VOMS core troubleshooting
A dedicated twiki page here
How to get rid of the whole hostcert.pem of a voms server at a site
WARNING The following node types still need the certificates:
glite-FTA
glite-FTS
glite-WMS
WARNING For each VOMS server the corresponding LSC file should have as name the fully qualified hostname followed by a .lsc extension, and the file must appear in a subdirectory /etc/grid-security/vomsdir/VO for each VO that is supported by that VOMS server and by the site (see examples below).
NOTE This will be possible with glite-yaim-core-4.0.3-6 (if you use YAIM for configuration).
This information is addressed to Site Administrators.
So far, the voms servers' host certificates needed to be stored on your service nodes.
On every certificate renewal the rpm lcg-vomscerts had to be installed by you.
It is now possible to only register the voms servers' DNs and CAs instead of the certificates themselves.
This will make most of the VOMS host certificate changes transparent for you.
The sites that use yaim can run the config_vomsdir function, which will become available in glite-yaim-core 4.0.3-6, currently being certified. They can check the status of the release process in YaimPlanning.
They need to do the following manually to configure the function:
./yaim -r -s your-site-info.def -n your-node-type -f config_vomsdir
your-node-type is:
glite-UI
lcg-CE
glite-WMS
glite-LB
lcg-RB
glite-LFC_mysql
glite-LFC_oracle
glite-SE_classic
glite-SE_dpm_disk
glite-SE_dpm_mysql
glite-SE_dpm_oracle
glite-WN
glite-VOBOX
This will no longer be needed in future releases of the yaim modules for the mentioned node types; at the moment it is not included in their function list.
Please bear in mind that you have to update site-info.def with the CA DN of the VOMS server. For the LHC VOs, dteam and biomed, this is distributed in site-info.def in glite-yaim-core 4.0.3-6. For other VOs, check with the VO admins.
Those who do not use yaim, or wish to apply the change immediately, have to follow this recipe:
You have to create one file per VO per VOMS server:
/etc/grid-security/vomsdir/<VO>/<VOMS server fully qualified hostname>.lsc
This file must contain on the 1st line the DN of the VOMS server, and on
the 2nd line, the corresponding CA's DN.
For example, the file /etc/grid-security/vomsdir/dteam/voms.cern.ch.lsc contains:
/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
The file /etc/grid-security/vomsdir/dteam/lcg-voms.cern.ch.lsc contains:
/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch
/DC=ch/DC=cern/CN=CERN Trusted Certification Authority
The VOMS servers' certificates in /etc/grid-security/vomsdir can be
removed. You don't need to install lcg-vomscerts anymore.
If the name of the host in the DN is different from the primary hostname,
a change has to be done by the VOMS server manager, which will
be included in the fix of bug #22973
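An added example (not the page's recipe nor YAIM's config_vomsdir) that writes the dteam LSC file described above into a temporary vomsdir and then performs the two checks a site admin would want before deleting the old certificates: that the DN/CA pair equals the subject and issuer of the server's real certificate, and that the file name matches the host in the DN (the case noted above for bug #22973). The voms102.cern.ch file is a constructed mismatch, not a real site configuration.

```python
import os
import tempfile

# Values from the page's dteam example (CERN VOMS servers and their CA).
VOMS_DN = "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch"
LCG_VOMS_DN = "/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch"
CA_DN = "/DC=ch/DC=cern/CN=CERN Trusted Certification Authority"

def write_lsc(vomsdir, vo, host, voms_dn, ca_dn):
    """Create <vomsdir>/<VO>/<host>.lsc: line 1 server DN, line 2 its CA DN."""
    path = os.path.join(vomsdir, vo, host + ".lsc")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(voms_dn + "\n" + ca_dn + "\n")
    return path

def read_lsc(path):
    """Parse an LSC file, rejecting anything but exactly two DN lines."""
    with open(path) as f:
        lines = [line.strip() for line in f if line.strip()]
    if len(lines) != 2 or not all(line.startswith("/") for line in lines):
        raise ValueError("malformed LSC file: " + path)
    return lines[0], lines[1]

def lsc_matches(path, cert_subject, cert_issuer):
    """Compare the LSC pair with the server certificate's subject and issuer
    (e.g. taken from 'openssl x509 -noout -subject -issuer' on its hostcert)."""
    dn, ca = read_lsc(path)
    return dn == cert_subject and ca == cert_issuer

def filename_matches_dn(path):
    """False when the host in the DN's CN is not the file's base name, the
    case the page says only the VOMS server manager can fix."""
    dn, _ = read_lsc(path)
    cn = dn.rsplit("/CN=", 1)[-1]
    cn = cn[len("host/"):] if cn.startswith("host/") else cn
    return os.path.basename(path) == cn + ".lsc"

def demo():
    """Constructed run in a temporary vomsdir, not /etc/grid-security."""
    vomsdir = tempfile.mkdtemp()
    good = write_lsc(vomsdir, "dteam", "voms.cern.ch", VOMS_DN, CA_DN)
    # Constructed mismatch: the lcg-voms DN stored under another host's name.
    odd = write_lsc(vomsdir, "dteam", "voms102.cern.ch", LCG_VOMS_DN, CA_DN)
    return {"good": lsc_matches(good, VOMS_DN, CA_DN),
            "wrong_server": lsc_matches(good, LCG_VOMS_DN, CA_DN),
            "name_ok": filename_matches_dn(good),
            "name_odd": filename_matches_dn(odd)}
```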
Extend proxy timeout for a given VO:
This might not survive an upgrade.
Opened savannah ticket https://savannah.cern.ch/bugs/?func=detailitem&item_id=17247
1. add the line --timeout=345600 to /opt/glite/etc/voms/VO_Name/voms.conf
2. restart voms for VO_Name via /opt/glite/etc/init.d/voms restart VO_Name
3. test (if VO_Name member) with command: voms-proxy-init -valid 1000:0 -voms VO_Name
Example:
Your identity: /C=CH/O=CERN/OU=GRID/CN=Maria Dimou 7577
Enter GRID pass phrase:
Creating temporary proxy
.......................................................................
Done
Contacting lcg-voms.cern.ch:15002
[/C=CH/O=CERN/OU=GRID/CN=host/lcg-voms.cern.ch] "cms"
Warning: voms102.cern.ch:15002: validity shortened to 345600 seconds! Done
Creating proxy .............................................. Done
Your proxy is valid until Mon May 22 20:17:18 2006
List VO members with their email (for use by site managers)
The command to list the members of a VO by contacting the voms server is
voms-admin [options] list-users
You need to wget and install the latest rpm glite-security-voms-admin-client from the 'glitesoft.cern.ch' repository.
It should be at least version: http://glitesoft.cern.ch/EGEE/gLite/APT/R3.0/rhel30/RPMS.Release3.0/glite-security-voms-admin-client-1.2.13-1.noarch.rpm
Then type:
/opt/glite/bin/voms-admin --host [VOMS_Server] --vo [VOName] list-users
Example:
/opt/glite/bin/voms-admin --host lcg-voms.cern.ch --vo lhcb list-users
User Unknown to this VO
http://goc.grid.sinica.edu.tw/gocwiki/Error%3A_voname%3A_User_unknown_to_this_VO
voms core stopped logging
Recipe by Vincenzo:
Here is the recipe to follow to get me the information I need.
Between '' I put the commands you should execute, in the shell or in gdb.
1) do 'ps aux | grep edg-voms'
2) you will see two processes for each voms. From here on, I will only consider the process with the lower PID.
3) for each of them (10 in total) do:
3.a) gdb attach <pid>
3.b) 'cont'
4) Then, when one VOMS stops logging, go to its respective gdb.
5) Did gdb return control to you?
5.a) yes:
5.a.1) record the output you see.
5.a.2) 'bt'. record the output.
5.a.3) 'info locals' record the output.
5.a.4) Send me the output.
5.b) no:
5.b.1) Ctrl-c
5.b.2) 'up' until you are in the bread function
5.b.3) 'p fd' record the output
5.b.4) 'cont'
5.b.5) Send me the output.
6) Done. You may kill all gdbs and restart the vomses.
List VO users for gridmap file with voms-admin-2
Question: I have some problems updating the grid-mapfile. If I run edg-mkgridmap
script I get an error like:
************
voms
search(https://voms.cern.ch:8443/voms/cms/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fcms):
SSL negotiation failed: error:1406D0CB:SSL
routines:GET_SERVER_HELLO:peer error no cipher
Answer: if you use version edg-mkgridmap-2.9.0-1.noarch or higher, the problem goes away.
Reason:
Since 2007-12-10 the VOMS servers at CERN are
running voms-admin 2.0.x, with a different interface
and with ACLs preventing easy browsing.
The URL to get the VO users (e.g. for Atlas) now is as follows:
https://voms.cern.ch:8443/voms/atlas/services/VOMSCompatibility?method=getGridmapUsers&container=%2Fatlas
We had to adjust edg-mkgridmap to be able to deal with both
the old and the new formats. The voms2gacl utility may need
to imitate those changes:
http://jra1mw.cvs.cern.ch:8180/cgi-bin/jra1mw.cgi/Auth/edg-mkgridmap/sbin/
This information is kindly provided by Maarten Litmaath
Allowing mkgridmap to download a list of members.
Question: How do I change the ACL to allow mkgridmap or a similar tool to download a list of members?
Answer: Edit the ACLs in the following way.
voms-admin --vo <VO> add-ACL-entry /<VO> ANYONE VOMS_CA CONTAINER_READ,MEMBERSHIP_READ true
VOMS-Admin 2.0.x normal and default ACLs differences
In VOMS-Admin 2.0.x, there are 2 sorts of ACLs:
- "normal" ACLs: Apply to the current group, and can be propagated to all children during creation. They also apply to children created at a later time, if there are no default ACLs defined.
- default ACLs: Apply to the children of the current group. Defining at least one default ACL prevents the normal parent ACLs from being applied to a newly-created child. In that case, the child ACLs will only be the default ones.
So, in most of the cases, there is no need to define default ACLs (all groups have the same ACLs).
In other words, default ACLs are useful only when you want children to have different ACLs from their parents.
voms-admin command to list users with GAs
The voms-admin client in production should be 1.2.16, in order to be
inter-operable with voms-admin 2.0.8 which provides GA support.
voms-admin --vo lhcb list-user-attributes certificate.pem
lists the attributes for the user whose certificate is certificate.pem.
It's also possible to give the user as DN, CA, CN and EMAIL with the following syntax:
voms-admin --nousercert --vo lhcb list-user-attributes 'DN' 'CA' 'CN' 'EMAIL'
If you only want to give DN, CA pairs, you can issue a command like this:
voms-admin --nousercert --vo lhcb list-user-attributes 'DN' 'CA' '' ''