Hi,
Step 1 is already done.
Step 2: already done in EGEE Broadcast. The certificate is published at
https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt
Cheers,
David.
Oscar Koeroo wrote:
> Hi,
>
> The installed VOMS certificate on the UI does not play any role in the
> voms-proxy-init -voms biomed sequence that he has performed. That is
> only an issue on the server side at the VOMS Server and at the sites.
>
> When the user executes voms-proxy-info -all or submits a job, the
> installed VOMS certificates will be used to verify the VOMS attributes'
> signatures.
>
>
> Actions to take (maybe already partially done):
> 1.) Revoke the certificate that is not used by the VOMS server in
> question (task for VOMS Admin and/or CA)
> 2.) The VOMS server admin must publish which certificate is in use
> (task VOMS Admin)
> 3.) The sites should install only that published certificate through
> the use of the set procedures. The sites may neglect the existence of
> the unused VOMS certificate after step 1 is done (task for VO
> collaboration and site sysadmins)
> 4.) Update the VOMS certificate on the user's UI. The job-submission
> tools will verify the VOMS attributes there first AFAIK (task user or
> sys admin of UI)
> 5.) The user should perform a new voms-proxy-init -voms <VO name here>
> and submit a job (task user)
> 6.) check logs at sites
>
> cheers,
>
> Oscar
>
> david bouvet wrote:
>> Hi Gonçalo,
>>
>> This confirms that the original user probably used a UI which still uses
>> the old certificate.
>>
>> To site admins who read this:
>>
>> please do not forget to change the public key of VOMS server
>> cclcgvomsli01.in2p3.fr on your UIs in /etc/grid-security/vomsdir.
>> The new one can be retrieved at:
>> https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt
>>
>>
>> Cheers,
>> David.
>>
>> Gonçalo Borges wrote:
>>> Hi again,
>>>
>>> I still haven't received feedback from the original user, but another
>>> user (David Aristegui), also belonging to the biomed VO, read my
>>> first email to the LCG-ROLLOUT and tried to submit to my site. He
>>> managed to run jobs and was correctly mapped to biomed pool accounts
>>> through VOMS:
>>>
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> LCMAPS 7: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> Initialization LCMAPS version 0.0.30
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-startPluginManager(): Reading LCMAPS database
>>> /opt/edg/etc/lcmaps/lcmaps.db
>>> LCMAPS 5: 2007-04-02.15:40:46.266982.0000021996.0000065441 : LCMAPS
>>> credential mapping request
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): found plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): running plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): found plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_localgroup.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): running plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_localgroup.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin
>>> succeeded
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): found plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_poolaccount.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): running plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_poolaccount.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps_plugin_voms_poolaccount-plugin_run(): voms_poolaccount plugin
>>> succeeded
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): found plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-runPlugin(): running plugin
>>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>>> LCMAPS 6: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps_plugin_posix_enf-log_cred():
>>> uid=7061(biomed061):pgid=7000(biomed)
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-lcmaps_run(): succeeded
>>> LCMAPS 7: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> Termination LCMAPS
>>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>>> lcmaps.mod-lcmaps_term(): terminating
>>> Notice: 5: Requested service: jobmanager-fork
>>> Notice: 5: Authorized as local user: biomed061
>>> Notice: 5: Authorized as local uid: 7061
>>> Notice: 5: and local gid: 7000
>>>
>>> I asked him which VOMS certificate he was using, and this is
>>> his reply:
>>>
>>>> David Garcia Aristegui wrote: Hello: I've executed a
>>>> "voms-proxy-init -voms biomed"
>>>>
>>>> The cert:
>>>> [david@villon examples]$ openssl x509 -text -noout -in
>>>> /etc/grid-security/vomsdir/cclcgvomsli01.in2p3.fr
>>>> Certificate:
>>>> Data:
>>>> Version: 3 (0x2)
>>>> Serial Number: 1881 (0x759)
>>>> Signature Algorithm: sha1WithRSAEncryption
>>>> Issuer: C=FR, O=CNRS, CN=GRID-FR
>>>> Validity
>>>> Not Before: Mar 1 14:01:52 2007 GMT
>>>> Not After : Mar 1 14:01:52 2008 GMT
>>>> Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON,
>>>> CN=cclcgvomsli01.in2p3.fr
>>>> Subject Public Key Info:
>>>> Public Key Algorithm: rsaEncryption
>>>> RSA Public Key: (1024 bit)
>>>> Modulus (1024 bit):
>>>> 00:d3:81:8b:c1:9e:ef:6f:e3:4e:36:5e:b8:5f:d3:
>>>> (...)
>>>>
>>>> Tell me if you need me to execute more tests.
>>>> Cheers.
>>>>
>>> So, I guess the problem is still on the original user side...
>>>
>>> Cheers
>>> Goncalo Borges
>>>
>>
--
David BOUVET
EGEE Project team
IN2P3/CNRS Computing Centre - Lyon (FRANCE)
http://grid.in2p3.fr
Tel. : +33 4 72 69 41 62 | Fax. : +33 4 72 69 41 70
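As an added example (not code from the thread or from the VOMS/LCMAPS projects), the check a site or UI admin can script for Oscar's steps 3 and 4: parse the `openssl x509 -text -noout` output quoted above and confirm that the certificate installed in /etc/grid-security/vomsdir carries the published serial and is inside its validity period. The expected serial 1881 and the sample text are taken from the quoted output; the script name and the decimal serial format are assumptions.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

# Serial of the published cclcgvomsli01.in2p3.fr certificate, as quoted in the thread.
EXPECTED_SERIAL = 1881

# Constructed sample: the relevant lines of the `openssl x509 -text -noout`
# output quoted in the thread (spacing as openssl prints it).
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Serial Number: 1881 (0x759)
        Issuer: C=FR, O=CNRS, CN=GRID-FR
        Validity
            Not Before: Mar  1 14:01:52 2007 GMT
            Not After : Mar  1 14:01:52 2008 GMT
        Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON, CN=cclcgvomsli01.in2p3.fr
"""

def parse_x509_text(text):
    """Pull serial, issuer, subject and validity out of `openssl x509 -text` output
    (assumes the decimal 'Serial Number: N (0xN)' form shown in the thread)."""
    fields = {}
    m = re.search(r"Serial Number:\s*(\d+)", text)
    fields["serial"] = int(m.group(1)) if m else None
    for key in ("Issuer", "Subject"):
        m = re.search(rf"^\s*{key}:\s*(.+?)\s*$", text, re.M)
        fields[key.lower()] = m.group(1) if m else None
    for key, label in (("not_before", "Not Before"), ("not_after", "Not After")):
        m = re.search(rf"{label}\s*:\s*(.+?)\s*$", text, re.M)
        fields[key] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z") if m else None
    return fields

def check_installed_cert(text, expected_serial=EXPECTED_SERIAL, now=None):
    """Return (ok, reason): ok only for the published serial inside its validity at `now` (naive UTC)."""
    cert = parse_x509_text(text)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    if cert["serial"] != expected_serial:
        return False, f"stale certificate: serial {cert['serial']}, expected {expected_serial}"
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, f"certificate not valid on {now:%Y-%m-%d} (expires {cert['not_after']:%Y-%m-%d})"
    return True, f"{cert['subject']} (serial {cert['serial']}) is the published certificate"

if __name__ == "__main__":
    # Usage: python check_vomsdir.py /etc/grid-security/vomsdir/cclcgvomsli01.in2p3.fr
    for path in sys.argv[1:]:
        out = subprocess.run(["openssl", "x509", "-text", "-noout", "-in", path],
                             capture_output=True, text=True, check=True).stdout
        print(path, *check_installed_cert(out))
```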