Setup Certificates Update
- 1 Auto-update With IGTF-PRAGMA COMBO Distribution (recommended)
- 2 Auto-update With Seperate IGTF, PRAGMA Distributions
- 3 Manual-update With Seperate IGTF, PRAGMA Distributions
- 4 Setup auto-synch grid-mapfile with PRAGMA VO groups
Note - please use the most current software packages.
Auto-update With IGTF-PRAGMA COMBO Distribution (recommended)
- If pacman has not been installed, install pacman
# wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-latest.tar.gz # cd /opt # tar xvzf /root/pacman-latest.tar.gz # cd pacman-3.29/ # source ./setup.sh
- If VDT certificate updater has not been installed (VDT certificate updater 1.8.1 or older will not work, since it ignores the cacerts_url entry in the configuration file, so you will need to upgrade to the current version)
# cd /opt # mkdir vdt # cd vdt # pacman -get http://vdt.cs.wisc.edu/vdt_200_cache:CA-Certificates
The installation will ask series questions. This example is based on answering all questions "yes".
- Add this line in /opt/vdt/vdt/etc/vdt-update-certs.conf
# . $VDT_LOCATION/setup.sh # . $VDT_LOCATION/vdt-questions.sh # $VDT_LOCATION/vdt/sbin/vdt-setup-ca-certificates --certs-dir /etc/grid-security
- Check VDT services
# vdt-control --list Service | Type | Desired State -------------------+--------+-------------- fetch-crl | cron | enable vdt-rotate-logs | cron | enable vdt-update-certs | cron | enable
- Enable all relevant vdt services
If any of the above services is not enabled, enable it by running
# vdt-control --enable <service-name>
- Activate all VDT services
# vdt-control --on
- Check the results in $VDT_LOCATION/vdt/var/log/vdt-update-certs.log and /etc/grid-security/certificates.
Auto-update With Seperate IGTF, PRAGMA Distributions
See an example
Manual-update With Seperate IGTF, PRAGMA Distributions
Install and update from IGTF distribution
- download accredited installation bundle igtf-policy-installation-bundle-<version>.tar.gz from https://dist.eugridpma.info/distribution/igtf/current/accredited
- execute the following commands as any user:
$ gunzip -c igtf-policy-installation-bundle-<version>.tar.gz | tar xvf - $ cd igtf-policy-installation-bundle-<version> $ ./configure --with-profile=classic NOTE: for multiple profiles, use multiple arguments as in: $ ./configure --with-profile=classic --with-profile=slcs
- Become a superuser and execute the actual install
# cd <path>gtf-policy-installation-bundle-<version> # make install
- Find obsolite CA files, for example, assume the current version is 1.24 and there is no ~.info files for non-IGTF CAs, run
$ grep version /etc/grid-security/certificates/*.info | grep -v '1\.24'
- The above command should print out the hash and other info of all obsolite CAs. Examine before removing the obsolite CAs files from /etc/grid-security/certificates directory.
Install and update from non-IGTF PRAGMA certs distribution
For clean install, fetch the latest bundle from https://goc.pragma-grid.net/secure/certificates/pragma-certs.tar.gz, then unzip and untar to get all non-IGTF PRAGMA CA files.
Currently, incremental update is done by announcing individual update request in Update log and pragma-grid-team mailing list. Site administrator need to manually update the CA files. When we change to IGTF distribution standard in the future, will update this procedure then.
Setup CRL auto-update
Check certificate expiration date - script by Nadya Williams
The CertTime script checks the expiration time (next update) for certificates and crls. The output is sorted and gives the number of days till the next update. Negative number of days means the expired certificate. This script can be run periodically by any user to monitor the certificates expiration. The script was updated on 10.06.2009 to accommodate the change of the CRL files format from text to CRL PEM.
Setup auto-synch grid-mapfile with PRAGMA VO groups
In PRAGMA grid, a VOMRS server is used to manage user membership in groups corresponding to individual projects.
See an example below on how to configure mappings from the VOMRS project groups to local accounts on a site system using VDT and edg-mkgridmap.
There are two alternative non-VDT methods - install from RPM or use a callout to a GUMS server. See examples documented by Vladimir. Also see PRIMA examples.
- If pacman has not been installed, install pacman
[root@rocks-96 ~]# wget http://physics.bu.edu/pacman/sample_cache/tarballs/pacman-latest.tar.gz [root@rocks-96 ~]# cd /opt [root@rocks-96 opt]# tar xvzf /root/pacman-latest.tar.gz [root@rocks-96 opt]# cd pacman-3.26/ [root@rocks-96 pacman-3.26]# source ./setup.sh
- Install edg-mkgridmap
note - please backup your existing /etc/grid-security/grid-mapfile and answer the questions according to your site requirements and policies.
