  1. To install/replace the CERT on the IDC
    The steps to import the cert and key and update the user in the OSCARS webUI. This works for both .pem and .crt files.
    
    -- If cert is in a .pem file do this:
    openssl x509 -in yourcert.pem > yourhost.crt
    openssl rsa -in yourcert.pem -out yourhost.key
    
    -- Import the cert and key to the oscars.jks and localhost.jks to overwrite the previous entry
    [root@yourhost ~]# cd /opt/oscars/tools/bin/
    [root@yourhost bin]# ./idc-importkeypair -s /etc/oscars/keystores/oscars.jks -a mykey -k /rootpath to/yourhost.key -c /rootpath to/yourhost.crt -p changeit -O
    [root@yourhost bin]# ./idc-importkeypair -s /etc/oscars/keystores/localhost.jks -a mykey -k /rootpath to/yourhost.key -c /rootpath to/yourhost.crt -p changeit -O
    
    -- Retrieve the updated subject and issuer and update the Local IDC Account (yoursite-idc) in the OSCARS webUI: https://yourhost.edu:8443/OSCARS/
    keytool -printcert -file /rootpath to/yourhost.crt|egrep "Owner:|Issuer:"
    Owner: CN=<whatever is there>, OU=Services, DC=doegrids, DC=org
    Issuer: CN=DOEGrids CA 1, OU=Certificate Authorities, DC=DOEGrids, DC=org
    
    -- Copy the new cert and key to the proper places
    -- Make sure permissions are 644
    cp /rootpath to/yourhost.crt /etc/pki/tls/certs
    cp /rootpath to/yourhost.key /etc/pki/tls/private
    
    -- Update the new cert and key locations in the relevant places (if they've changed)
    /etc/oess/database.xml
    /etc/httpd/conf.d/ssl.conf
    
    -- Restart OSCARS
    service oscars restart
    -- Restart HTTPD
    service httpd restart
    -- Restart OESS (may not be necessary)
    service oess restart
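
A check worth running before the `idc-importkeypair ... -O` overwrite in item 1, as an added example that is not part of the original page or the OSCARS tools: it confirms that the extracted key belongs to the certificate and that the certificate has not expired. The function name `check_pair` is made up here, and the key is assumed to be unencrypted, as written by the `openssl rsa ... -out` step.

```sh
#!/bin/sh
# Added example, not part of the OSCARS tools: pre-import check for the
# yourhost.crt / yourhost.key pair produced by the openssl commands above.

# check_pair CERT KEY
#   0 = key matches cert and cert is still valid
#   1 = public keys differ (wrong key for this cert)
#   2 = a file could not be parsed by openssl
#   3 = certificate has already expired
check_pair() {
    crt=$1
    key=$2

    # Public key (SubjectPublicKeyInfo, PEM) taken from the certificate ...
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    # ... and the one derived from the private key (works for RSA and EC).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2

    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the private key for $crt" >&2
        return 1
    fi

    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $crt" >&2
        return 3
    fi

    # Subject and issuer are the values entered for the Local IDC Account.
    openssl x509 -in "$crt" -noout -subject -issuer -enddate
}

# Usage (paths are placeholders):
#   check_pair /path/to/yourhost.crt /path/to/yourhost.key && echo "ok to import"
```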
    
  2. To install/replace the CERT on the FDT server
    The cert and the key are stored under:
        /home/dynes/FDTAgent/conf/OSCARS.jks
    
    To import a new certificate and the key:
    1) Go to /home/dynes/FDTAgent/bin
    2) Import the certs using the `dynesfdt cert` command:
    
    ./dynesfdt cert -import -key </path/to/private/key> -cert </path/to/cert>
    
    The certs will be imported into a new file
      (in case the user wants to back up the previous one):
    
    /home/dynes/FDTAgent/conf/OSCARS.jks.NEW
    
    This file must be copied over:
    /home/dynes/FDTAgent/conf/OSCARS.jks
    
    3) To list the certificate currently installed in the OSCARS.jks file:
    ./dynesfdt cert
    
    should print the certificate and the validity.
    
    
  3. Stuck circuit creation
  4. Circuits that don’t terminate
  5. Instructions on how to interact with the database
  6. Error in signature with X509Token
        log into your OSCARS UI: https://idc.net.<site>.edu:8443/OSCARS/
        lookup the reservation
        examine the error message.
    
  7. Can't access both the IDC and FDT iDRAC using Firefox. This is because all Dell iDRACs use the same cert serial number. Firefox (for some reason) doesn't allow this error to be ignored, so you can't continue. The workaround is to delete the certs from the first iDRAC accessed or to use another browser. Details on removing the certs can be found here.
  8. Mistakenly "Decommissioned" the switch
    # mysql -u root -p
    Enter password: <enter mysql root password>
    mysql> use oess;
    mysql> select * from node; <- Your switch will likely be node=1
    
    Decommissioning the device sets an end_epoch for it in the node_instantiation table. You must log in to mysql as root.
    
    mysql> select * from node_instantiation;
    +---------+------------+-------------+----------------------+-------------+-----------------+
    | node_id | end_epoch  | start_epoch | management_addr_ipv4 | admin_state | dpid            |
    +---------+------------+-------------+----------------------+-------------+-----------------+
    |       1 | 1376100241 |  1374712867 |           2170417085 | active      | 281483173139793 |
    +---------+------------+-------------+----------------------+-------------+-----------------+
    1 row in set (0.00 sec)
    
    Set the end_epoch to -1 and it'll be active.
    
    mysql> update node_instantiation set end_epoch =-1 where node_id =1;
    Query OK, 1 row affected (0.04 sec)
    Rows matched: 1 Changed: 1 Warnings: 0
    
    mysql> select * from node_instantiation;
    +---------+------------+-------------+----------------------+-------------+-----------------+
    | node_id | end_epoch  | start_epoch | management_addr_ipv4 | admin_state | dpid            |
    +---------+------------+-------------+----------------------+-------------+-----------------+
    |       1 |         -1 |  1374712867 |           2170417085 | active      | 281483173139793 |
    +---------+------------+-------------+----------------------+-------------+-----------------+
    1 row in set (0.00 sec)
    
  9. Reported by MAX
    Problem:
    -- Decommissioned the node
    -- Lost the node and could not rediscover
    -- Deleted oess database
    -- Reran oess_setup.pl to restore database to clean state
    -- Discovered and re-added the node and all interfaces
    -- re-add remote link and click "Submit Topology"
    
    This didn't re-submit the topology
    
    I believe the correct steps are:
    -- Go to the 'admin' page
    -- Click 'Workgroups' then choose 'OSCARS IDC'
    -- Add new interfaces in "Allowed Edge Ports"
    -- Click "Remote Links" then click "Submit Topology"
    
  10. Change IDC peer link
    -- First display the current IDC peer
    # ./oscars-idclist
    
    -- This will list Location: under Protocols: and domain= under Relationships:
    -- Example output for Internet2 as the current peer
    --
    ID: 1
    Type: IDC
    Expiration: NEVER
    Protocols:
        Type: http://oscars.es.net/OSCARS/06
        Location: https://ion.net.internet2.edu:9001/OSCARS
    Relationships:
        [controls] urn:ogf:network:domain=ion.internet2.edu
    
    ID: 2
    Type: IDC
    Expiration: NEVER
    Protocols:
        Type: http://oscars.es.net/OSCARS/06
        Location: https://ion.net.internet2.edu:9001/OSCARS
    Relationships:
        [controls] urn:ogf:network:domain=ion.internet2.edu
    
    --
    -- Now delete the current peer specifying -d and -l from the above output for your site
    --
    #  /opt/oscars/lookup/bin/oscars-idcdel
    ./oscars-idcdel
    A domain must me specified
    Option                                  Description
    ------                                  -----------
    -c, --context                           context in which to run the client
    -d, --domain                            required. the domain with the IDC to
                                              delete
    -h, --help                              prints this help screen
    -u, --url                               the URL of the OSCARS lookup module to
                                              contact
    --
    -- Now add the new peer
    --
    /opt/oscars/lookup/bin/oscars-idcadd
    A domain must me specified
    Option                                  Description
    ------                                  -----------
    -c, --context                           context in which to run the client
    -d, --domain                            required. the domain to add
    -h, --help                              prints this help screen
    -l, --location                          required. the URL of the IDC
    -p, --protocol                          the protocol spoken by the IDC. May be
                                              OSCARS5, OSCARS6, or a namespace
                                              URL. Defaults to OSCARS6.
    -u, --url                               the URL of the OSCARS lookup module to
                                              contact
    
    --
    -- Sample (use this to add Internet2's ION as a peer)
    --
    /opt/oscars/lookup/bin/oscars-idcmod -d ion.internet2.edu -l https://ion.net.internet2.edu:9001/OSCARS
    
    Note: The new peer must also do oscars-idcadd or equivalent. If Internet2 is being added as a peer please contact the Internet2 NOC giving your location and domain information along with your X.509 certificate Subject and Issuer. This must be a signed certificate if peering with Internet2.
    
    --
    -- To modify a current peer's information.
    --
    # /opt/oscars/lookup/bin/oscars-idcmod
    A domain must me specified
    Option                                  Description
    ------                                  -----------
    -c, --context                           context in which to run the client
    -d, --domain                            required. the domain with the IDC to
                                              modify
    -h, --help                              prints this help screen
    -l, --location                          the URL of the IDC
    -p, --protocol                          the protocol spoken by the IDC. May be
                                              OSCARS5, OSCARS6, or a namespace
                                              URL. Defaults to OSCARS6.
    -u, --url                               the URL of the OSCARS lookup module to
                                              contact
    
  11. Errors due to OSCARS not being able to access localhost.jks or oscars.jks
    -- Make sure both files are owned by the id oscars
    # ll /etc/oscars/keystores/
    total 32
    -rw------- 1 oscars oscars 7083 Feb  4 19:30 localhost.jks
    -rw------- 1 oscars oscars 7083 Jan 17 16:48 oscars.jks
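
The ownership and mode shown in item 11 can be checked mechanically, for instance after the root-run `idc-importkeypair` commands in item 1. This is an added example, not part of OSCARS; the function names `keystore_ok` and `check_oscars_keystores` are made up here, and the defaults are the path and owner shown on this page.

```sh
#!/bin/sh
# Added example, not part of OSCARS: verify the keystore ownership and mode
# that item 11 calls for.

# keystore_ok FILE OWNER
#   0 = FILE is owned by OWNER, owner-readable, no group/other access
#   1 = wrong owner or mode
#   2 = FILE missing
keystore_ok() {
    ks_file=$1
    ks_want=$2
    [ -f "$ks_file" ] || { echo "$ks_file: missing" >&2; return 2; }

    # Parse the same "ls -l" columns as the listing: mode, links, owner.
    ks_line=$(ls -ld "$ks_file") || return 2
    # Keep 10 characters so a trailing SELinux "." or ACL "+" is ignored.
    ks_mode=$(printf '%s\n' "$ks_line" | awk '{print substr($1, 1, 10)}')
    ks_owner=$(printf '%s\n' "$ks_line" | awk '{print $3}')

    ks_rc=0
    if [ "$ks_owner" != "$ks_want" ]; then
        echo "$ks_file: owned by $ks_owner, expected $ks_want" >&2
        ks_rc=1
    fi
    case $ks_mode in
        -r??------) ;;   # e.g. -rw------- as in the listing
        *) echo "$ks_file: mode $ks_mode allows group/other access or denies owner read" >&2
           ks_rc=1 ;;
    esac
    return $ks_rc
}

# check_oscars_keystores [DIR] [OWNER]
check_oscars_keystores() {
    dir=${1:-/etc/oscars/keystores}
    want=${2:-oscars}
    bad=0
    for f in "$dir/oscars.jks" "$dir/localhost.jks"; do
        keystore_ok "$f" "$want" || bad=1
    done
    return $bad
}
```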