Hi,
Re: Change of a VOMS server certificate (voms-01.pd.infn.it), i.e. CDF,
PLANCK etc.
I haven't forgotten this change (see below), and I'll update the
Approved VOs soon.
Unfortunately, at present, there is a bug that's stopping it.
https://ggus.eu/index.php?mode=ticket_info&ticket_id=118651
But it will be fixed soon.
Steve
-------- Forwarded Message --------
Subject: [ EGI BROADCAST ] Change of a VOMS server certificate (voms-01.pd.infn.it)
Date: Mon, 14 Dec 2015 14:38:44 +0100
From: EGI BROADCAST <[log in to unmask]>
To: VO supporting sites/planck <[log in to unmask]>
---------------------------------------------------------------------------------------------------------------
EGI BROADCAST TOOL : https://operations-portal.egi.eu/broadcast
---------------------------------------------------------------------------------------------------------------
Publication from : Sergio Traldi <[log in to unmask]>
Targets : VO supporting sites/planck <[log in to unmask]>
----------------------------------------------------------------------------------------------------------------
Dear site managers,
Starting from the 3rd November 2015 the INFN CA is using a new root certificate.
Unfortunately this change, in particular the fact that there is a *change of the CA DN*, creates issues for the VOs managed through VOMS servers that acquired new server certificates released recently by the INFN CA.
At this moment we have a new server certificate for the voms-01.pd.infn.it, that is supporting the following VOs:
• argo
• cdf
• compchem
• enea
• gridit
• inaf
• infngrid
• pamela
• planck
• theophys
• virgo
Therefore the configuration of grid services (SEs, CEs, UIs, WNs, ...) must be updated to ensure the correct function with the VO proxy certificates.
We would like to kindly ask you to update the LSC files (in /etc/grid-security/vomsdir/"vo_name"/) to match the configuration described here:
https://voms-01.pd.infn.it:8443/voms/"vo_name"/configuration/configuration.action
Please replace "vo_name" with the actual VO name from the ones listed above.
You get this email because your site supports at least one VO hosted on this server or you are a VO-manager of one of the interested VOs (just for information).
Below there are some details that can help you:
The steps to be followed in order to update the .lsc file are the following:
a. For services whose configuration is done using *YAIM*:
- Update the /"path_to"/"your_site_info.def" or /"path_to"/vo.d/"vo_name_file" to contain the new CA_DN, for the respective VOs.
For example, for the VO argo, there should be present the following lines:
SW_DIR=$VO_SW_DIR/argo
DEFAULT_SE=$SE_HOST
STORAGE_DIR=$CLASSIC_STORAGE_DIR/argo
VOMS_SERVERS="'vomss://voms.cnaf.infn.it:8443/voms/argo?/argo' 'vomss://voms-01.pd.infn.it:8443/voms/argo?/argo'"
VOMSES="'argo voms.cnaf.infn.it 15012 /C=IT/O=INFN/OU=Host/L=CNAF/CN=voms.cnaf.infn.it argo' 'argo voms-01.pd.infn.it 15012 /C=IT/O=INFN/OU=Host/L=Padova/CN=voms-01.pd.infn.it argo'"
VOMS_CA_DN="'/C=IT/O=INFN/CN=INFN Certification Authority' '/C=IT/O=INFN/CN=INFN CA'"
- Reconfigure the node by using only the config_vomsdir function:
# /opt/glite/yaim/bin/yaim -d 6 -r -s /"path_to"/"your_site_info.def" -f config_vomsdir
- Check that the resulting .lsc file is correct:
# cat /etc/grid-security/vomsdir/argo/voms-01.pd.infn.it.lsc
/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms-01.pd.infn.it
/C=IT/O=INFN/CN=INFN Certification Authority
b. For services whose configuration is *NOT done through YAIM*, please update your configuration tools, if any, to correctly set the content of the .lsc file for the respective VOs and the VOMS server indicated, like in the example:
# cat /etc/grid-security/vomsdir/argo/voms-01.pd.infn.it.lsc
/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms-01.pd.infn.it
/C=IT/O=INFN/CN=INFN Certification Authority
All the Best,
Sergio Traldi
for the NGI_IT
----------------------------------------------------------------------------------------------------------------
link to this broadcast : https://operations-portal.egi.eu/broadcast/archive/id/1321
----------------------------------------------------------------------------------------------------------------
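Added example, not part of the original broadcast or of the covering message: a shell check for the "check that the .lsc file is correct" step, run over several VOs at once instead of one `cat` per VO. The function names `lsc_status` and `audit_vomsdir` are hypothetical, the expected DNs are copied from the broadcast's example, and a single chain per .lsc file is assumed.

```shell
#!/bin/sh
# Added example: audit one VOMS host's .lsc file across several VOs.
# Assumes a single chain per file, as in the broadcast's example:
# first non-empty line = server certificate subject DN, next = issuing CA DN.

# lsc_status FILE SUBJECT_DN ISSUER_DN  (hypothetical helper)
# Prints OK, MISSING, BAD_SUBJECT or BAD_ISSUER; non-zero unless OK.
lsc_status() {
    [ -r "$1" ] || { echo MISSING; return 1; }
    # Strip CRs, trailing whitespace and blank lines; keep the first two DNs.
    dns=$(tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d' | head -n 2)
    got_subject=$(printf '%s\n' "$dns" | sed -n 1p)
    got_issuer=$(printf '%s\n' "$dns" | sed -n 2p)
    [ "$got_subject" = "$2" ] || { echo BAD_SUBJECT; return 1; }
    [ "$got_issuer" = "$3" ] || { echo BAD_ISSUER; return 1; }
    echo OK
}

# audit_vomsdir VOMSDIR HOST SUBJECT_DN ISSUER_DN VO...  (hypothetical helper)
# Prints one "vo status" line per VO; returns non-zero if any VO is not OK.
audit_vomsdir() {
    dir=$1 host=$2 subject=$3 issuer=$4
    shift 4
    rc=0
    for vo in "$@"; do
        status=$(lsc_status "$dir/$vo/$host.lsc" "$subject" "$issuer") || rc=1
        echo "$vo $status"
    done
    return "$rc"
}

# Expected values copied from the broadcast's example; confirm them against
# the VO's configuration page before relying on them.
HOST=voms-01.pd.infn.it
SUBJECT='/C=IT/O=INFN/OU=Host/L=CNAF/CN=voms-01.pd.infn.it'
ISSUER='/C=IT/O=INFN/CN=INFN Certification Authority'

# Usage: sh check_lsc.sh /etc/grid-security/vomsdir argo cdf planck
if [ "$#" -ge 2 ]; then
    vomsdir=$1; shift
    audit_vomsdir "$vomsdir" "$HOST" "$SUBJECT" "$ISSUER" "$@"
fi
```

A BAD_ISSUER result is what a node still carrying the previous CA DN in its .lsc file would report; MISSING means the VO directory has no .lsc file for this host.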