EPP Grid - HOW-TO set up a gLite VOMS server and a VOMRS server



HOW-TO set up a gLite VOMS server and a VOMRS server

Introduction


This HOW-TO will describe the process of setting up gLite VOMS (gLite r1.4) and VOMRS (v 1.2).

gLite VOMS


  • Start from a base installation of Scientific Linux 3.0.5 (I chose the minimal installation option).

  • download the VOMS installation script

wget http://glite.web.cern.ch/glite/packages/R1.4/R20050916/installers/glite-voms-server-mysql_installer.sh

  • for some reason, the installer doesn't "get" the required dependencies, so you'll need to get them yourself. Edit the apt sources file to include the following repositories:

rpm http://linuxsoft.cern.ch  cern/slc305/i386/apt  os updates extras
rpm-src http://linuxsoft.cern.ch  cern/slc305/i386/apt  os updates extras
rpm http://grid-deployment.web.cern.ch/grid-deployment/gis apt/LCG-2_6_0/sl3/en/i386 lcg_sl3 lcg_sl3.updates

  • get the necessary packages

apt-get update
apt-get install 4Suite perl-DateManip perl-URI  perl-XML-Parser perl-libwww-perl perl-libxml-enno

  • run the installation script

bash glite-voms-server-mysql_installer.sh

At this point the script should commence downloading the required packages, and, provided the dependencies have been satisfied, will begin to install them. If there were errors (probably only dependency errors at this point), resolve them prior to continuing.

  • set the mysql root password

mysqladmin -u root password 'someSecretPassword'

  • cd /opt/glite/etc/config

  • cp templates/*.xml .

  • edit the files for your site.

Some notes from my own installation.

1) There should be 6 config files:
glite-global.cfg.xml
glite-rgma-servicetool.cfg.xml
glite-voms-server.cfg.xml
security_checks.cfg.xml
glite-rgma-common.cfg.xml
glite-security-utils.cfg.xml

A seventh file "glite-rgma-servicetool-serviceName.cfg.xml" is not needed. Some notes I found from LCG stated this. I don't remember seeing a reason why.

2) Some specific notes regarding the files (I don't have reasons for some of these so there's no point asking : )

Unless specified, the defaults for any other variables should be fine.

glite-global.cfg.xml:
site.config.url can be left blank unless you have a global site configuration file somewhere (read the gLite documentation - www.glite.org)
JAVA_HOME needs to be set correctly

glite-rgma-servicetool.cfg.xml:
rgma.server.hostname, rgma.schema.hostname and rgma.registry.hostname can be set to "localhost"
rgma.secure.mode is set to "false"

glite-rgma-common.cfg.xml:
rgma.servicetool.sitename is set to "localhost"

glite-security-utils.cfg.xml:
cron.mailto is the email address to whom cron notifications should be sent

glite-voms-server.cfg.xml:
voms.db.type set to "mysql"
voms.db.host set to the hostname of the server running the VOMS server - note that a hostname with a dash (e.g. lcg-voms) will cause problems for VOMRS
voms.admin.smtp.host set to the name of your institution's smtp server
voms.mysql.admin.password - the mysql database password - should be the same password as set earlier - remember, this password is stored in a plain text file
voms.port.number set to the port on which you want voms to listen

In the section on configuring VO instances:

voms.vo.name set to the name of the VO
voms.db.name set to the name of the mysql database
voms.db.user.name set to "root" - you should be able to specify another user for the database although I couldn't get it to work so I went for root
voms.db.user.password set to the same password as the mysql server
voms.admin.notification.e-mail set to the email address of the VOMS server administrator
voms.admin.certificate set to the location of the administrator's Grid certificate (e.g. /root/admin-usercert.pem)

In the section on configuring the RGMA service tool:

rgma.servicetool.enable set to false

  • log out and log back in so that you get a gLite environment

  • install the host certificate and key in /etc/grid/security

Remember to install the Certificate Authority certificate, signing policy and CRL if you are using a CA which is not yet recognised by LCG (and thus not distributed with it).

  • run the configuration script

cd /opt/glite/etc/config/scripts
./glite-voms-server-config.py --configure


Troubleshooting

At the point where the configuration script tries to create the VO database, the following error (or something like it) will most likely be seen:

Creating the database...
ERROR 1045 (28000): Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES)
INFO  [main] Booting VOMS admin service for the apdg VO -  service.Configuration
INFO  [main] Loaded JDBC driver com.mysql.jdbc.Driver -  connection.ConnectionPool
ERROR [main] An SQL exception occured.  Details follow -  service.DatabaseError
ERROR [main] 28000 - Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  service.DatabaseError
WARN  [main] Retrying failed internal transaction (1) -  database.Database
ERROR [main] An SQL exception occured.  Details follow -  service.DatabaseError
ERROR [main] 28000 - Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  service.DatabaseError
WARN  [main] Retrying failed internal transaction (2) -  database.Database
ERROR [main] An SQL exception occured.  Details follow -  service.DatabaseError
ERROR [main] 28000 - Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  service.DatabaseError
WARN  [main] Retrying failed internal transaction (3) -  database.Database
ERROR [main] An SQL exception occured.  Details follow -  service.DatabaseError
ERROR [main] 28000 - Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  service.DatabaseError
WARN  [main] Retrying failed internal transaction (4) -  database.Database
ERROR [main] An SQL exception occured.  Details follow -  service.DatabaseError
ERROR [main] 28000 - Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  service.DatabaseError
WARN  [main] Retrying failed internal transaction (5) -  database.Database
ERROR [main] An SQL exception occured.  Details follow -  service.DatabaseError
ERROR [main] 28000 - Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  service.DatabaseError
WARN  [main] Max retry count exceeded, transaction failed -  database.Database
ERROR [main] Database error (see service log for details): java.sql.SQLException: Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES) -  database.Database
Exception in thread "main" java.lang.RuntimeException: Database error (see service log for details): java.sql.SQLException: Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES)
        at org.glite.security.voms.database.Database.main(Database.java:905)
Caused by: Database error (see service log for details): java.sql.SQLException: Access denied for user 'root'@'dg13.cc.kek.jp' (using password: YES)
        at org.glite.security.voms.database.connection.ConnectionPool.connect(ConnectionPool.java:143)
        at org.glite.security.voms.database.connection.ConnectionPool.get(ConnectionPool.java:206)
        at org.glite.security.voms.database.connection.DirectUpdate.begin(DirectUpdate.java:77)
        at org.glite.security.voms.database.Database.execute(Database.java:720)
        at org.glite.security.voms.database.Database.create(Database.java:750)
        at org.glite.security.voms.database.Database.main(Database.java:888)
Database deployment failed.  Inspect above messages for an explanation.
You will need to clean up the database using the 'remove' command before trying again.
Configuring voms and voms-admin                            [FAILED]

An unrecoverable error occurred while configuring the gLite VOMS Server service

You need to:

1) remove the database

./glite-voms-server-config.py --remove-vo=apdg

2) clean up

rm -rf /var/glite/etc/voms-admin/apdg/

3) Reset the mysql password

Following is a session in which this is done.

[root@dg13 scripts]# mysql -u root -p mysql
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.11-standard

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> UPDATE user SET Password=PASSWORD('yourPassword')
    -> WHERE User='root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 2  Changed: 1  Warnings: 0

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
[root@dg13 scripts]# service mysql restart
Shutting down MySQL.                                       [  OK  ]
Starting MySQL                                             [  OK  ]
[root@dg13 scripts]#

4) Re-run the configuration script

If successful, amongst the copious amounts of output there should be something like:

Installing vomsd configuration ...
        /opt/glite/etc/voms/apdg/voms.pass
        /opt/glite/etc/voms/apdg/voms.conf
        /var/glite/etc/voms-admin/apdg/voms-admin-apdg.xml
        /var/glite/etc/voms-admin/voms-siblings.xml
Installation complete.
Note that you must start up your new VO services yourself:
    /opt/glite/etc/init.d/voms start apdg
    /opt/glite/etc/init.d/voms-admin start apdg
Configuring voms and voms-admin                            [  OK  ]

Configuring VO 'apdg'             [  OK  ]


  • assuming that was successful

./glite-voms-server-config.py --start

  • If you did not provide an administrator certificate in "glite-voms-server.cfg.xml", then you need to create an administrator for the VO.

voms-admin --vo VONAME create-user /root/usercert.pem
voms-admin --vo VONAME add-member /VONAME/Role=VO-Admin /root/usercert.pem

  • go to the front page to check it all worked. With your certificate loaded in your browser, go to:

https://hostname.domainname.of.server:8443/voms/VONAME/

  • now you need to allow anyone (person or certificate) with a valid, accepted certificate to list the contents of the VO. Set this from the global ACL page:

allow: list: anyone who presents a known certificate.
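
The configuration notes above point out that the MySQL password is stored in a plain text file, and the database user is root. The following check is an added example, not part of the original HOW-TO or of gLite: it reports any of the given files that group or other users can access. The two paths are the ones shown on this page for the VO "apdg"; that voms.pass holds the database password is an assumption based on its name.

```shell
#!/bin/sh
# Added example: report secret-bearing files that group or other users can access.

# Prints one "LOOSE <mode> <path>" or "MISSING <path>" line per problem file
# and returns the number of problems found (0 = every file is owner-only).
check_secret_perms() {
    problems=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            problems=$((problems + 1))
            continue
        fi
        # ls -ldL follows symlinks; characters 5-10 of the mode string are
        # the group and other permission bits (e.g. "r--r--").
        mode=$(ls -ldL "$f" | cut -c1-10)
        go_bits=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "LOOSE $mode $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Paths taken from this page for a VO named "apdg"; adjust for your VO.
# Only runs when invoked with "--run", so the function can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_secret_perms \
        /opt/glite/etc/config/glite-voms-server.cfg.xml \
        /opt/glite/etc/voms/apdg/voms.pass
fi
```

Any file reported as LOOSE can be restricted to its owner with chmod 600, provided the service account that reads it is that owner.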

gLite VOMRS


  • get the VOMRS server package.

The VOMRS-1.2 server package from the main download page is for LCG VOMS. It does not work with gLite VOMS.

wget http://www.uscms.org/SoftwareComputing/Grid/VO/RPMS_GLITE_1.4/vomrs-1.2-0.noarch.rpm

  • install the package

rpm -ivh vomrs-1.2-0.noarch.rpm

  • cd /opt/vomrs-1.2/sbin

  • ./vomrs_configure

This is an interactive installer - that is, it will ask you questions.

Some points to consider:

1) For the question "Enter directory name for webapps (default: $CATALINA_HOME/webapps):"

If using Tomcat4, the answer is "$CATALINA_HOME/webapps"
If using Tomcat5, the answer is /var/lib/tomcat5/conf/Catalina/localhost

This is due to differences in configuration between Tomcat4 and Tomcat5.

2) For the question regarding admin certificate or DN/CA: if the user certificate does not have the person's email, either:

use DN/CA and fill in everything manually,

OR

edit /opt/vomrs-1.2/var/etc/vomrs_VONAME/member.data to include the email.

If you choose to edit /opt/vomrs-1.2/var/etc/vomrs_VONAME/member.data, then you will need to run the following command:

./loader /opt/vomrs-1.2/var/etc/vomrs_VONAME/vomrs.xml /opt/vomrs-1.2/etc/dbms/code-related-data/sequences.data /opt/vomrs-1.2/etc/dbms/code-related-data/roles.data /opt/vomrs-1.2/etc/dbms/code-related-data/services.data /opt/vomrs-1.2/etc/dbms/code-related-data/personal_info.General.data /opt/vomrs-1.2/etc/dbms/code-related-data/interfaces.data /opt/vomrs-1.2/etc/dbms/code-related-data/events.data /opt/vomrs-1.2/var/etc/vomrs_VONAME/member.data

This will recreate the database.

  • Fingers crossed - browse to:

https://hostname.domainname.of.server:8443/vo/VONAME/vomrs/ 

Revision:  r4 - 25 Jan 2006 - MarcoLaRosa
Authorised by:  Geoff Taylor (G.Taylor @ physics.unimelb.edu.au)