Create justIN service certs and put in VOMS

[Andrew-McNab-UK]

Want to stop using Andrew's personal certificate for justIN jobs and have an appropriate cert for the "read only" proxies without VOMS roles given to user jobscripts.

1) Andrew has applied for UK e-Science certs for justin-jobs-production.dune.hep.ac.uk and justin-jobs-no-roles.dune.hep.ac.uk

2) Need them adding to VOMS. This can no longer be done by users from the VOMS web interface?

/C=UK/O=eScience/OU=Manchester/L=HEP/CN=justin-jobs-production.dune.hep.ac.uk /C=UK/O=eScience/OU=Manchester/L=HEP/CN=justin-jobs-no-roles.dune.hep.ac.uk

both with this issuer: /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B

[Andrew-McNab-UK]

I now have certificates for the above DNs and also one for /C=UK/O=eScience/OU=Manchester/L=HEP/CN=justin-jobs-analysis.dune.hep.ac.uk - all with the same CA DN as above.

Steve, could you add them to my DUNE VOMS membership. I can then start making VOMS proxies with the corresponding roles (or lack of) and using them for storage tests to see what combinations can do what where.

[StevenCTimm]

Yes I will add them to the DUNE VOMS (which must be done through FERRY). DUNE voms-admin never has worked directly to add certiticates.

[StevenCTimm]

Those 3 DN's now in Ferry, they should propagate to VOMS in about 10 minutes

[Andrew-McNab-UK]

I've looked again just now and they are not yet on my page on https://voms1.fnal.gov:8443 I've also tried directly using the production one with voms-proxy-init and the DN isn't recognised.

[StevenCTimm]

I think I know what happened, will try to add again.

[StevenCTimm]

(namely that if you happen to have a voms proxy instead of a bare certificate in your environment, FERRY just fails quietly with no error message.. I found that some other certs I thought I had added earlier yesterday didn't get added either.)

[StevenCTimm]

now 10:42 CST, they should hit voms at 11:05 CST. Ping me if they don't.

[StevenCTimm]

I see them now. Ok to close this?

[Andrew-McNab-UK]

Yes, I can do voms-proxy-init with them.

[Andrew-McNab-UK]

Sorry: one last thing. Could you add /C=UK/O=eScience/OU=Manchester/L=HEP/CN=justin-jobs-production.dune.hep.ac.uk to dunepro in Rucio too.

[StevenCTimm]

Ok this one has been added and should hit VOMS in 15 minutes.

Note that certificate DN's are attached to people, not to roles.. so these four are attached to you personally in VOMS and they can be dunepro (or not) because you have that role and can request it if you choose.

[StevenCTimm]

ok /C=UK/O=eScience/OU=Manchester/L=HEP/CN=justin-jobs-production.dune.hep.ac.uk is added to dunepro account in rucio closing this.