The VOMS YAIM configuration guide
1 Introduction
This guide describes the functionalities provided by the YAIM VOMS module.
2 Configuration examples
Two minimal configurations for a single-VO installation, one on a MySQL backend and one on an Oracle backend, are given below.
They should serve as a starting point for more complex configurations. Passwords are shown as *** and must be replaced with the real values.
2.1 VOMS MySQL
site-info.def:
MYSQL_PASSWORD="***"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.mysql"
services/glite-voms:
# VOMS server hostname
VOMS_HOST=cert-voms-01.cnaf.infn.it
VOMS_DB_HOST='localhost'
VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS="***"
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_db
VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
2.2 VOMS Oracle
site-info.def:
VOMS_DB_TYPE="oracle"
SITE_NAME="voms-certification.cnaf.infn.it"
VOS="cert.oracle"
ORACLE_CLIENT="/usr/lib/oracle/10.2.0.4/client64"
services/glite-voms:
VOMS_HOST=cert-voms-01.cnaf.infn.it
VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
ORACLE_CONNECTION_STRING="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST = voms-db-02.cr.cnaf.infn.it)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME = vomsdb2.cr.cnaf.infn.it)))"
VO_CERT_ORACLE_VOMS_PORT=15000
VO_CERT_ORACLE_VOMS_DB_USER=admin_25
VO_CERT_ORACLE_VOMS_DB_PASS=***
3 YAIM configuration HOWTO
- Take the site-info.def and services/glite-voms examples given above as a starting point for your installation. Both files carry database passwords (MYSQL_PASSWORD, VO_<vo-name>_VOMS_DB_PASS), so keep them readable only by the account that runs yaim.
- Set optional yaim variables following the instructions found in the YAIM variables reference below.
- If configuring a MySQL-based VOMS server, make sure MySQL is running with
  service mysqld status
  and start it if it is not running with
  service mysqld start
- Launch yaim as follows:
  /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS
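The procedure above leaves two things to the operator: checking, before yaim runs, that every mandatory variable of the reference below is set for each VO listed in VOS, and remembering that site-info.def and services/glite-voms carry database passwords. The script below is an added example, not part of YAIM or VOMS, that does both: it sources the two files, verifies the mandatory variables for every VO and for the selected backend, checks that neither file is readable by group or others, and flags two optional settings that loosen checks (VOMS_SKIP_CA_CHECK=true, and VOMS_ADMIN_WS_CSRF_LOG_ONLY left at its log-only default). The VO name to variable name mapping it relies on is the one visible in the examples above (uppercase, dots to underscores); treating dashes the same way is an assumption. The sample configuration it writes is constructed from the MySQL example above with placeholder passwords.

```shell
#!/bin/sh
# Pre-flight check for a YAIM VOMS configuration (added example, not part of
# YAIM or VOMS): sources site-info.def and services/glite-voms, verifies the
# mandatory variables for every VO in VOS and the chosen backend, and flags
# the optional settings that weaken checks.

# Map a VO name to its VO_<NAME>_ variable prefix. The page's examples show
# cert.mysql -> VO_CERT_MYSQL_ (uppercased, '.' -> '_'); mapping '-' to '_'
# as well is an assumption of this script.
vo_var_prefix() { printf 'VO_%s_' "$(printf '%s' "$1" | tr 'a-z.-' 'A-Z__')"; }
# True if the named variable is set and non-empty.
var_set() { eval "[ -n \"\${$1:-}\" ]"; }

# check_voms_vars SITE_INFO SERVICES_FILE
# Prints each missing mandatory variable; returns 1 if any is missing.
# Runs in a subshell so sourcing the files does not alter the caller.
check_voms_vars() {
    (   . "$1"; . "$2"
        missing=0
        report() { echo "missing: $1"; missing=1; }
        case "${VOMS_DB_TYPE:-mysql}" in    # mysql is the documented default
            mysql)  global="MYSQL_PASSWORD"; per_vo_or_global="VOMS_DB_HOST"
                    per_vo="VOMS_PORT VOMS_DB_NAME VOMS_DB_USER VOMS_DB_PASS" ;;
            oracle) global="ORACLE_CLIENT"; per_vo_or_global="ORACLE_CONNECTION_STRING"
                    per_vo="VOMS_PORT VOMS_DB_USER VOMS_DB_PASS" ;;
            *)      echo "unsupported VOMS_DB_TYPE: $VOMS_DB_TYPE"; exit 1 ;;
        esac
        # Settable globally or per VO as VO_<vo-name>_<NAME>; either form counts.
        per_vo_or_global="$per_vo_or_global VOMS_ADMIN_SMTP_HOST VOMS_ADMIN_MAIL"
        for v in VOS VOMS_HOST $global; do var_set "$v" || report "$v"; done
        for vo in ${VOS:-}; do
            p=$(vo_var_prefix "$vo")
            for s in $per_vo; do var_set "$p$s" || report "$p$s"; done
            for s in $per_vo_or_global; do
                var_set "$p$s" || var_set "$s" || report "$s (or $p$s)"
            done
        done
        exit "$missing"
    )
}

# audit_voms_settings SITE_INFO SERVICES_FILE
# Returns 1 if a setting loosens security: VOMS_SKIP_CA_CHECK=true matches
# members on subject DN alone (issuing CA ignored); VOMS_ADMIN_WS_CSRF_LOG_ONLY
# defaults to true, which only logs CSRF failures, so an explicit false is required.
audit_voms_settings() {
    (   . "$1"; . "$2"
        weak=0
        [ "${VOMS_SKIP_CA_CHECK:-false}" != "true" ] ||
            { echo "weak: VOMS_SKIP_CA_CHECK=true"; weak=1; }
        [ "${VOMS_ADMIN_WS_CSRF_LOG_ONLY:-true}" = "false" ] ||
            { echo "weak: VOMS_ADMIN_WS_CSRF_LOG_ONLY is not false"; weak=1; }
        exit "$weak"
    )
}

# check_secret_file_perms FILE...: both files hold database passwords, so
# fail if any of them is readable by group or others (inspects the ls mode string).
check_secret_file_perms() {
    bad=0
    for f in "$@"; do
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "insecure permissions on $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# write_sample_config DIR: constructed sample built from the page's MySQL
# example, with placeholder passwords and the CSRF guard set to enforce.
write_sample_config() {
    mkdir -p "$1/services"
    cat > "$1/site-info.def" <<'EOF'
MYSQL_PASSWORD="changeme-root"
VOS="cert.mysql"
VOMS_ADMIN_WS_CSRF_LOG_ONLY=false
EOF
    cat > "$1/services/glite-voms" <<'EOF'
VOMS_HOST=cert-voms-01.cnaf.infn.it
VOMS_DB_HOST='localhost'
VO_CERT_MYSQL_VOMS_PORT=15000
VO_CERT_MYSQL_VOMS_DB_USER=cert_mysql_user
VO_CERT_MYSQL_VOMS_DB_PASS="changeme-vo"
VO_CERT_MYSQL_VOMS_DB_NAME=voms_cert_mysql_db
VOMS_ADMIN_SMTP_HOST=iris.cnaf.infn.it
VOMS_ADMIN_MAIL=andrea.ceccanti@cnaf.infn.it
EOF
    chmod 600 "$1/site-info.def" "$1/services/glite-voms"
}

# Stand-alone run: all three checks must pass before yaim is launched.
d=$(mktemp -d)
write_sample_config "$d"
check_secret_file_perms "$d/site-info.def" "$d/services/glite-voms" &&
check_voms_vars "$d/site-info.def" "$d/services/glite-voms" &&
audit_voms_settings "$d/site-info.def" "$d/services/glite-voms" &&
echo "ok: run /opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS"
rm -rf "$d"
```

Run it as-is to check the embedded sample, or call check_secret_file_perms, check_voms_vars and audit_voms_settings on your own site-info.def and services/glite-voms before launching yaim; a non-zero exit from any of them means the configuration is incomplete or weaker than the defaults documented below allow.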
4 YAIM variables reference
4.1 Mandatory variables
| Variable Name | Description | Value type | YAIM module version |
| VOS | Space-separated list of VOs that will be configured | Space-separated VO name list | all |
| VOMS_HOST | VOMS server hostname | hostname | all |
| VO_<vo-name>_VOMS_PORT | The port on which the VOMS server listens for requests for this VO. It is used in the vomses configuration file. By convention, port numbers are allocated starting from 15000 | port number | all |
| VOMS_ADMIN_SMTP_HOST | Host to which voms-admin-generated emails are submitted. Use 'localhost' if a fully configured SMTP server runs on this host; otherwise specify the hostname of a working SMTP submission service. This parameter can be specified per VO as VO_<vo-name>_VOMS_ADMIN_SMTP_HOST | hostname | all |
| VOMS_ADMIN_MAIL | E-mail address used as the sender of notification mails from voms-admin. This parameter can be specified per VO as VO_<vo-name>_VOMS_ADMIN_MAIL | mail | all |
4.1.1 MySQL Backend
| Variable Name | Description | Value type | YAIM module version |
| MYSQL_PASSWORD | Password of the MySQL privileged user account | password | all |
| VOMS_DB_HOST | Hostname of the database server. Use 'localhost' if the database runs on the same machine. This parameter can be specified per VO as VO_<vo-name>_VOMS_DB_HOST | hostname | all |
| VO_<vo-name>_VOMS_DB_NAME | The MySQL database name used to store VOMS information | DB name | all |
| VO_<vo-name>_VOMS_DB_USER | Name of the DB user | DB user name | all |
| VO_<vo-name>_VOMS_DB_PASS | Password of the DB user account | password | all |
4.1.2 Oracle Backend
| Variable Name | Description | Value type | YAIM module version |
| ORACLE_CLIENT | Location of the Oracle Instant Client installation. See the Examples section above | path | all |
| VO_<vo-name>_VOMS_DB_USER | Name of the DB user | DB user name | all |
| VO_<vo-name>_VOMS_DB_PASS | Password of the DB user account | password | all |
| ORACLE_CONNECTION_STRING | The Oracle OCI connection string. See the Examples section above. This parameter can be specified per VO as VO_<vo-name>_ORACLE_CONNECTION_STRING | oracle connection string | all |
4.2 Optional variables
4.2.1 VOMS core
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_CORE_LOGROTATE_LOGNUMBER | Number of rotated voms-core log files that are kept. This parameter can be specified per VO as VO_<vo-name>_VOMS_CORE_LOGROTATE_LOGNUMBER | number of rotated log files | 90 | all |
| VOMS_CORE_LOGROTATE_PERIOD | Rotation period of the voms-core log. This parameter can be specified per VO as VO_<vo-name>_VOMS_CORE_LOGROTATE_PERIOD | daily, weekly, monthly | daily | all |
| VOMS_CORE_TIMEOUT | The maximum validity (in seconds) of the ACs that VOMS will grant. The default is 24 hours. This parameter can be specified per VO as VO_<vo-name>_VOMS_CORE_TIMEOUT | seconds | 86400 | all |
| VOMS_SHORT_FQANS | Whether the FQANs in the VO extension of a voms proxy use the short syntax (without the /Role=NULL/Capability=NULL suffix) | true/false | false | all |
| VOMS_SKIP_CA_CHECK | When true, VOMS checks only the certificate subject when assessing user membership in a VO and ignores the issuing CA, so a certificate with the same subject DN from any trusted CA is treated as the same member. Leave it false unless you have a specific need for it | true/false | false | all |
| VOMS_CORE_LOGLEVEL | Verbosity of voms-core log messages | 1 to 5 (1: no logging, 5: maximum verbosity) | 4 | all |
4.2.2 VOMS Admin
4.2.2.1 General variables
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_DB_TYPE | DB type | oracle/mysql | mysql | all |
| VOMS_DB_DEPLOY | If set to 'true', yaim attempts the creation and deployment of the database schema and initial contents (unless an existing database is found) | true/false | true | all |
| VOMS_ADMIN_WS_CSRF_LOG_ONLY | Behaviour of the VOMS Admin anti Cross-Site Request Forgery (CSRF) guard. In log-only mode (true) requests that fail the CSRF check are logged but not rejected, which keeps older clients working; set it to false to have the guard reject them | true/false | true (log-only: CSRF guard not enforcing) | all |
| VOMS_ADMIN_VOMS_GROUP | The UNIX group that the VOMS core service is run under | group name | voms | all |
| VOMS_ADMIN_VERBOSE | VOMS Admin verbosity | true/false | true | all |
| VOMS_ADMIN_TOMCAT_GROUP | The UNIX group that Tomcat is run under | group name | tomcat | all |
| VOMS_ADMIN_NOTIFICATION_BEHAVIOUR | Sets how VOMS Admin dispatches notification emails. With "admins", notifications resulting from user requests are sent only to administrators that can handle the requests; if no such administrator is found, the service email address is used instead. With "service", notifications are sent only to the service email address specified at VO configuration time. With "all", notifications are sent to both the admins and the service email address | admins/service/all | all | all |
| VOMS_ADMIN_INSTALL | Set this variable to 'false' if you don't want to configure voms-admin | true/false | true | all |
| VOMS_ADMIN_CERT | The path of the certificate file (in PEM format) of an initial VO administrator. The VO is set up so that this user has full VO administration privileges. This parameter can be specified per VO as VO_<vo-name>_VOMS_ADMIN_CERT | path | None | all |
| VOMS_ADMIN_CA_RELOAD_PERIOD | The period (in seconds) at which CAs are synchronized with the voms database | seconds | 21600 (every 6 hours) | all |
| VOMS_ADMIN_AUTH_READS | Whether the VO is configured to be readable by any authenticated client, i.e. any client presenting a valid certificate from a trusted CA, whether or not it is a VO member. Set it to false if VO data should not be readable by non-members | true/false | true | all |
4.2.2.2 Registration service
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_WEB_REGISTRATION_DISABLE | Set this variable to true to disable user registration via the voms-admin web interface. This parameter can be specified per VO as VO_<vo-name>_VOMS_ADMIN_WEB_REGISTRATION_DISABLE | true/false | false | all |
| VOMS_ADMIN_MEMBERSHIP_REQUEST_WARNINGS | Whether voms-admin sends a warning email to the user when their unconfirmed request is removed from the database | true/false | true | all |
| VOMS_ADMIN_MEMBERSHIP_REQUEST_LIFETIME | Time in seconds that unconfirmed requests are kept in the voms database | seconds | 604800 (7 days) | all |
| VOMS_ADMIN_ENABLE_ATTRIBUTE_REQUESTS | Enable attribute requests at registration time. Setting this option to true allows users to request membership in VO groups when first registering at the VO. The VO manager is given the chance to approve every such request | true/false | false | 1.1.0 |
4.2.2.3 Membership validation service
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_MEMBERSHIP_DEFAULT_LIFETIME | Default VO membership lifetime (in months), used to compute the default membership expiration date for newly created users | months | 12 | all |
| VOMS_ADMIN_MEMBERSHIP_CHECK_PERIOD | Period of the membership check background thread (in seconds) | seconds | 600 (10 minutes) | 1.1.0 |
| VOMS_ADMIN_MEMBERSHIP_EXPIRATION_WARNING_PERIOD | Warning period (in days). VOMS Admin notifies about users whose membership expires within this number of days | days | 30 | 1.1.0 |
| VOMS_ADMIN_MEMBERSHIP_EXPIRATION_GRACE_PERIOD | Membership expiration grace period (in days). During the grace period the user is kept active even though their membership has expired. This option has no effect if VOMS_ADMIN_PRESERVE_EXPIRED_MEMBERS is set to true | days | 7 | 1.1.0 |
| VOMS_ADMIN_MEMBERSHIP_NOTIFICATION_RESEND_PERIOD | Time (in days) between consecutive warning messages sent to VO administrators about expired and expiring VO members. The state of sent notifications is not stored in the database, so the count restarts at every service restart | days | 1 (every day) | 1.1.0 |
| VOMS_ADMIN_PRESERVE_EXPIRED_MEMBERS | When true, expired users are NOT suspended. VO administrators are always notified of expired and about-to-expire members by mail | true/false | false | 1.1.0 |
| VOMS_ADMIN_DISABLE_MEMBERSHIP_END_TIME | Disables the membership end time checks completely. Set it to true if user membership lifetime should be tied only to the AUP acceptance period | true/false | false | 1.1.0 |
4.2.2.4 Acceptable Usage Policy (AUP) validation service
4.2.2.5 SAML attribute authority
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_SAML_MAX_ASSERTION_LIFETIME | The lifetime (in minutes) of SAML attribute assertions issued by VOMS Admin | minutes | 720 (12 hours) | all |
| VOMS_ADMIN_SAML_AA_CERTIFICATE | The location of the certificate used by the SAML Attribute Authority | path | /etc/grid-security/tomcat-cert.pem | all |
| VOMS_ADMIN_SAML_AA_KEY | The location of the private key of the certificate used by the SAML Attribute Authority | path | /etc/grid-security/tomcat-key.pem | all |
4.2.3 MySQL Backend
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_MYSQL_ADMIN | MySQL privileged user account | user | root | all |
| VOMS_MYSQL_CONFIG_FILE | MySQL config file | path | /etc/my.cnf | all |
| VOMS_MYSQL_LIBRARY | MySQL library path | path | /usr/lib64/libvomsmysql.so | all |
| VOMS_MYSQL_MAX_CONNECTIONS | Maximum number of connections to MySQL | number | 500 | all |
| VOMS_MYSQL_PORT | MySQL port | port | 3306 | all |
4.2.4 Oracle Backend
| Variable Name | Description | Value type | Default value | YAIM module version |
| VOMS_ADMIN_ORACLE_MAX_CONNECTIONS | Maximum number of connections to be opened per VO | number | 20 | all |
| VOMS_ADMIN_ORACLE_MIN_CONNECTIONS | Minimum number of connections to be opened per VO | number | 1 | all |
| VOMS_ADMIN_ORACLE_START_CONNECTIONS | Number of connections to be opened per VO at startup | number | 10 | all |
| VOMS_ORACLE_LIBRARY | Path to the Oracle libraries | path | /usr/lib64/libvomsoracle.so | all |
--
AndreaCeccanti - 2012-04-23