EMI3 WMS
Release notes.
This is a clean install on CentOS 6.4 using the initial EMI3 release of the WMS software. The LB (Logging and Bookkeeping server) is installed on a different machine.
(1) Repos and Software
CAs:
wget http://repository.egi.eu/sw/production/cas/1/current/repo-files/EGI-trustanchors.repo -O /etc/yum.repos.d/EGI-trustanchors.repo
yum install ca-policy-egi-core
yum install yum-protectbase
yum install yum-priorities
(yum-protectbase and yum-priorities are needed because the EMI repo files rely on the protect/priority flags to stop EPEL from overriding EMI packages.)
EPEL (the epel-release package ships the EPEL signing key and repo files with gpgcheck=1, so this rpm -i is the only unverified step):
wget http://www.nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -i epel-release-6-8.noarch.rpm
EMI3:
rpm --import http://emisoft.web.cern.ch/emisoft/dist/EMI/3/RPM-GPG-KEY-emi
wget http://emisoft.web.cern.ch/emisoft/dist/EMI/3/sl6/x86_64/base/emi-release-3.0.0-2.el6.noarch.rpm
yum localinstall emi-release-3.0.0-2.el6.noarch.rpm
yum clean all
yum install emi-wms argus-gsi-pep-callout emir-serp condor-emi
(2) Preliminaries
At this point, set the WMS to drain so it can be configured in peace: create the drain file /var/.drain (touch /var/.drain) and remove it when done.
SELinux still doesn't work properly with this software, so turn it off for now (pah):
setenforce 0
Note that setenforce 0 only switches to permissive mode until the next reboot; the persistent setting lives in /etc/selinux/config. Permissive is the better choice here anyway: denials are still logged to /var/log/audit/audit.log, so whatever the WMS trips over can be turned into a policy later instead of leaving SELinux off for good.
(3) Host certs
I haven't yet checked whether I still need SL5 (OpenSSL 0.9.8e) to convert the host certs, as I have been reusing the ones from the previous SL5 install.
(openssl pkcs12 -clcerts -nokeys -out hostcert.pem -in wms02.p12
openssl pkcs12 -nocerts -nodes -out hostkey.pem -in wms02.p12 )
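Added worked example for the two pkcs12 commands above; this is my script, not part of the original notes or of the EMI software. It splits the bundle the same way, writes the key under a restrictive umask so it is never world-readable, checks that the certificate and key actually belong together (a mismatched pair only shows up at the first TLS handshake otherwise), and reports whether the certificate is about to expire. The bundle name, password and output directory are assumptions; the throw-away self-signed credential is constructed for the demo only and is not a real host certificate.

```shell
#!/bin/sh
# Split a PKCS#12 host credential into hostcert.pem / hostkey.pem, the pair the
# grid middleware expects under /etc/grid-security/, and verify it before use.
# Example code, not from the original page or the EMI project.
set -eu

# key_matches_cert <cert.pem> <key.pem>: 0 if the key's public half equals the
# certificate's public key, 1 otherwise.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days <cert.pem> <days>: 0 if the certificate will still be
# valid in <days> days, 1 if it expires before then.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# split_p12 <bundle.p12> <outdir> [password]: write hostcert.pem (0644) and
# hostkey.pem (0400) into <outdir>; fails if the pair does not match.
split_p12() {
    bundle=$1; outdir=$2; pass=${3:-}
    mkdir -p "$outdir"
    (   # umask 077 in a subshell: the key file is never created world-readable
        umask 077 &&
        openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pass" \
            -out "$outdir/hostcert.pem" &&
        openssl pkcs12 -in "$bundle" -nocerts -nodes -passin "pass:$pass" \
            -out "$outdir/hostkey.pem"
    ) || return 1
    chmod 644 "$outdir/hostcert.pem"
    chmod 400 "$outdir/hostkey.pem"
    key_matches_cert "$outdir/hostcert.pem" "$outdir/hostkey.pem"
}

# make_test_bundle <dir> <password>: constructed self-signed credential for the
# demo/test only; a real host cert comes from the CA, not from here.
make_test_bundle() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=wms02.example.invalid" \
        -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$dir/test.crt" -inkey "$dir/test.key" \
        -passout "pass:$pass" -out "$dir/test.p12"
}

# Demo: build a throw-away bundle, split it, verify it, check expiry.
d=$(mktemp -d)
make_test_bundle "$d" demo
if split_p12 "$d/test.p12" "$d/grid-security" demo; then
    echo "hostcert.pem and hostkey.pem written and verified"
fi
cert_valid_for_days "$d/grid-security/hostcert.pem" 30 || echo "certificate expires within 30 days"
rm -rf "$d"
```

Services that run as a non-root user need their own copy of the pair with matching ownership; this script only produces the root-owned pair.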
(4) Configuration
Needs: siteinfo.def, users.conf, groups.conf and the vo.d directory.
export GLITE_LB_MSG_BROKER=false
/opt/glite/yaim/bin/yaim -d6 -c -s /opt/glite/yaim/siteinfo/siteinfo-wms02.def -n WMS
/opt/glite/yaim/examples/edgusers.conf: change the infosys group, as gid 156 is already taken on this system; otherwise yaim fails with:
Executing... groupadd -g 156 infosys
ERROR: Group infosys with gid '156' failed to be created.
The glite user specified in the same file is ignored, though.
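Added pre-flight check for the gid clash above; my script, not part of yaim or the original notes. It reads a users.conf/edgusers.conf-style file (assumed format UID:LOGIN:GID:GROUP:VO:FLAG:, with comma-separated GID/GROUP lists) and compares every uid, login, gid and group name against the passwd and group files before yaim tries to create them. The sample entries, passwd and group lines are constructed for the example; the local account "localsvc" sitting on 156 is an invented stand-in for whatever owns that id on the real machine.

```shell
#!/bin/sh
# Find uid/gid clashes between a yaim users.conf and the system's passwd/group
# files before running yaim. Example code, not from yaim or the original page.
set -eu

# check_yaim_ids <users.conf> <passwd-file> <group-file>
# Prints one line per clash; exits 1 if any clash was found, 0 otherwise.
check_yaim_ids() {
    awk -F: -v pw="$2" -v gr="$3" '
        BEGIN {
            # index the existing accounts both ways: by id and by name
            while ((getline line < pw) > 0) { split(line, f, ":"); uid_owner[f[3]] = f[1]; login_uid[f[1]] = f[3] }
            while ((getline line < gr) > 0) { split(line, f, ":"); gid_owner[f[3]] = f[1]; group_gid[f[1]] = f[3] }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            uid = $1; login = $2
            n = split($3, gids, ","); split($4, groups, ",")
            if ((uid in uid_owner) && uid_owner[uid] != login)
                { printf "uid %s wanted for %s is taken by %s\n", uid, login, uid_owner[uid]; bad++ }
            if ((login in login_uid) && login_uid[login] != uid)
                { printf "user %s exists with uid %s, not %s\n", login, login_uid[login], uid; bad++ }
            for (i = 1; i <= n; i++) {
                if ((gids[i] in gid_owner) && gid_owner[gids[i]] != groups[i])
                    { printf "gid %s wanted for %s is taken by %s\n", gids[i], groups[i], gid_owner[gids[i]]; bad++ }
                if ((groups[i] in group_gid) && group_gid[groups[i]] != gids[i])
                    { printf "group %s exists with gid %s, not %s\n", groups[i], group_gid[groups[i]], gids[i]; bad++ }
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample input (not real site data).
sample_users_conf() { cat <<'EOF'
# UID:LOGIN:GID:GROUP:VO:FLAG:
150:edguser:150:edguser:::
151:glite:151:glite:::
156:infosys:156:infosys:::
20001:dteam001:20001,20000:dteam,dteamgrp:dteam::
EOF
}
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
localsvc:x:156:156:Local service:/var/lib/localsvc:/sbin/nologin
edguser:x:150:150::/home/edguser:/bin/bash
EOF
}
sample_group() { cat <<'EOF'
root:x:0:
localsvc:x:156:
edguser:x:150:
dteam:x:20001:
EOF
}

# Demo on the constructed data; on a real host pass /etc/passwd and /etc/group.
d=$(mktemp -d)
sample_users_conf > "$d/users.conf"; sample_passwd > "$d/passwd"; sample_group > "$d/group"
check_yaim_ids "$d/users.conf" "$d/passwd" "$d/group" || echo "fix users.conf before running yaim"
rm -rf "$d"
```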
(5) Open ports
see also here
iptables and ip6tables:
# WMS
-A INPUT -p tcp --dport 20000:25000 -j ACCEPT
-A INPUT -p tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp --dport 2811 -j ACCEPT
-A INPUT -p tcp --dport 2170 -j ACCEPT
-A INPUT -p tcp --dport 9000:9003 -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp --dport 5120 -j ACCEPT
-A INPUT -p tcp --dport 9618 -j ACCEPT
-A INPUT -p udp --dport 9618 -j ACCEPT
# WMS end
(6) Test the bdii
add SLAPD: ALL to /etc/hosts.allow (this opens slapd to every host at the tcp_wrappers level; the BDII on 2170 is meant to be readable by the site and top-level BDIIs, so narrow it to those hosts if the firewall does not already)
[root@wms02 var]# /usr/bin/ldapsearch -x -H ldap://wms02.grid.hep.ph.ic.ac.uk:2170 -b o=glue | grep Implementation
GLUE2EndpointImplementationVersion: package glite-wms-wmproxy is not installed
GLUE2EndpointImplementationName: WMS
The implementation version is not reported correctly yet; see GGUS ticket 92464.
(7) Banning troublesome CEs
nslookup [ipaddress] (check the reverse lookup so we ban the right host)
route add -host [ipaddress] reject
This null-routes all traffic from the WMS to that host, not just job submission, and it does not survive a reboot.
lift the ban: route del -host [ipaddress] reject
(8) See what our users are up to
Count the WMProxy operations called by one user; pick a distinctive part of their certificate DN. The -B 3 is needed because the 'Called Operation' line precedes the DN line in the log:
grep -B 3 'some meaningful part of cert here' /var/log/wms/wmproxy.log | grep 'Called Operation' | awk '{ print $NF }' | sort | uniq -c
queryDb -u -v | sort | uniq -c
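Added example generalising the grep -B 3 pipeline above to a one-pass, per-user breakdown of WMProxy operations for every DN in the log; my script, not from the original notes or the WMS package. The log lines in sample_log are constructed for the example: the real wmproxy.log layout may differ, so the two patterns assumed here (an operation line whose last field is the operation name, followed within three lines by a line carrying the caller's DN, with no slash before the DN) are assumptions to adjust against a real log.

```shell
#!/bin/sh
# Per-user count of WMProxy operations from wmproxy.log in a single awk pass.
# Example code, not from the original page or the EMI WMS project.
set -eu

# ops_per_user [logfile]: read the log (or stdin) and print
# "<count> <DN> <operation>" for each (DN, operation) pair, busiest first.
ops_per_user() {
    awk '
        # remember the operation and start counting lines since it was seen
        /Called Operation/ { op = $NF; age = 0; next }
        # the DN line follows within 3 lines (the grep -B 3 of the manual
        # pipeline); the DN starts at the first "/" on the line, so this
        # assumes the timestamp/prefix contains no slash
        /\/DC=|\/C=|\/O=/ && age < 3 && op != "" {
            dn = substr($0, index($0, "/"))
            count[dn "\t" op]++
            op = ""          # one DN per operation; do not double-attribute
        }
        { age++ }
        END {
            for (k in count) {
                split(k, f, "\t")
                printf "%d %s %s\n", count[k], f[1], f[2]
            }
        }
    ' "${1:--}" | sort -rn
}

# Constructed sample log, not a real wmproxy.log excerpt. The getVersion call
# has no DN line after it and is therefore not attributed to anyone.
sample_log() { cat <<'EOF'
10:00:01 -I- PID: 4101 - Called Operation: jobRegister
10:00:01 -I- PID: 4101 - User DN: /DC=uk/DC=ac/DC=hep/O=ic/CN=alice
10:00:02 -I- PID: 4102 - Called Operation: jobSubmit
10:00:02 -I- PID: 4102 - Delegation id: 1234
10:00:02 -I- PID: 4102 - User DN: /DC=uk/DC=ac/DC=hep/O=ic/CN=bob
10:00:05 -I- PID: 4103 - Called Operation: jobRegister
10:00:05 -I- PID: 4103 - User DN: /DC=uk/DC=ac/DC=hep/O=ic/CN=alice
10:00:09 -I- PID: 4104 - Called Operation: getVersion
10:00:09 -I- PID: 4104 - client did not present a DN, request rejected
10:00:10 -I- PID: 4105 - Called Operation: jobCancel
10:00:10 -I- PID: 4105 - User DN: /DC=uk/DC=ac/DC=hep/O=ic/CN=alice
EOF
}

# Demo on the constructed log; on the WMS run: ops_per_user /var/log/wms/wmproxy.log
sample_log | ops_per_user
```

Unlike the single-user grep, this shows at a glance which DN is hammering jobRegister, which is usually the question behind "see what our users are up to".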