Tips for the VOMS EMI 2 certification

1 Configuring vomsdir without YAIM

Normally the vomsdir is configured by YAIM. On some platforms YAIM is not available (e.g. Debian), so the configuration must be done manually.

In practice, you have to create (as root):

mkdir /etc/grid-security/vomsdir

For each VO that you want to support, create a subdirectory

=/etc/grid-security/vomsdir/<VO_NAME>

where you're going to place a

=<hostname>.lsc= 

file which describes the certificate chain of the VOMS server.

Example:

For the vo testers.eu-emi.eu the configuration is as follows:

[ceccanti@emitestbed08 testers.eu-emi.eu]$ ls /etc/grid-security/vomsdir/testers.eu-emi.eu/
emitestbed01.cnaf.infn.it.lsc  emitestbed07.cnaf.infn.it.lsc

Two files are listed in the VO directory since there are two VOMS replicas for the VOs. The content of the lsc files is:

[ceccanti@emitestbed08 testers.eu-emi.eu]$ cat /etc/grid-security/vomsdir/testers.eu-emi.eu/emitestbed07.cnaf.infn.it.lsc 
/C=IT/O=INFN/OU=Host/L=CNAF/CN=emitestbed07.cnaf.infn.it
/C=IT/O=INFN/CN=INFN CA

[ceccanti@emitestbed08 testers.eu-emi.eu]$ cat /etc/grid-security/vomsdir/testers.eu-emi.eu/emitestbed01.cnaf.infn.it.lsc 
/C=IT/O=INFN/OU=Host/L=CNAF/CN=emitestbed01.cnaf.infn.it
/C=IT/O=INFN/CN=INFN CA

Runnning the following script on the VOMS server will produce an lsc file for such server:

#/bin/bash
hostname=`hostname -f`

subject=`openssl x509 -in /etc/grid-security/hostcert.pem -noout -subject | sed 's/subject= //'`
issuer=`openssl x509 -in /etc/grid-security/hostcert.pem -noout -issuer | sed 's/issuer= //'`

echo $subject >> $hostname.lsc
echo $issuer >> $hostname.lsc

More instructions can be found in the voms user guide in the Host setup section.

2 Configuring vomses without YAIM

Normally the vomses is configured by YAIM. On some platforms YAIM is not available (e.g. Debian), so the configuration must be done manually.

In practice, you have to create (as root):

mkdir /etc/vomses

Then put a vomses file in such directory for each supported VO.

Example:

For the vo testers.eu-emi.eu the configuration is as follows:

[ceccanti@emitestbed08 vomses]$ ls /etc/vomses
testers.eu-emi.eu-emitestbed01.cnaf.infn.it  testers.eu-emi.eu-emitestbed07.cnaf.infn.it
[ceccanti@emitestbed08 vomses]$ cat testers.eu-emi.eu-emitestbed01.cnaf.infn.it 
"testers.eu-emi.eu" "emitestbed01.cnaf.infn.it" "15002" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=emitestbed01.cnaf.infn.it" "testers.eu-emi.eu"
[ceccanti@emitestbed08 vomses]$ cat testers.eu-emi.eu-emitestbed07.cnaf.infn.it 
"testers.eu-emi.eu" "emitestbed07.cnaf.infn.it" "15002" "/C=IT/O=INFN/OU=Host/L=CNAF/CN=emitestbed07.cnaf.infn.it" "testers.eu-emi.eu"

The vomses information can be obtained from the voms admin configuration page for such VO.

3 VOMS Admin server configuration settings

In order to quickly certify the VOMS Admin service, the default value for some settings has to be changed. All these changes should be put in the YAIM configuration used for certification, in particular in the

<SITE_INFO_DIR>/services/glite-voms

file.

3.1 More frequent membership check

The membership control checkes are done by a VOMS Admin background task that is run, by default, every 10 minutes. In order to quickly see if VOMS Admin membership check behavior works as expected set a more convenient value for the membership check interval using the following YAIM variable:

VOMS_ADMIN_MEMBERSHIP_CHECK_PERIOD=30

3.2 Short Sign AUP task lifetime

Sign AUP tasks are created for users in two cases:

  • when their AUP acceptance record expires (tipycally one year after they have signed the AUP the last time)
  • when explictly requested by the administrator using the "Trigger reacceptance" button in the user detail page or in the AUP details page.

