1. www.epikh.eu The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) VOMS Installation and configuration Bouchra RAHIM(rahim@cnrst.ma) Africa 6 2011 - Joint EUMEDGRID-Support/EPIKH School for Grid Site Administrators Rabat, 02.06.2011

2. 2 Outline Virtual Organization Membership Services overview gLite VOMS: –Installation on VOMS –Configuration on VOMS

3. 3 VOMS Virtual Organization Membership Service (VOMS) –Account Database  Serving information in a special format (VOMS credentials)  Can be administered via command line & via web interface –Provides information on the user’s relationship with his/her Virtual Organization (VO)  VO - Membership  Group membership  Roles of user

4. 4 VOMS Virtual Organizations: (VOs) are groups of Grid users (authenticated through digital certificates) VO Management Service: (VOMS) serves as a central database for user authorization information, providing support for sorting users into general group hierarchy, keeping track of their roles, etc. VO Manager: according to VO policies and rules, authorizes authenticated users to become VO members. At the time the proxy is created, one or more VOMS servers are contacted. They will return a Attribute Certificate (AC), signed by the VO and contains information about group membership and roles within the VO.

5. 5 VOMS Installation 5

6. 6 Requirements One machine: Operating System: Scientific Linux 5 or 4 Public ip address, direct and reverse address resolution on a DNS and equipped with an X509 certificate.

7. 7 Which metapackages we are going to install? There are several kinds of metapackages to install: lcg-CA –rpm collection to support external Certification Authority. glite-VOMS_mysql –Contains all rpm for VOMS administration and usage.

8. 8 Preparing the Linux machine Network Time Protocol settings # yum install ntp Copy the ntp.conf file and the ntp directory from ftp://repo.magrid.ma/pub/CE_WN_BDII/ to /etc/ (Winscp) ftp://repo.magrid.ma/pub/CE_WN_BDII/ Synchronize the date # /etc/init.d/ntpd stop # ntpdate ntp.marwan.ma # /etc/init.d/ntpd start # chkconfig ntpd on Start the ntpd service and configure it to start on boot

9. 9 Preparing the Linux machine Disable Selinux: make sure /etc/selinux/config contains line: SELINUX=disabled # /etc/init.d/iptables stop # chkconfig iptables off Stop iptables Please check If you have a valid hostname #hostname –f # cat /etc/hosts Reboot

10. 10 Repository set up Add to system repository ones specific for middleware to install # cd /etc/yum.repos.d/ export MREPO=http://repo.magrid.ma/yumrepo/glite32 # REPO="dag lcg-CA glite-VOMS_mysql" # for name in $REPO; do wget $MREPO/$name.repo –O /etc/yum.repos.d/$name.repo; done

11. 11 package installation Use yum to install needed packets # yum install lcg-CA ca-policy-egi-core ca-policy-lcg # yum install glite-VOMS_mysql #yum install xml-commons-apis

12. 12 PreConfiguration-MySQL Check that mySQL is running –service mysqld status if not, launch it using –service mysqld start set the root password for mysql: –/usr/bin/mysqladmin -u root password grid2011; At this point, log into mysql using the following commands: mysql -uroot -pgrid2011 grant all on *.* to 'root'@'pcXX' identified by 'grid2011'; grant all on *.* to 'root'@'pcXX.magrid.ma' identified by 'grid2011'; quit;

13. 13 PreConfiguration-SendMail start send mail –/etc/init.d/sendmail start –chkconfig sendmail on

14. 14 PreConfiguration Copy siteinfo.def and services/glite-voms_mysql from '/opt/glite/yaim/examples/siteinfo' into your favourite dir: –mkdir /opt/glite/yaim/etc/siteinfo –mkdir /opt/glite/yaim/etc/siteinfo/services –cp /opt/glite/yaim/examples/siteinfo/site-info.def /opt/glite/yaim/etc/siteinfo –cp /opt/glite/yaim/examples/siteinfo/services/glite- voms_mysql /opt/glite/yaim/etc/siteinfo/services/ Rename glite-voms_mysql as glite-voms: –mv /opt/glite/yaim/etc/siteinfo/services/glite-voms_mysql /opt/glite/yaim/etc/siteinfo/services/glite-voms Or you can copy site-info.def and services/glite-voms located in ftp://repo.magrid.ma/pub/VOMS/ and customizeftp://repo.magrid.ma/pub/VOMS/

15. 15 PreConfiguration:site-info.def Set yaim variables as specified https://twiki.cern.ch/twiki/bin/view/LCG/Site- Info_configuration_variables#VOMShttps://twiki.cern.ch/twiki/bin/view/LCG/Site- Info_configuration_variables#VOMS vi /opt/glite/yaim/etc/siteinfo/site-info.def VOS="voXX" (XX points to your host order in the room) make sure to comment the lines starting with Vo_ and _to avoid syntax errors in site-info.def

