
VOMS and MyProxy Server installation and configuration

VOMS and MyProxy Server installation and configuration. Pedro Henrique Rausch Bello Instituto de Física - UFRJ Third EELA Tutorial for users and managers Rio de Janeiro, 30.06.2006. Outline. Why MyProxy? Proxy Renewal mechanism Why VOMS? Supporting new Virtual Organisations



  1. VOMS and MyProxy Server installation and configuration Pedro Henrique Rausch Bello Instituto de Física - UFRJ Third EELA Tutorial for users and managers Rio de Janeiro, 30.06.2006

  2. Outline
  • Why MyProxy?
    • Proxy renewal mechanism
  • Why VOMS?
    • Supporting new Virtual Organisations
  • MyProxy Server installation
    • Setting server parameters
    • Startup scripts
    • Server start
  • Testing the MyProxy Server
    • myproxy-init -s <myproxy server>
    • myproxy-get-delegation -s <myproxy server>
  Rio de Janeiro, 3rd EELA Tutorial, 26.06.2006

  3. Outline
  • VOMS Server installation
    • Setting server parameters
  • Supporting new VOs
    • Adding a new VO
    • Testing the VOMS server

  4. Why MyProxy? - Long term proxy
  • A proxy has a limited lifetime (the default is 12 h).
  • Long jobs may outlive the validity of the initial proxy; if that happens the job dies prematurely.
  • The WMS can renew proxies automatically if the user's credentials are stored on a MyProxy server (proxy renewal service).
  • When a user's proxy is about to expire, the proxy renewal daemon contacts the MyProxy server and renews the credential.
  • The user has to store the credential with:
    myproxy-init -s <server> -t <hours> -d -n
    (-d uses the certificate DN as the MyProxy username; -n stores the credential without a passphrase so the renewal service can use it, which is why the server's authorized_renewers policy should name only the WMS host)
  • and specify which MyProxy server has to be contacted in the job's JDL:
    MyProxyServer = "grid001.ct.infn.it";

  5. Virtual Organization Membership Service (VOMS)
  • Account database
    • Serves information in a special format (VOMS credentials)
    • Can be administered via the command line and via a web interface
  • Provides information on the user's relationship with his/her Virtual Organization (VO):
    • VO membership
    • Group membership
    • Roles of the user

  6. VOMS - components
  • VOMS Core Services
    • Server - returns authorization info to the client.
    • Client
      • voms-proxy-init queries the server for authorization info and creates a proxy certificate that includes it.
      • voms-proxy-info shows the info included in a proxy.
      • voms-proxy-destroy removes the local proxy.
  • VOMS Admin - a Java server application used to manage users and their privileges for a VO.

  7. VOMS Server architecture
  • The server is essentially a front-end to the database where all the information about users is kept.

  8. Registration process (VO user, VOMS server, VO admin)
  • The VO user submits a membership request via the web interface
  • The VOMS server asks for confirmation of the request via email
  • The user confirms the email address
  • The VOMS server notifies the VO admin of the request
  • The VO admin accepts or denies it via the web interface
  • The VOMS server creates the user (if accepted)
  • The user is notified of the accept/deny decision

  9. Groups
  • The number of users of a VO can be very high:
    • e.g. the ATLAS experiment has 2000 members
  • Make the VO manageable by organizing users in groups. Examples:
    • VO BIOMED-FRANCE
      • Group Paris
      • Sorbonne University
      • Group Prof. de Gaulle
      • Central University
      • Group Lyon
      • Group Marseille
    • VO BIOMED-FRANCE
      • BIOMED-FRANCE/STAFF can write to normal storage
      • BIOMED-FRANCE/STUDENT can only write to volatile space
  • Groups can have a hierarchical structure
  • Group membership is added automatically to your proxy when doing a voms-proxy-init

  10. Roles
  • A role is a specific function a user has that distinguishes him or her from the others in the group:
    • Software manager
    • Administrator
    • Manager
  • Difference between roles and groups:
    • Roles have no hierarchical structure - there is no sub-role
    • Roles are not used in 'normal operation':
      • They are not added to the proxy by default when running voms-proxy-init
      • But they can be added to the proxy for special purposes when running voms-proxy-init (voms-proxy-init -voms <vo>:/<group>/Role=<role>)
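Slides 9 and 10 describe groups and roles only in prose. The script below is an added example (ours, not code from the EELA tutorial or the VOMS project): it parses the FQANs that `voms-proxy-info -fqan` prints and turns group and role membership into the BIOMED-FRANCE storage decision from slide 9. The FQAN layout `/VO[/subgroup...]/Role=<role>/Capability=<cap>` is VOMS's own; the policy table and the sample FQANs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the EELA slides or VOMS): map VOMS FQANs to an
# authorization decision. FQAN format is real; policy and samples are ours.

# fqan_group FQAN -> the group path (FQAN without the Role= and Capability= fields)
fqan_group() {
    printf '%s\n' "$1" | sed -e 's#/Role=[^/]*##' -e 's#/Capability=[^/]*##'
}

# fqan_role FQAN -> the role, or an empty string when it is NULL
# (roles appear only if requested: voms-proxy-init -voms vo:/group/Role=role)
fqan_role() {
    case "$1" in
        */Role=*) r=${1#*/Role=}; r=${r%%/*} ;;
        *)        r= ;;
    esac
    if [ "$r" = NULL ]; then r=; fi
    printf '%s\n' "$r"
}

# has_role FQANS ROLE -> success when any FQAN (one per line) carries ROLE
has_role() {
    old_ifs=$IFS; IFS='
'
    for f in $1; do
        if [ "$(fqan_role "$f")" = "$2" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# storage_policy FQANS -> write | volatile | none, following slide 9:
#   /BIOMED-FRANCE/STAFF (and subgroups)   may write to normal storage
#   /BIOMED-FRANCE/STUDENT (and subgroups) may only write to volatile space
#   anything else                          gets nothing
storage_policy() {
    policy=none
    old_ifs=$IFS; IFS='
'
    for f in $1; do
        case "$(fqan_group "$f")" in
            /BIOMED-FRANCE/STAFF|/BIOMED-FRANCE/STAFF/*) policy=write ;;
            /BIOMED-FRANCE/STUDENT|/BIOMED-FRANCE/STUDENT/*)
                if [ "$policy" != write ]; then policy=volatile; fi ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$policy"
}

# Constructed sample: a BIOMED-FRANCE student who also asked for the
# SoftwareManager role. The first FQAN is the primary one, as in real output.
SAMPLE_FQANS='/BIOMED-FRANCE/STUDENT/Role=NULL/Capability=NULL
/BIOMED-FRANCE/Role=SoftwareManager/Capability=NULL
/BIOMED-FRANCE/Role=NULL/Capability=NULL'

echo "storage: $(storage_policy "$SAMPLE_FQANS")"
if has_role "$SAMPLE_FQANS" SoftwareManager; then echo "SoftwareManager role present"; fi
if ! has_role "$SAMPLE_FQANS" Administrator; then echo "Administrator role absent"; fi
```

A service would feed it the real output (`voms-proxy-info -fqan`) instead of `SAMPLE_FQANS`. Note that the student's `/BIOMED-FRANCE/Role=NULL` entry is plain VO membership and grants nothing on its own, and that the role only shows up because it was requested at `voms-proxy-init` time.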

  11. Installing MyProxy Server with GILDA middleware

  12. Installation Pre-requisites
  • Start from the base machine you installed in the INTRODUCTORY tutorial
  • Verify that these packages are installed and properly configured:
    • Java SDK
    • Ntp daemon
    • glite-yaim-3.0.0
    • gilda_ig-yaim-3.0.0
  • Also check that your host certificates are present in /etc/grid-security and have proper permissions (certificate world-readable, private key readable by root only):
    -rw-r--r-- 1 root root 1127 Jun 14 12:27 hostcert.pem
    -r-------- 1 root root  887 Jun 14 12:28 hostkey.pem

  13. site-info.def customization
  • Copy /opt/glite/yaim/examples/site-info.def to /root/site-info.def and edit these fields:
    MY_DOMAIN=eela.if.ufrj.br
    PX_HOST=eelatut10.$MY_DOMAIN
    MON_HOST=eelatut03.$MY_DOMAIN
    NTP_HOSTS="146.164.36.25"
    JAVA_LOCATION="/usr/java/j2sdk1.4.2_08"
    INSTALL_SERVER_HOST=gaia.$MY_DOMAIN
    OS_REPOSITORY="rpm http://$INSTALL_SERVER_HOST/yam sl305-i386 os updates contrib"
    LCG_REPOSITORY="rpm http://$INSTALL_SERVER_HOST/yam glite_sl3-i386 3_0 3_0_externals 3_0_updates"
    IG_REPOSITORY="rpm http://$INSTALL_SERVER_HOST/yam ig_sl3-i386 3_0_0 utils"
    GILDA_REPOSITORY="rpm http://$INSTALL_SERVER_HOST/yam gilda_sl3-i386 app 3_0_0"
    CA_REPOSITORY="rpm http://$INSTALL_SERVER_HOST/yam glite_sl3-i386 security"

  14. Middleware installation with YAIM
  • We are ready to install the MyProxy Server:
    /opt/glite/yaim/scripts/gilda_ig_install_node /root/site-info.def GILDA_ig_PX
  • This command downloads and installs all the needed packages.
  • Now we can configure the node:
    /opt/glite/yaim/scripts/gilda_ig_configure_node /root/site-info.def GILDA_ig_PX

  15. Installing MyProxy Server with plain gLite middleware

  16. Installation Pre-requisites
  • Start from the base machine you installed in the INTRODUCTORY tutorial
  • Verify that these packages are installed and properly configured:
    • Java SDK
    • Ntp daemon
    • glite-yaim-3.0.0
  • Also check that your host certificates are present in /etc/grid-security and have proper permissions:
    -rw-r--r-- 1 root root 1127 Jun 14 12:27 hostcert.pem
    -r-------- 1 root root  887 Jun 14 12:28 hostkey.pem

  17. site-info.def customization
  • Copy /opt/glite/yaim/examples/site-info.def to /root/site-info.def and edit these fields:
    MY_DOMAIN=eela.if.ufrj.br
    PX_HOST=eelatut10.$MY_DOMAIN
    MON_HOST=eelatut03.$MY_DOMAIN
    JAVA_LOCATION="/usr/java/j2sdk1.4.2_08"
    OS_REPOSITORY="rpm http://gaia.eela.if.ufrj.br/yam sl305-i386 os updates contrib"
    LCG_REPOSITORY="rpm http://gaia.eela.if.ufrj.br/yam glite_sl3-i386 3_0 3_0_externals 3_0_updates"
    CA_REPOSITORY="rpm http://gaia.eela.if.ufrj.br/yam glite_sl3-i386 security"

  18. Middleware installation with YAIM
  • We are ready to install the MyProxy Server:
    /opt/glite/yaim/scripts/install_node /root/site-info.def glite-PX
  • This command downloads and installs all the needed packages.
  • Now we can configure the node:
    /opt/glite/yaim/scripts/configure_node /root/site-info.def PX

  19. Notes on MyProxy Server Installation

  20. Changes made to the system
  • The following changes were made to the system:
    • Software installed in /opt
    • Services added to /etc/init.d/:
      • globus-mds
      • rgma-gin
      • myproxy
    • globus-gatekeeper and globus-gridftp are installed, but not configured for the MyProxy installation
  • MyProxy configuration file:
    • /etc/myproxy-server.config

  21. Firewall Configuration
  • Be sure that your firewall is open on the MyProxy listening port (7512/tcp).
  • For instance, add the following line to /etc/sysconfig/iptables and restart the firewall:
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7512 -j ACCEPT

  22. Testing MyProxy Server

  23. Changes in myproxy-server.config
  • Copy /opt/globus/etc/myproxy-server.config to /etc, overwriting the existing file
  • Edit /etc/myproxy-server.config to define the access policies according to your needs.
  • To authorize all retrievers and renewers, uncomment:
    accepted_credentials "*"     (certificate subjects whose credentials may be stored on the server)
    authorized_retrievers "*"    (certificate subjects allowed to retrieve, i.e. request delegation of, a stored credential)
    default_retrievers "*"       (retriever policy applied to credentials stored without an explicit one)
    authorized_renewers "*"      (certificate subjects, typically the WMS host, allowed to renew a stored credential)
    default_renewers "none"      (renewer policy applied to credentials stored without an explicit one)
  • "*" is acceptable for a tutorial; on a production server restrict authorized_renewers to the DN(s) of your WMS host(s) and authorized_retrievers/accepted_credentials to your CA's namespace.
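The policy on slide 23 is deliberately wide open. The script below is an added example (ours, not part of the slides or of MyProxy): it reads the policy directives of a myproxy-server.config and flags the settings a production server should not keep. The directive names are the real ones from the slide; the two sample files (the slide's policy and a hardened variant whose WMS hostname `wms.eela.if.ufrj.br` is hypothetical) and the findings rules are constructed here.

```shell
#!/bin/sh
# Added example (not from the EELA slides or MyProxy): audit the access policy
# in a myproxy-server.config. Directive names are real; samples and rules are ours.

# policy_value FILE DIRECTIVE -> value of the first uncommented DIRECTIVE line,
# with surrounding double quotes removed (empty if the directive is absent)
policy_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 |
        sed -e "s/^[[:space:]]*$2[[:space:]]*//" -e 's/"//g'
}

# audit_myproxy_config FILE -> one finding per line; exit status 0 when none
audit_myproxy_config() {
    cfg=$1; n=0
    if [ -z "$(policy_value "$cfg" accepted_credentials)" ]; then
        echo "accepted_credentials is not set: nobody can store credentials"; n=$((n + 1))
    fi
    # A bare "*" lets every holder of a certificate from a trusted CA play that
    # role. For retrievers only the credential passphrase stands in the way; for
    # renewers any host that holds one of the user's proxies may renew a
    # credential stored with myproxy-init -n, so name the WMS host DN instead.
    if [ "$(policy_value "$cfg" authorized_retrievers)" = '*' ]; then
        echo "authorized_retrievers \"*\": any certificate holder may try the passphrase; restrict to your CA namespace"; n=$((n + 1))
    fi
    if [ "$(policy_value "$cfg" authorized_renewers)" = '*' ]; then
        echo "authorized_renewers \"*\": any host may act as renewer; list the WMS host DN instead"; n=$((n + 1))
    fi
    dr=$(policy_value "$cfg" default_renewers)
    if [ -n "$dr" ] && [ "$dr" != none ]; then
        echo "default_renewers \"$dr\": credentials stored without an explicit renewer policy are renewable by default"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample_configs DIR -> DIR/weak.conf (slide 23) and DIR/hardened.conf (constructed)
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# policy as shown on slide 23: open to every valid certificate holder
accepted_credentials "*"
authorized_retrievers "*"
default_retrievers "*"
authorized_renewers "*"
default_renewers "none"
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed hardened policy: only GILDA personal certificates may store and
# retrieve, only the (hypothetical) WMS host may renew
accepted_credentials "/C=IT/O=GILDA/OU=Personal Certificate/*"
authorized_retrievers "/C=IT/O=GILDA/OU=Personal Certificate/*"
default_retrievers "/C=IT/O=GILDA/OU=Personal Certificate/*"
authorized_renewers "/C=IT/O=GILDA/OU=Host/*/CN=wms.eela.if.ufrj.br"
default_renewers "none"
EOF
}

demo=$(mktemp -d)
write_sample_configs "$demo"
for c in weak hardened; do
    echo "== $c.conf"
    if audit_myproxy_config "$demo/$c.conf"; then echo "no findings"; fi
done
rm -rf "$demo"
```

Run it against the live file with `audit_myproxy_config /etc/myproxy-server.config` after each edit; the DN patterns in the hardened sample use MyProxy's wildcard matching, so the same shape works for any CA namespace.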

  24. Changes to MyProxy Server init script
  • Edit /etc/init.d/myproxy
  • Comment out this line:
    MKCONFIG="/etc/rc.d/init.d/myproxy-generate-config.pl $CERTDIR $X509_USER_CERT $EDG_LOCATION/etc/edg-myproxy.conf $CONFIG"

  25. MyProxy commands
  • myproxy-init -s <host_name>
    • Store a long-lived credential on the server; -s <host_name> specifies the hostname of the MyProxy server
  • myproxy-info -s <host_name>
    • Get information about the stored long-lived credential
  • myproxy-get-delegation -s <host_name>
    • Get a new proxy from the MyProxy server
  • myproxy-destroy -s <host_name>
    • Remove the credential stored on the server

  26. Storing credentials on MyProxy Server
    myproxy-init -s <server name> -p <port> --voms gilda
    ...
    Enter GRID pass phrase for this identity:
    ...
    Enter MyProxy pass phrase:
    ...
    A proxy valid for 168 hours (7.0 days) for user xxx now exists on eelatut10.eela.if.ufrj.br.
  • Now your credentials are stored on the MyProxy server and are available for delegation or renewal by the WMS

  27. Getting a delegation
    myproxy-get-delegation -s <server name> -p <port>
    Enter MyProxy pass phrase:
    ...
    A proxy has been received for user XXX in /tmp/x509up_u5XX
  • The proxy file name ends with the numeric uid of the user and is readable only by that user

  28. Installing VOMS Server with GILDA middleware

  29. Installation Pre-requisites
  • Start from the base machine you installed in the INTRODUCTORY tutorial
  • Verify that these packages are installed and properly configured:
    • Java SDK
    • Ntp daemon
  • Also check that your host certificates are present in /etc/grid-security and have proper permissions:
    -rw-r--r-- 1 root root 1127 Jun 14 12:27 hostcert.pem
    -r-------- 1 root root  887 Jun 14 12:28 hostkey.pem
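Slides 12, 16 and 29 all ask you to eyeball the same `ls -l` listing. The function below is an added example (ours, not from the tutorial) that performs that check mechanically: both files must exist, belong to the expected owner, hostcert.pem must be world-readable but writable only by its owner, and hostkey.pem must be readable by its owner alone. The demo at the bottom runs it on throwaway files owned by the current user; on a real node you would call `check_host_credentials /etc/grid-security` (owner defaults to root).

```shell
#!/bin/sh
# Added example (not from the EELA slides): verify /etc/grid-security host
# credential files against the permissions shown on slides 12, 16 and 29.

# file_mode FILE -> the 10-character mode string from ls -l (ACL/SELinux suffix dropped)
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# file_owner FILE -> owner name from ls -l
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_host_credentials DIR [OWNER] -> 0 when both files pass, 1 otherwise;
# every problem found is printed on its own line
check_host_credentials() {
    dir=$1; owner=${2:-root}; ok=0
    cert="$dir/hostcert.pem"; key="$dir/hostkey.pem"
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then echo "missing: $f"; ok=1; fi
    done
    [ "$ok" -eq 0 ] || return 1

    for f in "$cert" "$key"; do
        if [ "$(file_owner "$f")" != "$owner" ]; then
            echo "$f: owner is $(file_owner "$f"), expected $owner"; ok=1
        fi
    done

    # private key: no group/other bits at all (-r-------- as on the slides, or -rw-------)
    mode=$(file_mode "$key")
    case "$mode" in
        -r--------|-rw-------) ;;
        *) echo "$key: mode $mode, expected -r-------- (chmod 400)"; ok=1 ;;
    esac

    # certificate: services running as other users must read it, nobody else may write it
    mode=$(file_mode "$cert")
    case "$mode" in
        -rw-r--r--|-r--r--r--) ;;
        *) echo "$cert: mode $mode, expected -rw-r--r-- (chmod 644)"; ok=1 ;;
    esac
    return "$ok"
}

# Demo on constructed files (not real credentials); the content is irrelevant
# to the permission check.
demo=$(mktemp -d)
printf 'dummy certificate\n' > "$demo/hostcert.pem"; chmod 644 "$demo/hostcert.pem"
printf 'dummy key\n'         > "$demo/hostkey.pem";  chmod 400 "$demo/hostkey.pem"
if check_host_credentials "$demo" "$(id -un)"; then echo "ok: $demo passes"; fi
chmod 644 "$demo/hostkey.pem"      # simulate a world-readable private key
if ! check_host_credentials "$demo" "$(id -un)"; then echo "rejected after chmod 644 hostkey.pem"; fi
rm -rf "$demo"
```

A world-readable hostkey.pem lets any local account impersonate the host to the grid, so the check fails closed on it; the certificate is public and only its writability matters.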

  30. Manual Installation
  • Currently there is no YAIM profile for the installation of VOMS
  • We are going to proceed with the manual installation
  • First, remove the existing repository lists and add the following files to /etc/apt/sources.list.d/:
    rm -f /etc/apt/sources.list.d/*
    • sl.list:
      rpm http://gaia.eela.if.ufrj.br/yam sl305-i386 os contrib updates
    • glite.list:
      rpm http://gaia.eela.if.ufrj.br/yam glite_sl3-i386 3_0 3_0_updates 3_0_externals security

  31. Manual Installation
  • Next, update the apt package databases:
    apt-get update
  • Install the base package for VOMS:
    apt-get install glite-VOMS_mysql lcg-CA
  • Also install the GILDA VO and CA RPMs (all on one line):
    rpm -ivh http://gaia.eela.if.ufrj.br/yam/gilda_sl3-i386/RPMS.all/ca_GILDA-1.0-2.i386.rpm http://gaia.eela.if.ufrj.br/yam/gilda_sl3-i386/RPMS.all/lcg-voms-vo-gilda-1.0-0.noarch.rpm

  32. NTP Configuration
  • Add the following lines to /etc/ntp.conf:
    restrict 146.164.36.25 mask 255.255.255.255 nomodify notrap noquery
    server 146.164.36.25
  • Add the following line to /etc/ntp/step-tickers:
    146.164.36.25
  • Grid authentication checks certificate and proxy validity periods, so a wrong clock makes otherwise valid credentials fail.

  33. Middleware configuration
  • Go to the configuration directory and copy the templates:
    cd /opt/glite/etc/config
    cp templates/*.xml .
  • Customize the configuration files by replacing all 'changeme' values with the proper values

  34. glite-global.cfg.xml
  • Change the JAVA_HOME variable to the path of the JVM:
    value="/usr/java/j2re1.4.2_08"
  • Change also the variable GLITE_LOCATION_VAR:
    value="/opt/glite/var"

  35. glite-rgma-common.cfg.xml
  • Change the following values:
    rgma.server.hostname = rgmasrv.ct.infn.it
    rgma.schema.hostname = rgmasrv.ct.infn.it
    rgma.registry.hostname = rgmasrv.ct.infn.it

  36. glite-rgma-servicetool.cfg.xml
  • Change the following value:
    rgma.servicetool.siteId = eelatut03.eela.if.ufrj.br

  37. glite-rgma-servicetool-externalServices.cfg.xml
  • Change the following value:
    rgma.servicetool.service_type = org.glite.voms.server

  38. glite-security-utils.cfg.xml
  • Change the following value:
    cron.mailto = grid-prod@if.ufrj.br

  39. glite-voms-server.cfg.xml
  • Change the following values:
    voms.db.type = mysql
    voms.db.host = localhost
    voms.admin.smtp.host = master.if.ufrj.br
    voms.mysql.admin.password = "secret"

  40. vo-list.cfg.xml
  • Change the following values:
    vo = gilda
    vo.name = gilda
    voms.hostname = eelatut10.eela.if.ufrj.br
    voms.port.number = 15001
    voms.cert.url = http://eelatut10.eela.if.ufrj.br/voms-server.pem
    voms.cert.subject = /C=IT/O=GILDA/OU=Host/L=Universidade Federal do Rio de Janeiro/CN=eelatut15.eela.if.ufrj.br/emailAddress=rausch@if.ufrj.br
    voms.db.name = voms_gilda
    voms.db.user.name = vo_adm
    voms.db.user.password = secret
    vo.sgm.vo.role = LCGAdmin
  • The CN in the certificate subject must be the name of the host that actually runs the VOMS server (these slides mix eelatut10 and eelatut15): the vomses entry that clients use to reach the server carries this DN, and voms-proxy-init rejects a server whose certificate does not match it.

  41. vo-list.cfg.xml
  • Change the following values:
    pool.account.basename = gilda
    pool.account.group = gilda
    pool.account.number = 200
    voms.db.host = localhost
    voms.admin.smtp.host = master.if.ufrj.br
    voms.admin.notification.e-mail = grid-prod@if.ufrj.br
    voms.admin.certificate = /C=IT/O=GILDA/OU=Personal Certificate/L=RIODEJANEIRO/CN=RIODEJANEIRO04/Email=tony.calanducci@ct.infn.it
  • You also have to copy the VO admin's user certificate to the machine (the public certificate only, never userkey.pem):
    scp .globus/usercert.pem eelatut15:/etc/grid-security/admin-usercert.pem
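Slide 33 says to replace every 'changeme', and slides 39 to 41 fill in values that include the tutorial password `secret` and a certificate subject whose CN does not match `voms.hostname`. The script below is an added example (ours, not part of the gLite tools): a pre-flight lint to run before `glite-voms-server-config.py --configure`. It assumes the gLite config files hold parameters as `<parameter name="..."><value>...</value></parameter>` (the parameter names are those on slides 34, 39 and 40; the layout is an assumption) and builds a constructed sample directory carrying the slides' values.

```shell
#!/bin/sh
# Added example (not from the EELA slides or gLite): lint the copied
# /opt/glite/etc/config/*.xml files before running the configuration script.
# Assumed layout: <parameter name="NAME"><value>VALUE</value></parameter>.

# param_value FILE NAME -> the <value> of the parameter called NAME (empty if absent)
param_value() {
    awk -v n="$2" '
        $0 ~ "name=\"" n "\"" { inparam = 1 }
        inparam && match($0, /<value>[^<]*<\/value>/) {
            print substr($0, RSTART + 7, RLENGTH - 15); exit
        }' "$1"
}

# glite_config_lint DIR -> one problem per line; exit status 0 when there are none
glite_config_lint() {
    dir=$1; problems=0
    # 1. placeholders left behind (slide 33)
    for f in "$dir"/*.xml; do
        if grep -q changeme "$f"; then
            echo "$f: still contains 'changeme'"; problems=$((problems + 1))
        fi
    done
    # 2. the tutorial password from slides 39 and 40 still in place
    for name in voms.mysql.admin.password voms.db.user.password; do
        for f in "$dir"/*.xml; do
            if [ "$(param_value "$f" "$name")" = secret ]; then
                echo "$f: $name is still 'secret'"; problems=$((problems + 1))
            fi
        done
    done
    # 3. certificate subject CN must be the VOMS host itself (slide 40)
    vl="$dir/vo-list.cfg.xml"
    if [ -f "$vl" ]; then
        host=$(param_value "$vl" voms.hostname)
        subj=$(param_value "$vl" voms.cert.subject)
        cn=${subj##*/CN=}; cn=${cn%%/*}
        if [ -n "$host" ] && [ -n "$subj" ] && [ "$cn" != "$host" ]; then
            echo "$vl: certificate CN '$cn' does not match voms.hostname '$host'"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# write_sample_glite_config DIR -> constructed files carrying the slides' values
write_sample_glite_config() {
    cat > "$1/glite-global.cfg.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<config>
  <parameter name="JAVA_HOME"><value>changeme</value></parameter>
  <parameter name="GLITE_LOCATION_VAR"><value>/opt/glite/var</value></parameter>
</config>
EOF
    cat > "$1/glite-voms-server.cfg.xml" <<'EOF'
<config>
  <parameter name="voms.db.type"><value>mysql</value></parameter>
  <parameter name="voms.db.host"><value>localhost</value></parameter>
  <parameter name="voms.mysql.admin.password"><value>secret</value></parameter>
</config>
EOF
    cat > "$1/vo-list.cfg.xml" <<'EOF'
<config>
  <parameter name="vo.name"><value>gilda</value></parameter>
  <parameter name="voms.hostname"><value>eelatut10.eela.if.ufrj.br</value></parameter>
  <parameter name="voms.port.number"><value>15001</value></parameter>
  <parameter name="voms.cert.subject">
    <value>/C=IT/O=GILDA/OU=Host/L=Universidade Federal do Rio de Janeiro/CN=eelatut15.eela.if.ufrj.br/emailAddress=rausch@if.ufrj.br</value>
  </parameter>
  <parameter name="voms.db.user.name"><value>vo_adm</value></parameter>
  <parameter name="voms.db.user.password"><value>secret</value></parameter>
</config>
EOF
}

demo=$(mktemp -d)
write_sample_glite_config "$demo"
if glite_config_lint "$demo"; then
    echo "no problems"
else
    echo "fix the items above before running glite-voms-server-config.py --configure"
fi
rm -rf "$demo"
```

On the sample the lint reports four problems (the JAVA_HOME placeholder, both 'secret' passwords and the CN mismatch); on a real node run `glite_config_lint /opt/glite/etc/config` after editing the templates.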

  42. Firewall Configuration
  • Put these lines in /etc/sysconfig/iptables:
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 15001 -j ACCEPT
  • Restart the firewall (8443/tcp is the VOMS Admin web interface, 15001/tcp the VOMS server port set as voms.port.number in vo-list.cfg.xml)

  43. MySQL Configuration
  • Set the password for mysql access (it must match voms.mysql.admin.password in glite-voms-server.cfg.xml):
    mysqladmin -u root password secret

  44. Start the configuration
  • Fix the bug in glite-voms-server-config.py (line 387)
  • Finally, we can start the configuration:
    cd /opt/glite/etc/config/scripts
    ./glite-voms-server-config.py --configure
  • Start the service:
    ./glite-voms-server-config.py --start
