I have been slowly putting together an understanding of the VOMS certificate story, in particular for those sites with legacy gLite 3.1 nodes. My summary so far follows, and then some questions.
In theory on gLite 3.2 nodes there is no need for VOMS certificates, as '.lsc' files in '/opt/glite/yaim/etc/vo.d/' replace them completely, *except* for WMS, FTS and FTA nodes:
https://twiki.cern.ch/twiki/bin/view/LCG/VomsFAQforServiceManagers#How_to_get_rid_of_the_whole_host
However apparently if VOMS certificates are present, they must be correct.
In gLite 3.1 however it seems that VOMS certificates are necessary, and they should as a rule be installed in '/etc/grid-security/vomsdir/'. Another difference seems that 3.1 and 3.2 YAIM seems to require the
Also as to '.lsc' files I found on the server nodes I have inherited (almost all SL4/gLite 3.1) that certificates in there come from one of these sources (and there are slightly different subsets on different nodes):
* RPM ig-vomscerts-all-1.1
* RPM lcg-vomscerts
* RPM lcg-vomscerts-desy
* RPM voms.gridpp.ac.uk.hostcert.pem
Is the above a good list?
We also have a few certificates copied from various sources (at our site via manual download and Cfengine). Also it turns out that there are a few updates to the above RPMs that I have to install. One I am not sure about is lcg-vomscerts as there is an ETICS 6.3.0 but not in gLite (yet IIRC).
The main question is whether there is somewhere a good list of where to get the right '.lsc's "scriptably" and the same for VOMS certificate RPMs or the certificates themselves. I am aware of the VO list at
http://www.gridpp.ac.uk/wiki/GridPP_approved_VOs
but it seems somewhat out of date. What I am trying to get at is a relatively low-maintenance way of keeping the VOMS ".lsc"s and certificates current, a bit like the 'lcg-CA' package does at a higher level in the policy tree.