Peter Grandi wrote:
> I have been slowly putting together an understanding of the VOMS certificate story. In particular for those sites with legacy gLite 3.1 nodes. My summary so far follows, and then some questions.
>
> In theory on gLite 3.2 nodes there is no need for VOMS certificates, as '.lsc' files in '/opt/glite/yaim/etc/vo.d/'
> replace them completely, *except* for WMS, FTS and FTA nodes:
>
> https://twiki.cern.ch/twiki/bin/view/LCG/VomsFAQforServiceManagers#How_to_get_rid_of_the_whole_host
>
> However apparently if VOMS certificates are present, they must be correct.
>
I have some out of date ones on ce03 and lcg-CE, but I'm not aware of
problems that it is causing. I can't speak for other node types.
> In gLite 3.1 however it seems that VOMS certificates are necessary,
Untrue on an lcg-CE where .lsc files work fine (at least for me).
If you are using YAIM, then for VOs with multiple VOMS servers, you need
to list a CA for each - otherwise they won't work.
https://gus.fzk.de/ws/ticket_info.php?ticket=63614
Clearly, if you've got the .lsc file wrong, it may be falling through to
the certificate.
> and they should as a rule be installed in '/etc/grid-security/vomsdir/'. Another difference seems that 3.1 and 3.2 YAIM seems to require the
>
> Also as to '.lsc' files I found on the server nodes I have inherited (almost all SL4/gLite 3.1) that certificates in there come from one of these sources (and there are slightly different subsets on different nodes):
>
> * RPM ig-vomscerts-all-1.1
> * RPM lcg-vomscerts
> * RPM lcg-vomscerts-desy
> * RPM voms.gridpp.ac.uk.hostcert.pem
>
> Is the above a good list?
>
> We also have a few certificates copied from various sources (at our site via manual download and Cfengine). Also it turns out that there are a few updates to the above RPMs that I have to install. One I am not sure about is lcg-vomscerts as there is an ETICS 6.3.0 but not in gLite (yet IIRC).
>
> The main question is whether there is somewhere a good list of where to get the right '.lsc's "scriptably" and the same for VOMS certificate RPMS or the certificates themselves. I am aware of the VO list at
>
> http://www.gridpp.ac.uk/wiki/GridPP_approved_VOs
>
> but it seems somewhat out of date.
If you can point out where, I'm sure someone here will be along to fix it.
There's an argument for a repository (or indeed a package) of vo.d/
directory snippets. IIRC the cic portal even had a way of generating them.
> What I am trying to get at is a relatively low-maintenance way of keeping the VOMS ".lsc"s and certificates current, a bit like the 'lcg-CA' package does at a higher level in the policy tree.
Getting the .lsc files correct, so that you won't need to bother with the
certificates, would seem to be a good start.
Chris
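Since a wrong .lsc file makes VOMS validation fall through to the certificate, a quick sanity check of the vomsdir is useful. The following shell script is an added example, not from this thread or from the gLite/VOMS code; it assumes the usual /etc/grid-security/vomsdir/<vo>/<host>.lsc layout, .lsc files holding subject/issuer DN pairs with "------" lines separating chains, and paths without whitespace.

```shell
#!/bin/sh
# Added example: flag malformed .lsc files under a vomsdir tree.
# Each chain in an .lsc is the VOMS server host certificate subject DN
# followed by its issuer (CA) DN, one DN per line; a site with several
# VOMS servers for a VO has one .lsc per server (assumed layout).
# An odd number of DN lines means a CA entry is missing, which is the
# case where validation silently falls back to the old certificate lookup.

check_lsc() {
    f="$1"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'------'*) continue ;;          # blank line or chain separator
            /*) n=$((n + 1)) ;;                # a DN always starts with '/'
            *) echo "$f: line does not look like a DN: $line" >&2; return 1 ;;
        esac
    done < "$f"
    if [ "$n" -lt 2 ] || [ $((n % 2)) -ne 0 ]; then
        echo "$f: expected subject/issuer DN pairs, found $n DN line(s)" >&2
        return 1
    fi
    return 0
}

# Walk a vomsdir and report every broken .lsc; returns non-zero if any fail.
check_vomsdir() {
    rc=0
    for f in $(find "$1" -name '*.lsc'); do
        check_lsc "$f" || rc=1
    done
    return $rc
}
```

Run it as `check_vomsdir /etc/grid-security/vomsdir` from cron or Cfengine and act on a non-zero exit.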