[root@rocks-96 opt]# mkdir vdt [root@rocks-96 opt]# cd vdt [root@rocks-96 vdt]# pacman -get http://vdt.cs.wisc.edu/vdt_1100_cache:EDG-Make-Gridmap Do you want to add [http://vdt.cs.wisc.edu/vdt_1100_cache] to [trusted.caches]? (y/n/yall): y Beginning VDT prerequisite checking script vdt-common/vdt-prereq-check... All prerequisite checks are satisfied. VDT 1.10.0 installs a variety of software, each with its own license. In order to continue, you must agree to the licenses. You can view the licenses online at: http://vdt.cs.wisc.edu/licenses/1.10.0 After the installation has completed, you will also be able to view the licenses in the "licenses" directory. Do you agree to the licenses? [y/n] y Several services provided by the VDT create unbounded log files. If you wish, we can rotate those file on a daily basis. Would you like to setup daily rotation of VDT log files? Possible answers: y: Yes, I want the service to run automatically (once enabled) n: No, I do NOT want the service to run automatically Note: Services are enabled with vdt-control; see 'post-install/README'. y Do you want to run a cron job that will update the CA certificate revocation lists automatically? This will use the fetch-crl program that comes with the VDT. The cron job will run at a random time between midnight and 6:00am. We select a random time to avoid having all VDT installations fetching CRLs at the same time. Do you want to update the CA certification revocation lists (CRLs) automatically? [y/n] y The VDT typically installs public certificates and signing policy files for the well-known public CA's. This is necessary in order for you to perform GSI authentication with any remote Grid services (that have service/host certificates signed by these CA's). For more information please refer to the VDT documentation: http://vdt.cs.wisc.edu/releases/1.10.0/setup_ca.html Where would you like to install CA files? Choices: r (root) - install into /etc/grid-security/certificates (existing CA files will be preserved) l (local) - install into $VDT_LOCATION/globus/share/certificates n (no) - do not install r Do you want edg-mkgridmap daemon to be run automatically? If so, we will run it four times a day via cron. edg-mkgridmap will update your gridmap file by communicating with VOMS servers. This will only be useful if you are part of a Virtual Organization (VO) or you allow users from VOs. Do you want edg-mkgridmap daemon to be run via cron? [y/n] y Do you want to automatically update your CA certificates? If so, we will check for updates once a day via cron. Do you want to automatically update your CA Certificates? [y/n] y
- Configure vdt-update-certs
If you answered "yes" to automatically update your CA certificaes in the step above, but have not setup automatically update your certificates before, then configure vdt-update-certs. Otherwise, skip this step. To configure vdt-update-certs place non-igtf certs files (for example, files in PRAGMA CA tarball) in /etc/grid-secrity/non-igtf-certs directory, then edit /opt/vdt/vdt/etc/vdt-update-certs.conf to include each non-igtf cert files.
- Create UNIX accounts for the PRAGMA VO groups to map onto.
For example, create account "pragmauser" for PRAGMA USERS group, "afguser" for Avian-Flu-Grid group.
- Create /opt/vdt/edg/etc/edg-mkgridmap.conf file as
[root@rocks-96 etc]# cat /opt/vdt/edg/etc/edg-mkgridmap.conf group vomss://vomrs-pragma.sdsc.edu:8443/voms/PRAGMA?/PRAGMA/Avian-Flu-Grid afguser group vomss://vomrs-pragma.sdsc.edu:8443/voms/PRAGMA?/PRAGMA/USERS pragmauser gmf_local /opt/vdt/edg/etc/grid-mapfile-local
Note - to add new groups in the future, simply add group/user mappings in the /opt/vdt/edg/etc/edg-mkgridmap.conf file.
- Copy /etc/grid-security/grid-mapfile to /opt/vdt/edg/etc/grid-mapfile-local file
- Create /opt/vdt/edg/log/edg-mkgridmap.log (use touch command)
- Backup and remove /etc/grid-security/grid-mapfile
- Run edg-mkgridmap for the first time
[root@rocks-96 opt]# touch /opt/vdt/edg/etc/grid-mapfile-local [root@rocks-96 opt]# /opt/vdt/edg/sbin/edg-mkgridmap --output=/etc/grid-security/grid-mapfile
- Check the results in /etc/grid-security-grid-mapfile. If no problem, then start cron service
[root@rocks-96 vdt]# source setup.sh [root@rocks-96 vdt]# vdt-control --on edg-mkgridmap enabling cron service edg-mkgridmap... no crontab for root ok [root@rocks-96 vdt]# crontab -l 18 1,7,13,19 * * * /opt/vdt/edg/sbin/edg-mkgridmap >> /opt/vdt/edg/log/edg-mkgridmap.log 2>&1
Note - the "no crontab for root" error can be ignored.
- Install VOMS-Client
[root@rocks-96 vdt]# pacman -get http://vdt.cs.wisc.edu/vdt_1100_cache:VOMS-Client
- Create /opt/vdt/glite/etc/vomses/PRAGMA file as
[root@rocks-96 glite]# cat /opt/vdt/glite/etc/vomses/PRAGMA "PRAGMA" "vomrs-pragma.sdsc.edu" "15001" "/DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=vomrs-pragma.sdsc.edu" "PRAGMA" "https://vomrs-pragma.sdsc.edu:443/vomrs/PRAGMA/services/VOMRS?WSDL"
- Add VDT software path to pragma profile
Add "source /opt/vdt/setup.sh" in /etc/profile.d/pragma.sh.
- Test VOMS client
Login to a VO group user account. For example, if user Cindy Zheng is a member of PRAGMA/USERS group,
[zhengc@rocks-96 ~]$ voms-proxy-init -voms PRAGMA -order /PRAGMA/USERS Enter GRID pass phrase: Your identity: /C=US/O=SDSC/OU=SDSC/CN=Cindy Zheng/USERID=zhengc Creating temporary proxy ..................................................... Done Contacting vomrs-pragma.sdsc.edu:15001 [/DC=NET/DC=PRAGMA-GRID/OU=SDSC/CN=vomrs-pragma.sdsc.edu] "PRAGMA" Done Creating proxy ................................. Done Your proxy is valid until Fri Aug 22 02:26:38 2008
That's it. Congratulations!