Instruction for VO administrators

From GridPP Wiki
Jump to: navigation, search

A short overview for VO administrators - becoming a VO administrator

(NOT 'VOMS administrators')

  1. If your VO is not existing yet 
    then start from: New VO deployment.
    1. Check the GridPP VOMS Admin Interface for existing VOs.
    2. Each new VO must be registered following this procedure.
    3. You can find a full instruction in CERN document by Maria Dimou. Here is some specific hints:
      • For a "unique VO name" choose <vo-name>
      • As a bases for you own "Acceptable Use Policy" you can use this one issued by Joint Security Policy Group.
      • Links to the current voms server certificate (unless you have it already) can be found here.
      • The "VOMS server endpoint" is "group vomss://<vo-name>"
      • Information on "Host and ports" can be found at<vo-name>/configuration/configuration.action It is use to be "<vo-name>" "" "150**", where the second name is the "Host" and the last number (with all digits) is the port.
    4. After successful registration add an URL (if you can) to or let us know the URL and we will add it for you.
    5. Also, after finishing successfully (or if any doubts) please open a ticket via email using the emails in the GridPP VOMS support section. We will complete the technical process of creating the VO on our VOMS server.
    6. Remember, registration is the duty of a (potential) VO manager.
  2. If VO already exists
    then to be an Admin of the VO you have to be at least a member of it.
    1. To register go to<vo-name>/register/start.action having a valid certificate in your browser and make a request.
    2. Each VO user must obey the Acceptable Use Policy (AUP).
    3. On successful completion of your registration please inform us and we will associate your membership account with the VO Administrator Role. Now you will be able manage the VO database.
    4. A useful configuration information (e.g. VOMS server 'end-point' etc) is at<vo-name>/configuration/configuration.action

The term 'VO Administrator' potentially covers

  1. registration of a new VO following the instruction above;
  2. manager of the registration of users and their associated groups and roles in the VOMS database;
    By agreement with you the formal registration of a new user can be done by VOMS administration after your confirmation on any new user request. Otherwise you will be receiving e-mail notification and do the registration yourself.
  3. manager of the registration of groups;
  4. manager of the registration of roles.
    All these can be handled via VO-admin web page on VOMS<vo-name>/user/search.action
    which is self explanatory.
  5. Manager should know the setup of its VO.
  6. The VOMS certificate should be on your VO ID card where you as a VO manager should maintain it. Means in case the VOMS certificate was expired or revoked and changed with a new one (we should inform you ASAP if it has happened) you should inform your sites managers and get the new VOMS certificate from the link provided.
  7. Also you have to keep contact with members of your VO and ask them to follow the AUP.

GridPP VOMS support

  • Any problem with GridPP VOMS should be reported via a GGUS ticket (
  • The VOMS administrator is Robert Frank: Robert.Frank@(NOSPAM) however private emails should be avoided as difficult to track.

Communication with UK sites

  1. If something is not working at one or more sites you can open a ticket in GGUS:
    • email:
  2. If you need to communicate something like a change in configuration to all the sites you can use the broadcast tool on the CIC portal. There is a tick box to select all NGI_UK sites:
  3. More informal but useful complement to contact sites is the mail list. All grid sys admins have subscribed this list. You can ask general users questions to this mailing list. For example if you don't know how to do something.
  4. There is also a weekly Tuesday Operations (EVO) meeting which has a regular agenda section covering issues with VOs. It is possible to attend this if you wish to communicate to the sites, core operations staff and the site administrators directly.

CA rollover

The eScience CA is going through a process called rollover. Without going into detail this means that the CA DN (or Issuer DN) has changed while the users DN haven't. Most of the software recognises the user DN as the unique identifier of a user and therefore for most pourposes the process is transparent to the user. However the VOMS system checks the uniqueness of the combination Issuer DN+User DN. What does this mean in practical terms? It means that a user with a new certificate will have to add the new certificate in the VOMS system because VOMS doesn't recignise the new combination (A bug has been opened against VOMS to get at least an option to avoid the double check and get in line with the rest of the EGEE software The most recent rollover started oin September 2011 and the problem of handling certificates with an old Issuer DN will therefore last until September 2012 when all the certificates created before the rollover started will be renewed.

The process of adding a new certificate is different depending on which VOMS administartive interface is used: VOMS-Admin or VOMRS.


The user has to register again. With the new certificate loaded in their browser they have to go to<vo-name>/register/start.action the VO Admin will then approve the new request. <vo-name> needs to be substituted by your VO name (as it appears on this page).

