Tags:
, view all tags

Notes about Installation and Configuration of a MyProxy server - EMI-2 - SL6 x86_64

  • These notes are provided by site admins on a best effort base as a contribution to the IGI communities and MUST not be considered as a subsitute of the Official IGI documentation.
  • This document is addressed to site administrators responsible for middleware installation and configuration.
  • The goal of this page is to provide some hints and examples on how to install and configure an IGI myproxy service based on EMI-2 middleware on SL6.

NB: The myproxy service is a CORE service, it should not be installed at Resource Center level. The official endpoint provided by IGI is myproxy.cnaf.infn.it and MUST be used by all Resource Centers and Services part of the IGI infrastructure.

References

  1. About IGI - Italian Grid infrastructure
  2. About IGI Release
  3. EMI-2 Release
  4. Yaim Guide
  5. site-info.def yaim variables
  6. site-BDII yaim variables
  7. Site Certification GIIS Check
  8. Troubleshooting Guide for Operational Errors on EGI Sites
  9. Grid Administration FAQs page

Service installation

O.S. and Repos

  • Starts from a fresh installation of Scientific Linux 6.x (x86_64).
# cat /etc/redhat-release 
Scientific Linux release 6.2 (Carbon)

* Install the additional repositories: EPEL, Certification Authority, EMI-2

# yum install yum-priorities yum-protectbase epel-release
# rpm -ivh http://emisoft.web.cern.ch/emisoft/dist/EMI/2/sl6/x86_64/base/emi-release-2.0.0-1.sl6.noarch.rpm

# cd /etc/yum.repos.d/
# wget http://repo-pd.italiangrid.it/mrepo/repos/egi-trustanchors.repo

  • Be sure that SELINUX is disabled (or permissive). Details on how to disable SELINUX are here:

# getenforce 
Disabled

yum install

# yum clean all
Loaded plugins: downloadonly, kernel-module, priorities, protect-packages, protectbase, security, verify, versionlock
Cleaning up Everything

# yum install ca-policy-egi-core
# yum install emi-px 

Service configuration

The configuration file for this service is really basic. For autorization:
  • DN list of authorized renewals (WMS and nagios)
  • DN list of trusted retrievers (nagios)

site-info.def

# cp -vr /opt/glite/yaim/examples/siteinfo /root/
`/opt/glite/yaim/examples/siteinfo' -> `/root/siteinfo'
`/opt/glite/yaim/examples/siteinfo/site-info.def' -> `/root/siteinfo/site-info.def'
`/opt/glite/yaim/examples/siteinfo/services' -> `/root/siteinfo/services'
`/opt/glite/yaim/examples/siteinfo/services/glite-px' -> `/root/siteinfo/services/glite-px'
`/opt/glite/yaim/examples/siteinfo/services/glite-bdii_site' -> `/root/siteinfo/services/glite-bdii_site'

# cat /root/siteinfo/site-info.def 
SITE_NAME=IGI-BOLOGNA
PX_HOST=`hostname -f`
BDII_DELETE_DELAY=0

glite-px

# cat siteinfo/services/glite-px 
GRID_AUTHORIZED_RETRIEVERS="\*"

GRID_AUTHORIZED_RENEWERS="
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=gridit-wms-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-wms-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Ferrara/CN=gridrb.fe.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-02.cnaf.infn.it'
'/C=IT/O=INFN/OU=grid014.ct.infn.it/L=Catania/CN=grid014.ct.infn.it/emailAddress=giuseppe.platania@ct.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=gridit-cert-rb.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=eumed-rb-1.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=euchina-rb-1.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-03.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-04.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-05.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-06.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=gridit-rb-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=egrid-rb-01.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=prod-rb-01.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=prod-rb-02.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=prod-wms-01.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=eu-india-02.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=sc2.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Bari/CN=wms1.ba.infn.it'
'/C=IT/O=INFN/OU=Host/L=Bari/CN=wms2.ba.infn.it'
'/C=IT/O=INFN/OU=Host/L=Bari/CN=wms3.ba.infn.it'
'/C=CH/O=CERN/OU=GRID/CN=host/lxn1185.cern.ch'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-07.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-08.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee-rb-09.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-rb-06.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=glite-rb-00.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=glite-rb-01.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel07.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel09.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel10.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel11.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel12.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel14.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel18.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel19.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=devel20.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Padova/CN=cream-06.pd.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms001.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms002.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms003.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms004.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms005.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms006.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms007.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms008.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms009.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms011.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms012.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms013.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms014.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms015.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms016.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=wms017.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-02.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=pps-fts.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=tigerman.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=Milano/CN=egee-rb-01.mi.infn.it'
'/C=IT/O=INFN/OU=Host/L=CIRMMP/CN=wms-enmr.cerm.unifi.it'
'/DC=ch/DC=cern/OU=computers/CN=wms101.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms102.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms103.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms104.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms105.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms106.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms107.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms108.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms109.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms110.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms111.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms112.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms113.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms114.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms115.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms116.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms117.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms118.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms119.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms121.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms122.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms123.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms124.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms125.cern.ch'
'/DC=ch/DC=cern/OU=computers/CN=wms126.cern.ch'
'/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=graszode.nikhef.nl'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-it.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-cnaf.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbrbuild01.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbr-serv09.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee017.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=sb-serv01.cr.cnaf.infn.it'
"

