Tools/Manuals/TS14

From EGIWiki

Latest revision as of 11:23, 8 March 2018

Back to Troubleshooting Guide


Host certificate update

Introduction

Updating the host certificate in /etc/grid-security is not always sufficient: some services have a copy of this certificate which they started with. It is therefore necessary to update those copies and restart these services.

For an automatic update using the YAIM configuration tool:

  • update the host certificate and key under the /etc/grid-security directory
  • reconfigure the whole node with YAIM, passing every service (node type) hosted on the node as a node-type argument on the command line, so that each service's copy is refreshed and the service restarted.

For a manual configuration, follow the advice below:

  • find all locations where copies of the host cert & key files have been placed
  • ensure the right ownership and permissions are maintained on each copy
  • restart the specific services that read their copy at start-up

Location and ownership of copies

  • Copies of the certificate and key should have the following permissions:
    • 644 for the public certificate (hostcert.pem)
    • 600 for the private key (hostkey.pem)
  • Generally you can easily find the locations with the locate Unix command:
    locate cert.pem
    locate key.pem

This helps when paths have changed between versions of the same service or differ between services. For example you may also find tomcat-cert.pem & tomcat-key.pem.

  • CREAM CE:
# ll /etc/grid-security/*.pem
-rw-r--r-- 1 root   root 1428 Oct 22 10:19 /etc/grid-security/hostcert.pem
-r-------- 1 root   root  887 Oct 22 10:19 /etc/grid-security/hostkey.pem
-rw-r--r-- 1 tomcat root 1428 Nov 12 16:01 /etc/grid-security/tomcat-cert.pem
-r-------- 1 tomcat root  887 Nov 12 16:01 /etc/grid-security/tomcat-key.pem


and, depending on the glite user home directory:

# ll /var/glite/.certs/*.pem
-rw-r--r-- 1 glite glite 1419 Dec 13 12:00 /var/glite/.certs/hostcert.pem
-r-------- 1 glite glite 887 Dec 5 16:59 /var/glite/.certs/hostkey.pem 

OR

# ll /home/glite/.certs/*.pem
-rw-r--r-- 1 glite glite 1428 Dec 13 12:00 /home/glite/.certs/hostcert.pem
-r-------- 1 glite glite  887 Nov 12 16:03 /home/glite/.certs/hostkey.pem 
  • FTS
-rw-r--r--    1 glite    root         4599 Apr 17 10:47 /etc/grid-security/glite-data-transfer-agents-cert.pem
-r--------    1 glite    root          887 Apr 17 10:47 /etc/grid-security/glite-data-transfer-agents-key.pem
-rw-r--r--    1 tomcat   root         4599 Jan 16 10:57 /etc/grid-security/tomcat-cert.pem
-r--------    1 tomcat   root          887 Jan 16 10:57 /etc/grid-security/tomcat-key.pem
  • LFC
-rw-r--r--    1 lfcmgr   lfcmgr       4689 May 30  2006 /etc/grid-security/lfcmgr/lfccert.pem
-r--------    1 lfcmgr   lfcmgr        902 May 30  2006 /etc/grid-security/lfcmgr/lfckey.pem
  • VOMS
/etc/grid-security/vomscert.pem
/etc/grid-security/vomskey.pem
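The three manual steps (find the copies, check ownership and permissions, then restart the services) can be checked mechanically before any restart. The shell script below is an added example; it is not from the EGI wiki page or from any gLite/EMI tool. It goes one step beyond the page: besides checking the 644/600 modes it compares every copy against the renewed files in /etc/grid-security, so a copy that still holds the previous certificate is reported as stale. It assumes GNU stat(1), cmp(1), find(1) and mktemp(1), paths without whitespace, and takes the search root and the reference cert/key paths as arguments; the demo layout and its PEM contents are constructed placeholders.

```shell
#!/bin/sh
# Added example; not part of the EGI wiki page or of any gLite/EMI tool.
# After a host certificate renewal it walks a directory tree, finds every
# *cert.pem / *key.pem, checks the permissions the page requires (644 for
# the certificate, 600 for the key) and flags copies that no longer match
# the renewed files in /etc/grid-security (the "stale copy" case).
# Assumptions: GNU stat(1) ("stat -c %a"), cmp(1), find(1) and mktemp(1)
# are available; paths contain no whitespace; the reference cert/key paths
# and the search root are passed in as arguments.

# perms_ok FILE MODE: succeeds if FILE has exactly octal MODE, e.g. 600.
perms_ok() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# audit_copy COPY REFERENCE MODE: prints "<status> <path>" and succeeds only
# if COPY is byte-identical to REFERENCE and has mode MODE.
audit_copy() {
    copy=$1 ref=$2 mode=$3
    status=current
    cmp -s "$copy" "$ref" || status=STALE
    perms_ok "$copy" "$mode" || status="$status,BAD-PERMS($(stat -c '%a' "$copy"))"
    printf '%s %s\n' "$status" "$copy"
    [ "$status" = current ]
}

# audit_tree ROOT REF_CERT REF_KEY: audits every *cert.pem / *key.pem below
# ROOT; the exit status is the number of files needing attention (0 = clean).
audit_tree() {
    root=$1 ref_cert=$2 ref_key=$3
    bad=0
    for f in $(find "$root" -type f \( -name '*cert.pem' -o -name '*key.pem' \)); do
        case $f in
            *key.pem)  audit_copy "$f" "$ref_key"  600 || bad=$((bad + 1)) ;;
            *cert.pem) audit_copy "$f" "$ref_cert" 644 || bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# demo: builds a constructed layout in a temp dir (placeholder PEM contents,
# standing in for /etc/grid-security and a service's private copy such as
# /var/glite/.certs), runs the audit and returns its count of problems.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/grid-security" "$tmp/var/glite/.certs"
    printf 'RENEWED CERT\n' > "$tmp/etc/grid-security/hostcert.pem"
    printf 'RENEWED KEY\n'  > "$tmp/etc/grid-security/hostkey.pem"
    chmod 644 "$tmp/etc/grid-security/hostcert.pem"
    chmod 600 "$tmp/etc/grid-security/hostkey.pem"
    # The service still holds the previous certificate (stale) and its key
    # copy was left world-readable (bad permissions).
    printf 'OLD CERT\n'    > "$tmp/var/glite/.certs/hostcert.pem"
    printf 'RENEWED KEY\n' > "$tmp/var/glite/.certs/hostkey.pem"
    chmod 644 "$tmp/var/glite/.certs/hostcert.pem" "$tmp/var/glite/.certs/hostkey.pem"
    rc=0
    audit_tree "$tmp" "$tmp/etc/grid-security/hostcert.pem" \
                      "$tmp/etc/grid-security/hostkey.pem" || rc=$?
    rm -rf "$tmp"
    return $rc
}

# On a real node (as root), run once per tree that may hold copies, e.g.
#   audit_tree /var /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem
if [ "${1:-}" = --demo ]; then demo; fi
```

Run it with `--demo` to see the two findings (a STALE certificate copy and a key copy with BAD-PERMS(644)); on a production node call audit_tree for /etc, /var, /home and /opt, fix whatever it reports, and only then restart the services listed in the next section. The byte comparison is deliberately strict: a copy that differs only in whitespace still counts as stale, which is the safe direction.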

Examples of services to be restarted

  • CREAM-CE
    • tomcat5 for SL5
    • tomcat6 for SL6
    • globus-gridftp
    • glite-lb-locallogger
  • SE StoRM
    • storm-backend, storm-frontend, storm-checksum
    • globus-gridftp
  • SE DPM
    • dpm, dpmcopyd, dpm-gsiftp, dpm-httpd, dpnsdaemon
    • srmv1, srmv2, srmv2.2
    • globus-gridftp
  • WMS
    • gLite
  • FTS
    • tomcat
    • transfer-agents
  • LCG-CE
    • globus-gatekeeper
    • globus-gridftp
  • LFC
    • Nothing to restart
  • MyProxy
    • Nothing to restart
  • VOMS
    • voms
    • voms-admin
    • if the certificate DN changed: the DN is registered in the VOMS database, so it must be updated there as well:
 $ mysql -h <DB_HOST> -u <DB_USER> -p
 mysql> use voms_<VO name>;
 mysql> update admins set dn="<new DN>" where dn like "%<old DN>%";
 mysql> exit
    • update files: /etc/voms-admin/<VO>/lsc, /etc/voms-admin/<VO>/vomses

Revision History

Version | Authors            | Date       | Comments
--------|--------------------|------------|-----------------------------
        | Alessandro Paolini | 2017-10-30 | updated the VOMS information