  1. This process is independent from the old certificate being still valid or not.
  2. If the user had any Roles or belonged to any group those have to be recreated for the new registration.
  3. After the new registration is complete and the roles reassigned you can delete the old entry (housekeeping there is no need to maintain entries that are not valid anymore).
  4. If you are the user in question you probably will have to ask for the VOMS administrator ( assistance to reassign you the VO-Admin role. You can try to approve your new entry with the old certificate loaded in your browser, if this is still valid, and reassign the VO-Admin role to yourself. But here we are on uncharted territory so if you try let us know the results.


There are 2 ways depending on the old user certificate having expired or not. In both cases the entry point is the LCG registration page:

  • If the old certificate has expired
    The user has to re-register with the new certificate loaded in their browser. You need to delete the user before the user can reregister because the VOMRS interface doesn't check the Issuer DN and therefore believes that the user is trying to register the same certificate. Below the instructions to do that
    1. At the VOMRS service, using the left-hand menu controls -
    2. You have to follow the chain of links Open menu VO Registration Home -> Open menu Members -> Remove
      To open the menus click on [+]
    3. Use the form to search for the user to remove. (the percent sign "%" can be used as a wildcard)
    4. Select the user to be removed by clicking the appropriate row in the right-hand 'Select' column from the search results displayed. (Note: sometimes scroll-right is needed to see the select column!)
    5. Click the 'Submit' button to remove the user. Confirmation or failure reason will be given by VOMRS.
    6. Comprehensive help is available at the "Help about.." link on the Registration Homepage
    If you are the user in question and you let your old certificate expire I hope you are not the only person who's managing the VO else ask Maria Dimou.
  • If the old certificate hasn't expired
    The user can Add their new certificate.
    1. The user has to access the registration page with the old certificate loaded in the browser to add the new one.
    2. The user has then to follow the chain of links Open menu Member Info -> Open menu Certificates -> Add Certificate.
      To open the menus click on [+]
    3. The user will be asked the DN and the SN (Serial Number) and the Issuer DN. The SN is apparently not essential, as we know of certificates approved without and there is a menu to chose from for the Issuer DN. The new eScience DN is: /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA.
    4. You will have to approve the addition. The user will receive a notification of the changes requested and of the approval. Without the approval from the VO manager the certificate is not considered valid and will not being inserted into VOMS.

VO manager tasks

User membership extension

Dealing with Acceptable Use Polocies


VOMS configurations etc

VOMS server certificates

Current certificates

Up-to-date VOMS server certificates have to be installed on all services machines and UIs in /etc/grid-security/vomsdir with root as the owner and "644" as file permissions.

The current certificate is available as:

Certificate renewals

The VOMS server certificate is renewed once a year. The date when the certificate on the VOMS server is updated will be announced using the EGEE broadcast. The certificates provided in the previous section are updated prior to the announcement. To allow a smooth update, service machines and UIs should support both certificates, the old and the new one, until the update on the VOMS server is completed. Therefore the RPM package that is distributed via this page and the yum/apt repository provides both certificates. An updated package which contains only the new certificate is provided after the certificate on the server has been updated.

As the previous section links to the new certificate after the announcement, the plain text (PEM) version of the old one can be found here: previous certificate

Yum/Apt/RPM instructions

  • Instructions for yum.conf (TESTED)
  • Instructions for apt sources.list or equivalent:
rpm sysadmin-hep voms-certs
  • Instructions for manual RPM installation

Multiple versions of the package cannot be installed concurrently, as a newer version replaces an older one. If there is already a version installed it can either be upgraded by running

rpm -U<version>.rpm

(replace <version> with the package version) or it has to be removed before installing the new one.

rpm -e
rpm -i<version>.rpm

News and Updates


The certificate has been updated.


The certificate has been updated with a version without the email address in the DN. This certificate will be deployed tomorrow (14/02/2012).


The current server certificate will expire on the 19th of February. The certificate on the VOMS server will be updated on the 14th of February between 8 and 8.30 am (GMT).

Please be aware that the DN of the issuing certificate changes as well due to the rollover of the UK eScience CA. Because of this some software might have to be re-configured (LSC files).

The yum repository has been updated, the latest rpm file there contains both, the old and the new certificate. The links to the certificates on this page have been updated.


The yum repository has been updated, the latest rpm file there contains both, the old and the new certificate. The links to the certificates on this page have been updated.


The current server certificate will expire on the 18th of February. The certificate on the VOMS server will be updated on the 8th of February between 8 and 8.30 am (GMT).


The current server certificate will expire on the 11th of February. The new certificate is now available via this page and the RPM packages have been updated. The certificate on the VOMS server will be updated on the 1st of February between 8 and 8.30 am (GMT).


From the 15th of January 2009 the previous server certificate has expired and the new one needs to be installed in the directory /etc/grid-security/vomsdir with root as the owner and the attribute "644" on all services machines and UIs.