---+ !!VOMS System Administrator Guide

%TOC%

---# Introduction

The Virtual Organization Membership Service (VOMS) is an attribute authority which serves as the central repository for VO user authorization information. It supports sorting users into group hierarchies and keeping track of their roles and other attributes, in order to issue trusted attribute certificates and SAML assertions used in the Grid environment for authorization purposes.

VOMS is composed of two main components:

   * the VOMS core service, which issues attribute certificates to authenticated clients
   * the VOMS Admin service, which is used by VO managers to administer VOs and manage user membership details.

---## Quickstart guide

This quickstart guide covers the !MySQL installation of VOMS.

   1. Install the [[#][EMI 2 release package]].
   1. Install the =emi-voms-mysql= metapackage.
   1. Install the =xml-commons-apis= package to avoid useless warnings when running Tomcat.
   1. Set a sensible password for the !MySQL root user, as explained in the instructions below.
   1. Configure the VOMS service with YAIM as explained in [[#][this section]].

---## Prerequisites and recommendations

---### Hardware

   * CPU: no specific requirements
   * Memory: 2GB if serving <= 10 VOs, more otherwise
   * Disk: 10GB free space (besides OS and EMI packages)

---### Software

---#### Operating system

   * NTP time synchronization: required
   * Host certificates: required
   * Networking
      * Open ports: see the [[VOMSServiceReferenceCard][service reference card]]

---#### Preinstalled software

Besides the usual OS and EMI release packages, you will need the =oracle-instantclient-basic= package, version 10.2.0.4, installed on the system (in case of an Oracle-based installation). All the other dependencies are resolved by the installation of the VOMS metapackages, i.e.:

   * =emi-voms-mysql=, in case of a !MySQL installation,
   * =emi-voms-oracle=, in case of an Oracle installation.
---## Recommended deployment scenarios

A single-node installation with the hardware recommendations given above should serve most scenarios well. It is not recommended to deploy a large number of VOs (> 20) on a single installation. This is due to an architectural limitation of VOMS (i.e., independent web applications and service for each VO) that will be solved in a future VOMS release.

---## Installation instructions

---### Software repositories

Follow the general EMI 1 or 2 installation instructions. VOMS requires that the OS and EPEL repositories are active and correctly configured on the target machine. If Oracle is used, a repository where Oracle packages are available should also be provided. Otherwise the Oracle packages need to be installed manually.

---### Clean installation

   * In case you plan to install the =emi-voms-oracle= metapackage, download and install the Oracle instant client [[http://download.oracle.com/otn/linux/instantclient/10204/oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm][basic]] libraries (v. 10.2.0.4-1) on your system:
      * =yum localinstall oracle-instantclient-basic-10.2.0.4-1.x86_64.rpm=
   * Install the =emi-voms-mysql= or the =emi-voms-oracle= metapackage, depending on the database backend you are using (MySQL or Oracle):
      * =yum install emi-voms-mysql= *or* =yum install emi-voms-oracle=
   * Manually install the =xml-commons-apis= libraries (after having installed the right metapackage for your installation), as the ones provided by the default OS JREs cause warnings when starting/stopping Tomcat:
      * =yum install xml-commons-apis=

---### Upgrade installation

---#### Upgrade from gLite 3.2 VOMS

---##### Install and configure an SL5 or SL6 X86_64 EPEL machine

In order to install the EMI VOMS metapackage you will need a *clean* SL5 or SL6 X86_64 machine with the EPEL repository configured and the emi release package correctly installed.
SL5, as configured by gLite 3.2, is *not* suitable for installing the EMI VOMS, since gLite uses the DAG repository, which is an *alternative* to, and *incompatible* with, EPEL.

Once you have a clean machine configured, install the =emi-voms-mysql= metapackage *without launching the YAIM configuration*.

---##### !VOMS database dump and YAIM configuration

On your existing gLite 3.2 !VOMS node, dump the !VOMS database for all the VOs by issuing the following command:

<verbatim>
mysqldump -uroot -p<MYSQL_ROOT_PASSWORD> --all-databases --flush-privileges > voms_database_dump.sql
</verbatim>

You will then copy the dump file to the new EMI !VOMS node. Remember to save your YAIM configuration (in most cases, =site-info.def= and =services/glite-voms= in your =siteinfo= directory) and copy it to the new EMI !VOMS node.

---##### Restoring the !VOMS database on the EMI node

You should now have the =mysql= daemon installed on your EMI machine (it was installed as a dependency of the =emi-voms-mysql= metapackage). Follow the instructions in this [[#MySQLAdminConf][section]] to properly configure the MySQL root account. Once the root account is configured and working (check that you can log in by issuing the command =mysql -uroot -p<MYSQL_ROOT_PASSWORD>=), you can restore the !VOMS database with the following command:

<verbatim>
mysql -uroot -p<PASSWORD> < voms_database_dump.sql
</verbatim>

---##### Configuring !VOMS on the EMI node

The gLite 3.2 YAIM configuration should work in your EMI installation. Just check that no gLite-specific paths are referenced in your configuration, and possibly integrate it with the new options provided by EMI VOMS.
In order to configure !VOMS, place the YAIM configuration files in your favorite directory and launch the following command:

<verbatim>
/opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS
</verbatim>

---##### Known issues for the gLite 3.2 to EMI upgrade

---###### AUP is not shown correctly after upgrade to EMI

After upgrading a gLite 3.2 VOMS Admin, the URL pointing to the default AUP text (/var/glite/etc/voms-admin/<vo>/vo-aup.txt) is not upgraded to the new location (/etc/voms-admin/<vo>/vo-aup.txt). This issue leads to an empty AUP being shown to the users of the upgraded VOMS. To solve this issue, change the AUP URL from the VOMS Admin web interface by pointing your browser to:

<verbatim>
https://<voms-hostname>:8443/voms/<vo>/aup/load.action
</verbatim>

The default URL for the new AUP is:

<verbatim>
file:/etc/voms-admin/<vo>/vo-aup.txt
</verbatim>

---#### Upgrade from EMI 1 VOMS

---##### Upgrading an SL5 EMI 1 installation

   1. Install the [[#][emi-release package]] for EMI 2.
   1. Update packages via =yum update=.

---### Configuration

---#### Configuring the database backend

#MySQLAdminConf
---##### !MySQL configuration

Make sure that the !MySQL administrator password that you specify in the YAIM !VOMS configuration files matches the password that is set for the root !MySQL account. *The YAIM configuration script does not set it for you*.

If you want to set a !MySQL administrator password:

   1. Check that MySQL is running; if not, launch it using =service mysqld start=
   1. Issue the following commands as root (putting appropriate information in the =<adminPassword>= and =<hostname>= placeholders):

<verbatim>
/usr/bin/mysqladmin -u root password <adminPassword>
/usr/bin/mysqladmin -u root -h <hostname> password <adminPassword>
</verbatim>

The above commands set a password for the MySQL root account.

---##### Oracle configuration

Create the necessary users and databases in Oracle. Please see the Oracle manuals for details.
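The dump, restore and login-check commands in the upgrade section above (and in the migration section below) pass the MySQL root password with the =-p= option on the command line, where it is visible in process listings and shell history. The following is an added example, not part of this guide, that runs the same mysqldump and mysql steps with the credentials in a mode-600 option file read through =--defaults-extra-file=; the environment variable name VOMS_MYSQL_ROOT_PW is an assumption made here.

```shell
#!/bin/sh
# Added example (not from the VOMS guide): run the VOMS database dump/restore
# without putting the MySQL root password in argv, where `ps` and shell
# history would expose it. Assumptions: the password is supplied in the
# environment variable VOMS_MYSQL_ROOT_PW (a name chosen here), and
# mysqldump/mysql are on PATH.
set -eu

# write_mysql_opts PASSWORD
# Writes a private (mode 600) MySQL option file holding the root credentials
# and prints its path. mysql and mysqldump read it via --defaults-extra-file,
# which must be their first option. Passwords containing " or \ must be
# backslash-escaped according to MySQL option-file quoting rules.
write_mysql_opts() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    printf '[client]\nuser=root\npassword="%s"\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# voms_db_dump OPTFILE OUTFILE: the same full dump the guide performs.
voms_db_dump() {
    mysqldump --defaults-extra-file="$1" --all-databases --flush-privileges > "$2"
}

# voms_db_restore OPTFILE DUMPFILE: the same restore the guide performs.
voms_db_restore() {
    mysql --defaults-extra-file="$1" < "$2"
}

# Usage: VOMS_MYSQL_ROOT_PW=... ./voms_db.sh dump|restore voms_database_dump.sql
if [ -n "${VOMS_MYSQL_ROOT_PW:-}" ] && [ $# -eq 2 ]; then
    opts=$(write_mysql_opts "$VOMS_MYSQL_ROOT_PW")
    trap 'rm -f "$opts"' EXIT   # remove the credential file even on failure
    case "$1" in
        dump)    voms_db_dump "$opts" "$2" ;;
        restore) voms_db_restore "$opts" "$2" ;;
        *) echo "usage: $0 dump|restore voms_database_dump.sql" >&2; exit 2 ;;
    esac
fi
```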
---#### Configuring the !VOMS server with !YAIM

---##### !YAIM siteinfo and =glite-voms= example files

---###### !MySQL backend

Below are a siteinfo and a service file for a VOMS MySQL node configuration:

<verbatim>
site-info.def:

MYSQL_PASSWORD="pwd"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.mysql"

services/glite-voms:

# VOMS server hostname
VOMS_HOST=cert-voms-01.cnaf.infn.it
VOMS_DB_HOST='localhost'
VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS="pwd"
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_db
VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
</verbatim>

---###### Oracle backend

<verbatim>
site-info.def:

VOMS_DB_TYPE="oracle"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.oracle"
ORACLE_CLIENT="/usr/lib/oracle/10.2.0.4/client64"

services/glite-voms:

VOMS_HOST=cert-voms-01.cnaf.infn.it
VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
VOMS_ADMIN_CERT=/root/andreacert.pem
ORACLE_CONNECTION_STRING="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST = voms-db-02.cr.cnaf.infn.it)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME = vomsdb2.cr.cnaf.infn.it)))"
VO_CERT_ORACLE_VOMS_PORT=15000
VO_CERT_ORACLE_VOMS_DB_USER=admin_25
VO_CERT_ORACLE_VOMS_DB_PASS=***
</verbatim>

---#### YAIM configuration steps

   1. Take the =site-info.def= and =services/glite-voms= examples given above as a starting point for your installation.
   1. Set the YAIM variables as specified [[https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables#VOMS][in the VOMS !YAIM configuration guide]].
   1. Make sure MySQL is running with =service mysqld status=. In case it is not running, start it with the command =service mysqld start=.
   1. Launch YAIM as follows:

<verbatim>
/opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS
</verbatim>

---## Service operation

The YAIM configuration step is enough to have the VOMS core and admin services up and running.
To start and stop the VOMS core service use:

<verbatim>
service voms start/stop
</verbatim>

To start and stop VOMS Admin, use the Tomcat start/stop scripts:

<verbatim>
service tomcat5 start/stop (SL5)
service tomcat6 start/stop (SL6)
</verbatim>

If you want to restart individual VOMS Admin VO web applications, you can use:

<verbatim>
service voms-admin start/stop <vo>
</verbatim>

Use the above command only in exceptional cases, to deal with potential issues that affect only individual VOs. *The recommended way to start and stop VOMS Admin is by using the Tomcat startup scripts*.

For other information regarding service operation see the [[#][VOMS service reference card]].

---### Validation and monitoring

TBD

---### Migration

In order to migrate VOMS to a different machine, the following items will need to be migrated:

   1. The configuration
   1. The database content. This holds only if VOMS was configured to access a local database instance. If a remote database is used for VOMS, only the configuration will need to be migrated to the new installation.

---#### VOMS configuration migration

To migrate the VOMS configuration, just archive the contents of the YAIM configuration directory and move this archive to the new installation. In case YAIM is not used, you will need to archive and move the following directories:

<verbatim>
/etc/voms/*                            (EMI1 VOMS)
/etc/voms-admin/*                      (EMI1 VOMS Admin)
$GLITE_LOCATION/etc/voms/*             (gLite 3.2 VOMS)
$GLITE_LOCATION_VAR/etc/voms-admin/*   (gLite 3.2 VOMS Admin)
</verbatim>

---#### VOMS database migration (!MySQL backend)

In order to dump the contents of the VOMS database, issue the following command on the original VOMS installation machine:

<verbatim>
mysqldump -uroot -p<MYSQL_ROOT_PASSWORD> --all-databases --flush-privileges > voms_database_dump.sql
</verbatim>

This database dump contains all the VOMS data and can be moved to the new VOMS installation machine. To restore the database contents on the new VOMS installation machine, ensure that:

   1. mysql-server is installed and running
   1. The password for the MySQL root account is properly configured (follow the instructions in this [[#MySQLAdminConf][section]] to configure the root account password).

The database content can then be restored using the following command:

<verbatim>
mysql -uroot -p<PASSWORD> < voms_database_dump.sql
</verbatim>

---##### Migrating database accounts

TBD

---## Troubleshooting

See the [[KnownIssues][VOMS known issues page]].

-- Main.AndreaCeccanti - 2012-03-03
Topic revision: r2 - 2012-04-24 - AndreaCeccanti