Date: 25-May-2005
Author: Karthik
Purpose: GUMS server installation notes

Location: GUMS is installed on OUHEP2 at /opt/gums, which is a softlink to /home3/ouhep2/software/gums
GUMS version: ?? This is a part of the VDT 1.3.6 release.

Installation instructions followed from the GUMS administration site at
http://osg.ivdgl.org/twiki/bin/view/Integration/GumsAdmins

Installation Notes:

set VDT_LOCATION=/opt/gums
cd $VDT_LOCATION
(In tcsh, "set" makes a shell variable only; use "setenv VDT_LOCATION /opt/gums" (or "export VDT_LOCATION=/opt/gums" in bash) if a child script has to see VDT_LOCATION in its environment.)

Make sure no old version of GUMS is installed by doing an "ls gums-service". If it shows "No such file" then there is no GUMS installed.

pacman -get http://www.cs.wisc.edu/vdt/vdt_136_cache:GUMS

Output:
------
Package [GUMS] found in [http://www.cs.wisc.edu/vdt/vdt_135_cache]...
Package [GUMS-Questions] found in [http://www.cs.wisc.edu/vdt/vdt_135_cache]...
Package [GUMS-Service] found in [http://www.cs.wisc.edu/vdt/vdt_135_cache]...
Package [GUMS-Service-Questions] found in [http://www.cs.wisc.edu/vdt/vdt_135_cache]...
etc. etc. ......

Skipped this step:
  Verify that you have access to your GUMS services. Go to your GUMS web interface (in a certificate-enabled browser) at https://your-gums-server:8443/gums. You should get a screen up. You won't be able to do anything until you configure GUMS.

After the installation has completed, you will also be able to view the licenses in the "licenses" directory.
Do you agree to the licenses? [y/n] y

If you would like, we can configure GUMS to start automatically at boot time.
Configuring the GUMS daemon requires
  - changes to /etc/init.d (or /etc/rc.d/init.d)
  - starting up a MySQL server
  - starting up an Apache and Tomcat server
Would you like to enable the GUMS server to run automatically?
Choices: y (yes), n (no), s (skip this question): y

The VDT typically installs public certificates and signing policy files for the well-known public CA's. This is necessary in order for you to perform GSI authentication with any remote Grid services (that have service/host certificates signed by these CA's).
For more information please refer to the VDT documentation: http://www.cs.wisc.edu/vdt/setup_ca.html
Where would you like to install CA files?
Choices:
  r (root)  - install into /etc/grid-security/certificates (existing CA files will be preserved)
  l (local) - install into $VDT_LOCATION/globus/share/certificates
  n (no)    - do not install
l

Output:
Downloading [globus-user-env.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Globus-User-Environment].
Downloading [GUMS-Service-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [GUMS-Service-Questions].
Downloading [licenses-1.3.6-5.tar.gz] from [www.cs.wisc.edu]... 44/44 kB downloaded... Installing package [Licenses].
Package [JDK-1.4-Questions] found in [http://www.cs.wisc.edu/vdt/vdt_136_cache]...
Package [JDK-1.4-Questions] found in [http://www.cs.wisc.edu/vdt/vdt_136_cache]...
Downloading [JDK-1.4-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [JDK-1.4-Questions].
Downloading [j2sdk-1.4.2_07-linux-i586.tar.gz] from [www.cs.wisc.edu]... 43/43 MB downloaded... Installing package [JDK-1.4].
Downloading [Globus-Base-Essentials-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Globus-Base-Essentials-Questions].
Package [Perl-Environment] found in [http://www.cs.wisc.edu/vdt/vdt_136_cache]...
Package [Expat] found in [http://www.cs.wisc.edu/vdt/vdt_136_cache]...
Package [Perl-Environment] found in [http://www.cs.wisc.edu/vdt/vdt_136_cache]...
Downloading [perl-environment-1-24.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Perl-Environment].
Package [Expat] found in [http://www.cs.wisc.edu/vdt/vdt_136_cache]...
Downloading [expat-1.95.6.x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Expat].
Downloading [perl-modules-6-1.3.4.x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 6/6 MB downloaded... Installing package [Perl-Modules].
Downloading [gpt-3.2.x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 588/588 kB downloaded... Installing package [GPT].
Downloading [vdt-configure-base-1-41.tar.gz] from [www.cs.wisc.edu]... 3/3 kB downloaded... Installing package [VDT-Configure-Base].
Downloading [setup_cert_request-3-40.tar.gz] from [www.cs.wisc.edu]... 5/5 kB downloaded... Installing package [Configure-Cert-Request].
Downloading [vdt_globus_essentials-VDT1.3.3-rh7.tar.gz] from [www.cs.wisc.edu]... 17/17 MB downloaded... Installing package [Globus-Base-Essentials].
Downloading [MySQL-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [MySQL-Questions].
Downloading [vdt-install-service-1-35.tar.gz] from [www.cs.wisc.edu]... 3/3 kB downloaded... Installing package [VDT-Install-Service].
Downloading [configure_mysql-1-39.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Configure-MySQL].
Downloading [mysql-4.0.23a.x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 5/5 MB downloaded... Installing package [MySQL].
Downloading [Tomcat-5-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Tomcat-5-Questions].
Downloading [Apache-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [Apache-Questions].
Downloading [configure_apache-1-50.tar.gz] from [www.cs.wisc.edu]... 2/2 kB downloaded... Installing package [Configure-Apache].
Downloading [CA-Certificates-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [CA-Certificates-Questions].
Downloading [certificates-5-5.tar.gz] from [www.cs.wisc.edu]... 89/89 kB downloaded... Installing package [CA-Certificates-Base].
Downloading [certificates-install-4-13.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [CA-Certificates].
Installing into /opt/gums/globus/share/certificates...
Downloading [python-2.3.4.x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 8/8 MB downloaded... Installing package [Python].
Downloading [apache-2.0.54.x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 7/7 MB downloaded... Installing package [Apache].
Downloading [configure_tomcat-1-45.tar.gz] from [www.cs.wisc.edu]... 2/2 kB downloaded... Installing package [Configure-Tomcat].
Downloading [jakarta-tomcat-5.0.28.tar.gz] from [www.cs.wisc.edu]... 10/10 MB downloaded... Installing package [Tomcat-5].
Downloading [GUMS-Service-Extras-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [GUMS-Service-Extras-Questions].
Downloading [gums-service-extras-1-15.tar.gz] from [www.cs.wisc.edu]... 2/2 MB downloaded... Installing package [GUMS-Service-Extras].
Downloading [configure_gums-1-48.tar.gz] from [www.cs.wisc.edu]... 2/2 kB downloaded... Installing package [Configure-GUMS].
Downloading [gums-service-1.0.1.tar.gz] from [www.cs.wisc.edu]... 4/4 MB downloaded... Installing package [GUMS-Service].
Downloading [GUMS-Client-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [GUMS-Client-Questions].
Downloading [VOMS-Client-1.3.6.tar.gz] from [www.cs.wisc.edu]... 1/1 kB downloaded... Installing package [VOMS-Client-Questions].
Downloading [voms-essentials-1.4.1-openssltest_2-x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 3/3 MB downloaded... Installing package [VOMS-Essentials].
Downloading [voms-client-1.4.1-openssltest_2-x86_rh_7.2.tar.gz] from [www.cs.wisc.edu]... 765/765 kB downloaded... Installing package [VOMS-Client].
Downloading [gums-client-1.0.1.tar.gz] from [www.cs.wisc.edu]... 8/8 MB downloaded... Installing package [GUMS-Client].

====================> GUMS installation complete

---------
cd /opt/gums/
. setup.sh
$VDT_LOCATION/vdt/setup/setup-cert-request
./globus/bin/grid-cert-request -host ouhep2.nhn.ou.edu -service http

========================================================================
A private http key and a certificate request has been generated with the subject:

/DC=org/DC=doegrids/OU=Services/CN=http/ouhep2.nhn.ou.edu
----------------------------------------------------------
The private key is stored in /opt/gums/globus/etc/http/httpkey.pem
The request is stored in /opt/gums/globus/etc/http/httpcert_request.pem

Please go to https://pki1.doegrids.org and choose the "Grid or SSL Server" menu item on the Enrollment page. Then cut and paste the file /opt/gums/globus/etc/http/httpcert_request.pem into the PKCS#10 text field.

To install this http certificate, follow the URL link in the message sent to you by the CA, and cut and paste the "Base64 encoded certificate" into /opt/gums/globus/etc/http/httpcert.pem
=======================

httpcert.pem from web page (this is the public certificate only; the private key stays in httpkey.pem and is never pasted anywhere):
-----BEGIN CERTIFICATE-----
MIIDNzCCAh+gAwIBAgICEjwwDQYJKoZIhvcNAQEFBQAwaTETMBEGCgmSJomT8ixkARkWA29yZzEY
MBYGCgmSJomT8ixkARkWCERPRUdyaWRzMSAwHgYDVQQLExdDZXJ0aWZpY2F0ZSBBdXRob3JpdGll
czEWMBQGA1UEAxMNRE9FR3JpZHMgQ0EgMTAeFw0wNTA1MjUyMTIyMDJaFw0wNjA1MjUyMTIyMDJa
MGMxEzARBgoJkiaJk/IsZAEZFgNvcmcxGDAWBgoJkiaJk/IsZAEZFghkb2VncmlkczERMA8GA1UE
CxMIU2VydmljZXMxHzAdBgNVBAMTFmh0dHAvb3VoZXAyLm5obi5vdS5lZHUwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAO+NyI4Hq8CRcgVhlhXt/VurngDS1TiHYmA16Ym0/CUDnWJ3+k+kqiVh
M7MV3/nBLELbXJdV41xyOOyrfC3/Xgy6P/347ns9Pk3v6fIrPaA7+fX2dWUBM7tkde+B2p8ahE/B
cZruS5+hP5L9z2lWnZ0Bogb96PFZCgxujG+fi4pdAgMBAAGjczBxMBEGCWCGSAGG+EIBAQQEAwIF
4DAOBgNVHQ8BAf8EBAMCBPAwKwYDVR0RBCQwIoIRb3VoZXAyLm5obi5vdS5lZHWBDWhzQG5obi5v
dS5lZHUwHwYDVR0jBBgwFoAUyhkdEo5upDhdQtQxDgjb2Y0XDV0wDQYJKoZIhvcNAQEFBQADggEB
AHYaV6W2srp4lPTKML5gW+VEkxRzZuUJy5jmgPuuff2sMOOhz5tS7TaRv7npmax0C5Ar6BVyePaS
WItEuQfi9YStrCXAlp7f/xFInb9m5Sx69cdoZ79snQZzCHeNDjOLLKoS1glRfJcHQ1feS7Al819z
Mmh4F1lFrdBFoXBd4v9KxxKF27ywoL2ljcbT3fWSOLg7pDEOhbJbwNB3dFJ2fvza6DEan1vdEz16
fJigurkDhCue30xUomSX62GJqZFCw4XIFZAiBRTWKTklQjMT/cr3zS45K6KWwe0hUJDcBypz/d6S
2gLSjDBdGgyGCQ6YvLoHLsolP1Dt/pejwWRb6Ss=
-----END CERTIFICATE-----

Then move certificates around to make it work:

cd /opt/gums
mkdir -p globus/grid-security
ln -s /opt/gums/globus/grid-security /etc/grid-security
ln -s /opt/osg/globus/share/certificates /etc/grid-security/certificates
mv /opt/gums/globus/share/certificates /opt/gums/globus/share/certificates.old
ln -s /opt/osg/globus/share/certificates /opt/gums/globus/share/certificates
ln -s ../etc/http globus/grid-security/http
chmod go-r globus/etc/http/httpkey.pem
chown -R daemon globus/etc/http

The last two commands are the important ones: httpkey.pem is the service's private key, so it must not be readable by group or world, and the whole http directory has to be owned by the account Tomcat runs as (daemon here). A key Tomcat cannot read gives the "Identity reading failed ... (Permission denied)" error described under the 'Update VO Members Database' step below.

Configuring GUMS:

cd /opt/gums/gums-service/sbin
WARNING: You must have created the database before running this script!
=====> Ignore this warning. The database was created during the installation.

Configure GUMS server:

[root@ouhep2 gums]# cd /opt/gums/gums-service/sbin
./addAdmin "/DC=org/DC=doegrids/OU=People/CN=Karthik Arunachalam 265532"
  => this is the DN or Distinguished Name
WARNING: You must have created the database before running this script!
Adding the following DN to the local database:
Certificate DN for administrator: "/DC=org/DC=doegrids/OU=People/CN=Karthik Arunachalam 265532"
Is this correct? (Enter 'yes' to proceed) yes
Adding the admin:
Enter the root mysql password

Verify you have administrative capabilities in GUMS:
  * Go to your gums web interface at https://your-gums-server:8443/gums.
  * Click "Generate Grid Mapfile".
  * Enter anything (e.g., xyz) as host computer just to test that the process runs.
  * You should get "null" as a response.
==============> verified => got a null response for both me and Horst

Modify the gums.config file

A default gums.config file is installed in $VDT_LOCATION/tomcat/v5/webapps/gums/WEB-INF/classes/gums.config
(Note that $VDT_LOCATION/gums is symlinked to $VDT_LOCATION/gums-service/var/war.)
This file has two groupMapping elements (i.e., groupMapping with no "s" at the end), both of which need to be replaced. They fall inside the one groupMappings element (with an "s"). You can choose to follow the "instant gratification" path, below, or follow the GumsConfigStepByStep path.

To get some instant gratification:

1. First replace the groupMapping elements with the following element:

   Note that this sample groupMapping element points to a VOMS server at Indiana and to the /vos/osg group, that it uses group account mapping (the className attribute of the accountMapping element contains the GroupAccountMapper class), and that the group account it maps to is osg (the groupName attribute of the accountMapping element).

2. In the hostGroup element, below, change the groups attribute to osg to match the inserted element (delete groupA and groupB) and change the wildcard attribute value from '*.site.com' to the CE or gatekeeper host(s) that the group mappings apply to (*.fnal.gov shown in the example below). As indicated, you can use a wildcard to specify a set of hosts.

3. On your GUMS web interface at https://your-gums-server:8443/gums,
   * click "Update users" => and then the 'Update VO Members Database' submit button
   This retrieves the members of the /vos/osg group from the Indiana VOMS server, and inserts them into the mysql database.

=================== <==== Shouldn't be necessary now because of correct cert installation (see above:)

Struggled with this step for a long time, since this gave an error (Java IO exception). Emailed the osg-int group and folks asked me to look into the gums install log files for further details.

On looking at the log file found the following error in /opt/gums/tomcat/v5/logs/gums-service-developer.log:

  java.security.cert.CertificateException: Identity reading failed: /etc/grid-security/http/httpkey.pem (Permission denied)

osg-int group folks said that this is caused by /etc/grid-security/http/httpcert.pem and httpkey.pem not being owned by the user daemon. Hence I changed the file ownership for these files to 'karunach'. But GUMS still failed with an error in this step. Then on looking more closely at the file, found the following error in /opt/gums/tomcat/v5/logs/gums-service-developer.log:

  faultString: java.lang.Exception: The trusted certificate authority certificates reading failed: java.io.IOException: No CA files found matching "/etc/grid-security/certificates/*.0"

Then I realized that this error is caused by the /etc/grid-security/certificates directory missing on OUHEP2. This is found only on OUHEP1 where the OSG is installed. Hence did an scp of the entire /etc/grid-security/certificates directory from OUHEP1 to OUHEP2.

************************************************************************
After scp of the /etc/grid-security/certificates directory from OUHEP1 to OUHEP2 the 'Update VO members database' successfully worked!
************************************************************************

More permanent fix because of CRL updates:

rm -rf /etc/grid-security/certificates
ln -s /opt/osg/globus/share/certificates /etc/grid-security/certificates

(A one-off scp copy of the CA directory goes stale: the CRL files in it, <hash>.r0 next to each <hash>.0 CA certificate, have a next-update date and are refreshed on the OSG install, and GSI authentication against a CA fails once its CRL has expired. Pointing at the directory that is kept updated avoids that.)
===================== <====

4. Still on your GUMS web interface,
   * Click on "Generate Grid Mapfile,"
   * Enter the hostname that you want to generate the grid mapfile for
   Key point: In step 2, you specified certain hosts in the wildcard attribute of the hostGroup element that these mappings applied to. This is the value you would enter here. For example, if you had entered wildcard="*.fnal.gov", you can enter any host with a .fnal.gov domain.
   * Click "Generate grid-mapfile."
You should get the text of a grid-mapfile formatted output (as of this writing):

#---- members of vo: osg ----#
"/DC=org/DC=doegrids/OU=People/CN=Alexis Rodriguez 233072" osg
"/DC=org/DC=doegrids/OU=People/CN=Andrew Zahn 730598" osg
"/DC=org/DC=doegrids/OU=People/CN=Craig Phillip Prescott 50911" osg

Setting up email notification for GUMS errors

GUMS has the capability to notify an administrator via email of any errors that may occur. The file $VDT_LOCATION/tomcat/v5/webapps/gums/WEB-INF/classes/log4j.properties contains these entries, but they are commented out. Look for these lines:

#log4j.appender.mail=org.apache.log4j.net.SMTPAppender
#log4j.appender.mail.from=gums-admin@nhn.ou.edu
#log4j.appender.mail.subject=gums e-mail alert
#log4j.appender.mail.SMTPHost=smtp.nhn.ou.edu
#log4j.appender.mail.to=karunach@nhn.ou.edu
#log4j.appender.mail.layout=org.apache.log4j.PatternLayout
#log4j.appender.mail.layout.ConversionPattern=%d{DATE} [%-5p]: %m%n

Uncomment them and set the "from", "SMTPHost", and "to" lines to the right values for your site. "From" should be the username under which GUMS runs. Here is a sample:

log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.from=gums-admin@nhn.ou.edu
log4j.appender.mail.subject=gums e-mail alert
log4j.appender.mail.SMTPHost=localhost
log4j.appender.mail.to=root
log4j.appender.mail.layout=org.apache.log4j.PatternLayout
log4j.appender.mail.layout.ConversionPattern=%d{DATE} [%-5p]: %m%n

Towards the top of the same file (line 22) under the heading "Log for GUMS administrator", you'll see:

log4j.logger.gums.resourceAdmin=DEBUG, adminFile
#log4j.logger.gums.resourceAdmin=DEBUG, mail, adminFile

Comment out the first line and uncomment the second so that the resource admin info you need comes to you via email in addition to going to a file. After you change these files, stop and restart tomcat-5.

To test for notification, force an error.
E.g., in gums.config, give an incorrect groupMapping name:

Now go to the GUMS-Admin UI https://your.gums.host:8443/gums and click Update Members. You should get an error which (among other text) should contain "Error Message: GUMS is misconfigured: please check the resource admin log for errors, and the gums.config file." You should receive one or more email notifications as well. (The error shown above generated three messages.) One of them contains the solution:

  "19 May 2005 10:31:00,169 [FATAL]: The configuration wasn't read properly. GUMS is not operational: Error at (32, 97: The groupMapping 'osg' is used within a hostGroup, but it was not defined."

Don't forget to fix your error now! .... and restart tomcat!!!

Setting the Frequency to Refresh GUMS from VOMS

GUMS will query the various VOMS VOs defined in the gums.config file on a periodic basis, based on a parameter defined in the following configuration file: $VDT_LOCATION/gums-service/var/war/WEB-INF/web.xml. The third line from the bottom contains the interval in minutes. The default is every 12 hours (720). Changed it to 120. You may want to adjust the value. You will need to restart tomcat to effect the change. Put back to 720 now.

Added manual local users groups ('localusers' for individual mappings and 'localgroup' for local group mappings to 'grid') and the usatlas group to gums.config:
--------
...
(and add to hostGroup)
--------

Then add local user mappings. Need a personal grid proxy in the root account on ouhep2.

cd /opt/gums
. setup.sh
grid-proxy-init -old -cert ~hs/.globus/usercert.pem -key ~hs/.globus/userkey.pem
(Use "grid-proxy-init -old" because GUMS v1.0.1 wants the grid-proxy-init of GT2, but comes with that of GT3. The proxy lands in /tmp/x509up_u0 with the default 12-hour lifetime; this reads a user's private key as root, so do it interactively and run grid-proxy-destroy once the mappings are done.)

To map to an individual account:
./gums/bin/gums manualGroup-add mysql localusers "/DC=org/DC=doegrids/OU=People/CN=Horst Severini 926890"
./gums/bin/gums manualMapping-add mysql local "/DC=org/DC=doegrids/OU=People/CN=Horst Severini 926890" hs

To map to the local group account 'grid':
./gums/bin/gums manualGroup-add mysql localgroup "/DC=org/DC=doegrids/OU=People/CN=Jamie E. Hegarty 930883"

Then go back to the web interface and generate the grid-mapfile.

To remove mappings:
./gums/bin/gums manualMapping-remove mysql local "/DC=org/DC=doegrids/OU=People/CN=Horst Severini 926890" hs
./gums/bin/gums manualGroup-remove mysql localusers "/DC=org/DC=doegrids/OU=People/CN=Horst Severini 926890"
./gums/bin/gums manualGroup-remove mysql localgroup "/DC=org/DC=doegrids/OU=People/CN=Jamie E. Hegarty 930883"
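Checks added to these notes:

The two errors hit above (the http key Tomcat could not read, and the empty /etc/grid-security/certificates) and the grid-mapfile the web interface generates can be checked with a small script before restarting tomcat. This is an added example, not part of VDT, GUMS or the original notes. It assumes the layout the notes above arrive at (/etc/grid-security/http/httpkey.pem and httpcert.pem, /etc/grid-security/certificates/<hash>.0 CA files with <hash>.r0 CRLs beside them), that Tomcat runs as daemon, and a 7-day CRL staleness threshold; the DNs and accounts in it are placeholders.

```sh
#!/bin/sh
# Post-install checks for the GUMS host layout described in these notes.
# Added example, not part of VDT/GUMS or the original notes. Assumptions:
# <grid-security root>/http/httpkey.pem and httpcert.pem, <root>/certificates/
# holding <hash>.0 CA files and <hash>.r0 CRLs, Tomcat running as "daemon",
# 7 days as the CRL age limit.
#
#   check_gums_credentials /etc/grid-security daemon
#   check_grid_mapfile /tmp/grid-mapfile
# Each returns 0 when clean and 1 on any FAIL; findings are printed.

check_gums_credentials() {
    gs="$1"
    owner="${2:-daemon}"
    key="$gs/http/httpkey.pem"
    cert="$gs/http/httpcert.pem"
    cadir="$gs/certificates"
    rc=0

    # Key and certificate must exist; a missing or unreadable key is the
    # "Identity reading failed ... (Permission denied)" error in the log.
    for f in "$key" "$cert"; do
        [ -f "$f" ] || { echo "FAIL missing $f"; rc=1; }
    done
    if [ -f "$key" ]; then
        # chmod go-r is the minimum; require no group/other bits at all, so a
        # group-readable host key (mode 640) is flagged too.
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            *00) ;;
            *) echo "FAIL $key mode $mode: private key readable beyond owner"; rc=1 ;;
        esac
        # ...and owned by the account Tomcat runs as, or Tomcat cannot open it.
        kowner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
        [ "$kowner" = "$owner" ] || { echo "FAIL $key owned by $kowner, not $owner"; rc=1; }
    fi

    # Trust store: GSI needs at least one <hash>.0 CA file; none at all is the
    # "No CA files found matching .../certificates/*.0" error in the log.
    if [ ! -d "$cadir" ]; then
        echo "FAIL $cadir missing"; rc=1
    elif [ -z "$(ls "$cadir"/*.0 2>/dev/null)" ]; then
        echo "FAIL no CA files (*.0) in $cadir"; rc=1
    else
        # A copied CA directory goes stale: CRLs not refreshed for a week are
        # the symptom the "more permanent fix" (symlink) above guards against.
        stale=$(find "$cadir" -name '*.r0' -mtime +7 | wc -l | tr -d ' ')
        [ "$stale" -eq 0 ] || echo "WARN $stale CRL file(s) in $cadir older than 7 days"
    fi
    return $rc
}

check_grid_mapfile() {
    mapfile="$1"
    q='"'
    rc=0
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;              # blank or "#---- members of vo ----#"
            "$q"*"$q "*) ;;                   # "<DN>" <account>
            *) echo "FAIL malformed line: $line"; rc=1; continue ;;
        esac
        dn=${line%$q*}; dn=${dn#$q}           # text between first and last quote
        acct=$(printf '%s\n' "${line##*$q}" | awk '{print $1}')
        if [ -z "$acct" ]; then
            echo "FAIL no account for $dn"; rc=1; continue
        fi
        # An account that does not exist locally cannot be mapped to by the
        # gatekeeper even though GUMS handed it out.
        id "$acct" >/dev/null 2>&1 || { echo "FAIL account '$acct' for $dn does not exist"; rc=1; }
        # The same DN twice (e.g. via a VO group and a manual group): first
        # match wins silently, so flag it.
        case "$seen" in
            *"|$dn|"*) echo "FAIL duplicate DN: $dn"; rc=1 ;;
        esac
        seen="$seen|$dn|"
    done < "$mapfile"
    return $rc
}
```

The key/certificate pairing itself is not checked here; "openssl x509 -noout -modulus -in httpcert.pem" and "openssl rsa -noout -modulus -in httpkey.pem" print the same value when the certificate pasted in from the CA page belongs to the key that grid-cert-request generated.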