LFC operations
How to renew host certificates
The full procedure should be described at
https://twiki.cern.ch/twiki/bin/view/FIOgroup/Certproc
In summary, the steps are:
1. Request a new certificate for each machine (this assumes that you have a user certificate).
Log in to your AFS account on the lxadm cluster and type:
host-certificate-manager --from hep-service-lfc@cern.ch hostname_of_the_machine
(for several hosts, list all of them at the end, separated by spaces)
When the certificate comes back from the CA, move the hostcert.pem file to the appropriate subdirectory of your ~/certificates directory, overwriting the existing dummy file.
2. Update CDB to enable SINDES:
On lxadm, type:
cdbop (this will ask for your NICE login/pwd)
get profile_yourHostName
!vi profile_yourHostName.tpl
and add the following lines to enable SINDES on the machine:
# yourLogin - date - Enable SINDES:
"/software/components/sindes/items/grid-host-certificates" =
nlist("method","file","scope","node","path","/etc/grid-security");
"/software/components/sindes/all" =
if (is_defined(self)) self + ",grid-host-certificates"
else "grid-host-certificates";
Save the file and type:
update profile_yourHostName.tpl
commit
That will update and commit those changes to CDB.
3. Deploy the signed certificates using SINDES by typing:
host-certificate-manager --sindes yourHostNamesSeparatedBySpaces
Then go to your node(s) and type:
ccm-fetch
ncm-ncd --co sindes
Now your grid certificate should be successfully deployed in /etc/grid-security.
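A check to run on each node after step 3, as an added example that is not part of the original page or of the CERN tooling: it uses openssl to confirm that the deployed certificate is fresh, names the host, matches its private key, and that the key is not readable by group or others. The hostkey.pem file name, the CN-equals-hostname convention and the 30-day threshold are assumptions.

```sh
#!/bin/sh
# Added example: sanity checks for a host certificate deployed by SINDES.
# Assumed, not stated on the page: the key is hostkey.pem next to
# hostcert.pem, and the certificate CN is the node's fully qualified name.

# check_hostcert CERT KEY FQDN [MIN_DAYS] -> 0 if every check passes, else 1
check_hostcert() {
    hc_cert=$1; hc_key=$2; hc_fqdn=$3; hc_days=${4:-30}; hc_rc=0
    for hc_f in "$hc_cert" "$hc_key"; do
        [ -r "$hc_f" ] || { echo "FAIL: cannot read $hc_f"; return 1; }
    done

    # 1. Parses and is not expiring soon: catches the old or dummy file left in place.
    openssl x509 -in "$hc_cert" -noout -checkend $((hc_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate unreadable or expires within $hc_days days"; hc_rc=1; }

    # 2. Issued for this host: catches files swapped between machines when
    #    several hosts were requested in one go.
    hc_subj=$(openssl x509 -in "$hc_cert" -noout -subject -nameopt RFC2253 2>/dev/null) || hc_subj=
    case "$hc_subj" in
        *"CN=$hc_fqdn" | *"CN=$hc_fqdn,"*) ;;
        *) echo "FAIL: subject does not name $hc_fqdn"; hc_rc=1 ;;
    esac

    # 3. Certificate and private key belong together (same public key).
    hc_cpub=$(openssl x509 -in "$hc_cert" -noout -pubkey 2>/dev/null) || hc_cpub=
    hc_kpub=$(openssl pkey -in "$hc_key" -pubout 2>/dev/null) || hc_kpub=
    if [ -z "$hc_cpub" ] || [ "$hc_cpub" != "$hc_kpub" ]; then
        echo "FAIL: private key does not match certificate"; hc_rc=1
    fi

    # 4. Private key must carry no group or other permission bits.
    hc_perm=$(ls -ldL "$hc_key" | cut -c5-10)
    [ "$hc_perm" = "------" ] ||
        { echo "FAIL: $hc_key is accessible to group/others"; hc_rc=1; }

    return $hc_rc
}

# On a node, run as root after "ncm-ncd --co sindes"; skipped where nothing is deployed.
if [ -r /etc/grid-security/hostcert.pem ]; then
    check_hostcert /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem \
        "$(hostname -f)" && echo "OK: host certificate checks passed"
fi
```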
-- Main.dcollado - 25 Aug 2006