CmsVoBox < CmsTier3

<!-- keep this as a security measure:
   #uncomment if the subject should only be modifiable by the listed groups 
   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
   #uncomment this if you want the page only be viewable by the listed groups
   # * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup
-->

---+!! Node Type: %CALC{"$SUBSTITUTE(%TOPIC%,NodeType,)"}%

---++!! Firewall requirements

| *local port* | *open to* | *reason* |
<!-- Example line
 #| 22/tcp      | * |  Example entry for ssh |
-->

----------------

%TOC{title="Table of contents"}%

---+ Regular Maintenance work

---++ Manually renew the proxy certificate for the phedex transfers

The present host certificate from SWITCH has problems with myproxy renewals. Therefore we cannot use renewal at this point of time (the new SWITCH certs no longer have this problem, but they only have become available in July, and we need to get them).

*Therefore, an operator needs to personally place a valid proxy certificate in the phedex account every few days!*

All this is done on t3ui01:
<pre>
# On the UI
# At least we try to make a very long lived proxy
voms-proxy-init -voms cms -hours 120 -vomslife 120:00

# copy it to the right place in the phedex account (it's best that an admin operator installs ssh keys, so that you can do this without passwords)
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert
</pre>


---++ <strike>Renew myproxy certificate for !PhEDEx transfers</strike>

<pre> 
voms-proxy-init -voms cms
myproxyserver=myproxy.cern.ch
servicecert="/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/OU=AIT/CN=t3cmsvobox.psi.ch"
myproxy-init -s $myproxyserver -l psi_phedex -x \
     -R "$servicecert" -c 720
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert
#  for testing, you can try
myproxy-info -s $myproxyserver -l psi_phedex
</pre>

 As the phedex user do 
<pre>
chmod 600 ~/gridcert/proxy.cert
</pre>

 You should test whether the renewal of the certificate works for the phedex user: 
unset X509_USER_PROXY # make sure that the service credentials from ~/.globus are used!

<pre>
voms-proxy-init  # initializes the service proxy cert that is allowed to retrieve the user cert
myproxyserver=myproxy.cern.ch
myproxy-get-delegation -s $myproxyserver -v -l psi_phedex \
            -a /home/phedex/gridcert/proxy.cert -o /tmp/gagatest

export X509_USER_PROXY=/tmp/gagatest
srm-get-metadata srm://t3se01.psi.ch:8443/srm/managerv1?SFN=/pnfs/psi.ch/cms
rm /tmp/gagatest
</pre>

---+ Emergency Measures
<!--
 #List any measures that must be taken in case of some major incident, e.g. whether a mailing
 #list must be contacted or whether other services need to be shut down, etc. 
-->


---+ Installation
<!--
 #Comment here on any peculiarities of the installation, e.g. on special packages needed, special setup
 #procedures which are not obvious
-->



---+ Services
<!--
 #List all the important services, their installation, configuration and how to start and stop them
-->
---++ PhEDEx
Refer to the description on the [[LCGTier2/CmsVObox][Tier-2 VOBox]].

There is one important difference: While we use FTS channels for the transfers to the Tier-2, we use the SRM backend for transfers to the Tier-3, because we do not have a FTS channel for PSI. This issue is linked to registering PSI as a regular grid site, which until recently was not possible, since we only sport a Grid SE, but no CE.

So, there is no fts.map file in the configuration area for the !PhEDEx services.

---+ Backups


-- Main.DerekFeichtinger - 19 Jan 2009
NodeTypeForm
Hostnames	t3ui01
Services	PhEDEx
Hardware	SUN X4150, 1Xeon E5410, 8GB RAM, 2146 GB SAS disk
Install Profile	none
This topic: CmsTier3 > WebHome > AdminArea > CmsVoBox
Topic revision: r4 - 2009-11-02 - DerekFeichtinger