Firewall requirements
Regular Maintenance work
Manually renew the proxy certificate for the phedex transfers
The present host certificate from SWITCH has problems with myproxy renewals, so we cannot use renewal at this time. (The new SWITCH certificates no longer have this problem, but they only became available in July, and we still need to get them.)
Therefore, an operator needs to personally place a valid proxy certificate in the phedex account every few days!
All this is done on t3ui01:
# On the UI
# At least we try to make a very long lived proxy
voms-proxy-init -voms cms -hours 120 -vomslife 120:00
# copy it to the right place in the phedex account (it's best that an admin operator installs ssh keys, so that you can do this without passwords)
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert
Renew myproxy certificate for PhEDEx transfers
voms-proxy-init -voms cms
myproxyserver=myproxy.cern.ch
servicecert="/DC=com/DC=quovadisglobal/DC=grid/DC=switch/DC=hosts/C=CH/ST=Aargau/L=Villigen/O=Paul-Scherrer-Institut (PSI)/OU=AIT/CN=t3cmsvobox.psi.ch"
myproxy-init -s $myproxyserver -l psi_phedex -x -R "$servicecert" -c 720
scp ~/.x509up_u$(id -u) phedex@t3ui01:gridcert/proxy.cert
# for testing, you can try
myproxy-info -s $myproxyserver -l psi_phedex
As the phedex user, run:
chmod 600 ~/gridcert/proxy.cert
You should test whether the renewal of the certificate works for the phedex user:
unset X509_USER_PROXY # make sure that the service credentials from ~/.globus are used!
voms-proxy-init # initializes the service proxy cert that is allowed to retrieve the user cert
myproxyserver=myproxy.cern.ch
myproxy-get-delegation -s $myproxyserver -v -l psi_phedex -a /home/phedex/gridcert/proxy.cert -o /tmp/gagatest
export X509_USER_PROXY=/tmp/gagatest
srm-get-metadata "srm://t3se01.psi.ch:8443/srm/managerv1?SFN=/pnfs/psi.ch/cms" # quoted so the shell does not treat ? as a glob character
rm /tmp/gagatest
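An added example, not part of the original page: a shell function the phedex account could run (for instance from cron) to check that the proxy file placed above is a plain file owned by the account with mode 600 and still has enough lifetime left. The function name, the return codes and the 24-hour default threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the PhEDEx proxy file.
# Return codes (chosen for this example): 0 ok, 2 missing or not a plain file,
# 3 wrong owner or mode, 4 unreadable certificate or too little lifetime left.
check_proxy_file() {
    proxy=${1:-/home/phedex/gridcert/proxy.cert}   # path used on this page
    min_left=${2:-86400}                           # assumed threshold: 24 h

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$proxy" ] || [ ! -f "$proxy" ]; then
        echo "proxy check: $proxy missing or not a regular file" >&2
        return 2
    fi

    # The file holds a private key: it must be ours and mode 600.
    mode=$(stat -c '%a' "$proxy" 2>/dev/null || stat -f '%Lp' "$proxy")
    if [ ! -O "$proxy" ] || [ "$mode" != "600" ]; then
        echo "proxy check: $proxy must be owned by $(id -un) with mode 600 (is $mode)" >&2
        return 3
    fi

    # The first PEM certificate in a proxy file is the proxy itself, so
    # -checkend tests the proxy's own expiry, not that of the user certificate.
    if ! openssl x509 -in "$proxy" -noout -checkend "$min_left" >/dev/null 2>&1; then
        echo "proxy check: $proxy unreadable or expires within ${min_left}s" >&2
        return 4
    fi
    return 0
}

# Run the check when called with arguments, e.g. from cron:
#   check_proxy.sh /home/phedex/gridcert/proxy.cert 86400
[ "$#" -eq 0 ] || check_proxy_file "$@"
```

The check covers only the lifetime of the proxy certificate itself, not the lifetime of the VOMS attributes requested with -vomslife.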
Emergency Measures
Installation
Services
Refer to the description on the Tier-2 VOBox.
There is one important difference: While we use FTS channels for the transfers to the Tier-2, we use the SRM backend for transfers to the Tier-3, because we do not have an FTS channel for PSI. This issue is linked to registering PSI as a regular grid site, which until recently was not possible, since we only sport a Grid SE, but no CE.
So, there is no fts.map file in the configuration area for the PhEDEx services.
Backups
-- DerekFeichtinger - 19 Jan 2009