Quick Start: glite 3.2 Argus Installation¶
Installation and Configuration¶
The PAP, PDP, and PEPd are bundled together as the gLite node type
glite-ARGUS
.
YUM Repository¶
Copy the
http://grid-deployment.web.cern.ch/grid-deployment/glite/repos/3.2/glite-ARGUS.repo
repository file into your local /etc/yum.repos.d
directory.
Packages Installation¶
To install and initially configure the service do the following: 1
Install the EUGridPMA trust anchors bundle:<br> yum install lcg-CA
1
If not already installed, install the Java VM OpenJDK 1.6:<br>
yum install java-1.6.0-openjdk
1 Install the glite-ARGUS
metapackage:<br> yum install glite-ARGUS
1 In your YAIM
site-info.def
configuration set at least the following variables:
- the
ARGUS_HOST
property to the hostname of the machine on which you are installing - the
PAP_ADMIN_DN
property to the subject DN of your user certificate. Allow the use thepap-admin
command - the
USERS_CONF
,GROUP_CONF
, andVOS
property to their appropriate values for your site 1 Configure theARGUS_server
node type with YAIM:<br>yaim -c -s site-info.def -n ARGUS_server
Example Configuration¶
Example site-info.def
for the ARGUS_server
node type:
#
# glite-ARGUS hostname
#
ARGUS_HOST=vesta.switch.ch
# users and groups
USERS_CONF=/opt/glite/yaim/etc/users.conf
GROUPS_CONF=/opt/glite/yaim/etc/groups.conf
# Supported VOs
VOS="dteam"
VO_DTEAM_VOMS_CA_DN="'/DC=ch/DC=cern/CN=CERN Trusted Certification Authority' '/DC=ch/DC=cern/CN=CERN Trusted Certification Authority' '/DC=ch/DC=cern/CN=CERN Trusted Certification Authority'"
VO_DTEAM_VOMSES="'dteam lcg-voms.cern.ch 15004 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch dteam 24' 'dteam voms.cern.ch 15004 /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch dteam 24' 'dteam lxbra2309.cern.ch 15002 /DC=ch/DC=cern/OU=computers/CN=lxbra2309.cern.ch dteam 24'"
# PAP administrator DN
PAP_ADMIN_DN="/DC=org/DC=acme/CN=John Doe"
At this point, you should have a running PAP, PDP, and PEP daemon.
Operation Environment¶
You should now have Argus installed.
Directories¶
There a few directories that you should be aware of:
/opt/argus/pap
contains the PAP component of Argus/opt/argus/pdp
contains the PDP component of Argus/opt/argus/pepd
contains the PEPd component of Argus/etc/grid-security/certificates
contains the CAs trusted by Argus/etc/grid-security/grid-mapfile
contains the mappings from DN/FQANs to local user accounts/etc/grid-security/groupmapfile
contains the mappings from FQANs to local groups/etc/grid-security/gridmapdir
contains grid user to local user account mappings/etc/grid-security/vomsdir
contains the VOMS servers trusted by Argus
Note, if you have an existing site and wish to use your existing account
mappings you can move your existing mappings over to the Argus host.
Simply tar your existing mappings
(tar -cf gridmap.tar /etc/grid-security/gridmapdir
) and then
transfer them over the Argus host and untar them
(tar -xf gridmap.tar
).
Endpoint URL¶
Argus is a network service. Like other network services you should ensure that your network settings only allow anticipated clients communicate with the service.
- Argus 1.1 enables by default client authentication on the service endpoint, therefore the endpoint URL scheme is now HTTPS.
- Client applications must be able to contact the service port 8154
- Example Argus 1.1 endpoint URL (with client authN):
https://argus.example.org:8154/authz
- All other ports (8150-8153) should only be accessible within the Argus service host itself.
Starting/Stopping the Services¶
To start/stop the PAP you can use the command
/etc/init.d/pap-standalone start|stop
.
To start/stop the PDP you can use the command
/etc/init.d/pdp start|stop
. You can also force a reload of the
policies, retrieved from the PAP, with /etc/init.d/pdp reloadpolicy
.
To start/stop the PEPd you can use the command
/etc/init.d/pepd start|stop
. You can also clear the responses cache
with /etc/init.d/pepd clearcache
.
You should always start the PAP before the PDP or else the PDP will not be to retrieve its policy from the PAP.
Installation is now complete, proceed to setting up your site policies.
Global Banning Configuration¶
The following are the required steps to make your Argus server import the global grid banning policies. These policies are maintained by OSCT / EGI CSIRT. The server is located at CERN.
Notice that in following the steps below you will be trusting the global banning server and its policies, so that e.g. users banned by the OSCT / EGI CSIRT will also be rejected at your site as a result.
The pap-admin
command is normally installed in
/opt/argus/pap/bin
Add the Global Banning PAP server from CERN as a remote PAP:
pap-admin add-pap centralbanning argus.cern.ch
"/DC=ch/DC=cern/OU=computers/CN=argus.cern.ch"
The CERN PAP is now listed but is by default still disabled.
pap-admin enable-pap centralbanning
The CERN PAP is now enabled.
pap-admin set-paps-order centralbanning default
The CERN PAP policies are now parsed before the local policies, so that e.g. a user banned by OSCT is immediately rejected. This step is important as only with this order can black listing work.
pap-admin refresh-cache centralbanning
The local pap cache, comprising also the CERN policies, is refreshed and
the new policies are made available. The policies are then fetched
automatically by the server every polling interval
seconds or
manually when the a refresh-cache
command is sent to the server.
%META:TOPICMOVED{by=”ad968f62f612332eff6b” date=”1271340916” from=”EGEE.AuthzQSYaimInstall” to=”EGEE.AuthzQSYumYaimInstall”}%