VOMS server in the Certification Testbed

Information for testbed users

General information

We have two testbed VOMS server - one based on gLite 3.0 and one based on gLite 3.1:

Hosted VOs

The VOMS server presently hosts the following VOs

gLite 3.1 / lxbra2309

VO Name vomses entry mkgridmap configuration
atlas "atlas" "lxbra2309.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "atlas" group vomss://lxbra2309.cern.ch:8443/voms/atlas .atlas
dteam "dteam" "lxbra2309.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "dteam" group vomss://lxbra2309.cern.ch:8443/voms/dteam .dteam
voms.org.glite "voms.org.glite" "lxbra2309.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "voms.org.glite" group vomss://lxbra2309.cern.ch:8443/voms/voms.org.glite .voms.org.glite
org.glite.voms.test "org.glite.voms.test" "lxbra2309.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "org.glite.voms.test" group vomss://lxbra2309.cern.ch:8443/voms/org.glite.voms.test .org.glite.voms.test
test "test" "lxbra2309.cern.ch" "15005" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "test" group vomss://lxbra2309.cern.ch:8443/voms/test .test

Test users

Each VO has a set of 200 test users (test_user_XXX) registered. You can find the certificates for the test users at /afs/cern.ch/project/gd/yaim-server/BitFace/user_certificates. Ask Louis or Joachim if you need to get access rights to access them there.

In addition test_user_2 has admin rights on all the VOs.

VOMS management tasks in our Certification Testbed

The tasks associated with our VOMS server in the Certification Testbed are:

  • Upgrading the version of voms core and voms admin in the VOMS host when necessary.
  • Register users when they request it.
  • Debug problems when the users report about them by checking the log files. Reconfigure and restart the server when necessary.
  • Receive the Oracle db admin notifications by registering in project-voms-wg@cernNOSPAMPLEASE.ch.
  • Renew the crl of our Certification CA once per month and prepare the rpm to be updated in the repositories.
  • Renew the Test user certificates and the root certificate of our CA once per year.

VOMS configuration

Only atlas and dteam are normally configured in the testbed. If you need to configure any of the DNS-like VO names, please contact Louis Poncet.

The VOMS server is configured with the gLite python scripts and the main XML files that describe the configuration are stored in: waiting to know what to do.

It would be interesting to consider to move these config files in a proper location more related to our section. Probably in /afs/cern.ch/project/gd/yaim-server.

The vomses file configuration is:

"atlas" "lxb1928.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "atlas"
"dteam" "lxb1928.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "dteam"
"voms.org.glite" "lxb1928.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "voms.org.glite"
"org.glite.voms-test" "lxb1928.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "org.glite.voms-test"

Oracle configuration

lxb1928.cern.ch is a VOMS oracle server. The details of the oracle accounts are:

We have 10 oracle accounts to do our tests. The ones that are used for the VOMS server are:

  • atlas: lcg_voms_test_1
  • dteam: lcg_voms_test_2
  • voms.org.glite: lcg_voms_test_3
  • org.glite.voms-test: lcg_voms_test_4
The other accounts are currently used by Joachim and Dimitar to do VOMS testing.

The general configuration information of these accounts is:

  • account name: lcg_voms_test_xx (with xx=1 to 10)
  • password: please, contact Joachim, Maria or Dimitar.
  • db server: int11r1-v.cern.ch
  • db name: lcg_voms_int11r
  • Contents of tnsames.ora:
lcg_voms_int11r=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = int11r2-v.cern.ch)(PORT = 10121))
    (ADDRESS = (PROTOCOL = TCP)(HOST = int11r1-v.cern.ch)(PORT = 10121))
    (LOAD_BALANCE = yes)
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = lcg_voms_int11r.cern.ch)

The db admin of the Oracle db affecting our VOMS server is Miguel Anjo. It's very important to register to project-voms-wg@cernNOSPAMPLEASE.ch to be aware of the latest news about upgrades, migrations, etc.

The account password expires once per year. Once it's expired, Oracle waits until you log in it to warn you about it and then you have 10 days to change it.

Useful sql commands

sqlplus lcg_voms_test_1/password@lcg_voms_int11r
It logs in the db account lcg_voms_test_1.

select table_names from user_tables;
It gives you a list of tables in the db account.

select 'drop '||object_type||' '||object_name||';' out from user_objects order by object_type;
It deletes the contents of the db. Sometimes the command --remove-db doesn't completely drop all the tables, so it could be useful to run this manually.

Host certificate

In order to trust our VOMS server, you can either install the rpm containing the public key:

http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/ctb-vomscerts-0.1-2.noarch.rpm

or configure your node types with the following YAIM variables in site-info.def:

VO__VOMSES="'vo_name lxb1928.cern.ch port /DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch vo_name'" VO__VOMS_CA_DN="'/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch'"

User registration

The users of our VOs are mainly members of the certification team. The command to register a user in the lxb1928.cern.ch CLI is:

voms-admin --vo=<vo_name> create-user --nousercert "User_DN" "CA_DN" "User_CN" "User_Mail"

There are also 202 test users registered in the dteam and atlas VOs. The Test users can be found in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/user_certificates/. Please check the instructions in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/README to know how to create more users.

Adding ourself to the VO

Due to a bug in the glite 3.0 VOMS server the full DN is not taken and therefore a normal ctb user is not recognized. So one need to add the user by hand via:

voms-admin -vo <vo_name> --nousercert create-user "User_DN" "CA_DN" "User_CA" "User_Mail"

where the User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part.

Adding ctb member as admin

For gLite 3.0 to add a ctb member as admin, you need to do

voms-admin -vo <vo_name>  -nousercert  add-acl-entry  Global-ACL allow all  "User_DN" "CA_DN"

where the User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part.

For gLite 3.1 to add a ctb member as admin, you need to do

voms-admin --vo=<vo_name> add-ACL-entry /<vo_name> "USER_DN" "CA_DN" ALL TRUE

if you don't have the certificate otherwise

voms-admin --vo=org.glite.voms-test --usercert <CERT_FILE> add-ACL-entry /org.glite.voms-test ALL TRUE

Mapping of vo to oracle accounts

lcg_voms_test_1 atlas
lcg_voms_test_2 dteam
lcg_voms_test_3 voms.org.glite
lcg_voms_test_4 org.glite.voms-test
lcg_voms_test_5  
lcg_voms_test_6  
lcg_voms_test_7  
lcg_voms_test_8 test

Certification Authority

The CA that has signed the test certificates is our certification CA. The relevant files are stored in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/demoCA/.

In order to install the relevant CA files in /etc/grid-security/certificates and trust the CA, please install the latest version of the rpm ca_Bitface from:

http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/

or

http://grid-deployment.web.cern.ch/grid-deployment/glite/cert/3.1/internal/sl4/i386/RPMS.cert-updates/

The latest version of the mentioned rpm always contains an up to date crl file. The crl file expires every month. Please, check the instructions in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/README to know what to do to renew it.

Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r9 - 2008-12-12 - AndrewElwell
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback