CmsVoBox < CmsTier3

<!-- keep this as a security measure:
   #uncomment if the subject should only be modifiable by the listed groups 
   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
   #uncomment this if you want the page only be viewable by the listed groups
   # ######* Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup
-->

---+!! Node Type: %CALC{"$SUBSTITUTE(%TOPIC%,NodeType,)"}%

---++!! Firewall requirements

| *local port* | *open to* | *reason* |
<!-- Example line
 #| 22/tcp      | * |  Example entry for ssh |
-->

----------------

%TOC{title="Table of contents"}%

---+ Regular Maintenance work

---++ Renew myproxy certificate for !PhEDEx transfers (once per month)

The present myproxy servers have problems with host certificates for PSI from SWITCH, because they contain a "(PSI)" substring, and the parentheses are not correctly escaped in the regexp matching of the myproxy code.
Therefore, the renewer DN (-R argument to myproxy-init below) and the _allowed renewers policy on the myproxy server_ need to be defined with wildcards to enable the matching to succeed.

<pre> 
voms-proxy-init -voms cms
myproxyserver=myproxy.cern.ch
<strike>servicecert="/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/OU=AIT/CN=t3cmsvobox.psi.ch"</strike>
servicecert='*/CN=t3cmsvobox.psi.ch'
myproxy-init -s $myproxyserver -l psi_phedex -x \
     -R "$servicecert" -c 720
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert
#  for testing, you can try
myproxy-info -s $myproxyserver -l psi_phedex
</pre>

 As the phedex user do 
<pre>
chmod 600 ~/gridcert/proxy.cert
</pre>

 You should test whether the renewal of the certificate works for the phedex user: 
unset X509_USER_PROXY # make sure that the service credentials from ~/.globus are used!

<pre>
voms-proxy-init  # initializes the service proxy cert that is allowed to retrieve the user cert
myproxyserver=myproxy.cern.ch
myproxy-get-delegation -s $myproxyserver -v -l psi_phedex \
            -a /home/phedex/gridcert/proxy.cert -o /tmp/gagatest

export X509_USER_PROXY=/tmp/gagatest
srm-get-metadata srm://t3se01.psi.ch:8443/srm/managerv1?SFN=/pnfs/psi.ch/cms
rm /tmp/gagatest
</pre>

---+ Emergency Measures
<!--
 #List any measures that must be taken in case of some major incident, e.g. whether a mailing
 #list must be contacted or whether other services need to be shut down, etc. 
-->


---+ Installation
<!--
 #Comment here on any peculiarities of the installation, e.g. on special packages needed, special setup
 #procedures which are not obvious
-->



---+ Services
<!--
 #List all the important services, their installation, configuration and how to start and stop them
-->
---++ PhEDEx
Refer to the description on the [[LCGTier2/CmsVObox][Tier-2 VOBox]].

There is one important difference: While we use FTS channels for the transfers to the Tier-2, we use the SRM backend for transfers to the Tier-3, because we do not have a FTS channel for PSI. This issue is linked to registering PSI as a regular grid site, which until recently was not possible, since we only sport a Grid SE, but no CE.

So, there is no fts.map file in the configuration area for the !PhEDEx services.

---+ Backups


-- Main.DerekFeichtinger - 19 Jan 2009
NodeTypeForm
Hostnames	t3vm01 (t3cmsvobox)
Services	PhEDEx
Hardware	VM
Install Profile	none
Guarantee/maintenance until	none
This topic: CmsTier3 > WebHome > AdminArea > CmsVoBox
Topic revision: r8 - 2010-06-17 - DerekFeichtinger