Timeline
The VOMS servers at CERN will be transferred to new hosts that use the newer SHA-2 certificate standard. The changes are described in this post:
CERN VOMS service will move to new hosts
The picture below lays out the timeline for the change.
[Figure: Timeline for CERN VOMS Server Changes]
New VOMS Server Hosts
The VOs associated with these changes are alice, atlas, cms, lhcb and ops. Sites supporting any of those will have to make a plan to update.
The new hosts have been set up already and entered against the related VOs in the ops portal. The table below summarises the current setup (ignoring vo.racf.bnl.gov) as advertised in the operations portal (as of 7th May 2014).
VO | Vomses Port | Old Server | IsAdmin? | New Server | IsAdmin? |
---|---|---|---|---|---|
atlas | 15001 | lcg-voms.cern.ch | No | lcg-voms2.cern.ch | Yes |
atlas | 15001 | voms.cern.ch | Yes | voms2.cern.ch | Yes |
alice | 15000 | lcg-voms.cern.ch | No | lcg-voms2.cern.ch | Yes |
alice | 15000 | voms.cern.ch | Yes | voms2.cern.ch | Yes |
cms | 15002 | lcg-voms.cern.ch | No | lcg-voms2.cern.ch | Yes |
cms | 15002 | voms.cern.ch | Yes | voms2.cern.ch | Yes |
lhcb | 15003 | lcg-voms.cern.ch | No | lcg-voms2.cern.ch | Yes |
lhcb | 15003 | voms.cern.ch | Yes | voms2.cern.ch | Yes |
ops | 15009 | lcg-voms.cern.ch | No | lcg-voms2.cern.ch | Yes |
ops | 15009 | voms.cern.ch | Yes | voms2.cern.ch | Yes |
Notes: The IsAdmin flag tells whether the server can be used to download the information used to create the DN grid-map file. The port numbers are unaffected by the change.
VOMS Server RPMS
As described in the announcement (see link at the top), a set of rpms have been created, one per WLCG-related VO:
- wlcg-voms-alice
- wlcg-voms-atlas
- wlcg-voms-cms
- wlcg-voms-lhcb
- wlcg-voms-ops
The rpms are hosted in the WLCG yum repository. To install, e.g.
$ cd /etc/yum.repos.d/
$ wget http://linuxsoft.cern.ch/wlcg/wlcg-sl6.repo
Local Measures at Liverpool
At Liverpool, the configuration of the following servers will need to be changed:
- Argus
- Cream CE
- DPM SE
- WN and
...
- UI (eventually)
There will be a gap of some weeks (see the picture) between the deadline for sites to update their services which consume certificates (e.g. Argus, Cream CE, DPM SE, and WN etc.) and the deadline for sites to update their UIs. This is to prevent the use of new-style certificates that cannot be interpreted.
So, to effect this change, Liverpool will apply the RPMS on our consuming service nodes in early May. As soon as the all-sites deadline has passed (2nd June) Liverpool will update its UIs in a similar manner.
If all goes well, Liverpool will remove references to the old servers after the final deadline, 1st July. The plan in this case is to effect the change using the traditional yaim/site-info.def/vo.d method as these changes will need to be permanently maintained.
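The phased plan above can be checked on each node with a small audit, given here as an added example that is not part of the original post. It assumes the trust entries sit in the usual `<vomsdir>/<vo>/<host>.lsc` layout (normally under /etc/grid-security/vomsdir), which the post does not state; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report, per VO, which CERN VOMS hosts a node trusts.
# Assumption: one <vomsdir>/<vo>/<host>.lsc file per trusted server.
VOS="alice atlas cms lhcb ops"
OLD_HOSTS="lcg-voms.cern.ch voms.cern.ch"
NEW_HOSTS="lcg-voms2.cern.ch voms2.cern.ch"

# count_lsc DIR VO HOST... -> prints how many of the hosts have an .lsc file
count_lsc() {
    dir=$1; vo=$2; shift 2
    n=0
    for h in "$@"; do
        if [ -f "$dir/$vo/$h.lsc" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# voms_state DIR VO -> old-only | transition | new-only | partial | none
#   transition: both new hosts trusted, old still present (before 1st July)
#   new-only:   old references removed (after the final deadline)
#   partial:    only one of the two new hosts is trusted
voms_state() {
    old=$(count_lsc "$1" "$2" $OLD_HOSTS)
    new=$(count_lsc "$1" "$2" $NEW_HOSTS)
    if [ "$new" -eq 2 ] && [ "$old" -eq 0 ]; then echo new-only
    elif [ "$new" -eq 2 ]; then echo transition
    elif [ "$new" -eq 0 ] && [ "$old" -gt 0 ]; then echo old-only
    elif [ "$new" -eq 0 ]; then echo none
    else echo partial
    fi
}

# audit DIR -> one "vo state" line per VO listed in the table
audit() {
    for vo in $VOS; do
        echo "$vo $(voms_state "$1" "$vo")"
    done
}

# Constructed sample tree standing in for a real vomsdir; the empty files
# only mark presence and carry no real .lsc content.
demo=$(mktemp -d)
mkdir -p "$demo/atlas" "$demo/cms" "$demo/ops"
for h in $OLD_HOSTS $NEW_HOSTS; do : > "$demo/atlas/$h.lsc"; done
for h in $OLD_HOSTS; do : > "$demo/cms/$h.lsc"; done
for h in $NEW_HOSTS; do : > "$demo/ops/$h.lsc"; done
audit "$demo"
```

On a real node, call `audit` with the node's vomsdir path instead of the sample tree; any VO still reporting `old-only` or `partial` has not picked up both new hosts.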
Effects on Approved VOs, VomsSnooper etc.
For tracking purposes, the GridPP Approved VOs document will attempt to remain synchronised with the operations portal, but the VomsSnooper process is asynchronous so there may be discrepancies around the deadlines. Sites are advised to watch out for these race conditions.
Note: while the servers are being changed (i.e. from now until 2nd June for certificate-consuming services, and from 2nd June to 1st July for certificate-producing services, e.g. UIs) there can be no canonical form of the VOMS records, because different sites have their own implementation schedule and may use different settings temporarily, as described in my post above.