Certification report for patch 4609

Savannah patch


Clean installation

Starting from an SL5, X86_64 clean installation.

cd /etc/yum.repos.d/
wget <repo listed in the patch>
yum update
yum install glite-VOMS_oracle

YUM clean installation log.

Upgrade from production

Starting from a working gLite 3.2 VOMS production installation.

YUM upgrade log.

After shutting down tomcat and cleaning up work directories:

service tomcat5 stop
rm -rf $CATALINA_HOME/webapps/*
rm -rf $CATALINA_HOME/work/*
service tomcat5 start

The installation is reconfigured via YAIM and works as expected.

YAIM upgrade log.


Install the oracle-instantclient-basic RPM as downloaded from the Oracle website.

yum localinstall oracle-instantclient-basic-

YAIM clean installation log.

VOMS Admin

  • Add host certificate as administrator to the VO:
    [root@cert-voms-01 ~]# /opt/glite/sbin/voms-db-deploy.py add-admin --vo cert.oracle --cert /etc/grid-security/hostcert.pem 
    Admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA' not found. It will be created...
    Adding ALL permissions on '/cert.oracle' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'
    Adding ALL permissions on role '/cert.oracle/Role=VO-Admin' for admin '/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it,/C=IT/O=INFN/CN=INFN CA'


Basic checks

  • Check that VOMS admin responds:
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
    No users found in vo

  • Create personal user:
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle create-user andreacert.pem 
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
    /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti, /C=IT/O=INFN/CN=INFN CA - andrea.ceccanti@cnaf.infn.it

  • Create VOMS proxy:
    [andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.oracle
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    Creating temporary proxy ............................................ Done
    Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.oracle" Done
    Creating proxy ......................................... Done
    Your proxy is valid until Sat Jan 29 22:25:53 2011
    [andrea@voms-rd02-21 ~]$ voms-proxy-info -all
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti/CN=proxy
    issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    type      : proxy
    strength  : 1024 bits
    path      : /tmp/x509up_u503
    timeleft  : 11:59:55
    === VO cert.oracle extension information ===
    VO        : cert.oracle
    subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it
    attribute : /cert.oracle/Role=NULL/Capability=NULL
    timeleft  : 11:59:55
    uri       : cert-voms-01.cnaf.infn.it:15000

  • Remove personal user:
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle delete-user andreacert.pem
    [root@cert-voms-01 ~]# voms-admin --vo cert.oracle list-users
    No users found in vo!

  • Attempt proxy creation for non-existing user:
    [andrea@voms-rd02-21 ~]$ voms-proxy-init -voms cert.oracle
    Enter GRID pass phrase:
    Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti
    Creating temporary proxy ..................................... Done
    Contacting  cert-voms-01.cnaf.infn.it:15000 [/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms-01.cnaf.infn.it] "cert.oracle" Failed
    Error: User is currently suspended!
    Suspension reason: 0OCI_NO_DATA SELECT suspended_reason FROM certificate WHERE subject_string = :1 AND ca_id = :2 AND suspended != 0 1 = '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti]), 2 = '
    None of the contacted servers for cert.oracle were capable
    of returning a valid AC for the user.
    Here VOMS confuses a non-existing user with a suspended one. See savannah bug 77550. I don't think this is a stopper for this certification.
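The failure above has two parts: an empty query result (the OCI_NO_DATA case) is treated as a suspension, and the SQL statement with its bind values is echoed back to the client. As an added illustration, not VOMS code, the following separates "active", "suspended" and "not found" and keeps the lookup details in the server log; all DNs, the CA name and the table contents are constructed for the example.

```python
# Added example, not VOMS code: classify a certificate lookup so that
# "no such user" and "suspended user" are reported differently and the
# query behind the check never reaches the client. All DNs, the CA and
# the table contents below are constructed.
from enum import Enum
from typing import Dict, List, Optional, Tuple


class MembershipStatus(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    NOT_FOUND = "not_found"


# Constructed stand-in for the 'certificate' table:
# (subject, ca) -> (suspended flag, suspended_reason)
CERTIFICATES: Dict[Tuple[str, str], Tuple[int, Optional[str]]] = {
    ("/C=XX/O=Example/CN=Alice Active", "/C=XX/O=Example/CN=Example CA"): (0, None),
    ("/C=XX/O=Example/CN=Bob Blocked", "/C=XX/O=Example/CN=Example CA"): (1, "AUP not signed"),
}


def lookup_certificate(subject: str, ca: str) -> Optional[Tuple[int, Optional[str]]]:
    """Stands in for the SELECT on the certificate table.

    Returns None when no row matches, which is what the Oracle client
    reports as OCI_NO_DATA. The caller must treat that as "not found",
    not as a suspension with an empty reason.
    """
    return CERTIFICATES.get((subject, ca))


def membership_status(subject: str, ca: str) -> Tuple[MembershipStatus, Optional[str]]:
    """Map the raw lookup result onto the three distinct outcomes."""
    row = lookup_certificate(subject, ca)
    if row is None:
        return MembershipStatus.NOT_FOUND, None
    suspended, reason = row
    if suspended != 0:
        return MembershipStatus.SUSPENDED, reason
    return MembershipStatus.ACTIVE, None


def ac_request(subject: str, ca: str, server_log: List[str]) -> Tuple[bool, str]:
    """Decide whether an AC may be issued and build the client-facing message.

    The refusal reason and the identities involved go to the server log;
    the client receives a fixed message, never query text or bind values.
    """
    status, reason = membership_status(subject, ca)
    if status is MembershipStatus.ACTIVE:
        return True, "AC issued"
    if status is MembershipStatus.SUSPENDED:
        server_log.append(f"refused AC: {subject} suspended ({reason})")
        return False, "Error: User is currently suspended!"
    server_log.append(f"refused AC: {subject} issued by {ca} is not a VO member")
    return False, "Error: User unknown to this VO!"


if __name__ == "__main__":
    ca = "/C=XX/O=Example/CN=Example CA"
    log: List[str] = []
    for dn in ("/C=XX/O=Example/CN=Alice Active",
               "/C=XX/O=Example/CN=Bob Blocked",
               "/C=XX/O=Example/CN=Carol Nobody"):
        print(dn, "->", ac_request(dn, ca, log))
    print("server log:", log)
```

The point of the split is that the client message is chosen from a fixed set after classification, so a change in the database layer (a driver that signals "no rows" differently, for instance) cannot turn into a misleading or over-detailed error on the wire.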

VOMS Admin test suite

Test VOMS-addMember   - OK
Test VOMS-assignRole   - OK
Test VOMS-crAttribute   - OK
Test VOMS-crGroup   - OK
Test VOMS-crRole   - OK
Test VOMS-crUser   - OK
Test VOMS-crUserNocert   - OK
Test VOMS-delAttribute   - OK
Test VOMS-delGroup   - OK
Test VOMS-delGroupAttribute   - OK
Test VOMS-delRole   - OK
Test VOMS-delRoleAttribute   - OK
Test VOMS-delUser   - OK
Test VOMS-delUserAttribute   - OK
Test VOMS-dismissRole   - OK
Test VOMS-listAttributes   - OK
Test VOMS-listGroupAttributes   - OK
Test VOMS-listGroups   - OK
Test VOMS-listMembers   - OK
Test VOMS-listRoleAttributes   - OK
Test VOMS-listRoles   - OK
Test VOMS-listSubGroups   - OK
Test VOMS-listUserAttributes   - OK
Test VOMS-listUserGroups   - OK
Test VOMS-listUserRoles   - OK
Test VOMS-listUsers   - OK
Test VOMS-listUsrWithRol   - OK
Test VOMS-removeMember   - OK
Test VOMS-setGroupAttribute   - OK
Test VOMS-setRoleAttribute   - OK
Test VOMS-setUserAttribute   - OK

VOMS Admin cli testsuite execution log.

Attached bugs

VOMS Admin gives terrifying error message when database is not reachable (https://savannah.cern.ch/bugs/?45425)

Fewer messages are printed by default by the loggers. The logging configuration can be tuned by changing the verbosity of the logger

<logger name="com.mchange" level="ERROR" />

to the WARN, INFO, DEBUG levels in $GLITE_LOCATION_VAR/etc/voms-admin/<VO_NAME>/logback.runtime.xml for the VO logs and in $GLITE_LOCATION/share/voms-admin/tools/classes/logback.xml for the database deploy scripts.

The voms-db-deploy.py utility also provides a method to check the connectivity to the database:

[root@cert-voms-01 classes]# /opt/glite/sbin/voms-db-deploy.py check-connectivity --vo cert.mysql
Checking database connectivity...
Connections could not be acquired from the underlying database!

Error connecting to the voms database! Check your database settings and ensure that the database backend is up and running.

VOMS Admin background tasks are not resilient to transient database failures (https://savannah.cern.ch/bugs/?45567)


VOMS Admin should provide a way to see and manage unconfirmed request (https://savannah.cern.ch/bugs/?55988)

Fixed. Now VOMS Admin shows requests waiting for user confirmation in the admin home page.

[VOMS-ADMIN-2.5] Unhandled exception on adding ACL for a non-VO member (https://savannah.cern.ch/bugs/?60323)

Fixed. Now validation is performed correctly.

VOMS-Admin shows error to VO applicant if there is an SMTP error delivering a notification to a VO-admin (https://savannah.cern.ch/bugs/?62266)


Membership expiration date format problem (https://savannah.cern.ch/bugs/?68966)

Fixed. Now the date can be set only using the datepicker control and the formatting respects the locale set for the application.

[VOMS-Admin] There are possible vulnerabilities in VOMS-Admin (https://savannah.cern.ch/bugs/?76587)


[VOMS] yaim voms ships confusing template configuration files (https://savannah.cern.ch/bugs/?76610)


[VOMS Admin] User request forms do not work as expected (https://savannah.cern.ch/bugs/?76628)


[VOMS Admin] Registration should be turned off when the service is started in read only mode (https://savannah.cern.ch/bugs/?76837)


[VOMS Admin] VOMS admin CA updater not started when registration is disabled (https://savannah.cern.ch/bugs/?76838)


[VOMS Admin] No notification sent to users when a membership removal request is approved/rejected by administrators (https://savannah.cern.ch/bugs/?76839)


[VOMS Admin] No notification is sent to administrators when a membership removal request is submitted by users (https://savannah.cern.ch/bugs/?76840)


[VOMS Admin] Submitting a request for the same certificate twice causes a stack trace to be printed (https://savannah.cern.ch/bugs/?76841)


[VOMS Admin] The notification delivery fails when all the admins have empty email addresses (https://savannah.cern.ch/bugs/?76842)


New features

Configurable anti-CSRF filter on the web service interfaces

After turning on the check via YAIM:

[root@cert-voms-01 ~]# cat siteinfo/services/glite-voms | grep CSRF

voms-admin client version 2.0.15 succeeds in accessing the web services:

[root@cert-voms-01 ~]# voms-admin --version
voms-admin v. 2.0.15
[root@cert-voms-01 ~]# voms-admin --vo cert.mysql list-users
No users found in vo

while older versions fail since no anti-CSRF header is present in client requests:

[andrea@voms-rd02-21 ~]$ voms-admin --version
voms-admin v. 2.0.14
[andrea@voms-rd02-21 ~]$ voms-admin --host cert-voms-01.cnaf.infn.it --vo cert.mysql list-groups
org.glite.security.voms.admin.error.VOMSException: CSRF header guard missing from request!

Looking at the service log, it can be seen that the request was stopped:

17:37:40.962 [TP-Processor25] - WARN  o.g.s.v.a.service.CSRFGuardHandler - Incoming request from is missing CSRF prevention HTTP header
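The mechanism at work here is a custom-header check: a browser will not attach a custom header to a cross-site form post, image load or plain link, so a request carrying the header must come from a caller that knows the API, while an old client that never sends it is refused and logged even for a read-only call such as list-users. The following is an added illustration of such a guard, not voms-admin's own filter; the header name X-VOMS-CSRF-GUARD is an assumption, since the page does not say which header the real filter checks, and the requests are constructed.

```python
# Added example, not voms-admin's code: a custom-header anti-CSRF guard of
# the kind the report describes. The header name X-VOMS-CSRF-GUARD is an
# assumption; the page does not name the header the real filter checks.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CSRF_HEADER = "X-VOMS-CSRF-GUARD"  # assumed name, see lead-in


@dataclass
class Request:
    """Minimal stand-in for an incoming web-service call."""
    client: str                                   # remote host, for the log line
    headers: Dict[str, str] = field(default_factory=dict)


class CSRFGuardHandler:
    """Refuse web-service calls that do not carry the guard header.

    Every request is checked, not only state-changing ones, so a client
    that predates the header fails even on a listing call. The 'enabled'
    flag plays the role of the YAIM switch mentioned in the report.
    """

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.log: List[str] = []       # what the service log would record

    def check(self, req: Request) -> Tuple[bool, Optional[str]]:
        """Return (allowed, client_error); client_error is None when allowed."""
        if not self.enabled:
            return True, None
        # HTTP header names are case-insensitive; compare accordingly.
        if any(name.lower() == CSRF_HEADER.lower() for name in req.headers):
            return True, None
        self.log.append(
            f"WARN CSRFGuardHandler - Incoming request from {req.client} "
            "is missing CSRF prevention HTTP header"
        )
        return False, "CSRF header guard missing from request!"


def run_scenarios() -> Tuple[Dict[str, Tuple[bool, Optional[str]]], List[str]]:
    """Constructed requests mirroring the three situations on the page."""
    guard_on = CSRFGuardHandler(enabled=True)
    guard_off = CSRFGuardHandler(enabled=False)
    # A client new enough to send the header (the 2.0.15 case).
    new_client = Request("cert-voms-01", {CSRF_HEADER: "1", "Content-Type": "text/xml"})
    # An older client that sends only the usual headers (the 2.0.14 case).
    old_client = Request("voms-rd02-21", {"Content-Type": "text/xml"})
    results = {
        "new_client_guard_on": guard_on.check(new_client),
        "old_client_guard_on": guard_on.check(old_client),
        "old_client_guard_off": guard_off.check(old_client),
    }
    return results, guard_on.log


if __name__ == "__main__":
    results, log = run_scenarios()
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("service log:", log)
```

Turning the guard on is therefore a compatibility decision as much as a security one: every legitimate caller must be upgraded to a version that sends the header before the switch is flipped, otherwise the log fills with the WARN line above for each refused call.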

Check connectivity method in voms-db-deploy.py

voms-db-deploy.py now offers a check-connectivity method that can be used to test connectivity to the database.

[root@cert-voms-01 ~]# voms-db-deploy.py check-connectivity --vo cert.oracle
Checking database connectivity...
Database contacted succesfully
Checking database existence...
Found existing voms-admin 2.5.x database...

-- AndreaCeccanti - 29-Jan-2011

Topic attachments
Attachment                        Revision  Size     Date
full_result_p4609                 r1        15.1 K   2011-01-29 11:07
yaim-clean-installation-log.txt   r1        17.3 K   2011-01-29 09:05
yaim-upgrade-log.txt              r1        6.3 K    2011-01-29 11:47
yum-clean-installation-log.txt    r1        214.9 K  2011-01-29 09:05
yum-upgrade-log.txt               r1        12.8 K   2011-01-29 11:48
Topic revision: r2 - 2011-01-29 - unknown