- VOMS core troubleshooting
- How to get rid of the whole hostcert.pem of a voms server at a site
- Extend proxy timeout for a given VO:
- List VO members with their email (for use by site managers)
- User Unknown to this VO
- voms core stopped logging
- List VO users for gridmap file with voms-admin-2
- Allowing mkgridmap to download a list of members.
- VOMS-Admin 2.0.x normal and default ACLs differences
- voms-admin command to list users with GAs
VOMS core troubleshooting
A dedicated twiki page hereHow to get rid of the whole hostcert.pem of a voms server at a site
WARNING The following node types still need the certificates:glite-FTA glite-FTS glite-WMSWARNING For each VOMS server the corresponding LSC file should have as name the fully qualified hostname followed by a
.lsc extension and
the file must appear in a subdirectory /etc/grid-security/vomsdir/VO for each VO
that is supported by that VOMS server and by the site (see examples below).
NOTE This will be possible with glite-yaim-core-4.0.3-6 (if you use YAIM for configuration).
This information is addressed to Site Administrators. So far, the voms servers' host certificates needed to be stored on your service nodes. On every certificate renewal the rpm lcg-vomscerts had to be installed by you. It is now possible to only register the voms servers' DNs and CAs instead of the certificates themselves. This will make most of the VOMS host certificate changes transparent for you.The sites that use yaim can run the config_vomsdir function to become available in glite-yaim-core 4.0.3-6 currently certified. They can check the status of the release process in YaimPlanning.
They need to do the following manually to configure the function: ./yaim -r -s your-site-info.def -n your-node-type -f config_vomsdir your-node-type is: glite-UI lcg-CE glite-WMS glite-LB lcg-RB glite-LFC_mysql glite-LFC_oracle glite-SE_classic glite-SE_dpm_disk glite-SE_dpm_mysql glite-SE_dpm_oracle glite-WN glite-VOBOX This will be no longer needed in future releases of the yaim modules for the mentioned node types. At the moment, this is not included in their function list. Please bear in mind that you have to update the site-info.def with the CA DN of the VOMS server. For LHC VOs, dteam and biomed, this is distributed in site-info.def in glite-yaim-core 4.0.3-6. For other VOs, they would need to check with the VO admins.Those who do not use yaim or wish to apply the change immediately have to follow this recipe:
You have to create one file per VO per VOMS server : /etc/grid-security/vomsdir/
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch /DC=ch/DC=cern/CN=CERN Trusted Certification AuthorityThe file /etc/grid-security/vomsdir/dteam/lcg-voms.cern.ch.lsc contains :
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch /DC=ch/DC=cern/CN=CERN Trusted Certification AuthorityThe VOMS servers' certificates in /etc/grid-security/vomsdir can be removed. You don't need to install lcg-vomscerts anymore. If the name of the host in the DN is different from the primary hostname, a change has to be done by the VOMS server manager, which will be included in the fix of bug #22973
Extend proxy timeout for a given VO:
This might not survive an upgrade. Opened savannah ticket https://savannah.cern.ch/bugs/?func=detailitem&item_id=17247
1. add line --timeout=345600 in /opt/glite/etc/voms/VO_Name/voms.conf 2. restart voms for VO_Name via /opt/glite/etc/init.d/voms restart VO_Name 3. test (if VO_Name member) with command: voms-proxy-init -valid 1000:0 -voms VO_Name Example: Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Dimou 7577 Enter GRID pass phrase: Creating temporary proxy ....................................................................... Done Contacting lcg-voms.cern.ch:15002 [/C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch] "cms" Warning: voms102.cern.ch:15002: validity shortened to 345600 seconds! Done Creating proxy .............................................. Done Your proxy is valid until Mon May 22 20:17:18 2006
List VO members with their email (for use by site managers)
