VOMS core troubleshooting

A dedicated twiki page here

How to get rid of the whole hostcert.pem of a voms server at a site

WARNING The following node types still need the certificates:
WARNING For each VOMS server the corresponding LSC file should have as name the fully qualified hostname followed by a .lsc extension and the file must appear in a subdirectory /etc/grid-security/vomsdir/VO for each VO that is supported by that VOMS server and by the site (see examples below).

NOTE This will be possible with glite-yaim-core-4.0.3-6 (if you use YAIM for configuration).

This information is addressed to Site Administrators. 
So far, the voms servers' host certificates needed to be stored on your service nodes. 
On every certificate renewal the rpm lcg-vomscerts had to be installed by you. 
It is now possible to only register the voms servers' DNs and CAs instead of the certificates themselves.
This will make most of the VOMS host certificate changes transparent for you.
The sites that use yaim can run the config_vomsdir function to become available in glite-yaim-core 4.0.3-6 currently certified. They can check the status of the release process in YaimPlanning.
They need to do the following manually to configure the function:

./yaim -r -s your-site-info.def -n your-node-type -f config_vomsdir

your-node-type is:

This will be no longer needed in future releases of the yaim modules for
the mentioned node types. At the moment, this is not included in their
function list.

Please bear in mind that you  have to update the site-info.def with
the CA DN of the VOMS server. For LHC VOs, dteam and biomed, this is
distributed in site-info.def in glite-yaim-core 4.0.3-6. For other VOs,
they would need to check with the VO admins. 
Those who do not use yaim or wish to apply the change immediately have to follow this recipe:

You have to create one file per VO per VOMS server : /etc/grid-security/vomsdir//.lsc This file must contain on the 1st line the DN of the VOMS server, and on the 2nd line, the corresponding CA's DN.

For example, the file /etc/grid-security/vomsdir/dteam/voms.cern.ch.lsc contains :

/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
The file /etc/grid-security/vomsdir/dteam/lcg-voms.cern.ch.lsc contains :
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority

The VOMS servers' certificates in /etc/grid-security/vomsdir can be removed. You don't need to install lcg-vomscerts anymore. If the name of the host in the DN is different from the primary hostname, a change has to be done by the VOMS server manager, which will be included in the fix of bug #22973

Extend proxy timeout for a given VO:

This might not survive an upgrade. Opened savannah ticket https://savannah.cern.ch/bugs/?func=detailitem&item_id=17247

1. add line
in /opt/glite/etc/voms/VO_Name/voms.conf

2. restart voms for VO_Name via /opt/glite/etc/init.d/voms restart VO_Name

3. test (if VO_Name member) with command: voms-proxy-init -valid 1000:0 -voms VO_Name


Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Dimou 7577
Enter GRID pass phrase:
Creating temporary proxy
Contacting  lcg-voms.cern.ch:15002
[/C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch] "cms"
Warning: voms102.cern.ch:15002: validity shortened to 345600 seconds! Done
Creating proxy .............................................. Done
Your proxy is valid until Mon May 22 20:17:18 2006

List VO members with their email (for use by site managers)

The command to list the members of a VO by contacting the voms server is

voms-admin [options] list-users

You need to wget and install the latest rpm glite-security-voms-admin-client from the 'glitesoft.cern.ch' repository.

It should be at least version: http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.Release3.0/glite-security-voms-admin-client-1.2.13-1.noarch.rpm

Then type:
/opt/glite/bin/voms-admin --host [VOMS_Server] --vo [VOName] list-users
/opt/glite/bin/voms-admin --host lcg-voms.cern.ch --vo lhcb list-users

User Unknown to this VO


voms core stopped logging

Recipe by Vincenzo:

   Here it is the recipe to follow to get me the informations I need.

   Between '' I put commands you should execute, into the shell or into gdb.

1) do 'ps aux | grep edg-voms'

2) you will see two processes for each voms.  From here on, I will only consider the process with the lower PID.

3) for each of them (10 in total) do:
   3.a) gdb attach <pid>
   3.b) 'cont'

4) Then, when one VOMS stops logging, go to its respective gdb.

5) Did gdb return control to you?
  5.a) yes:
  5.a.1) record the output you see.
  5.a.2) 'bt'. record the output.
  5.a.3) 'info locals' record the output.
  5.a.4) Send me the output.

  5.b) no:
  5.b.1) Ctrl-c
  5.b.2) 'up' until you are in the bread function
  5.b.3) 'p fd' record the output
  5.b.4) 'cont'
  5.a.4) Send me the output.

6) Done. You may kill all gdbs and restart the vomses. 

List VO users for gridmap file with voms-admin-2

Question: I have some problems updating the grid-mapfile. If I run edg-mkgridmap script I get an error like:

SSL negotiation failed: error:1406D0CB:SSL
routines:GET_SERVER_HELLO:peer error no cipher

Answer: if you use this version edg-mkgridmap-2.9.0-1.noarch or higher, the problem goes away.

Reason: Since 2007-12-10 the VOMS servers at CERN are running voms-admin 2.0.x, with a different interface and with ACLs preventing easy browsing.

The URL to get the VO users (e.g. for Atlas) now is as follows:


We had to adjust edg-mkgridmap to be able to deal with both the old and the new formats. The voms2gacl utility may need to imitate those changes:


This information is kindly provided by Maarten Litmaath

Allowing mkgridmap to download a list of members.

Question: How do I change the ACL to allow a mkgridmap or similar to download a list of members.

Answer: Edit the ACLs in the following way.


VOMS-Admin 2.0.x normal and default ACLs differences

In VOMS-Admin 2.0.x, there are 2 sorts of ACLs:

  • "normal" ACLs: Apply to the current group, and can be propagated to all children during the creation. They also apply to children created at a later time, if there are no default ACLs defined.
  • default ACLs: Apply to the children of the current group. Defining at least one default ACL will prevent normal parent ACLs to be applied to a newly-created child. In that case, the child ACLs will only be the default ones.

So, in most of the cases, there is no need to define default ACLs (all groups have the same ACLs). In other words, default ACLs are useful only when you want children to have different ACLs from their parents.

voms-admin command to list users with GAs

The voms-admin client in production should be 1.2.16, in order to be inter-operable with voms-admin 2.0.8 which provides GA support.

voms-admin --vo lhcb list-user-attributes certificate.pem
lists the attributes for the user whose certificate is certificate.pem.

It's also possible to give the use as DN, CA, ... with the following syntax:

voms-admin --nousercert --vo lhcb list-user-attributes 'DN' 'CA' 'CN' 'EMAIL'
If you are interested in giving only DN,CA couples, you can issue a command like this:
voms-admin --nousercert --vo lhcb list-user-attributes 'DN' 'CA' '' ''
Edit | Attach | Watch | Print version | History: r20 < r19 < r18 < r17 < r16 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r20 - 2009-10-08 - MaartenLitmaath
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback