UMD Certificate Vendor Link
Log in at the link above and request a new grid SSL host certificate. The request requires a CSR file.
On the SE, CE and gridftp machines, change to the certificate directory and create the certificate CSR and key files:
cd /data/site_conf/certs/DIGICERT-2019/
CSR/key generation (once on a new machine, not every year)
openssl req -new -newkey rsa:2048 -nodes -out hepcms-ce2_umd.edu.csr -keyout hepcms-ce2.umd.edu.key -subj "/C=us/ST=CO/L=College Park/O=University of Maryland/OU=Physics/CN=hepcms-0.umd.edu/emailAddress=jabeen@umd.edu"
openssl req -new -newkey rsa:2048 -nodes -out hepcms-se2_umd.edu.csr -keyout hepcms-se2.umd.edu.key -subj "/C=us/ST=CO/L=College Park/O=University of Maryland/OU=Physics/CN=hepcms-1.umd.edu/emailAddress=jabeen@umd.edu"
openssl req -new -newkey rsa:2048 -nodes -out hepcms-gridftp2_umd.edu.csr -keyout hepcms-gridftp2.umd.edu.key -subj "/C=us/ST=CO/L=College Park/O=University of Maryland/OU=Physics/CN=hepcms-gridftp.umd.edu/emailAddress=jabeen@umd.edu"
Use above keys to
more hepcms-1.umd.edu.csr
#Copy and paste this into the above website. All the other fields are filled in automatically. Order the certificate and wait for approval. Once you have it, download the file, copy it to the /data/site_conf/cert/nnnn/ directory and copy the relevant files to /etc/grid-security on all three machines.
#Make sure they have the correct permissions. On hepcms-se (hepcms-0) (this is for both SE and xrootd):
cp /data/site_conf/certs/DIGICERT-2019/hepcms-0_umd.edu.csr .
cp /data/site_conf/certs/DIGICERT-2019/hepcms-0_umd_edu_14042245/hepcms-0_umd_edu.crt .
cp /data/site_conf/certs/DIGICERT-2019/hepcms-0_umd_edu_14042245/DigiCertCA.crt .
cp /data/site_conf/certs/DIGICERT-2019/hepcms-0.umd.edu.key .
cp hepcms-0.umd.edu.key hostkey.pem
cp hepcms-0_umd_edu.crt hostcert.pem
chmod 444 hostcert.pem
chmod 400 hostkey.pem
#stay in this directory; the xrd/ paths below are relative to it
cp hostkey.pem xrd/xrdkey.pem
cp hostcert.pem xrd/xrdcert.pem
chmod 444 xrd/xrdcert.pem
chmod 400 xrd/xrdkey.pem
#check the dates and that the cert matches the key
# login hepcms-ce2; cd to /etc/grid-security and check the certificates
ssh root@hepcms-ce2
cd /etc/grid-security
openssl x509 -in hostcert.pem -subject -issuer -dates -noout
Output:
subject= /DC=org/DC=incommon/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=CMNS/CN=hepcms-ce2.umd.edu
issuer= /C=US/O=Internet2/OU=InCommon/CN=InCommon IGTF Server CA
notBefore=Jan 4 00:00:00 2021 GMT
notAfter=Feb 3 23:59:59 2022 GMT
# Check the keys match, output from hostcert and hostkey should match.
openssl x509 -noout -modulus -in hostcert.pem | openssl md5
Output:
(stdin)= 9661be505150c4c6c8a4dba44877cd70
openssl rsa -noout -modulus -in hostkey.pem | openssl md5
Output:
(stdin)= 9661be505150c4c6c8a4dba44877cd70
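The checks above (validity dates, certificate/key match) and the file modes set during installation, combined into one function; this is an added example, not part of the original instructions. The names check_hostcert and make_sample, the 30-day threshold and the throwaway self-signed pair are assumptions, and it compares public keys rather than RSA moduli, which also covers non-RSA keys.

```bash
#!/bin/bash
# Added example, not part of the original runbook.

# check_hostcert DIR [MIN_DAYS]
# Returns 0 only if DIR/hostcert.pem and DIR/hostkey.pem belong together,
# the certificate stays valid for MIN_DAYS more days (default 30, an
# assumed threshold), and the modes are 444 (cert) and 400 (key).
check_hostcert() {
    hc_cert="$1/hostcert.pem"; hc_key="$1/hostkey.pem"; hc_rc=0

    # Compare public keys: same idea as the modulus/md5 check, but it
    # also works for EC keys. An unreadable file yields an empty string.
    hc_pub_cert=$(openssl x509 -in "$hc_cert" -noout -pubkey 2>/dev/null)
    hc_pub_key=$(openssl pkey -in "$hc_key" -pubout 2>/dev/null)
    if [ -z "$hc_pub_cert" ] || [ "$hc_pub_cert" != "$hc_pub_key" ]; then
        echo "FAIL: certificate and key do not match"; hc_rc=1
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$hc_cert" -noout \
            -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within ${2:-30} days"; hc_rc=1
    fi

    # File modes as set with chmod in the installation steps (GNU stat).
    [ "$(stat -c %a "$hc_cert" 2>/dev/null)" = 444 ] ||
        { echo "FAIL: hostcert.pem mode is not 444"; hc_rc=1; }
    [ "$(stat -c %a "$hc_key" 2>/dev/null)" = 400 ] ||
        { echo "FAIL: hostkey.pem mode is not 400"; hc_rc=1; }
    return $hc_rc
}

# make_sample DIR CN [DAYS]: constructed throwaway self-signed pair,
# used only to exercise the function offline.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "${3:-365}" \
        -subj "/CN=$2" -keyout "$1/hostkey.pem" -out "$1/hostcert.pem" 2>/dev/null
    chmod 400 "$1/hostkey.pem"; chmod 444 "$1/hostcert.pem"
}

demo=$(mktemp -d)
make_sample "$demo" host.example.org
check_hostcert "$demo" 30 && echo "OK: all checks passed"
rm -rf "$demo"
```

On a real host the call would be check_hostcert /etc/grid-security, run before restarting the services.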
#on hepcms-ce2.umd.edu
systemctl status condor-ce
systemctl restart condor-ce
#on hepcms-se2.umd.edu
systemctl status xrootd@clustered
systemctl restart xrootd@clustered
systemctl status xrootd@clustered
systemctl status cmsd@clustered
systemctl restart cmsd@clustered
systemctl status cmsd@clustered
#Same for SE and hepcms-gridftp2.umd.edu. Check that the services are working:
systemctl restart globus-gridftp-server
systemctl status globus-gridftp-server
Instructions to check whether the certificate installation was successful.
Do the following from a personal account.
export VO_CMS_SW_DIR=/cvmfs/cms.cern.ch/
. $VO_CMS_SW_DIR/cmsset_default.sh
mkdir dummy
cd dummy
cmsrel CMSSW_10_6_15
cd CMSSW_10_6_15/src/
cmsenv
source /cvmfs/cms.cern.ch/crab3/crab.sh
voms-proxy-init -voms cms
crab checkwrite --site=T3_US_UMD
Checkwrite Result:
[bhatti@hepcms-in1 src]$ crab checkwrite --site=T3_US_UMD
Will check write permission in the default location /store/user/<username>
Validating LFN /store/user/bhatti...
LFN /store/user/bhatti is valid.
Will use `gfal-copy`, `gfal-rm` commands for checking write permissions
Will check write permission in /store/user/bhatti on site T3_US_UMD
Will use PFN: davs://hepcms-se.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/crab3checkwrite_20220926_110455.tmp
Attempting to create (dummy) directory crab3checkwrite_20220926_110455 and copy (dummy) file crab3checkwrite_20220926_110455.tmp to /store/user/bhatti
Executing command: which scram >/dev/null 2>&1 && eval `scram unsetenv -sh`; gfal-copy -p -v -t 180 file:///home/bhatti/cmssoft/CMSSW_10_6_15/src/crab3checkwrite_20220926_110455.tmp 'davs://hepcms-se2.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/crab3checkwrite_20220926_110455.tmp'
Please wait...
Successfully created directory crab3checkwrite_20220926_110455 and copied file crab3checkwrite_20220926_110455.tmp to /store/user/bhatti
Attempting to delete file davs://hepcms-se.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/crab3checkwrite_20220926_110455.tmp
Executing command: which scram >/dev/null 2>&1 && eval `scram unsetenv -sh`; gfal-rm -v -t 180 'davs://hepcms-se.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/crab3checkwrite_20220926_110455.tmp'
Please wait...
Successfully deleted file davs://hepcms-se.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/crab3checkwrite_20220926_110455.tmp
Attempting to delete directory davs://hepcms-se2.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/
Executing command: which scram >/dev/null 2>&1 && eval `scram unsetenv -sh`; gfal-rm -r -v -t 180 'davs://hepcms-se2.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/'
Please wait...
Successfully deleted directory davs://hepcms-se2.umd.edu:1094/store/user/bhatti/crab3checkwrite_20220926_110455/
Checkwrite Result:
Success: Able to write in /store/user/bhatti on site T3_US_UMD
Check xrdfs
xrdfs root://hepcms-se2.umd.edu:1094/ ls /store/test/xrootd/T3_US_UMD/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000/
Output:
/store/test/xrootd/T3_US_UMD/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000//A64CCCF2-5C76-E711-B359-0CC47A78A3F8.root
/store/test/xrootd/T3_US_UMD/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000//AE237916-5D76-E711-A48C-FA163EEEBFED.root
/store/test/xrootd/T3_US_UMD/store/mc/SAM/GenericTTbar/AODSIM/CMSSW_9_2_6_91X_mcRun1_realistic_v2-v1/00000//CE860B10-5D76-E711-BCA8-FA163EAA761A.root