Adding a new VO to the CERN VOMS and VOMS-admin

Up to date as of 29th of March 2015

In this example we are adding the na48 VO.

Preparation

You need the user certificate of the VO administrator and an email address to which mail for the VO administrators will be delivered. This should be a maintained mailing list (e-group).

Database Setup

You will have to create the corresponding database and users. We currently use DBOD to host the VOMS databases.

The DB instance is named 'lcgvoms', lives on host 'dbod-lcgvoms.cern.ch' and listens on port '5503'.

Then you should create a database (for this example na48_db) and two users:

  • one for VOMS core with read access only (we will call it na48_core)
  • one for VOMS-admin with read and write access (na48_admin)

Remember to set a strong password for both accounts.
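As an added example (not part of the original page), the following shell script emits the MySQL statements for the database and the two accounts described above, and includes a check that reads a SHOW GRANTS listing and fails if the VOMS core account has been given anything beyond SELECT. It assumes that DBOD is MySQL-compatible, that the privilege set granted to the admin account is what VOMS-admin needs to create and maintain its schema, and that the passwords arrive in the environment variables CORE_PWD and ADMIN_PWD (names chosen here) rather than on the command line, so they do not end up in shell history or in ps output.

```shell
#!/bin/sh
# Added example, not the page's or the puppet module's own code.
# Assumptions: MySQL-compatible DBOD; admin privilege list is sufficient for
# VOMS-admin; passwords come from CORE_PWD / ADMIN_PWD in the environment.

# voms_db_sql DB CORE_USER ADMIN_USER  -> SQL on stdout
voms_db_sql() {
  db=$1; core=$2; admin=$3
  : "${CORE_PWD:?set CORE_PWD in the environment}"
  : "${ADMIN_PWD:?set ADMIN_PWD in the environment}"
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
-- VOMS core only reads membership and ACL tables: SELECT and nothing else
CREATE USER '$core'@'%' IDENTIFIED BY '$CORE_PWD';
GRANT SELECT ON \`$db\`.* TO '$core'@'%';
-- VOMS-admin owns the schema: it creates, upgrades and updates the tables
CREATE USER '$admin'@'%' IDENTIFIED BY '$ADMIN_PWD';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, REFERENCES,
      CREATE TEMPORARY TABLES, LOCK TABLES ON \`$db\`.* TO '$admin'@'%';
FLUSH PRIVILEGES;
EOF
}

# check_readonly_grants: read a SHOW GRANTS listing on stdin; return 1 if any
# line grants something other than USAGE or plain SELECT (i.e. the account
# can write), 0 if the account is read-only.
check_readonly_grants() {
  while IFS= read -r line; do
    case "$line" in
      "GRANT USAGE ON"*|"GRANT SELECT ON"*) ;;           # allowed
      GRANT*) echo "write privilege found: $line" >&2; return 1 ;;
    esac
  done
  return 0
}

# Usage against the DBOD instance named on the page (not run here):
#   CORE_PWD=... ADMIN_PWD=... voms_db_sql na48_db na48_core na48_admin \
#     | mysql -h dbod-lcgvoms.cern.ch -P 5503 -u <owner-account> -p
#   mysql -h dbod-lcgvoms.cern.ch -P 5503 -u <owner-account> -p \
#     -e "SHOW GRANTS FOR 'na48_core'@'%'" | check_readonly_grants

# Constructed sample SHOW GRANTS output, used to exercise the check offline.
SAMPLE_GOOD='GRANT USAGE ON *.* TO `na48_core`@`%`
GRANT SELECT ON `na48_db`.* TO `na48_core`@`%`'
SAMPLE_BAD='GRANT USAGE ON *.* TO `na48_core`@`%`
GRANT SELECT, INSERT, UPDATE ON `na48_db`.* TO `na48_core`@`%`'
```

The check is worth re-running after any later privilege change: VOMS core runs as the read-only account precisely so that a compromise of the public-facing VOMS service cannot alter membership data.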

VOMS Core and VOMS Admin Setup

The installation is fully puppetized.

Add password to Teigi

First of all you should add the DB password to tbag, so that it is accessible on the nodes via Teigi. From aiadm:

$ tbag set --hg lcgvoms na48_pwd <your-pwd>

Add VO to 'lcgvoms' hostgroup

In code/manifests/service.pp add the following resources:

hg_lcgvoms::tbag_pass {'na48':}

voms::core {'na48':
  port     => '15011',
  sqlpwd   => 'Nothing here',
  passfile => "/etc/voms/na48/voms.secret",
}

The value of 'sqlpwd' is only a placeholder: it is ignored, and the password set via Teigi is used instead.

You will also have to add the voms-admin bits in code/manifests/service/admin.pp:

voms::admin { 'na48':
  port     => '15011',
  sqlpwd   => hiera("na48_pwd", "Wrong password na48 admin"),
  mailfrom => 'na48-vo-admin@cern.ch',
  passfile => "/etc/voms/na48/voms.secret",
}

Add VO to 'voms' module

This is by no means mandatory, but adding a class for this VO to the voms module will ease the installation of the LSC and vomses files on client nodes.

You can create a class called voms::na48 (in na48.pp) that points to the appropriate endpoints:

class voms::na48 {
  voms::client {'na48':
    servers => [
      {
        server => 'voms2.cern.ch',
        port   => '15011',
        dn     => '/DC=ch/DC=cern/OU=computers/CN=voms2.cern.ch',
        ca_dn  => '/DC=ch/DC=cern/CN=CERN Grid Certification Authority',
      },
      {
        server => 'lcg-voms2.cern.ch',
        port   => '15011',
        dn     => '/DC=ch/DC=cern/OU=computers/CN=lcg-voms2.cern.ch',
        ca_dn  => '/DC=ch/DC=cern/CN=CERN Grid Certification Authority',
      }
    ]
  }
}

Then, if you want to make the VO accessible from lxplus, you can simply add include 'voms::na48' to the BI hostgroup definition.
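As an added example (not part of the original page or of the puppet voms module), the following shell functions write the two files that each server entry of the voms::client resource above amounts to on a client node: the vomses line, which tells the client where the server is and which DN to expect, and the LSC file, which gives the server DN and the issuing CA DN used to validate the signature on attribute certificates. A check function then confirms that the installed vomses entry and LSC agree on the server DN, which is the usual cause of "VOMS AC validation failed" style problems after an endpoint change. It assumes the standard client layout /etc/vomses/<vo>-<host> and /etc/grid-security/vomsdir/<vo>/<host>.lsc, and uses the DNs listed on the page for voms2 and lcg-voms2.

```shell
#!/bin/sh
# Added example, not the page's or the puppet module's own code.
# Assumptions: standard VOMS client file layout under ROOT (use "/" on a real
# node); DNs and port are the ones from the voms::na48 class on this page.

# write_vo_client ROOT VO HOST PORT SERVER_DN CA_DN
write_vo_client() {
  root=${1%/}; vo=$2; host=$3; port=$4; dn=$5; ca_dn=$6
  mkdir -p "$root/etc/vomses" "$root/etc/grid-security/vomsdir/$vo"
  # vomses line: "alias" "host" "port" "server DN" "VO name"
  printf '"%s" "%s" "%s" "%s" "%s"\n' "$vo" "$host" "$port" "$dn" "$vo" \
    > "$root/etc/vomses/$vo-$host"
  # LSC: server DN on line 1, issuing CA DN on line 2. The client uses this
  # to decide which certificate may have signed the VO's attribute certificate.
  printf '%s\n%s\n' "$dn" "$ca_dn" \
    > "$root/etc/grid-security/vomsdir/$vo/$host.lsc"
}

# check_vo_client ROOT VO HOST -> 0 if the vomses DN equals LSC line 1 and the
# LSC has exactly two lines that look like DNs, 1 otherwise
check_vo_client() {
  root=${1%/}; vo=$2; host=$3
  vomses="$root/etc/vomses/$vo-$host"
  lsc="$root/etc/grid-security/vomsdir/$vo/$host.lsc"
  [ -f "$vomses" ] && [ -f "$lsc" ] || return 1
  vdn=$(awk -F'"' '{print $8}' "$vomses")      # 4th quoted field
  ldn=$(sed -n '1p' "$lsc")
  lca=$(sed -n '2p' "$lsc")
  [ "$(wc -l < "$lsc" | tr -d ' ')" -eq 2 ] || return 1
  case "$ldn" in /*) ;; *) return 1 ;; esac
  case "$lca" in /*) ;; *) return 1 ;; esac
  [ "$vdn" = "$ldn" ]
}

# install_na48 ROOT: both endpoints from the voms::na48 class above
install_na48() {
  ca='/DC=ch/DC=cern/CN=CERN Grid Certification Authority'
  for h in voms2.cern.ch lcg-voms2.cern.ch; do
    write_vo_client "$1" na48 "$h" 15011 "/DC=ch/DC=cern/OU=computers/CN=$h" "$ca"
  done
}

# Usage on a node (not run here):
#   install_na48 /                              # by hand, if not via puppet
#   check_vo_client / na48 voms2.cern.ch        # after a puppet run, for each server
```

After a puppet run, running the check for every server listed in the class is a cheap way to confirm that the files puppet installed match the endpoints you configured before users start getting proxy failures.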

Add a VO-admin to the new VO.

After all the above configuration is in place, running puppet will create the new VO. (Note that voms and voms-admin will be restarted during this, so taking the machine out of the alias first is a good idea.)

Once puppet has finished, you will need to put the VO-admin's user certificate into /tmp/usercert.pem and run /etc/voms-admin-puppet/voms-admin-add-admin-na48.sh.

Topic revision: r11 - 2015-05-29 - AlbertoRodriguezPeon