During the transition from X.509 certificates to JWT, it could be necessary to migrate all the users from a VOMS server to the experiment IAM instance and keep periodically synchronized the two databases.
In this regard, a voms-importer script has been developed at CNAF: https://github.com/indigo-iam/voms-importer.
In order to properly implement the script above, a user needs to be both a VO and IAM administrator.
The first steps are the following:
- ensure that the personal X.509 certificate is linked to the IAM account
- create an X.509 grid-proxy from the command line interface (
grid-proxy-init)
- add the grid proxy to the own IAM account
After that, it is enough to pull the docker container available on the Docker Hub and run it.
docker pull indigoiam/voms-importer
A useful full set of commands to run the container follows below.
docker run -it --entrypoint /bin/bash indigoiam/voms-importer sudo su cat >/etc/yum.repos.d/egi.repo <<EOF [EGI-trustanchors] name=EGI-trustanchors baseurl=https://repository.egi.eu/sw/production/cas/1/current/ gpgkey=https://repository.egi.eu/sw/production/cas/1/GPG-KEY-EUGridPMA-RPM-3 gpgcheck=1 EOF yum install ca-policy-egi-core -y cp /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/ update-ca-trust exit oidc-gen -w device <client-name> export IAM_ENDPOINT=<iam-URL> export OIDC_AGENT_ALIAS=<client-name> export OIDC_AGENT_SECRET=*** export REQUESTS_CA_BUNDLE=/etc/pki/tls/cert.pem init-credentials.sh vomsimporter --vo <vo-name> --voms-host <voms-server-host> --voms-port <voms-server-port> --iam-host <iam-hostname>