16. 16 PreConfiguration:glite-voms set the following variables in /opt/glite/yaim/etc/siteinfo/services/glite-voms MYSQL_PASSWORD=grid2011 VOMS_HOST=pcXX.magrid.ma replace the variables starting with VO_ by VO_VOXX and set their values as follows : VO_VOXX_VOMS_PORT=15000 VO_VOXX_VOMS_DB_NAME=voXX_db VO_VOXX_VOMS_DB_USER=voXX_user VO_VOXX_VOMS_DB_PASS=grid2011 VOMS_DB_HOST='localhost' VOMS_ADMIN_SMTP_HOST=localhost VOMS_ADMIN_MAIL=

17. 17 PreConfiguration-HostCertificates copy the host certificates mv /root/pcXXkey.pem /etc/grid-security/hostkey.pem mv /root/pcXXcert.pem /etc/grid-security/hostcert.pem chmod 400 /etc/grid-security/hostkey.pem chmod 600 /etc/grid-security/hostcert.pem

18. 18 YAIM Configuration run the yaim configuration : /opt/glite/yaim/bin/yaim -c -s /opt/glite/yaim/etc/siteinfo/site-info.def -n VOMS

19. 19 Tests import user certificate in your browser you can use ftp://repo.magrid.ma/pub/VOMS/Grid-School.p12ftp://repo.magrid.ma/pub/VOMS/Grid-School.p12 Password for certificate is :[Grid2011$] use that browser to connect : https://pcXX.magrid.ma:8443/voms/voXX

20. 20 Registration procedure Request confirmation via email Membership request via Web interface VOMS SERVER VO USER VO ADMIN Confirmation of email address Request notification accept / deny via web interface create user (if accepted) Notification of accept/deny

21. 21 VO-ADMIN Copy your usercert.pem to /root/ ( you can use the one in ftp://repo.magrid.ma/pub/VOMS/usercert.pem ) ftp://repo.magrid.ma/pub/VOMS/usercert.pem voms-admin --vo voXX create-user /root/usercert.pem voms-admin --vo voXX assign-role VO VO-ADMIN /root/usercert.pem

22. 22 Usage and Mainteinance People having user certificates delivered by a recognized Cas (LCG-CA) may request to subscribe your VO Requests will be notified via e-mail both for requestor and administrator More than one VO can be created From the Web GUI different Roles may be defined to the users Grid services supporting the new VO must have the specific VO setting properly configured in the site-info.def file ########## # magrid # ########## # MAGRID VO: VO_MAGRID_SW_DIR=$VO_SW_DIR/magrid VO_MAGRID_DEFAULT_SE=$SE_HOST VO_MAGRID_STORAGE_DIR=$CLASSIC_STORAGE_DIR/magrid VO_MAGRID_QUEUES="magrid" # VOMS Specific settings: https://voms.magrid.ma:8443/voms/magrid/Configuration.do VO_MAGRID_VOMS_SERVERS="vomss://voms.magrid.ma:8443/voms/magrid?/magrid" VO_MAGRID_VOMSES="'magrid voms.magrid.ma 15000 /C=MA/O=MaGrid/OU=CNRST/CN=voms.magrid.ma magrid'" VO_MAGRID_VOMS_CA_DN="'/C=MA/O=MaGrid/CN=MaGrid CA' '/C=MA/O=MaGrid/CN=MaGrid CA'" VO_MAGRID_WMS_HOSTS="prod-wms-01.pd.infn.it wms-4.dir.garr.it wms.ulakbim.gov.tr"

23. 23 Logs and scripts Log files can be found in /var/log/messages /var/log/glite/voms. Init scripts can be found in /opt/glite/etc/config/scripts/

24. 24 References INFNGRID generic installation guideMETTERE 32: –http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:guides:insta ll-3_2http://igrelease.forge.cnaf.infn.it/doku.php?id=doc:guides:insta ll-3_2 YAIM system administrator guide: –https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400 VOMS Installation guide https://edms.cern.ch/file/974982/1/voms-installation-configuration- guide.pdfhttps://edms.cern.ch/file/974982/1/voms-installation-configuration- guide.pdf EUMEDGRID wiki: –http://wiki.eumedgrid.eu/bin/viewhttp://wiki.eumedgrid.eu/bin/view EuMedGRID sites installation and setup tips –http://wiki.eumedgrid.eu/twiki/bin/view/InfrastructureStatus/Eu medSiteInstallationhttp://wiki.eumedgrid.eu/twiki/bin/view/InfrastructureStatus/Eu medSiteInstallation EUMEDGRID VOMS@CNAF https://voms2.cnaf.infn.it:8443/voms/eumed/Login.do

25. 25 Thank you for your kind attention ! Any questions ?