VOMS server in the Certification Testbed
Information for testbed users
General information
We have two testbed VOMS server - one based on gLite 3.0 and one based on gLite 3.1:- The gLite 3.1 VOMS server is hosted by lxbra2309.cern.ch. You can access the web interface via: https://lxbra2309.cern.ch:8443/vomses
- The gLite 3.0 VOMS server that was on lxb1928.cern.ch has been decomissioned
Hosted VOs
The VOMS server presently hosts the following VOsgLite 3.1 / lxbra2309
| VO Name | vomses entry | mkgridmap configuration |
|---|---|---|
| atlas |
"atlas" "lxbra2309.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "atlas" | group vomss://lxbra2309.cern.ch:8443/voms/atlas .atlas |
| dteam |
"dteam" "lxbra2309.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "dteam" | group vomss://lxbra2309.cern.ch:8443/voms/dteam .dteam |
| voms.org.glite |
"voms.org.glite" "lxbra2309.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "voms.org.glite" | group vomss://lxbra2309.cern.ch:8443/voms/voms.org.glite .voms.org.glite |
| org.glite.voms.test |
"org.glite.voms.test" "lxbra2309.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "org.glite.voms.test" | group vomss://lxbra2309.cern.ch:8443/voms/org.glite.voms.test .org.glite.voms.test |
| test |
"test" "lxbra2309.cern.ch" "15005" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "test" | group vomss://lxbra2309.cern.ch:8443/voms/test .test |
Test users
Each VO has a set of 200 test users (test_user_XXX) registered. You can find the certificates for the test users at /afs/cern.ch/project/gd/yaim-server/BitFace/user_certificates. Ask Louis or Joachim if you need to get access rights to access them there. In addition test_user_2 has admin rights on all the VOs.VOMS management tasks in our Certification Testbed
The tasks associated with our VOMS server in the Certification Testbed are:- Upgrading the version of voms core and voms admin in the VOMS host when necessary.
- Register users when they request it.
- Debug problems when the users report about them by checking the log files. Reconfigure and restart the server when necessary.
- Receive the Oracle db admin notifications by registering in project-voms-wg@cernNOSPAMPLEASE.ch.
- Renew the crl of our Certification CA once per month and prepare the rpm to be updated in the repositories.
- Renew the Test user certificates and the root certificate of our CA once per year.
VOMS configuration
Only atlas and dteam are normally configured in the testbed. If you need to configure any of the DNS-like VO names, please contact Louis Poncet. The VOMS server is configured with the gLite python scripts and the main XML files that describe the configuration are stored in: waiting to know what to do. It would be interesting to consider to move these config files in a proper location more related to our section. Probably in/afs/cern.ch/project/gd/yaim-server.
The vomses file configuration is:
"atlas" "lxb1928.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "atlas" "dteam" "lxb1928.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "dteam" "voms.org.glite" "lxb1928.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "voms.org.glite" "org.glite.voms-test" "lxb1928.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "org.glite.voms-test"
Oracle configuration
lxb1928.cern.ch is a VOMS oracle server. The details of the oracle accounts are: We have 10 oracle accounts to do our tests. The ones that are used for the VOMS server are:- atlas: lcg_voms_test_1
- dteam: lcg_voms_test_2
- voms.org.glite: lcg_voms_test_3
- org.glite.voms-test: lcg_voms_test_4
- account name: lcg_voms_test_xx (with xx=1 to 10)
- password: please, contact Joachim, Maria or Dimitar.
- db server: int11r1-v.cern.ch
- db name: lcg_voms_int11r
- Contents of tnsames.ora:
lcg_voms_int11r=
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = int11r2-v.cern.ch)(PORT = 10121))
(ADDRESS = (PROTOCOL = TCP)(HOST = int11r1-v.cern.ch)(PORT = 10121))
(LOAD_BALANCE = yes)
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = lcg_voms_int11r.cern.ch)
The db admin of the Oracle db affecting our VOMS server is Miguel Anjo. It's very important to register to project-voms-wg@cernNOSPAMPLEASE.ch to be aware of the latest news about upgrades, migrations, etc.
The account password expires once per year. Once it's expired, Oracle waits until you log in it to warn you about it and then you have 10 days to change it.
Useful sql commands
sqlplus lcg_voms_test_1/password@lcg_voms_int11rIt logs in the db account
lcg_voms_test_1.
select table_names from user_tables;It gives you a list of tables in the db account.
select 'drop '||object_type||' '||object_name||';' out from user_objects order by object_type;It deletes the contents of the db. Sometimes the command
--remove-db doesn't completely drop all the tables, so it could be useful to run this manually.
Host certificate
In order to trust our VOMS server, you can either install the rpm containing the public key:http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/ctb-vomscerts-0.1-2.noarch.rpmor configure your node types with the following YAIM variables in site-info.def: VO_
User registration
The users of our VOs are mainly members of the certification team. The command to register a user in the lxb1928.cern.ch CLI is:voms-admin --vo=<vo_name> create-user --nousercert "User_DN" "CA_DN" "User_CN" "User_Mail"There are also 202 test users registered in the
dteam and atlas VOs. The Test users can be found in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/user_certificates/. Please check the instructions in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/README to know how to create more users.
Adding ourself to the VO
Due to a bug in the glite 3.0 VOMS server the full DN is not taken and therefore a normal ctb user is not recognized. So one need to add the user by hand via:voms-admin -vo <vo_name> --nousercert create-user "User_DN" "CA_DN" "User_CA" "User_Mail"where the User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part.
Adding ctb member as admin
For gLite 3.0 to add a ctb member as admin, you need to dovoms-admin -vo <vo_name> -nousercert add-acl-entry Global-ACL allow all "User_DN" "CA_DN"where the User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part. For gLite 3.1 to add a ctb member as admin, you need to do
voms-admin --vo=<vo_name> add-ACL-entry /<vo_name> "USER_DN" "CA_DN" ALL TRUEif you don't have the certificate otherwise
voms-admin --vo=org.glite.voms-test --usercert <CERT_FILE> add-ACL-entry /org.glite.voms-test ALL TRUE
Mapping of vo to oracle accounts
| lcg_voms_test_1 | atlas |
| lcg_voms_test_2 | dteam |
| lcg_voms_test_3 | voms.org.glite |
| lcg_voms_test_4 | org.glite.voms-test |
| lcg_voms_test_5 | |
| lcg_voms_test_6 | |
| lcg_voms_test_7 | |
| lcg_voms_test_8 | test |
Certification Authority
The CA that has signed the test certificates is our certification CA. The relevant files are stored in/afs/cern.ch/project/gd/yaim-server/BitFaceCA/demoCA/.
In order to install the relevant CA files in /etc/grid-security/certificates and trust the CA, please install the latest version of the rpm ca_Bitface from:
http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/
or
http://grid-deployment.web.cern.ch/grid-deployment/glite/cert/3.1/internal/sl4/i386/RPMS.cert-updates/
The latest version of the mentioned rpm always contains an up to date crl file. The crl file expires every month. Please, check the instructions in /afs/cern.ch/project/gd/yaim-server/BitFaceCA/README to know what to do to renew it. Topic revision: r9 - 2008-12-12 - AndrewElwell
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback