How to configure VOMS LSC files

Introduction

A VOMS-aware service needs a way to verify whether the proxy presented by a client was signed by a trusted VOMS server. In the past, VOMS-aware middleware required a copy of the host certificate of each trusted VOMS server to be present in $X509_VOMS_DIR (by default /etc/grid-security/vomsdir), which meant every site had to update that copy whenever a server's certificate was renewed. These days VOMS-aware node types can instead be configured with LSC files, whose contents only need to be updated when the certificate subject or the CA subject for a VOMS server has changed. The LSC acronym stands for "list of certificates".

LSC file configuration with rpms

In the course of 2014 the CERN VOMS service has been moving to new hosts whose host certificates are signed by the new (SHA-2) CERN CA. As of Nov 29 CET the old hosts are no longer relevant to VOMS proxies and hence no longer need to be present in configuration files. To facilitate the addition of the new hosts in the relevant places, a set of rpms has been created, one per WLCG-related VO:

The rpms are hosted in the WLCG repository:

Each rpm provides not only the relevant LSC files for proxy verification, but also the corresponding vomses configuration files for proxy generation.

To add support for the new VOMS servers, one can simply install the rpms for the supported VOs; no other reconfiguration of the services is needed.

The old servers (lcg-voms.cern.ch and voms.cern.ch) should be removed from the following configuration files and client configuration directory, to avoid potential timeouts and error messages:

  • /etc/edg-mkgridmap.conf
  • /etc/lcgdm-mkgridmap.conf
  • /etc/vomses

LSC file configuration by YAIM

When YAIM is used to configure an EMI node type, the admin needs to define "VO_${VO}_VOMSES" and "VO_${VO}_VOMS_CA_DN" variables (and "VO_${VO}_VOMS_SERVERS" variables for grid-mapfile generation) for each supported VO as described in the YAIM documentation:

Example for ALICE

VO_ALICE_VOMSES="\
'alice lcg-voms2.cern.ch 15000 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' \
'alice voms2.cern.ch 15000 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24' \
"
VO_ALICE_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# both of them should be used for making grid-mapfiles
#

VO_ALICE_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/alice?/alice/' \
'vomss://lcg-voms2.cern.ch:8443/voms/alice?/alice/' \
"

Example for ATLAS

NOTE: the server at BNL should no longer be used and has therefore been removed from this example.

VO_ATLAS_VOMSES="\
'atlas lcg-voms2.cern.ch 15001 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch atlas 24' \
'atlas voms2.cern.ch 15001 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch atlas 24' \
"
VO_ATLAS_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# both of them should be used for making grid-mapfiles
#

VO_ATLAS_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/atlas?/atlas/' \
'vomss://lcg-voms2.cern.ch:8443/voms/atlas?/atlas/' \
"

Example for CMS

VO_CMS_VOMSES="\
'cms lcg-voms2.cern.ch 15002 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch cms 24' \
'cms voms2.cern.ch 15002 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch cms 24' \
"
VO_CMS_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# both of them should be used for making grid-mapfiles
#

VO_CMS_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/cms?/cms/' \
'vomss://lcg-voms2.cern.ch:8443/voms/cms?/cms/' \
"

Example for LHCb

VO_LHCB_VOMSES="\
'lhcb lcg-voms2.cern.ch 15003 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch lhcb 24' \
'lhcb voms2.cern.ch 15003 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch lhcb 24' \
"
VO_LHCB_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# both of them should be used for making grid-mapfiles
#

VO_LHCB_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/lhcb?/lhcb/' \
'vomss://lcg-voms2.cern.ch:8443/voms/lhcb?/lhcb/' \
"

Example for OPS

VO_OPS_VOMSES="\
'ops lcg-voms2.cern.ch 15009 \
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch ops 24' \
'ops voms2.cern.ch 15009 \
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch ops 24' \
"
VO_OPS_VOMS_CA_DN="\
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' \
"

#
# both of them should be used for making grid-mapfiles
#

VO_OPS_VOMS_SERVERS="\
'vomss://voms2.cern.ch:8443/voms/ops?/ops/' \
'vomss://lcg-voms2.cern.ch:8443/voms/ops?/ops/' \
"

LSC file configuration by other means

For each supported VO, and for each of its VOMS servers, there needs to be an LSC file in the directory $X509_VOMS_DIR/${VO} (by default /etc/grid-security/vomsdir/${VO}). The name of the file needs to be the fully qualified host name of the VOMS server followed by a ".lsc" extension. Each such file needs to contain exactly 2 lines:

  • the first line contains the subject DN of the VOMS server host certificate without quotes
  • the second line contains the subject DN of the CA that issued the VOMS server host certificate, also without quotes
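The following script is an added example and not part of this page or of YAIM; it ties the two configuration routes together by parsing VO_${VO}_VOMSES and VO_${VO}_VOMS_CA_DN values in the YAIM format shown above, writing the corresponding <host>.lsc files under a vomsdir, and then checking every LSC file against the rules just listed (FQDN file name, exactly two lines, unquoted DNs). The sample values are the ALICE definitions from this page, joined onto single lines. Function names and the extra check that the file name appears as CN= in the subject DN are assumptions of this example, not something YAIM or VOMS prescribes.

```python
"""Generate and validate VOMS LSC files (added example, not from the original page)."""
import os
import shlex
import tempfile

# Constructed sample input: the ALICE definitions from the YAIM example on this
# page, written on one line each (the original uses backslash continuations).
SAMPLE_VOMSES = (
    "'alice lcg-voms2.cern.ch 15000 /DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch alice 24' "
    "'alice voms2.cern.ch 15000 /DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch alice 24'"
)
SAMPLE_CA_DN = (
    "'/DC=ch/DC=cern/CN=CERN Grid Certification Authority' "
    "'/DC=ch/DC=cern/CN=CERN Grid Certification Authority'"
)


def parse_vomses(value):
    """Split a VO_<VO>_VOMSES value into (alias, host, port, host_dn, vo, ttl) tuples.

    Each single-quoted group is one server. The host DN may contain spaces, so it
    is taken as everything between the port and the trailing "<vo> <ttl>" pair.
    """
    servers = []
    for entry in shlex.split(value):
        fields = entry.split()
        if len(fields) < 6:
            raise ValueError("malformed VOMSES entry: %r" % entry)
        alias, host, port = fields[:3]
        vo, ttl = fields[-2:]
        servers.append((alias, host, port, " ".join(fields[3:-2]), vo, ttl))
    return servers


def write_lsc_files(vomsdir, vomses_value, ca_dn_value):
    """Write <host>.lsc under <vomsdir>/<vo>/ for every server; return the paths.

    The n-th CA DN belongs to the n-th VOMSES entry, which is how YAIM pairs the
    two variables; a length mismatch is a configuration error, not something to
    paper over with a default.
    """
    servers = parse_vomses(vomses_value)
    ca_dns = shlex.split(ca_dn_value)
    if len(ca_dns) != len(servers):
        raise ValueError("need exactly one CA DN per VOMSES entry, in the same order")
    paths = []
    for (_alias, host, _port, host_dn, vo, _ttl), ca_dn in zip(servers, ca_dns):
        vo_dir = os.path.join(vomsdir, vo)
        os.makedirs(vo_dir, exist_ok=True)
        path = os.path.join(vo_dir, host + ".lsc")
        with open(path, "w") as f:  # exactly two unquoted lines, subject then issuer
            f.write(host_dn + "\n" + ca_dn + "\n")
        paths.append(path)
    return paths


def check_lsc_text(filename, text):
    """Return the rule violations for one LSC file's name and contents ([] = OK)."""
    problems = []
    if not filename.endswith(".lsc"):
        problems.append("file name must end in .lsc")
    host = filename[:-4] if filename.endswith(".lsc") else filename
    if "." not in host:
        problems.append("file name must be the fully qualified host name of the VOMS server")
    lines = text.split("\n")
    if lines and lines[-1] == "":  # drop the empty string after the final newline
        lines.pop()
    if len(lines) != 2:  # a stray blank third line is a classic LSC mistake
        problems.append("expected exactly 2 lines, found %d" % len(lines))
        return problems
    for label, dn in (("subject", lines[0]), ("CA", lines[1])):
        if dn != dn.strip():
            problems.append("%s DN has leading or trailing whitespace" % label)
        if not dn.startswith("/"):
            problems.append("%s DN must be an unquoted OpenSSL-style DN starting with '/'" % label)
    # Assumption beyond the page: the host certificate's CN is the FQDN, as in the
    # CERN examples, so the file name and the subject DN must agree.
    if "/CN=" + host not in lines[0]:
        problems.append("subject DN does not contain CN=%s; file name and certificate disagree" % host)
    return problems


def check_lsc_file(path):
    with open(path) as f:
        return check_lsc_text(os.path.basename(path), f.read())


def check_vomsdir(vomsdir):
    """Map every LSC file below vomsdir to its problems; clean files are omitted."""
    report = {}
    for vo in sorted(os.listdir(vomsdir)):
        vo_dir = os.path.join(vomsdir, vo)
        if os.path.isdir(vo_dir):
            for name in sorted(os.listdir(vo_dir)):
                problems = check_lsc_file(os.path.join(vo_dir, name))
                if problems:
                    report[os.path.join(vo_dir, name)] = problems
    return report


def run_demo():
    """Write the ALICE files into a temporary vomsdir and check them.

    Returns (relative file names, contents by base name, problem report)."""
    vomsdir = tempfile.mkdtemp(prefix="vomsdir-")
    paths = write_lsc_files(vomsdir, SAMPLE_VOMSES, SAMPLE_CA_DN)
    names = [os.path.relpath(p, vomsdir) for p in paths]
    contents = {os.path.basename(p): open(p).read() for p in paths}
    return names, contents, check_vomsdir(vomsdir)


if __name__ == "__main__":
    names, contents, report = run_demo()
    for name in names:
        print(name)
        print(contents[os.path.basename(name)], end="")
    print("problems:", report or "none")
```

Pointing check_vomsdir at a real /etc/grid-security/vomsdir is a quick way to catch the two most common mistakes after a hand edit or an rpm update: quoted DNs copied from a vomses file, and an extra blank line at the end of the file.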

Example for ALICE

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/alice/
total 12
-rw-r--r-- 1 root root 101 Feb 11 20:40 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11 20:40 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/alice/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/alice/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for ATLAS

NOTE: the server at BNL should no longer be used and has therefore been removed from this example.

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/atlas/
total 12
-rw-r--r-- 1 root root 101 Feb 11 20:40 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11 20:40 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/atlas/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/atlas/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for CMS

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/cms/
total 12
-rw-r--r-- 1 root root 101 Feb 11 20:40 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11 20:40 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/cms/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/cms/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for LHCb

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/lhcb/
total 12
-rw-r--r-- 1 root root 101 Feb 11 20:40 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11 20:40 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/lhcb/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/lhcb/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------

Example for OPS

----------------------------------------------------------------------
# ls -l /etc/grid-security/vomsdir/ops/
total 12
-rw-r--r-- 1 root root 101 Feb 11 20:40 lcg-voms2.cern.ch.lsc
-rw-r--r-- 1 root root  97 Feb 11 20:40 voms2.cern.ch.lsc
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/ops/lcg-voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
# cat /etc/grid-security/vomsdir/ops/voms2.cern.ch.lsc
/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch
/DC=ch/DC=cern/CN=CERN Grid Certification Authority
----------------------------------------------------------------------
Topic revision: r7 - 2014-12-02 - MaartenLitmaath