WMSSecureGW (2017-03-10, unknown)
<center>
<font size="6"> *The gateway architecture* </font>
<P> <P> <P>
<img src="%ATTACHURLPATH%/Resized-V586R.jpg" alt="Resized-V586R.jpg" width="1100" height="1026" />
<P> <P> <P> <P>
<font size="6"> *How to set up the gateway machine* </font>
<P> <P> <P>
</center>
<font size="3">
   * Create a dummy CA certificate:
     =openssl genrsa -out cakey.pem 2048=
     =openssl req -new -x509 -days 3650 -key cakey.pem -out cacert.pem -subj "/O=$(whoami)-dom/OU=PersonalCA"=
   * Generate a user certificate signed by the dummy CA and save it on the gateway machine under ~/.globus:
     =openssl genrsa -out userkey.pem 2048=
     =openssl req -new -key userkey.pem -out userreq.csr -subj "/O=$(whoami)-dom/OU=PersonalCA/CN=$(whoami)"=
     =openssl x509 -req -in userreq.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out usercert.pem -days 500=
   * Generate a host certificate signed by the dummy CA (to be saved on any BOINC VM in /etc/grid-security):
     =openssl genrsa -out hostkey.pem 2048=
     =openssl req -new -key hostkey.pem -out hostreq.csr -subj "/O=$(whoami)-dom/OU=PersonalCA/CN=$(hostname -f)"=
     =openssl x509 -req -in hostreq.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out hostcert.pem -days 500=
   * Generate a host certificate signed by the CERN CA (https://gridca.cern.ch/gridca/) and register it in the DIRAC CS. It has to be saved on the gateway machine under /opt/dirac/etc/grid-security.
   * Set up the CS and SystemAdministrator services by following the instructions at http://diracgrid.org/files/docs/AdministratorGuide/InstallingDIRACService/index.html
   * Make sure that the CA certificate and key are in /opt/dirac/etc/grid-security/, and copy cacert.pem to /etc/grid-security/certificates
   * The install.cfg should be:
<verbatim>
LocalInstallation
{
  # DIRAC release version
  Release = v8r1p3
  # Python version of the installation
  PythonVersion = 27
  # To install the Server version of DIRAC (the default is client)
  InstallType = server
  # If this flag is set to yes, each DIRAC update will be installed
  # in a separate directory, not overriding the previous ones
  UseVersionsDir = yes
  # The directory of the DIRAC software installation
  TargetPath = /opt/dirac
  # DIRAC extensions to be installed i.e. LHCb, LHCbWeb for LHCb
  ExtraModules = LHCb
  Project = LHCb
  VirtualOrganization = LHCb
  Extensions = LHCb

  # These are options for the configuration of the installed DIRAC software
  # i.e., to produce the initial dirac.cfg for the server

  # Give a Name to your User Community, it does not need to be the same name as in EGI
  VirtualOrganization = LHCb
  # Site name: it should follow the convention [Infrastructure].[name].[country code]
  SiteName = BOINC.World.org
  # Setup name
  Setup = LHCb-Certification
  # Default name of system instances
  InstanceName = boincInstance
  # Flag to use the server certificates
  UseServerCertificate = yes
  # Do not download CAs, CRLs
  SkipCADownload = No
  # Flag to set up the Configuration Server as Master (use only in the primary server)
  ConfigurationMaster = yes
  # Configuration Name
  ConfigurationName = BOINC-Conf

  # These options define the DIRAC components to be installed on "this" DIRAC server.
  # The next options should only be set for the primary server,
  # they properly initialize the configuration data
  #
  # Name of the Admin user (default: None )
  AdminUserName = MrBoinc
  # DN of the Admin user certificate (default: None )
  # AdminUserEmail = MrBoinc@cern.ch
  AdminUserDN = /O=MrBoinc-dom/OU=boincCA/CN=MrBoinc
  # Name of the Admin group (default: dirac_admin )
  AdminGroupName = boinc_user
  # Name of the installation host (default: the current host )
  # Used to build the URLs the services will publish
  Host = boin-deploy-test.cern.ch
  # DN of the host certificate (default: None )
  HostDN = /DC=ch/DC=cern/OU=computers/CN=lhcb-boinc.cern.ch
  # Components to deploy
  Systems = Configuration
  Systems += Framework
  Services = Configuration/Server
  Services += Framework/SystemAdministrator
}
</verbatim>

You will get dirac.cfg and BOINC-Conf.cfg in /opt/dirac/etc/. Add the section Registry in dirac.cfg, registering the MrBoinc user. Add the section Systems/WorkloadManagement/Services/WMSSecureGW in the dirac.cfg:
<verbatim>
Systems
{
  WorkloadManagement
  {
    boincInstance
    {
      Services
      {
        WMSSecureGW
        {
          Port = 3424
          HandlerPath = LHCbDIRAC/WorkloadManagementSystem/Service/WMSSecureGW.py
          Authorization
          {
            # "all" authorizes any caller for every method of this service
            Default = all
          }
        }
      }
    }
  }
}
</verbatim>

The dirac.cfg has the Central CS URL, so all the service addresses needed by the WMSSecureGW service are taken directly from the CS. An updated version of the dirac.cfg can be found on the trunk of the LHCbDIRAC repository.
   * Get a proxy: dirac-proxy-init -v long term
   * Start the CLI: =dirac-admin-sysadmin-cli --host boin-deploy-test=
   * Install the new service: =[boin-deploy-test]> install service WorkloadManagement WMSSecureGW=
   * You will also need to install: ReqDB, ReqManager, RequestExecutingAgent, StorageElement, StorageElementProxy, ProxyManager, SandboxStore, SandboxMetadataDB.

N.B. The WMSSecureGW has been added to the WorkloadManagement/Service/ConfigTemplate.cfg, so you can install it like any other DIRAC service using the procedure at http://diracgrid.org/files/docs/AdministratorGuide/InstallingDIRACService/index.html

The BOINC Storage Element has to be declared in the central CS and then BANNED for write and read access by adding a policy in the ResourceStatus section. We leave the RemoveAccess, which is needed by the ResourceCleaningAgent. The BOINC Storage Element is declared in the BOINC CE, where read, write, check and remove access are set to Active:
<verbatim>
StorageElements
{
  BOINC-SE
  {
    StorageBackend = DISET
    ReadAccess = Active
    WriteAccess = Active
    CheckAccess = Active
    RemoveAccess = Active
    AccessProtocol.1
    {
      Host = lbboinccertif.cern.ch
      Port = 9148
      ProtocolName = DIP
      Protocol = dips
      Path = /DataManagement/StorageElement
      Access = remote
      SpaceToken =
      WSUrl =
    }
  }
}
</verbatim>
</font>

-- Main.CinziaLuzzi - 2015-07-15
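
Added example, not part of the original page: the certificate steps at the top of this page, run in a scratch directory and followed by the checks worth making before the files are copied to ~/.globus or /etc/grid-security (the certificate chains to the dummy CA, the key matches the certificate, the key is not accessible to group or others). The function names, the user name `alice` and the host `gw.example.org` are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original page. All names below are constructed.

# Build the dummy CA plus user and host certificates with the page's commands.
# $1 = output directory, $2 = user name, $3 = host FQDN
make_certs() (
    cd "$1" || exit 1
    umask 077                      # private keys readable by the owner only
    dom="/O=$2-dom/OU=PersonalCA"
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key cakey.pem -out cacert.pem -subj "$dom"
    for kind in user host; do
        if [ "$kind" = user ]; then cn=$2; else cn=$3; fi
        openssl genrsa -out "${kind}key.pem" 2048 2>/dev/null
        openssl req -new -key "${kind}key.pem" -out "${kind}req.csr" \
            -subj "$dom/CN=$cn"
        openssl x509 -req -in "${kind}req.csr" -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -out "${kind}cert.pem" -days 500 2>/dev/null
    done
)

# Check one certificate/key pair before installing it.
# $1 = directory, $2 = "user" or "host". Returns 0 if sound, else 1, 2 or 3.
check_cert() {
    cert="$1/${2}cert.pem"; key="$1/${2}key.pem"
    # 1: the certificate must chain to the dummy CA
    openssl verify -CAfile "$1/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    # 2: the private key must belong to the certificate (same public key)
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 2
    # 3: the key must not be accessible to group or others
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] || return 3
}

# Print the subject DN in the slash form install.cfg uses for AdminUserDN/HostDN.
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Demo: nothing is written outside the scratch directory.
work=$(mktemp -d)
make_certs "$work" alice gw.example.org
for kind in user host; do
    check_cert "$work" "$kind" && echo "$kind OK: $(cert_dn "$work/${kind}cert.pem")"
done
rm -rf "$work"
```

The DN printed by `cert_dn` is the string to compare against the DN registered for that user or host in the DIRAC configuration.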