VOM(R)S Configuration

Before trying to configure anything, please read VomsNodes.

All voms-core, voms-admin and vomrs configuration is now within CDB, with sensitive information stored in SINDES.

VOMS/VOMS-Admin configuration

This is done with YAIM and ncm-yaim. Note that the YAIM module for VOMS on Oracle is not currently released and the functions are actually maintained in the VomsHacksRpm. This will be corrected following a release.

The CDB configuration can be examined in the template pro_system_gridvoms.tpl.

The parts relevant to voms and voms-admin configuration are /software/components/yaim and in particular /software/components/yaim/VOMS-ADMIN.

After updating any values, running the usual ncm-ncd --configure yaim (as root) will implement the configuration across the VOMS servers.

There is nothing left to do and the service should just work.

The DB passwords for voms-admin and voms are retrieved via the yaim-secrets sindes scripts.

VOMRS Configuration

This is handled by the ncm-vomrs component, which uses the CDB space /software/components/vomrs.

Again, once CDB is configured the vomrs service is 100% configured and should just run.

Database passwords are transferred via the vomrs-secrets scripts.

Database Schemas

This quattor configuration has been done in such a way that it will never configure the database and only deploys the application. Any schema updates must be done by hand.

Grant required privileges to _W oracle accounts

Script: /usr/sbin/fix-oracle-w-accounts.sh

This is in the VomsHacksRpm.

At CERN, services must use _W accounts to connect to the DB. These accounts have no password expiry, but have limited DB privileges (not able to change the DB schema). "Normal" accounts have full privileges, but the number of simultaneous connections is limited to 10. They are to be used only by humans, or temporarily for DB schema updates. The configuration script will create the DB for the normal accounts, but then you have to grant some privileges to the _W accounts to allow VOMS-Core and VOMS-Admin to use them.

The command has online help, which is possibly more up to date than this page.

# ./fix-oracle-w-accounts.sh -h

Usage: ./fix-oracle-w-accounts.sh -p <pass> -c <connectString> -o <owner> -d <TNS_ADMIN dir> [ -v ] [ -a ] || -h

        Given oracle contact details this scripts creates the _W accounts as needed 
        at CERN after any schema upgrade.

         -p Oracle account password, e.g -p OrangesAndLemons
         -o Oracle account owner, e.g -p LCG_VOMS_VALIDATION_20
         -d Oracle tnsnames.ora location, e.g. -d /opt/glite/etc/voms
         -c Oracle connect string, e.g. -c lcg_voms_int11r.cern.ch
         -a Without this option nothing is changed in the database. With the option the changes are made to the DB.
         -v Be Verbose
         -h Print this help.

        ./fix-oracle-w-accounts.sh -h
        ./fix-oracle-w-accounts.sh -v -p OrangesAndLemons -o LCG_VOMS_VALIDATION_20 -d /opt/glite/etc/voms -c lcg_voms_int11r.cern.ch
        ./fix-oracle-w-accounts.sh -v -p OrangesAndLemons -o LCG_VOMS_VALIDATION_20 -d /opt/glite/etc/voms -c lcg_voms_int11r.cern.ch -a
         Steve Traylen <steve.traylen@cern.ch>

There are now also _R read only accounts for use with voms core once it is read only.

CA rollover

This belongs somewhere else.

Script: fix-carollover.pl

A CA rollover can be painful for both users and VO-admins (they need to register and approve new certificates, or register again in some cases).

During the last UK CA rollover, this script was used to add each UK user's new certificate (from the new CA) to the VOMRS DB directly in an approved state, so users and VO-admins needed to do nothing.

This script needs to be edited to adjust the DB username and password, the old and new CA DNs, the date and possibly the reason.