GRID_TRUSTED_RETRIEVERS="
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-it.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=mon-cnaf.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbrbuild01.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=bbr-serv09.cr.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=egee017.cnaf.infn.it'
'/C=IT/O=INFN/OU=Host/L=CNAF/CN=sb-serv01.cr.cnaf.infn.it'
"

host certificate required

# ll /etc/grid-security/host*
-rw-r--r-- 1 root root 1440 Dec 29 09:30 /etc/grid-security/hostcert.pem
-r-------- 1 root root  887 Dec 29 09:30 /etc/grid-security/hostkey.pem

Service configuration

yaim check

#  chmod -R 600 /root/siteinfo

#  /opt/glite/yaim/bin/yaim -v -s /root/siteinfo/site-info.def -n glite-PX
   INFO: Using site configuration file: /root/siteinfo/site-info.def
[...]
   INFO: YAIM terminated succesfully.

yaim config

Please use the debug flag ( "-d 6") to configure the services in order to have detailed information. For your convenience yo can save all the configuration information in a log file you can look at any time, separated from the yaimlog defulat one.
# /opt/glite/yaim/bin/yaim -c -d 6 -s /root/siteinfo/site-info.def -n glite-PX
   DEBUG: Checking siteinfo dir is not world readable
[...]
   INFO: Configuration Complete.                                               [  OK  ]
   INFO: YAIM terminated succesfully.

Know Issue and Workaround

Al momento il servizio non parte al boot (baco di yaim, notificato in GGUS.
# chkconfig myproxy-server on

Service checks

myproxy-init
On a user interface:
# $ myproxy-init -s myproxy.cnaf.infn.it -k veronesi-test
username: veronesi
owner: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
  name: veronesi-test
  timeleft: 167:55:38  (7.0 days)
[veronesi@ui ~]$  myproxy-init -s myproxy.cnaf.infn.it -k veronesi-test
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Enter GRID pass phrase for this identity:
Creating proxy ............................................................................................ Done
Proxy Verify OK
Your proxy is valid until: Thu Jan  5 10:03:38 2012
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user veronesi now exists on myproxy.cnaf.infn.it.
On the MyProxy server:

# tail -f /var/log/messages
Dec 29 10:03:40 myproxy myproxy-server[9119]: Connection from 131.154.101.141
Dec 29 10:03:41 myproxy myproxy-server[9119]: Authenticated client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Dec 29 10:03:42 myproxy myproxy-server[9119]: Received PUT request for username veronesi
Dec 29 10:03:43 myproxy myproxy-server[9119]: Client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi disconnected

# ls -ltr /var/lib/myproxy/
total 36
-rw------- 1 myproxy myproxy   132 Dec 29 10:03 veronesi-veronesi-test.data
-rw------- 1 myproxy myproxy  5912 Dec 29 10:03 veronesi-veronesi-test.creds

myproxy-info
On a user interface:
# myproxy-info -s myproxy.cnaf.infn.it -k veronesi-test
username: veronesi
owner: /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
  name: veronesi-test
  timeleft: 167:55:38  (7.0 days)

On the MyProxy server:

# tail -f /var/log/messages
Dec 29 10:42:08 myproxy myproxy-server[9209]: Connection from 131.154.101.141
Dec 29 10:42:08 myproxy myproxy-server[9209]: Authenticated client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Dec 29 10:42:08 myproxy myproxy-server[9209]: Received INFO request for username veronesi
Dec 29 10:42:08 myproxy myproxy-server[9209]: Client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi disconnected

myproxy-get-delegation
On a user interface:
$ myproxy-get-delegation -s myproxy.cnaf.infn.it -k veronesi-test
Enter MyProxy pass phrase:
A credential has been received for user veronesi in /tmp/x509up_u23019.
On the MyProxy server:

# tail -f /var/log/messages
Dec 29 11:01:05 myproxy myproxy-server[31270]: Connection from 131.154.101.141
Dec 29 11:01:05 myproxy myproxy-server[31270]: Authenticated client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi
Dec 29 11:01:08 myproxy myproxy-server[31270]: Received GET request for username veronesi
Dec 29 11:01:08 myproxy myproxy-server[31270]: credential passphrase matched
Dec 29 11:01:08 myproxy myproxy-server[31270]: Delegating credentials for /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi lifetime=43200
Dec 29 11:01:08 myproxy myproxy-server[31270]: Client /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Paolo Veronesi disconnected

Additional notes

In order to make the WMS renewal function it is necessary:
  1. To include the DN of the WMS that process the jobs among the authorized renewers on the MyProxy server, i.e. to add authorized_renewers DN to the configuration and restart the server;
  2. Upload the proxy of the job submitter in the MyProxy server using myproxy-init -s myproxy_server -d -n
  3. Submit the job with the MyProxy server hostname being given in the JDL

Revision

Date Comment
2012-06-12 myproxy fresh installation - EMI 2 Matterhorn Products - gLite-proxyrenewal v. 1.3.25
Edit | Attach | PDF | History: r3 < r2 < r1 | Backlinks | Raw View | More topic actions...
Topic revision: r1 - 2012-06-12 - PaoloVeronesi
 
  • Edit
  • Attach
This site is powered by the TWiki collaboration platformCopyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback