VOMS server in the Certification Testbed
Information for testbed users
General information
We have two testbed VOMS servers: one based on gLite 3.0 and one based on gLite 3.1.
Hosted VOs
The VOMS server presently hosts the following VOs:
gLite 3.1 / lxbra2309
VO Name | vomses entry | mkgridmap configuration
atlas | "atlas" "lxbra2309.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "atlas" | group vomss://lxbra2309.cern.ch:8443/voms/atlas .atlas
dteam | "dteam" "lxbra2309.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "dteam" | group vomss://lxbra2309.cern.ch:8443/voms/dteam .dteam
voms.org.glite | "voms.org.glite" "lxbra2309.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "voms.org.glite" | group vomss://lxbra2309.cern.ch:8443/voms/voms.org.glite .voms.org.glite
org.glite.voms.test | "org.glite.voms.test" "lxbra2309.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "org.glite.voms.test" | group vomss://lxbra2309.cern.ch:8443/voms/org.glite.voms.test .org.glite.voms.test
test | "test" "lxbra2309.cern.ch" "15005" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "test" | group vomss://lxbra2309.cern.ch:8443/voms/test .test
Test users
Each VO has a set of 200 test users (test_user_XXX) registered. You can find the certificates for the test users at /afs/cern.ch/project/gd/yaim-server/BitFace/user_certificates.
Ask Louis or Joachim if you need to get access rights to access them there.
In addition test_user_2 has admin rights on all the VOs.
VOMS management tasks in our Certification Testbed
The tasks associated with our VOMS server in the Certification Testbed are:
- Upgrading the version of voms core and voms admin in the VOMS host when necessary.
- Register users when they request it.
- Debug problems that users report by checking the log files. Reconfigure and restart the server when necessary.
- Receive the Oracle db admin notifications by subscribing to project-voms-wg@cern.ch.
- Renew the CRL of our Certification CA once per month and prepare the rpm to be updated in the repositories.
- Renew the test user certificates and the root certificate of our CA once per year.
VOMS configuration
Only atlas and dteam are normally configured in the testbed. If you need to configure any of the DNS-like VO names, please contact Louis Poncet.
The VOMS server is configured with the gLite python scripts and the main XML files that describe the configuration are stored in: waiting to know what to do.
It would be interesting to consider moving these config files to a proper location more related to our section, probably in /afs/cern.ch/project/gd/yaim-server.
The vomses file configuration is:
"atlas" "lxb1928.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "atlas"
"dteam" "lxb1928.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "dteam"
"voms.org.glite" "lxb1928.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "voms.org.glite"
"org.glite.voms-test" "lxb1928.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "org.glite.voms-test"
Oracle configuration
lxb1928.cern.ch is a VOMS Oracle server. The details of the Oracle accounts are as follows. We have 10 Oracle accounts to do our tests; the ones that are used for the VOMS server are:
- atlas: lcg_voms_test_1
- dteam: lcg_voms_test_2
- voms.org.glite: lcg_voms_test_3
- org.glite.voms-test: lcg_voms_test_4
The other accounts are currently used by Joachim and Dimitar to do VOMS testing.
The general configuration information of these accounts is:
- account name: lcg_voms_test_xx (with xx=1 to 10)
- password: please, contact Joachim, Maria or Dimitar.
- db server: int11r1-v.cern.ch
- db name: lcg_voms_int11r
- Contents of tnsnames.ora (the two closing parentheses of CONNECT_DATA and DESCRIPTION are required for the entry to be valid):
lcg_voms_int11r=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = int11r2-v.cern.ch)(PORT = 10121))
    (ADDRESS = (PROTOCOL = TCP)(HOST = int11r1-v.cern.ch)(PORT = 10121))
    (LOAD_BALANCE = yes)
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = lcg_voms_int11r.cern.ch)
    )
  )
The db admin of the Oracle db affecting our VOMS server is Miguel Anjo. It is very important to subscribe to project-voms-wg@cern.ch to be aware of the latest news about upgrades, migrations, etc.
The account password expires once per year. Once it has expired, Oracle warns you at your next login, and from then on you have 10 days to change it.
Useful sql commands
sqlplus lcg_voms_test_1/password@lcg_voms_int11r
It logs in to the db account lcg_voms_test_1.
select table_name from user_tables;
It gives you a list of tables in the db account.
select 'drop '||object_type||' '||object_name||';' out from user_objects order by object_type;
It generates the drop statements for every object in the db account; run the generated statements to delete the contents of the db. Sometimes the command --remove-db doesn't completely drop all the tables, so it could be useful to run this manually.
Host certificate
In order to trust our VOMS server, you can either install the rpm containing the public key:
http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/ctb-vomscerts-0.1-2.noarch.rpm
or configure your node types with the following YAIM variables in site-info.def:
VO_<vo_name>_VOMSES="'vo_name lxb1928.cern.ch port /DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch vo_name'"
VO_<vo_name>_VOMS_CA_DN="'/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch'"
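As an added example (not part of the original page, nor VOMS or YAIM code), a small Python script that parses the vomses lines given in the VOMS configuration section, checks that each server DN really names the host a client will connect to, and generates the matching site-info.def variables and edg-mkgridmap group line. The upper-casing of the VO name in the variable key and the 8443 voms-admin port are assumptions.

```python
import re
import shlex

# Constructed sample input: the two vomses lines this page lists for lxb1928.cern.ch.
VOMSES_TEXT = '''\
"atlas" "lxb1928.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "atlas"
"dteam" "lxb1928.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "dteam"
'''

def parse_vomses(text):
    """Parse vomses lines: five quoted fields (alias, host, port, server DN, VO name)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double quotes around each field
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 fields, got %d" % (lineno, len(fields)))
        alias, host, port, dn, vo = fields
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("line %d: bad port %r" % (lineno, port))
        entries.append({"alias": alias, "host": host, "port": int(port), "dn": dn, "vo": vo})
    return entries

def check_entry(entry):
    """Checks a client would trip over: the DN's CN must name the host it connects to,
    and the DN must fit the space-separated VO_<vo>_VOMSES form shown on this page."""
    problems = []
    match = re.search(r"/CN=([^/]+)$", entry["dn"])
    cn = match.group(1) if match else None
    if cn != entry["host"]:
        problems.append("DN CN %r does not match host %r" % (cn, entry["host"]))
    if " " in entry["dn"]:
        problems.append("DN contains spaces; it cannot be written in the VO_<vo>_VOMSES form")
    return problems

def yaim_vars(entry):
    """site-info.def lines in the form shown on this page. Variable key = VO name
    upper-cased with non-alphanumerics mapped to '_' (assumed YAIM convention)."""
    key = re.sub(r"[^A-Z0-9]", "_", entry["vo"].upper())
    vomses = "%s %s %d %s %s" % (entry["vo"], entry["host"], entry["port"], entry["dn"], entry["vo"])
    return ['VO_%s_VOMSES="\'%s\'"' % (key, vomses),
            'VO_%s_VOMS_CA_DN="\'%s\'"' % (key, entry["dn"])]  # page fills this with the server DN

def mkgridmap_line(entry):
    """edg-mkgridmap group line; voms-admin assumed on port 8443 as in the page's table."""
    return "group vomss://%s:8443/voms/%s .%s" % (entry["host"], entry["vo"], entry["vo"])
```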
User registration
The users of our VOs are mainly members of the certification team. The command to register a user in the lxb1928.cern.ch CLI is:
voms-admin --vo=<vo_name> create-user --nousercert "User_DN" "CA_DN" "User_CN" "User_Mail"
There are also 202 test users registered in the dteam and atlas VOs. The test users can be found in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/user_certificates/. Please check the instructions in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/README to learn how to create more users.
Adding ourselves to the VO
Due to a bug in the gLite 3.0 VOMS server the full DN is not taken, so a normal ctb user is not recognized and has to be added by hand via:
voms-admin -vo <vo_name> --nousercert create-user "User_DN" "CA_DN" "User_CN" "User_Mail"
where User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part).
Adding ctb member as admin
For gLite 3.0, to add a ctb member as admin, you need to run:
voms-admin -vo <vo_name> -nousercert add-acl-entry Global-ACL allow all "User_DN" "CA_DN"
where User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part).
For gLite 3.1, to add a ctb member as admin, you need to run:
voms-admin --vo=<vo_name> add-ACL-entry /<vo_name> "USER_DN" "CA_DN" ALL TRUE
if you don't have the certificate; otherwise:
voms-admin --vo=org.glite.voms-test --usercert <CERT_FILE> add-ACL-entry /org.glite.voms-test ALL TRUE
Mapping of vo to oracle accounts
lcg_voms_test_1 | atlas
lcg_voms_test_2 | dteam
lcg_voms_test_3 | voms.org.glite
lcg_voms_test_4 | org.glite.voms-test
lcg_voms_test_5 |
lcg_voms_test_6 |
lcg_voms_test_7 |
lcg_voms_test_8 | test
Certification Authority
The CA that has signed the test certificates is our certification CA. The relevant files are stored in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/demoCA/.
In order to install the relevant CA files in /etc/grid-security/certificates and trust the CA, please install the latest version of the rpm ca_Bitface from:
http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/
or
http://grid-deployment.web.cern.ch/grid-deployment/glite/cert/3.1/internal/sl4/i386/RPMS.cert-updates/
The latest version of the mentioned rpm always contains an up-to-date CRL file. The CRL file expires every month. Please check the instructions in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/README to know what to do to renew it.