VOMS Installation and configuration
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How)
Riccardo Rotondo (riccardo.rotondo@ct.infn.it), National Institute of Nuclear Physics
Asia 2 2011 - Joint CHAIN/EU-IndiaGrid2/EPIKH School for Grid Site Administrators, Kolkata, 02.02.2011
www.epikh.eu
Outline
- Virtual Organization Membership Service overview
- gLite VOMS: installation
- gLite VOMS: configuration
VOMS Introduction
Virtual Organization Membership Service (VOMS):
- Account database serving information in a special format (VOMS credentials)
- Can be administered via command line and via web interface
- Provides information on the user's relationship with his/her Virtual Organization (VO):
  - VO membership
  - Group membership
  - Roles of the user
Authorization
- Virtual Organizations (VOs) are groups of Grid users (authenticated through digital certificates).
- The VO Management Service (VOMS) serves as a central database for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc.
- The VO Manager, according to VO policies and rules, authorizes authenticated users to become VO members.
- At the time the proxy is created, one or more VOMS servers are contacted. They return an Attribute Certificate (AC), signed by the VO, that contains information about group membership and roles within the VO.
VOMS Installation
Requirements
One machine:
- Architecture: 32 bit only (if you want to use the MySQL server)
- Operating System: Scientific Linux 5 or 4
- Public IP address, direct and reverse address resolution on a DNS, and equipped with an X.509 host certificate
Which metapackages are we going to install?
There are two metapackages to install:
- lcg-CA: LHC Computing Grid rpm collection to support the external Certification Authorities.
- glite-VOMS_mysql: contains all rpms for VOMS administration and usage.
Pre-installation
Check that the machine's date is correct:
# date
If the date isn't correct, check the NTP daemon and synchronise the clock:
# /etc/init.d/ntpd status
# ntpdate ntp-1.infn.it
If ntpd is not running, start it and make the service start on boot:
# /etc/init.d/ntpd start
# chkconfig ntpd on
Repository set up (by CNAF repo)
The official jpackage repository is currently broken and not usable; use its mirror at GARR:
cat > /etc/yum.repos.d/jpackage.repo <<EOF
#
# JPackage repositories
[jpackage5_generic_free]
name = JPackage 5 (generic free)
baseurl = http://gridsrv2-4.dir.garr.it/mrepo/jpackage5_generic-noarch/RPMS.free/
gpgkey = http://www.jpackage.org/jpackage.asc
gpgcheck = 1
enabled = 1
protect = 1
[jpackage5_generic_non-free]
name = JPackage 5 (generic non-free)
baseurl = http://gridsrv2-4.dir.garr.it/mrepo/jpackage5_generic-noarch/RPMS.non-free/
enabled = 0
EOF
Repository set up (by ERI repo)
Add to the system repositories the ones specific to the middleware to install:
# cd /etc/yum.repos.d/
# mv dag.repo dag.repo.stop
# mv lcg-ca lcg-ca.stop
# REPO="dag glite-generic lcg-ca glite-voms_mysql"
# for rep_name in $REPO; do wget http://put-local-repo/mrepo/repo/$rep_name.repo; done
Middleware component installation
Use yum to install the needed packages:
# yum clean all
# yum install -y lcg-CA
# yum install -y glite-VOMS_mysql --enablerepo=dag
With the package versions in the repositories at the time, the last command fails with a Transaction Check Error:
Transaction Check Error:
  file /opt/glite/lib/libvomsapi.a conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
  file /opt/glite/lib/libvomsapi.so.0.0.0 conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
  file /opt/glite/lib/libvomsapi_nog.a conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
  file /opt/glite/lib/libvomsapi_nog.so.0.0.0 conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
Transaction Check Error Solution (Installing/2)
Disable the glite-generic updates repo:
# vi glite-generics.repo
[glite-generic_sl4_i386_updates]
name = gLite generic 3.1 i386 (updates)
baseurl = http://grid-it.cnaf.infn.it/mrepo/glite_sl4-i386/RPMS.generic-updates/
enabled = 0
protect = 0
Transaction Check Error Solution (Installing/2, continued)
Install these packages manually:
# rpm -ivh http://glitesoft.cern.ch/EGEE/gLite/R3.1/glite-VOMS_mysql/sl4/i386/RPMS.release/glite-security-voms-api-noglobus-1.8.8-2.slc4.i386.rpm
# rpm -ivh http://grid-it.cnaf.infn.it/mrepo/glite_sl4-i386/RPMS.generic-updates/glite-security-util-java-2.8.0-1.noarch.rpm
And then run the installation again:
# yum install -y glite-VOMS_mysql --enablerepo=dag
Installing/3 MySQL Server
Some preliminary steps before configuration. Install and start the MySQL server:
# yum install mysql-server
# /etc/init.d/mysqld start
# chkconfig mysqld on
Set the MySQL root password:
# /usr/bin/mysqladmin -u root -h localhost password 'securePassword'
Installing/4 Mail Server
Start the mail server and make it start on boot:
# /etc/init.d/sendmail start
# chkconfig sendmail on
Certificate (before configuration)
Copy the host certificate and key to the correct path and set the right permissions:
# cd
# mv SRVXX.eun.eg/SRVXX.eun.eg-cert.pem /etc/grid-security/hostcert.pem
# mv SRVXX.eun.eg/SRVXX.eun.eg-key.pem /etc/grid-security/hostkey.pem
# chmod 400 /etc/grid-security/hostkey.pem
# chmod 600 /etc/grid-security/hostcert.pem
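A wrong mode on hostkey.pem is a common cause of a VOMS server that starts but cannot present its credential, and it is easy to get wrong when the files are copied over again later. The following POSIX shell function, an added example that is not part of the slides, re-checks the two modes the slide sets (0400 for the key, 0600 for the certificate). The directory argument defaults to /etc/grid-security; the file names and modes are the ones from the slide.

```shell
#!/bin/sh
# Re-check the permissions the slide sets on the gLite host credentials:
#   hostkey.pem  -> 0400
#   hostcert.pem -> 0600
# Returns 0 when both files exist with exactly those modes, 1 otherwise.
check_host_credentials() {
    dir="${1:-/etc/grid-security}"   # default: the path used on the slides
    ok=0
    for spec in "hostkey.pem:400" "hostcert.pem:600"; do
        f="$dir/${spec%%:*}"        # file name before the colon
        want="${spec##*:}"           # expected octal mode after the colon
        if [ ! -f "$f" ]; then
            echo "MISSING  $f" >&2
            ok=1
            continue
        fi
        # POSIX find: "-perm MODE" (no leading '-') matches the mode exactly,
        # so an over-permissive key such as 0644 is reported, not accepted.
        if [ -n "$(find "$f" -prune -perm "$want")" ]; then
            echo "OK       $f (mode $want)"
        else
            echo "BAD PERM $f (want mode $want)" >&2
            ok=1
        fi
    done
    return $ok
}
```

Call `check_host_credentials` after the copy step (or `check_host_credentials /some/other/dir` for a staging directory); a non-zero exit status means at least one file is missing or has the wrong mode, and the offending path is printed on stderr.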
Before configuration/2
VOMS configuration does not use YAIM; manual XML configuration is required, as in old gLite installations.
Make a copy of the template XML files:
# cd /opt/glite/etc/config/templates
# cp *.xml ..
# cd ..
The values to change are flagged by the value "changeme".
Configuring/2 glite-global.cfg.xml
Verify the Java version:
[root@server2 ~]# java -version
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
Set the value accordingly:
# vi glite-global.cfg.xml
<JAVA_HOME ... value="/usr/java/jdk1.6.0_20"/>
Configuring/3 glite-security-utils.cfg.xml
# vi glite-security-utils.cfg.xml
<cron.mailto ... value="mail_administrator"/>
Configuring/4 glite-voms-server.cfg.xml
Change this file so that it includes the other configuration files, putting these lines at the beginning:
# vi glite-voms-server.cfg.xml
<config xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="glite-global.cfg.xml" xpointer=""/>
  <xi:include href="glite-security-utils.cfg.xml" xpointer=""/>
  <xi:include href="vo-list.cfg.xml" xpointer=""/>
  <!-- ===================================================================
       VO instances
       All VO parameters are defined in separate VO instances. The VOMS
       Server instances are created here by iterating along the list of
       defined VOs. If custom VOMS instances have to be created, then they
       must be manually defined here by assigning a unique name and
       removing the iterate attribute
       =================================================================== -->
  <instance service="voms" iterate="volist">
    <include name="gilda"/>
  </instance>
Configuring/5 glite-voms-server.cfg.xml
Parameters to be set in the same file:
# vi glite-voms-server.cfg.xml
<voms.db.type ... value="mysql"/>
<voms.db.host ... value="localhost"/>
<voms.admin.smtp.host ... value=""/>
<voms.mysql.admin.password ... value="securePassword"/>
Configuring/6 vo-list.cfg.xml
# vi vo-list.cfg.xml
<vo name="gilda">
<vo.name ... value="gilda"/>
<voms.hostname ... value="put-your-voms-hostname"/>
<port.number ... value="15000"/>
<voms.cert.url ... value=""/>
Get the server certificate subject:
# openssl x509 -in /etc/grid-security/hostcert.pem -noout -subject
subject= /C=IT/O=GILDA/OU=Host/L=CAIRO/CN=your-voms-hostname
Configuring/7 vo-list.cfg.xml
Continue editing the file:
# vi vo-list.cfg.xml
<voms.cert.subject ... value="subject_you_get"/>
<voms.db.name ... value="vomsdb"/>
<voms.db.user.name ... value="vomsuser"/>
<voms.db.user.password ... value="vomsusrpassword"/>
<pool.account.basename ... value=""/>
<pool.account.group ... value=""/>
<pool.account.number ... value="1"/>
<pool.lsfgid ... value=""/>
<voms.db.host ... value="localhost"/>
<voms.admin.smtp.host ... value=""/>
<voms.admin.notification.e-mail ... value="mail_administrator"/>
Configuring/8 vo-list.cfg.xml
Get the admin certificate from a UI (in this case I'm using the one created on the GILDA UI for this tutorial; the password is GridCAIXX):
# scp cairoXX@glite-tutor.ct.infn.it:.globus/usercert.pem /etc/grid-security/usercert.pem
And put that path in the vo-list.cfg.xml file:
# vi vo-list.cfg.xml
<vo.admin.certificate ... value="/etc/grid-security/usercert.pem"/>
Configuring/9 Running the configuration script
Run the python configuration script:
# scripts/glite-voms-server-config.py --configure
Start the VOMS server service:
# scripts/glite-voms-server-config.py --start
To check the status:
# scripts/glite-voms-server-config.py --status
Set the environment to use the built-in command line tool:
# source /etc/glite/profile.d/glite_setenv.sh
Administration test
Load the Admin user certificate in your browser and connect with that browser to:
https://<SRVXX.eun.eg>:8443/voms/gilda
The service works if the Admin page appears. Subscribe to your VO with the 'Register!' button.
Registration procedure (VOMS new user)
Actors: VO user, VOMS server, VO admin.
1. VO user: membership request via the web interface
2. VOMS server: request confirmation via email
3. VO user: confirmation of the email address
4. VOMS server: request notification to the VO admin
5. VO admin: accept / deny via the web interface
6. VOMS server: create the user (if accepted)
7. VOMS server: notification of accept/deny to the user
Registration confirmation
[screenshots: approval ... acknowledge]
Administration/2 Administration GUI
[screenshots: users list, user details]
Administration/3 Usage and Maintenance
- People having user certificates issued by a recognized CA (LCG-CA) may request to subscribe to your VO.
- Requests are notified via e-mail both to the requestor and to the administrator.
- More than one VO can be created.
- From the Web GUI, different Roles may be assigned to the users.
- Grid services supporting the new VO must have the VO-specific settings properly configured in the site-info.def file, e.g.:
#########
# euindia
#
VO_EUINDIA_SW_DIR=$VO_SW_DIR/euindia
VO_EUINDIA_DEFAULT_SE=prod-se-02.pd.infn.it
VO_EUINDIA_STORAGE_DIR=$CLASSIC_STORAGE_DIR/euindia
VO_EUINDIA_VOMS_SERVERS="vomss://voms2.cnaf.infn.it:8443/voms/euindia?/euindia"
VO_EUINDIA_VOMSES="euindia voms2.cnaf.infn.it 15010 /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it euindia"
VO_EUINDIA_VOMS_CA_DN="'/C=IT/O=INFN/CN=INFN CA' '/C=IT/O=INFN/CN=INFN CA'"
VO_EUINDIA_WMS_HOSTS="eu-india-02.pd.infn.it"
Administration/4 Usage and Maintenance
Take the VOMSES string from the 'Configuration' menu of the web GUI and copy it into the .glite/vomses file in your UI $HOME account; create the file if necessary.
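The VO_<VO>_VOMSES entry in site-info.def (previous slide) and the line that goes into the UI's .glite/vomses file (this slide) carry the same five fields, alias, hostname, port, server certificate DN and VO name, but the vomses file wants each field double-quoted, and the DN is the one field that may contain spaces. The following POSIX shell functions, an added example that is not part of the slides, convert a site-info.def entry into a vomses line and check that the host in VO_<VO>_VOMSES agrees with the host in VO_<VO>_VOMS_SERVERS; a mismatch there means proxies are requested from one server while the DN of another is trusted. The euindia values are the ones from the slide; the gilda entry used in the usage note is constructed.

```shell
#!/bin/sh
# Convert one YAIM VO_<VO>_VOMSES entry (space-separated, as in site-info.def)
# into the quoted five-field line format of a vomses file:
#   "alias" "hostname" "port" "server DN" "vo-name"
# The DN is the only field that may contain spaces, so it is rebuilt from
# everything between the third field and the last one.
vomses_line() {
    printf '%s\n' "$1" | awk '{
        if (NF < 5) { print ("malformed entry: " $0) > "/dev/stderr"; exit 1 }
        if ($3 !~ /^[0-9]+$/) { print ("bad port: " $3) > "/dev/stderr"; exit 1 }
        dn = $4
        for (i = 5; i < NF; i++) dn = dn " " $i
        printf "\"%s\" \"%s\" \"%s\" \"%s\" \"%s\"\n", $1, $2, $3, dn, $NF
    }'
}

# Consistency check between the two site-info.def variables:
# the host named in VO_<VO>_VOMSES (2nd field) must be the host of the
# vomss://host:port/... URL in VO_<VO>_VOMS_SERVERS.
vomses_matches_server() {
    host_from_vomses=$(printf '%s\n' "$1" | awk '{ print $2 }')
    host_from_url=$(printf '%s\n' "$2" | sed -e 's#^vomss://##' -e 's#[:/].*$##')
    [ -n "$host_from_vomses" ] && [ "$host_from_vomses" = "$host_from_url" ]
}
```

With the slide's values, `vomses_line "euindia voms2.cnaf.infn.it 15010 /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it euindia"` prints the line to append to .glite/vomses, and `vomses_matches_server "$VO_EUINDIA_VOMSES" "$VO_EUINDIA_VOMS_SERVERS"` exits 0 only when both variables point at voms2.cnaf.infn.it. A constructed entry with a DN containing spaces, such as "gilda voms.example.org 15000 /C=IT/O=GILDA/CN=GILDA VOMS Server gilda", is quoted as a single DN field rather than split.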
Logs and scripts
Log files can be found in:
/var/log/messages
/var/log/glite/voms.<VO NAME>
Init scripts can be found in:
/opt/glite/etc/config/scripts/
Testing: Command Line Interface
# voms-admin --help
voms-admin v. 2.0.10
Usage: voms-admin [OPTIONS] --vo=NAME [--host HOST] [--port PORT] COMMAND PARAM...
Options:
  --help             Print this short help message.
  --list-commands    Print a list of available commands.
  --help-command CMD Print help about command CMD.
  --help-commands    Print help for all available commands.
  --version          Print version string.
  --verbose          Print more messages.
  --nousercert       Don't extract DNs from supplied certificates.
Testing: CLI Examples
# voms-admin --vo gilda get-vo-name
/cerist
# voms-admin --vo gilda list-users
/C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno, /C=IT/O=GILDA/CN=GILDA CA - riccardo.bruno@ct.infn.it
# voms-admin --vo gilda list-roles
Role=VO-Admin
# voms-admin --vo gilda create-user
Missing X509 cert argument!
The usercert.pem argument is missing; the correct call is:
# voms-admin --vo gilda create-user usercert.pem
References
INFNGRID generic installation guide: http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:guides:install-3_2
YAIM system administrator guide: https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400
VOMS Installation guide: https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf
Thank you for your kind attention! Any questions?