---+ VOMS server in the Certification Testbed

%TOC%

---++ Information for testbed users

---+++ General information

We have two testbed VOMS servers, one based on gLite 3.0 and one based on gLite 3.1:

   * The gLite 3.1 VOMS server is hosted by lxbra2309.cern.ch. You can access the web interface via [[https://lxbra2309.cern.ch:8443/vomses][https://lxbra2309.cern.ch:8443/vomses]].
   * The gLite 3.0 VOMS server that was on lxb1928.cern.ch has been decommissioned.

---+++ Hosted VOs

The VOMS server presently hosts the following VOs.

---++++ gLite 3.1 / lxbra2309

| *VO Name* | *vomses entry* | *mkgridmap configuration* |
| [[https://lxbra2309.cern.ch:8443/voms/atlas][atlas]] | "atlas" "lxbra2309.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "atlas" | group vomss://lxbra2309.cern.ch:8443/voms/atlas .atlas |
| [[https://lxbra2309.cern.ch:8443/voms/dteam][dteam]] | "dteam" "lxbra2309.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "dteam" | group vomss://lxbra2309.cern.ch:8443/voms/dteam .dteam |
| [[https://lxbra2309.cern.ch:8443/voms/voms.org.glite][voms.org.glite]] | "voms.org.glite" "lxbra2309.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "voms.org.glite" | group vomss://lxbra2309.cern.ch:8443/voms/voms.org.glite .voms.org.glite |
| [[https://lxbra2309.cern.ch:8443/voms/org.glite.voms.test][org.glite.voms.test]] | "org.glite.voms.test" "lxbra2309.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "org.glite.voms.test" | group vomss://lxbra2309.cern.ch:8443/voms/org.glite.voms.test .org.glite.voms.test |
| [[https://lxbra2309.cern.ch:8443/voms/test][test]] | "test" "lxbra2309.cern.ch" "15005" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "test" | group vomss://lxbra2309.cern.ch:8443/voms/test .test |

---++ Test users

Each VO has a set of 200 test users (test_user_XXX) registered. You can find the certificates for the test users at =/afs/cern.ch/project/gd/yaim-server/BitFace/user_certificates=.
Ask Louis or Joachim if you need access rights to read them there. In addition, test_user_2 has admin rights on all the VOs.

---++ VOMS management tasks in our Certification Testbed

The tasks associated with our VOMS server in the Certification Testbed are:

   * Upgrading the version of voms core and voms admin on the VOMS host when necessary.
   * Registering users when they request it.
   * Debugging problems that users report by checking the log files, and reconfiguring and restarting the server when necessary.
   * Receiving the Oracle db admin notifications by subscribing to project-voms-wg@cern.ch.
   * Renewing the CRL of our Certification CA once per month and preparing the rpm to be updated in the repositories.
   * Renewing the test user certificates and the root certificate of our CA once per year.

---++ VOMS configuration

Only atlas and dteam are normally configured in the testbed. If you need to configure any of the DNS-like VO names, please contact Louis Poncet.

The VOMS server is configured with the gLite python scripts. The main XML files that describe the configuration are stored in: waiting to know what to do.

<!--
   * [[https://egee-jra1-testing.web.cern.ch/egee-jra1-testing/testbed/config_files/gLite_3.0-cert/VOMS_Oracle_lxb1928.xml][https://egee-jra1-testing.web.cern.ch/egee-jra1-testing/testbed/config_files/gLite_3.0-cert/VOMS_Oracle_lxb1928.xml]]
   * [[https://egee-jra1-testing.web.cern.ch/egee-jra1-testing/testbed/config_files/gLite_3.0-cert/lxb1928-vo_list.xml][https://egee-jra1-testing.web.cern.ch/egee-jra1-testing/testbed/config_files/gLite_3.0-cert/lxb1928-vo_list.xml]]
-->

It would be interesting to consider moving these config files to a proper location more related to our section, probably =/afs/cern.ch/project/gd/yaim-server=.
The vomses file configuration is:

<verbatim>
"atlas" "lxb1928.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "atlas"
"dteam" "lxb1928.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "dteam"
"voms.org.glite" "lxb1928.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "voms.org.glite"
"org.glite.voms-test" "lxb1928.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "org.glite.voms-test"
</verbatim>

---++ Oracle configuration

lxb1928.cern.ch is a VOMS Oracle server. We have 10 Oracle accounts for our tests. The ones used for the VOMS server are:

   * atlas: lcg_voms_test_1
   * dteam: lcg_voms_test_2
   * voms.org.glite: lcg_voms_test_3
   * org.glite.voms-test: lcg_voms_test_4

The other accounts are currently used by Joachim and Dimitar for VOMS testing. The general configuration information of these accounts is:

   * account name: lcg_voms_test_xx (with xx=1 to 10)
   * password: please contact Joachim, Maria or Dimitar.
   * db server: int11r1-v.cern.ch
   * db name: lcg_voms_int11r
   * Contents of =tnsnames.ora=:

<verbatim>
lcg_voms_int11r=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = int11r2-v.cern.ch)(PORT = 10121))
    (ADDRESS = (PROTOCOL = TCP)(HOST = int11r1-v.cern.ch)(PORT = 10121))
    (LOAD_BALANCE = yes)
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = lcg_voms_int11r.cern.ch)
    )
  )
</verbatim>

The db admin of the Oracle db behind our VOMS server is Miguel Anjo. It is very important to subscribe to project-voms-wg@cern.ch to be aware of the latest news about upgrades, migrations, etc.

The account password expires once per year. Once it has expired, Oracle warns you about it at your next login, and you then have 10 days to change it.

---+++ Useful sql commands

<verbatim>sqlplus lcg_voms_test_1/password@lcg_voms_int11r</verbatim>

It logs in to the db account =lcg_voms_test_1=.
<verbatim>select table_name from user_tables;</verbatim>

It gives you the list of tables in the db account.

<verbatim>select 'drop '||object_type||' '||object_name||';' out from user_objects order by object_type;</verbatim>

It generates one DROP statement per object in the account; running the generated statements empties the schema. Sometimes the command =--remove-db= doesn't completely drop all the tables, so it can be useful to do this manually.

---++ Host certificate

In order to trust our VOMS server, you can either install the rpm containing the public key:

<verbatim>http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/ctb-vomscerts-0.1-2.noarch.rpm</verbatim>

or configure your node types with the following YAIM variables in site-info.def:

<verbatim>
VO_<vo_name>_VOMSES="'vo_name lxb1928.cern.ch port /DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch vo_name'"
VO_<vo_name>_VOMS_CA_DN="'/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch'"
</verbatim>

---++ User registration

The users of our VOs are mainly members of the certification team. The command to register a user in the lxb1928.cern.ch CLI is:

<verbatim>voms-admin --vo=<vo_name> create-user --nousercert "User_DN" "CA_DN" "User_CN" "User_Mail"</verbatim>

There are also 202 test users registered in the =dteam= and =atlas= VOs. The test users can be found in =/afs/cern.ch/project/gd/yaim-server/BitFaceCA/user_certificates/=. Please check the instructions in =/afs/cern.ch/project/gd/yaim-server/BitFaceCA/README= to learn how to create more users.

---+++ Adding ourself to the VO

Due to a bug in the gLite 3.0 VOMS server the full DN is not taken and therefore a normal ctb user is not recognized.
So one needs to add the user by hand via:

<verbatim>voms-admin --vo=<vo_name> --nousercert create-user "User_DN" "CA_DN" "User_CN" "User_Mail"</verbatim>

<b>where User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part).</b>

---++ Adding ctb member as admin

For gLite 3.0, to add a ctb member as admin you need to do:

<verbatim>voms-admin --vo=<vo_name> --nousercert add-acl-entry Global-ACL allow all "User_DN" "CA_DN"</verbatim>

<b>where User_DN and User_CN must match what is shown when you connect to the VOMS server with your normal certificate as a user (normally this means you have to omit the CN=65675765 number part).</b>

For gLite 3.1, to add a ctb member as admin you need to do:

<verbatim>voms-admin --vo=<vo_name> add-ACL-entry /<vo_name> "USER_DN" "CA_DN" ALL TRUE</verbatim>

if you don't have the certificate, otherwise:

<verbatim>voms-admin --vo=org.glite.voms-test --usercert <CERT_FILE> add-ACL-entry /org.glite.voms-test ALL TRUE</verbatim>

---++ Mapping of vo to oracle accounts

| lcg_voms_test_1 | atlas |
| lcg_voms_test_2 | dteam |
| lcg_voms_test_3 | voms.org.glite |
| lcg_voms_test_4 | org.glite.voms-test |
| lcg_voms_test_5 | |
| lcg_voms_test_6 | |
| lcg_voms_test_7 | |
| lcg_voms_test_8 | test |

---++ Certification Authority

The CA that has signed the test certificates is our certification CA. The relevant files are stored in =/afs/cern.ch/project/gd/yaim-server/BitFaceCA/demoCA/=.
In order to install the relevant CA files in =/etc/grid-security/certificates= and trust the CA, please install the latest version of the rpm =ca_Bitface= from:

   * [[http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/][http://lxb2042.cern.ch/gLite/APT/R3.0-cert/rhel30/RPMS.internal/]]
   * [[http://grid-deployment.web.cern.ch/grid-deployment/glite/cert/3.1/internal/sl4/i386/RPMS.cert-updates/][http://grid-deployment.web.cern.ch/grid-deployment/glite/cert/3.1/internal/sl4/i386/RPMS.cert-updates/]]

The latest version of the mentioned rpm always contains an up-to-date CRL file. The CRL file expires every month. Please check the instructions in =/afs/cern.ch/project/gd/yaim-server/BitFaceCA/README= to know what to do to renew it.
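The vomses entries in the Hosted VOs table and the =VO_<vo_name>_VOMSES= / mkgridmap lines derived from them all have to agree with each other and with the host that is actually in service. The following script is an added example, not part of this page or of the gLite tools: it parses vomses lines, flags entries whose pinned server DN does not name the host column or that still point at a host other than lxbra2309 (the sample includes one constructed stale lxb1928 line), and emits the matching site-info.def and mkgridmap lines. The YAIM variable-name convention (VO name upper-cased, =.= and =-= replaced by =_=) is an assumption.

```python
import re
import shlex

# Constructed sample: the lxbra2309 entries from the Hosted VOs table plus a stale line for lxb1928.
SAMPLE_VOMSES = '''
"atlas" "lxbra2309.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "atlas"
"dteam" "lxbra2309.cern.ch" "15002" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "dteam"
"voms.org.glite" "lxbra2309.cern.ch" "15003" "/DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch" "voms.org.glite"
"test" "lxb1928.cern.ch" "15005" "/DC=ch/DC=cern/OU=computers/CN=lxb1928.cern.ch" "test"
'''

def parse_vomses(text):
    """One dict per vomses line; each line is five double-quoted fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # shlex honours the double quotes
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 quoted fields, got {len(fields)}")
        alias, host, port, dn, vo = fields
        entries.append({"alias": alias, "host": host, "port": port, "dn": dn, "vo": vo})
    return entries

def check_entry(e, servers=("lxbra2309.cern.ch",)):
    """Problems with one entry; an empty list means it is consistent and current."""
    problems = []
    if not e["port"].isdigit() or not 1 <= int(e["port"]) <= 65535:
        problems.append("port is not a valid TCP port")
    # Clients pin the server identity to this DN, so its CN must be the host column.
    m = re.search(r"/CN=([^/]+)$", e["dn"])
    if not m or m.group(1) != e["host"]:
        problems.append("DN CN does not match host")
    if e["host"] not in servers:
        problems.append("host is not a current testbed VOMS server")
    if e["alias"] != e["vo"]:
        problems.append("alias differs from VO name")
    return problems

def audit(text):
    return {e["vo"]: check_entry(e) for e in parse_vomses(text)}

def yaim_vomses_var(e):
    """site-info.def line; assumed YAIM naming: VO upper-cased, '.' and '-' -> '_'."""
    var = "VO_" + re.sub(r"[.-]", "_", e["vo"].upper()) + "_VOMSES"
    return var + "=\"'" + " ".join([e["vo"], e["host"], e["port"], e["dn"], e["vo"]]) + "'\""

def mkgridmap_line(e):
    return f"group vomss://{e['host']}:8443/voms/{e['vo']} .{e['vo']}"
```

Running =audit(SAMPLE_VOMSES)= reports the lxb1928 entry as pointing at a host that is no longer a testbed server while the four lxbra2309 entries come back clean.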
Topic revision: r9 - 2008-12-12 - AndrewElwell