gLite VOMS Installation and Configuration


1 gLite VOMS Installation and Configuration
Jingyan Shi CC-IHEP, CAS EPIKH/EUMEDGRID-Support Event Beijing,

2 Concept
Virtual Organizations (VOs) are groups of Grid users (authenticated through digital certificates).
VO Management Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc.
VO Manager: according to VO policies and rules, authorizes authenticated users to become VO members.
At the time the proxy is created, one or more VOMS servers are contacted. They return an Attribute Certificate (AC), signed by the VO, that contains information about group membership and roles within the VO.

3 Ingredients
Attribute Certificates: an AC is a PKI container capable of holding a set of attributes tied to a specific identity. It is the mechanism VOMS uses to issue its attributes.
VOMS groups: /seegrid/BG/Bes
VOMS roles: /Role=ops
FQAN (Fully Qualified Attribute Name) is a compact way to represent a user's membership in a group, along with the role held, if any.
Syntax: <groupname>/Role=<rolename>/Capability=NULL
The /Capability=NULL part may be omitted, since it refers to a deprecated feature of VOMS.
Example: /Bes/Role=Ops/Capability=NULL
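As an added example (not from the slides), a small Python parser for the FQAN syntax above: it splits an FQAN into group, role and capability, drops the deprecated Capability=NULL suffix, and checks whether a held FQAN satisfies a required one. Treating membership in a subgroup as implying membership in its parent groups is an assumption of this example, not something the slide states.

```python
import re
from typing import NamedTuple, Optional

# <groupname>/Role=<rolename>/Capability=NULL, with Role and Capability optional.
# Group names are '/'-separated path components that contain no '='.
_FQAN_RE = re.compile(
    r"^(?P<group>/[^/=]+(?:/[^/=]+)*)"      # /vo/sub/group
    r"(?:/Role=(?P<role>[^/=]+))?"          # optional /Role=<rolename>
    r"(?:/Capability=(?P<cap>[^/=]+))?$"    # optional, deprecated /Capability=...
)

class FQAN(NamedTuple):
    group: str
    role: Optional[str]
    capability: Optional[str]

def parse_fqan(text: str) -> FQAN:
    """Split an FQAN into group, role and capability; raise on malformed input."""
    m = _FQAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    return FQAN(m.group("group"), m.group("role"), m.group("cap"))

def normalise_fqan(text: str) -> str:
    """Canonical form: drop Capability=NULL and Role=NULL, keep a real role."""
    f = parse_fqan(text)
    out = f.group
    if f.role is not None and f.role != "NULL":
        out += f"/Role={f.role}"
    if f.capability is not None and f.capability != "NULL":
        out += f"/Capability={f.capability}"
    return out

def fqan_grants(held: str, required: str) -> bool:
    """True if the held FQAN satisfies the required one.
    A group requirement is met by membership in that group or (assumption of
    this example) any of its subgroups; a role requirement must match the role
    exactly on the same group."""
    h, r = parse_fqan(held), parse_fqan(required)
    if r.role is None:
        return h.group == r.group or h.group.startswith(r.group + "/")
    return h.group == r.group and h.role == r.role
```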

4 Architecture
[Architecture diagram, recovered from its labels: on the client side, voms-proxy-init talks GSI to the VOMS core service (vomsd) on the VOMS Server, and the voms-admin CLI talks SOAP+SSL to the VOMS Admin Service; a web browser reaches the Admin Service through its Web User Interface. Both vomsd and the Admin Service are backed by the Authorization Database.]

5 Architecture
VOMS Admin Service: a web application providing tools for administering the VOMS member database.
VOMS Admin provides an intuitive web user interface for daily administration tasks, and a SOAP interface for remote clients.
The entire functionality of the VOMS Admin service is accessible via the SOAP interface.
The admin package includes a simple command-line SOAP client that is useful for automating frequently occurring batch operations, or simply as an alternative to the full-blown web interface.

6 VOMS
Virtual Organization Membership Service (VOMS) Account Database
Serves information in a special format (VOMS credentials)
Can be administered via command line and via web interface
Provides information on the user's relationship with his/her Virtual Organization (VO): VO membership, group membership, roles of the user
So what is a VOMS? A VOMS is a service that keeps track of all the members of a Virtual Organization and grants users authorization to access grid resources at VO level. It provides additional features for group membership and roles, so that the members of the VO can be characterised as precisely as possible. Each VO, in fact, has its own database that holds the information on all the members of the VO. Each time a user wants to work on the grid, the first operation is to contact the VOMS Server and ask for authorization info. If the user is correctly authenticated, the VOMS Server sends the authorization info to the client, which includes it in the client's proxy.

7 Installation
Provide a coherent set of Java software packages. Consult the JPackage instructions (the link was lost in the transcript).
$ wget <URL of jdk-1_5_0_15-linux-i586.bin>
$ mkdir -p ~/redhat/BUILD ~/redhat/SOURCES ~/redhat/SPECS ~/redhat/RPMS/i586 ~/redhat/SRPMS
$ cat <<EOF > ~/.rpmmacros
%_topdir $HOME/redhat
%packager Firstname Lastname
EOF
$ rpm -Uvh <URL of the jpackage-utils rpm>
$ mv jdk-1_5_0_15-linux-i586.bin ~/redhat/SOURCES
$ rpmbuild -ba ~/redhat/SPECS/java sun.spec
# yum localinstall ~/redhat/RPMS/i586/java sun jpp.i586.rpm
# yum localinstall ~/redhat/RPMS/i586/java sun-devel jpp.i586.rpm
(The version strings inside the spec and rpm file names were lost in the transcript.)

8 LCG-CA
Install the LCG-CA packages. Install the GILDA CA.
VOMS will only recognize subscriptions made by people holding certificates issued by these CAs.
cd /etc/yum.repos.d
wget -O /etc/yum.repos.d/lcg-CA.repo <URL>
yum install -y lcg-CA
wget --no-check-certificate <URL of the GILDA CA rpm>
rpm -ivh ca_GILDA-CA noarch.rpm
Note that --no-check-certificate disables TLS verification of the download; since this package installs a trust anchor, verify the RPM's checksum or signature out of band before installing it.

9 VOMS Packages and Installation
cd /etc/yum.repos.d
wget <URL of the gLite repo file>
wget <URL of the DAG repo file>
yum install glite-VOMS_mysql --enablerepo=dag
Dependency error on glite-security-voms-api-noglobus:
wget <URL of the rpm>
rpm -ivh glite-security-voms-api-noglobus slc4.i386.rpm
yum install glite-VOMS_mysql --enablerepo=dag

10 MySQL Server
Install MySQL Server:
yum install mysql-server
service mysqld start
chkconfig mysqld on
Set up the MySQL root password ('secure' is the example value used throughout these slides; pick a strong password of your own):
/usr/bin/mysqladmin -u root -h localhost password 'secure'

11 Mail Server/NTP
Install the mail server 'sendmail':
service sendmail start
chkconfig sendmail on
Install the NTP server:
yum install ntp
cat <<EOF > /etc/ntp.conf
server ntp-1.infn.it
EOF
service ntpd start
chkconfig ntpd on

12 Configuration
VOMS configuration does not use YAIM; manual XML configuration is required, as in old gLite installations.
Copy the certificates into /etc/grid-security:
wget -O /etc/grid-security/hostcert.pem <URL>
wget -O /etc/grid-security/hostkey.pem <URL>
chmod 644 /etc/grid-security/hostcert.pem
chmod 400 /etc/grid-security/hostkey.pem
Downloading the host key is specific to this training set-up; on a production VOMS server the private key is generated on the host itself and never transferred, and hostkey.pem must stay readable by root only (mode 400, as above).

13 Configuration
Make a copy of the template XML files. Values to change are flagged by the value "changeme".
cd /opt/glite/etc/config/templates
cp *.xml ..
cd ..

14 glite-global.cfg.xml
Open the configuration file with a text editor (vi, nano, …):
vi glite-voms-server.cfg.xml
JAVA_HOME - value="/usr/java/jdk1.6.0_20"
! PLEASE VERIFY THE Java VERSION in /usr/java/jdk…

15 glite-security-utils.cfg.xml
cron.mailto - value="<admin mail>"

16 glite-voms-server.cfg.xml
This XML seems corrupted; AT THE TOP it should look like this (the xmlns:xi URI was lost in the transcript):
<config xmlns:xi="
  <!-- ===================================================================
       VO instances
       All VO parameters are defined in separate VO instances.
       The VOMS Server instances are created here by iterating along the
       list of defined VOs. If custom VOMS instances have to be created,
       then they must be manually defined here by assigning a unique name
       and removing the iterate attribute
       =================================================================== -->
  <instance service="voms" iterate="volist">
    <include name="cerist"/>
  </instance>
  <parameters>
    <xi:include href="glite-global.cfg.xml" xpointer="//config"/>
    <xi:include href="glite-security-utils.cfg.xml" xpointer="//config"/>
    <xi:include href="vo-list.cfg.xml" xpointer="//config"/>

17 glite-voms-server.cfg.xml
Other values to customize …
voms.db.type - value="mysql"
voms.db.host - value="localhost"
voms.admin.smtp.host - value="localhost"
voms.mysql.admin.password - value="secure"

18 vo-list.cfg.xml
Other values to customize …
vo.name - value="cerist"
voms.hostname - value="ceristXX.grid.arn.dz"
port.number - value="15000"
voms.cert.url - value=""
vo - value="voname"
vo.name - value="voname"
voms.cert.url - value="<URL to hostcert.pem>"
Go back to the terminal and get the server certificate subject:
openssl x509 -in /etc/grid-security/hostcert.pem -subject -noout

19 vo-list.cfg.xml
Complete with the other values to customize …
voms.cert.subj - value="<HOSTCERT_SUBJECT>"
voms.db.name - value="vomsdb"
voms.db.user.name - value="vomsusr"
voms.db.user.password - value="vomsusrpwd"
vo.sgm.vo.role - value="LCGAdmin"
pool.account.basename - value=""
pool.account.group - value=""
pool.account.number - value="1"
pool.lsfgid - value=""
voms.db.host - value="localhost"
voms.admin.smtp.host - value="localhost"
voms.admin.notification. - value="<admin address>"

20 vo-list.cfg.xml
Get the Admin User Certificate and complete the values …
scp <admin usercert.pem, source lost in the transcript> /etc/grid-security/usercert.pem
voms.admin.certificate="/etc/grid-security/usercert.pem"

21 VOMS Configuration and Execution
Just execute a python configuration script:
scripts/glite-voms-server-config.py --configure
Then start the VOMS server:
scripts/glite-voms-server-config.py --start
To check the status:
scripts/glite-voms-server-config.py --status
To use the built-in command line tools, 'source' the following file in root's .bashrc:
source /etc/glite/profile.d/glite_setenv.sh

22 Testing (Admin)
Load the Admin User certificate in your browser.
Connect with this browser to the VOMS Admin interface on ceristXX.grid.arn.dz (the full URL was lost in the transcript).
The service works if the Admin page appears …
Subscribe your VO with the 'Register!' button.

23 Registration procedure
[Sequence diagram, recovered from its labels: VO USER, VOMS SERVER, VO ADMIN; Membership request via Web interface; Request confirmation via e-mail; Confirmation of e-mail address; Request notification; accept / deny via web interface; create user (if accepted); Notification of accept/deny]
The registration process that allows each user to become a new member of the VO can be described using this figure.
- First of all, the user submits a request to become a new member of the VO using the Web interface.
- The VOMS Server answers this request and waits for a confirmation.
- If the VOMS Server receives the confirmation from the user, the request is forwarded to the VO Admin.
- The request is accepted or rejected by the VO Admin, and a final notification about this is sent to the user.

24 Registration Confirmation
[Screenshots: Approval … Acknowledge]

25 Usage and Maintenance
People holding user certificates issued by a recognized CA (LCG-CA) may request to subscribe to your VO.
Requests are notified via e-mail to both the requestor and the administrator.
More than one VO can be created.
From the Web GUI, different roles may be assigned to the users.
Grid services supporting the new VO must have the VO-specific settings properly configured in the site-info.def file:
##############
# VONAME
#
VO_<VONAME>_SW_DIR=$VO_SW_DIR/africacert
VO_<VONAME>_DEFAULT_SE=$SE_HOST
VO_<VONAME>_STORAGE_DIR=$CLASSIC_STORAGE_DIR/africacert
VO_<VONAME>_VOMS_SERVERS="'vomss://voms.ct.infn.it:8443/voms/africacert?/africacert'"
VO_<VONAME>_VOMSES="'africacert voms.ct.infn.it /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it africacert'"
VO_<VONAME>_VOMS_CA_DN="'/C=IT/O=INFN/CN=INFN CA'"

26 Administration GUI
[Screenshots: Users list, User details]

27 UI Testing (User)
Take the VOMSES string from the 'Configuration' menu on the web GUI.
Copy it into the .glite/vomses file in your UI's $HOME account; create the file if necessary.
voms-proxy-init --voms cerist
Enter GRID pass phrase:
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno
Creating temporary proxy Done
Contacting cerist02.grid.arn.dz:15000 [/C=IT/O=GILDA/OU=Host/L=ALGIERS/CN=cerist02.grid.arn.dz] "cerist" Failed
Creating proxy Done
Your proxy is valid until Tue Jun 29 04:34:
Note that in this capture the contact with the VOMS server reports "Failed" and yet a proxy is still created: such a proxy carries no VOMS attribute certificate and will not be authorized for the VO. Check the result with voms-proxy-info --all, which lists the FQANs the proxy carries, before concluding that the VOMS test passed.
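As an added example (not part of the slides), a Python check over the kind of transcript voms-proxy-init prints above: it flags the case where the Contacting line says "Failed" but a proxy is still created (so it carries no VOMS AC), and the case where the CN of the server DN taken from the vomses line does not match the host contacted. The sample output is constructed after the slide's capture, with a complete expiry timestamp filled in; the regular expression assumes the one-line Contacting format shown on the slide.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed after the slide's capture; not real server output.
SAMPLE_OUTPUT = """\
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno
Creating temporary proxy .......................... Done
Contacting cerist02.grid.arn.dz:15000 [/C=IT/O=GILDA/OU=Host/L=ALGIERS/CN=cerist02.grid.arn.dz] "cerist" Failed
Creating proxy .................................... Done
Your proxy is valid until Tue Jun 29 04:34:00 2010
"""
# One-line 'Contacting host:port [DN] "vo" Done|Failed' format, as on the slide.
_CONTACT_RE = re.compile(
    r'^Contacting\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+'
    r'\[(?P<dn>[^\]]+)\]\s+"(?P<vo>[^"]+)"\s+(?P<status>Done|Failed)')

@dataclass
class ProxyReport:
    identity: str = ""
    proxy_created: bool = False
    contacts: List[dict] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def has_voms_attributes(self) -> bool:
        """True only if a proxy was made and every VOMS contact succeeded."""
        return self.proxy_created and bool(self.contacts) and all(
            c["status"] == "Done" for c in self.contacts)

def audit_proxy_init(output: str) -> ProxyReport:
    """Parse voms-proxy-init output and list anything an operator should fix."""
    rep = ProxyReport()
    for line in output.splitlines():
        if line.startswith("Your identity:"):
            rep.identity = line.split(":", 1)[1].strip()
        elif line.startswith("Creating proxy") and line.rstrip().endswith("Done"):
            rep.proxy_created = True
        m = _CONTACT_RE.match(line)
        if m:
            c = m.groupdict()
            rep.contacts.append(c)
            # The CN in the vomses DN should be the host actually contacted.
            cn = c["dn"].rsplit("/CN=", 1)[-1]
            if cn != c["host"]:
                rep.problems.append(f"vomses DN CN {cn!r} != host {c['host']!r}")
            if c["status"] == "Failed":
                rep.problems.append(f"VOMS {c['host']}:{c['port']} failed for VO {c['vo']}")
    if rep.proxy_created and not rep.has_voms_attributes:
        rep.problems.append("proxy created WITHOUT a VOMS attribute certificate")
    return rep
```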

28 Log and scripts
Log files can be found in:
/var/log/messages
/var/log/glite/voms.<VO NAME>
Init scripts can be found in /opt/glite/etc/config/scripts/

29 Command Line Interface
# voms-admin --help
voms-admin v
Usage: voms-admin [OPTIONS] --vo=NAME [--host HOST] [--port PORT] COMMAND PARAM...
Options:
  --help              Print this short help message.
  --list-commands     Print a list of available commands.
  --help-command CMD  Print help about command CMD.
  --help-commands     Print help for all available commands.
  --version           Print version string.
  --verbose           Print more messages.
  --nousercert        Don't extract DNs from supplied certificates.

30 CLI examples
# voms-admin --vo cerist get-vo-name
# voms-admin --vo cerist list-users
/C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno, /C=IT/O=GILDA/CN=GILDA CA -
# voms-admin --vo cerist list-roles
Role=VO-Admin
# voms-admin --vo cerist create-user
<!> Missing X509 cert argument!
<!> It is missing the usercert.pem
# voms-admin --vo cerist create-user usercert.pem

31 References
VOMS Installation guide
EUMEDGRID-Support Wiki
EUMEDGRID
(The links were lost in the transcript.)

32 Algiers, Joint EPiKH/EUMEDGRID-Support in Algeria, 27.06.2010

