TWiki> LCG Web>VomrsUpdateLog (revision 27)EditAttachPDF

VOMRS update history

23rd January 2008


--------  Message from Tanya today --------
VOMRS new version is available at:

1. Sync logic between vomrs/voms has been changed to minimize number of calls to voms (before it was done per member basis, now it is done per group group/role basis)
2. Modified VOMS events, so vomrs doesn't  attempt to perform any sync on "expired"/"suspended" member

    A. If you are doing fresh install just install rpm and configure a vo

    B. If you are doing upgrade, do the following:

        a. stop tomcat and vomrs server
        b. wget rpm
        c. rpm -e vomrs-1.3
        d. rpm -i vomrs-1.3-2.noarch.rpm
        e. export VOMRS_LOCATION=/opt/vomrs-1.3
           cd $VOMRS_LOCATION/sbin/release_scripts
        f.  cd $CATALINA_HOME/webapps - clean up vomrs releated dir
        g. restart tomcat and vomrs server

It should be test with tomcat55, oracle, voms 1.2.10

20th December 2007

VOMRS on lcgproduction is upgraded from vomrs-1.3-1e to vomrs-1.3-1f by Tanya 20th Dec.2008.

Features of VOMRS-1.3-1f (3 bugs are fixed):

a. Representative does not receive email where he/she was asked to do the approval of a new member bug#32794

b. deletion from the groups during sync now starts from the "bottom" group bug#32795

- e.g. first from /test/test1/test12

then /test/test1

c. vomrs checks for a "new" status for each group and doesn't try to sync member if the status of at least one of the parent group is New. bug#32796

Below are upgrade steps /tmp; wget

2. service tomcat5 stop

3. service vomrs stop

4. rpm -e vomrs-1.3

5. rpm -i vomrs-1.3-1f.noarch.rpm

6. cd usr/share/tomcat5/webapps

rm -rf vo

7. service tomcat5 start

8 service vomrs start

5th November 2007

Features of vomrs-1.3.1-e, now on, to be put in production end of November 2007. Don't forget the fix for vomrs not synchronising with voms-admin when the CA is expired, entries manually removed by Tanya on 26/10/07. Is there a savannah bug for this? Please mention all the savannah bugs (clickable) fixed in this release.

Features of VOMRS-1.3-1e (3 bugs are fixed):

a. vomrs will not try to synchronize with voms when member status is "Approved" but primary certificate status is not "Approved" - vomrs server bug#31000

b. allow search for members with specific value for GA - it was broken in webui bug#31001

c. added "Expired" certificate status in drop down menu for search criteria in menus related to Certificate - web ui bug#31002

25th September 2007

After running auto-test on lxb1922 and upgrade script test on using test VO by Lanxin. VOMRS in production(voms102,voms103) has been upgraded from 1.3-0 to 1.3-1d. The upgrade is done by Lanxin at 25th Sep, 2007 11:30am(Genava time).

VOMRS-1.3-1d has new features (please see the update log in 4th June. 2007).

Since new voms-admin-server-2.0.X is still in certification, VOMRS-1.3-1d works together with the current VOMS in production. We do not use oracle oci driver and switch off GA support. Here is the configuration in current production.



oracle server

oracle client


  • Version: 1.3-1d
  • ORACLE driver: thin
  • GA support: off


  • voms-admin-server-1.2.19-1
  • tomcat5-5.0.28-11_EGEE

25th September 2007

vomrs-1.3.1-d upgrade plan on a voms-admin-server-1.2.19 production system
  • Prepare vomrs-1.3.1-d rpm for voms-admin-1.2.19, which we run now in production. To see what version of log4j, glite-trust-manager, bcprov libraries are needed for this rpm, login (via to to see all production environment. [Tanya]
  • Install rpm on a test machine with the following steps, offered by Tanya [Lanxin]
1. download rpm:
2. remove old rpm
rpm -e vomrs-1.3
3. install new rpm
rpm -i vomrs-1.3-1c.noarch.rpm
4. cd $VOMRS_LOCATION/sbin/release_scripts/
5. run upgrade script (sqlplus should be in th PATH), below is an example for vo test (if you want to upgrade everything do not specify the name)
    ./vomrs_upgrade_1.3  test
Start VOMRS Upgrade from 1.3.0 to 1.3.1
You will need to provide the following information:
       VOMRS_LOCATION     - root directory of vomrs 1.3
       optional <VO_NAME> - if you would like to upgrade just
                            one of the vo instances
We found a VOMRS_LOCATION variable in your environment.
Verify that this is the correct value: (default: /opt/vomrs-1.3) :
Do you want to continue (y,n,quit): y
Upgrade vomrs test  (y,n,quit): y
Enter oracle user authorzied to alter tables: (default: lcg_vomrs_test_w) : lcg_vomrs_test
...executing sqlplus command: echo "WHENEVER SQLERROR EXIT SQL.SQLCODE ROLLBACK
"| sqlplus 'vomrs_dev1/<db_password>@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)( (CONNECT_DATA=(SERVICE_NAME=d0ofdev1)))'

