The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How)
VOMS Installation and configuration
Riccardo Rotondo (riccardo.rotondo@ct.infn.it)
National Institute of Nuclear Physics
Asia 2 2011 - Joint CHAIN/EU-IndiaGrid2/EPIKH School for Grid Site Administrators, Kolkata, 02.2011
www.epikh.eu

Overview: Outline
• Virtual Organization Membership Services overview
• gLite VOMS:
  • Installation on VOMS
  • Configuration on VOMS

VOMS: Introduction
• Virtual Organization Membership Service (VOMS)
  – Account Database
    § Serving information in a special format (VOMS credentials)
    § Can be administered via command line & via web interface
  – Provides information on the user's relationship with his/her Virtual Organization (VO)
    § VO membership
    § Group membership
    § Roles of user

VOMS: Authorization
• Virtual Organizations (VOs): groups of Grid users (authenticated through digital certificates).
• VO Management Service (VOMS): serves as a central database for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc.
• VO Manager: according to VO policies and rules, authorizes authenticated users to become VO members.
• At the time the proxy is created, one or more VOMS servers are contacted. They return an Attribute Certificate (AC), signed by the VO, that contains information about group membership and roles within the VO.

VOMS Installation

Requirements
• One machine:
  • Architecture: 32 bit only (if you want to use mysql server)
  • Operating System: Scientific Linux 5 or 4
  • Public IP address, direct and reverse address resolution on a DNS, and equipped with an X509 certificate.

Metapackage: Which metapackages are we going to install?
There are several kinds of metapackages to install:
• lcg-CA: LHC Computing Grid rpm collection to support external Certification Authorities.
• glite-VOMS_mysql: contains all rpms for VOMS administration and usage.

Pre-installation
Check that the machine's date is correct with:
# date
• If the ntp date isn't correct:
# /etc/init.d/ntpd status
# ntpdate ntp-1.infn.it
• If not, configure the file and make the service start on boot:
# /etc/init.d/ntpd start
# chkconfig ntpd on

The official jpackage repository is currently broken and not usable.
#### Use its mirror at GARR
cat > /etc/yum.repos.d/jpackage.repo <

Repository: Repository set up (by ERI repo)
Add to the system the repositories specific to the middleware to install:
# cd /etc/yum.repos.d/
# mv dag.repo.stop
# mv lcg-ca.stop
# REPO="dag glite-generic lcg-ca glitevoms_mysql"
# for rep_name in $REPO; do wget http://putlocal-repo/mrepo/$rep_name.repo; done

Installing: Middleware component installation
Use yum to install the needed packages:
# yum clean all
# yum install -y lcg-CA
# yum install -y glite-VOMS_mysql --enablerepo=dag

Transaction Check Error:
file /opt/glite/libvomsapi.a conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
file /opt/glite/libvomsapi.so.0.0.0 conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
file /opt/glite/libvomsapi_nog.a conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4
file /opt/glite/libvomsapi_nog.so.0.0.0 conflicts between attempted installs of glite-security-voms-api-noglobus-1.9.10-6.slc4 and glite-security-voms-api-cpp-1.9.10-12.slc4

Installing/2: Transaction Check Error Solution
Disable the glite-generic update repo:
# vi glite-generics.repo

[glite-generic_sl4_i386_updates]
name = gLite generic 3.1 i386 (updates)
baseurl = http://grid-it.cnaf.infn.it/mrepo/glite_sl4-i386/RPMS.generic-updates/
enabled = 0
protect = 0

Installing/2: Transaction Check Error Solution
Install these packages manually:
# rpm -ivh http://glitesoft.cern.ch/EGEE/gLite/R3.1/glite-VOMS_mysql/sl4/i386/RPMS.release/glite-security-voms-api-noglobus-1.8.8-2.slc4.i386.rpm
# rpm -ivh http://grid-it.cnaf.infn.it/mrepo/glite_sl4-i386/RPMS.generic-updates/glite-security-util-java-2.8.0-1.noarch.rpm
• And then run again:
# yum install -y glite-VOMS_mysql --enablerepo=dag

Installing/3: MySQL Server
Some preliminary steps before configuration.
• Install MySQL server:
# yum install mysql-server
# /etc/init.d/mysqld start
# chkconfig mysqld on
• Set up the MySQL root password:
# /usr/bin/mysqladmin -u root -h localhost password 'securePassword'

Installing/4: Mail Server
Start the mail server:
# /etc/init.d/sendmail start
# chkconfig sendmail on

Before configuration: Certificate
• Copy the host certificate to the correct path and set the right permissions.
# cd
# mv SRVXX.eun.eg/SRVXX.eun.eg-cert.pem /etc/grid-security/hostcert.pem
# mv SRVXX.eun.eg/SRVXX.eun.eg-key.pem /etc/grid-security/hostkey.pem
# chmod 400 /etc/grid-security/hostkey.pem
# chmod 600 /etc/grid-security/hostcert.pem

Before configuration/2: Configuration
• VOMS configuration does not use YAIM; manual XML configuration is required, as in old gLite installations.
• Make a copy of the template XML files:
# cd /opt/glite/etc/config/templates
# cp *.xml ..
# cd ..
• Values to change are flagged by the value "changeme".

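A pre-flight check for the two preparation steps above (host credential permissions and leftover "changeme" template values), as an added example that is not part of the original slides. The function names are hypothetical; the paths and modes are the ones the slides use.

```shell
#!/bin/sh
# Added example, not from the original slides. Function names are hypothetical;
# the paths and modes are the ones the slides use.

# check_mode FILE MODE: pass only if FILE is a regular file (not a symlink)
# whose permission bits are exactly MODE (octal).
check_mode() {
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "MISSING  $1"; return 1; }
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ] ||
        { echo "BAD MODE $1 (want $2): $(ls -ld "$1")"; return 1; }
}

# check_host_credentials DIR: the modes set on the "Certificate" slide.
check_host_credentials() {
    cred_rc=0
    check_mode "$1/hostkey.pem" 400 || cred_rc=1
    check_mode "$1/hostcert.pem" 600 || cred_rc=1
    return $cred_rc
}

# check_no_placeholders DIR: fail if any *.cfg.xml copied from the templates
# still holds the literal "changeme", or if no config file can be read.
check_no_placeholders() {
    grep_rc=0
    hits=$(grep -Hn 'changeme' "$1"/*.cfg.xml 2>/dev/null) || grep_rc=$?
    case $grep_rc in
        1) return 0 ;;                                  # no placeholder left
        0) echo "UNSET VALUES:"; echo "$hits"; return 1 ;;
        *) echo "NO READABLE *.cfg.xml IN $1"; return 1 ;;
    esac
}

# preflight CERT_DIR CONFIG_DIR: run both checks and report every problem.
preflight() {
    pf_rc=0
    check_host_credentials "$1" || pf_rc=1
    check_no_placeholders "$2" || pf_rc=1
    return $pf_rc
}

# Runs only with --run, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    preflight /etc/grid-security /opt/glite/etc/config && echo "pre-flight OK"
fi
```

Run it with --run as root before glite-voms-server-config.py --configure; a non-zero exit status means at least one check failed.
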
Configuring/2: glite-global.cfg.xml
• Verify the Java version:
# java -version
[root@server2 ~]# java -version
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) 64-Bit Server VM (build 16.3-b01, mixed mode)
• Set the value:
# vi glite-global.cfg.xml

Configuring/3: glite-security-utils.cfg.xml
# vi glite-security-utils.cfg.xml

Configuring/4: glite-voms-server.cfg.xml
• Change this file so that it includes the other configuration files, by putting these lines at the beginning:
# vi glite-voms-server.cfg.xml

Configuring/5: glite-voms-server.cfg.xml
• Parameters to be set in the same file:
# vi glite-voms-server.cfg.xml

Configuring/7: vo-list.cfg.xml
• Continue editing the file:
# vi vo-list.cfg.xml

Configuring/8: vo-list.cfg.xml
• Get the admin host certificate from the UI (in this case I'm using the ones created in the GILDA UI for this tutorial; the password is GridCAIXX):
# scp cairoXX@glite-tutor.ct.infn.it:.globus/usercert.pem /etc/grid-security/usercert.pem
• And put that path in the vo-list.cfg.xml file:
# vi vo-list.cfg.xml

Configuring/9: Running configuration script
• Run the python configuration script:
# scripts/glite-voms-server-config.py --configure
• Start the VOMS server service:
# scripts/glite-voms-server-config.py --start
• To check the status:
# scripts/glite-voms-server-config.py --status
• Set the environment to use the built-in command line tool:
source /etc/glite/profile.d/glite_setenv.sh

Administration: Administration test
Load the Admin User certificate in your browser.
Connect with this browser to: https://

Registration procedure: VOMS new user
Actors: VO USER, VOMS SERVER, VO ADMIN
• Membership request via Web interface
• Request confirmation via email
• Confirmation of email address
• Request notification
• Accept / deny via web interface
• Create user (if accepted)
• Notification of accept/deny

Administration: Registration confirmation
Approval … Acknowledge

Administration/2: Administration GUI
Users list
User details

Administration/3: Usage and Maintenance
• People having user certificates delivered by recognized CAs (LCG-CA) may request to subscribe to your VO.
• Requests will be notified via e-mail to both the requestor and the administrator.
• More than one VO can be created.
• From the Web GUI, different Roles may be defined for the users.
• Grid services supporting the new VO must have the specific VO settings properly configured in the site-info.def file:

#####
# euindia #
#####
VO_EUINDIA_SW_DIR=$VO_SW_DIR/euindia
VO_EUINDIA_DEFAULT_SE=prod-se-02.pd.infn.it
VO_EUINDIA_STORAGE_DIR=$CLASSIC_STORAGE_DIR/euindia
VO_EUINDIA_VOMS_SERVERS="vomss://voms2.cnaf.infn.it:8443/voms/euindia?/euindia"
VO_EUINDIA_VOMSES="euindia voms2.cnaf.infn.it 15010 /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms2.cnaf.infn.it euindia"
VO_EUINDIA_VOMS_CA_DN="'/C=IT/O=INFN/CN=INFN CA'"
VO_EUINDIA_WMS_HOSTS="eu-india-02.pd.infn.it"

Administration/4: Usage and Maintenance
• Take the VOMSES string from the 'Configuration' menu on the web GUI.
• Copy it into the .glite/vomses file in your UI's $HOME account; create it if necessary.

Log: Logs and scripts
• Log files can be found in:
/var/log/messages
/var/log/glite/voms.

Testing: Command Line Interface
# voms-admin --help
voms-admin v. 2.0.10
Usage: voms-admin [OPTIONS] --vo=NAME [--host HOST] [--port PORT] COMMAND PARAM...
Options:
  --help              Print this short help message.
  --list-commands     Print a list of available commands.
  --help-command CMD  Print help about command CMD.
  --help-commands     Print help for all available commands.
  --version           Print version string.
  --verbose           Print more messages.
  --nousercert        Don't extract DNs from supplied certificates.

Testing: CLI Examples
# voms-admin --vo gilda get-vo-name
/cerist
# voms-admin --vo gilda list-users
/C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Riccardo Bruno, /C=IT/O=GILDA/CN=GILDA CA riccardo.bruno@ct.infn.it
# voms-admin --vo gilda list-roles
Role=VO-Admin
# voms-admin --vo gilda create-user
Missing X509 cert argument!
The usercert.pem argument is missing:
# voms-admin --vo gilda create-user usercert.pem

Any questions? Thank you for your kind attention!


