Difference between revisions of "DUNE third party copy IC to RAL"
(→Third party copies Imperial dCache to RAL ECHO) |
|||
Line 7: | Line 7: | ||
'''Issues''' | '''Issues''' | ||
− | # | + | # Expired delegation is not updated (happens when you start testing on a Friday and come back on a Monday): <br> Short term solution: remove delegation from dCache, start afresh. <br> Long term solution: wait for dCache [https://github.com/DmitryLitvintsev/dcache/wiki/DCacheDelegationPatch fix] provided by Dmitry to make it into the release. <br> |
− | Short term solution: remove delegation from dCache, start afresh <br> | + | # Checksums on ECHO: Apparently it doesn't provide any. <br> Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node. <br> Long term solution: ??? <br> |
− | Long term solution: wait for dCache [https://github.com/DmitryLitvintsev/dcache/wiki/DCacheDelegationPatch fix] provided by Dmitry to make it into the release | + | # dynafed's QuoVadis certificate <br> Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3). |
− | # Checksums on ECHO: Apparently it doesn't provide any. <br> | + | Short term solution: Procure certificate from from here: [https://www.quovadisglobal.com/QVRepository/DownloadRootsAndCRL.aspx Downloads]. Distribute it on the head and pool nodes. Remember to make the .0 file and create a link: |
− | Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node. <br> | + | |
− | Long term solution: ??? <br> | + | |
− | # dynafed's QuoVadis certificate <br> | + | |
− | Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3) | + | |
<pre> | <pre> | ||
[root@blah certificates]# openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash | [root@blah certificates]# openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash | ||
Line 20: | Line 16: | ||
[root@blah certificates]# ln -s QuoVadis-SSL-ICA-G3.pem 35e514f6.0 | [root@blah certificates]# ln -s QuoVadis-SSL-ICA-G3.pem 35e514f6.0 | ||
openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash | openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash | ||
− | </pre> | + | </pre> Make a QuoVadis-SSL-ICA-G3.crl_url file while you are at it. <br> |
− | Make a QuoVadis-SSL-ICA-G3.crl_url file while you are at it. <br> | + | |
− | + | ||
Revision as of 15:51, 12 September 2018
Third party copies Imperial dCache to RAL ECHO
Baseline versions
dCache version: 3.2.15-1
gfal-* on an up-to-date CentOS 7 node (lxplus7.cern.ch will do) with gfal2-util version 1.5.1 (gfal2 2.15.4)
Issues
- Expired delegation is not updated (happens when you start testing on a Friday and come back on a Monday):
Short term solution: remove delegation from dCache, start afresh.
Long term solution: wait for dCache fix provided by Dmitry to make it into the release.
- Checksums on ECHO: Apparently it doesn't provide any.
Short term solution: Set webdav.enable.third-party.requiring-verification-by-default = false in dcache.conf on the head node.
Long term solution: ???
- dynafed's QuoVadis certificate
Dynafed needs an intermediate CA (QuoVadis Global SSL ICA G3).
Short term solution: Procure certificate from from here: Downloads. Distribute it on the head and pool nodes. Remember to make the .0 file and create a link:
[root@blah certificates]# openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hash 35e514f6 [root@blah certificates]# ln -s QuoVadis-SSL-ICA-G3.pem 35e514f6.0 openssl x509 -in QuoVadis-SSL-ICA-G3.pem -noout -hashMake a QuoVadis-SSL-ICA-G3.crl_url file while you are at it.
Side note: How to remove a delegation
use 'delegation' from dcache-srmclient-3.0.9-1.noarch (certificates must be installed in /etch/grid-security/certificates):
lx> delegation
$ endpoint https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation ← find this in the gfal-copy -vvv log
[https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation]> $ help
[...]
[https://gfe02.grid.hep.ph.ic.ac.uk:8445/srm/delegation] $ destroy 1234 ← I can't remember where I found this.
__NOTITLE__