The command to list the members of a VO by contacting the voms server is voms-admin [options] list-users You need to wget and install the latest rpm glite-security-voms-admin-client from the 'glitesoft.cern.ch' repository. It should be at least version: http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.Release3.0/glite-security-voms-admin-client-1.2.13-1.noarch.rpm Then type: /opt/glite/bin/voms-admin --host [VOMS_Server] --vo [VOName] list-users Example: /opt/glite/bin/voms-admin --host lcg-voms.cern.ch --vo lhcb list-users
User Unknown to this VO
http://goc.grid.sinica.edu.tw/gocwiki/Error%3A_voname%3A_User_unknown_to_this_VO
voms core stopped logging
Recipe by Vincenzo:Here it is the recipe to follow to get me the informations I need. Between '' I put commands you should execute, into the shell or into gdb. 1) do 'ps aux | grep edg-voms' 2) you will see two processes for each voms. From here on, I will only consider the process with the lower PID. 3) for each of them (10 in total) do: 3.a) gdb attach <pid> 3.b) 'cont' 4) Then, when one VOMS stops logging, go to its respective gdb. 5) Did gdb return control to you? 5.a) yes: 5.a.1) record the output you see. 5.a.2) 'bt'. record the output. 5.a.3) 'info locals' record the output. 5.a.4) Send me the output. 5.b) no: 5.b.1) Ctrl-c 5.b.2) 'up' until you are in the bread function 5.b.3) 'p fd' record the output 5.b.4) 'cont' 5.a.4) Send me the output. 6) Done. You may kill all gdbs and restart the vomses.
List VO users for gridmap file with voms-admin-2
Question: I have some problems updating the grid-mapfile. If I run edg-mkgridmap script I get an error like:************ voms search(https://voms.cern.ch:8443/voms/cms/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fcms): SSL negotiation failed: error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipherAnswer: if you use this version edg-mkgridmap-2.9.0-1.noarch or higher, the problem goes away. Reason: Since 2007-12-10 the VOMS servers at CERN are running voms-admin 2.0.x, with a different interface and with ACLs preventing easy browsing. The URL to get the VO users (e.g. for Atlas) now is as follows: https://voms.cern.ch:8443/voms/atlas/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fatlas
We had to adjust edg-mkgridmap to be able to deal with both
the old and the new formats. The voms2gacl utility may need
to imitate those changes:
http://jra1mw.cvs.cern.ch:8180/cgi-bin/jra1mw.cgi/Auth/edg-mkgridmap/sbin/
This information is kindly provided by Maarten Litmaath
Allowing mkgridmap to download a list of members.
Question: How do I change the ACL to allow a mkgridmap or similar to download a list of members. Answer: Edit the ACLs in the following way.voms-admin --vo <VO> add-ACL-entry /<VO> ANYONE VOMS_CA CONTAINER_READ,MEMBERSHIP_READ true
VOMS-Admin 2.0.x normal and default ACLs differences
In VOMS-Admin 2.0.x, there are 2 sorts of ACLs:- "normal" ACLs: Apply to the current group, and can be propagated to all children during the creation. They also apply to children created at a later time, if there are no default ACLs defined.
- default ACLs: Apply to the children of the current group. Defining at least one default ACL will prevent normal parent ACLs to be applied to a newly-created child. In that case, the child ACLs will only be the default ones.
voms-admin command to list users with GAs
The voms-admin client in production should be 1.2.16, in order to be inter-operable with voms-admin 2.0.8 which provides GA support.voms-admin --vo lhcb list-user-attributes certificate.pemlists the attributes for the user whose certificate is certificate.pem. It's also possible to give the use as DN, CA, ... with the following syntax:
voms-admin --nousercert --vo lhcb list-user-attributes 'DN' 'CA' 'CN' 'EMAIL'If you are interested in giving only DN,CA couples, you can issue a command like this:
voms-admin --nousercert --vo lhcb list-user-attributes 'DN' 'CA' '' ''
Topic revision: r20 - 2009-10-08 - MaartenLitmaath
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback