admin --version
voms-admin v. 2.0.15
[root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
No users found in vo

while older versions fail since no anti-CSRF header is present in client requests:

[andrea@voms-rd02-21 ~]$ voms-admin --version
voms-admin v. 2.0.14
[andrea@voms-rd02-21 ~]$ voms-admin --host cert-voms-01.cnaf.infn.it --vo cert.mysql list-groups
org.glite.security.voms.admin.error.VOMSException: CSRF header guard missing from request!

Looking at the service log, it can be seen that the request was stopped:

17:37:40.962 [TP-Processor25] - WARN  o.g.s.v.a.service.CSRFGuardHandler - Incoming request from 192.168.100.21:44931 is missing CSRF prevention HTTP header

Check connectivity method in voms-db-deploy.py

voms-db-deploy.py now offers a check connectivity method that can be used to test connectivity to the database.

root@cert-voms-01 ~]# voms-db-deploy.py check-connectivity --vo cert.oracle
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...

-- AndreaCeccanti - 29-Jan-2011

Attachments

Topic attachments
I	Attachment	History	Action	Size	Date	Who
ext	full_result_p4609	r1	manage	15.1 K	2011-01-29 - 11:07	UnknownUser
txt	yaim-clean-installation-log.txt	r1	manage	17.3 K	2011-01-29 - 09:05	UnknownUser
txt	yaim-upgrade-log.txt	r1	manage	6.3 K	2011-01-29 - 11:47	UnknownUser
txt	yum-clean-installation-log.txt	r1	manage	214.9 K	2011-01-29 - 09:05	UnknownUser
txt	yum-upgrade-log.txt	r1	manage	12.8 K	2011-01-29 - 11:48	UnknownUser

Topic revision: r2 - 2011-01-29 - unknown

EGEE

Main.WebList

Welcome Guest

- Cern Search
- TWiki Search
- Google Search
EGEE All webs

Copyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback