Hi
Chris rightly pointed out that .lsc does work for lcg-CE and vomscerts works for creamce too. Both lcg-CE and creamce look for the .lsc file first and, if that fails, then check vomscerts. I don't think there was any problem with the use of .lsc files by lcg-CE for a long time if the .lsc files were configured properly.
In glite 3.1, lcg-vomscerts was installed by default with lcg-CE, so nobody noticed this issue even if .lsc was not present or was misconfigured. In glite 3.2, since lcg-vomscerts is not present in the repository, it is not installed with creamce.
There was another issue with the gridpp and ngs VOs, but it was due to a bug in the voms server and it was related to the presence of emailaddress in the host certificate of the voms server. I am not sure about the status of that bug.
Cheers
Kashif
-----Original Message-----
From: Testbed Support for GridPP member institutes [mailto:[log in to unmask]] On Behalf Of Christopher J.Walker
Sent: 09 February 2011 11:04
To: [log in to unmask]
Subject: Re: LFC down?
Alessandra Forti wrote:
>> Perhaps UoM would be nice to chase the LCG people to ensure that their
>> updated certificates are added to the 'lcg-vomscerts' package. I wonder
>> which other VOMS servers are in the same situation.
>
> Only LHC experiments and biomed VOMS certificates are included in
> lcg-vomscerts rpm. Other VOs have to find their own solutions.
>
> The requirement of having a host certificate for VOMS on each service
> has always been a pain. This is why .lsc files were introduced in the
> first place, however it is taking several years to migrate all the
> services to this method operationally simpler.
Agreed.
> Still now it's not clear
> which services use what, for example it seems, from observed behaviour,
> the CREAM CE now uses only .lsc files so whether the certificate is
> there or not doesn't make any difference. DPM/WMS/LFC can use both (but
> perhaps it depends on the version) and lcg-CE still uses only the
> certificate AFAIK.
QMUL's lcg-CE ce03.esc.qmul.ac.uk uses the .lsc files. Well strictly,
the pem files are there, but all but voms.gridpp.ac.uk.hostcert.pem have
now expired (and that's presumably the one that has just been replaced).
In other words, lsc files work on lcg-CEs.
I do occasionally hear people complaining about things not working, but
the only problem I've come across is that if you use YAIM and have two
servers, you also need to remember to have two certificate authorities
listed.
If there are problems with ce03, then please do report them.
> The situation is not that simple and a cert
> update/replacement has rarely passed without a number of jobs crashing
> (even from LHC VOs) even if announced. Some sites have updated now to
> the "new" GridPP VOMS DN that was changed >2 years ago and announced a
> number of times only because you opened tickets about phenogrid jobs.
That affected .lsc files too of course (but is another reason for trying
to avoid changing things).
Chris