Hi,

The installed VOMS certificate on the UI does not play any role in the 
voms-proxy-init -voms biomed sequence that he has performed. That is 
only an issue on the server side at the VOMS Server and at the sites.

When the user executes voms-proxy-info -all or submits a job, the 
installed VOMS certificates will be used to verify the VOMS attributes' 
signatures.


Actions to take (may already be done partially):
1.) Revoke the certificate that is not used by the VOMS server in 
question (task for VOMS Admin and/or CA)
2.) The VOMS server admin must publish which certificate is in use (task 
VOMS Admin)
3.) The sites should install only that published certificate through the 
use of the set procedures. The sites may neglect the existence of the 
unused VOMS certificate after step 1. is done (task for VO collaboration 
and site sysadmins)
4.) Update the VOMS certificate on the user's UI. The job-submission 
tools will verify the VOMS attributes there first AFAIK (task user or 
sys admin of UI)
5.) The user should perform a new voms-proxy-init -voms <VO name here> 
and submit a job (task user)
6.) check logs at sites


cheers,

	Oscar




david bouvet wrote:
> Hi Gonçalo,
> 
> This confirms that the original user probably used a UI which still uses 
> the old certificate.
> 
> To site admins who read this:
> 
>    please do not forget to change public key of VOMS server 
> cclcgvomsli01.in2p3.fr on your UIs in /etc/grid-security/vomsdir
>    The new one can be retrieved at:
> https://cic.gridops.org/common/all/documents/VOMS/biomed-VOMSPublicKey-20070328-143040.txt
> 
> 
> Cheers,
> David.
> 
> 
> Gonçalo Borges wrote:
>> Hi again,
>>
>> I still didn't receive feedback from the original user but another 
>> user (David Aristegui), also belonging to the biomed VO, read my first 
>> email to the LCG-ROLLOUT and tried to submit to my site. He managed to 
>> run jobs and was correctly mapped to biomed pool accounts through VOMS:
>>
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :
>> LCMAPS 7: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> Initialization LCMAPS version 0.0.30
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-startPluginManager(): Reading LCMAPS database 
>> /opt/edg/etc/lcmaps/lcmaps.db
>> LCMAPS 5: 2007-04-02.15:40:46.266982.0000021996.0000065441 : LCMAPS 
>> credential mapping request
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): found plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): running plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :    
>> lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): found plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_localgroup.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): running plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_localgroup.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :    
>> lcmaps_plugin_voms_localgroup-plugin_run(): voms_localgroup plugin 
>> succeeded
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): found plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_poolaccount.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): running plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_voms_poolaccount.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :    
>> lcmaps_plugin_voms_poolaccount-plugin_run(): voms_poolaccount plugin 
>> succeeded
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): found plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-runPlugin(): running plugin 
>> /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
>> LCMAPS 6: 2007-04-02.15:40:46.266982.0000021996.0000065441 :     
>> lcmaps_plugin_posix_enf-log_cred(): uid=7061(biomed061):pgid=7000(biomed)
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 :    
>> lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-lcmaps_run(): succeeded
>> LCMAPS 7: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> Termination LCMAPS
>> LCMAPS 0: 2007-04-02.15:40:46.266982.0000021996.0000065441 : 
>> lcmaps.mod-lcmaps_term(): terminating
>> Notice: 5: Requested service: jobmanager-fork
>> Notice: 5: Authorized as local user: biomed061
>> Notice: 5: Authorized as local uid: 7061
>> Notice: 5:           and local gid: 7000
>>
>> I asked him what was the VOMS certificate he was using and this is his 
>> reply:
>>
>> David Garcia Aristegui wrote:
>>> Hello: I've executed a "voms-proxy-init 
>>> -voms biomed"
>>>
>>> The cert:
>>> [david@villon examples]$ openssl x509 -text -noout -in 
>>> /etc/grid-security/vomsdir/cclcgvomsli01.in2p3.fr
>>> Certificate:
>>>    Data:
>>>        Version: 3 (0x2)
>>>        Serial Number: 1881 (0x759)
>>>        Signature Algorithm: sha1WithRSAEncryption
>>>        Issuer: C=FR, O=CNRS, CN=GRID-FR
>>>        Validity
>>>            Not Before: Mar  1 14:01:52 2007 GMT
>>>            Not After : Mar  1 14:01:52 2008 GMT
>>>        Subject: O=GRID-FR, C=FR, O=CNRS, OU=CC-LYON, 
>>> CN=cclcgvomsli01.in2p3.fr
>>>        Subject Public Key Info:
>>>            Public Key Algorithm: rsaEncryption
>>>            RSA Public Key: (1024 bit)
>>>                Modulus (1024 bit):
>>>                    00:d3:81:8b:c1:9e:ef:6f:e3:4e:36:5e:b8:5f:d3:
>>> (...)
>>>
>>> Tell me if you need me to execute more tests.
>>> Cheers.
>>>
>> So, I guess the problem is still on the original user side...
>>
>> Cheers
>> Goncalo Borges
>>
>
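
For step 6 of the action list ("check logs at sites") and the LCMAPS excerpt quoted in the thread, here is an added example that is not part of the original messages: a small Python summarizer that reports, per mapping request, whether the voms plugin logged success and which pool account was assigned. It assumes the token after the log level is constant for one request, and it only flags plugins that ran without a "succeeded" line, because the thread shows no failure messages to match on.

```python
import re

# Constructed sample: REQ_A is the excerpt quoted above with the e-mail wrapping
# undone (abridged); REQ_B is invented: voms plugin starts, never logs success.
REQ_A = "2007-04-02.15:40:46.266982.0000021996.0000065441"
REQ_B = "2007-04-02.15:52:10.000000.0000022010.0000065441"
SAMPLE_LOG = f"""\
LCMAPS 5: {REQ_A} : LCMAPS credential mapping request
LCMAPS 0: {REQ_A} : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
LCMAPS 0: {REQ_A} :    lcmaps_plugin_voms-plugin_run(): voms plugin succeeded
LCMAPS 0: {REQ_A} : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_posix_enf.mod
LCMAPS 6: {REQ_A} :     lcmaps_plugin_posix_enf-log_cred(): uid=7061(biomed061):pgid=7000(biomed)
LCMAPS 0: {REQ_A} :    lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded
LCMAPS 0: {REQ_A} : lcmaps.mod-lcmaps_run(): succeeded
LCMAPS 5: {REQ_B} : LCMAPS credential mapping request
LCMAPS 0: {REQ_B} : lcmaps.mod-runPlugin(): running plugin /opt/edg/lib/lcmaps/modules/lcmaps_voms.mod
"""

LINE = re.compile(r"^LCMAPS\s+\d+:\s+(\S+)\s+:\s*(.*)$")
RUNNING = re.compile(r"running plugin \S*/lcmaps_(\w+)\.mod")
SUCCEEDED = re.compile(r"\(\): (\w+) plugin succeeded")
CRED = re.compile(r"uid=(\d+)\((\w+)\):pgid=(\d+)\((\w+)\)")

def summarize(log_text):
    """Group lines by the token after the level (assumed constant per request)."""
    reqs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # e.g. the gatekeeper's "Notice:" lines
        key, msg = m.groups()
        r = reqs.setdefault(key, {"ran": [], "ok": set(), "account": None, "done": False})
        if (p := RUNNING.search(msg)):
            r["ran"].append(p.group(1))
        elif (p := SUCCEEDED.search(msg)):
            r["ok"].add(p.group(1))
        elif (p := CRED.search(msg)):
            r["account"] = (int(p.group(1)), p.group(2), int(p.group(3)), p.group(4))
        elif msg.endswith("lcmaps_run(): succeeded"):
            r["done"] = True
    return reqs

def voms_mapped(req):
    """True only if voms logged success, the run completed, and an account was logged."""
    return "voms" in req["ok"] and req["done"] and req["account"] is not None

def unconfirmed(req):
    """Plugins that started but have no matching 'succeeded' line."""
    return [p for p in req["ran"] if p not in req["ok"]]
```
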