The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How)
VOMS Installation and configuration
Bouchra RAHIM (rahim@cnrst.ma)
Africa 6 2011 - Joint EUMEDGRID-Support/EPIKH School for Grid Site Administrators, Rabat, 02.06.2011
www.epikh.eu
Outline
• Virtual Organization Membership Service overview
• gLite VOMS: installation
• gLite VOMS: configuration
VOMS
• Virtual Organization Membership Service (VOMS)
• An account database serving information in a special format (VOMS credentials)
• Can be administered via the command line and via a web interface
• Provides information on the user's relationship with his/her Virtual Organization (VO):
  • VO membership
  • Group membership
  • Roles of the user
VOMS
• Virtual Organizations (VOs) are groups of Grid users, each authenticated through an X.509 digital certificate.
• The Virtual Organization Membership Service (VOMS) serves as the central database of user authorization information for a VO: it sorts users into a group hierarchy, keeps track of their roles, and so on.
• The VO Manager, according to the VO's policies and rules, authorizes authenticated users to become VO members.
• When a proxy is created, one or more VOMS servers are contacted. Each returns an Attribute Certificate (AC), signed with the VOMS server's host certificate, that lists the user's group membership and roles within that VO. The AC is embedded in the proxy; relying services verify its signature against the VOMS server DN and CA DN they have configured for the VO (the VO_<vo_name>_VOMSES and VO_<vo_name>_VOMS_CA_DN settings shown later), so a VOMS host certificate that does not match those DNs breaks authorization for every user of the VO.
Requirements
• One machine:
  • Operating system: Scientific Linux 5 or 4
  • Public IP address, with direct and reverse address resolution in DNS
  • Equipped with an X.509 host certificate
Which metapackages are we going to install?
There are two kinds of metapackage to install:
• lcg-CA: the RPM collection that installs the trusted external Certification Authorities (the VOMS server accepts only certificates issued by these CAs).
• glite-VOMS_mysql: contains all the RPMs for VOMS administration and usage, with MySQL as the back-end database.
Preparing the Linux machine
Network Time Protocol settings (the VOMS host must keep accurate time, since certificate and AC validity periods are checked against the clock):
  # yum install ntp
• Copy the ntp.conf file and the ntp directory from ftp://repo.magrid.ma/pub/CE_WN_BDII/ to /etc/ (for example with WinSCP)
• Synchronize the date:
  # /etc/init.d/ntpd stop
  # ntpdate ntp.marwan.ma
• Start the ntpd service and configure it to start on boot:
  # /etc/init.d/ntpd start
  # chkconfig ntpd on
Preparing the Linux machine
• Disable SELinux: make sure /etc/selinux/config contains the line
  SELINUX=disabled
• Check that you have a valid, fully qualified hostname (it must match the host certificate and resolve both ways in DNS):
  # hostname -f
  # cat /etc/hosts
• Stop iptables:
  # /etc/init.d/iptables stop
  # chkconfig iptables off
  This is the classroom shortcut. On a production VOMS host keep iptables enabled and open only the ports the service needs: the VOMS daemon port (15000 in this tutorial) and the VOMS Admin web port (8443).
• Reboot
Repository set up
Add the repositories specific to the middleware to the system repositories:
  # cd /etc/yum.repos.d/
  # export MREPO=http://repo.magrid.ma/yumrepo/glite32
  # REPO="dag lcg-CA glite-VOMS_mysql"
  # for name in $REPO; do wget $MREPO/$name.repo -O /etc/yum.repos.d/$name.repo; done
Note that the repository files are fetched over plain HTTP: check their contents (baseurl, gpgcheck) before running yum.
Package installation
Use yum to install the needed packages:
  # yum install lcg-CA ca-policy-egi-core ca-policy-lcg
  # yum install glite-VOMS_mysql
  # yum install xml-commons-apis
PreConfiguration - MySQL
Check that MySQL is running:
  # service mysqld status
If it is not, launch it:
  # service mysqld start
Set the root password for MySQL:
  # /usr/bin/mysqladmin -u root password grid2011
• At this point, log into MySQL and grant root access under both names of the host (YAIM connects as root using the short and the fully qualified hostname):
  # mysql -uroot -pgrid2011
  grant all on *.* to 'root'@'pcXX' identified by 'grid2011';
  grant all on *.* to 'root'@'pcXX.magrid.ma' identified by 'grid2011';
  quit;
• grid2011 is a classroom password. On a real server choose a strong one, do not reuse it for the VO database user, and keep the grants limited to the host's own names as above (never 'root'@'%').
PreConfiguration - Sendmail
Start sendmail (VOMS Admin uses it to send registration and notification e-mails):
  # /etc/init.d/sendmail start
  # chkconfig sendmail on
PreConfiguration
Copy site-info.def and services/glite-voms_mysql from /opt/glite/yaim/examples/siteinfo into your favourite directory:
  # mkdir /opt/glite/yaim/etc/siteinfo
  # mkdir /opt/glite/yaim/etc/siteinfo/services
  # cp /opt/glite/yaim/examples/siteinfo/site-info.def /opt/glite/yaim/etc/siteinfo
  # cp /opt/glite/yaim/examples/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/
Rename glite-voms_mysql as glite-voms:
  # mv /opt/glite/yaim/etc/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/glite-voms
• Or you can copy the site-info.def and services/glite-voms located in ftp://repo.magrid.ma/pub/VOMS/ and customize them
PreConfiguration: site-info.def
Set the YAIM variables as specified in https://twiki.cern.ch/twiki/bin/view/LCG/Site-Info_configuration_variables#VOS
  # vi /opt/glite/yaim/etc/siteinfo/site-info.def
  VOS="voXX"
  (XX is the number of your host in the room)
• Make sure to comment out the example lines starting with VO_<vo_name>_ and <queue-name>_ that refer to VOs and queues you are not defining, to avoid syntax errors in site-info.def
PreConfiguration: glite-voms
• Set the following variables in /opt/glite/yaim/etc/siteinfo/services/glite-voms:
  MYSQL_PASSWORD=grid2011
  VOMS_HOST=pcXX.magrid.ma
• Replace the variables starting with VO_<vo_name>_ by VO_VOXX_ and set their values as follows:
  VO_VOXX_VOMS_PORT=15000
  VO_VOXX_VOMS_DB_NAME=voXX_db
  VO_VOXX_VOMS_DB_USER=voXX_user
  VO_VOXX_VOMS_DB_PASS=grid2011
  VOMS_DB_HOST='localhost'
  VOMS_ADMIN_SMTP_HOST=localhost
  VOMS_ADMIN_MAIL=<admin Email>
PreConfiguration - Host certificates
• Copy the host certificate and key into place and restrict their permissions (the key must be readable by root only):
  # mv /root/pcXXkey.pem /etc/grid-security/hostkey.pem
  # mv /root/pcXXcert.pem /etc/grid-security/hostcert.pem
  # chmod 400 /etc/grid-security/hostkey.pem
  # chmod 600 /etc/grid-security/hostcert.pem
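The preparation steps above (valid FQDN with forward and reverse DNS, SELinux off, host certificate and key in /etc/grid-security with the right modes) are easy to get subtly wrong, and YAIM will not always tell you which one failed. The script below is an added example, not part of the EPIKH slides or of the gLite/YAIM tools; it bundles the checks a site administrator would run before launching YAIM. It assumes the openssl command line, GNU or BSD stat, and getent are available; the paths and the hostname are parameters so each check can be tried on scratch files first.

```shell
#!/bin/sh
# Added example (not from the EPIKH slides): preflight checks for a VOMS host.
# Every check takes its inputs as arguments so it can be exercised on any files.

# Numeric permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# hostkey.pem must be readable only by its owner: 0400 as on the slide, 0600 at most.
key_mode_ok() {
    case "$(mode_of "$1")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# hostcert.pem is public data, but it must not be group- or world-writable.
cert_mode_ok() {
    case "$(mode_of "$1")" in
        400|444|600|644) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the CN from an OpenSSL subject line, in either the classic
# "/C=MA/O=MaGrid/CN=host" or the newer "C = MA, O = MaGrid, CN = host" form.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# True when the certificate CN equals the FQDN the host advertises.
cert_cn_matches() {
    subj="$(openssl x509 -in "$1" -noout -subject)" || return 1
    [ "$(cn_from_subject "$subj")" = "$2" ]
}

# True when hostcert.pem and hostkey.pem belong to the same RSA key pair.
cert_key_match() {
    c="$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)" || return 1
    k="$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null)" || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when forward and reverse DNS agree for the host (the slide's requirement).
dns_roundtrip_ok() {
    ip="$(getent hosts "$1" | awk '{print $1; exit}')"
    [ -n "$ip" ] || return 1
    [ "$(getent hosts "$ip" | awk '{print $2; exit}')" = "$1" ]
}

# Run against the real host only when explicitly asked, so the file can be
# sourced for its functions without side effects.
if [ "${VOMS_PREFLIGHT:-0}" = 1 ]; then
    fqdn="$(hostname -f)"
    c=/etc/grid-security/hostcert.pem
    k=/etc/grid-security/hostkey.pem
    key_mode_ok "$k"            || echo "FAIL: $k has mode $(mode_of "$k"), want 400"
    cert_mode_ok "$c"           || echo "FAIL: $c has mode $(mode_of "$c")"
    cert_key_match "$c" "$k"    || echo "FAIL: hostcert.pem and hostkey.pem do not match"
    cert_cn_matches "$c" "$fqdn" || echo "FAIL: certificate CN is not $fqdn"
    dns_roundtrip_ok "$fqdn"    || echo "FAIL: forward/reverse DNS disagree for $fqdn"
    grep -q '^SELINUX=disabled' /etc/selinux/config 2>/dev/null || echo "WARN: SELinux is not disabled"
fi
```

Run it on the VOMS host with `VOMS_PREFLIGHT=1 sh preflight.sh`; an empty output means all checks passed. The CN check matters most: if the host certificate CN differs from `hostname -f`, VOMS clients will reject the ACs the server signs even though YAIM completes without error.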
YAIM configuration
• Run the YAIM configuration:
  # /opt/glite/yaim/bin/yaim -c -s /opt/glite/yaim/etc/siteinfo/site-info.def -n VOMS
Tests
• Import a user certificate in your browser
  • You can use ftp://repo.magrid.ma/pub/VOMS/Grid-School.p12
  • The password for the certificate is: Grid2011$
• Use that browser to connect to:
  https://pcXX.magrid.ma:8443/voms/voXX
Registration procedure (actors: VO user, VOMS server, VO admin)
1. VO user -> VOMS server: membership request via the web interface
2. VOMS server -> VO user: request confirmation via e-mail
3. VO user -> VOMS server: confirmation of the e-mail address
4. VOMS server -> VO admin: request notification
5. VO admin -> VOMS server: accept / deny via the web interface
6. VOMS server: create the user (if accepted)
7. VOMS server -> VO user: notification of accept / deny
VO-ADMIN
• Copy your usercert.pem to /root/ (you can use the one in ftp://repo.magrid.ma/pub/VOMS/usercert.pem)
• Create the user from the certificate and give it the VO-Admin role on the VO:
  # voms-admin --vo voXX create-user /root/usercert.pem
  # voms-admin --vo voXX assign-role VO VO-ADMIN /root/usercert.pem
• The certificate you register here becomes the first administrator of the VO, able to accept members and assign roles through the web interface; use the real administrator's certificate on a production server, not the shared training one.
Usage and maintenance
• People holding user certificates issued by a recognized CA (the lcg-CA set) may request to subscribe to your VO
• Requests are notified via e-mail both to the requestor and to the administrator
• More than one VO can be created
• From the web GUI different roles may be assigned to the users
• Grid services supporting the new VO must have the VO-specific settings properly configured in their site-info.def file, for example:
  ##########
  # magrid #
  ##########
  # MAGRID VO:
  VO_MAGRID_SW_DIR=$VO_SW_DIR/magrid
  VO_MAGRID_DEFAULT_SE=$SE_HOST
  VO_MAGRID_STORAGE_DIR=$CLASSIC_STORAGE_DIR/magrid
  VO_MAGRID_QUEUES="magrid"
  # VOMS specific settings: https://voms.magrid.ma:8443/voms/magrid/Configuration.do
  VO_MAGRID_VOMS_SERVERS="vomss://voms.magrid.ma:8443/voms/magrid?/magrid"
  VO_MAGRID_VOMSES="'magrid voms.magrid.ma 15000 /C=MA/O=MaGrid/OU=CNRST/CN=voms.magrid.ma magrid'"
  VO_MAGRID_VOMS_CA_DN="'/C=MA/O=MaGrid/CN=MaGrid CA' '/C=MA/O=MaGrid/CN=MaGrid CA'"
  VO_MAGRID_WMS_HOSTS="prod-wms-01.pd.infn.it wms-4.dir.garr.it wms.ulakbim.gov.tr"
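The VO_MAGRID_VOMSES and VO_MAGRID_VOMS_CA_DN values above are what YAIM turns into the client-side trust files on a UI, CE or WN: the vomses entry that tells voms-proxy-init where the server is, and the .lsc file that tells the VOMS client which server DN and CA DN an AC must be signed by. The script below is an added example, not code from the EPIKH slides or from YAIM; it derives both files from the slide's values so the layout can be inspected in a scratch directory, and then checks a real proxy with the VOMS client tools. The file formats (one quoted five-field line per vomses entry; server DN then CA DN in the .lsc file) and the `attribute : /<vo>/...` line in voms-proxy-info output are assumed from the VOMS client documentation.

```shell
#!/bin/sh
# Added example (not from the EPIKH slides): derive the VOMS client trust files
# for a VO from the same values the site-info.def fragment carries.
#   <root>/etc/vomses/<vo>-<host>                     "vo" "host" "port" "server DN" "vo"
#   <root>/etc/grid-security/vomsdir/<vo>/<host>.lsc  server DN on line 1, its CA DN on line 2

# One vomses entry in the five-field quoted form.
vomses_entry() {
    vo="$1"; host="$2"; port="$3"; dn="$4"
    printf '"%s" "%s" "%s" "%s" "%s"\n' "$vo" "$host" "$port" "$dn" "$vo"
}

# Body of an .lsc file: the VOMS server certificate DN, then the DN of the CA
# that issued it. The client walks this chain when verifying the AC signature.
lsc_body() {
    printf '%s\n%s\n' "$1" "$2"
}

# Write both files under <root> (empty for the real system). Usage:
#   install_vo_trust <vo> <host> <port> <server DN> <CA DN> [<root>]
install_vo_trust() {
    vo="$1"; host="$2"; port="$3"; server_dn="$4"; ca_dn="$5"; root="${6:-}"
    vomses_file="$root/etc/vomses/$vo-$host"
    lsc_file="$root/etc/grid-security/vomsdir/$vo/$host.lsc"
    mkdir -p "$root/etc/vomses" "$root/etc/grid-security/vomsdir/$vo"
    vomses_entry "$vo" "$host" "$port" "$server_dn" > "$vomses_file"
    lsc_body "$server_dn" "$ca_dn" > "$lsc_file"
    chmod 644 "$vomses_file" "$lsc_file"   # world-readable, root-owned trust data
}

# The end-to-end check once the files are in place: obtain a VOMS proxy and
# confirm the AC carries an FQAN for the VO (needs the VOMS client tools and a
# user certificate registered in the VO).
check_voms_proxy() {
    voms-proxy-init --voms "$1" >/dev/null || return 1
    voms-proxy-info --all | grep -q "^attribute *: */$1/"
}

# Values from the slide's magrid example; run only when explicitly requested.
if [ "${VOMS_TRUST_RUN:-0}" = 1 ]; then
    install_vo_trust magrid voms.magrid.ma 15000 \
        '/C=MA/O=MaGrid/OU=CNRST/CN=voms.magrid.ma' \
        '/C=MA/O=MaGrid/CN=MaGrid CA' "${VOMS_TRUST_ROOT:-}"
    check_voms_proxy magrid && echo "magrid proxy carries a valid AC"
fi
```

Try it first with `VOMS_TRUST_RUN=1 VOMS_TRUST_ROOT=/tmp/vomstest sh vo-trust.sh` and inspect the two generated files before repeating without VOMS_TRUST_ROOT on a real client. If voms-proxy-init succeeds but the attribute line is missing, the AC was issued but could not be verified, which almost always means the server DN or CA DN in the .lsc file does not match the certificate actually installed on the VOMS host.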
Logs and scripts
• Log files can be found in:
  /var/log/messages
  /var/log/glite/voms.<VO NAME>
• Init scripts can be found in:
  /opt/glite/etc/config/scripts/
References
• INFNGRID generic installation guide (release 3.2): http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:guides:install-3_2
• YAIM system administrator guide: https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400
• VOMS installation guide: https://edms.cern.ch/file/974982/1/voms-installation-configuration-guide.pdf
• EUMEDGRID wiki: http://wiki.eumedgrid.eu/bin/view
• EuMedGRID sites installation and setup tips: http://wiki.eumedgrid.eu/twiki/bin/view/InfrastructureStatus/EumedSiteInstallation
• EUMEDGRID VOMS@CNAF: https://voms2.cnaf.infn.it:8443/voms/eumed/Login.do
Thank you for your kind attention ! Any questions ?