VOMS Installation and configuration


www.epikh.eu

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How)

VOMS Installation and configuration

Bouchra RAHIM (rahim@cnrst.ma)

Africa 6 2011 - Joint EUMEDGRID-Support/EPIKH School for Grid Site Administrators

Rabat, 02.06.2011

Outline

- Virtual Organization Membership Services overview
- gLite VOMS:
  - Installation on VOMS
  - Configuration on VOMS

VOMS

- Virtual Organization Membership Service (VOMS)
  - Account Database
  - Serving information in a special format (VOMS credentials)
  - Can be administered via command line and via web interface
- Provides information on the user's relationship with his/her Virtual Organization (VO)
  - VO-Membership
  - Group membership
  - Roles of user


VOMS

- Virtual Organizations (VOs) are groups of Grid users (authenticated through digital certificates).
- VO Management Service (VOMS) serves as a central database for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc.
- VO Manager: according to VO policies and rules, authorizes authenticated users to become VO members.
- At the time the proxy is created, one or more VOMS servers are contacted. They return an Attribute Certificate (AC), signed by the VO, that contains information about group membership and roles within the VO.

VOMS Installation

Requirements

- One machine:
  - Operating System: Scientific Linux 5 or 4
  - Public IP address, direct and reverse address resolution on a DNS, and equipped with an X509 certificate.

Which metapackages are we going to install?

- There are several kinds of metapackages to install:
  - lcg-CA: rpm collection to support external Certification Authority.
  - glite-VOMS_mysql: contains all rpms for VOMS administration and usage.

Preparing the Linux machine

- Network Time Protocol settings
    # yum install ntp
- Copy the ntp.conf file and the ntp directory from ftp://repo.magrid.ma/pub/CE_WN_BDII/ to /etc/ (WinSCP)
- Synchronize the date
    # /etc/init.d/ntpd stop
    # ntpdate ntp.marwan.ma
- Start the ntpd service and configure it to start on boot
    # /etc/init.d/ntpd start
    # chkconfig ntpd on

Preparing the Linux machine

- Disable SELinux: make sure /etc/selinux/config contains the line:
    SELINUX=disabled
- Stop iptables
    # /etc/init.d/iptables stop
    # chkconfig iptables off
- Please check that you have a valid hostname
    # hostname -f
    # cat /etc/hosts
- Reboot

Repository set up

- Add the repositories specific to the middleware to be installed to the system repositories
    # cd /etc/yum.repos.d/
    # export MREPO=http://repo.magrid.ma/yumrepo/glite32
    # REPO="dag lcg-CA glite-VOMS_mysql"
    # for name in $REPO; do wget "$MREPO/$name.repo" -O "/etc/yum.repos.d/$name.repo"; done

Package installation

- Use yum to install the needed packages
    # yum install lcg-CA ca-policy-egi-core ca-policy-lcg
    # yum install glite-VOMS_mysql
    # yum install xml-commons-apis


PreConfiguration - MySQL

- Check that MySQL is running
    service mysqld status
- If not, launch it using
    service mysqld start
- Set the root password for MySQL:
    /usr/bin/mysqladmin -u root password grid2011;
- At this point, log into mysql using the following commands:
    mysql -uroot -pgrid2011
    grant all on *.* to 'root'@'pcXX' identified by 'grid2011';
    grant all on *.* to 'root'@'pcXX.magrid.ma' identified by 'grid2011';
    quit;

PreConfiguration - SendMail

- Start sendmail
    /etc/init.d/sendmail start
    chkconfig sendmail on

PreConfiguration

- Copy site-info.def and services/glite-voms_mysql from '/opt/glite/yaim/examples/siteinfo' into your favourite dir:
    mkdir /opt/glite/yaim/etc/siteinfo
    mkdir /opt/glite/yaim/etc/siteinfo/services
    cp /opt/glite/yaim/examples/siteinfo/site-info.def /opt/glite/yaim/etc/siteinfo
    cp /opt/glite/yaim/examples/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/
- Rename glite-voms_mysql as glite-voms:
    mv /opt/glite/yaim/etc/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/glite-voms
- Or you can copy site-info.def and services/glite-voms located in ftp://repo.magrid.ma/pub/VOMS/ and customize

PreConfiguration: site-info.def

- Set yaim variables as specified in
    https://twiki.cern.ch/twiki/bin/view/LCG/Site-Info_configuration_variables#VOMS
    vi /opt/glite/yaim/etc/siteinfo/site-info.def
    VOS="voXX" (XX points to your host order in the room)
- Make sure to comment out the lines starting with VO_<vo_name> and <queue-name>_ to avoid syntax errors in site-info.def

PreConfiguration: glite-voms

- Set the following variables in /opt/glite/yaim/etc/siteinfo/services/glite-voms
    MYSQL_PASSWORD=grid2011
    VOMS_HOST=pcXX.magrid.ma
- Replace the variables starting with VO_<vo_name> by VO_VOXX and set their values as follows:
    VO_VOXX_VOMS_PORT=15000
    VO_VOXX_VOMS_DB_NAME=voXX_db
    VO_VOXX_VOMS_DB_USER=voXX_user
    VO_VOXX_VOMS_DB_PASS=grid2011
    VOMS_DB_HOST='localhost'
    VOMS_ADMIN_SMTP_HOST=localhost
    VOMS_ADMIN_MAIL=<admin Email>
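A pre-flight check for the services/glite-voms file described above, as an added example that is not part of the original slides. The function names and the sample file (the slide's values with XX set to 01) are constructed for illustration; on the slide's training values it reports that the VO database password repeats the MySQL root password.

```shell
#!/bin/sh
# Added example (not from the slides): lint services/glite-voms before YAIM.
# The file is read as text (KEY=VALUE lines), not sourced.

# conf_get FILE KEY: value of the last active KEY=... line, quotes removed
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# lint_voms_conf FILE VO: print findings; return 0 only when there are none
lint_voms_conf() {
    f=$1; bad=0
    p="VO_$(echo "$2" | tr '[:lower:]' '[:upper:]')_VOMS"
    if grep -q '^[^#]*<vo_name>' "$f"; then
        echo "template <vo_name> variables are still active"; bad=1
    fi
    for k in MYSQL_PASSWORD VOMS_HOST "${p}_PORT" "${p}_DB_NAME" \
             "${p}_DB_USER" "${p}_DB_PASS"; do
        [ -n "$(conf_get "$f" "$k")" ] || { echo "$k is not set"; bad=1; }
    done
    case $(conf_get "$f" VOMS_HOST) in
        *.*) ;;
        *) echo "VOMS_HOST is not a fully qualified name"; bad=1 ;;
    esac
    case $(conf_get "$f" "${p}_PORT") in
        ''|*[!0-9]*) echo "${p}_PORT is not numeric"; bad=1 ;;
    esac
    root_pw=$(conf_get "$f" MYSQL_PASSWORD)
    if [ -n "$root_pw" ] && [ "$root_pw" = "$(conf_get "$f" "${p}_DB_PASS")" ]; then
        echo "${p}_DB_PASS repeats the MySQL root password"; bad=1
    fi
    return "$bad"
}

# Constructed sample: the slide's values with XX replaced by 01.
write_sample() {
    cat >"$1" <<'EOF'
MYSQL_PASSWORD=grid2011
VOMS_HOST=pc01.magrid.ma
VO_VO01_VOMS_PORT=15000
VO_VO01_VOMS_DB_NAME=vo01_db
VO_VO01_VOMS_DB_USER=vo01_user
VO_VO01_VOMS_DB_PASS=grid2011
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
lint_voms_conf "$tmp" vo01 || true
rm -f "$tmp"
```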

PreConfiguration - HostCertificates

- Copy the host certificates
    mv /root/pcXXkey.pem /etc/grid-security/hostkey.pem
    mv /root/pcXXcert.pem /etc/grid-security/hostcert.pem
    chmod 400 /etc/grid-security/hostkey.pem
    chmod 600 /etc/grid-security/hostcert.pem

YAIM Configuration

- Run the yaim configuration:
    /opt/glite/yaim/bin/yaim -c -s /opt/glite/yaim/etc/siteinfo/site-info.def -n VOMS

Tests

- Import a user certificate in your browser; you can use ftp://repo.magrid.ma/pub/VOMS/Grid-School.p12
    Password for certificate is: [Grid2011$]
- Use that browser to connect:
    https://pcXX.magrid.ma:8443/voms/voXX

Registration procedure

[Diagram: message flow between VO USER, VOMS SERVER and VO ADMIN. Labels: Membership request via Web interface; Request confirmation via email; Confirmation of email address; Request notification; accept / deny via web interface; create user (if accepted); Notification of accept/deny]

VO-ADMIN

- Copy your usercert.pem to /root/ (you can use the one in ftp://repo.magrid.ma/pub/VOMS/usercert.pem)
    voms-admin --vo voXX create-user /root/usercert.pem
    voms-admin --vo voXX assign-role VO VO-ADMIN /root/usercert.pem

Usage and Maintenance

- People having user certificates delivered by recognized CAs (LCG-CA) may request to subscribe to your VO
- Requests are notified via e-mail to both the requestor and the administrator
- More than one VO can be created
- From the Web GUI, different Roles may be defined for the users
- Grid services supporting the new VO must have the specific VO settings properly configured in the site-info.def file

##########
# magrid #
##########
# MAGRID VO:
VO_MAGRID_SW_DIR=$VO_SW_DIR/magrid
VO_MAGRID_DEFAULT_SE=$SE_HOST
VO_MAGRID_STORAGE_DIR=$CLASSIC_STORAGE_DIR/magrid
VO_MAGRID_QUEUES="magrid"

# VOMS Specific settings: https://voms.magrid.ma:8443/voms/magrid/Configuration.do
VO_MAGRID_VOMS_SERVERS="vomss://voms.magrid.ma:8443/voms/magrid?/magrid"
VO_MAGRID_VOMSES="'magrid voms.magrid.ma 15000 /C=MA/O=MaGrid/OU=CNRST/CN=voms.magrid.ma magrid'"
VO_MAGRID_VOMS_CA_DN="'/C=MA/O=MaGrid/CN=MaGrid CA' '/C=MA/O=MaGrid/CN=MaGrid CA'"
VO_MAGRID_WMS_HOSTS="prod-wms-01.pd.infn.it wms-4.dir.garr.it wms.ulakbim.gov.tr"
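The VOMSES and VOMS_SERVERS values above are copied by hand into the site-info.def of every service that supports the VO, so the added example below (not part of the original slides) cross-checks one entry against the admin URL. check_vomses is a hypothetical helper; the five-field entry layout and the rule that the DN's CN equals the server host are assumptions taken from the slide's own example.

```shell
#!/bin/sh
# Added example (not from the slides): cross-check VO_<VO>_VOMSES against
# VO_<VO>_VOMS_SERVERS. Assumed entry layout: 'alias host port DN vo', where
# the DN starts with "/" and is the only field that may contain spaces.

# check_vomses ENTRY URL: print one diagnosis; return 0 only if consistent
check_vomses() {
    entry=${1#"'"}; entry=${entry%"'"}      # drop the inner single quotes
    url=$2
    case $entry in
        *" "*" "*" /"*" "*) ;;              # alias host port /DN vo
        *) echo "malformed entry"; return 1 ;;
    esac
    vo_alias=${entry%% *}; rest=${entry#* }
    host=${rest%% *};      rest=${rest#* }
    port=${rest%% *};      rest=${rest#* }
    vo=${rest##* };        dn=${rest% *}    # last word = VO, the rest = DN
    case $port in
        ''|*[!0-9]*) echo "port '$port' is not numeric"; return 1 ;;
    esac
    # Assumption: the server's host certificate has CN=<FQDN>, as on the
    # slide, so the CN of the DN must be the host that clients contact.
    case $dn in
        */CN=*) cn=${dn##*/CN=} ;;
        *) echo "server DN has no CN"; return 1 ;;
    esac
    [ "$cn" = "$host" ] ||
        { echo "DN CN '$cn' does not match host '$host'"; return 1; }
    # Admin URL layout on the slide: vomss://<host>:<port>/voms/<vo>?/<group>
    url_host=${url#vomss://}; url_host=${url_host%%[:/]*}
    url_vo=${url#*/voms/};    url_vo=${url_vo%%"?"*}
    [ "$url_host" = "$host" ] ||
        { echo "URL host '$url_host' differs from '$host'"; return 1; }
    [ "$url_vo" = "$vo" ] ||
        { echo "URL VO '$url_vo' differs from '$vo'"; return 1; }
    echo "ok: $vo_alias -> $host:$port (VO $vo)"
}

URL="vomss://voms.magrid.ma:8443/voms/magrid?/magrid"
# Entry from the slide, then a constructed one whose DN names another host.
check_vomses "'magrid voms.magrid.ma 15000 /C=MA/O=MaGrid/OU=CNRST/CN=voms.magrid.ma magrid'" "$URL" || true
check_vomses "'magrid voms.magrid.ma 15000 /C=MA/O=MaGrid/CN=pc01.magrid.ma magrid'" "$URL" || true
```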

Logs and scripts

- Log files can be found in
  - /var/log/messages
  - /var/log/glite/voms.<VO NAME>
- Init scripts can be found in
  - /opt/glite/etc/config/scripts/


References

- INFNGRID generic installation guide:
  http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:guides:install-3_2
- YAIM system administrator guide:
  https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400
- VOMS Installation guide:
  https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf
- EUMEDGRID wiki:
  http://wiki.eumedgrid.eu/bin/view
- EuMedGRID sites installation and setup tips:
  http://wiki.eumedgrid.eu/twiki/bin/view/InfrastructureStatus/EumedSiteInstallation
- EUMEDGRID VOMS@CNAF:
  https://voms2.cnaf.infn.it:8443/voms/eumed/Login.do

Thank you for your kind attention!

Any questions?