AMGA Server Installation and configuration

1
AMGA Server Installation and configuration

• Tony Calanducci
• INFN Catania
• Third EELA Tutorial for Managers and Users
• Rio de Janeiro, 26-30 June 2006

2
Outline

• How to install an AMGA Server
• AMGA Server Configuration
• Reference

3
Installation requirements

• Start from a fresh install of SLC 3.0.x
• Verify that apt is installed and properly
  configured
• rpm -qa grep apt
• Install apt if necessary
• Create a /etc/apt/source.list.d/egee-ca.list file
  with this line
• rpm  http//grid018.ct.infn.it/rep glite_sl3-i386
  security
• Run apt-get update
• Configure ntpd as illustrated in the SysAdmin
  Intro tutorial

4
Security pre-requisites

• Install the RPMs of all the CA supported by EGEE
• apt-get install lcg-CA
• If you plan to use certificates released by
  unsupported EGEE CAs, be sure that their public
  key, signing policy and CRLs (usually distributed
  with an rpm) are installed in /etc/grid-security/c
  ertificates.
• For the VO GILDA, the RPM is available at
• https//gilda.ct.infn.it/RPMS/ca_GILDA-1.0-2.i386
  .rpm
• Additionally install the RPMs of GILDA and EELA
  VOMS
• https//gilda.ct.infn.it/RPMS/edg-voms-vo-gilda-1.
  0-0.noarch.rpm
• https//gilda.ct.infn.it/RPMS/lcg-voms-vo-eela_1.0
  -0_noarch.rpm

5
Security pre-requisites (II)

• Download and install edg-utils-system RPM from
• http//grid018.ct.infn.it/rep/glite_sl3-i386/RPMS/
  edg-utils-system-1.8.2-1_sl3.noarch.rpm
• Edit /etc/cron.d/edg-fetch-crl to look like
• PATH/sbin/bin/usr/sbin/usr/bin
• 39 2,8,14,20 root /opt/edg/etc/cron/edg-fetc
  h-crl-cron gtgt /var/log/edg-fetch-crl-cron.log
  2gt1
• Request a X509 host certificate for the AMGA
  Server you are going to install from a
  Certification Autority (CA). For example, to get
  host certificates from the GILDA CA, go to
• https//gilda.ct.infn.it/CA/mgt/restricted/srvreq.
  php
• Install host certificates (hostcert.pem and
  hostkey.pem) in /etc/grid-security.
• chmod 644 hostcert.pem
• chmod 400 hostkey.pem

6
AMGA Server and Client RPMs

• The following packages are necessary to use AMGA
  and must be installed first unixODBC, libxml2
  and Boost-lib. You can get the package via
• apt-get install unixODBC
• apt-get install libxml2
• apt-get install boost
• Download and install the latest AMGA server and
  client from the AMGA download directory
  (http//project-arda-dev.web.cern.ch/project-arda-
  dev/metadata/downloads/)
• http//project-arda-dev.web.cern.ch/project-arda-d
  ev/metadata/downloads/glite-amga-server-1.2.3-1.SL
  C3.i386.rpm
• http//project-arda-dev.web.cern.ch/project-arda-d
  ev/metadata/downloads/glite-amga-cli-1.2.3-1.SLC3.
  i386.rpm

7
DB and ODBC installation

• You also need a database and the appropriate ODBC
  driver. AMGA currently supports 4 different
  database backends via ODBC drivers (PostgreSQL,
  MySQL, Oracle and SQLite).
• Install postgreSQL that comes with SLC with
• apt-get install rh-postgresql-server
  rh-postgresql
• Install a postgreSQL ODBC driver (at least
  version 08.01.0200)
• Download it from http//project-arda-dev.web.cern
  .ch/project-arda-dev/metadata/downloads/amga-odbc.
  tar.gz
• Just run the INSTALL.sh script after unpacking
• NB dont use the postgresql-odbc package that
  comes with SLC. Its too old and AMGA will not
  work with it

8
postgreSQL configuration

• Initialize the DB configuration
• /etc/init.d/rhdb start
• /etc/init.d/rhdb stop
• Uncomment out the line and set the parameter to
  true in /var/lib/pgsql/data/postgresql.conf as
  follow
• tcpip_socket true
• This is needed to enable TCP/IP connections used
  by the ODBC driver
• Add the following lines to /var/lib/pgsql/data/pg_
  hba.conf
• host    metadata arda            127.0.0.1
  255.255.255.255      trust
• local   metadata    arda                     
  trust
• (Used to authorize the arda db user to connect
  to the metadata db)

9
postgreSQL configuration (II)

• Start again postgreSQL
• /etc/init.d/rhdb start
• Create the DB user arda allowing him to create
  new DBs
• su postgres -c 'createuser -d -A arda'
• Create the Unix user arda
• adduser arda
• Let arda user create metadata DB
• su arda -c 'createdb metadata'
• Allow stored procedures for metadata db
• su postgres c createlang -d metadata plpgsql

10
ODBC driver configuration

• The ODBC data source is created by appending the
  following lines to /etc/odbc.ini
• PSQL  Description     AMGA metadata
  catalogue database  Driver          PostgreSQL
   Trace           No  TraceFil       
  /tmp/metadata/odbc.log  Database       
  metadata  Servername      localhost
   Port            5432  ReadOnly        No
• Double check the /etc/odbcinst.ini ensuring it
  contains the proper settings for the postgreSQL
  ODBC driver (it should have been configure by the
  INSTALL.sh during the installation)

11
ODBC Testing and metadata DB creation

• To test if the ODBC was set up correctly you can
  use the generic unixODBC CLI tool
• isql PSQL metadata
• Now you can initialize the database using the
  createInitialXXX.sql scripts (where XXX has to be
  replaced with the DB of choice which you will
  find in /opt/glite/share/doc/glite-amga-server-1.2
  .3/)
• su arda psql metadata lt /opt/glite/share/doc/gli
  te-amga-server-1.2.3/createInitialPG.sql
• If you want to use also ACL per entries you need
  also to create some store procedures with
• psql metadata lt /opt/glite/share/doc/glite-amga-se
  rver-1.2.3/proceduresPSQL.sql

12
AMGA initial configuration

• /etc/mdserver.conf contains all the variables you
  need to set up and fine tune the AMGA server. By
  default it configures AMGA with no authentication
  checks.
• Start the AMGA server with
• /etc/init.d/mdservice start
• AMGA server demon should be listening on 8822
  port
• lsof -i grep 8822
• mdserver 13856 root 6u IPv4 27296
  TCP 8822 (LISTEN)
• mdserver 13857 root 6u IPv4 27296
  TCP 8822 (LISTEN)
• mdserver 13860 root 6u IPv4 27296
  TCP 8822 (LISTEN)

13
AMGA testing

• Log in into a User Interface where the AMGA
  Client tools are installed.
• You can check it with rpm qa grep -i amga
• Copy the amga client template config file from
  /etc/mdclient.config to your home as
  .mdclient.config
• cp /etc/mdclient.config HOME/.mdclient.config
• Edit the Host variable filling it with the right
  hostname and ensure Login one equals to root
• Connect to the AMGA server using the AMGA
  mdclient tool
• mdclient
• Connecting to amgarm3.trigrid.it8822...
• ARDA Metadata Server 1.2.3
• Querygt whoami
• gtgt root
• Querygt

14
Create a root user

• Inside the Mdclient shell, create the root user
  (called also role inside AMGA) with
• Querygt user_create root
• Bind the amga root role to the subject of the
  AMGA administrator (you in this case)
• Querygt user_subject_add root 'C IT, O GILDA,
  OU Personal Certificate, L INFN Catania, CN
  Tony Calanducci, emailAddress
  tony.calanducci_at_ct.infn.it
• You can get it by
• openssl x509 -in usercert.pem -subject -noout
  -nameopt oneline
• You can also define an AMGA root passwd if you
  plan to enable also password authentication,
  with
• Querygt user_password_change root bondia

15
Enabling Certificate Authentication

• Edit /etd/mdserver.config in AMGA server and
  change the following variables
• UseSSL 1
• RequireAuthentication 1
• AllowCertificateAuthentication 1
• CertFile /etc/grid-security/hostcert.pem
• KeyFile /etc/grid-security/hostkey.pem
• TrustedCertDir /etc/grid-security/certificates
• AllowGridProxyLogin 1
• MyProxyHack 1
• Enable the users from the VOs you want to give
  access to
• VirtualOrganizations gilda(gilda), eela(eela)
• VOGroupMap gilda/gilda(gildausers),
  eela(eelausers)
• Restart the AMGA server with
• /etc/init.d/mdserver restart

16
Test the VOMS proxy authentication

• Log in to the UI and edit the HOME/.mdclient.conf
  ig
• Login NULL
• UseSSL require
• AuthenticateWithCertificate 1
• UseGridProxy 1
• Initialize your proxy asking the membership to
  one of the enabled VO (gilda for example)
• Start the mdclient tool. You should be
  authenticated as gilda user(role) belonging to
  gildausers group
• mdclient
• Connecting to amgarm3.trigrid.it8822...
• ARDA Metadata Server 1.2.3
• Querygt whoami
• gtgt gilda
• Querygt grp_member
• gtgt gildausers

17
Set up a collection per each VO

• Initialize the voms proxy with the user defined
  as root.
• Change the previous HOME/.mdclient.config to
  login as root
• Start the Mdclient. You should be authenticated
  as root (by your subject)
• mdclient
• Connecting to amgarm3.trigrid.it8822...
• ARDA Metadata Server 1.2.3
• Querygt whoami
• gtgt root
• Create a root collection for each VO you support.
  You can also create specific collection to
  support specific roles or applications.
• createdir /gilda
• createdir /eela

18
Set up collections for VOs (II)

• Anyone will be allowed to read the new
  collections, but we want also grant write
  permissions to the VO users
• Querygt acl_show /gilda
• gtgt root rwx
• gtgt systemanyuser rx
• Querygt acl_add /gilda gildausers rwx
• Querygt acl_show gilda
• gtgt root rwx
• gtgt gildausers rwx
• gtgt systemanyuser rx
• You could achieve the same results changing the
  ownership of the /gilda collection with
• chown /gilda gilda
• If you dont allow others to read inside /gilda
  collection remove from the ACLs the
  systemanyuser group
• Querygt acl_remove /gilda/ systemanyuser

19
References

• AMGA project Homepage
• http//project-arda-dev.web.cern.ch/project-arda-d
  ev/metadata/
• AMGA Documentation
• http//project-arda-dev.web.cern.ch/project-arda-d
  ev/metadata/pages.html
• AMGA Users and Administrators manual
• http//project-arda-dev.web.cern.ch/project-arda-d
  ev/metadata/downloads/amga-manual_1_2_3.pdf
• AMGA Installation Notes on GILDA Team Wiki
• https//grid.ct.infn.it/twiki/bin/view/GILDA/AMGA