NORDUGRID-MEMO-12

VOMS Usage Notes

VOMS stands for Virtual Organisation Management Service and is one of the most commonly used grid technologies needed to provide user access to resources. It was originally developed for the EU DataGrid project, and for complete information refer to the VOMS Web page

VOMS is a set of tools to assist authorisation of users based on their affiliation. A group of users united by some common goal, e.g., working on a same project, and requesting access to Grid resources, is often referred to as a Virtual Organisation (VO). In order to authorise them by group, VOMS keeps a database of users, providing information on the user's relationship with Virtual Organisations: membership, group attachments, roles and capabilities. It also provides a set of tools to retreive and store such information.

You will need VOMS client tools if your access to various Grid resources is granted on the basis of your Virtual Organisation affiliation, and/or if your VO has a complex membership structure. Typically, VOMS clients are included in all Grid middleware distributions. NorduGrid offers a customized for better portability version of VOMS

VOMS works with users that have valid grid certificates. It keeps databases of users grouped as Virtual Organizations (VOs). Such databases can be used by grid resource owners in order to authorise VO members at their resources. VOMS allows to create fine-grained VO structures that can be used to allocate different privileges to different users.

VOMS technology provides interfaces for users to apply for VO membership, for administrators to manage the users, and for other grid services to query stored information (user lists, roles etc).

Preliminary steps and VO membership application

Before starting using VOMS, make sure you have a valid grid certificate (see also Grid certificates howto). Then proceed to the steps needed to use the VOMS Web interface:

1. Convert your Grid certificate to the format accepted by Web browsers:
   cd ~/.globus
   openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12
   This procedure will ask you for a new password - pick any you like
2. Load the result (cert.p12 in the example above) into your favorite browser (use Security or Certificates menu or similar); you will have to enter the password you set in Step 1.

You are now ready to apply for VO memberships via VOMS. Here are some relevant VOMS servers:

• VO nordugrid.org: https://voms.ndgf.org:8443/voms/nordugrid.org/
• VO knowarc.eu: https://arthur.hep.lu.se:8443/voms/knowarc.eu/
• VO gin.ggf.org: https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/

VOMS servers typically offer "New User Registration" from the menu; proceed there. Make sure you read and agree to the Usage Rules and the Acceptable Use Contract, if such are available. If requested, please fill in your contact person name (e.g. site admin or research project leader) in the "comment" field.

You typically must receive an automatic e-mail that is meant to confirm validity of your e-mail address. Follow the link in the message, or instructions how to use the Web interface for validations.

Authorized VO manager will study your request and may contact you or your supervisor in order to make the judgement. You will be notified of the decision by e-mail. In case of a positive outcome, you will be able to access resources granted to the VO.

Usage: VOMS-extended proxies

Many grid services rely on VOMS extensions in user proxies in order to identify a user with a VO and to assess user privileges. VOMS provides a special tool that creates VOMS-extended proxy certificates.

To request VOMS-extended proxy certificates one should use the voms-proxy-init command which is available in Grid clients, including ARC clients. Different versions may have slight variations in behaviour. The command tries to be as similar as possible to grid-proxy-init and will produce normal grid proxy certificates if one fails to instruct it which VO one wants credentials from. The VOs should therefore be identified in the file $HOME/.voms/vomses where each VO is listed on one row as

Here alias is any name you prefer to associate with the VO, machine address and tcp port is the VOMS server address and port, host dn is VOMS server subject (DN) as listed in its certificate (see Certificates How-to for details), and official vo name is the official name of the VO as defined at the server.

VOMS client versions v1.8.4 and higher require VOMS server credentials to be installed. There are two ways of doing this: either download the public key of your VOMS server, or create a special file containing server's DN and its CA DN. The step by step procedure follows:

• Create the directory that will contain all the VOMS configuration:
  mkdir $HOME/.voms
  export X509_VOMS_DIR=$HOME/.voms
  
• For convenience, you may want to define X509_CERT_DIR to point to the directory where you have all CA keys installed, e.g.:
  export X509_CERT_DIR=$HOME/nordugrid-arc-standalone/share/certificates
• If you want to use the public key option, do for each VOMS server:
  openssl s_client -CApath $X509_CERT_DIR -prexit -connect <server:port> 2>/dev/null | openssl x509 > tmp.0
  openssl x509 -in tmp.0 -noout -hash
  mv tmp.0 $X509_VOMS_DIR/<hashvalue>.0

  Here <server> is the host name of the VOMS server (as in vomses file below), and <port> is typically the standard VOMS https interface port, 8443.

