Hi all,
the changed CA DN only affects people who use the VOMS admin web
interface. Those are:
- users who try to update/view their profiles
- VO admins or members with special permissions who administer the VO or
access restricted areas such as the ACL pages.
This does not affect the issuing of VOMS proxies, users with renewed
certificates are still able to get proxies (we use the --skipcacheck
option which Jens mentioned in his initial email, there's no equivalent
option for voms admin).
The best way of avoiding the problem is to add the new user DN / CA DN
combination as an additional certificate to the user's entry. This has
the advantage that the user keeps group memberships, role assignments
and attributes as compared to creating a new user entry either by
requesting new membership or being created by a VO admin.
A user can request that a new certificate be added by either
- uploading the new certificate file or
- specifying the certificate DN and CA DN
This request has to be submitted before the old certificate expires and
has to be approved by a VO admin.
VO admins can add the new certificates for their users as well, either
via the web interface (which is an unpleasant task if you have a lot of
users) or by using the voms admin command line client. I've put some
instructions on the NGS wiki on how VO admins can update the entries of
all their users with the new certificates:
http://wiki.ngs.ac.uk/index.php?title=VOMS_tools#Adding_new_DN.2FCA_certificate_combinations_in_case_of_CA_rollover
Some may ask now why I don't just do that for all VOs we're hosting. The
reason is that our main responsibility is to provide the service. We
host the VOs on behalf of the VO manager who requested the VO. Managing
the user base of the VO is the responsibility of the VO manager / VO
admins. We will not interfere with the running of the VO unless there's
no other way of solving a problem (e.g., the VO admin loses access to
the VO) and it's authorised by the VO manager or a VO admin. Requests of
ordinary VO users or others should go to the VO admins first and we will
forward such requests to them. If the VO admins have problems they are
welcome to ask us for help.
Cheers,
Robert
On 22/03/12 14:37, Christopher J.Walker wrote:
> On 22/03/12 14:10, John Gordon wrote:
>> Jeremy, Chris was asking about the UK VOMS.
>
> Indeed I was.
>
>> Were the same changes made?
>
> I've just filed:
> https://ggus.eu/ws/ticket_info.php?ticket=80535
>
> asking for them to be made. I'm not sure I've been particularly clear on
> what changes need to be made though. We'll see if I get asked for more
> information.
>
> Chris
>
>>
>> John
>>
>>> -----Original Message-----
>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>> [log in to unmask]] On Behalf Of Jeremy Coles
>>> Sent: 22 March 2012 14:09
>>> To: [log in to unmask]
>>> Subject: Re: Update on the CERN VOMS problem
>>>
>>> I think everyone should have got an email (easily missed) at the time
>>> informing them of the change.
>>>
>>> Jeremy
>>>
>>>
>>> On 22 Mar 2012, at 13:11, John Gordon wrote:
>>>
>>>> For the CERN and dteam VOMS, everyone with a valid UK old cert had the new one added.
>>>>
>>>> John
>>>>
>>>>> -----Original Message-----
>>>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>>> [log in to unmask]] On Behalf Of Christopher J.Walker
>>>>> Sent: 22 March 2012 12:39
>>>>> To: [log in to unmask]
>>>>> Subject: Re: Update on the CERN VOMS problem
>>>>>
>>>>> On 14/12/11 14:50, Steve Traylen wrote:
>>>>>> On Dec 14, 2011, at 3:37 PM, John Gordon wrote:
>>>>>>
>>>>>>> Steve, are you also adding the entries for people who haven't yet renewed their certs?
>>>>>>
>>>>>> Yes.
>>>>>>
>>>>>> To be precise it's the people in the DB with a "CN=UK e-Science CA" who have not already added their 2B selves
>>>>>> already. The other dates such as the AUP signing date (valid for one year) are associated with the user rather
>>>>>> than the individual CA identity.
>>>>>>
>>>>>> So e.g. if their "UK e-Science CA" is suspended because they have not signed the AUP recently enough then
>>>>>> their "2B" will be in the same state. They can use either identity now to sign the AUP at any point which will be on
>>>>>> both of themselves.
>>>>>>
>>>>>> Members can at their leisure switch their primary certificate to be "2B" and delete their old selves but other than for
>>>>>> the purposes of removing junk this is irrelevant if their old selves remain.
>>>>>>
>>>>>> Maybe that makes sense.
>>>>>>
>>>>>
>>>>> I've just hit what sounds like the same problem with the gridpp voms
>>>>> server.
>>>>>
>>>>> I now have a 2B certificate.
>>>>>
>>>>> voms-proxy-init --voms snoplus.snolab.ca works fine.
>>>>>
>>>>> If I look at:
>>>>>
>>>>> https://voms.gridpp.ac.uk:8443/voms/snoplus.snolab.ca/register/start.action
>>>>>
>>>>> There are things I can't see, and if I try to remove the pilot role
>>>>> from myself, I have Insufficient privileges.
>>>>>
>>>>> I can however see that the privileges were granted with the old CA.
>>>>>
>>>>> Is there something that can/should be done to the VOMS server -
>>>>> presumably I won't be the only one hitting this.
>>>>>
>>>>> Chris
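Robert's procedure (add the new DN / CA DN pair to the existing user entry) and Steve's criterion in the quoted thread (members with an old "CN=UK e-Science CA" certificate and no "2B" one yet), as an added example that is not code from the thread or from the NGS wiki: it takes a constructed export of a VO's user/certificate entries, lists the members still lacking the new pair, and renders the voms-admin calls for an admin to review. The "2B" CA DN and the add-certificate argument order are assumptions.

```python
# Added example, not from the thread: from an export of a VO's user and
# certificate entries, find members who still hold only an old-CA
# certificate and need the new DN / CA DN pair added to their entry.
import shlex
from collections import defaultdict

# The old CA DN is named in the thread; the "2B" DN is an assumption and
# should be checked against the CA's published distribution.
OLD_CA = "/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"
NEW_CA = "/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B"
OTHER_CA = "/DC=example/CN=Some Other Grid CA"  # constructed
# Constructed sample export: (VO user id, certificate subject DN, issuing CA DN).
SAMPLE_CERTS = [
    (1, "/C=UK/O=eScience/OU=SiteA/L=Physics/CN=alice", OLD_CA),
    (2, "/C=UK/O=eScience/OU=SiteB/L=Physics/CN=bob", OLD_CA),
    (2, "/C=UK/O=eScience/OU=SiteB/L=Physics/CN=bob", NEW_CA),  # already added
    (3, "/DC=example/OU=Users/CN=carol", OTHER_CA),               # not affected
    (4, "/C=UK/O=eScience/OU=SiteC/L=Physics/CN=dave", NEW_CA),  # joined with 2B
]

def rollover_gaps(certs, old_ca=OLD_CA, new_ca=NEW_CA):
    """Return {user_id: [subject DN, ...]} for users holding an old-CA
    certificate whose subject has no new-CA certificate on the same entry."""
    by_user = defaultdict(set)
    for uid, dn, ca in certs:
        by_user[uid].add((dn, ca))
    gaps = {}
    for uid, pairs in sorted(by_user.items()):
        missing = sorted(dn for dn, ca in pairs
                         if ca == old_ca and (dn, new_ca) not in pairs)
        if missing:
            gaps[uid] = missing
    return gaps

def add_certificate_cmds(gaps, vo, host, old_ca=OLD_CA, new_ca=NEW_CA):
    """Render one voms-admin call per missing certificate, to review before
    running. The order 'add-certificate USER_DN USER_CA NEW_DN NEW_CA' is
    an assumption about the client; confirm it with 'voms-admin --help'."""
    cmds = []
    for dns in gaps.values():
        for dn in dns:
            args = [vo, host, dn, old_ca, dn, new_ca]
            cmds.append("voms-admin --vo %s --host %s add-certificate %s %s %s %s"
                        % tuple(shlex.quote(a) for a in args))
    return cmds

if __name__ == "__main__":
    gaps = rollover_gaps(SAMPLE_CERTS)
    print("\n".join(add_certificate_cmds(gaps, "snoplus.snolab.ca", "voms.gridpp.ac.uk")))
```

Users who have only a new-CA certificate (new members) or certificates from an unaffected CA are left alone; only old-CA subjects without a matching "2B" entry are reported.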