Number of slides: 32

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How)
gLite VOMS Installation and Configuration
Jingyan Shi (shi.jingyan@ihep.ac.cn), CC-IHEP, CAS
EPIKH/EUMEDGRID-Support Event, Beijing, 30.08.2010
www.epikh.eu

Concept
• Virtual Organizations (VOs) are groups of Grid users (authenticated through digital certificates).
• VO Management Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc.
• VO Manager: according to VO policies and rules, authorizes authenticated users to become VO members.
• At the time the proxy is created, one or more VOMS servers are contacted. Each returns an Attribute Certificate (AC), signed with the VOMS server's own host credential on behalf of the VO, that contains information about the user's group membership and roles within the VO.

Ingredients
• Attribute Certificates: an AC is a PKI container capable of holding a set of attributes tied to a specific identity. It is the mechanism VOMS uses to issue its attributes.
• VOMS groups: /seegrid/BG/Bes
• VOMS roles: /Role=ops
• FQAN (Fully Qualified Attribute Name) is a compact way to represent a user's membership in a group, along with any role held in it.
  – Syntax: <group>/Role=<role>/Capability=NULL, where /Capability=NULL may be omitted, since it refers to a deprecated feature of VOMS.
  – Example: /Bes/Role=Ops/Capability=NULL
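The FQAN syntax above, as an added example that is not part of the slides or of the VOMS distribution: a small POSIX shell library that splits an FQAN into group, role and capability, checks that it is well formed, and normalises the NULL components so that two spellings of the same membership compare equal. The validity rules (non-empty group, Role before Capability, no empty components) are this example's own reading of the syntax on the slide; the bare "/Role=ops" notation used there for a role is therefore rejected as a complete FQAN. The FQANs in the demo are constructed from the group and role names on this slide.

```shell
#!/bin/sh
# Added example (not from the slides): parse, validate and normalise FQANs of
# the form <group>/Role=<role>/Capability=<capability>. The FQANs in the demo
# at the bottom are constructed from the group and role names on the slide.

# Group path: everything before the first /Role= or /Capability= component.
fqan_group() {
    printf '%s\n' "$1" | sed -e 's#/Role=.*$##' -e 's#/Capability=.*$##'
}

# Role, or NULL when no /Role= component is present (the VOMS convention).
fqan_role() {
    case "$1" in
        */Role=*) _r=${1#*/Role=}; printf '%s\n' "${_r%%/*}" ;;
        *)        printf 'NULL\n' ;;
    esac
}

# Capability, or NULL when absent (the feature is deprecated and always NULL).
fqan_capability() {
    case "$1" in
        */Capability=*) _c=${1#*/Capability=}; printf '%s\n' "${_c%%/*}" ;;
        *)              printf 'NULL\n' ;;
    esac
}

# fqan_valid FQAN: 0 for a well-formed FQAN, 1 otherwise. Rejects a missing
# leading "/", an empty group (so the bare "/Role=ops" notation used on the
# slide for a role is not accepted as an FQAN), empty components ("//" or a
# trailing "/"), whitespace, an empty Role or Capability value, repeated or
# reordered Role/Capability components, and "=" inside the group path.
fqan_valid() {
    case "$1" in /[!/]*) ;; *) return 1 ;; esac
    case "$1" in *//*|*/|*[[:space:]]*) return 1 ;; esac
    case "$1" in */Role=|*/Role=/*|*/Capability=|*/Capability=/*) return 1 ;; esac
    case "$1" in */Role=*/Role=*|*/Capability=*/Capability=*|*/Capability=*/Role=*) return 1 ;; esac
    _g=$(fqan_group "$1")
    [ -n "$_g" ] || return 1
    case "$_g" in *=*) return 1 ;; esac
    return 0
}

# Canonical form: /Role=NULL and /Capability=NULL carry no information, so
# "/Bes/Role=NULL/Capability=NULL" and "/Bes" denote the same membership.
fqan_canonical() {
    printf '%s\n' "$1" | sed -e 's#/Capability=NULL$##' -e 's#/Role=NULL$##'
}

# fqan_equal A B: the same attribute after normalisation.
fqan_equal() { [ "$(fqan_canonical "$1")" = "$(fqan_canonical "$2")" ]; }

# Demo on constructed FQANs.
for f in '/Bes/Role=Ops/Capability=NULL' '/seegrid/BG/Bes' '/seegrid/BG/Bes/Role=ops' \
         '/cerist/Role=NULL/Capability=NULL' '/Role=ops' '/bad//group' 'noslash/Role=x'; do
    if fqan_valid "$f"; then
        printf '%-38s group=%s role=%s cap=%s canonical=%s\n' "$f" \
            "$(fqan_group "$f")" "$(fqan_role "$f")" "$(fqan_capability "$f")" "$(fqan_canonical "$f")"
    else
        printf '%-38s INVALID\n' "$f"
    fi
done
```

fqan_equal is the comparison to use when matching an FQAN taken from a proxy against one written in a mapping file, since the proxy side usually carries the explicit /Role=NULL/Capability=NULL suffix and the file side usually does not.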

Architecture (diagram)
The VOMS server hosts two services over one Authorization Database: the VOMS core service (vomsd), contacted by voms-proxy-init over GSI, and the VOMS Admin Service, contacted by the voms-admin CLI over SOAP+SSL and by a web browser through the Web User Interface (which talks to the Admin Service over SOAP).

Architecture
• VOMS Admin Service: a web application providing tools for administering the VOMS member database.
• VOMS Admin provides an intuitive web user interface for daily administration tasks, and a SOAP interface for remote clients.
• The entire functionality of the VOMS Admin service is accessible via the SOAP interface.
• The admin package includes a simple command-line SOAP client that is useful for automating frequently occurring batch operations, or simply as an alternative to the full-blown web interface.

VOMS
• Virtual Organization Membership Service (VOMS)
  – Account database
    § serves information in a special format (VOMS credentials)
    § can be administered via the command line and via the web interface
  – Provides information on the user's relationship with his/her Virtual Organization (VO)
    § VO membership
    § group membership
    § roles of the user

Installation
• Provide a coherent set of Java software packages; consult https://twiki.cern.ch/twiki/bin/view/LCG/GenericInstallGuide310#jpackage_and_the_JAVA_repository
  $ wget http://www.astrogrid.org/maven/downloads/jdk-1_5_0_15-linux-i586.bin
  $ mkdir -p ~/redhat/BUILD ~/redhat/SOURCES ~/redhat/SPECS ~/redhat/RPMS/i586 ~/redhat/SRPMS
  $ cat > ~/.rpmmacros <<EOF
  %_topdir $HOME/redhat
  %packager Firstname Lastname
  EOF
  $ rpm -Uvh http://mirrors.dotsrc.org/jpackage/1.7/generic/non-free/SRPMS/java-1.5.0-sun-1.5.0.15-1jpp.nosrc.rpm
  $ mv jdk-1_5_0_15-linux-i586.bin ~/redhat/SOURCES
  $ rpmbuild -ba ~/redhat/SPECS/java-1.5.0-sun.spec
  # yum localinstall ~/redhat/RPMS/i586/java-1.5.0-sun-1.5.0.15-1jpp.i586.rpm
  # yum localinstall ~/redhat/RPMS/i586/java-1.5.0-sun-devel-1.5.0.15-1jpp.i586.rpm
(slide footer: Algiers, Joint EPIKH/EUMEDGRID-Support in Algeria, 27.06.2010)

LCG-CA
• Install the LCG-CA packages
  # cd /etc/yum.repos.d
  # wget http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.1/lcg-CA.repo -O /etc/yum.repos.d/lcg-CA.repo
  # yum install -y lcg-CA
• Install the GILDA CA
  # wget https://dist.eugridpma.org/distribution/igtf/current/worthless/RPMS/ca_GILDA-CA-1.36-1.noarch.rpm --no-check-certificate
  # rpm -ivh ca_GILDA-CA-1.36-1.noarch.rpm
• VOMS will only recognize subscriptions made by people having certificates delivered by these CAs.
• Caveat: the GILDA CA is a training CA shipped from the IGTF "worthless" (non-accredited) area, and --no-check-certificate switches off verification of the server that delivers it. That is acceptable for a tutorial host only; a production VOMS should trust the accredited CAs from the lcg-CA package alone, and any trust anchor must be fetched over a verified channel.

VOMS Packages and Installation
  # cd /etc/yum.repos.d
  # wget http://grid-it.cnaf.infn.it/mrepo/repos/glite-generic.repo
  # wget http://grid-it.cnaf.infn.it/mrepo/repos/glite-voms_mysql.repo
  # yum install glite-VOMS_mysql --enablerepo=dag
  Dependency error: glite-security-voms-api-noglobus
  # wget http://glitesoft.cern.ch/EGEE/gLite/R3.1/glite-VOMS_mysql/sl4/i386/RPMS.release/glite-security-voms-api-noglobus-1.8.8-2.slc4.i386.rpm
  # rpm -ivh glite-security-voms-api-noglobus-1.8.8-2.slc4.i386.rpm
  # yum install glite-VOMS_mysql --enablerepo=dag

MySQL Server
• Install the MySQL server
  # yum install mysql-server
  # service mysqld start
  # chkconfig mysqld on
• Set the MySQL root password
  # /usr/bin/mysqladmin -u root -h localhost password 'secure'
• 'secure' is a placeholder: choose a real password. A password given on the command line is recorded in the shell history and is visible in the process list while the command runs.

Mail Server/NTP
• Install the mail server 'sendmail'
  # service sendmail start
  # chkconfig sendmail on
• Install the NTP server
  # yum install ntp
  # cat > /etc/ntp.conf <<EOF
  server ntp-1.infn.it
  EOF
  # service ntpd start
  # chkconfig ntpd on
• Keep the clock synchronized: certificate, proxy and AC validity checks all depend on it.

Configuration
• VOMS configuration does not use YAIM; manual XML configuration is required, as in old gLite installations.
• Copy the host certificate and key into /etc/grid-security:
  # wget http://wn03.grid.arn.dz/cert/ALGIERS_host_certs/cerist02.grid.arn.dz/cerist.XX.grid.arn.dz-cert.pem -O /etc/grid-security/hostcert.pem
  # wget http://wn03.grid.arn.dz/cert/ALGIERS_host_certs/cerist02.grid.arn.dz/cerist.XX.grid.arn.dz-key.pem -O /etc/grid-security/hostkey.pem
  # chmod 644 /etc/grid-security/hostcert.pem
  # chmod 400 /etc/grid-security/hostkey.pem
• The key is fetched over plain HTTP here only because this is a tutorial setup: a production host key must never travel unencrypted. Both files must belong to root and carry the permissions above before the service is started.
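The checks a practitioner would run on the credential pair just installed, as an added example that is not part of the slides: file ownership and modes as the slide sets them, a key that is not passphrase-protected (vomsd starts unattended), a certificate whose public key really matches the key, and a certificate that has not expired or is not about to. Paths and the expected owner are parameters with the slide's defaults; the openssl sub-commands used (x509 -pubkey, pkey -pubout, x509 -checkend) are standard, and the files in the demo at the bottom are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the slides): checks to run on the host credential
# pair in /etc/grid-security before starting VOMS. Paths and expected owner
# are parameters; the files used in the demo at the bottom are constructed.

# ls -l style mode string ("-r--------") and owner name of a file.
_mode()  { ls -ld "$1" | cut -c1-10; }
_owner() { ls -ld "$1" | awk '{ print $3 }'; }

# check_perms CERT KEY [OWNER]: 0 when both files exist, belong to OWNER
# (default root), the key is readable by its owner only (0400 as on the
# slide, or 0600) and the certificate is at most world-readable and never
# group/other-writable or executable.
check_perms() {
    _cert=$1; _key=$2; _own=${3:-root}
    [ -f "$_cert" ] && [ -f "$_key" ] || { echo "missing $_cert or $_key" >&2; return 1; }
    for _f in "$_cert" "$_key"; do
        [ "$(_owner "$_f")" = "$_own" ] || { echo "$_f: owner is not $_own" >&2; return 1; }
    done
    case "$(_mode "$_key")" in
        -r--------|-rw-------) ;;
        *) echo "$_key: mode must be 0400 (or 0600), got $(_mode "$_key")" >&2; return 1 ;;
    esac
    case "$(_mode "$_cert")" in
        -r[w-]-r--r--|-r[w-]-r-----|-r[w-]-------) ;;
        *) echo "$_cert: mode must be 0644 or tighter, got $(_mode "$_cert")" >&2; return 1 ;;
    esac
    return 0
}

# check_key_unencrypted KEY: a service key must not need a passphrase
# (the PEM "ENCRYPTED" marker appears in both legacy and PKCS#8 form).
check_key_unencrypted() {
    if grep -q 'ENCRYPTED' "$1"; then
        echo "$1: key is passphrase-protected" >&2; return 1
    fi
    return 0
}

# check_keypair CERT KEY: the public key inside CERT must equal the one
# derived from KEY, CERT must not be expired, and a warning is printed when
# it expires within 30 days. Skipped (returns 0) when openssl is absent.
check_keypair() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, keypair check skipped" >&2; return 0; }
    _cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo "$1: unreadable certificate" >&2; return 1; }
    _kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null)       || { echo "$2: unreadable key" >&2; return 1; }
    [ "$_cpub" = "$_kpub" ] || { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "$1: certificate has expired" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null || echo "warning: $1 expires within 30 days" >&2
    return 0
}

# check_host_credentials [CERT] [KEY] [OWNER]: all checks on the real paths.
check_host_credentials() {
    _c=${1:-/etc/grid-security/hostcert.pem}
    _k=${2:-/etc/grid-security/hostkey.pem}
    check_perms "$_c" "$_k" "${3:-root}" && check_key_unencrypted "$_k" && check_keypair "$_c" "$_k"
}

# Demo on constructed files: a 0644 key is rejected, a 0400 key accepted.
_d=$(mktemp -d)
printf 'dummy cert\n' > "$_d/hostcert.pem"; chmod 644 "$_d/hostcert.pem"
printf 'dummy key\n'  > "$_d/hostkey.pem";  chmod 644 "$_d/hostkey.pem"
check_perms "$_d/hostcert.pem" "$_d/hostkey.pem" "$(id -un)" || echo "demo: 0644 key rejected, as expected"
chmod 400 "$_d/hostkey.pem"
check_perms "$_d/hostcert.pem" "$_d/hostkey.pem" "$(id -un)" && echo "demo: 0400 key accepted"
rm -rf "$_d"
```

On the server itself run check_host_credentials with no arguments (as root) after the chmod steps above; a non-zero exit explains on stderr which check failed.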

Configuration
• Make a copy of the template XML files
  # cd /opt/glite/etc/config/templates
  # cp *.xml ..
  # cd ..
• Values to change are flagged by the value "changeme".

glite-global.cfg.xml
• Open the configuration file with a text editor (vi, nano, ...)
  # vi glite-global.cfg.xml
  JAVA_HOME - value="/usr/java/jdk1.6.0_20"
• PLEASE VERIFY THE Java VERSION: the value must point at the JDK actually installed under /usr/java/jdk...

glite-security-utils.cfg.xml
• cron.mailto - value="" (the address that receives the mail sent by the security-utils cron jobs)

glite-voms-server.cfg.xml
• This XML seems corrupted; at the top it should look like the header shown on the slide (the image is not reproduced here).

glite-voms-server.cfg.xml
• Other values to customize:
  voms.db.type - value="mysql"
  voms.db.host - value="localhost"
  voms.admin.smtp.host - value="localhost"
  voms.mysql.admin.password - value="secure"
• voms.mysql.admin.password is the MySQL root password set earlier. The configuration files now hold it in clear text, so keep them readable by root only.

vo-list.cfg.xml
• Other values to customize:
  vo.name - value="cerist"
  voms.hostname - value="cerist.XX.grid.arn.dz"
  port.number - value="15000"
  voms.cert.url - value=""
  vo - value="voname"
  vo.name - value="voname"
  voms.cert.url - value=""
• Go back to the terminal and get the server certificate subject:
  # openssl x509 -in /etc/grid-security/hostcert.pem -subject -noout

vo-list.cfg.xml
• Complete with the other values to customize:
  voms.cert.subj - value=""
  voms.db.name - value="vomsdb"
  voms.db.user.name - value="vomsusr"
  voms.db.user.password - value="vomsusrpwd"
  vo.sgm.vo.role - value="LCGAdmin"
  pool.account.basename - value=""
  pool.account.group - value=""
  pool.account.number - value="1"
  pool.lsfgid - value=""
  voms.db.host - value="localhost"
  voms.admin.smtp.host - value="localhost"
  voms.admin.notification.e-mail - value=""

vo-list.cfg.xml
• Get the admin user certificate:
  # scp algiers.XX@glite-tutor.ct.infn.it:.globus/usercert.pem /etc/grid-security/usercert.pem
• Complete the values:
  voms.admin.certificate="/etc/grid-security/usercert.pem"

VOMS Configuration and Execution
• Just execute the Python configuration script:
  # scripts/glite-voms-server-config.py --configure
• Then start the VOMS server:
  # scripts/glite-voms-server-config.py --start
• To check the status:
  # scripts/glite-voms-server-config.py --status
• To use the built-in command line tools, source the following file in root's .bashrc:
  source /etc/glite/profile.d/glite_setenv.sh

Testing (Admin)
• Load the admin user certificate in your browser.
• Connect with this browser to https://<hostname>:8443/voms/cerist (here the host is cerist.XX.grid.arn.dz).
• The service works if the admin page appears.
• Subscribe to your VO with the 'Register!' button.

Registration procedure (diagram with three parties: VO USER, VOMS SERVER, VO ADMIN)
1. VO user: membership request via the web interface
2. VOMS server: request confirmation via email
3. VO user: confirmation of email address
4. VOMS server: request notification to the VO admin
5. VO admin: accept / deny via the web interface
6. VOMS server: create user (if accepted)
7. VOMS server: notification of accept/deny to the user

Screenshots: Registration, Confirmation, Approval, Acknowledge.

Usage and Maintenance
• People having user certificates delivered by a recognized CA (LCG-CA) may request to subscribe to your VO.
• Requests are notified via e-mail to both the requestor and the administrator.
• More than one VO can be created.
• From the web GUI different roles may be assigned to the users.
• Grid services supporting the new VO must have the VO-specific settings properly configured in the site-info.def file (example for a VO named africacert; <VONAME> stands for the VO name as YAIM expects it in variable names):
  #######
  # VONAME #
  #######
  VO_<VONAME>_SW_DIR=$VO_SW_DIR/africacert
  VO_<VONAME>_DEFAULT_SE=$SE_HOST
  VO_<VONAME>_STORAGE_DIR=$CLASSIC_STORAGE_DIR/africacert
  VO_<VONAME>_VOMS_SERVERS="'vomss://voms.ct.infn.it:8443/voms/africacert?/africacert'"
  VO_<VONAME>_VOMSES="'africacert voms.ct.infn.it 15004 /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it africacert'"
  VO_<VONAME>_VOMS_CA_DN="'/C=IT/O=INFN/CN=INFN CA'"

Administration GUI (screenshots): users list, user details.

UI Testing (User)
• Take the VOMSES string from the 'Configuration' menu on the web GUI and copy it into the .glite/vomses file in your UI's $HOME (create it if necessary).
• Then:
  $ voms-proxy-init --voms cerist
  Enter GRID pass phrase:
  Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno
  Creating temporary proxy ..................... Done
  Contacting cerist02.grid.arn.dz:15000 [/C=IT/O=GILDA/OU=Host/L=ALGIERS/CN=cerist02.grid.arn.dz] "cerist" Failed
  Creating proxy ..................... Done
  Your proxy is valid until Tue Jun 29 04:34:45 2010
• Note the "Failed" on the contact line: voms-proxy-init still created a proxy, but one that carries no VOMS attribute certificate. Check with voms-proxy-info --all that the expected FQAN is present before concluding that the VOMS step worked.
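The vomses string copied here and the site-info.def VO block on the Usage and Maintenance slide describe the same server, so they are worth generating from one source and cross-checking. As an added example that is not part of the slides or of YAIM, the POSIX shell functions below read vomses lines (five double-quoted fields: alias, host, vomsd port, server DN, VO name), reject lines whose port is not a TCP port or whose DN does not name the host it is used for (the DN is what voms-proxy-init checks the server's certificate against), and print the site-info.def variables for a VO. Assumptions: the VO_<NAME>_ prefix is formed by upper-casing the VO name and turning '.' and '-' into '_', as YAIM does; the admin port 8443 in the vomss:// URL is taken from the slide, since a vomses line only carries the vomsd port; the sample vomses content in the demo is constructed from the slides' cerist values plus one deliberately mismatched line.

```shell
#!/bin/sh
# Added example (not from the slides): parse a vomses file, validate each
# server line and emit the site-info.def VO block in the form the slide
# shows. The vomses lines below are constructed; the admin port 8443 in the
# vomss:// URL is an assumption (a vomses line carries only the vomsd port).

# vomses_fields LINE: the five double-quoted fields, '|'-separated, or
# nothing if the line does not have exactly that shape.
vomses_fields() {
    printf '%s\n' "$1" | awk -F'"' 'NF == 11 { printf "%s|%s|%s|%s|%s\n", $2, $4, $6, $8, $10 }'
}

# vomses_check LINE: 0 when the line is usable. The DN is what voms-proxy-init
# expects the server to present, so its CN (optionally "host/"-prefixed, as
# some host certificates are issued) must be the host it connects to, and
# the port must be a real TCP port.
vomses_check() {
    _f=$(vomses_fields "$1")
    [ -n "$_f" ] || { echo "not five quoted fields: $1" >&2; return 1; }
    _alias=${_f%%|*}; _f=${_f#*|}
    _host=${_f%%|*};  _f=${_f#*|}
    _port=${_f%%|*};  _f=${_f#*|}
    _dn=${_f%%|*};    _vo=${_f#*|}
    case "$_port" in ''|*[!0-9]*) echo "port not numeric: '$_port'" >&2; return 1 ;; esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || { echo "port out of range: $_port" >&2; return 1; }
    case "$_dn" in /*) ;; *) echo "DN must be a slash-separated subject: '$_dn'" >&2; return 1 ;; esac
    _cn=${_dn##*/CN=}; _cn=${_cn#host/}
    [ "$_cn" = "$_host" ] || { echo "CN '$_cn' does not match host '$_host'" >&2; return 1; }
    [ "$_alias" = "$_vo" ] || echo "note: alias '$_alias' differs from VO name '$_vo'" >&2
    return 0
}

# siteinfo_vo_block VONAME VOMSES_LINE CA_DN: print the VO block for
# site-info.def. Variable names use the VO name upper-cased with '.' and '-'
# replaced by '_' (YAIM's convention); CA_DN is the CA of the VOMS host cert.
siteinfo_vo_block() {
    vomses_check "$2" || return 1
    _f=$(vomses_fields "$2")
    _host=$(printf '%s\n' "$_f" | cut -d'|' -f2)
    _port=$(printf '%s\n' "$_f" | cut -d'|' -f3)
    _dn=$(printf '%s\n' "$_f" | cut -d'|' -f4)
    _vo=$(printf '%s\n' "$_f" | cut -d'|' -f5)
    _u=$(printf '%s\n' "$1" | tr 'a-z.-' 'A-Z__')
    cat <<EOF
#######
# $1 #
#######
VO_${_u}_SW_DIR=\$VO_SW_DIR/$1
VO_${_u}_DEFAULT_SE=\$SE_HOST
VO_${_u}_STORAGE_DIR=\$CLASSIC_STORAGE_DIR/$1
VO_${_u}_VOMS_SERVERS="'vomss://$_host:8443/voms/$_vo?/$_vo'"
VO_${_u}_VOMSES="'$_vo $_host $_port $_dn $_vo'"
VO_${_u}_VOMS_CA_DN="'$3'"
EOF
}

# Constructed vomses content: the cerist line from the slides, and a line
# whose DN belongs to a different host than the one it names.
SAMPLE_VOMSES='"cerist" "cerist02.grid.arn.dz" "15000" "/C=IT/O=GILDA/OU=Host/L=ALGIERS/CN=cerist02.grid.arn.dz" "cerist"
"africacert" "voms.ct.infn.it" "15004" "/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.example.org" "africacert"'

printf '%s\n' "$SAMPLE_VOMSES" | while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if vomses_check "$line"; then echo "OK:       $line"; else echo "REJECTED: $line"; fi
done

CERIST_LINE=$(printf '%s\n' "$SAMPLE_VOMSES" | head -n 1)
siteinfo_vo_block cerist "$CERIST_LINE" '/C=IT/O=GILDA/CN=GILDA CA'
```

Run the loop over the real $HOME/.glite/vomses (or /etc/vomses) of a UI to catch a copy-and-paste error before voms-proxy-init reports a failed contact, and paste the printed block into site-info.def on the services that must accept the new VO.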

Log and scripts
• Log files can be found in /var/log/messages and /var/log/glite/voms.<VO NAME>
• Init scripts can be found in /opt/glite/etc/config/scripts/

Command Line Interface
  # voms-admin --help
  voms-admin v. 2.0.10
  Usage: voms-admin [OPTIONS] --vo=NAME [--host HOST] [--port PORT] COMMAND PARAM...
  Options:
    --help              Print this short help message.
    --list-commands     Print a list of available commands.
    --help-command CMD  Print help about command CMD.
    --help-commands     Print help for all available commands.
    --version           Print version string.
    --verbose           Print more messages.
    --nousercert        Don't extract DNs from supplied certificates.

CLI examples
  # voms-admin --vo cerist get-vo-name
  /cerist
  # voms-admin --vo cerist list-users
  /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno, /C=IT/O=GILDA/CN=GILDA CA riccardo.bruno@ct.infn.it
  # voms-admin --vo cerist list-roles
  Role=VO-Admin
  # voms-admin --vo cerist create-user
  Missing X509 cert argument!
  (the usercert.pem argument is missing)
  # voms-admin --vo cerist create-user usercert.pem

References
• VOMS Installation guide: https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf
• EUMEDGRID-Support Wiki: http://wiki.eumedgrid.eu/bin/view and http://wiki.eumedgrid.eu/twiki/bin/view/InfrastructureStatus/EumedSiteInstallation
• EUMEDGRID VOMS@CNAF: https://voms2.cnaf.infn.it:8443/voms/eumed/Login.do

Algiers, Joint EPIKH/EUMEDGRID-Support in Algeria, 27.06.2010