WMSSecureGW < LHCb

LHCb Web>LHCbComputing>WMSSecureGW (2017-03-10, CinziaLuzzi) (raw view)
<center>
       
     <font size="6"> *The gateway architecture* </font>
     <P> &nbsp; <P> &nbsp; <P>
     <img src="%ATTACHURLPATH%/Resized-V586R.jpg" alt="Resized-V586R.jpg" width="1100" height="1026" />
   <P> &nbsp; <P> &nbsp; <P> &nbsp; <P>

       
     <font size="6"> *How to set up the gateway machine* </font>
      <P> &nbsp; <P> &nbsp; <P>
</center> 
 <font size="3">
*  Create a dummy CA certificate:

    =openssl genrsa -out cakey.pem 2048=

    =openssl req -new -x509 -days 3650 -key cakey.pem -out cacert.pem -subj "/O=$(whoami)-dom/OU=PersonalCA"=



*   Generate user certificate signed by the dummy CA and save it on the gateway machine under ~/.globus:

=openssl genrsa -out userkey.pem 2048=

=openssl req -new -key userkey.pem -out userreq.csr -subj "/O=$(whoami)-dom/OU=PersonalCA/CN=$(whoami)"=

=openssl x509 -req -in userreq.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out usercert.pem -days 500=

*   Generate a host certificate signed by the dummy CA (to be saved on any BOINC VM in /etc/grid-security):

=openssl genrsa -out hostkey.pem 2048=
=openssl req -new -key hostkey.pem -out hostreq.csr -subj "/O=$(whoami)-dom/OU=PersonalCA/CN=$(hostname -f)"=
=openssl x509 -req -in hostreq.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out hostcert.pem -days 500=


* Generate a host certificate signed by the CERN CA, https://gridca.cern.ch/gridca/ and register it in the DIRAC CS, this has to be saved in the gateway machine under  /opt/dirac/etc/grid-security. 
 
* Setup CS and SystemAdministrator services by following the instruction here http://diracgrid.org/files/docs/AdministratorGuide/InstallingDIRACService/index.html

* Be sure that the CA certificate and key is in  /opt/dirac/etc/grid-security/ , copy the cacert.pem in /etc/grid-security/certificates



* The install.cfg should be:

<verbatim>
LocalInstallation
{
  #  DIRAC release version
  Release = v8r1p3
  #  Python version os the installation
  PythonVersion = 27
  #  To install the Server version of DIRAC (the default is client)
  InstallType = server
  #  If this flag is set to yes, each DIRAC update will be installed
  #  in a separate directory, not overriding the previous ones
  UseVersionsDir = yes
  #  The directory of the DIRAC software installation
  TargetPath = /opt/dirac
  #  DIRAC extensions to be installed i.e. LHCb, LHCbWeb for LHCb
  ExtraModules = LHCb
  Project = LHCb
  VirtualOrganization = LHCb
  Extensions = LHCb
  #   These are options for the configuration of the installed DIRAC software
  #   i.e., to produce the initial dirac.cfg for the server
  #  Give a Name to your User Community, it does not need to be the same name as in EGI
  VirtualOrganization = LHCb
  #  Site name: it should follow the convention [Infrastructure].[name].[country code]
  SiteName = BOINC.World.org
  #  Setup name
  Setup = LHCb-Certification
  #  Default name of system instances
  InstanceName = boincInstance
  #  Flag to use the server certificates
  UseServerCertificate = yes
  #  Do not download CAs, CRLs
  SkipCADownload = No
  #  Flag to set up the Configuration Server as Master (use only in the primary server)
  ConfigurationMaster = yes
  #  Configuration Name
  ConfigurationName =  BOINC-Conf
  #  These options define the DIRAC components to be installed on "this" DIRAC server.
  #  The next options should only be set for the primary server,
  #  they properly initialize the configuration data
  #
  #  Name of the Admin user (default: None )
  AdminUserName = MrBoinc
  #  DN of the Admin user certificate (default: None )
  #
  AdminUserEmail = MrBoinc@cern.ch
  AdminUserDN =  DN = /O=MrBoinc-dom/OU=boincCA/CN=MrBoinc
  #  Name of the Admin group (default: dirac_admin )
  AdminGroupName = boinc_user
  #  Name of the installation host (default: the current host )
  #  Used to build the URLs the services will publish
  Host = boin-deploy-test.cern.ch
  #  DN of the host certificate (default: None )
  HostDN = /DC=ch/DC=cern/OU=computers/CN=lhcb-boinc.cern.ch
  #  Components to deploy
  Systems = Configuration
  Systems += Framework
  Services  = Configuration/Server
  Services+= Framework/SystemAdministrator
}
</verbatim>

You will get dirac.cfg and BOINC-Conf.cfg in /opt/dirac/etc/.

Add the section Registry in dirac.cfg registering the MrBoinc user.
Add the section Systems/WorkloadManagement/Services/WMSSecureGW in the dirac.cfg

<verbatim>
Systems
{
  WorkloadManagement
  {
    boincInstance
    {
      Services
      {
        WMSSecureGW
        {
          Port = 3424
          HandlerPath = LHCbDIRAC/WorkloadManagementSystem/Service/WMSSecureGW.py
          Authorization
          {
            Default = all
          }
        }
      }
    }
  }
}
</verbatim>

The dirac.cfg has the Central CS ULR so all the services address needed by the WMSSecureGW service are taken directly from the CS.  
An updated version of the dirac.cfg can be found on the trunk of the LHCbDIRAC repository.  

* Get a proxy:

dirac-proxy-init -v long term

* Start the cli:

dirac-admin-sysadmin-cli --host boin-deploy-test

* Install the new service:

[boin-deploy-test]> install service WorkloadManagement WMSSecureGW

* You will need to install also:

ReqDB, ReqManager, RequestExecutingAgent, StorageElement, StorageElementProxy, ProxyManager,  SandboxStore, SandboxMetadataDB .

N.B.

The WMSSecureGW has been added to the WorkloadManagement/Service/ConfigTemplate.cfg , so yuo con install it as any other DIRAC service using the procedure here http://diracgrid.org/files/docs/AdministratorGuide/InstallingDIRACService/index.html

The BOINC Storage Element has to be declared in the central CS and then BANNED for access write and read adding a policy in the ResourceStatus section. We live the RemoveAccess that is needed by the ResourceCleaningAgent.   
The BOINC Storage Element is declared in the BOINC CE, where you put the read, write, check and remove to Active

<verbatim>
StorageElements
  {
    BOINC-SE
    {
      StorageBackend = DISET
      ReadAccess = Active
      WriteAccess = Active
      CheckAccess = Active
      RemoveAccess = Active
      AccessProtocol.1
      {
        Host = lbboinccertif.cern.ch
        Port = 9148
        ProtocolName = DIP
        Protocol = dips
        Path = /DataManagement/StorageElement
        Access = remote
        SpaceToken = 
        WSUrl = 
      }
    }
</verbatim>

 </font>



-- Main.CinziaLuzzi - 2015-07-15
Attachments
Topic attachments
I	Attachment	History	Action	Size	Date	Who	Comment
jpg	Resized-V586R.jpg	r1	manage	143.2 K	2016-03-04 - 11:05	CinziaLuzzi
Topic revision: r7 - 2017-03-10 - CinziaLuzzi
LHCb
Public webs
Welcome Guest
- Cern Search
- TWiki Search
- Google Search
LHCb All webs