On Oct 12, 2006, at 12:00 PM, Sophie Lemaitre wrote:
> The LFC daemon is not running as root, that's why the host
> certificate and key need to be put somewhere else as well.
> The same is true for other services not running as root, like the
> FTS for instance.
>
> Maybe you don't mind restarting the service, but *you should not*
> do it, unless it is necessary. (It is not necessary here).
> If you restart the service, *the LFC users will lose their open
> sessions.*
Copying the certificates over to the new location could be added to
both the start method and the reload method. So a reload can be done
to update the service without actually restarting it.
Steve
>
> If you really need it, I can write a script that does the host cert
> copy under /etc/grid-security/lfcmgr, and include it in the RPM.
>
> Let me know.
> Thanks, Sophie.
>
>
>
>> Hi Sophie,
>>
>> It is clear from the documentation that you don't _have_ to
>> restart the service when changing the host certificate, and that
>> it is enough to put the certificate files to some weird place (in
>> addition to their default location).
>>
>> However, this was not the question here - we don't mind restarting
>> the service, actually we would be _very happy_ if restarting this
>> particular service would do the magic for new host certificates,
>> without manual steps.
>> That way you don't have to worry when replacing host certificates
>> and look at the different troubleshooting pages for all node types
>> you may have when old certificates expire... Of course, the same
>> applies to other node types that require host certificate.
>>
>> Regards, Antun
>>
>> -----
>> Antun Balaz
>> Research Assistant
>> E-mail: [log in to unmask]
>> Web: http://scl.phy.bg.ac.yu/
>>
>> Phone: +381 11 3160260, Ext. 152
>> Fax: +381 11 3162190
>>
>> Scientific Computing Laboratory
>> Institute of Physics, Belgrade, Serbia
>> -----
>>
>> ---------- Original Message -----------
>> From: Sophie Lemaitre <[log in to unmask]>
>> To: [log in to unmask]
>> Sent: Thu, 12 Oct 2006 10:34:59 +0200
>> Subject: Re: [LCG-ROLLOUT] LFC problem
>>
>>
>>> Hello Antun & Rod,
>>>
>>> For the LFC and DPM, you don't have to restart the daemons after
>>> changing the host certificate.
>>>
>>> That's why modifying the init.d scripts will not help...
>>>
>>> The procedure to follow when changing the host certificate is
>>> already described in the FAQ:
>>> https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>> (see third bullet).
>>>
>>> Cheers, Sophie.
>>>
>>>
>>>> Hi Sophie,
>>>>
>>>> Is it possible to apply the following approach: each service
>>>> using a host certificate can cp the needed files from their
>>>> default location in /etc/grid-security when started?
>>>> This way the problem Torsten encountered would be much easier
>>>> to solve - just restart the service and it would pick up the
>>>> new certificate automatically? The same applies to e.g. MON box...
>>>>
>>>> I believe that problems with the permissions of hostkey.pem
>>>> "r--------" can be easily avoided.
>>>>
>>>> Thanks, Antun
>>>>
>>>> -----
>>>> Antun Balaz
>>>> Research Assistant
>>>> E-mail: [log in to unmask]
>>>> Web: http://scl.phy.bg.ac.yu/
>>>>
>>>> Phone: +381 11 3160260, Ext. 152
>>>> Fax: +381 11 3162190
>>>>
>>>> Scientific Computing Laboratory
>>>> Institute of Physics, Belgrade, Serbia
>>>> -----
>>>>
>>>> ---------- Original Message -----------
>>>> From: Sophie Lemaitre <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Sent: Wed, 11 Oct 2006 15:45:34 +0200
>>>> Subject: Re: [LCG-ROLLOUT] LFC problem
>>>>
>>>>
>>>>
>>>>> Hi Torsten,
>>>>>
>>>>> Have you copied and renamed the host certificate under
>>>>> /etc/grid-security/lfcmgr/ as well?
>>>>>
>>>>> $ ll /etc/grid-security/lfcmgr | grep lfc
>>>>> -rw-r--r-- 1 lfcmgr lfcmgr 5423 May 30 13:58 lfccert.pem
>>>>> -r-------- 1 lfcmgr lfcmgr 1675 May 30 13:58 lfckey.pem
>>>>>
>>>>> Did you check the LFC troubleshooting page ?
>>>>> https://uimon.cern.ch/twiki/bin/view/LCG/LfcTroubleshooting
>>>>>
>>>>> Cheers, Sophie.
>>>>>
>>>>>
>>>>>
>>>>>> Hi Stephen,
>>>>>>
>>>>>> thanks for the quick reply:
>>>>>>
>>>>>> Burke, S (Stephen) wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> LHC Computer Grid - Rollout
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> [mailto:[log in to unmask]] On Behalf Of
>>>>>>>> Torsten Harenberg said:
>>>>>>>> Cns_serv: Could not establish security context:
>>>>>>>> server_establish_context_ext: Could not acquire the local
>>>>>>>> server credentials !
>>>>>>>>
>>>>>>>> No other log entries are written anymore.
>>>>>>>>
>>>>>>>> Does anybody know what it should tell me?
>>>>>>>>
>>>>>>>>
>>>>>>> Host certificate expired?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> unfortunately not - it's brand new:
>>>>>>
>>>>>> Certificate:
>>>>>> Data:
>>>>>> Version: 3 (0x2)
>>>>>> Serial Number: 2649 (0xa59)
>>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>>> Issuer: C=DE, O=GermanGrid, CN=GridKa-CA
>>>>>> Validity
>>>>>> Not Before: Oct 6 09:21:39 2006 GMT
>>>>>> Not After : Nov 5 09:21:39 2007 GMT
>>>>>> Subject: O=GermanGrid, OU=UniWuppertal, CN=host/grid-lfc.physik.uni-wuppertal.de
>>>>>>
>>>>>> But I had to replace the host certificate (explanation below)
>>>>>> and since approx. then it happened. I re-used the old one
>>>>>> (which was still valid), but the error stays.
>>>>>>
>>>>>> Hope that the problem is not again deep in SSL, we had trouble
>>>>>> with the FNAL VOMS server and it turned out that the German
>>>>>> host certificates missed the "SSL client" option. This was the
>>>>>> reason why I replaced the certificate by a new one, although
>>>>>> the old one is still valid.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Torsten
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>> ------- End of Original Message -------
>>>>
>>>>
>> ------- End of Original Message -------
>>
--
Steve Traylen
[log in to unmask]
CERN, IT-GD-OPS.
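As an added example that is not part of the thread above and not code from the LFC/LCG packages or from anyone posting here: a POSIX shell function that does the copy Steve proposes hooking into the init.d start and reload targets, with the checks a site admin would want before a rotation replaces a working pair. It assumes hostcert.pem/hostkey.pem under the source directory, the lfccert.pem/lfckey.pem names and the lfcmgr user and group from Sophie's listing; the 24-hour expiry margin, the temporary .new file names and the clientAuth warning are choices made in this example, not LFC behaviour.

```shell
#!/bin/sh
# Added example (not from the LFC/LCG packages or from anyone in the
# thread): install the host certificate and key into a per-service
# directory, as the LFC troubleshooting step requires for
# /etc/grid-security/lfcmgr, after checking that the pair is usable.
# Assumed: hostcert.pem/hostkey.pem in SRC_DIR, the lfcmgr user and
# group, and the lfccert.pem/lfckey.pem names quoted in the thread.

# install_service_cert SRC_DIR DST_DIR OWNER PREFIX
#   SRC_DIR/hostcert.pem -> DST_DIR/PREFIXcert.pem  mode 0644
#   SRC_DIR/hostkey.pem  -> DST_DIR/PREFIXkey.pem   mode 0400
# Files are owned by OWNER (chown is only attempted when running as root).
# Returns 1 without touching DST_DIR if the certificate is expired or the
# key does not belong to it, so a bad rotation never replaces a good pair.
install_service_cert() {
    src="$1"; dst="$2"; owner="$3"; prefix="$4"
    cert="$src/hostcert.pem"; key="$src/hostkey.pem"

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "install_service_cert: cannot read $cert or $key" >&2
        return 1
    fi

    # 1. Reject a certificate that has expired or expires within 24 hours
    #    (24h margin is a choice of this example); an expired or unreadable
    #    pair is what "Could not acquire the local server credentials"
    #    usually means from the daemon's side.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "install_service_cert: $cert is expired or expires within 24h" >&2
        return 1
    fi

    # 2. Reject a key that does not match the certificate (a classic
    #    rotation mistake: new cert copied, old key left behind).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "install_service_cert: $key does not match $cert" >&2
        return 1
    fi

    # 3. Warn, but do not fail, when the extended key usage lacks
    #    clientAuth; a service that also acts as a TLS client (the FNAL
    #    VOMS case in the thread) fails in confusing ways without it.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
            | grep -q 'TLS Web Client Authentication'; then
        echo "install_service_cert: warning: $cert lacks clientAuth EKU" >&2
    fi

    # 4. Copy to temporary names first, fix mode and owner, then rename,
    #    so a reader never sees a half-written or world-readable key.
    mkdir -p "$dst" || return 1
    newcert="$dst/${prefix}cert.pem.new"; newkey="$dst/${prefix}key.pem.new"
    ( umask 077; cp "$cert" "$newcert" && cp "$key" "$newkey" ) || return 1
    chmod 644 "$newcert" && chmod 400 "$newkey" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$newcert" "$newkey" || return 1
    fi
    mv -f "$newcert" "$dst/${prefix}cert.pem" && mv -f "$newkey" "$dst/${prefix}key.pem"
}

# Hook for the init.d script, as suggested above: run the copy from both
# the start and the reload targets (illustrative case labels).
#   start|reload)
#       install_service_cert /etc/grid-security /etc/grid-security/lfcmgr lfcmgr lfc || exit 1
#       ;;
```

Whether the running daemon then picks the new files up without a restart is a property of the service (Sophie states that for LFC and DPM it does); this function only makes the copy safe and repeatable, and refuses to overwrite a good pair with a broken one.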