• If you prefer to use the DN list option, do for each VOMS server:
  mkdir $X509_VOMS_DIR/<voname>
  cd $X509_VOMS_DIR/<voname>
  openssl s_client -CApath $X509_CERT_DIR -prexit -connect <server:port> 2>/dev/null | grep "issuer\|subject" |sed -e s/^[^=]*=// > <server>.lsc

  Here <voname> and <server> are your VO name and the host name of the VOMS server (as in vomses file below), and <port> is typically the standard VOMS https interface port, 8443.

The last example may be preferrable for many, because DNs change much less frequently than certificates.

vomses file example

Download a working vomses file (save as $HOME/.voms/vomses when using an ARC client, or $HOME/.glite/vomses when using a gLite UI).

Usage examples

• Getting a proxy from a VO (note that the alias of the VO is used):
  voms-proxy-init -voms knowarc.eu
• Getting a proxy with a special role (the default is not to include any roles in the proxy):
  voms-proxy-init -voms knowarc.eu:/knowarc.eu/Role=VO-Admin
  Here knowarc is the alias (first word of the line) in your vomses file, knowarc.eu is the actual official VO name, and Role=VO-Admin is the desired role.
• Getting a proxy with a special group (the default is to include all groups in the proxy):
  voms-proxy-init -voms knowarc.eu:/knowarc.eu/testers
• If your vomses configuration file is located in a non-standard place, do
  voms-proxy-init -voms nordugrid.org -conf <your path>/vomses
• Listing data about the current proxy certificate:
  voms-proxy-info -all
  Note that leaving out the -all option makes voms-proxy-info hide all VOMS specific information.

When using voms-proxy- commands, you may get the following message:
WARNING: Unable to verify signature! Server certificate possibly not installed.
This is a harmless warning.
However, if an error message occurs:
Error: Cannot verify AC signature!
you must cross-check whether you have most recent VOMS server credentials installed (see above for details).

Server side setup

In order to identify VOs system wide they should be listed in the file /etc/vomses. Each VO should be written on one line in the format (download an example vomses file):

Certificates of trusted VOMS servers should reside in /etc/grid-security/vomsdir named by their hashes. If you happened to get the certificate file named differently, rename it to its hash as displayed by

appended with the suffix of .0, e.g. 96a311cb.0

Currently, there is no easy way to obtain such certificates though, except of asking around. It will be fixed in a future release of VOMS Admin Web interface. From the NorduGrid Web site you can get the following VOMS server certificates:

• NorduGrid VOMS server certificate
• KnowARC VOMS server certificate
• WLCG VOMS server certificate
• GIN VOMS server certificate

Please note that this is not an official source of these certificates! Please always contact the respective VO managers to obtain the latest certificates. In particular, WLCG VOMS server (ATLAS, ALICE etc) certificates are distributed as lcg-vomscerts package with gLite.

If you are desperate still, there is a way to get any certificate as long as you know server address. The procedure has three steps: fetch the certificate, calculate its hash, copy it with the correct name to /etc/grid-security/vomsdir, as shown below.

Here <port> is typically the standard VOMS https interface port, 8443.

Note that you may place VOMS server certificates in any arbitrary place, provided it is defined in the X509_VOMS_DIR environment variable

The information from the VOMS server should also be used to implement VO-based user mapping in the arc.conf file or analogous configuration file of other grid midlewares. Typically, the necessary contact strings are available via "Configuration Information" option in VOMS Web interface. Different mapping utilities use such contact srtings in slightly different manner; below are some examples for ARC:

In file /etc/arc.conf, inside [vo] blocks, one can then use following constructions to map entire VO, a group or a role to a local user::

Note that e.g. the group "testers" should be written /knowarc.eu/testers even though some might construe this as an unnecessary redundancy.

Example of some useful [vo] blocks making use of VOMS are such:

Make sure there are no more than one block with a given id!

VOMS command line tools

Users normally won't need a separate VOMS client installation, as it typically comes bundled with other middleware tools. Still, in case when e.g. an update is necessary, a VOMS client can be installed from the NorduGrid repository. Below instructions for RPM-based systems are given.

Installation

Installation described below typicaly needs system administrator privileges. However, the tools are relocatable, and can be installed from tarballs by any advanced user.

NorduGrid distributes customized for better portability versions of VOMS, available for download at download.nordugrid.org, in the "External software" section (select "VOMS" in the list). For the client part, two packages are needed: voms and voms-clients.

Download either RPM or tarball distributions. Tarballs should be simply unpacked in the root directory. This will install VOMS binaries and libraries in the default directory /opt/voms. RPMs should be installed by executing

rpm -ivh voms-<x.y.z>.i386.rpm voms-clients<x.y.z>.i386.rpm

To set up environment properly, execute

source /etc/profile.d/voms.sh

or for a C shell

source /etc/profile.d/voms.csh

or for a shell without source command

. /etc/profile.d/voms.sh

This will install two command-line tools: voms-proxy-init and voms-proxy-info.

Refer to the "Usage" section for configuration details: they are common for all VOMS clients.