SG VOMS Guide

From EGEE-see Wiki


Reference Links

VO Overview: process of setting up a VO

  • VOMS deployment
* http://grid-deployment.web.cern.ch/grid-deployment/cgi-bin/index.cgi?var=gis/voms-deploy
  • RPM List for VOMS server: for 7.3 use similar rpms for SLC
* http://lcgdeploy.cvs.cern.ch/cgi-bin/lcgdeploy.cgi/lcg-release/rpmlist/VOMS-server-rpm.h
  • Link to VOMS RPMS
* http://grid-deployment.web.cern.ch/grid-deployment/download/RpmDir_i386-sl3/wp2/edg-voms-admin*
* http://grid-deployment.web.cern.ch/grid-deployment/download/RpmDir_i386-sl3/wp6/voms*

VOMS Admin

* short install guide: edg-voms-admin-install-guide.pdf
* voms integration doc: http://grid-it.cnaf.infn.it/fileadmin/sysadm/voms-integration/voms-integration.html

VOMS background

* EDG page
 * http://edg-wp2.web.cern.ch/edg-wp2/security/voms/
* Admin and user guide
 * service-guide.pdf

Install New: Feb 7

Steps taken by the release team to improve the installation process:
 * A new voms server rpmlist file has been created: 
  * http://lcgdeploy.cvs.cern.ch/cgi-bin/lcgdeploy.cgi/lcg-release/rpmlist_sl3/VOMS-server-rpm.h
 * `perl-DBD-mysql` rpm is created from `cpan` using `cpan2rpm`
 * `apt-get` repository generated

Setup apt-get

Create a new repository file for apt-get:

  • e.g. `/etc/apt/sources.list.d/voms.list` with 2 lines
  • the first line is for voms and the second is for the lcg SL3 repository
  • there should also be a default SLC apt repository specified for additional rpms
rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/VOMS/en/i386 lcg_sl3
rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/LCG-2_3_1/en/i386 lcg_sl3

Setup installation preferences

  • for CERN's apt-get version, CERN's own rpms will always take priority even if their version numbers are older.
  • so the `/etc/apt/preferences` file must be created to ensure the LCG rpms are installed instead
  • add the following lines to the file (apt reads one record per package; records must be separated by a blank line):
Package: swig
Pin: release o=LCG
Pin-Priority: 995

Package: ant
Pin: release o=LCG
Pin-Priority: 995

Package: perl-TermReadKey
Pin: release o=LCG
Pin-Priority: 995

Package: perl-Time-HiRes
Pin: release o=LCG
Pin-Priority: 995

Package: perl-DBD-mysql
Pin: release o=LCG
Pin-Priority: 995

Install packages

apt-get update
apt-get install lcg-VOMS

Configuration New

Setup NTPD

See node synchronization section at:

* http://grid-deployment.web.cern.ch/grid-deployment/documentation/LCG2-Manual-Install/LCG2-Manual-Install.html#SECTION00050000000000000000

Setup Crontabs

13 8 * * * /usr/sbin/tmpwatch -f 240 /var/log/tomcat4              # Log update
13 1,7,13,19 * * * /opt/edg/etc/cron/edg-fetch-crl-cron           #Certificate Revocation List update

Setup host certificates

Startup Mysql security

  • setup password:
mysqladmin -u root -p password 'newpass'
  • make mysql listen on localhost only by modifying the startup file `/etc/my.cnf`:
[mysqld]
bind-address=127.0.0.1
  • then restart mysql and check with `netstat -tlnp`
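The `netstat -tlnp` check above is easy to misread on a busy host. The following script is an added example (it is not part of the original wiki page) that applies the same check mechanically: it keeps only the mysqld listeners and fails if any of them is bound to something other than 127.0.0.1. The two `netstat` outputs embedded in the script are constructed sample data; in practice the function is fed the real output of `netstat -tlnp`.

```shell
#!/bin/sh
# Added example, not from the original page: verify that mysqld is bound to the
# loopback address only, as required by the "Startup Mysql security" step.

# Constructed sample output of `netstat -tlnp` for a correctly configured host.
SAMPLE_NETSTAT_GOOD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd'

# Constructed sample output for a host where bind-address was NOT set.
SAMPLE_NETSTAT_BAD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd'

# Constructed sample output for a host where mysqld is not running at all.
SAMPLE_NETSTAT_NONE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd'

# mysql_local_only NETSTAT_OUTPUT
#   returns 0 if every mysqld TCP listener is bound to 127.0.0.1,
#   returns 1 if any mysqld listener is bound elsewhere (0.0.0.0, a real IP, :::),
#   returns 2 if no mysqld listener is present at all.
mysql_local_only() {
    lines=$(printf '%s\n' "$1" | grep 'LISTEN' | grep '/mysqld' || true)
    [ -n "$lines" ] || return 2
    # column 4 is "Local Address"; anything not starting with 127.0.0.1: is exposed
    if printf '%s\n' "$lines" | awk '{ print $4 }' | grep -qv '^127\.0\.0\.1:'; then
        return 1
    fi
    return 0
}

# Usage on the real server (run as root so netstat can show the program name):
#   mysql_local_only "$(netstat -tlnp 2>/dev/null)" && echo "mysqld listens on localhost only"
```

Run it again after every `/etc/my.cnf` change and after a MySQL upgrade; the return code makes it usable from a cron job or a monitoring check.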

EDG Configuration

  1. create top level EDG config file

create config directory

  • edg-voms-admin-configure complained: $EDG_LOCATION_VAR (/opt/edg/var) does not exist
  • create the directory and its parents: `mkdir -p /opt/edg/var/etc`

create voms user and group

  • edg-voms-admin-configure complained: Group not found in /etc/group: voms
  • create: `useradd voms`

setup edg-java-security

  • setup edg-java-security to allow for secure connections
    • as specified in the end of `EDG-VOMS-ADMIN INSTALL GUIDE`
edg-java-security-post-install.sh
edg-java-security-tomcat-configure
ln -s $EDG_LOCATION/etc/init.d/edg-tomcat4 /etc/init.d/edg-tomcat4
ln -s $EDG_LOCATION/etc/init.d/edg-voms-admin /etc/init.d/edg-voms-admin
chkconfig --add edg-tomcat4
chkconfig --add edg-voms-admin

create a new vo

edg-voms-admin-configure install \
 --vo=seegrid \
 --port 15010 \
 --dbapwd=<root_db_pass> \
 --mail-from=Min-Hong.Tsai@cern.ch \
 --smtp-host=smtp.cern.ch
  • If you obtain error:
Creating the database...
...loading the scheme
ERROR 1045: Access denied for user: 'VOname_adm@localhost' (Using password: YES)Could not run /usr/bin/mysql with VOname_adm

Please note that this is a known MySQL error. This most likely means a vo with the same name already exists in the database and should be removed before configuring the vo again. Use the following command to remove the conflicting vo database:

edg-voms-admin-configure remove \
 --vo=VOname --port=[PORTNUMBER] --dbapwd=<root_db_pass>

Then give the same 'edg-voms-admin-configure install' command again.

  • after the successful completion of this command the config file is created
    • `/opt/edg/etc/voms/seegrid/voms.conf`

Start Services

$EDG_LOCATION/etc/init.d/edg-voms-admin start
/etc/rc.d/init.d/edg-tomcat4 start
$EDG_LOCATION/etc/init.d/voms start
  • make sure firewall ports accessing these services are open
    • for tomcat `8443` and for voms `<the vo voms port e.g. 15000:15020>`
  • test by browsing https://<server>:8443/edg-voms-admin/<voname>/


useful log files

  • these files are useful for troubleshooting
    • tomcat itself:
      • `/var/log/tomcat4/catalina.out`
    • voms-admin
      • `/var/log/tomcat4/voms-admin.<voname>.log`

Final Steps

Admin Setup

Register admin certificates

edg-voms-admin --url=http://localhost:8080/edg-voms-admin/<voname> \
              create-user <usercert.pem> \
              assign-role <voname> VO-Admin <usercert.pem>

With the certificate loaded into your browser you should be able to access the VOMS web interface

  • `http://<voms-server>:8080/edg-voms-admin/seegrid`

Mail setup:

  • if mail was not setup during `edg-voms-admin-configure install` you can change the settings in
    • `/opt/edg/var/etc/edg-voms-admin/<vodir>/voms.service.properties`

Allow List Access

Allow all users with a valid certificate so any host can list users.

  1. go to the voms administration page with a vo-admin certificate loaded
  2. go to `Administrate VOMS`->`Global ACL`->`Edit ACL`
  3. set:
Allow: allow	
Operation: list
For:	
 Anyone who presents a certificate issued by a known CA
 (Including host and service certificates)
  4. click `add new entry`

Register Users

Users go to the VOMS page and enter their registration info. Prior to LCG-2_4_0, all seegrid members who have a certificate and do not plan to register with "dteam" or another VO in the near future should register at the seegrid VOMS server.

  1. go to: https://voms.irb.hr:8443/voms/seegrid/
  2. click on "Request to admins"
  3. click on "request VO membership"
  4. Use your email that is listed in the SEE-GRID project notebook.

Requests from users that already exist in the SEE-GRID notebook will be accepted. For VO membership requests from people not listed in the notebook, the request will be confirmed with one of the PSC members for that institution.


Setup Site to support SEE-GRID

  • For LCG-2_3_0 the easiest way to use VOMS server is to generate gridmap files using voms. Thus the middleware will not directly interact with VOMS.
  • LCG-2_4_0 release will include configurations necessary to enable voms authorization in the grid middleware. This will allow us to take advantage of multiple vo membership, roles, groups and attributes supported by voms.

2_4_0 YAIM INSTALL

If you have already installed 2_4_0 without seegrid support, you will need to reconfigure the UI, RB, CE, SE and all WNs with the new site-info.def and users.conf modifications below.

  1. modify the `site-info.def`
    1. Add seegrid vo to the `VOS` parameter
VOS="atlas alice lhcb cms dteam sixt seegrid"
    1. Add seegrid related parameters
VO_SEEGRID_SW_DIR=$VO_SW_DIR/seegrid
VO_SEEGRID_DEFAULT_SE=$SE_HOST 
VO_SEEGRID_SGM=vomss://voms.irb.hr:8443/voms/seegrid?/seegrid/Role=sgmadmin
VO_SEEGRID_USERS=vomss://voms.irb.hr:8443/voms/seegrid?/seegrid
VO_SEEGRID_STORAGE_DIR=$CE_CLOSE_SE1_ACCESS_POINT/seegrid
VO_SEEGRID_QUEUES="seegrid"

Note: for pre-2_4_0 releases, grid-map generation checks whether users are registered with LCG. This should only be necessary with the LDAP VO servers. A new version of edg-mkgridmap (included in 2_4_0) is now available that skips this check for native VOMS VO servers (for SL):

  2. You will also need to generate pool accounts for seegrid by adding users to YAIM's `users.conf` file
23110:seegrid001:1099:seegrid:seegrid::
23111:seegrid002:1099:seegrid:seegrid::
23112:seegrid003:1099:seegrid:seegrid::
23113:seegrid004:1099:seegrid:seegrid::
23114:seegrid005:1099:seegrid:seegrid::
23115:seegrid006:1099:seegrid:seegrid::
23116:seegrid007:1099:seegrid:seegrid::
23117:seegrid008:1099:seegrid:seegrid::
23118:seegrid009:1099:seegrid:seegrid::
23119:seegrid010:1099:seegrid:seegrid::
23120:seegrid011:1099:seegrid:seegrid::
23121:seegrid012:1099:seegrid:seegrid::
23122:seegrid013:1099:seegrid:seegrid::
23123:seegrid014:1099:seegrid:seegrid::
23124:seegrid015:1099:seegrid:seegrid::
23125:seegrid016:1099:seegrid:seegrid::
23126:seegrid017:1099:seegrid:seegrid::
23127:seegrid018:1099:seegrid:seegrid::
23128:seegrid019:1099:seegrid:seegrid::
23129:seegrid020:1099:seegrid:seegrid::
23500:seegridsgm:1099:seegrid:seegrid:sgm:
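The twenty pool-account records above follow one pattern (`UID:LOGIN:GID:GROUP:VO:FLAG:`), and typing them by hand is where UID collisions with other VOs creep in. The script below is an added example (it is not part of the original page or of YAIM) that generates the records for any VO from a base UID, and checks an existing `users.conf` for duplicate UIDs or logins. The seegrid numbers are the ones shown above; the function parameters are choices you make for your site.

```shell
#!/bin/sh
# Added example, not from the original page or from YAIM: generate and check
# users.conf pool-account records. Record format (as used above):
#   UID:LOGIN:GID:GROUP:VO:FLAG:

# gen_pool_accounts VO BASE_UID GID COUNT SGM_UID
#   Prints COUNT pool accounts VO001 .. VOnnn with consecutive UIDs starting at
#   BASE_UID, followed by the software-manager account VOsgm flagged "sgm".
gen_pool_accounts() {
    vo=$1; base_uid=$2; gid=$3; count=$4; sgm_uid=$5
    i=1
    while [ "$i" -le "$count" ]; do
        printf '%d:%s%03d:%d:%s:%s::\n' $((base_uid + i - 1)) "$vo" "$i" "$gid" "$vo" "$vo"
        i=$((i + 1))
    done
    printf '%d:%ssgm:%d:%s:%s:sgm:\n' "$sgm_uid" "$vo" "$gid" "$vo" "$vo"
}

# users_conf_unique FILE
#   Returns 0 if no UID and no login appears twice in FILE, 1 otherwise.
#   Two records sharing a UID would map two "different" pool slots onto the
#   same Unix identity, which defeats the purpose of per-user pool accounts.
users_conf_unique() {
    dups=$(awk -F: '{ print "uid:" $1; print "login:" $2 }' "$1" | sort | uniq -d)
    [ -z "$dups" ]
}

# Usage: reproduce the seegrid block above, then verify the whole file.
#   gen_pool_accounts seegrid 23110 1099 20 23500 >> /opt/lcg/yaim/examples/users.conf
#   users_conf_unique /opt/lcg/yaim/examples/users.conf || echo "duplicate UID or login"
```

The path in the usage comment is an assumption (YAIM's example file location varies between releases); point it at wherever your `users.conf` actually lives.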

Install seegrid RPM

Install the seegrid RPM on the CE, SE, UI and RB. This rpm installs the vomses file and seegrid voms host certificate on each of these nodes.

  1. Download (using Save as) the rpm
  2. Install/upgrade the rpm.

Older versions of the rpm are also available.

Manual Steps

Make the following manual modification on the CE and SE nodes.

  1. Add the following lines to the file `/opt/edg/etc/lcmaps/gridmapfile`
"/VO=seegrid/GROUP=/seegrid/ROLE=sgmadmin" seegridsgm
"/VO=seegrid/GROUP=/seegrid"               .seegrid
  2. Next is `/opt/edg/etc/lcmaps/groupmapfile`:
"/VO=seegrid/GROUP=/seegrid/ROLE=sgmadmin" seegrid
"/VO=seegrid/GROUP=/seegrid"               seegrid
  3. Create the VO-specific Workload Management file on the UI `/opt/edg/etc/seegrid/edg_wl_ui.conf`:
[
VirtualOrganisation = "seegrid";
NSAddresses = {"ui.ulakbim.gov.tr:7772", "rb.phy.bg.ac.yu:7772"};
LBAddresses = {{"ui.ulakbim.gov.tr:9000"}, {"rb.phy.bg.ac.yu:9000"}};
MyProxyServer = "myproxy.grid.auth.gr"
]
  • You can change the hostnames to your own RB or MyProxy server if they support this vo.
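To see what the two `lcmaps` mapfile entries above actually do, the following script is an added example (it is not the lcmaps code and is not part of the original page): a simplified model of the lookup. It assumes that the proxy carries its FQANs in the order `voms-proxy-info -all` prints them (a requested role first, then the plain group membership) and that the first FQAN with an entry in the mapfile decides the account; matching is exact string comparison. A leading `.` in the account column denotes a pool-account family (the `seegrid001`, `seegrid002`, ... accounts from `users.conf`), a bare name is a fixed account. The mapfile text is a constructed copy of the gridmapfile lines above.

```shell
#!/bin/sh
# Added example, not from the original page or from lcmaps: a simplified model
# of how the gridmapfile entries above map a user's FQANs to a local account.
# Assumptions: FQANs are tried in proxy order (requested role first), the first
# FQAN with a matching entry wins, and entries are compared as exact strings.

# Constructed copy of the gridmapfile lines shown above.
GRIDMAPFILE='"/VO=seegrid/GROUP=/seegrid/ROLE=sgmadmin" seegridsgm
"/VO=seegrid/GROUP=/seegrid"               .seegrid'

# lookup_entry FQAN MAPFILE_TEXT
#   Prints the account column of the first entry whose quoted pattern equals
#   FQAN; returns 1 if there is no such entry.
lookup_entry() {
    fqan=$1
    acct=$(printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in '"'*'"'*) ;; *) continue ;; esac   # skip malformed lines
        pattern=${line%\"*}; pattern=${pattern#\"}        # text between the quotes
        set -- ${line##*\"}                               # $1 = account column
        if [ "$pattern" = "$fqan" ]; then printf '%s' "$1"; break; fi
    done)
    [ -n "$acct" ] && printf '%s\n' "$acct"
}

# map_user MAPFILE_TEXT FQAN...
#   Prints the account for the first FQAN (in the given order) that has an
#   entry; returns 1 if none matches, i.e. the user would not be mapped at all.
map_user() {
    table=$1; shift
    for fqan in "$@"; do
        if acct=$(lookup_entry "$fqan" "$table"); then
            printf '%s\n' "$acct"
            return 0
        fi
    done
    return 1
}

# describe_mapping ACCOUNT -> human-readable meaning of the account column.
describe_mapping() {
    case $1 in
        .*) printf 'pool account from family %s\n' "${1#.}" ;;
        *)  printf 'fixed account %s\n' "$1" ;;
    esac
}

# Usage: a proxy made with "-voms seegrid:/seegrid/role=sgmadmin" carries the
# role FQAN first, so it lands on the fixed seegridsgm account; a plain
# "-voms seegrid" proxy lands on one of the seegrid pool accounts.
#   map_user "$GRIDMAPFILE" /VO=seegrid/GROUP=/seegrid/ROLE=sgmadmin /VO=seegrid/GROUP=/seegrid
#   map_user "$GRIDMAPFILE" /VO=seegrid/GROUP=/seegrid
```

Comparing the output of `map_user` with the owner reported by `globus-job-run <cename> /usr/bin/id` in the Testing section is a quick way to tell a mapfile problem from a proxy problem.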

Testing

  • check if edg-mkgridmap is working correctly:
$ grep seegrid /etc/grid-security/grid-mapfile
"/DC=ORG/DC=SEE-GRID/O=People/O=RBI/CN=Valentin Vidic" .seegrid
  • as usual create a proxy with `grid-proxy-init` and send a job

Testing: using voms directly (for release LCG-2_4_0)

To create a normal voms proxy

voms-proxy-init -voms seegrid

To specify a role for the proxy

voms-proxy-init -voms seegrid:/seegrid/role=sgmadmin

Check detailed information about proxy created

voms-proxy-info -all

Run tests from UI

  1. Try `voms-proxy-init` and check if direct voms access is working
  2. then if you have a role, check if you are mapped to your role account

For each test case run

  1. globus-job-run <cename> /usr/bin/id
    • this should map to the correct pool account
    • check the gatekeeper log on CE for details on what happened
      • `/var/log/globus-gatekeeper.log`
  2. globus-url-copy file://`pwd`/testf gsiftp://<ce/se>/..
    • check if file is being created with the correct owner
    • see gridftp log for more details
      • `/var/log/globus-gridftp.log`

Troubleshooting FAQ

Can't create proxy with Role

In the LCG client version 1.3.7 you get the following if you try to create a proxy with a role:

$ voms-proxy-init -voms twgrid:/twgrid/Role=VO-Admin
Your identity: /C=CH/O=CERN/OU=GRID/CN=Min-Hong Tsai 1700
Enter GRID pass phrase for this identity:
Creating temporary proxy ................................... Done
/C=TW/O=AS/OU=CC/CN=voms.grid.sinica.edu.tw
/C=TW/O=AS/CN=Academia Sinica Grid Computing Certification Authority
Can't interpret AC!
twgrid: Unable to satisfy G/twgrid/Role=VO-Admin Request!
header too long
Function: ASN1_get_objectbad get asn1 object call¨É{    ȱ

This will be fixed in later versions, but there is an easy workaround available:

  • just use `/role=` instead of `/Role=`

For more details see

edg-job-list-match and edg-job-submit fails

There is a problem with the 2_4_0 UI code: it cannot handle host certificates from different hosts on the UI. A future version of the UI code should resolve this problem.

A possible workaround is:

> mkdir ~/vomsdir
> cp /etc/grid-security/vomsdir/seegrid ~/vomsdir/.
> export X509_VOMS_DIR=~/vomsdir 
  • This however will cause problems for other VOs when using voms authentication

For more info see:


Admin FAQ

How do I synchronize to the ldap voms server?

  • try synchronizing to the ldap servers
    • `/opt/edg/etc/cron/edg-voms-ldap-sync`
  • this gets the ldap voms server endpoints from
    • `$EDG_LOCATION/etc/edg-voms-admin/ldap-vo-config.xml`
  • if everything works ok then install cron
13 2,8,14,20 * * * /opt/edg/etc/cron/edg-voms-ldap-sync       #Contact and fetch LDAP contents

How do I delete a vo from VOMS server

  • use `edg-voms-admin-configure` with the `remove` command
    • `man edg-voms-admin-configure` for more details

Adding user to role

Problem:

  • if you try to add a user to a role, only 100 users are listed and the search feature is not working.

Solution:

  • to work around this problem increase the limit of user in:
    • `/opt/edg/var/etc/edg-voms-admin/<voname>/voms.service.properties`
  • increase these numbers
voms.webui.list.limit.users             100
voms.webui.list.limit.groups            100
voms.webui.list.limit.roles             100
voms.webui.list.limit.capabilities      100

Fix sibling information for voms

Problem:

  • I created a vo with `edg-voms-admin` with the incorrect port number
  • I corrected this in the voms config file `/opt/edg/etc/voms/<voname>/voms.conf`, but it appears incorrectly in the sibling page for edg-voms-admin

Answer:

  • you still need to modify the vomses file for edg-voms-admin.
    • this file is only used to display this info in edg-voms-admin and not by voms itself, so this is only a cosmetic problem.
  • update `/opt/edg/var/etc/edg-voms-admin/<voname>/vomses`

Tomcat runs out of memory

Problem:

  • edg-voms-admin interface is unresponsive and `catalina.out` complains about running out of memory.
  • this may happen with the default memory settings and if you are running several vos on the same server

Solution:

  • increase the amount of memory available for tomcat. Add these lines to `/var/tomcat4/conf/tomcat4.conf`
# Java VM options for memory control
JAVA_OPTS="-Xms64m -Xmx256m"

How do I customize the user registration page

This is explained in `/opt/edg/etc/edg-voms-admin/web/README`. To create additional web pages for a particular VO, place the HTML file here:

To replace the default user registration page create this page

  • `/opt/edg/var/etc/edg-voms-admin/<voname>/web/UserRequest/create.pp`
  • This file has the default contents of
<H3>VO User Registration Request</H3>

<P>For access to the VO resources, you must agree to the VO's Usage Rules.
Please fill out all fields in the form below and click on the appropriate
button at the bottom.</P>
<P>After you have confirmed your request by the instructions, which will be
sent to you in an email, this request to join the VO will automatically be
forwarded to the VO manager.</P>

<P><B>IMPORTANT</B>: By submitting this information you agree that it may be
distributed to and stored by VO and site administrators, that action may be
taken to confirm the information you provide is correct, that it may be used
for the purpose of controlling access to VO resources and that it may be used
to contact you in relation to this activity.</P>

How do I dump and backup the VOMS server
