<!-- keep this as a security measure: #uncomment if the subject should only be modifiable by the listed groups * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup #uncomment this if you want the page only be viewable by the listed groups # * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup --> ---+!! Node Type: %CALC{"$SUBSTITUTE(%TOPIC%,NodeType,)"}% ---++!! Firewall requirements | *local port* | *open to* | *reason* | <!-- Example line #| 22/tcp | * | Example entry for ssh | --> ---------------- %TOC{title="Table of contents"}% ---+ Regular Maintenance work ---++ Manually renew the proxy certificate for the phedex transfers The present host certificate from SWITCH has problems with myproxy renewals. Therefore we cannot use renewal at this point of time (the new SWITCH certs no longer have this problem, but they only have become available in July, and we need to get them). *Therefore, an operator needs to personally place a valid proxy certificate in the phedex account every few days!* All this is done on t3ui01: <pre> # On the UI # At least we try to make a very long lived proxy voms-proxy-init -voms cms -hours 120 -vomslife 120:00 # copy it to the right place in the phedex account (it's best that an admin operator installs ssh keys, so that you can do this without passwords) scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert </pre> ---++ <strike>Renew myproxy certificate for !PhEDEx transfers</strike> <pre> voms-proxy-init -voms cms myproxyserver=myproxy.cern.ch servicecert="/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/OU=AIT/CN=t3cmsvobox.psi.ch" myproxy-init -s $myproxyserver -l psi_phedex -x \ -R "$servicecert" -c 720 scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert # for testing, you can try myproxy-info -s $myproxyserver -l psi_phedex </pre> As the phedex user do <pre> chmod 600 ~/gridcert/proxy.cert </pre> You should test whether the renewal of the certificate works for the phedex user: unset X509_USER_PROXY # make sure that the service credentials from ~/.globus are used! <pre> voms-proxy-init # initializes the service proxy cert that is allowed to retrieve the user cert myproxyserver=myproxy.cern.ch myproxy-get-delegation -s $myproxyserver -v -l psi_phedex \ -a /home/phedex/gridcert/proxy.cert -o /tmp/gagatest export X509_USER_PROXY=/tmp/gagatest srm-get-metadata srm://t3se01.psi.ch:8443/srm/managerv1?SFN=/pnfs/psi.ch/cms rm /tmp/gagatest </pre> ---+ Emergency Measures <!-- #List any measures that must be taken in case of some major incident, e.g. whether a mailing #list must be contacted or whether other services need to be shut down, etc. --> ---+ Installation <!-- #Comment here on any peculiarities of the installation, e.g. on special packages needed, special setup #procedures which are not obvious --> ---+ Services <!-- #List all the important services, their installation, configuration and how to start and stop them --> ---++ PhEDEx Refer to the description on the [[LCGTier2/CmsVObox][Tier-2 VOBox]]. There is one important difference: While we use FTS channels for the transfers to the Tier-2, we use the SRM backend for transfers to the Tier-3, because we do not have a FTS channel for PSI. This issue is linked to registering PSI as a regular grid site, which until recently was not possible, since we only sport a Grid SE, but no CE. So, there is no fts.map file in the configuration area for the !PhEDEx services. ---+ Backups -- Main.DerekFeichtinger - 19 Jan 2009
NodeTypeForm
Hostnames
t3ui01
Services
PhEDEx
Hardware
SUN X4150, 1*Xeon E5410, 8GB RAM, 2*146 GB SAS disk
Install Profile
none
This topic: CmsTier3
>
WebHome
>
AdminArea
>
CmsVoBox
Topic revision: r4 - 2009-11-02 - DerekFeichtinger
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki?
Send feedback