SQL*Plus: Release - Production on Wed Sep 19 11:58:19 2007
Copyright (c) 1982, 2005, Oracle.  All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release - 64bit Production
With the Partitioning and Data Mining options
Table altered.
Commit complete.
SQL> SQL> Disconnected from Oracle Database 10g Enterprise Edition Release - 64bit Production
With the Partitioning and Data Mining options


Add VOMS GA Support test  [y,n,] (default: n) : n
Replace thin with oci driver vomrs test [y,n,] (default: y) : n


Upgrade events,interfaces and services starts
Executing command: /opt/vomrs-1.3/sbin/loader /opt/vomrs-1.3/var/etc/vomrs_testo/vomrs.xml /opt/vomrs-1.3/etc/dbms/code-related-data/ /opt/vomrs-1.3/etc
/dbms/code-related-data/ /opt/vomrs-1.3/etc/dbms/code-related-data/ /opt/vomrs-1.3/sbin/release_scripts/
The log file name is /var/log/vomrs/vomrs_testo.log
Data committed.
Events, interfaces and services update ended successfully
You have to restart the Apache Tomcat to effect the changes.
You have to start VOMRS Server for this vo:
service vomrs start testo
5. stop tomcat
6. do clean up of webapps
cd  /usr/share/tomcat5/webapps
rm -rf vo
7. restart tomcat
  1. Run tests, at least the auto-test on a test machine. [Lanxin]
  2. When successful, install the current production vomrs-1.3.0 on the 'shadow' host of (voms101 or voms104, which are identical in configuration, choosing the one which is NOT in production). [Remi]
  3. Upgrade the current production vomrs-1.3.0 to vomrs-1.3.1-d on he 'shadow' host of Thus, we are also checking how smooth the upgrade will be. [Lanxin &/or Remi]
  4. Stop the 'test' VO vomrs process on lcg-voms (voms102 or voms103, the one which DOES run vomrs). [Remi]
  5. Start the 'test' VO vomrs process on the 'shadow. [Remi]
  6. Do some 'test' VO vomrs transactions on this environment. Advantages: The whole voms stack and the database is identical to the one on voms101,2,3. NB!!! The test vomrs host DN should be entered via the ACL list to the voms-admin with which it has to synchronise. [Remi]
  7. If all OK, announce and make the upgrade on voms102 and voms103. As there is a database change involved the upgrade to production can't be transparent. The service must be stopped.

The change took place on Sept. 25th at 10:30am CEST.

28th August 2007

vomrs-1.3.0 webui security upgrade. This procedure should be followed on both voms102 and voms103 nodes.

  1. Broadcast to the relevant (10 email addresses) VO Admins via gmod/cic portal.
  2. Identify the slave as in VomsServiceInterventions
  3. Do the following steps:
    1. put both hosts (voms102,103) in maintenance mode via SMS tool (disables lemon alarms)
    2. disable tomcat on slave
    3. cd $VOMRS_LOCATION/webapps on slave
    4. cp vomrs.war vomrs.war.volun on slave
    5. wget on slave
    6. cd $CATALINA_HOME/webapps/vo on slave (this directory should belong to tomcat4:tomcat4)
    7. rm -rf alice atlas cms dteam geant4 lhcb ops sixt test unosat on slave
    8. restart tomcat on slave
    9. stop vomrs processes on master
    10. start vomrs processes on slave
    11. verify that VOMRS is available - use test vo and perform some basic commands (on slave)
    12. Stop vomrs processes on slave
    13. disable tomcat on master
    14. cd $VOMRS_LOCATION/webapps on master
    15. cp vomrs.war vomrs.war.volun on master
    16. wget on master
    17. cd $CATALINA_HOME/webapps/vo on master (this directory should belong to tomcat4:tomcat4)
    18. rm -rf alice atlas cms dteam geant4 lhcb ops sixt test unosat on master
    19. restart tomcat on master
    20. start vomrs processes on master
    21. put both hosts back in production mode via SMS tool (enables lemon alarms)

