JISCMail - TB-SUPPORT Archives

Hello Chris,

These are the changes to site-info.def I've made. It's probably better 
that one site confirms first it work for them too (though it did for me 
but see ROLLOUT) before the others do it.

<--
VO_ALICE_VOMSES="alice lcg-voms.cern.ch 15000 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch alice"

VO_ATLAS_VOMSES="atlas lcg-voms.cern.ch 15001 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch atlas"

VO_CMS_VOMSES="cms lcg-voms.cern.ch 15002 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch cms"

VO_DTEAM_VOMSES="dteam lcg-voms.cern.ch 15004 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch dteam"

VO_LHCB_VOMSES="lhcb lcg-voms.cern.ch 15003 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch lhcb"

VO_OPS_VOMSES="ops lcg-voms.cern.ch 15009 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch ops"
-->

and then I ran the config_vomses yaim function, which created new files 
in /opt/edg/etc/vomses/ Note, that I removed first the old *.cern.ch 
files in that directory as the old files caused me some trouble.
                                                                                                 
The content of the new files that yaim generated is for example:

$ cat /opt/edg/etc/vomses/atlas-lcg-voms.cern.ch
"atlas" "lcg-voms.cern.ch" "15001" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch" "atlas"
$ cat /opt/edg/etc/vomses/dteam-lcg-voms.cern.ch
"dteam" "lcg-voms.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch" "dteam"
$


Yves



On Thu, 24 May 2007, Brew, CAJ (Chris) wrote:

> Hi,
> 
> If someone has already worked them out could the post the relavant lines
> from site-info.def.
> 
> Thanks,
> Chris. 
> 
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes 
> > [mailto:[log in to unmask]] On Behalf Of Graeme Stewart
> > Sent: 24 May 2007 16:11
> > To: [log in to unmask]
> > Subject: Issues from lcg-voms.cern.ch certificate change
> > 
> > Folks
> > 
> > Please note that on your UI and RBs it is necessary to change the DN  
> > of lcg-voms.cern.ch as given below.
> > 
> > This applies to VOMS servers for dteam, atlas, cms, alice, lhcb (and  
> > less importantly ops).
> > 
> > Other issues:
> > 
> > 1. The central LFC for dteam (at least) does not recognise proxies  
> > signed by lcg-voms.cern.ch. See 
> > https://gus.fzk.de/ws/ticket_info.php? 
> > ticket=22426.
> > 
> > 2. The VOMS DNs given by yaimtool (https://lcg-sft.cern.ch/yaimtool/ 
> > yaimtool.py) are wrong. See https://gus.fzk.de/ws/ticket_info.php? 
> > ticket=22444.
> > 
> > 3. The VOMS DNs given in various YAIM example files are wrong. See  
> > https://gus.fzk.de/ws/ticket_info.php?ticket=22445.
> > 
> > Cheers
> > 
> > Graeme
> > 
> > Begin forwarded message:
> > 
> > > From: Graeme Stewart <[log in to unmask]>
> > > Date: 24 May 2007 15:50:24 BDT
> > > To: [log in to unmask]
> > > Subject: Re: [Scotgrid-tech-discuss] Fwd: LAST WARNING: lcg- 
> > > voms.cern.ch	certificate will be changed on May 24th!
> > >
> > > Ah yes, well spotted.
> > >
> > > Can everyone please make sure their VOMS file for dteam-lcg- 
> > > voms.cern.ch is:
> > >
> > > "dteam" "lcg-voms.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/ 
> > > CN=lcg-voms.cern.ch" "dteam"
> > >
> > > i.e., with the DN updated.
> > >
> > > N.B. this needs to be changed in /opt/edg/etc/vomses and 
> > /opt/glite/ 
> > > etc/vomses so that both versions of voms-proxy-init (edg and glite  
> > > flavours) work.
> > >
> > > Speaking to Greig has revealed that neither of us can get a proxy  
> > > from voms.cern.ch, despite having the same configuration as 
> > Matt in  
> > > Lancaster - this turned out to be an issue with the DN of  
> > > voms.cern.ch changing way back last year. The correct 
> > configuration  
> > > is:
> > >
> > > "dteam" "voms.cern.ch" "15004" "/DC=ch/DC=cern/OU=computers/ 
> > > CN=voms.cern.ch" "dteam"
> > >
> > > And why was this? Because it's wrong in the VOs.def example  
> > > distributed with YAIM. (It's correct in the sample site-info.def -  
> > > but hard to pick up on that fact when trying to track changes.)
> > >
> > > The correct site-info.def entry is:
> > >
> > > VO_DTEAM_VOMSES="'dteam lcg-voms.cern.ch 15004 /DC=ch/DC=cern/ 
> > > OU=computers/CN=lcg-voms.cern.ch dteam' 'dteam voms.cern.ch 15004  
> > > DC=ch/DC=cern/OU=computers/CN=voms.cern.ch dteam'"
> > >
> > > N.B. it's also wrong in yaimtool (https://lcg-sft.cern.ch/yaimtool/ 
> > > yaimtool.py).
> > >
> > > I will raise a ticket about the poor information - in the meantime  
> > > can you all ensure that your vomses directories contain the 
> > correct  
> > > information...
> > >
> > > Oh bugger, in fact it's the wrong DN for all of the LHC VOs now.
> > >
> > > I offer the following, to be run in /opt/{glite,edg}/etc/vomses:
> > >
> > > # perl -i.bak -pe 's/\/C=CH\/O=CERN\/OU=GRID\/CN=host\//\/DC=ch\/ 
> > > DC=cern\/OU=computers\/CN=/' *
> > >
> > > Cheers
> > >
> > > Graeme
> > >
> > > On 24 May 2007, at 11:51, sskipsey wrote:
> > >
> > >> Graeme - I believe so. I have the emails you sent around  
> > >> originally on the issue.
> > >>
> > >> By the way, I noticed that I didn't /just/ have to install 
> > the new  
> > >> voms certificates - I also had to change the contents of some of  
> > >> the vomses files in /opt/edg/etc/vomses/
> > >> I may have missed this being given as an instruction, but I  
> > >> thought I'd mention it.
> > >>
> > >> Sam
> > 
> > --
> > Dr Graeme Stewart - http://wiki.gridpp.ac.uk/wiki/User:Graeme_stewart
> > ScotGrid - http://www.scotgrid.ac.uk/ http://scotgrid.blogspot.com/
> > 
>