RGMA
From SysadminWiki
RGMA checks
To check that everything is fine with RGMA there are two RGMA commands, described on this RGMA page (https://twiki.cern.ch/twiki/bin/view/EGEE/RGMATrouble).
rgma-server-check
This command checks that the RGMA servers are OK. The following is the correct output:

    rgma-server-check

    *** Running R-GMA server tests on my-mon-box.my-domain ***

    Checking Tomcat is running on the local machine...
    Successfully connected to Tomcat.
    Java VM version: 1.4.2_08 (OK)
    Connecting to https://lcgic01.gridpp.rl.ac.uk:8443/R-GMA/SchemaServlet...
    Successfully connected to Schema.
    Using PongServlet (1) on https://lcgic01.gridpp.rl.ac.uk:8443/R-GMA/PongServlet.
    Using certificate /var/lib/tomcat5/conf/hostcert.pem.
    Using key /var/lib/tomcat5/conf/hostkey.pem.
    Checking other servlets...
    Connecting to https://my-mon-box.my-domain:8443/R-GMA/PrimaryProducerServlet:OK
    Checking clock synchronization: OK
    Connecting to https://my-mon-box.my-domain:8443/R-GMA/SecondaryProducerServlet:OK
    Checking clock synchronization: OK
    Connecting to https://my-mon-box.my-domain:8443/R-GMA/OnDemandProducerServlet:OK
    Checking clock synchronization: OK
    Connecting to https://my-mon-box.my-domain:8443/R-GMA/ConsumerServlet:OK
    Connecting to streaming port 8088 on my-mon-box.my-domain:OK
    Checking clock synchronization: OK

    *** R-GMA server test successful ***
rgma-client-check
To run rgma-client-check you need a proxy, so you should run it from your UI. The following is good output:

    rgma-client-check

    *** Running R-GMA client tests on my-ui.my-domain ***

    Checking C API: Success
    Checking C++ API: Success
    Checking CommandLine API: Success
    Checking Java API: Success
    Checking Python API: Success

    *** R-GMA client test successful ***
RGMA Errors
RGMA-host-cert-valid
You might receive a ticket from the COD saying that your site is failing the RGMA tests (which affects Apel (http://www.sysadmin.hep.ac.uk/wiki/Apel)) with the following error:
*RGMA-host-cert-valid* is failing on my-mon-box.my-domain (site: MY-SITE-NAME)
So you need to check that your certificates:
- have the right permissions
- are still valid
The RGMA machine (or Mon box) has 3 copies of hostcert.pem and hostkey.pem, and you need to check them all.
Permission checks
An easy way to find them and check their permissions is to use the locate (http://www.linfo.org/locate.html) command. For example:

    my-mon-box> ls -l `locate host|grep pem`
    -rw-r--r--  1 root    root    2372 Dec 19  2006 /etc/grid-security/hostcert.pem
    -r--------  1 root    root    1869 Dec 19  2006 /etc/grid-security/hostkey.pem
    -rw-r--r--  1 tomcat4 tomcat4 2372 Dec 19  2006 /etc/tomcat5/hostcert.pem
    -rw-------  1 tomcat4 tomcat4 1869 Dec 19  2006 /etc/tomcat5/hostkey.pem
    -rw-r--r--  1 rgma    rgma    2372 Dec 19  2006 /opt/glite/var/rgma/.certs/hostcert.pem
    -rw-------  1 rgma    rgma    1869 Dec 19  2006 /opt/glite/var/rgma/.certs/hostkey.pem
Validity checks
If you want to check the ending date (which should be the same for all of them) you can still use locate on the hostcert.pem and openssl (http://www.openssl.org/docs/apps/openssl.html):

    my-mon-box> for a in `locate hostcert.pem`; do echo -n "$a: "; openssl x509 -noout -enddate -in $a; done
    /etc/grid-security/hostcert.pem: notAfter=Apr 20 16:15:45 2008 GMT
    /etc/tomcat5/hostcert.pem: notAfter=Apr 20 16:15:45 2008 GMT
    /opt/glite/var/rgma/.certs/hostcert.pem: notAfter=Apr 20 16:15:45 2008 GMT
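The permission and validity checks above can be combined into one script that visits all three copies. This is an added example, not part of the original wiki page: the function names, the `--audit` switch, the 30-day warning window and the rule "key readable by owner only, certificate not writable by group/other" (read off the listing above) are assumptions. It uses fixed paths, so it does not depend on the locate database being current.

```shell
#!/bin/sh
# Added example (not from the wiki): audit every hostcert.pem/hostkey.pem copy.
# Default directories are the three from the listing above; set CERT_DIRS to override.
CERT_DIRS="${CERT_DIRS:-/etc/grid-security /etc/tomcat5 /opt/glite/var/rgma/.certs}"
WARN_DAYS="${WARN_DAYS:-30}"   # assumed early-warning window, not from the page

# True only if group and other have no access (-r-------- or -rw-------).
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# True if neither group nor other can write the certificate (e.g. -rw-r--r--).
cert_not_writable_by_others() {
    [ "$(ls -ld -- "$1" | cut -c6,9)" = "--" ]
}

# True if the certificate parses and is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Prints one line per problem; returns non-zero if any copy fails a check.
audit_certs() {
    rc=0; first_fp=
    for d in $CERT_DIRS; do
        cert=$d/hostcert.pem; key=$d/hostkey.pem
        if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
            echo "MISSING  $d"; rc=1; continue
        fi
        key_is_private "$key" || { echo "PERMS    $key: group/other have access"; rc=1; }
        cert_not_writable_by_others "$cert" || { echo "PERMS    $cert: writable by group/other"; rc=1; }
        cert_valid_for "$cert" 0 || { echo "EXPIRED  $cert (or unreadable)"; rc=1; }
        cert_valid_for "$cert" "$WARN_DAYS" || echo "WARNING  $cert: expires within $WARN_DAYS days"
        # All copies should be the same certificate, so compare fingerprints.
        fp=$(openssl x509 -noout -fingerprint -in "$cert" 2>/dev/null) || fp="unreadable:$cert"
        [ -n "$first_fp" ] || first_fp=$fp
        [ "$fp" = "$first_fp" ] || { echo "DIFFERS  $cert: not the same certificate as the first copy"; rc=1; }
    done
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_certs
    exit $?
fi
```

Run it as root with `--audit`; no output and exit status 0 means every copy passed.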
ADDITIONAL NOTES
locate (http://www.linfo.org/locate.html) is the quickest way to check if a file is on your file system. However, it is so fast because it reads from a database. The database needs to be refreshed periodically to match the file system. Normally there is a cron job installed to do that once a day, but if it is not there you can do it by hand by running updatedb as root. locate will warn you if the DB is older than 8 days.
RGMA links
- RGMA solutions from LCG trouble shooting guide
