voms installation and configuration
www.epikh.eu
The EPIKH Project(Exchange Programme to advance e-Infrastructure Know-How)
VOMS Installation and configuration
Bouchra RAHIM([email protected])
Africa 6 2011 - Joint EUMEDGRID-Support/EPIKH School for Grid Site Administrators
Rabat, 02.06.2011
Outline
• Virtual Organization Membership Service overview
• gLite VOMS:
– Installation of VOMS
– Configuration of VOMS
VOMS
• Virtual Organization Membership Service (VOMS)
– Account database serving membership information in a special format (VOMS credentials); can be administered via the command line and via a web interface
– Provides information on the user's relationship with his/her Virtual Organization (VO): VO membership, group membership, roles of the user
VOMS
• Virtual Organizations (VOs) are groups of Grid users, authenticated through digital certificates.
• The Virtual Organization Membership Service (VOMS) serves as a central database for user authorization information, with support for sorting users into a general group hierarchy, keeping track of their roles, etc.
• The VO Manager, according to VO policies and rules, authorizes authenticated users to become VO members.
• At the time the proxy is created, one or more VOMS servers are contacted. Each returns an Attribute Certificate (AC), signed by the VO (in practice with the VOMS server's host certificate), that contains the user's group membership and roles within the VO. The AC is embedded in the proxy, and relying services verify its signature against the VOMS server's certificate; this is why the server's DN has to appear in the VOMSES settings of every site supporting the VO.
Requirements
• One machine:
– Operating System: Scientific Linux 5 or 4
– Public IP address, with direct and reverse address resolution in DNS (the name from hostname -f, its A record and the PTR record of the address must all agree)
– Equipped with an X.509 host certificate
Which metapackages are we going to install?
• There are several kinds of metapackages to install:
• lcg-CA – rpm collection of the trusted Certification Authority certificates, needed to validate the certificates of external users and hosts.
• glite-VOMS_mysql – contains all the rpms for VOMS administration and usage (MySQL back-end).
Preparing the Linux machine
• Network Time Protocol settings (certificate, proxy and VOMS AC validity checks fail if the clock is off, so this step is not optional)
# yum install ntp
• Copy the ntp.conf file and the ntp directory from ftp://repo.magrid.ma/pub/CE_WN_BDII/ to /etc/ (WinSCP)
• Synchronize the date
# /etc/init.d/ntpd stop
# ntpdate ntp.marwan.ma
• Start the ntpd service and configure it to start on boot
# /etc/init.d/ntpd start
# chkconfig ntpd on
Preparing the Linux machine
• Disable SELinux: make sure /etc/selinux/config contains the line:
SELINUX=disabled
• Stop iptables
# /etc/init.d/iptables stop
# chkconfig iptables off
(This is a lab shortcut. On a production VOMS host keep the firewall and open only the VOMS ports used below: 15000 for vomsd and 8443 for the voms-admin web interface.)
• Check that you have a valid hostname (the FQDN printed by hostname -f must match DNS)
# hostname -f
# cat /etc/hosts
• Reboot
Repository set up
• Add to the system repositories the ones specific to the middleware to install
# cd /etc/yum.repos.d/
# export MREPO=http://repo.magrid.ma/yumrepo/glite32
# REPO="dag lcg-CA glite-VOMS_mysql"
# for name in $REPO; do wget $MREPO/$name.repo -O /etc/yum.repos.d/$name.repo; done
Package installation
• Use yum to install the needed packages
# yum install lcg-CA ca-policy-egi-core ca-policy-lcg
# yum install glite-VOMS_mysql
# yum install xml-commons-apis
PreConfiguration - MySQL
• Check that MySQL is running
– service mysqld status
• If not, launch it using
– service mysqld start
• Set the root password for MySQL:
– /usr/bin/mysqladmin -u root password grid2011
• At this point, log into MySQL using the following commands:
• mysql -uroot -pgrid2011
• grant all on *.* to 'root'@'pcXX' identified by 'grid2011';
• grant all on *.* to 'root'@'pcXX.magrid.ma' identified by 'grid2011';
• quit;
• grid2011 is a lab password. yaim later reads it as MYSQL_PASSWORD from services/glite-voms and uses it to create the per-VO database and DB user. On a real server choose a strong one and avoid writing it on the command line as -p<password> (it stays in the shell history): mysql -uroot -p prompts for it instead.
PreConfiguration
• Copy site-info.def and services/glite-voms_mysql from /opt/glite/yaim/examples/siteinfo into your favourite dir:
– mkdir /opt/glite/yaim/etc/siteinfo
– mkdir /opt/glite/yaim/etc/siteinfo/services
– cp /opt/glite/yaim/examples/siteinfo/site-info.def /opt/glite/yaim/etc/siteinfo
– cp /opt/glite/yaim/examples/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/
• Rename glite-voms_mysql as glite-voms:
– mv /opt/glite/yaim/etc/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/glite-voms
• Or you can copy site-info.def and services/glite-voms located in ftp://repo.magrid.ma/pub/VOMS/ and customize them
PreConfiguration: site-info.def
• Set the yaim variables as specified in
https://twiki.cern.ch/twiki/bin/view/LCG/Site-Info_configuration_variables#VOMS
• vi /opt/glite/yaim/etc/siteinfo/site-info.def
• VOS="voXX" (XX is your host number in the room)
• Make sure to comment out the lines starting with VO_<vo_name> and <queue-name>_ to avoid syntax errors in site-info.def
PreConfiguration: glite-voms
• Set the following variables in /opt/glite/yaim/etc/siteinfo/services/glite-voms
MYSQL_PASSWORD=grid2011
VOMS_HOST=pcXX.magrid.ma
• Replace the variables starting with VO_<vo_name> by VO_VOXX and set their values as follows:
VO_VOXX_VOMS_PORT=15000
VO_VOXX_VOMS_DB_NAME=voXX_db
VO_VOXX_VOMS_DB_USER=voXX_user
VO_VOXX_VOMS_DB_PASS=grid2011
VOMS_DB_HOST='localhost'
VOMS_ADMIN_SMTP_HOST=localhost
VOMS_ADMIN_MAIL=<admin Email>
• This file holds the MySQL root password and the VO DB password in clear text, so keep it readable by root only (chmod 600).
PreConfiguration - Host certificates
• Copy the host certificate and key into place
• mv /root/pcXXkey.pem /etc/grid-security/hostkey.pem
• mv /root/pcXXcert.pem /etc/grid-security/hostcert.pem
• chmod 400 /etc/grid-security/hostkey.pem
• chmod 600 /etc/grid-security/hostcert.pem
• Both files must be owned by root, and the certificate's CN must be the FQDN given by hostname -f (pcXX.magrid.ma): that is the name clients verify when they contact the VOMS server.
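A pre-yaim check for the two files just installed, added here as an example (it is not part of the slides or of gLite). It assumes openssl is on the PATH and that the host key is RSA, and takes the certificate, key and expected FQDN as arguments, so it can be run against /etc/grid-security/hostcert.pem, /etc/grid-security/hostkey.pem and the output of hostname -f:

```shell
#!/bin/sh
# check_hostcert.sh: sanity-check the VOMS host certificate/key pair before running yaim.
# Added example, not part of the slides or of gLite. Assumes openssl on the PATH and an
# RSA host key. Usage: sh check_hostcert.sh <hostcert.pem> <hostkey.pem> <fqdn>
check_hostcert() {
    cert=$1; key=$2; fqdn=$3; rc=0
    [ -r "$cert" ] || { echo "FAIL: cannot read $cert"; return 1; }
    [ -r "$key" ]  || { echo "FAIL: cannot read $key"; return 1; }

    # 1. The private key must be mode 400 (the chmod from the slide).
    kperm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$kperm" = "400" ] || { echo "FAIL: $key is mode $kperm, expected 400"; rc=1; }

    # 2. Key and certificate must be a pair: compare the public key each one carries.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
    kpub=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl md5)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || { echo "FAIL: $key does not match $cert"; rc=1; }

    # 3. The subject CN must be the FQDN clients connect to. The sed handles both
    #    "subject= /C=MA/.../CN=host" and "subject=C = MA, ..., CN = host" output formats.
    cn=$(openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || { echo "FAIL: certificate CN '$cn' != expected FQDN '$fqdn'"; rc=1; }

    # 4. Valid now and for at least 30 more days (2592000 s), so renewal is not already overdue.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: $cert is expired or expires within 30 days"; rc=1; }

    [ $rc -eq 0 ] && echo "OK: $cert and $key are usable for $fqdn"
    return $rc
}

# Stand-alone use: sh check_hostcert.sh /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem "$(hostname -f)"
if [ $# -eq 3 ]; then check_hostcert "$@"; fi
```

A non-zero exit means yaim would configure a server that clients cannot verify (wrong name, mismatched key) or that stops working soon (expiry), so fix the file before continuing.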
YAIM Configuration
• Run the yaim configuration:
• /opt/glite/yaim/bin/yaim -c -s /opt/glite/yaim/etc/siteinfo/site-info.def -n VOMS
Tests
• Import a user certificate into your browser; you can use ftp://repo.magrid.ma/pub/VOMS/Grid-School.p12
Password for the certificate is: [Grid2011$]
• Use that browser to connect to https://pcXX.magrid.ma:8443/voms/voXX
Registration procedure (actors: VO user, VOMS server, VO admin)
1. VO user: membership request via the web interface
2. VOMS server: request confirmation via e-mail to the user
3. VO user: confirmation of e-mail address
4. VOMS server: request notification to the VO admin
5. VO admin: accept / deny via the web interface
6. VOMS server: create user (if accepted)
7. VOMS server: notification of accept/deny to the user
VO-ADMIN
• Copy your usercert.pem to /root/ (you can use the one in ftp://repo.magrid.ma/pub/VOMS/usercert.pem)
voms-admin --vo voXX create-user /root/usercert.pem
voms-admin --vo voXX assign-role VO VO-ADMIN /root/usercert.pem
• voms-admin only reads the subject DN and issuing CA out of the file; the VO member (and the VO-ADMIN role holder) is that DN/CA pair, so the certificate must come from a CA installed by lcg-CA.
Usage and Maintenance
• People holding user certificates issued by a recognized CA (LCG-CA) may request to subscribe to your VO
• Requests are notified via e-mail both to the requestor and to the administrator
• More than one VO can be created (each with its own VO_<VO>_VOMS_PORT, DB name and DB user in services/glite-voms)
• From the web GUI different roles may be assigned to the users
• Grid services supporting the new VO must have the VO-specific settings properly configured in their site-info.def file, e.g. for the MAGRID VO:
########### magrid ###########
# MAGRID VO:
VO_MAGRID_SW_DIR=$VO_SW_DIR/magrid
VO_MAGRID_DEFAULT_SE=$SE_HOST
VO_MAGRID_STORAGE_DIR=$CLASSIC_STORAGE_DIR/magrid
VO_MAGRID_QUEUES="magrid"
# VOMS Specific settings: https://voms.magrid.ma:8443/voms/magrid/Configuration.do
VO_MAGRID_VOMS_SERVERS="vomss://voms.magrid.ma:8443/voms/magrid?/magrid"
VO_MAGRID_VOMSES="'magrid voms.magrid.ma 15000 /C=MA/O=MaGrid/OU=CNRST/CN=voms.magrid.ma magrid'"
VO_MAGRID_VOMS_CA_DN="'/C=MA/O=MaGrid/CN=MaGrid CA' '/C=MA/O=MaGrid/CN=MaGrid CA'"
VO_MAGRID_WMS_HOSTS="prod-wms-01.pd.infn.it wms-4.dir.garr.it wms.ulakbim.gov.tr"
• VO_<VO>_VOMS_CA_DN lists, in the same order, the CA that issued each VOMSES server's host certificate (one entry per VOMSES entry); yaim uses the pair to write the files with which services verify the AC signature.
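The VOMSES/VOMS_SERVERS pair above is what every client site copies by hand, and a typo in the host, port or DN only surfaces later as a failed voms-proxy-init. The following POSIX shell check is an added example, not code from the slides or from yaim; it assumes nothing beyond the conventions visible on the slide (a VOMSES entry is the quoted 5-tuple 'vo host port server-DN vo', a VOMS_SERVERS entry is vomss://host:8443/voms/vo?/vo) and can be run with the MAGRID values shown:

```shell
#!/bin/sh
# check_vomses.sh: consistency check for the VO_<VO>_VOMSES / VO_<VO>_VOMS_SERVERS pair
# that every service supporting a VO carries in site-info.def.
# Added example, not from the slides or yaim. Assumes the gLite conventions on the slide:
# a VOMSES entry is the quoted 5-tuple 'vo host port server-DN vo' and a VOMS_SERVERS
# entry is vomss://host:8443/voms/vo?/vo.
# Usage: check_vomses VO "VOMSES-value" "VOMS_SERVERS-value"; exit status 0 if consistent.
check_vomses() {
    vo=$1; vomses=$2; servers=$3; rc=0
    # Pull out each single-quoted entry: awk splits on the quote, even fields are the quoted text.
    entries=$(printf '%s\n' "$vomses" | awk -F"'" '{for (i = 2; i <= NF; i += 2) print $i}')
    [ -n "$entries" ] || { echo "FAIL: no quoted VOMSES entry found"; return 1; }
    oldifs=$IFS
    IFS='
'
    for entry in $entries; do
        IFS=$oldifs
        set -- $entry                       # split on whitespace: vo host port DN... vo
        if [ $# -lt 5 ]; then
            echo "FAIL: '$entry' does not have 5 fields"; rc=1; continue
        fi
        first=$1; host=$2; port=$3
        eval "last=\${$#}"                   # last field: the VO name again
        # The server DN is everything between field 3 and the last field (it may contain spaces).
        dn=$(printf '%s' "$entry" | sed 's/^[^ ]* [^ ]* [^ ]* //; s/ [^ ]*$//')

        [ "$first" = "$vo" ] && [ "$last" = "$vo" ] \
            || { echo "FAIL: VO fields '$first'/'$last' do not match '$vo'"; rc=1; }
        case $port in
            ''|*[!0-9]*) echo "FAIL: port '$port' is not a number"; rc=1 ;;
            8443) echo "FAIL: $host:8443 is the voms-admin web port; VOMSES needs the vomsd port (15000 on the slide)"; rc=1 ;;
        esac
        # Clients validate the AC against the server's host certificate, so the DN's CN must be the host.
        cn=${dn##*/CN=}; cn=${cn%%/*}
        [ "$cn" = "$host" ] || { echo "FAIL: server DN CN '$cn' != host '$host'"; rc=1; }
        # The web front-end URL must be listed for the same host and VO.
        case " $servers " in
            *"vomss://$host:8443/voms/$vo?/$vo"*) ;;
            *) echo "FAIL: VOMS_SERVERS lacks vomss://$host:8443/voms/$vo?/$vo"; rc=1 ;;
        esac
    done
    IFS=$oldifs
    [ $rc -eq 0 ] && echo "OK: VOMSES and VOMS_SERVERS for $vo are consistent"
    return $rc
}

# Stand-alone use after sourcing site-info.def:
#   sh check_vomses.sh magrid "$VO_MAGRID_VOMSES" "$VO_MAGRID_VOMS_SERVERS"
if [ $# -eq 3 ]; then check_vomses "$@"; fi
```

The 8443 check catches the most common copy error, pointing VOMSES at the voms-admin web port instead of the vomsd port, and the CN check catches a VOMSES line pasted from another VO's server.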
Logs and scripts
• Log files can be found in
/var/log/messages
/var/log/glite/voms.<VO NAME>
• Init scripts can be found in
/opt/glite/etc/config/scripts/
References
• INFNGRID generic installation guide (gLite 3.2):
– http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:guides:install-3_2
• YAIM system administrator guide:
– https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400
• VOMS Installation guide:
– https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf
• EUMEDGRID wiki:
– http://wiki.eumedgrid.eu/bin/view
• EuMedGRID sites installation and setup tips:
– http://wiki.eumedgrid.eu/twiki/bin/view/InfrastructureStatus/EumedSiteInstallation
• EUMEDGRID VOMS@CNAF:
– https://voms2.cnaf.infn.it:8443/voms/eumed/Login.do