Folks
Please note that on your UI and RBs it is necessary to change the DN
of lcg-voms.cern.ch as given below.
This applies to VOMS servers for dteam, atlas, cms, alice, lhcb (and
less importantly ops).
Other issues:
1. The central LFC for dteam (at least) does not recognise proxies
signed by lcg-voms.cern.ch. See
https://gus.fzk.de/ws/ticket_info.php?ticket=22426.
2. The VOMS DNs given by yaimtool
(https://lcg-sft.cern.ch/yaimtool/yaimtool.py) are wrong. See
https://gus.fzk.de/ws/ticket_info.php?ticket=22444.
3. The VOMS DNs given in various YAIM example files are wrong. See
https://gus.fzk.de/ws/ticket_info.php?ticket=22445.
Cheers
Graeme
Begin forwarded message:
> From: Graeme Stewart <[log in to unmask]>
> Date: 24 May 2007 15:50:24 BDT
> To: [log in to unmask]
> Subject: Re: [Scotgrid-tech-discuss] Fwd: LAST WARNING: lcg-voms.cern.ch certificate will be changed on May 24th!
>
> Ah yes, well spotted.
>
> Can everyone please make sure their VOMS file for
> dteam-lcg-voms.cern.ch is:
>
> "dteam" "lcg-voms.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch" "dteam"
>
> i.e., with the DN updated.
>
> N.B. this needs to be changed in /opt/edg/etc/vomses and
> /opt/glite/etc/vomses so that both versions of voms-proxy-init (edg
> and glite flavours) work.
>
> Speaking to Greig has revealed that neither of us can get a proxy
> from voms.cern.ch, despite having the same configuration as Matt in
> Lancaster - this turned out to be an issue with the DN of
> voms.cern.ch changing way back last year. The correct configuration
> is:
>
> "dteam" "voms.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch" "dteam"
>
> And why was this? Because it's wrong in the VOs.def example
> distributed with YAIM. (It's correct in the sample site-info.def -
> but hard to pick up on that fact when trying to track changes.)
>
> The correct site-info.def entry is:
>
> VO_DTEAM_VOMSES="'dteam lcg-voms.cern.ch 15004 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch dteam' 'dteam voms.cern.ch 15004 /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch dteam'"
>
> N.B. it's also wrong in yaimtool
> (https://lcg-sft.cern.ch/yaimtool/yaimtool.py).
>
> I will raise a ticket about the poor information - in the meantime
> can you all ensure that your vomses directories contain the correct
> information...
>
> Oh bugger, in fact it's the wrong DN for all of the LHC VOs now.
>
> I offer the following, to be run in /opt/{glite,edg}/etc/vomses:
>
> # perl -i.bak -pe 's/\/C=CH\/O=CERN\/OU=GRID\/CN=host\//\/DC=ch\/DC=cern\/OU=computers\/CN=/' *
>
> Cheers
>
> Graeme
>
> On 24 May 2007, at 11:51, sskipsey wrote:
>
>> Graeme - I believe so. I have the emails you sent around
>> originally on the issue.
>>
>> By the way, I noticed that I didn't /just/ have to install the new
>> voms certificates - I also had to change the contents of some of
>> the vomses files in /opt/edg/etc/vomses/
>> I may have missed this being given as an instruction, but I
>> thought I'd mention it.
>>
>> Sam
--
Dr Graeme Stewart - http://wiki.gridpp.ac.uk/wiki/User:Graeme_stewart
ScotGrid - http://www.scotgrid.ac.uk/ http://scotgrid.blogspot.com/
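Added example (not part of the original e-mails): a read-only check for the vomses directories named above that reports entries still carrying the old `/C=CH/O=CERN/OU=GRID/CN=host/` DN prefix targeted by the perl one-liner. The function names, the status strings and the rule that the DN's CN must equal the host field are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit vomses entries without modifying them.
# An entry is five double-quoted fields: "alias" "host" "port" "server DN" "VO".

# Legacy DN prefix that the perl one-liner in the thread rewrites.
OLD_DN_PREFIX='/C=CH/O=CERN/OU=GRID/CN=host/'

# check_vomses_line LINE
# Prints OK, STALE_DN, CN_MISMATCH or MALFORMED; exit status is 0 only for OK.
check_vomses_line() {
    # Splitting on '"' puts the five values in fields 2, 4, 6, 8 and 10.
    printf '%s\n' "$1" | awk -F'"' -v old="$OLD_DN_PREFIX" '
        NF != 11 || $6 !~ /^[0-9]+$/ { print "MALFORMED"; exit 2 }
        index($8, old) == 1          { print "STALE_DN";  exit 1 }
        {
            # Assumption: the CN of the server DN names the host field.
            cn = $8; sub(/^.*\/CN=/, "", cn)
            if (cn != $4) { print "CN_MISMATCH"; exit 1 }
            print "OK"
        }'
}

# audit_vomses_dir DIR
# Prints file:line:STATUS for each entry that is not OK; exit status 1 if any.
audit_vomses_dir() (
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Skip the backups that "perl -i.bak" leaves next to the edited files.
        case $f in *.bak) continue ;; esac
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            [ -n "$line" ] || continue
            status=$(check_vomses_line "$line") || { echo "$f:$n:$status"; bad=1; }
        done < "$f"
    done
    exit "$bad"
)

# Usage: sh this-script /opt/glite/etc/vomses
if [ "$#" -gt 0 ]; then audit_vomses_dir "$1"; fi
```

Run it against both /opt/edg/etc/vomses and /opt/glite/etc/vomses before and after applying the rewrite; a non-zero exit status means at least one entry still needs attention.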