4th June. 2007

VOMRS-1.3-1 new features:

1. Implemented VOMS GA support:

a. vomrs can be configured to support voms generic attributes (GA) ( on in vomrs.xml)

b. if the option set off, voms GAs are not supported

c. if the options set on, vo administrator could add any VOMS Attribute via "Add/Modify Personal Info" web ui dialog while selecting options for a new personal info token, he should select the following:

.) name e.g. nickname

.) isPrivate e.g could be checked or no checked

.) isPersistent e.g should be checked

.) isVomsAttribute e.g should be cheacked

.) isExternal e.g should be unchecked if only VO Admin is allowed to change teh value of this token

.) phase e.g II

.) default

d. VO Administrator can fill out the VOMS attribute when approving an applicant via "Set Status" web ui

e. VO Administrator can change VOMS Attribute value at any time by using "Edit Personal Info" web ui

f. Addition/deletion of VOMS Attribute as well as any modification of the value of VOMS Attribute for any member will be synchronize with VOMS

g. VO Admin & Member will get email notification every time the value of VOMS Admin has been changed

h. If VO Admin wants user to request a VOMS Attribute, he/she could add a Personal Information token that will be external (fill out by user) and select appropriate name for this token. For example, "Requested nickname" could be a source for VO Admin when he/she choses nickname for a user.

i. when you add a new member as a VO Admin you will have to provide nickname

j. nickname of approved member should be pushed to VOMS

k. (savannah #26182) add event-- vo admin get notification when voms attribute had been changed

2. Implemented OCI support

a. (savannah bug #19692) vomrs use OCI to connect to Oracle db backend accounts

b. (savannah bug #19690) vomrs use OCI to connect to CERN HR db

3. Bug fixes

a. (savannah #17431) Allows to change Representative for multiple users simultaneously

b. (savannah #184620) fixed display of scroll controls

c. (savannah #16564) VOMRS is synchronizing change of email address with VOMS

d. (savannah #15788) vomrs server startup script does not use version

e. (savannah #14991) emails with the same subject line about events that has been generated during one "notification cycle" are combined in own email

f. added search by Expired status

g. disable selection box for "approved" member when "denied" status is selected etc in "Set Status", "Set Certificate Status" web ui

h. (savannah #26335) allow representative in VOMRS to remove users from the vo

4. Provide way to disable email sending by setting env variable VOMRS_MAIL to nosend

13th Feb. 2007

The oracle connection changed to


Due to the LCGR database is scheduled to be moved to new hardware and expanded to 8 nodes. At the same time it is planed to upgrade the database to the latest patch release version

24th Jan. 2007

CERN HR DB short connection string is replaced with the long connection string in alice, atlas, cms and lhcb on voms102 and voms103.

The long string:


The short string:

jdbc.URL jdbc:oracle:thin:@//

23th Jan. 2007

Oracle DB long connection string is replaced with the new string by Lanxin on voms102 and voms103.

The new string:


The old string:


22th Jan. 2007

vomrs has been patched with new vomrs.war file by Tanya on voms102 and voms103 for fixing the bug "Add Certificates". When user add certificates, click " Search", the following error happaned.

No data match your selection! Please try some other criteria

17th Jan. 2007

vomrs has been patched by Tanya on voms102 and voms103.The down time was less then a minute.

Patches should fix bug #22762( VOMRS Manage Groups and Group Roles search fails to find users and use FQAN for vomrs_sequence table, so hopefully the it fixes bug #18722( VOMRS-1.3 bugs (latest entry)

12th Dec. 2006

vomrs has been patched with the problem role sync under root group ( on voms103 by Lanxin, and by Tanya on voms102.


1. copy fixed vomrs.war to /opt/vomrs-1.3/webapps
cp vomrs.war /opt/vomrs-1.3/webapps/

2. stop tomcat

3. rm -rf /usr/share/tomcat5/webapps/vo

4. restart tomcat

5. restart vomrs servers

4th Dec. 2006

VOMRS rpm has been upgraded from vomrs-1.2-3-pached(2) to vomrs-1.3-0 on voms102 and voms103 at 17:00 in 4th Dec ,2006 (CERN time) by Tanya.

vomrs-1.3-0 rpm link:

About the new feature of vomrs-1.3-0, please see the information below.

