Difference between revisions of "Tools/Manuals/TS14"
(6 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{Template:Op menubar}} {{Template:Doc_menubar}} {{TOC_right}} | {{Template:Op menubar}} {{Template:Doc_menubar}} {{TOC_right}} | ||
[[Category:Operations_Manuals]] | |||
---- | ---- | ||
Line 42: | Line 43: | ||
-rw-r--r-- 1 tomcat root 1428 Nov 12 16:01 /etc/grid-security/tomcat-cert.pem | -rw-r--r-- 1 tomcat root 1428 Nov 12 16:01 /etc/grid-security/tomcat-cert.pem | ||
-r-------- 1 tomcat root 887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem</pre> | -r-------- 1 tomcat root 887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem</pre> | ||
<br> | |||
and, depending on the '''glite''' user home directory: | |||
and, depending on the '''glite''' user home directory: | <pre># ll /var/glite/.certs/*.pem | ||
-rw-r--r-- 1 glite glite 1419 Dec 13 12:00 /var/glite/.certs/hostcert.pem | -rw-r--r-- 1 glite glite 1419 Dec 13 12:00 /var/glite/.certs/hostcert.pem | ||
-r-------- 1 glite glite 887 Dec 5 16:59 /var/glite/.certs/hostkey.pem | -r-------- 1 glite glite 887 Dec 5 16:59 /var/glite/.certs/hostkey.pem | ||
</pre> | </pre> | ||
OR | OR | ||
<pre># ll /home/glite/.certs/*.pem | <pre># ll /home/glite/.certs/*.pem | ||
Line 54: | Line 55: | ||
-r-------- 1 glite glite 887 Nov 12 16:03 /home/glite/.certs/hostkey.pem | -r-------- 1 glite glite 887 Nov 12 16:03 /home/glite/.certs/hostkey.pem | ||
</pre> | </pre> | ||
*FTS | *'''FTS''' | ||
-rw-r--r-- 1 glite root 4599 Apr 17 10:47 | -rw-r--r-- 1 glite root 4599 Apr 17 10:47 | ||
Line 63: | Line 64: | ||
-r-------- 1 tomcat root 887 Jan 16 10:57 /etc/grid-security/tomcat-key.pem | -r-------- 1 tomcat root 887 Jan 16 10:57 /etc/grid-security/tomcat-key.pem | ||
*LFC | *'''LFC''' | ||
<pre> -rw-r--r-- 1 lfcmgr lfcmgr 4689 May 30 2006 /etc/grid-security/lfcmgr/lfccert.pem | <pre> -rw-r--r-- 1 lfcmgr lfcmgr 4689 May 30 2006 /etc/grid-security/lfcmgr/lfccert.pem | ||
-r-------- 1 lfcmgr lfcmgr 902 May 30 2006 /etc/grid-security/lfcmgr/lfckey.pem | -r-------- 1 lfcmgr lfcmgr 902 May 30 2006 /etc/grid-security/lfcmgr/lfckey.pem | ||
</pre> | </pre> | ||
*VOMS | *'''VOMS''' | ||
<pre> | <pre> /etc/grid-security/vomscert.pem | ||
/etc/grid-security/vomskey.pem | |||
</pre> | </pre> | ||
== Examples of services to be restarted == | == Examples of services to be restarted == | ||
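Review bot: the new VOMS entry lists /etc/grid-security/vomscert.pem and /etc/grid-security/vomskey.pem as bare paths, while the CREAM CE, FTS and LFC entries show owner and mode for each file. Add the expected owner and permissions for the VOMS pair so an administrator can check it the same way as the other services.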
Line 98: | Line 100: | ||
**Nothing to restart | **Nothing to restart | ||
*'''VOMS ''' | *'''VOMS ''' | ||
** | **voms | ||
** | **voms-admin | ||
**in case of change of certificate DN - the DN is registered in the VOMS database, so you need to update it: | **in case of change of certificate DN - the DN is registered in the VOMS database, so you need to update it: | ||
<pre> $ mysql -h <DB_HOST> -u <DB_USER> -p | |||
mysql> use voms_<VO name>; | mysql> use voms_<VO name>; | ||
mysql> update admins set dn="<new DN>" where dn like "%<old DN>%"; | mysql> update admins set dn="<new DN>" where dn like "%<old DN>%"; | ||
mysql> exit | mysql> exit | ||
</pre> | |||
**update files: /etc/voms-admin/<VO>/lsc, /etc/voms-admin/<VO>/vomses | |||
== Revision History == | |||
{| border="3" | |||
|- | |||
! Version | |||
! Authors | |||
! Date | |||
! Comments | |||
|- | |||
| | |||
| Alessandro Paolini | |||
| 2017-10-30 | |||
| updated the VOMS information | |||
|- | |||
| | |||
| | |||
| | |||
| | |||
|} |
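Review bot: the VOMS step keeps `where dn like "%<old DN>%"`, a substring match, so every admins row whose DN merely contains the old DN is rewritten to the new one. An exact match (`where dn = "<old DN>"`), preceded by a select with the same condition to confirm which rows are affected, would be safer. The new "update files" line names /etc/voms-admin/<VO>/lsc and /etc/voms-admin/<VO>/vomses without saying what to change in them, and the new Revision History row leaves the Version cell empty.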
Latest revision as of 11:23, 8 March 2018
Host certificate update
Introduction
Updating the host certificate in /etc/grid-security is not always sufficient: some services have a copy of this certificate which they started with. It is therefore necessary to update those copies and restart these services.
For an automatic update using the YAIM configuration tool:
- update the host certificates under the /etc/grid-security directory
- reconfigure the whole node using YAIM, making sure to pass all the services (node types) that need to be mentioned as arguments on the command line.
For a manual configuration, please follow the advice below:
- find all locations where you have put copies of the host cert & key files
- ensure the right ownership and permissions are maintained
- restart specific services
Location and ownership of copies
- Copies of the certificate should have the following permissions:
  - 644 for public key (hostcert.pem)
  - 600 for the private key (hostkey.pem)
- Generally you can easily find the location using the Unix locate command:
locate cert.pem
locate key.pem
This will help in case paths have changed between different versions of the same service or differ between services. For example, you may also find: tomcat-cert.pem & tomcat-key.pem
- CREAM CE:
# ll /etc/grid-security/*.pem
-rw-r--r-- 1 root root 1428 Oct 22 10:19 /etc/grid-security/hostcert.pem
-r-------- 1 root root 887 Oct 22 10:19 /etc/grid-security/hostkey.pem
-rw-r--r-- 1 tomcat root 1428 Nov 12 16:01 /etc/grid-security/tomcat-cert.pem
-r-------- 1 tomcat root 887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem
and, depending on the glite user home directory:
# ll /var/glite/.certs/*.pem
-rw-r--r-- 1 glite glite 1419 Dec 13 12:00 /var/glite/.certs/hostcert.pem
-r-------- 1 glite glite 887 Dec 5 16:59 /var/glite/.certs/hostkey.pem
OR
# ll /home/glite/.certs/*.pem
-rw-r--r-- 1 glite glite 1428 Dec 13 12:00 /home/glite/.certs/hostcert.pem
-r-------- 1 glite glite 887 Nov 12 16:03 /home/glite/.certs/hostkey.pem
- FTS
-rw-r--r-- 1 glite root 4599 Apr 17 10:47 /etc/grid-security/glite-data-transfer-agents-cert.pem
-r-------- 1 glite root 887 Apr 17 10:47 /etc/grid-security/glite-data-transfer-agents-key.pem
-rw-r--r-- 1 tomcat root 4599 Jan 16 10:57 /etc/grid-security/tomcat-cert.pem
-r-------- 1 tomcat root 887 Jan 16 10:57 /etc/grid-security/tomcat-key.pem
- LFC
-rw-r--r-- 1 lfcmgr lfcmgr 4689 May 30 2006 /etc/grid-security/lfcmgr/lfccert.pem
-r-------- 1 lfcmgr lfcmgr 902 May 30 2006 /etc/grid-security/lfcmgr/lfckey.pem
- VOMS
/etc/grid-security/vomscert.pem
/etc/grid-security/vomskey.pem
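The manual steps above (find the copies, check ownership and permissions) can be scripted before any service is restarted. The following is an added example, not part of the original manual: the function names check_copy and audit_service are hypothetical, GNU stat is assumed, and the accepted key modes are 600 (as stated above) and 400 (as shown in the listings).

```shell
#!/bin/sh
# Added example: audit service copies of the host certificate and key
# after a renewal. Function names are hypothetical; GNU stat is assumed.

# check_copy REFERENCE COPY MODES OWNER
# Prints one status line; returns 0 only if COPY is byte-identical to
# REFERENCE, has one of the allowed MODES, and (if OWNER is non-empty)
# belongs to OWNER.
check_copy() {
    ref=$1; copy=$2; modes=$3; owner=$4
    if [ ! -f "$copy" ]; then
        echo "MISSING  $copy"; return 1
    fi
    # A copy made before the renewal no longer matches the new file.
    if ! cmp -s "$ref" "$copy"; then
        echo "STALE    $copy (differs from $ref)"; return 1
    fi
    mode=$(stat -c %a "$copy")
    case " $modes " in
        *" $mode "*) ;;
        *) echo "BADMODE  $copy (mode $mode, want $modes)"; return 1 ;;
    esac
    actual=$(stat -c %U "$copy")
    if [ -n "$owner" ] && [ "$actual" != "$owner" ]; then
        echo "BADOWNER $copy (owner $actual, want $owner)"; return 1
    fi
    echo "OK       $copy"
}

# audit_service OWNER REF_CERT REF_KEY COPY_CERT COPY_KEY
# Returns the number of failed checks (0 means the copies are current).
audit_service() {
    owner=$1; failures=0
    check_copy "$2" "$4" "644" "$owner" || failures=$((failures + 1))
    check_copy "$3" "$5" "600 400" "$owner" || failures=$((failures + 1))
    return "$failures"
}

# Usage for the CREAM CE tomcat copies listed above:
#   audit_service tomcat /etc/grid-security/hostcert.pem \
#       /etc/grid-security/hostkey.pem \
#       /etc/grid-security/tomcat-cert.pem /etc/grid-security/tomcat-key.pem
```

A non-zero return value means at least one copy still has to be replaced or re-protected before the corresponding service is restarted.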
Examples of services to be restarted
- CREAM-CE
  - tomcat5 for SL5
  - tomcat6 for SL6
  - globus-gridftp
  - glite-lb-locallogger
- SE StoRM
  - storm-backend, storm-frontend, storm-checksum
  - globus-gridftp
- SE DPM
  - dpm, dpmcopyd, dpm-gsiftp, dpm-httpd, dpnsdaemon
  - srmv1, srmv2, srmv2.2
  - globus-gridftp
- WMS
  - gLite
- FTS
  - tomcat
  - transfer-agents
- LCG-CE
  - globus-gatekeeper
  - globus-gridftp
- LFC
  - Nothing to restart
- MyProxy
  - Nothing to restart
- VOMS
  - voms
  - voms-admin
  - if the certificate DN changes: the DN is registered in the VOMS database, so you need to update it:
    $ mysql -h <DB_HOST> -u <DB_USER> -p
    mysql> use voms_<VO name>;
    mysql> update admins set dn="<new DN>" where dn like "%<old DN>%";
    mysql> exit
  - update files: /etc/voms-admin/<VO>/lsc, /etc/voms-admin/<VO>/vomses
Revision History
| Version | Authors | Date | Comments |
|---|---|---|---|
| | Alessandro Paolini | 2017-10-30 | updated the VOMS information |