VOMS System administrator guide

Operating system installation and configuration

In order to install the EMI VOMS metapackage you will need a clean SL5 X86_64 machine with the EPEL repository configured. More information here.

VOMS Node clean Installation

  • Make sure that your VOMS server has NTP properly configured. Clock skew between VOMS clients and servers may cause proxy generation failures.

  • Make sure you install the IGTF EUGridPMA trust anchors bundle, using the EGI CA repo:
    • yum install ca-policy-egi-core

  • In case you plan to install the emi-voms-oracle metapackage, download and install the Oracle instant client basic libraries (v. 10.2.0.4-1) on your system:
    • yum localinstall oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm

  • Add the EMI repository file into your local /etc/yum.repos.d/ directory, e.g., for EMI 1:
    • yum install yum-protectbase yum-priorities
    • rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/1/sl5/x86_64/base/emi-release-1.0.0-1.sl5.noarch.rpm

  • Install the emi-voms-mysql metapackage or emi-voms-oracle depending on the database backend you are using (mysql or Oracle):
    • yum install emi-voms-mysql or yum install emi-voms-oracle

  • Manually install xml-commons-apis libraries (after having installed the right metapackage for your installation), as the ones provided by the JRE cause warnings when starting/stopping tomcat:
    • yum install xml-commons-apis

VOMS Node Configuration

Configuring the database backend

MySQL configuration

Make sure that the MySQL administrator password that you specify in the YAIM VOMS configuration files matches the password that is set for the root MySQL account. The YAIM configuration script does not set it for you. If you want to set a MySQL administrator password:

  1. Check that MySQL is running; if not, launch it using service mysqld start
  2. Issue the following commands as root (putting appropriate information in the <adminPassword> and <hostname> placeholders):
    /usr/bin/mysqladmin -u root password <adminPassword>
    /usr/bin/mysqladmin -u root -h <hostname> password <adminPassword>
    

The above commands set a password for the MySQL root account.

Oracle configuration

Create the necessary users and databases in Oracle. Please see the Oracle manuals for details.

Configuring the VOMS server with YAIM

  1. Copy the site-info.def and services/glite-voms_mysql (or services/glite-voms_oracle, depending on your database backend) files from /opt/glite/yaim/examples/siteinfo into a directory of your choice.
  2. Rename glite-voms_mysql (or glite-voms_oracle, depending on your database backend) as glite-voms.
  3. Set the YAIM variables as specified in the VOMS YAIM configuration guide.
  4. Check that MySQL is running with service mysqld status. If it is not running, start it with the command: service mysqld start
  5. Launch yaim as follows:
    /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS
    
  6. In order to start using the voms-admin CLI without opening a new shell, you may need to source the grid environment:
    source /etc/profile.d/grid-env.sh

YAIM siteinfo and glite-voms example files

MySQL backend

Below are example siteinfo and service files for a VOMS MySQL node configuration:

site-info.def:

MYSQL_PASSWORD="pwd"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.mysql"

services/glite-voms: 

# VOMS server hostname
VOMS_HOST=cert-voms-01.cnaf.infn.it 
VOMS_DB_HOST='localhost'

VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS="pwd"
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_db

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it

Oracle backend

site-info.def:

VOMS_DB_TYPE="oracle"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.oracle"
ORACLE_CLIENT="/usr/lib/oracle/10.2.0.4/client64"

services/glite-voms:

VOMS_HOST=cert-voms-01.cnaf.infn.it 

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
VOMS_ADMIN_CERT=/root/andreacert.pem

ORACLE_CONNECTION_STRING="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST = voms-db-02.cr.cnaf.infn.it)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME = vomsdb2.cr.cnaf.infn.it)))"

VO_CERT_ORACLE_VOMS_PORT=15000
VO_CERT_ORACLE_VOMS_DB_USER=admin_25
VO_CERT_ORACLE_VOMS_DB_PASS=***
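
Both backends' example files keep database passwords in clear text, so the siteinfo files need owner-only permissions and real password values before yaim is run. The following audit function is an added example, not part of YAIM or of the original guide; it assumes GNU stat and checks only the MYSQL_PASSWORD and VO_*_VOMS_DB_PASS variables shown above.

```shell
#!/bin/bash
# Added example (not part of YAIM): audit a YAIM file that stores DB passwords.
# Prints one line per finding; returns 0 when clean, 1 on findings, 2 if missing.
audit_yaim_file() {
    local file=$1 mode name value findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # GNU stat: %a is the octal mode. Any group/other bit lets other local
    # users read the passwords, so only owner-only modes pass.
    mode=$(stat -c '%a' "$file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "PERMS $file is mode $mode; run: chmod 600 $file"
        findings=1
    fi

    # Look only at the password variables used in the example files.
    while IFS='=' read -r name value || [ -n "$name" ]; do
        case $name in
            MYSQL_PASSWORD|VO_*_VOMS_DB_PASS) ;;
            *) continue ;;
        esac
        # Strip one layer of surrounding quotes before judging the value.
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        case $value in
            ''|pwd|'***')
                echo "WEAK $file: $name is empty or still an example value"
                findings=1 ;;
        esac
    done < "$file"
    return "$findings"
}
```

Run it against both site-info.def and services/glite-voms before launching yaim.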

Upgrading VOMS mysql from a gLite 3.2 VOMS server

Install and configure an SL5 X86_64 EPEL machine

In order to install the EMI VOMS metapackage you will need a clean SL5 X86_64 machine with the EPEL repository configured. SL5, as configured by gLite 3.2, is not suitable for installing the EMI VOMS since gLite uses the DAG repository, which is an alternative to, and incompatible with, EPEL.

Once you have a clean machine configured, install the emi-voms-mysql metapackage without launching the YAIM configuration.

VOMS database dump and YAIM configuration

On your existing gLite 3.2 VOMS node, dump the VOMS database for all the VOs using the following command:

mysqldump -uroot -p<MYSQL_ROOT_PASSWORD> --all-databases --flush-privileges > voms_database_dump.sql

Then copy the dump file to the new EMI VOMS node.

Remember to save your YAIM configuration (in most cases, site-info.def and services/glite-voms in your siteinfo directory) and copy it to the new EMI VOMS node.

Restoring the VOMS database on the EMI node

You should now have the MySQL daemon installed on your EMI machine (it was installed as a dependency of the emi-voms-mysql metapackage). Follow the instructions in this section to properly configure the MySQL root account.

Once the root account is configured and working (check that you can log in by issuing the command mysql -uroot -p<MYSQL_ROOT_PASSWORD>), you can restore the VOMS database by issuing the following command:

mysql -uroot -p<PASSWORD> < voms_database_dump.sql
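
Putting the root password after -p can expose it to other local users through the process list and leaves it in shell history. As an added example (not from the original guide), the dump and restore can read it from an option file passed with --defaults-extra-file, and a checksum confirms the dump was not altered while being copied; the function names are hypothetical and sha256sum from GNU coreutils is assumed.

```shell
#!/bin/bash
# Added example: keep the MySQL root password off the command line.

# write_client_optfile FILE: read the password from stdin into a 0600 option file.
write_client_optfile() {
    local file=$1 password
    IFS= read -r password || true
    case $password in
        # Quotes and backslashes need option-file escaping; refuse them here.
        ''|*\"*|*\\*) echo "empty or unsupported password" >&2; return 1 ;;
    esac
    ( umask 077
      rm -f "$file"   # never reuse a file that may have a looser mode
      printf '[client]\nuser=root\npassword="%s"\n' "$password" > "$file" )
    chmod 600 "$file"
}

# dump_voms OPTFILE DUMP: the dump from this section plus a checksum file.
dump_voms() {
    # --defaults-extra-file has to be the first option.
    mysqldump --defaults-extra-file="$1" --all-databases --flush-privileges > "$2" &&
        sha256sum "$2" > "$2.sha256"
}

# restore_voms OPTFILE DUMP: load the dump only if it matches its checksum.
restore_voms() {
    sha256sum -c "$2.sha256" >/dev/null 2>&1 ||
        { echo "checksum mismatch: $2" >&2; return 1; }
    mysql --defaults-extra-file="$1" < "$2"
}
```

Run dump_voms on the gLite 3.2 node and restore_voms on the EMI node from the directory holding the dump, using the same relative file name so that the checksum file resolves. Delete the option file once the restore is done.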

Configuring VOMS on the EMI node

The gLite 3.2 YAIM configuration should work in your EMI installation. Just check that no gLite-specific paths are referenced in your configuration. In order to configure VOMS, place the YAIM configuration files in your favorite directory and launch the following command:

/opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS

Known issues for the gLite 3.2 to EMI 1 upgrade

AUP is not shown correctly after upgrade to EMI 1

This issue is tracked here. The workaround, until VOMS Admin 2.6.2 is released, depends on the value of the GLITE_LOCATION_VAR environment variable in the gLite 3.2 VOMS installation being upgraded.

If

GLITE_LOCATION_VAR = /var/glite

the workaround would be to execute the following SQL commands on the database backend for each VO (note the vo_name placeholder in the commands where the actual VO name should be put):

update aup_version set url="file:/etc/voms-admin/<vo_name>/vo-aup.txt" where url="file:/var/glite/etc/voms-admin/<vo_name>/vo-aup.txt";
update aup_version set url="file:///etc/voms-admin/<vo_name>/vo-aup.txt" where url="file:///var/glite/etc/voms-admin/<vo_name>/vo-aup.txt";

The above commands will not be needed starting from VOMS Admin version 2.6.2, as it will be possible to modify the AUP URL from the web interface in the AUP management section.
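
For a MySQL backend with several VOs, the statements can be generated rather than typed by hand. This added example (not part of VOMS Admin or the original guide) reads each VO's database name from services/glite-voms without sourcing the file and rejects names that could not safely be placed inside SQL text; it assumes the VO_<NAME>_VOMS_DB_NAME naming seen in the example files, with '.' and '-' in the VO name mapped to '_'.

```shell
#!/bin/bash
# Added example: build the AUP workaround SQL for the VOs in a YAIM services file.

# vo_db_name VO FILE: print VO_<NAME>_VOMS_DB_NAME from FILE without sourcing it.
vo_db_name() {
    local key
    # cert.mysql -> VO_CERT_MYSQL_VOMS_DB_NAME, matching the example files.
    key=VO_$(printf '%s' "$1" | tr 'a-z.-' 'A-Z__')_VOMS_DB_NAME
    grep "^$key=" "$2" | head -n 1 | cut -d= -f2- | tr -d "\"' "
}

# aup_fix_sql FILE VO...: print the statements, or nothing if any input is bad.
aup_fix_sql() {
    local file=$1 vo db scheme sql=
    shift
    for vo in "$@"; do
        # Both names end up inside SQL text: accept plain characters only.
        case $vo in
            ''|*[!A-Za-z0-9._-]*) echo "bad VO name: $vo" >&2; return 1 ;;
        esac
        db=$(vo_db_name "$vo" "$file")
        case $db in
            ''|*[!A-Za-z0-9_]*) echo "no usable DB name for $vo" >&2; return 1 ;;
        esac
        sql="${sql}USE \`$db\`;
"
        # Both spellings of the file URL are rewritten, as in the workaround.
        for scheme in 'file:' 'file://'; do
            sql="${sql}UPDATE aup_version SET url=\"$scheme/etc/voms-admin/$vo/vo-aup.txt\" WHERE url=\"$scheme/var/glite/etc/voms-admin/$vo/vo-aup.txt\";
"
        done
    done
    printf '%s' "$sql"
}
```

Review the output first, then pipe it to the MySQL client as root, for example: aup_fix_sql services/glite-voms cert.mysql | mysql -uroot -p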

Troubleshooting

For MySQL and Oracle debugging, please see the corresponding MySQL and Oracle manuals.

-- AndreaCeccanti - 07-Apr-2011

Topic revision: r11 - 2012-03-01 - AndreaCeccantiExCern
 