Hi Peter,
I don't think there's a way to keep the .lsc files automatically
current, but then they should hardly ever change (exceptions are the
recent dteam change). As for the RPMs, the list is fine, but
lcg-vomscerts is at 6.3.0-1, they just don't put it in all the repos
anymore.
(I think I get mine from the WMS repo - there's no glite 3.2 version
for the WMS, hence the WMS will need these certs, no matter what).
Daniela
On 15 February 2011 15:39, Peter Grandi <[log in to unmask]> wrote:
> I have been slowly putting together an understanding of the VOMS certificate story. In particular for those sites with legacy gLite 3.1 nodes. My summary so far follows, and then some questions.
>
> In theory on gLite 3.2 nodes there is no need for VOMS certificates, as '.lsc' files in '/opt/glite/yaim/etc/vo.d/' replace them completely, *except* for WMS, FTS and FTA nodes:
>
> https://twiki.cern.ch/twiki/bin/view/LCG/VomsFAQforServiceManagers#How_to_get_rid_of_the_whole_host
>
> However apparently if VOMS certificates are present, they must be correct.
>
> In gLite 3.1 however it seems that VOMS certificates are necessary, and they should as a rule be installed in '/etc/grid-security/vomsdir/'. Another difference seems that 3.1 and 3.2 YAIM seems to require the
>
> Also as to '.lsc' files I found on the server nodes I have inherited (almost all SL4/gLite 3.1) that certificates in there come from one of these sources (and there are slightly different subsets on different nodes):
>
> * RPM ig-vomscerts-all-1.1
> * RPM lcg-vomscerts
> * RPM lcg-vomscerts-desy
> * RPM voms.gridpp.ac.uk.hostcert.pem
>
> Is the above a good list?
>
> We also have a few certificates copied from various sources (at our site via manual download and Cfengine). Also it turns out that there are a few updates to the above RPMs that I have to install. One I am not sure about is lcg-vomscerts as there is an ETICS 6.3.0 but not in gLite (yet IIRC).
>
> The main question is whether there is somewhere a good list of where to get the right '.lsc's "scriptably" and the same for VOMS certificate RPMs or the certificates themselves. I am aware of the VO list at
>
> http://www.gridpp.ac.uk/wiki/GridPP_approved_VOs
>
> but it seems somewhat out of date. What I am trying to get at is a relatively low-maintenance way of keeping the VOMS ".lsc"s and certificates current, a bit like the 'lcg-CA' package does at a higher level in the policy tree.
>
--
-----------------------------------------------------------
HEP Group/Physics Dep
Imperial College
Tel: +44-(0)20-75947810
http://www.hep.ph.ic.ac.uk/~dbauer/