How to configure VOMS LSC files

Introduction

A VOMS-aware service needs a way to verify that the proxy presented by a client was signed by a trusted VOMS server. The set of trusted VOMS servers for a given VO needs to be enumerated in the subdirectory for that VO under $X509_VOMS_DIR (by default /etc/grid-security/vomsdir), in the form of LSC files. Their contents need to be updated only when the certificate subject or the CA subject of a VOMS server certificate has changed. The LSC acronym stands for "list of certificates"; the contents of such files are described below.

New WLCG IAM VOMS services

In the course of 2021-2022, the LHC experiments are foreseen to switch from VOMS-Admin to (INDIGO-) IAM for VO management and to gradually make more use of WLCG tokens instead of VOMS proxies (see here and links therein). During the transition phase for a given experiment, its IAM service also supports signing VOMS proxies through a dedicated endpoint, whose details will initially need to be configured alongside those of the traditional VOMS service for that experiment. Further details are provided below.

LSC file configuration with rpms

For VOMS servers used by the WLCG VOs since late 2014, there is an rpm per VO that sites may find convenient to use:

The rpms are hosted in the WLCG repository:

Each rpm provides not only the relevant LSC files for proxy verification, but also the corresponding vomses configuration files for proxy generation.

→ NEW ←

For the new WLCG IAM VOMS endpoints, there is an rpm per VO that provides only the corresponding LSC file for the time being:

They are also available in the CentOS 8 repository.

Only when all relevant services support the new VOMS endpoints can users and workflows of an LHC experiment start using those endpoints. Therefore, a campaign will be run across WLCG to have all relevant services updated first, before the corresponding vomses details are made available through rpms. See further down.

LSC file configuration by YAIM

NOTE: YAIM will also configure the vomses details that are used to create VOMS proxies, e.g. on UI hosts. When a given VOMS server is unavailable, the VOMS clients automatically try another instance for the VO, but the user may get an unexpected message.

When YAIM is used to configure an EMI node type, the admin needs to define "VO_${VO}_VOMSES" and "VO_${VO}_VOMS_CA_DN" variables (and "VO_${VO}_VOMS_SERVERS" variables for grid-mapfile generation) for each supported VO as described in the YAIM documentation:

Example for ALICE

VO_ALICE_VOMSES="\
'alice lcg-voms2.cern.ch 15000 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' \
'alice voms2.cern.ch 15000 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24' \
'alice voms-alice-auth.app.cern.ch 443 \
/DC=ch/DC=cern/OU=computers/CN=alice-auth.web.cern.ch alice 24' \
"
VO_ALICE_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# only the legacy servers can be used for making grid-mapfiles
#

VO_ALICE_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/alice?/alice/' \
'vomss://lcg-voms2.cern.ch:8443/voms/alice?/alice/' \
"

Example for ATLAS

VO_ATLAS_VOMSES="\
'atlas lcg-voms2.cern.ch 15001 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch atlas 24' \
'atlas voms2.cern.ch 15001 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch atlas 24' \
'atlas voms-atlas-auth.app.cern.ch 443 \
/DC=ch/DC=cern/OU=computers/CN=atlas-auth.web.cern.ch atlas 24' \
"
VO_ATLAS_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# only the legacy servers can be used for making grid-mapfiles
#

VO_ATLAS_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/atlas?/atlas/' \
'vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/' \
"

Example for CMS

VO_CMS_VOMSES="\
'cms lcg-voms2.cern.ch 15002 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch cms 24' \
'cms voms2.cern.ch 15002 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch cms 24' \
'cms voms-cms-auth.app.cern.ch 443 \
/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch cms 24' \
"
VO_CMS_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# only the legacy servers can be used for making grid-mapfiles
#

VO_CMS_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/cms?/cms/' \
'vomss://lcg-voms2.cern.ch:8443/voms/cms?/cms/' \
"

Example for LHCb

VO_LHCB_VOMSES="\
'lhcb lcg-voms2.cern.ch 15003 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch lhcb 24' \
'lhcb voms2.cern.ch 15003 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch lhcb 24' \
'lhcb voms-lhcb-auth.app.cern.ch 443 \
/DC=ch/DC=cern/OU=computers/CN=lhcb-auth.web.cern.ch lhcb 24' \
"
VO_LHCB_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# only the legacy servers can be used for making grid-mapfiles
#

VO_LHCB_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb/' \
'vomss://lcg-voms2.cern.ch:8443/voms/lhcb?/lhcb/' \
"

Example for OPS

VO_OPS_VOMSES="\
'ops lcg-voms2.cern.ch 15009 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch ops 24' \
'ops voms2.cern.ch 15009 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch ops 24' \
"
VO_OPS_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# both of them should be used for making grid-mapfiles
#

VO_OPS_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/ops?/ops/' \
'vomss://lcg-voms2.cern.ch:8443/voms/ops?/ops/' \
"
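The mapping from the YAIM variables above to the files they describe, as an added example that is part of neither this page nor YAIM: it parses a VO_<VO>_VOMSES value and the matching VO_<VO>_VOMS_CA_DN value with shlex, renders the LSC file for each server (server DN, then CA DN, no quotes) and the one-line vomses entry, and can write them under a root directory for a dry run. The sample input is the ALICE definition from above re-typed without the bash line continuations; the function names and the vomses file name pattern <vo>-<host> (the pattern visible in the /etc/vomses listing further down) are this example's own assumptions.

```python
"""Added example, not from this page nor from YAIM: derive the LSC and vomses
files that the VO_<VO>_VOMSES / VO_<VO>_VOMS_CA_DN definitions describe.
Function names and the vomses file naming (<vo>-<host>) are assumptions."""
import shlex
from pathlib import Path

# Sample input: the ALICE definitions from above. Inside double quotes bash drops
# the backslash-newline pairs, so the entries end up separated by spaces.
VO_ALICE_VOMSES = (
    "'alice lcg-voms2.cern.ch 15000 /DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' "
    "'alice voms2.cern.ch 15000 /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24' "
    "'alice voms-alice-auth.app.cern.ch 443 /DC=ch/DC=cern/OU=computers/CN=alice-auth.web.cern.ch alice 24'"
)
VO_ALICE_VOMS_CA_DN = "'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' " * 3

VOMSDIR = "/etc/grid-security/vomsdir"   # $X509_VOMS_DIR default
VOMSES_DIR = "/etc/vomses"


def parse_vomses_var(value: str) -> list:
    """Split a VO_<VO>_VOMSES value into one dict per VOMS server.

    Each single-quoted entry is: vo host port server_dn vo_alias [max_hours].
    shlex strips the quotes; the DN may itself contain spaces, so it is taken
    as everything between the port and the trailing alias (plus optional hours).
    """
    servers = []
    for entry in shlex.split(value):
        f = entry.split()
        if len(f) < 5:
            raise ValueError(f"malformed VOMSES entry: {entry!r}")
        max_hours = f[-1] if f[-1].isdigit() else ""
        alias = f[-2] if max_hours else f[-1]
        dn_end = -2 if max_hours else -1
        servers.append({"vo": f[0], "host": f[1], "port": f[2],
                        "dn": " ".join(f[3:dn_end]), "alias": alias,
                        "max_hours": max_hours})
    return servers


def render_files(vomses_var: str, ca_dn_var: str) -> dict:
    """Return {absolute path: contents} for every server of the VO.

    The n-th CA DN belongs to the n-th VOMSES entry, which is why both
    variables must list the servers in the same order and count.
    """
    servers = parse_vomses_var(vomses_var)
    ca_dns = shlex.split(ca_dn_var)
    if len(ca_dns) != len(servers):
        raise ValueError(f"{len(servers)} VOMSES entries but {len(ca_dns)} CA DNs")
    files = {}
    for s, ca_dn in zip(servers, ca_dns):
        # LSC file: server certificate subject DN, then issuing CA subject DN, no quotes.
        files[f"{VOMSDIR}/{s['vo']}/{s['host']}.lsc"] = f"{s['dn']}\n{ca_dn}\n"
        # vomses file: the same fields as the YAIM entry, each double-quoted, on one line.
        fields = [s["vo"], s["host"], s["port"], s["dn"], s["alias"]]
        if s["max_hours"]:
            fields.append(s["max_hours"])
        files[f"{VOMSES_DIR}/{s['vo']}-{s['host']}"] = " ".join(f'"{x}"' for x in fields) + "\n"
    return files


def write_tree(files: dict, root: Path) -> list:
    """Write the rendered files below root: Path('/') on a real host, a scratch
    directory for a dry run. Files are made world-readable like the rpm ones."""
    written = []
    for abs_path, contents in files.items():
        target = root / abs_path.lstrip("/")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(contents)
        target.chmod(0o644)
        written.append(target)
    return written


if __name__ == "__main__":
    import tempfile
    scratch = Path(tempfile.mkdtemp())   # dry run; use Path("/") to install for real
    for path in write_tree(render_files(VO_ALICE_VOMSES, VO_ALICE_VOMS_CA_DN), scratch):
        print(path, path.read_text(), sep="\n")
```

The length check matters in practice: the CA DN list in the ALICE example repeats the same CA three times because the positions are matched pairwise, and a VOMSES entry without a corresponding CA entry would otherwise be silently paired with the wrong CA.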

LSC file configuration by other means

For each supported VO and each of its VOMS servers there needs to be an LSC file in the directory $X509_VOMS_DIR/${VO} (by default /etc/grid-security/vomsdir/${VO}). The name of the file needs to be the fully qualified host name of the VOMS server followed by a ".lsc" extension. Each such file needs to contain 2 lines:

  • the first line contains the subject DN of the VOMS server host certificate without quotes
  • the second line contains the subject DN of the CA that issued the VOMS server host certificate, also without quotes

Example for ALICE

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/alice/
total 12
-rw-r--r-- 1 root root 101 Feb 11  2014 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root 106 Apr 29 20:43 voms-alice-auth.app.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11  2014 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/alice/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/alice/voms-alice-auth.app.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=alice-auth.web.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/alice/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for ATLAS

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/atlas/
total 12
-rw-r--r-- 1 root root 101 Feb 11  2014 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root 106 Apr 29 20:43 voms-atlas-auth.app.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11  2014 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/atlas/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/atlas/voms-atlas-auth.app.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=atlas-auth.web.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/atlas/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for CMS

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/cms/
total 12
-rw-r--r-- 1 root root 101 Feb 11  2014 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root 104 Apr 21 22:18 voms-cms-auth.app.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11  2014 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/cms/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/cms/voms-cms-auth.app.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/cms/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for LHCb

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/lhcb/
total 12
-rw-r--r-- 1 root root 101 Feb 11  2014 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root 105 Apr 29 20:44 voms-lhcb-auth.app.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11  2014 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/lhcb/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/lhcb/voms-lhcb-auth.app.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lhcb-auth.web.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/lhcb/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for OPS

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/ops/
total 12
-rw-r--r-- 1 root root 101 Feb 11  2014 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11  2014 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/ops/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/ops/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

vomses file configuration by rpms

Update Nov 11, 2021:

CMS are ready for their IAM VOMS endpoint to be used alongside their legacy VOMS servers and an rpm with the corresponding vomses file is published now:

  • wlcg-iam-vomses-cms (noarch) for el7, el8

Update Jan 24, 2022:

Also the rpm for ATLAS is available now:

  • wlcg-iam-vomses-atlas (noarch) for el7, el8

Updates for the other experiments will be added when they are ready.

vomses file configuration by other means

NOTE: the vomses details are used to create VOMS proxies, e.g. on UI hosts. When a given VOMS server is unavailable, the VOMS clients automatically try another instance for the VO, but the user may get an unexpected message.

----------------------------------------------------------------------
# ls -l /etc/vomses/ | awk '$NF ~ /^(voms-)?(alice|atlas|cms|lhcb|ops)-/'
-rw-r--r--. 1 root root 100 Jun  4 09:46 alice-lcg-voms2.cern.ch
-rw-r--r--. 1 root root  92 Jun  4 09:46 alice-voms2.cern.ch
-rw-r--r--. 1 root root 100 Jun  4 09:46 atlas-lcg-voms2.cern.ch
-rw-r--r--. 1 root root  92 Jun  4 09:46 atlas-voms2.cern.ch
-rw-r--r--. 1 root root  96 Jun  4 09:46 cms-lcg-voms2.cern.ch
-rw-r--r--. 1 root root  88 Jun  4 09:46 cms-voms2.cern.ch
-rw-r--r--. 1 root root  98 Jun  4 09:46 lhcb-lcg-voms2.cern.ch
-rw-r--r--. 1 root root  90 Jun  4 09:46 lhcb-voms2.cern.ch
-rw-r--r--. 1 root root  96 Jun  4 09:46 ops-lcg-voms2.cern.ch
-rw-r--r--. 1 root root  88 Jun  4 09:46 ops-voms2.cern.ch
-rw-r--r--. 1 root root 108 Apr 29 20:39 voms-alice-auth.app.cern.ch.vomses
-rw-r--r--. 1 root root 108 Apr 29 20:37 voms-atlas-auth.app.cern.ch.vomses
-rw-r--r--. 1 root root 100 Apr 21 22:20 voms-cms-auth.app.cern.ch.vomses
-rw-r--r--. 1 root root 104 Apr 29 20:39 voms-lhcb-auth.app.cern.ch.vomses
----------------------------------------------------------------------
# cat /etc/vomses/alice-lcg-voms2.cern.ch 
"alice" "lcg-voms2.cern.ch" "15000" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch" "alice" "24"
----------------------------------------------------------------------
# cat /etc/vomses/alice-voms2.cern.ch
"alice" "voms2.cern.ch" "15000" "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch" "alice" "24"
----------------------------------------------------------------------
# cat /etc/vomses/atlas-lcg-voms2.cern.ch
"atlas" "lcg-voms2.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch" "atlas" "24"
----------------------------------------------------------------------
# cat /etc/vomses/atlas-voms2.cern.ch
"atlas" "voms2.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch" "atlas" "24"
----------------------------------------------------------------------
# cat /etc/vomses/cms-lcg-voms2.cern.ch
"cms" "lcg-voms2.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch" "cms" "24"
----------------------------------------------------------------------
# cat /etc/vomses/cms-voms2.cern.ch
"cms" "voms2.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch" "cms" "24"
----------------------------------------------------------------------
# cat /etc/vomses/lhcb-lcg-voms2.cern.ch
"lhcb" "lcg-voms2.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch" "lhcb" "24"
----------------------------------------------------------------------
# cat /etc/vomses/lhcb-voms2.cern.ch
"lhcb" "voms2.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch" "lhcb" "24"
----------------------------------------------------------------------
# cat /etc/vomses/ops-lcg-voms2.cern.ch
"ops" "lcg-voms2.cern.ch" "15009" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch" "ops" "24"
----------------------------------------------------------------------
# cat /etc/vomses/ops-voms2.cern.ch
"ops" "voms2.cern.ch" "15009" "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch" "ops" "24"
----------------------------------------------------------------------
# cat /etc/vomses/voms-alice-auth.app.cern.ch.vomses
"alice" "voms-alice-auth.app.cern.ch" "443" "/DC=ch/DC=cern/OU=computers/CN=alice-auth.web.cern.ch" "alice"
----------------------------------------------------------------------
# cat /etc/vomses/voms-atlas-auth.app.cern.ch.vomses
"atlas" "voms-atlas-auth.app.cern.ch" "443" "/DC=ch/DC=cern/OU=computers/CN=atlas-auth.web.cern.ch" "atlas"
----------------------------------------------------------------------
# cat /etc/vomses/voms-cms-auth.app.cern.ch.vomses
"cms" "voms-cms-auth.app.cern.ch" "443" "/DC=ch/DC=cern/OU=computers/CN=cms-auth.web.cern.ch" "cms"
----------------------------------------------------------------------
# cat /etc/vomses/voms-lhcb-auth.app.cern.ch.vomses
"lhcb" "voms-lhcb-auth.app.cern.ch" "443" "/DC=ch/DC=cern/OU=computers/CN=lhcb-auth.web.cern.ch" "lhcb"
----------------------------------------------------------------------
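A consistency check for a deployed host, as an added example that comes from neither this page nor the VOMS project: it verifies every <vo>/<host>.lsc under the vomsdir against the rules given in "LSC file configuration by other means" (two non-empty lines, DNs without quotes, file named after the server FQDN) and then confirms that every server listed in a vomses file has an LSC file whose first line carries the same server DN. A DN mismatch between the two is what breaks proxy verification when a VOMS server certificate subject changes and the LSC file is not updated. The default paths are the page's (/etc/grid-security/vomsdir and /etc/vomses); the function names are this example's own, and the sample tree it builds is constructed from the ALICE files shown above plus one deliberately broken OPS file.

```python
"""Added example, not taken from this page nor from the VOMS project: check a
deployed vomsdir/vomses layout against the LSC rules stated on the page.
Function names are this example's own; default paths are the page's."""
import shlex
import tempfile
from pathlib import Path

VOMSDIR = Path("/etc/grid-security/vomsdir")   # $X509_VOMS_DIR default
VOMSES_DIR = Path("/etc/vomses")


def lsc_lines(path: Path) -> list:
    """Non-empty, whitespace-trimmed lines of an LSC file."""
    return [l.strip() for l in path.read_text().splitlines() if l.strip()]


def check_lsc_file(path: Path) -> list:
    """Problems with one LSC file (an empty list means it follows the rules)."""
    problems = []
    if path.suffix != ".lsc" or "." not in path.stem:
        problems.append("file name must be <fqdn of the VOMS server>.lsc")
    lines = lsc_lines(path)
    if len(lines) != 2:
        problems.append(f"expected 2 lines (server DN, CA DN), found {len(lines)}")
    for n, line in enumerate(lines, 1):
        if '"' in line or "'" in line:
            problems.append(f"line {n} contains quotes")
        elif not line.startswith("/"):
            problems.append(f"line {n} is not a /X=...-style DN")
    return problems


def check_vomsdir(vomsdir: Path = VOMSDIR) -> dict:
    """Check every file in every VO subdirectory; returns {vo/file: problems}."""
    report = {}
    for f in sorted(p for p in vomsdir.glob("*/*") if p.is_file()):
        problems = check_lsc_file(f)
        if problems:
            report[str(f.relative_to(vomsdir))] = problems
    return report


def read_vomses_file(path: Path) -> list:
    """Parse a vomses file: one server per line, 5 or 6 double-quoted fields
    (vo, host, port, server DN, vo alias[, max proxy hours])."""
    entries = []
    for raw in path.read_text().splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = shlex.split(raw)          # keeps a DN with spaces as one field
        if len(fields) not in (5, 6):
            raise ValueError(f"{path}: expected 5 or 6 quoted fields, got {len(fields)}")
        entries.append({"vo": fields[0], "host": fields[1], "port": fields[2], "dn": fields[3]})
    return entries


def cross_check(vomsdir: Path = VOMSDIR, vomses_dir: Path = VOMSES_DIR) -> dict:
    """For every server in every vomses file, require vomsdir/<vo>/<host>.lsc to
    exist, pass check_lsc_file, and carry the same server DN on its first line.
    Returns {"<vomses file>:<host>": problems} for the servers that fail."""
    report = {}
    for vf in sorted(p for p in vomses_dir.iterdir() if p.is_file()):
        for e in read_vomses_file(vf):
            lsc = vomsdir / e["vo"] / f"{e['host']}.lsc"
            if not lsc.is_file():
                problems = [f"missing {lsc}"]
            else:
                problems = check_lsc_file(lsc)
                lines = lsc_lines(lsc)
                if lines and lines[0] != e["dn"]:
                    problems.append(f"server DN differs: vomses {e['dn']!r}, LSC {lines[0]!r}")
            if problems:
                report[f"{vf.name}:{e['host']}"] = problems
    return report


def build_sample_tree() -> Path:
    """Constructed sample: the ALICE files from the page plus an OPS LSC file
    whose first line is quoted, which the rules forbid."""
    root = Path(tempfile.mkdtemp())
    ca = "/DC=ch/DC=cern/CN=CERN Grid Certification Authority"
    alice = [("lcg-voms2.cern.ch", "15000", "/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch", ' "24"'),
             ("voms2.cern.ch", "15000", "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch", ' "24"'),
             ("voms-alice-auth.app.cern.ch", "443", "/DC=ch/DC=cern/OU=computers/CN=alice-auth.web.cern.ch", "")]
    (root / "vomsdir/alice").mkdir(parents=True)
    (root / "vomsdir/ops").mkdir()
    (root / "vomses").mkdir()
    for host, port, dn, hours in alice:
        (root / "vomsdir/alice" / f"{host}.lsc").write_text(f"{dn}\n{ca}\n")
        (root / "vomses" / f"alice-{host}").write_text(f'"alice" "{host}" "{port}" "{dn}" "alice"{hours}\n')
    ops_dn = "/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch"
    (root / "vomsdir/ops/voms2.cern.ch.lsc").write_text(f'"{ops_dn}"\n{ca}\n')   # broken on purpose
    (root / "vomses/ops-voms2.cern.ch").write_text(f'"ops" "voms2.cern.ch" "15009" "{ops_dn}" "ops" "24"\n')
    return root


if __name__ == "__main__":
    root = build_sample_tree()   # on a real host call the functions with their defaults instead
    for key, probs in {**check_vomsdir(root / "vomsdir"),
                       **cross_check(root / "vomsdir", root / "vomses")}.items():
        print(key, *probs, sep="\n  ")
```

On a service host that creates no proxies there may be no /etc/vomses at all; there check_vomsdir alone is the relevant check. Note that it only compares the files against each other and against the stated format; whether the DN on line 1 is the one the VOMS server currently presents still has to be confirmed against the server's certificate.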

Note for DPM sites managed by puppet (lcgdm-voms puppet module)

Be aware that DPM with dmlite version < 1.15.1-8 configured by puppet removes LSC files that come from the wlcg-iam-lsc-* RPM packages. There are several options for fixing or updating the lcgdm-voms puppet module:

  • install the latest dmlite 1.15.1-8 and its puppet modules
  • update your puppet repository with modules from puppet forge
  • modify the existing /usr/share/dmlite/puppet/modules/voms/manifests/client.pp according to this patch
  • sites using the cernops puppet VOMS module may want to look into this commit

After updating the puppet modules you have to run puppet apply to get the new IAM VOMS LSC configuration files.
Topic revision: r15 - 2022-01-24 - MaartenLitmaath