When a Sign AUP task is assigned to a user an expiration time is linked to the task. If the user doesn't sign the aup by this expiration time it is suspended. The time interval given to a user to sign the AUP is a VOMS Admin configuration parameter, with default value 15 days.

For the certification it is convenient to set this value to a negative value:

VOMS_ADMIN_SIGN_AUP_TASK_LIFETIME=-1

In this way Sign AUP tasks are created with the expiration date equal to the creation date is easy to check whether users that didn't sign the AUP are indeed suspended.

A trick below explains another way for changing Sign AUP tasks expiration date.

3.3 YAIM VOMS defaults

The default values and the documentation for VOMS YAIM variables can be found in:

/opt/glite/yaim/defaults/glite-voms.pre

3.4 VOMS and VOMS Admin configuration files

Configuration files for VOMS are found in:

/etc/voms/<vo>

Configuration files for VOMS Admin are found in:

/etc/voms-admin/<vo>

3.5 VOMS and VOMS Admin log files

Log files for VOMS are found in:

/var/log/voms

Log files for VOMS admin are found:

/var/log/tomcat5 (SL5)
/var/log/tomcat6 (SL6)

4 Tips and tricks

4.1 VOMS admin commands help

voms-admin --list-commands  (displays all commands available)
voms-admin --help <command-name> (displays help about a given command)

4.2 VOMS admin and command line arguments

The voms admin client enforce the following convention when parsing command-line arguments:

   voms-admin [options] <command> <arg0> <arg1> <arg2> 

This means that options, i.e. those things prepended by --, MUST always be given before the command. In practice:

  voms-admin --vo cert.mysql --description "test" create-group /cert.mysql/test (OK)

  voms-admin create-group --vo cert.mysql --description "test" /cert.mysql/test (ERROR)

4.3 VOMS admin client and certificates

If you run voms-admin client as root, it will use the host certificate in etc/grid-security/hostcert.pem to authenticate against the voms-admin-server.

If you run voms-admin as a normal user, it will look for a proxy in /tmp and if it doesn't find it it will look in $HOME/.globus. If the private key is protected by a password it will ask for a password whenever a command is run.

A convenient way to use voms-admin as a non-root user is to run voms-proxy-init first to create a grid proxy:

voms-proxy-init

voms-admin will then use the proxy and will not bother about passwords until proxy expiration.

Note that voms-proxy-init is not usually installed on a VOMS node, but can be easily installed with:

yum install voms-clients

4.4 Create multiple users in a row

The following command creates 150 users in VOMS (n.b. change the email address to your own):

for i in `seq 1 150`; do \
  voms-admin --nousercert --vo cert.mysql --name "User $i" \
                       --surname "Test" --institution "IGI" \
                       --address "No address" 
                       --phoneNumber "051 150 051" \
                       create-user \
                       "Test$i" \
                       "/C=IT/O=INFN/CN=INFN CA" \
                       "Test User $i" "andrea.ceccanti@cnaf.infn.it"; \
done

4.5 Create multiple groups in a row

for i in `seq 1 150`; do \
voms-admin --vo cert.mysql --description "This is test group $i" \
   create-group /cert.mysql/test-group-$i; \
done

4.6 How to find out which credentials are used by VOMS to connect to the database

In the default configuration VOMS and VOMS Admin use the same credentials to access the database. These can be found in:

/etc/voms/<vo>/voms.conf (VOMS)
/etc/voms-admin/<vo>/voms.database.properties (VOMS Admin)

4.7 How to quickly change membership expiration date for users

The membership expiration date for each user is stored in the VOMS database in the usr table. To change the end time for all users use the following command on the db:

update usr set end_time = "2012-04-24";

To change it only for a given set of users, use the where clause:

update usr set end_time = "2012-04-24" where userid > 2 and userid  < 10;

The command above changes the end_time only for users whose id is between 3 and 10.

4.8 How to quickly change expiration date for pending Sign AUP tasks

update task set expiryDate = "2012-04-28" where status = "CREATED";

-- AndreaCeccanti - 2012-04-25

Topic revision: r3 - 2012-11-13 - AndreaCeccanti
 
TWIKI.NET
This site is powered by the TWiki collaboration platformCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback