Certification report for patch 4609

Savannah patch

https://savannah.cern.ch/patch/?4609

Clean installation

Starting from an SL5, X86_64 clean installation.

cd /etc/yum.repos.d/
wget <repo listed in the patch>
yum update
yum install glite-VOMS_oracle

YUM clean installation log.

Upgrade from production

Starting from a working gLite 3.2 VOMS production installation.

YUM upgrade log.

After shutting down tomcat and cleaning up work directories:

service tomcat5 stop
rm -rf $CATALINA_HOME/webapps/*
rm -rf $CATALINA_HOME/work/*
service tomcat5 start

The installation is reconfigured via YAIM and works as expected.

YAIM upgrade log.

Configuration

Oracle

Install oracle-instantclient-basic RPM as downloaded from the oracle website.

http://download.oracle.com/otn/linux/instantclient/10204/oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm

yum localinstall oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm

YAIM

site-info.def:

VOMS_DB_TYPE="oracle"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.oracle"
ORACLE_CLIENT="/usr/lib/oracle/10.2.0.4/client64"

services/glite-voms:

VOMS_HOST=cert-voms-01.cnaf.infn.it 

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
VOMS_ADMIN_CERT=/root/andreacert.pem

VOMS_DB_DEPLOY=true
ORACLE_CONNECTION_STRING="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST = voms-db-02.cr.cnaf.infn.it)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME = vomsdb2.cr.cnaf.infn.it)))"

VO_CERT_ORACLE_VOMS_PORT=15000
VO_CERT_ORACLE_VOMS_DB_USER=admin_25
VO_CERT_ORACLE_VOMS_DB_PASS=***

YAIM clean installation log.

VOMS Admin

  • Add host certificate as administrator to the VO:
    root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py add-admin --vo cert.oracle --cert /etc/grid-security/hostcert.pem 
    Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' not found. It will be created...
    Adding ALL permissions on '/cert.oracle' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    Adding ALL permissions on role '/cert.oracle/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    

Certification

Basic checks

  • Check that VOMS admin responds:
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
    No users found in vo
    

  • Create personal user:
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle create-user andreacert.pem 
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
    /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti, /C=IT/O=INFN/CN=INFN CA - andrea.ceccanti@cnaf.infn.it
    

  • Create VOMS proxy:
    [andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.oracle
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    Creating temporary proxy ............................................ Done
    Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.oracle" Done
    Creating proxy ......................................... Done
    Your proxy is valid until Sat Jan 29 22:25:53 2011
    [andrea@voms-rd02-21 ~]$ voms-proxy-info -all
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti/CN=proxy
    issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u503
    timeleft  : 11:59:55
    === VO cert.oracle extension information ===
    VO        : cert.oracle
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it
    attribute : /cert.oracle/Role=NULL/Capability=NULL
    timeleft  : 11:59:55
    uri       : cert-voms-01.cnaf.infn.it:15000
    

  • Remove personal user:
    root@cert-voms-01 ~]# voms-admin --vo cert.oracle delete-user andreacert.pem
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
    No users found in vo!
    

  • Attempt proxy creation for non-existing user:
    [andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.oracle
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    Creating temporary proxy ..................................... Done
    Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.oracle" Failed
    
    Error: User is currently suspended!
    Suspension reason: 0OCI_NO_DATA SELECT suspended_reason FROM certificate WHERE subject_string = :1 AND ca_id = :2 AND suspended != 0 1 = '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti]), 2 = '
    
    None of the contacted servers for cert.oracle were capable
    of returning a valid AC for the user.
    
    Here VOMS confuses a non-existing user with a suspended one. See savannah bug 77550. I don't this is a stopper for this certification.

VOMS Admin test suite

Test VOMS-addMember   - OK
Test VOMS-assignRole   - OK
Test VOMS-crAttribute   - OK
Test VOMS-crGroup   - OK
Test VOMS-crRole   - OK
Test VOMS-crUser   - OK
Test VOMS-crUserNocert   - OK
Test VOMS-delAttribute   - OK
Test VOMS-delGroup   - OK
Test VOMS-delGroupAttribute   - OK
Test VOMS-delRole   - OK
Test VOMS-delRoleAttribute   - OK
Test VOMS-delUser   - OK
Test VOMS-delUserAttribute   - OK
Test VOMS-dismissRole   - OK
Test VOMS-listAttributes   - OK
Test VOMS-listGroupAttributes   - OK
Test VOMS-listGroups   - OK
Test VOMS-listMembers   - OK
Test VOMS-listRoleAttributes   - OK
Test VOMS-listRoles   - OK
Test VOMS-listSubGroups   - OK
Test VOMS-listUserAttributes   - OK
Test VOMS-listUserGroups   - OK
Test VOMS-listUserRoles   - OK
Test VOMS-listUsers   - OK
Test VOMS-listUsrWithRol   - OK
Test VOMS-removeMember   - OK
Test VOMS-setGroupAttribute   - OK
Test VOMS-setRoleAttribute   - OK
Test VOMS-setUserAttribute   - OK

VOMS Admin cli testsuite execution log.