30th Nov. 2006

Detailed plan for VOMRS Upgrade to v.1.3.0:

  1. Date/time decided, FIO, voms developers, GMoD, CERN ROC informed by Email. (Maria).
  2. Announce via the text in GmodJournal#20061201_Actions (Maite)
  3. Prepare new files with AUPs, Groups, Group/Roles on voms102 and voms103.(Maria)
  4. Disable the operators' alarm TOMCAT_WRONG on December 4th 2006 @15hrs CET . Tomcat must stay down during the upgrade (Tim).
  5. Oracle database copy on December 4th 2006 @16hrs CET. Email Tanya when done (Miguel).
  6. Identify the slave between voms102 and voms103 (the one where vomrs doesn't run). Type service gLite stop as root . Upgrade vomrs. Do not start the service. (Tanya).
  7. Stop vomrs, voms-admin and tomcat on the master. Upgrade vomrs. Restart all services. (Tanya).
  8. Check the service on master, restart voms only (not vomrs!!) on the slave. Request the re-activation of TOMCAT_WRONG. (Maria).

6th Sep. 2006

vomrs-1.3.0 announced for testing with new features:

1. Modification of group/group role handling (pending state transition diagrams).

a. Each group and group role has definition that will be available to the users during selection (see details at

b. An administrator has means to change the group and group role definition via VOMRS interface

c. A Group role can be linked/unlinked to/from a group.

d. A VO Administrator or Representative must approve/disapprove group and group role selection before a user becomes the valid member of the group bug #15011. More information about the design of this feature in

e. A member can request re-assigning to a group and a group role via VOMRS interface. The request should be approved by an administrator

f. A member assigned to a subgroup is automatically assigned to all parent groups.

g. A member with Denied access to a parent group is automatically removed from all subgroups and the group roles she/he is assigned within subgroups of abovementioned group.

h. DTEAM VO users are first approved in the Group, and then in the VO according to

2. Modification of AUP handling (see details at

a. The AUP document may be provided either by link or stored locally.

b. VOMRS checks that the document was "really" read. In case when the url is provided it verifies that the link has been pressed. In case of locally stored documents it verifies that a user scrolled the text embeded in the web page to the end of the document before it allows to accept the rules.

3. In case when a user registers a new certificate or vo admin registers a new user do not ask about certificate serial number.

4. VO amdin can add a new cerificate, approve it and make it a primary ceritificate in one step

5. Improved performance.

6. vomrs server starts/stops via "service" command

29th Aug. 2006

VOMRS rpm has been upgraded from vomrs-1.2-3 to vomrs1.2-3-pached(2) on voms102 and voms103 at 9:00pm in 29th ,2006 (CERN time).

vomrs-1.2-3-pached(2) rpm link:

vomrs-1.2-3-pached(2) new feature:

1. Use full queliafied name when query Oracle DB due to Oracle bug #2508682

2. Allow users request additional certificates with same DN but different CA

3. Change URL of AUP in /opt/vomrs-1.2/sbin/python/

17th Aug. 2006

VOMRS was re-started, with management agreement. after code was changed to use the Oracle-suggested Fully Qualified Object Names. Monitoring on the database side showed that some queries running against VOMRS schemas are still not using Fully Qualified Names so another rpm from the developer is imminent.

11th July 2006

VOMRS rpm has been upgraded from vomrs1.2-2 to vomrs1.2-3 on voms102 and voms103 in 11th July,2006 from 16:00 to 18:00 (CERN time).

VOMRS1.2-3 rpm including CERN HR db (foundation) view interface

VOMRS1.2-3 New features and bug fixes

1. Web UI - allows to specified the status of the certificate in search criteria for all pages dealing with certificate
2. Web UI - shows subset of CN information instead certificate subject (DN) when selection representative, group owner, managers, etc
3. Web UI - LCG registration type do not have add Institution and Site menu and do not allow to select "institution", displays "Institute" information fetched from CERN HR DB if chosen (savannah #15134)
4. Web UI - better(?) layout for group/role selection
5. Added subset of CN information in mail subject when it is relevant (savannah bug #14653)
6. Added Registration Type for each event, so different types of registration can have its own set of events

Bug fixes:

1. Fixed the generation of the link in notification email, so the "(" in the certificate subject can be handled correctly)
2. Fixed some error and warning, as well as some wording and labels in help pages
3. Fixed handling of expiration date for LCG Type of registration (savannah bug #15146)
4. Implemented work around for Oracle bug (savannah bug #14286)
5. Fixed VOMRS Web UI displays user's certificates status incorrectly if user is login with a "New" certificate" (savannah bug #18002)

Release notes by Tanya Levshina / Text by Lanxin Ma
Edit | Attach | Watch | Print version | History: r31 | r29 < r28 < r27 < r26 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r27 - 2008-01-24 - MariaDimou
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback