You are here: TWiki> VOMS Web>VOMSYAIMGuide (2012-08-28, AndreaCeccanti)

The VOMS YAIM configuration guide

1 Introduction

This guide describes the functionalities provided by the YAIM VOMS module.

2 Configuration examples

Two minimal configurations for a single-VO installation, one on a MySQL backend and one on an Oracle backend, are given below. They should serve as a starting point for more complex configurations.

2.1 VOMS MySQL

site-info.def:

MYSQL_PASSWORD="***"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.mysql"

services/glite-voms:

# VOMS server hostname
VOMS_HOST=cert-voms-01.cnaf.infn.it
VOMS_DB_HOST='localhost'

VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS="***"
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_db

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it

2.2 VOMS Oracle

site-info.def:

VOMS_DB_TYPE="oracle"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.oracle"
ORACLE_CLIENT="/usr/lib/oracle/10.2.0.4/client64"

services/glite-voms:

VOMS_HOST=cert-voms-01.cnaf.infn.it

VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it

ORACLE_CONNECTION_STRING="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST = voms-db-02.cr.cnaf.infn.it)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME = vomsdb2.cr.cnaf.infn.it)))"

VO_CERT_ORACLE_VOMS_PORT=15000
VO_CERT_ORACLE_VOMS_DB_USER=admin_25
VO_CERT_ORACLE_VOMS_DB_PASS=***

3 YAIM configuration HOWTO

  1. Take the site-info.def and services/glite-voms examples given above as a starting point for your installation.
  2. Set optional yaim variables following the instructions found in the YAIM reference below.
  3. If configuring a MySQL-based VOMS server, make sure MySQL is running by checking with service mysqld status. If it is not running, start it with the command: service mysqld start
  4. Launch yaim as follows:
    /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS
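
Before launching yaim it is worth checking that every mandatory variable from section 4.1 is present for each VO listed in VOS, since a missing one only surfaces as a half-configured service later. The script below is an added example, not part of YAIM or VOMS: it sources site-info.def and services/glite-voms the way YAIM does and reports what is missing. It assumes the per-VO naming visible in the examples above (VOS="cert.mysql" gives VO_CERT_MYSQL_VOMS_PORT, i.e. upper case with '.' replaced by '_'); the additional handling of '-' in VO names is an assumption, and the sample configuration it writes is constructed for the demonstration.

```shell
# Pre-flight check for a YAIM VOMS configuration. Added example, not part of YAIM or VOMS.
# Assumes the mandatory variables of section 4.1 and the per-VO naming seen in section 2
# (VOS="cert.mysql" -> VO_CERT_MYSQL_VOMS_PORT): upper case, '.' and '-' (assumed) become '_'.
# The files are sourced the way YAIM sources them, so point it only at your own config.

# Prefix YAIM uses for the per-VO variables of VO $1.
vo_prefix() { printf 'VO_%s' "$(printf '%s' "$1" | tr 'a-z.-' 'A-Z__')"; }

# True if the shell variable named $1 is set to a non-empty value.
is_set() { eval "[ -n \"\${$1:-}\" ]"; }

# Usage: check_voms_config site-info.def services/glite-voms
# Prints one "MISSING ..." line per problem; returns 0 only when nothing is missing.
check_voms_config() (
    . "$1"; . "$2"; rc=0
    case ${VOMS_DB_TYPE:-mysql} in                  # section 4.2.2.1: mysql is the default
        mysql)  glob="VOS VOMS_HOST MYSQL_PASSWORD"
                both="VOMS_ADMIN_SMTP_HOST VOMS_ADMIN_MAIL VOMS_DB_HOST"
                pervo="VOMS_PORT VOMS_DB_USER VOMS_DB_PASS VOMS_DB_NAME" ;;
        oracle) glob="VOS VOMS_HOST ORACLE_CLIENT"
                both="VOMS_ADMIN_SMTP_HOST VOMS_ADMIN_MAIL ORACLE_CONNECTION_STRING"
                pervo="VOMS_PORT VOMS_DB_USER VOMS_DB_PASS" ;;
        *)      echo "BAD VOMS_DB_TYPE=$VOMS_DB_TYPE (expected mysql or oracle)"; exit 1 ;;
    esac
    for n in $glob; do is_set "$n" || { echo "MISSING $n"; rc=1; }; done
    for vo in ${VOS:-}; do
        p=$(vo_prefix "$vo")
        for n in $pervo; do is_set "${p}_$n" || { echo "MISSING ${p}_$n"; rc=1; }; done
        for n in $both; do   # global value or per-VO override, as section 4.1 allows
            is_set "$n" || is_set "${p}_$n" || { echo "MISSING $n (or ${p}_$n)"; rc=1; }
        done
    done
    exit $rc
)

# Constructed sample: the section 2.1 MySQL example with VO_CERT_MYSQL_VOMS_DB_NAME left out.
write_sample_config() {
    printf '%s\n' 'MYSQL_PASSWORD="***"' 'VOS="cert.mysql"' >"$1/site-info.def"
    printf '%s\n' 'VOMS_HOST=cert-voms-01.cnaf.infn.it' "VOMS_DB_HOST='localhost'" \
        'VO_CERT_MYSQL_VOMS_PORT=15000' 'VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user' \
        'VO_CERT_MYSQL_VOMS_DB_PASS="***"' 'VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it' \
        'VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it' >"$1/glite-voms"
}

d=$(mktemp -d) && write_sample_config "$d"
check_voms_config "$d/site-info.def" "$d/glite-voms" || echo "fix the above before running yaim -c -s site-info.def -n VOMS"
rm -rf "$d"
```

On the constructed sample the check prints a single MISSING line for the omitted database name and exits non-zero; once that variable is added it exits 0.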
    

4 YAIM variables reference

4.1 Mandatory variables

| Variable Name | Description | Value type | YAIM module version |
| VOS | Space-separated list of VOs that will be configured | Space-separated VO name list | all |
| VOMS_HOST | VOMS server hostname | hostname | all |
| VO_<vo-name>_VOMS_PORT | The port on which the VOMS server listens for requests for each VO. This is used in the vomses configuration file. By convention, port numbers are allocated starting with 15000. | port number | all |
| VOMS_ADMIN_SMTP_HOST | Host to which emails generated by voms-admin should be submitted. Use 'localhost' if you have a fully configured SMTP server running on this host. Otherwise specify the hostname of a working SMTP submission service. This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_ADMIN_SMTP_HOST | hostname | all |
| VOMS_ADMIN_MAIL | E-mail address that is used to send notification mails from VOMS Admin. This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_ADMIN_MAIL | mail | all |

4.1.1 MySQL Backend

| Variable Name | Description | Value type | YAIM module version |
| MYSQL_PASSWORD | Password of the MySQL privileged user account | password | all |
| VOMS_DB_HOST | Hostname of the database server. Put 'localhost' if you run the database on the same machine. This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_DB_HOST | hostname | all |
| VO_<vo-name>_VOMS_DB_NAME | The MySQL database name to be used to store VOMS information. | DB name | all |
| VO_<vo-name>_VOMS_DB_USER | Name of the DB user | DB user name | all |
| VO_<vo-name>_VOMS_DB_PASS | Password of the DB user account | password | all |

4.1.2 Oracle Backend

| Variable Name | Description | Value type | YAIM module version |
| ORACLE_CLIENT | Location of the Oracle Instant Client installation. See the Examples section above for an example. | path | all |
| VO_<vo-name>_VOMS_DB_USER | Name of the DB user | DB user name | all |
| VO_<vo-name>_VOMS_DB_PASS | Password of the DB user account | password | all |
| ORACLE_CONNECTION_STRING | Specifies the Oracle OCI connection string. See the Examples section above for an example. This parameter can be specified per VO in the following way: VO_<vo-name>_ORACLE_CONNECTION_STRING | Oracle connection string | all |

4.2 Optional variables

4.2.1 VOMS core

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_CORE_LOGROTATE_LOGNUMBER | This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_CORE_LOGROTATE_LOGNUMBER | number of rotated log files | 90 | all |
| VOMS_CORE_LOGROTATE_PERIOD | This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_CORE_LOGROTATE_PERIOD | daily, weekly, monthly | daily | all |
| VOMS_CORE_TIMEOUT | The maximum validity length (in seconds) of the ACs that VOMS will grant. The default value is 24 hours. This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_CORE_TIMEOUT | seconds | 86400 | all |
| VOMS_SHORT_FQANS | FQAN syntax that will appear in the VO extension information of a VOMS proxy. | true/false | false | all |
| VOMS_SKIP_CA_CHECK | When this option is set to true, VOMS checks only the certificate subject when assessing user membership in a VO. | true/false | false | all |
| VOMS_CORE_LOGLEVEL | Sets the level of verbosity of log messages (voms-core). Values go from 1 to 5, with 1 set to no logging and 5 to maximum verbosity. | number (1 to 5) | 4 | all |

4.2.2 VOMS Admin

4.2.2.1 General variables

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_DB_TYPE | DB type | oracle/mysql | mysql | all |
| VOMS_DB_DEPLOY | If set to 'true' it will attempt the creation and deployment of the database schema and initial contents (unless an existing database is found). | true/false | true | all |
| VOMS_ADMIN_INSTALL | Set this variable to 'false' if you don't want to configure voms-admin. | true/false | true | all |
| VOMS_ADMIN_VERBOSE | VOMS Admin verbosity | true/false | true | all |
| VOMS_ADMIN_CERT | The path of the certificate file (in PEM format) of an initial VO administrator. The VO will be set up so that this user has full VO administration privileges. This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_ADMIN_CERT | path | None | all |
| VOMS_ADMIN_TOMCAT_GROUP | The UNIX group that Tomcat is run under | group name | tomcat | all |
| VOMS_ADMIN_VOMS_GROUP | The UNIX group that the VOMS core service is run under | group name | voms | all |
| VOMS_ADMIN_CA_RELOAD_PERIOD | The period (in seconds) by which CAs are synchronized with the voms database. | seconds | 21600 (every 6 hours) | all |
| VOMS_ADMIN_AUTH_READS | Sets whether the VO should be configured to be read accessible for authenticated clients. | true/false | true | all |
| VOMS_ADMIN_NOTIFICATION_BEHAVIOUR | Sets VOMS Admin behaviour in dispatching notification emails. When the value is "admins", notifications resulting from user requests are sent only to administrators that can handle the requests. If no such administrator is found, the service email address is used instead. When the value is "service", notifications are sent only to the service email address specified at VO configuration time. When the value is "all", notifications are sent to admins and the service email address. | admins/service/all | all | all |
| VOMS_ADMIN_WS_CSRF_LOG_ONLY | The VOMS Admin Anti Cross-Site Request Forgery (CSRF) Guard behaviour. The CSRF guard can be switched off by putting it in log-only mode, to ensure backward compatibility with older clients. | true/false | true (CSRF guard disabled) | all |

4.2.2.2 Registration service

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_WEB_REGISTRATION_DISABLE | Set this variable to true if you want to disable user registration via the voms-admin web interface. This parameter can be specified per VO in the following way: VO_<vo-name>_VOMS_ADMIN_WEB_REGISTRATION_DISABLE | true/false | false | all |
| VOMS_ADMIN_MEMBERSHIP_REQUEST_WARNINGS | Should voms-admin send a warning email to the user when his/her unconfirmed request is removed from the database? | true/false | true | all |
| VOMS_ADMIN_MEMBERSHIP_REQUEST_LIFETIME | Time in seconds that unconfirmed requests are kept inside the voms database. | seconds | 604800 (7 days) | all |
| VOMS_ADMIN_ENABLE_ATTRIBUTE_REQUESTS | Enable attribute requests at registration time. Setting this option to true will allow users to request membership in VO groups also when first registering at the VO. The VO manager will be given the chance to approve every membership request. | true/false | false | 1.1.0 |

4.2.2.3 Membership validation service

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_MEMBERSHIP_DEFAULT_LIFETIME | Default VO membership lifetime (in months). This setting is used to compute the default membership expiration date for newly created users. The default value is 12 months. | months | 12 | all |
| VOMS_ADMIN_MEMBERSHIP_CHECK_PERIOD | Period for the membership check background thread (in seconds). | seconds | 600 (10 minutes) | 1.1.0 |
| VOMS_ADMIN_MEMBERSHIP_EXPIRATION_WARNING_PERIOD | Warning period duration (in days). VOMS Admin will send notifications about users whose membership expires within the number of days given by this option. | days | 30 | 1.1.0 |
| VOMS_ADMIN_MEMBERSHIP_EXPIRATION_GRACE_PERIOD | Membership expiration grace period (in days). During the grace period the user is kept active even though their membership has expired. Note that this option has no effect if the VOMS_ADMIN_PRESERVE_EXPIRED_MEMBERS option is set to true. | days | 7 | 1.1.0 |
| VOMS_ADMIN_MEMBERSHIP_NOTIFICATION_RESEND_PERIOD | Time (in days) that should pass between consecutive expiration warning messages sent to VO administrators to inform them about expired and expiring VO members. Note that state about sent notifications is not stored in the database, so the counting is reset at every service restart. | days | 1 (every day) | 1.1.0 |
| VOMS_ADMIN_PRESERVE_EXPIRED_MEMBERS | When this option is set to true, expired users are NOT suspended. VO administrators are always notified by mail of expired and about-to-expire members. | true/false | false | 1.1.0 |
| VOMS_ADMIN_DISABLE_MEMBERSHIP_END_TIME | This flag disables the membership end time checks completely. Set it to true if you want user membership lifetime to be linked only to the AUP acceptance period. | true/false | false | 1.1.0 |

4.2.2.4 Acceptable Usage Policy (AUP) validation service

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_SIGN_AUP_TASK_LIFETIME | The time (in days) given to users to sign the AUP, after being notified, before being suspended. | days | 15 | 1.1.0 |

4.2.2.5 SAML attribute authority

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_SAML_MAX_ASSERTION_LIFETIME | The lifetime (expressed in minutes) of SAML attribute assertions issued by VOMS Admin. | minutes | 720 (12 hours) | all |
| VOMS_ADMIN_SAML_AA_CERTIFICATE | The location of the certificate used by the SAML Attribute Authority. | path | /etc/grid-security/tomcat-cert.pem | all |
| VOMS_ADMIN_SAML_AA_KEY | The location of the private key of the certificate used by the SAML Attribute Authority. | path | /etc/grid-security/tomcat-key.pem | all |

4.2.3 MySQL Backend

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_MYSQL_ADMIN | MySQL privileged user account. | user | root | all |
| VOMS_MYSQL_CONFIG_FILE | MySQL config file | path | /etc/my.cnf | all |
| VOMS_MYSQL_LIBRARY | MySQL library path | path | /usr/lib64/libvomsmysql.so | all |
| VOMS_MYSQL_MAX_CONNECTIONS | Maximum number of connections to MySQL | number | 500 | all |
| VOMS_MYSQL_PORT | MySQL port | port | 3306 | all |

4.2.4 Oracle Backend

| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_ORACLE_MAX_CONNECTIONS | Maximum number of connections to be opened per VO | number | 20 | all |
| VOMS_ADMIN_ORACLE_MIN_CONNECTIONS | Minimum number of connections to be opened per VO | number | 1 | all |
| VOMS_ADMIN_ORACLE_START_CONNECTIONS | Startup number of connections to be opened per VO | number | 10 | all |
| VOMS_ORACLE_LIBRARY | Path to the Oracle libraries | path | /usr/lib64/libvomsoracle.so | all |

-- AndreaCeccanti - 2012-04-23

Topic revision: r3 - 2012-08-28 - AndreaCeccanti