Attached bugs

VOMS Admin gives terrifying error message when database is not reachable (https://savannah.cern.ch/bugs/?45425)

Less messages are printed by default by loggers. Logging configuration can be tuned by changing the verbosity of logger

<logger name="com.mchange" level="ERROR" />

to the WARN, INFO, DEBUG levels in $GLITE_LOCATION_VAR/etc/voms-admin/<VO_NAME>/logback.runtime.xml for the VO logs and in $GLITE_LOCATION/share/voms-admin/tools/classes/logback.xml for the database deploy scripts.

The voms-db-deploy.py utility also provides a method to check the connectivity to the database:

[root@cert-voms-01 classes]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Connections could not be acquired from the underlying database!

===========================================================================================================================
Error connecting to the voms database! Check your database settings and ensure that the database backend is up and running.
============================================================================================================================

VOMS Admin background tasks are not resilient to transient database failures (https://savannah.cern.ch/bugs/?45567)

Fixed.

VOMS Admin should provide a way to see and manage unconfirmed request (https://savannah.cern.ch/bugs/?55988)

Fixed. Now VOMS Admin shows requests waiting for user confirmation in the admin home page.

[VOMS-ADMIN-2.5] Unhandled exception on adding ACL for a non-VO member (https://savannah.cern.ch/bugs/?60323)

Fixed. Now validation is performed correctly.

VOMS-Admin shows error to VO applicant if there is an SMTP error delivering a notification to a VO-admin (https://savannah.cern.ch/bugs/?62266)

Fixed.

Membership expiration date format problem (https://savannah.cern.ch/bugs/?68966)

Fixed. Now the date can be set only using the datepicker control and the formatting respects the locale set for the application.

[VOMS-Admin] There are possible vulnerabilities in VOMS-Admin (https://savannah.cern.ch/bugs/?76587)

Fixed.

[VOMS] yaim voms ships confusing template configuration files (https://savannah.cern.ch/bugs/?76610)

Fixed.

[VOMS Admin] User request forms do not work as expected (https://savannah.cern.ch/bugs/?76628)

Fixed.

[VOMS Admin] Registration should be turned off when the service is started in read only mode (https://savannah.cern.ch/bugs/?76837)

Fixed.

[VOMS Admin] VOMS admin CA updater not started when registration is disabled (https://savannah.cern.ch/bugs/?76838)

Fixed.

[VOMS Admin] No notification sent to users when a membership removal request is approved/rejected by administrators (https://savannah.cern.ch/bugs/?76839)

Fixed.

[VOMS Admin] No notification is sent to administrators when a membership removal request is submitted by users (https://savannah.cern.ch/bugs/?76840)

Fixed.

[VOMS Admin] Submitting a request for the same certificate twice causes a stack trace to be printed (https://savannah.cern.ch/bugs/?76841)

Fixed.

[VOMS Admin] The notification delivery fails when all the admins have empty email addresses (https://savannah.cern.ch/bugs/?76842)

Fixed.

New features

Configurable anti-CSRF filter on the web service interfaces

After turning on the check via YAIM:

root@cert-voms-01 ~]# cat siteinfo/services/glite-voms | grep CSRF
VOMS_ADMIN_WS_CSRF_LOG_ONLY=false

voms-admin client version 2.0.15 succeds in accessing the web services:

[root@cert-voms-01 ~]# voms-admin --version
voms-admin v. 2.0.15
[root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
No users found in vo

while older versions fail since no anti-CSRF header is present in client requests:

[andrea@voms-rd02-21 ~]$ voms-admin --version
voms-admin v. 2.0.14
[andrea@voms-rd02-21 ~]$ voms-admin --host cert-voms-01.cnaf.infn.it --vo cert.mysql list-groups
org.glite.security.voms.admin.error.VOMSException: CSRF header guard missing from request!

Looking at the service log, it can be seen that the request was stopped:

17:37:40.962 [TP-Processor25] - WARN  o.g.s.v.a.service.CSRFGuardHandler - Incoming request from 192.168.100.21:44931 is missing CSRF prevention HTTP header

Check connectivity method in voms-db-deploy.py

voms-db-deploy.py now offers a check connectivity method that can be used to test connectivity to the database.

root@cert-voms-01 ~]# voms-db-deploy.py check-connectivity --vo cert.oracle
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...

-- AndreaCeccanti - 29-Jan-2011

Topic attachments
I Attachment History Action Size Date Who Comment
Unknown file formatext full_result_p4609 r1 manage 15.1 K 2011-01-29 - 11:07 UnknownUser  
Texttxt yaim-clean-installation-log.txt r1 manage 17.3 K 2011-01-29 - 09:05 UnknownUser  
Texttxt yaim-upgrade-log.txt r1 manage 6.3 K 2011-01-29 - 11:47 UnknownUser  
Texttxt yum-clean-installation-log.txt r1 manage 214.9 K 2011-01-29 - 09:05 UnknownUser  
Texttxt yum-upgrade-log.txt r1 manage 12.8 K 2011-01-29 - 11:48 UnknownUser  
Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2011-01-29 - unknown
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback