Node Type: CmsVoBox

Firewall requirements

local port open to reason


Regular Maintenance work

Manually renew the proxy certificate for the phedex transfers

The present host certificate from SWITCH has problems with myproxy renewals. Therefore we cannot use renewal at this point in time (the new SWITCH certs no longer have this problem, but they only became available in July, and we still need to get them).

Therefore, an operator needs to personally place a valid proxy certificate in the phedex account every few days!

All this is done on t3ui01:

# On the UI
# At least we try to make a very long lived proxy
voms-proxy-init -voms cms -hours 120 -vomslife 120:00

# copy it to the right place in the phedex account (it's best that an admin operator installs ssh keys, so that you can do this without passwords)
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert

Renew myproxy certificate for PhEDEx transfers

 
voms-proxy-init -voms cms
myproxyserver=myproxy.cern.ch
servicecert="/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/OU=AIT/CN=t3cmsvobox.psi.ch"
myproxy-init -s $myproxyserver -l psi_phedex -x -R "$servicecert" -c 720
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert
#  for testing, you can try
myproxy-info -s $myproxyserver -l psi_phedex

As the phedex user do

chmod 600 ~/gridcert/proxy.cert

You should test whether the renewal of the certificate works for the phedex user:

unset X509_USER_PROXY # make sure that the service credentials from ~/.globus are used!

voms-proxy-init  # initializes the service proxy cert that is allowed to retrieve the user cert
myproxyserver=myproxy.cern.ch
myproxy-get-delegation -s $myproxyserver -v -l psi_phedex -a /home/phedex/gridcert/proxy.cert -o /tmp/gagatest

export X509_USER_PROXY=/tmp/gagatest
srm-get-metadata srm://t3se01.psi.ch:8443/srm/managerv1?SFN=/pnfs/psi.ch/cms
rm /tmp/gagatest
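
Because the proxy in ~/gridcert/proxy.cert has to be replaced by hand every few days, a check of its permissions and remaining lifetime tells the operator when that is due. The script below is an added example, not part of the original procedure; it assumes openssl is installed, and the function names and the 24 hour default threshold are made up for illustration.

```bash
#!/bin/bash
# Added example: pre-flight check for the PhEDEx proxy file.
# Assumptions: openssl is installed; the 24 h warning threshold is arbitrary.

# Succeeds only if the path is a regular file with no group/other access
# (mode 600 or 400), matching the chmod 600 step of the procedure.
proxy_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the first certificate in the file (in a proxy file this is
# the proxy certificate itself) stays valid for at least $2 more hours.
proxy_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 3600 ))" >/dev/null 2>&1
}

# Prints one status line; returns 0 = fine, 1 = renew soon, 2 = unusable.
check_proxy() {
    local file=$1 min_hours=${2:-24}
    if ! proxy_perms_ok "$file"; then
        echo "CRITICAL: $file is missing or accessible by group/others"
        return 2
    fi
    if ! proxy_valid_for "$file" 0; then
        echo "CRITICAL: proxy in $file has expired or cannot be parsed"
        return 2
    fi
    if ! proxy_valid_for "$file" "$min_hours"; then
        echo "WARNING: proxy in $file expires within ${min_hours}h, renew now"
        return 1
    fi
    echo "OK: proxy in $file is valid for more than ${min_hours}h"
}

# Run only when a path is given, e.g.:
#   ./check_proxy.sh ~/gridcert/proxy.cert 24
[ "$#" -eq 0 ] || check_proxy "$@"
```

The return codes follow the usual OK/WARNING/CRITICAL convention, so the script can be called from cron or a monitoring probe under the phedex account.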

Emergency Measures

Installation

Services

PhEDEx

Refer to the description on the Tier-2 VOBox.

There is one important difference: While we use FTS channels for the transfers to the Tier-2, we use the SRM backend for transfers to the Tier-3, because we do not have an FTS channel for PSI. This issue is linked to registering PSI as a regular grid site, which until recently was not possible, since we only sport a Grid SE, but no CE.

So, there is no fts.map file in the configuration area for the PhEDEx services.

Backups

-- DerekFeichtinger - 19 Jan 2009

NodeTypeForm
Hostnames t3ui01
Services PhEDEx
Hardware SUN X4150, 1*Xeon E5410, 8GB RAM, 2*146 GB SAS disk
Install Profile none
Topic revision: r4 - 2009-11-02 - DerekFeichtinger