Re: [gt-user] credentials of certificates which have been revoked

2013-01-17 Thread Jim Basney
The myproxy-server rejects revoked certificates. It checks CRLs by
default and can be optionally configured to query OCSP. It's not
necessary to use OCSP if you have CRLs in place. The myproxy-server
reads the CRL files in /etc/grid-security/certificates for every
request, so it immediately discovers any updates to the CRL files.

I ran my own tests to confirm. With no CRL in place I get:

$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy ... Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18 03:35:17 2013
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 11 hours (0.5 days) for user jbasney now exists on
localhost.

When I create a CRL revoking my certificate and install it in
/etc/grid-security/certificates on my myproxy-server, I get:

$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy .. Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18 03:35:17 2013
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error:
/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102: in library:
SSL routines, function SSL3_READ_BYTES: sslv3 alert certificate revoked
SSL alert number 44

When I install the CRL on the client side, I get an earlier error,
because myproxy-init verifies the credential before trying to use it:

$ myproxy-init -s localhost -c 0 -v
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy  Done
Error: Couldn't verify the authenticity of the user's credential to
generate a proxy from.
   grid_proxy_init.c:971: globus_credential: Error verifying
credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has been revoked: Serial
number = 57 (0x39) Subject=/O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
grid-proxy-init failed

So my guess is your certificate's serial number isn't listed in the CRL
you generated, or you didn't install the CRL in
/etc/grid-security/certificates/hash.r0 on the myproxy-server.

You can use openssl to check if your certificate is revoked:

$ openssl verify \
-CApath /etc/grid-security/certificates -crl_check usercert.pem
usercert.pem: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
error 23 at 0 depth lookup:certificate revoked
$ openssl crl -text -noout -in 86863cfb.r0
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Globus Simple CA
Last Update: Jan 17 21:41:27 2013 GMT
Next Update: Jan 31 21:41:27 2013 GMT
Revoked Certificates:
Serial Number: 39
Revocation Date: Jan 17 21:40:23 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
28:9b:1f:f0:15:50:a5:43:d5:57:d1:e2:2c:f4:ac:91:56:04:
6a:f1:bc:52:b7:e0:56:83:58:16:82:30:fc:ed:23:e2:1a:8d:
b0:db:89:ee:3c:1a:12:20:b1:46:d0:ef:e6:c0:d8:26:76:2d:
8a:19:6f:11:bd:bd:4e:de:3a:e4:99:d2:76:b8:fb:bb:32:6d:
cf:ca:71:70:f3:5e:dd:7c:ee:e3:98:1b:cc:59:c3:69:f4:03:
9f:f2:0b:3e:66:14:dc:1b:ab:93:57:30:48:56:25:d9:05:b8:
c2:6b:04:7f:ce:40:c1:7c:51:0d:c3:b5:30:f2:37:2b:b5:e4:
43:cb
$ openssl x509 -noout -serial -in usercert.pem
serial=39

On 1/17/13 3:15 PM, leo_cu...@lavabit.com wrote:
 Is it possible to avoid the storage of a credential for revoked certificates?
 
 I found something interesting in myproxy-server.config comments, like the
 ocsp protocol used to check the validity of credentials stored in the
 myproxy-server repository before they may be delegated to a user. But in
 this case do I have to enable an OCSP server with a crl distribution site
 in order to achieve my task? I haven't found how to make myproxy
 automatically discover the revoked certificates from the crl certificate
 in /etc/grid-security/certificates, so that it stops making proxy certificates
 for revoked certificates.
 
 I created a certificate and key pair with a CA of my own. I tested
 myproxy-init and myproxy-logon: all OK. I followed by revoking this
 certificate, downloading the CA's new crl and rewriting the
 /etc/grid-security/certificates/hash.r0 file, but I was still able to
 store the credentials of the revoked certificate.


Re: [gt-user] update CRLs within /etc/grid-security/certificates folder

2013-01-14 Thread Jim Basney
Please refer to the Revocation section of
http://grid.ncsa.illinois.edu/myproxy/ca/ which provides example scripts
for using the 'openssl ca' command to generate CRLs for use with
MyProxy. The MyProxy software doesn't create CRLs itself. MyProxy
requires the use of 'openssl ca' or equivalent for CRL creation.

On 1/14/13 2:30 PM, leo_cu...@lavabit.com wrote:
   In order for the myproxy service to generate the proxy certificates,
 trusted CA certificates are necessary in the /etc/grid-security/certificates
 folder: the CA certificate hash, signing policy and the crl certificate
 and some others. I obtained those needed files, creating a CA through the
 command line ( openssl way ) giving it a validity period of a year. I
 created the crl file for this CA the same way, with the same
 validity period, because I didn't want to run into the invalid
 crl problem.
 
   But now I want my system to support the revocation of user certificates, and
 that means if I revoke a user with my CA, myproxy should know it and
 consequently not generate a credential for it at the next
 myproxy-init. The way to do this is lowering the validity of the crl
 (.r0) file to less than an hour and updating the crl within a period of time
 ( less than an hour or so ), using system tools like cron, but my
 question is whether there is some myproxy tool that may do this...
 
 


[gt-user] MacOS 10.8 install

2012-08-08 Thread Jim Basney
Hi,

In case it might be helpful to others, here's my recipe for a successful
GT 5.2.2 install on MacOS 10.8.

Two things caused trouble for me: default gcc32dbg flavor and missing
ltdl (Libtool Dynamic Module Loader). I got the following errors:

error: ltdl.h: No such file or directory

dyld: lazy symbol binding failed: Symbol not found: _lt_dlinit

I worked around these issues by installing ltdl via fink and explicitly
choosing flavor gcc64dbg:

fink install libtool2 libtool2-shlibs
ln -s /sw/lib/libltdl* /usr/lib
ln -s /sw/include/ltdl.h /sw/include/libltdl /usr/include
cd gt5.2.2-all-source-installer
./configure --prefix=$GLOBUS_LOCATION \
  --with-buildopts=-verbose --with-flavor=gcc64dbg
make install > install.log 2>&1

-Jim


Re: [gt-user] Problem with MyProxy and certificate_issuer_subca_certfile

2012-06-11 Thread Jim Basney
What are the contents of /var/lib/myproxy/.globus/simpleCA/cacert.pem?

On 6/11/12 3:38 PM, Lukasz Lacinski wrote:
 We use MyProxy server with Simple CA to issue user credentials. And
 wanted to use the certificate_issuer_subca_certfile option to add a
 certificate of the Simple CA to a certificate chain sent by MyProxy
 server. Unfortunately, the option causes the following error:
 
 Jun 11 13:36:34 auth1 myproxy-server[17900]: Error parsing certificate chain 
 error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
 error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
 error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
 error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
 error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large 
 error:0906D06C:PEM routines:PEM_read_bio:no start line Failed to load sub-CA 
 certs from file (/var/lib/myproxy/.globus/simpleCA/cacert.pem)! CA failed to 
 generate certificate 
 
 
 We are using Ubuntu Oneiric.
 root@ca:~# openssl version
 OpenSSL 0.9.8k 25 Mar 2009
 root@ca:~#
 
 The version we are running is:
 root@auth1:/var/log# myproxy-server --version
 myproxy-server version MYPROXYv2 (v5.5 5 Sep 2011 PAM OCSP) 
 
 
 There is no problem with reading the CA certificate by openssl.
 
 Did anybody experience such a problem with the
 certificate_issuer_subca_certfile?
 
 Thanks,
 Lukasz


Re: [gt-user] Building gt5.2.1 From Source

2012-06-04 Thread Jim Basney
 configure: error: *** Can't find recent OpenSSL libcrypto (see
 config.log for details) ***

https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7255

Work-around:

Edit
gt5.2.1-all-source-installer/source-trees/gssapi-openssh/openssh/configure
to delete the two lines marked with '-' in the following diff:

  -if test -z $GLOBUS_LDFLAGS ; then
  LIBS=-lcrypto $LIBS
  -fi
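Review bot: the shell quoting looks stripped from the three lines above; as rendered, `LIBS=-lcrypto $LIBS` assigns only `-lcrypto` for the duration of one command and then tries to execute whatever `$LIBS` expands to, and `test -z $GLOBUS_LDFLAGS` misbehaves when the variable holds several words. Anyone editing the configure script by hand should keep the quoted forms, `if test -z "$GLOBUS_LDFLAGS" ; then` and `LIBS="-lcrypto $LIBS"`, and only drop the `if`/`fi` pair. Removing the guard also means `-lcrypto` is added even when GLOBUS_LDFLAGS is set, which is the stated intent but is worth a comment in the script so the next person does not restore the guard.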

so that

  LIBS=-lcrypto $LIBS

is always set.

It is fixed in GSI-OpenSSH 5.5.


Re: [gt-user] How to renew proxy credential?

2012-05-15 Thread Jim Basney
Hi Lukasz,

What is the myproxy-server log output? What is your full
myproxy-server.config? By any chance do you have pam required rather
than pam sufficient in myproxy-server.config?

It works for me:

$ myproxy-logon -s localhost
Enter MyProxy pass phrase:
A credential has been received for user jbasney in /tmp/x509up_u501.

# myproxy-logon -s localhost -l jbasney -a /tmp/x509up_u501
A credential has been received for user jbasney in /tmp/x509up_u0.

# cat /etc/myproxy-server.config
pam sufficient
authorized_retrievers *
authorized_renewers *
default_renewers *
certificate_issuer_cert /Users/jbasney/.globus/simpleCA/cacert.pem
certificate_issuer_key /Users/jbasney/.globus/simpleCA/private/cakey.pem
certificate_issuer_key_passphrase myproxy
certificate_serialfile /Users/jbasney/.globus/simpleCA/serial
certificate_mapfile /Users/jbasney/myproxy-grid-mapfile
#

-Jim

On 5/15/12 4:53 PM, Lukasz Lacinski wrote:
 Hi,
 
 I am using MyProxy server with MyProxy CA. I use myproxy-logon to get a
 user credential issued by MyProxy CA. When I try to renew the credential
 I get the error:
 
 $ myproxy-logon -l lukasz -s myproxy.nothing.com -a /tmp/x509up_u501
 Failed to receive credentials.
 ERROR from myproxy-server:
 invalid password
 $
 
 I have
 
 authorized_renewers *
 default_renewers *
 
 in myproxy configuration file.
 
 How to renew a user credential?
 
 Thanks,
 Lukasz


Re: [gt-user] Could not GSISSH the remote host

2012-04-27 Thread Jim Basney
On 4/27/12 7:19 AM, Hameed Alzahrani wrote:
 Connection closed by remote host

Look in logs on the remote host for the cause.

http://grid.ncsa.illinois.edu/ssh/ts_common.html


Re: [gt-user] Problems adding users to globus

2012-03-23 Thread Jim Basney
The certificate signature failure message indicates a problem with the
nextuser certificate created by myproxy-admin-adduser. The certificate
should be in /var/lib/myproxy/nextuser.creds. You can use
grid-proxy-init to check the certificate for errors:

  grid-proxy-init -debug -verify \
-cert /var/lib/myproxy/nextuser.creds \
-key /var/lib/myproxy/nextuser.creds

If you post the contents between -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE----- from that file, maybe someone on the list
can identify what's causing the signature failure. However, be careful
not to post the contents between -----BEGIN RSA PRIVATE KEY----- and
-----END RSA PRIVATE KEY----- to the mailing list.

On 3/23/12 12:18 PM, Lance Westerhoff wrote:
 Hello All-
 
 I am new to Globus, and I'm trying to get my head around the setup. For 
 background, our goal with this work is to communicate with PBS/torque jobs 
 using Java (such as through a webservice). Through some extensive research, 
 it looks like Gridway/Globus is a good choice. So I installed the following 
 software:
 
   globus-5.0.4
   gridway-5.8.1
 
 On top of:
   torque-3.0.2
   maui-3.2.6p21
   152 64bit core CentOS5 cluster
 
 All has been well for some time with torque/maui. And with a lot of work, I 
 think I figured out most of the globus/gw install to the point where user 
 globus can submit jobs without too much trouble. Granted, the whole 
 credential requirement has made this install much harder than it needs to be 
 for a small internal cluster, but I think we are there. I can now use 
 gwsubmit from the globus user just fine, and jobs go through globus into the 
 PBS queue as expected.
 
 However, I can't seem to add users to the list of users able to submit. I 
 already emailed the gridway list and they suggest that it is a globus problem 
 and that I should email you instead. Here is the process I went through:
 
 [root@cluster]# myproxy-admin-adduser -c Next User -l nextuser
 [root@cluster]# grid-mapfile-add-entry -dn 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/OU=host.com/CN=Next User 
 -ln nextuser
 
 But then I get this when trying to use it:
 
 
 [nextuser@cluster]$ myproxy-logon -v -s cluster.host.com
 MyProxy v5.4 22 Apr 2011 PAM OCSP
 Attempting to connect to 192.168.3.50:7512 
 Successfully connected to cluster.host.com:7512 
 Expecting non-standard server DN 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/CN=host/cluster.host.com 
 using trusted certificates directory /etc/grid-security/certificates
 no valid credentials found -- performing anonymous authentication
 server name: 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/CN=host/cluster.host.com
 checking that server name is acceptable...
 server name matches 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/CN=host/cluster.host.com
 authenticated server name is acceptable
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 ERROR from myproxy-server:
 X509_verify_cert() failed: certificate signature failure
 
 Compared with the user globus:
 
 [globus@cluster ~]$ myproxy-logon -v -s cluster.host.com
 MyProxy v5.4 22 Apr 2011 PAM OCSP
 Attempting to connect to 192.168.3.50:7512 
 Successfully connected to cluster.host.com:7512 
 Expecting non-standard server DN 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/CN=host/cluster.host.com 
 using trusted certificates directory /etc/grid-security/certificates
 server name: 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/CN=host/cluster.host.com
 checking that server name is acceptable...
 server name matches 
 /O=Grid/OU=GlobusTest/OU=simpleCA-cluster.host.com/CN=host/cluster.host.com
 authenticated server name is acceptable
 Enter MyProxy pass phrase:
 A credential has been received for user globus in /tmp/x509up_u28889.
 
 
 What am I missing in the setup of new users?
 
 Thanks for your help!
 
 -Lance
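The advice above is to share only the certificate part of nextuser.creds and never the private key. The following is an added example (not code from the thread or from MyProxy) that separates the shareable blocks from a combined credential file and can run the same trust-root check on them; it assumes POSIX sh with awk, openssl on PATH for verify_public_chain only, and the function names are mine. The sample file it writes is constructed, not real key material.

```shell
#!/bin/sh
# Added example: handle a MyProxy credential file such as
# /var/lib/myproxy/nextuser.creds without ever exposing the private key.

# Print every BEGIN CERTIFICATE ... END CERTIFICATE block of $1 verbatim.
# Anything outside those markers, including the RSA PRIVATE KEY block that
# myproxy-admin-adduser stores in the same file, is never printed.
public_blocks() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }
    ' "$1"
}

# Number of certificate blocks in $1 (a proxy file usually holds several).
count_certs() {
    public_blocks "$1" |
        awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }'
}

# Gate before pasting anything into a list post: succeeds only if the
# shareable output carries no PRIVATE KEY marker at all.
safe_to_share() {
    if public_blocks "$1" | grep -q 'PRIVATE KEY'; then
        return 1
    fi
    return 0
}

# Check the first (end-entity) certificate of $1 against the trust roots in
# $2 (default /etc/grid-security/certificates), the directory the
# myproxy-server itself uses. Add -crl_check only when the CA's .r0 is there.
verify_public_chain() {
    capath=${2:-/etc/grid-security/certificates}
    public_blocks "$1" | openssl verify -CApath "$capath"
}

# Constructed sample in the layout of a .creds file (fake PEM bodies, no real
# key or certificate material), used by the self-test below.
write_sample_creds() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleUSERCERT
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEsamplePRIVATEKEYneverSHARE
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBsampleCACERT
-----END CERTIFICATE-----
EOF
}
```

With a real file, `public_blocks /var/lib/myproxy/nextuser.creds` is what to paste, and `verify_public_chain` reproduces the X509_verify_cert() step that produced the signature failure.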


Re: [gt-user] gt421 debian package

2011-10-25 Thread Jim Basney
Use 'make gsi-myproxy install' to build and install only MyProxy and its
dependencies using the GT installer.

Why use GT 4.2.1? The current release is GT 5.0.4:

  http://www.globus.org/toolkit/downloads/latest-stable/

On 10/25/11 7:15 AM, leo_cu...@lavabit.com wrote:
 I compiled globus toolkit 421 for debian squeeze to make a deb package.
 The whole application weighs about 100 MB, my question: is there any
 way to erase everything but what is necessary for the myproxy service? I don't use
 gramFTP, neither gridFTP or the webservices. Are there dependencies
 between these apps and the myproxy service? Do you have to install it
 all?


Re: [gt-user] PAM module support using MyProxy server

2011-10-25 Thread Jim Basney
http://wiki.ngs.ac.uk/index.php?title=MEG

On 10/25/11 10:47 AM, Lukasz Lacinski wrote:
 I would like to configure /etc/pam.d/login to use MyProxy server as an
 external authentication mechanism and accept all users who are
 successfully authenticated by the MyProxy server. Is such a PAM module
 already written by anybody and available anywhere?
 
 Thanks,
 Lukasz


Re: [gt-user] problems with gt421

2011-09-07 Thread Jim Basney
On 9/7/11 8:52 AM, leo_cu...@lavabit.com wrote:
 I wonder if this error ( Error authenticating: Connection closed. ) is
 an authentication problem, some PAM issue with myproxy, or everything is
 the /etc/grid-security/certificates directory.

To answer this question, check your myproxy-server logs:

http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html


Re: [gt-user] problems with gt421

2011-09-06 Thread Jim Basney
 myproxy-init -v -C key.pem -y cert.pem -l user -s DebianLocal.localdomain

It appears you've got the -C and -y options backwards. Try:

  myproxy-init -v -C cert.pem -y key.pem ...


Re: [gt-user] Problem adding a myproxy user

2011-06-28 Thread Jim Basney
On 6/28/11 1:57 PM, Amitav Mohanty wrote:
 On 06/21/2011 03:47 AM, Jim Basney wrote:
 If you don't want myproxy-admin-adduser to use your existing
 $GLOBUS_LOCATION/var/myproxy directory, then move/remove that directory
 or use the myproxy-admin-adduser -s option.

 Well I was doing a fresh install following the admin guide and I got the
 following error
 
 [root@fool dknight]# myproxy-server -d
 myproxy-server v5.3 17 Jan 2011 PAM OCSP starting at Wed Jun 29 00:22:04
 2011
 reading configuration file /etc/myproxy-server.config
 Processing usage_stats_target (usage-stats.cilogon.org:4810)
 USAGE-STATS: Initialized (usage-stats.cilogon.org:4810) (VvtrlLB)
 using storage directory /home/dknight/soc/gt/var/myproxy
 WARNING: safe_is_path_trusted_r: /home/dknight/soc/gt/var/myproxy can be
 modified by users/groups other than uid=0/gid=0
 /home/dknight/soc/gt/var/myproxy not owned by root
 Exiting.  Please fix errors with storage directory and restart.
 
 My earlier query was because of a discrepancy between the output I was
 getting and the output that I am supposed to get according to the guide.
 
 I am getting a line saying
 
 using storage directory /home/dknight/soc/gt/var/myproxy
 
 while I think I am supposed to get the following.
 
 using storage directory /var/myproxy
 
 
 I think this is also why I am getting the warning.

Probably you ran myproxy-admin-adduser as non-root which created the
$GLOBUS_LOCATION/var/myproxy directory. You must consistently run
myproxy-server and myproxy-admin-adduser from the same account.

-Jim


Re: [gt-user] CA setup

2011-06-24 Thread Jim Basney
Hi Petar,

There's a hierarchy of TERENA CAs, and you need to have the full CA
hierarchy installed in /etc/grid-security/certificates.

For example:

$ openssl x509 -subject -issuer -noout < ff783690.0
subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root

There are links to each CA in the certificate chain at

  http://www.terena.org/activities/tcs/repository/

But it'd probably be easier to install the CAs you need from the current
IGTF distribution at

  https://dist.eugridpma.org/distribution/current/

because that will give you the .signing_policy files too.

Also, I recommend that you use the TERENA eScience CAs for grid
applications.

-Jim

P.S. For TERENA CA questions, I suggest posting on the t...@terena.org
mailing list (http://www.terena.org/activities/tcs/mailing-lists.html).

On 6/24/11 10:00 AM, Forai, Petar wrote:
 Dear list,
 
 We're in the process of setting up a simple GridFTP infrastructure for use 
 with GlobusOnline. For this we've got a gridftp and myproxy host set up. 
 However we're struggling to get the proper CA setup with Globus running. For 
 testing purposes we've been trying to copy files via gsiftp from the gridftp 
 to the myproxy machine (as both have host certificates signed by the same CA).
 
 We're not able to roll our own CA and have to use TERENA SSL provided by our 
 NREN for signing hosts. 
 
 The ``/etc/grid-security/certificates/'' directory looks like:
 
 9df51c42.0  9df51c42.signing_policy  TERENA_SSL_CA.pem
 
 where the hash was generated by running ``$GLOBUS_LOCATION/bin/openssl x509 
 -hash -noout < TERENA_SSL_CA.pem''
 Of course both hosts have  a proper ``hostkey.pem'' and ``hostcert.pem'' in 
 ``/etc/grid-security/'' signed by TERENA SSL CA.
 
 
 I'm getting an error from ``globus-url-copy'' which complains about a not 
 found CA certificate with another hash (``ff783690'' as opposed to 
 ``9df51c42'') as seen here:
 
 error: globus_ftp_control: gss_init_sec_context failed
 OpenSSL Error: s3_clnt.c:983: in library: SSL routines, function 
 SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module: Can't get the local trusted CA certificate: 
 Cannot find trusted CA certificate with hash ff783690 in 
 /etc/grid-security/certificates
 
 
 When I check the host certs they were signed by the same CA and the CN 
 strings etc match. Can anyone explain what I'm missing here? I know that I'm 
 not even at the step where user certificates come into play but I wanted to 
 see if the host communication/setup was working before I proceed to molest my 
 NREN to give me per user certificates.
 
 
 TIA!
 
 P
 
 
 
 Petar Forai — GMI IT/HPC Engineer
 mailto: petar.fo...@gmi.oeaw.ac.at
 GPG/PGP-Fingerprint: F4D15 F20B 6BB0 F68D 9580  2828 D17D BB4E 4DFF B82B 
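The failure in this thread is a trust-root directory that holds the issuing CA but not the CA above it, so the verifier asks for a hash (ff783690) that no file provides. Below is an added example (not code from the thread, TERENA or Globus) that walks a Globus-style certificates directory and reports every certificate whose issuer is absent; it assumes POSIX sh and an openssl binary on PATH, and the function names are mine. It compares subject and issuer hashes computed by the same openssl, so it works whether the file names use the old MD5-style or the new SHA-1-style hash.

```shell
#!/bin/sh
# Added example: find incomplete CA chains in a trust-root directory such as
# /etc/grid-security/certificates (Globus keeps one CA per <hash>.0 file).

# Print "subject_hash issuer_hash file" for every *.0 file in $1.
# Files openssl cannot parse are skipped rather than aborting the scan.
cert_hashes() {
    dir=$1
    for f in "$dir"/*.0; do
        [ -f "$f" ] || continue
        s=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        i=$(openssl x509 -noout -issuer_hash -in "$f" 2>/dev/null) || continue
        printf '%s %s %s\n' "$s" "$i" "$f"
    done
}

# One line per gap: "<file> needs issuer <issuer_hash>". A certificate whose
# issuer hash equals its own subject hash is a self-signed root and ends
# the chain, so it never counts as a gap.
missing_issuers() {
    dir=$1
    table=$(cert_hashes "$dir")
    printf '%s\n' "$table" | while read -r s i f; do
        [ -n "$f" ] || continue
        [ "$s" = "$i" ] && continue
        if ! printf '%s\n' "$table" |
             awk -v h="$i" '$1 == h { found = 1 } END { exit !found }'; then
            printf '%s needs issuer %s\n' "$f" "$i"
        fi
    done
}

# Number of gaps; 0 means every chain in the directory is complete.
missing_count() {
    missing_issuers "$1" | awk 'END { print NR }'
}
```

Run `missing_issuers /etc/grid-security/certificates` on both the gridftp and the myproxy host; a non-empty listing names the hash the missing file must carry, and that is the CA to fetch from the IGTF distribution.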


Re: [gt-user] Problem adding a myproxy user

2011-06-20 Thread Jim Basney
If you don't want myproxy-admin-adduser to use your existing
$GLOBUS_LOCATION/var/myproxy directory, then move/remove that directory
or use the myproxy-admin-adduser -s option.

On 6/19/11 12:41 PM, Amitav Mohanty wrote:
 Hello
 
 Following the quickstart guide for installing the Globus Toolkit I got
 the following error during adding a new user for myproxy.
 
 [root@fool quickstart]# myproxy-admin-adduser -c Dark Knight -l dknight
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 
 To sign the request
 please enter the password for the CA key:
 
 The new signed certificate is at: /root/.globus/simpleCA//newcerts/02.pem
 
 using storage directory /home/dknight/soc/gt/var/myproxy
 WARNING: safe_is_path_trusted_r: /home/dknight/soc/gt/var/myproxy can be
 modified by users/groups other than uid=0/gid=0
 /home/dknight/soc/gt/var/myproxy not owned by root
 Unable to store credentials. /home/dknight/soc/gt/var/myproxy not owned
 by root
 Certificate subject is:
 /O=Grid/OU=GlobusTest/OU=simpleCA-fool.man.machine/OU=man.machine/CN=Dark 
 Knight
 
 
 It should be using /var/myproxy as storage directory. Instead it is
 trying to use $GLOBUS_LOCATION/var/myproxy. Please help me in this regard.
 
 Regards
 Amitav


Re: [gt-user] Globus-simple-ca sign and mit kerberos with pkinit

2011-06-01 Thread Jim Basney
Yes, 'grid-proxy-info -path' shows the path to the text file containing
your proxy credential, which you can open in an editor of your choice
and look at the certificates in the chain. For each BEGIN CERTIFICATE /
END CERTIFICATE block, you can use 'openssl x509 -text' to see a human
readable version of the certificate.

On 6/1/11 9:54 AM, Mike Coyne wrote:
 Thank you for your reply.
 You were correct in your first assumption. I did create / attempted to
 create an end user certificate inside of the myproxy server and retrieved
 a proxy with myproxy-logon. The proxy does seem to be valid and globus
 accepts it as far as I have been able to tell, but I was unable to show
 the certificate chain with grid-proxy-info -path ?
   It seemed to want to give me the file system path to my proxy
 certificate. I am using globus 5.0.4 under linux rhel 5.6 and the ssl is
 somewhat dated OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, is there another
 way to show the full certificate chain?
 
 
 On Tue, 2011-05-31 at 11:12 -0500, Jim Basney wrote:
 grid-proxy-info -path


Re: [gt-user] Globus-simple-ca sign and mit kerberos with pkinit

2011-05-31 Thread Jim Basney
 when i do a grid-cert-info  with the kerberized credential
 
 ...
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Extended Key Usage: 
 1.3.6.1.5.2.3.4
 X509v3 Key Usage: critical
 Digital Signature, Key Encipherment, Key Agreement
 1.3.6.1.4.1.3536.1.222: critical
 0.0
 ..+...
 Signature Algorithm: md5WithRSAEncryption
 ...

This looks like an end entity certificate.

 where as a normal credential shows
 ...
   X509v3 extensions:
 Proxy Certificate Information: critical
 Path Length Constraint: infinite
 Policy Language: Inherit all
 ...

This is a proxy certificate.

 Which would appear to have overwritten the proxy extensions with the
 kerberos rather than appending them?

Could it be instead that you created a proxy certificate from the end
entity certificate, so the end entity certificate still has the
extensions you want, but it's no longer the last certificate in the chain?

I suggest looking in the file at 'grid-proxy-info -path' to see the
different certificates in the certificate chain.

 WHat is the correct way to merge this or is it even possible? to get
 mit's pkinit to work with  globus credentials ?

My guess is that pkinit doesn't understand proxy certificates, so you
need to restrict yourself to end entity certificates. Some possible options:

1) After you do myproxy-admin-adduser, use myproxy-retrieve rather than
myproxy-logon so you get an end entity certificate rather than a proxy
certificate. In this case you'll need to set authorized_key_retrievers &
default_key_retrievers in myproxy-server.config and also possibly use
'myproxy-admin-adduser -E' depending on your value of
default_key_retrievers to allow direct access to the end entity
credential rather than just access to proxy credentials.

2) Rather than using myproxy-admin-adduser, setup a MyProxy CA
(http://myproxy.ncsa.uiuc.edu/ca) to issue end entity credentials. In
this case, you can use certificate_extfile or certificate_extapp to
include the kinit extensions in the issued certificates.

3) In case pkinit can work with proxy certificates (i.e., using a recent
OpenSSL version with OPENSSL_ALLOW_PROXY set to a non-empty value in the
environment), and for some reason pkinit isn't finding the extension in
the end entity certificate in the certificate chain, you can tell
MyProxy to include extensions in proxy certificates using the
myproxy-server.config proxy_extfile or proxy_extapp settings.

Hope that helps.

-Jim


Re: [gt-user] help regarding globus-url-copy

2011-05-31 Thread Jim Basney
On 5/31/11 9:35 AM, Amitav Mohanty wrote:
 I was wondering why without adding any lines to hosts.allow and
 hosts.deny I can have credentials exchanged successfully when both the
 server and the client are started on different terminals.

If you run the myproxy-server outside of xinetd, then /etc/hosts.allow
and /etc/hosts.deny have no effect. It's xinetd, not myproxy-server,
that's applying the rules from these files.

-Jim


Re: [gt-user] MyProxy CA

2011-05-26 Thread Jim Basney
On 5/26/11 10:59 AM, Alan Sill wrote:
 On May 26, 2011, at 11:51 AM, Lukasz Lacinski wrote:
 
 I would like to issue user credentials using a MyProxy server, MyProxy
 CA and PAM. But I would like to avoid adding a certificate of the
 MyProxy CA to /etc/grid-security/certificates. I am thinking of taking a
 user credential signed by a IGTF-accredited CA (most of GridFTP servers
 and client machines should trust that) and use this user credential in
 MyProxy CA to sign other certificates. Is it possible to omit that way
 the step of adding the MyProxy CA certificate to
 /etc/grid-security/certificates?
 
 No: user certificates do not have the proper X509v3 key usage extension
 to allow certificate signing; usually only digital signature, key
 encipherment, and data encipherment are enabled.

Also:

  X509v3 Basic Constraints: critical
CA:FALSE

And for good reason: we don't want users to impersonate each other.

 You can add any CA certificate to your server's certificate area, if you
 trust the way that CA is run.  If not, you shouldn't be using its
 certificates; if so, what is the problem with adding it in?
 
 Alan


Re: [gt-user] MyProxy CA

2011-05-26 Thread Jim Basney
 You can add any CA certificate to your server's certificate area, if
 you trust the way that CA is run.  If not, you shouldn't be using its
 certificates; if so, what is the problem with adding it in?
 
 If someone manages a client grid workstation, users have to ask him to
 add a certificate of MyProxy CA they want to use from that workstation.

Or they can just run 'myproxy-logon --bootstrap'.

-Jim


Re: [gt-user] MyProxy CA

2011-05-26 Thread Jim Basney
On 5/26/11 11:50 AM, Lukasz Lacinski wrote:
 On 5/26/11 12:24 PM, Jim Basney wrote:
 You can add any CA certificate to your server's certificate area, if
 you trust the way that CA is run.  If not, you shouldn't be using its
 certificates; if so, what is the problem with adding it in?
 If someone manages a client grid workstation, users have to ask him to
 add a certificate of MyProxy CA they want to use from that workstation.
 Or they can just run 'myproxy-logon --bootstrap'.
 It downloads a host certificate a MyProxy server uses. This certificate
 does not have to be signed by a MyProxy CA used with that MyProxy
 server. But this is a light in a tunnel. If owners of a MyProxy server
 use a host certificate signed by MyProxy CA it will solve problems.

It also installs any trust roots that the MyProxy CA delivers to it (see
myproxy-server.config cert_dir setting).

-Jim


Re: [gt-user] MyProxy CA

2011-05-26 Thread Jim Basney
On 5/26/11 11:52 AM, Jim Basney wrote:
 On 5/26/11 11:50 AM, Lukasz Lacinski wrote:
 On 5/26/11 12:24 PM, Jim Basney wrote:
 You can add any CA certificate to your server's certificate area, if
 you trust the way that CA is run.  If not, you shouldn't be using its
 certificates; if so, what is the problem with adding it in?
 If someone manages a client grid workstation, users have to ask him to
 add a certificate of MyProxy CA they want to use from that workstation.
 Or they can just run 'myproxy-logon --bootstrap'.
 It downloads a host certificate a MyProxy server uses. This certificate
 does not have to be signed by a MyProxy CA used with that MyProxy
 server. But this is a light in a tunnel. If owners of a MyProxy server
 use a host certificate signed by MyProxy CA it will solve problems.
 
 It also installs any trust roots that the MyProxy CA delivers to it (see
 myproxy-server.config cert_dir setting).

More details here:

  http://grid.ncsa.illinois.edu/myproxy/trustroots/

-Jim


Re: [gt-user] Globus installation error

2011-02-12 Thread Jim Basney
http://lists.globus.org/pipermail/gt-user/2011-February/009685.html

On 2/12/11 6:00 AM, kasim saeed wrote:
 quser@choate:~$ myproxy-logon -s choate
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping entire
 message: SSL_write wrote -1 bytes, should be 83 bytes
 
 
 
 
 Hi all
 I am new to Globus and need to install it for my academic purposes. I am
 using the http://www.globus.org/toolkit/docs/5.0/5.0.2/admin/quickstart/
 link for installation.
 
 OS is Ubuntu 10.04.
 Globus version is 5.0.2.
 
 All went well except when I gave the command myproxy-logon -s choate;
 the following is the output.
 
 quser@choate:~$ myproxy-logon -s choate
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping entire
 message: SSL_write wrote -1 bytes, should be 83 bytes
 
 
 
 If i give myproxy-logon -v -s choate
 
 quser@choate:~$ myproxy-logon -v -s choate
 MyProxy v5.2 22 Jun 2010 OCSP
 Attempting to connect to 127.0.1.1:7512
 Successfully2 connected to choate:7512
 using trusted certificates directory /etc/grid-security/certificates
 no valid credentials found -- performing anonymous authentication
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping entire
 message: SSL_write wrote -1 bytes, should be 77 bytes
 
 Please help
 
 
 
 
 Regards
 Kaasim Saeed.
 


Re: [gt-user] Globus installation error

2011-02-12 Thread Jim Basney
What did you find when you checked the myproxy-server logs?

On 2/12/11 7:54 AM, kasim saeed wrote:
 That is not making any difference.. Any other idea.
 Please Help
 
 Regards
 Kaasim Saeed.
 
 
 On Sat, Feb 12, 2011 at 6:15 PM, Jim Basney jbas...@ncsa.uiuc.edu wrote:
 
 http://lists.globus.org/pipermail/gt-user/2011-February/009685.html

 On 2/12/11 6:00 AM, kasim saeed wrote:
 quser@choate:~$ myproxy-logon -s choate
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping
 entire
 message: SSL_write wrote -1 bytes, should be 83 bytes




 Hi all
 I am new to Globus and need to install it for my academic purposes. I am
 using the http://www.globus.org/toolkit/docs/5.0/5.0.2/admin/quickstart/
 link for installation.

 OS is Ubuntu 10.04.
 Globus version is 5.0.2.

 All went well except when I gave the command myproxy-logon -s choate;
 the following is the output.

 quser@choate:~$ myproxy-logon -s choate
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping
 entire
 message: SSL_write wrote -1 bytes, should be 83 bytes



 If i give myproxy-logon -v -s choate

 quser@choate:~$ myproxy-logon -v -s choate
 MyProxy v5.2 22 Jun 2010 OCSP
 Attempting to connect to 127.0.1.1:7512
 Successfully2 connected to choate:7512
 using trusted certificates directory /etc/grid-security/certificates
 no valid credentials found -- performing anonymous authentication
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping
 entire
 message: SSL_write wrote -1 bytes, should be 77 bytes

 Please help




 Regards
 Kaasim Saeed.


 


Re: [gt-user] Globus installation error

2011-02-12 Thread Jim Basney
The error message indicates a permissions problem on the myproxy-server
storage directory (/sandbox/globus/globus5a/var/myproxy not owned by
root). My guess is you ran myproxy-admin-adduser as non-root, so now
you have a myproxy-server storage directory not owned by root. You might
want to start again with the quickstart instructions, being careful to
run commands as root when required, or I suspect you're going to have a
lot of trouble with files not owned by root when they need to be. The
myproxy-server storage directory (in this case,
/sandbox/globus/globus5a/var/myproxy) must be owned by the account the
myproxy-server is running under (i.e., root) and must be accessible only
by that account (i.e., 0700 permissions).

On 2/12/11 8:56 AM, kasim saeed wrote:
 This is the message written in the log when I gave the above command.
 
 Feb 12 19:54:38 choate myproxy-server[8098]:
 /sandbox/globus/globus5a/var/myproxy not owned by root
 Feb 12 19:54:38 choate myproxy-server[8098]: Exiting.  Please fix errors
 with storage directory and restart.
 
 Regards
 Kaasim Saeed.
 
 
 On Sat, Feb 12, 2011 at 7:13 PM, Jim Basney jbas...@ncsa.uiuc.edu wrote:
 
 What did you find when you checked the myproxy-server logs?

 On 2/12/11 7:54 AM, kasim saeed wrote:
 That is not making any difference.. Any other idea.
 Please Help

 Regards
 Kaasim Saeed.


 On Sat, Feb 12, 2011 at 6:15 PM, Jim Basney jbas...@ncsa.uiuc.edu
 wrote:

 http://lists.globus.org/pipermail/gt-user/2011-February/009685.html

 On 2/12/11 6:00 AM, kasim saeed wrote:
 quser@choate:~$ myproxy-logon -s choate
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping
 entire
 message: SSL_write wrote -1 bytes, should be 83 bytes




 Hi all
 I am new to Globus and need to install it for my academic purposes. I am
 using the http://www.globus.org/toolkit/docs/5.0/5.0.2/admin/quickstart/
 link for installation.

 OS is Ubuntu 10.04.
 Globus version is 5.0.2.

 All went well except when I gave the command myproxy-logon -s choate;
 the following is the output.

 quser@choate:~$ myproxy-logon -s choate
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping
 entire
 message: SSL_write wrote -1 bytes, should be 83 bytes



 If i give myproxy-logon -v -s choate

 quser@choate:~$ myproxy-logon -v -s choate
 MyProxy v5.2 22 Jun 2010 OCSP
 Attempting to connect to 127.0.1.1:7512
 Successfully2 connected to choate:7512
 using trusted certificates directory /etc/grid-security/certificates
 no valid credentials found -- performing anonymous authentication
 Failed reading length 0
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping
 entire
 message: SSL_write wrote -1 bytes, should be 77 bytes

 Please help




 Regards
 Kaasim Saeed.
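
The ownership and permission rule Jim states above (storage directory owned by the account the myproxy-server runs under, mode 0700) is easy to verify before restarting the server. The following is an added example, not MyProxy code: `check_storage_dir` reports every deviation the way the server log does, `fix_storage_dir` tightens the mode (and re-owns the directory when run as root), and `demo_on_scratch_dir` exercises both on a throwaway directory owned by the caller so the check can be tried without privileges. The default expected owner (uid 0) and the scratch-directory prefix are assumptions.

```python
"""Check a myproxy-server storage directory the way the server does at start-up.

The server refuses to run unless its storage directory is owned by the account it
runs under (normally root, uid 0) and is reachable only by that account (mode 0700).
Added example, not MyProxy code: the path and expected owner are parameters so the
check can be exercised on a scratch directory without privileges.
"""
import os
import stat
import tempfile


def check_storage_dir(path, expected_uid=0):
    """Return a list of problems with `path`; an empty list means it is acceptable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    if st.st_uid != expected_uid:
        problems.append("%s not owned by uid %d (owner is uid %d)"
                        % (path, expected_uid, st.st_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # Any group/other bit lets another account read or tamper with stored credentials.
        problems.append("%s is accessible by others (mode %04o, want 0700)" % (path, mode))
    return problems


def fix_storage_dir(path, expected_uid=0):
    """Tighten the mode to 0700 and, when running as root, hand ownership to expected_uid."""
    os.chmod(path, 0o700)
    if os.geteuid() == 0 and os.stat(path).st_uid != expected_uid:
        os.chown(path, expected_uid, -1)
    return check_storage_dir(path, expected_uid)


def demo_on_scratch_dir():
    """Create a world-readable scratch directory owned by the caller, check it, fix it, re-check.

    Returns (problems_before, problems_after). The caller's own uid is used as the
    expected owner so the demonstration works without root.
    """
    scratch = tempfile.mkdtemp(prefix="myproxy-storage-")  # assumed prefix, any name works
    os.chmod(scratch, 0o755)   # simulate a directory created with a permissive umask
    me = os.getuid()
    before = check_storage_dir(scratch, expected_uid=me)
    after = fix_storage_dir(scratch, expected_uid=me)
    os.rmdir(scratch)
    return before, after


if __name__ == "__main__":
    before, after = demo_on_scratch_dir()
    print("before:", before or "ok")
    print("after: ", after or "ok")
```

Run `check_storage_dir("/sandbox/globus/globus5a/var/myproxy")` as root on the affected host to see the same complaint the server wrote to its log; note that fixing the directory does not fix files inside it that were also created as the wrong user, which is why Jim recommends redoing the quickstart steps as root.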




 


Re: [gt-user] Globus Container Serialization

2011-01-25 Thread Jim Basney
I think the serialization code is in the
org.globus.delegation.service.DelegationResource store() and load()
methods in
ws-delegation/service/java/source/src/org/globus/delegation/service/DelegationResource.java
which use java.io.ObjectInputStream and java.io.ObjectOutputStream.

On 1/25/11 1:50 AM, Christopher Kunz wrote:
 Hi,
 
 I'm writing here in the hopes that someone has an idea about what I'm
 seeing (and/or could maybe forward to gt-dev).
 
 I'm trying to manually deserialize the contents of the
 .globus/persisted/ip-port/DelegatedResource directory on a GT 4.0.x
 container. The serialized files contain the credentials (which I'm after
 for my Auditing project), but these aren't fully plaintext. There are
 control characters at regular distances within the credentials,
 rendering them unusable.
 
 I have manually found out that the characters are a z, followed by two
 to four bytes of non-ASCII stuff. However, I have got no idea what
 brings them there.
 
 From browsing the source I think I have deduced that the serialization
 process inherits from the BeanSerialization class, but I'm not sure
 where exactly the DelegatedResource handling is in the Container code.
 
 Can someone point me in the right direction?
 
 Regards,
 
 --ck


Re: [gt-user] GT4.0 WS-GRAM proxy serials

2011-01-20 Thread Jim Basney
Hi Christopher,

I can only offer guesses and some pointers...

One scenario is a Java WS-GRAM client using the GT4 Delegation Service.
In this case, I believe the serial numbers for proxy certificates are
set randomly in
org.globus.gsi.bc.BouncyCastleCertProcessingFactory.createProxyCertificate()
to be equal to the number added in the new /CN= element in the proxy
certificate (see the serialNum and delegDN variables in the code). It's
possible the Java random number generator isn't being properly seeded
and is giving the same number multiple times, which could be a bug...

Here's a link to the code:

http://viewcvs.globus.org/viewcvs.cgi/jglobus/src/org/globus/gsi/bc/BouncyCastleCertProcessingFactory.java?root=Java+COG&view=markup

If you're using a C client, I believe the serial numbers are set to the
hash of the public key in globus_l_gsi_proxy_sign_key() in
gsi/proxy/proxy_core/source/library/globus_gsi_proxy.c. In this case, be
aware that the GT4 Delegation Service re-uses keys
(http://www.globus.org/toolkit/docs/4.0/security/delegation/admin-index.html#id2529246),
and this could explain why you're seeing the same serial number over and
over again.

Considering that RFC 3820 says:

   The serial number of a Proxy Certificate (PC) SHOULD be unique
   amongst all Proxy Certificates issued by a particular Proxy Issuer.
   However, a Proxy Issuer MAY use an approach to assigning serial
   numbers that merely ensures a high probability of uniqueness.

It seems the approach of generating serial numbers by hashing the public
key, when combined with the re-use of keys in the GT4 Delegation
Service, results in non-compliance with that SHOULD (i.e., it sounds
like a bug).

If you're able to confirm any of my guesses, please do post your results
to the list.

-Jim

On 1/20/11 1:51 AM, Christopher Kunz wrote:
 Hi,
 
 in working with my Auditing project, I have noticed that the proxies
 created automatically by GT 4.0 WS-GRAMs do not seem to have unique
 serials, instead I can see that a lot of times serials seem to be
 reused. In my experiments, the serial 2031473274 seems to be used for
 authentication and delegation proxies a lot.
 
 Is this a known issue? Is this configurable?
 
 Regards,
 
 --ck
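
The RFC 3820 point made above (serials SHOULD be unique per proxy issuer, and hashing a re-used public key defeats that) can be checked directly over a pile of captured proxy certificates. The following is an added example, not Globus code: it parses the text `openssl x509 -noout -issuer -serial` prints for each certificate (the pre-1.1 `issuer= /O=...` layout), groups the certificates by (issuer, serial), and reports every pair issued more than once. The sample output is constructed; the issuer DN is hypothetical and the repeated serial is the decimal value reported in the thread written in hex.

```python
"""Spot proxy certificates that share a serial number under the same issuer.

RFC 3820 says a proxy issuer SHOULD keep serials unique; serials derived from a
hash of a re-used public key collide. Added example, not Globus code: it reads
the output of `openssl x509 -noout -issuer -serial` (one issuer line followed by
one serial line per certificate) and counts (issuer, serial) pairs.
"""
import subprocess
from collections import defaultdict


def parse_openssl_output(text):
    """Return [(issuer, serial_int), ...] from concatenated openssl issuer/serial output."""
    records = []
    issuer = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("serial="):
            if issuer is None:
                raise ValueError("serial line without a preceding issuer line: %r" % raw)
            records.append((issuer, int(line[len("serial="):], 16)))
            issuer = None
    return records


def find_duplicate_serials(records):
    """Return {(issuer, serial): count} for every pair that occurs more than once."""
    counts = defaultdict(int)
    for key in records:
        counts[key] += 1
    return {key: n for key, n in counts.items() if n > 1}


def serials_from_files(paths):
    """Collect (issuer, serial) records from PEM files (needs the openssl CLI)."""
    records = []
    for path in paths:
        text = subprocess.check_output(
            ["openssl", "x509", "-noout", "-issuer", "-serial", "-in", path], text=True)
        records.extend(parse_openssl_output(text))
    return records


# Constructed sample: three proxies from one (hypothetical) issuer, two of which carry
# serial 0x7915D27A, i.e. decimal 2031473274, the value observed in the thread.
SAMPLE = """\
issuer= /O=Grid/OU=Example/CN=Example User
serial=7915D27A
issuer= /O=Grid/OU=Example/CN=Example User
serial=7915D27A
issuer= /O=Grid/OU=Example/CN=Example User
serial=0A1B2C3D
"""

if __name__ == "__main__":
    duplicates = find_duplicate_serials(parse_openssl_output(SAMPLE))
    for (issuer, serial), n in sorted(duplicates.items()):
        print("%s: serial %d (0x%X) used %d times" % (issuer, serial, serial, n))
```

Point `serials_from_files` at the proxy files collected by the auditing job; a non-empty result is exactly the non-compliance with the RFC 3820 SHOULD described above. Note that a proxy's issuer is the EEC or the previous proxy in the chain, so collisions are only meaningful within one issuer.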


Re: [gt-user] Quick Install

2010-11-16 Thread Jim Basney
It seems something went wrong when you ran

  myproxy-admin-addservice -c helium.adiroy.com -l helium

on hydrogen. What is the output of myproxy-admin-query on hydrogen? It
should show the helium.adiroy.com certificate in the repository.

anonymous just means you don't have a certificate yet on helium.
That shouldn't be causing the problem.

On 11/16/10 5:33 PM, Roy, Kevin (LNG-SEA) wrote:
 I followed the quick install step-by-step.  When I setup my second
 machine and try to retrieve the myproxy service which I just created on
 the first machine.  I receive the following error.
 
  
 
 r...@helium:~# myproxy-retrieve -s hydrogen -k helium.adiroy.com -l
 helium
 
 Enter MyProxy pass phrase:
 
 ERROR from myproxy-server:
 
 anonymous not authorized by server's default
 authorized_key_retrievers policy
 
  
 
 How do I get around this problem?  Should I be looking into why I am
 anonymous?  I would assume that I would be root.  Also my
 authorized_key_retrievers is set to * shouldn't that let anyone to the
 proxy server?
 
  
 
 Thanks in advance,
 
  
 
 Kevin


Re: [gt-user] Environmental variables

2010-10-28 Thread Jim Basney
I see that the call that's failing is gss_accept_sec_context(). That's a
server-side call. (The corresponding client-side call is
gss_init_sec_context().) So I think the issue is the server-side
environment variables, not the client-side. Maybe you need to set
X509_CERT_DIR in the /etc/xinetd.d entry for your gridftp server or
create an /etc/grid-security/certificates directory/symlink for the
server-side to use.

On 10/28/10 10:34 AM, Estanislao Gonzalez wrote:
  Hi,
 
 I'm having headaches understanding how environment variables are
 read and in which order.
 
 I'm running globus-url-copy from the same machine running a grid server
 and the user X509_CERT_DIR is apparently not being used...
 
 e...@ipcc-mpi:~$ env | grep 509
 X509_CERT_DIR=/pf/k/egon/.globus_ipcc/certificates-esg
 X509_USER_PROXY=/pf/k/egon/.globus_ipcc/certificate-file
 e...@ipcc-mpi:~$ ll -d $X509_CERT_DIR
 drwxr-sr-x 2 egon k204 2048 Oct 22 16:41
 /pf/k/egon/.globus_ipcc/certificates-esg/
 e...@ipcc-mpi:~$ GLOBUS_ERROR_OUTPUT=1 GLOBUS_ERROR_VERBOSE=1
 globus-url-copy -list
 'gsiftp://ipcc-mpi.dkrz.de//cmip5/output/MPI-M/ECHAM6-MPIOM-TR/amip/6hr/atmos/6hrPlev/r1i1p1/v20100928/psl/'
 
 globus_error_put():
 globus_gsi_system_config.c:globus_i_gsi_sysconfig_check_certfile_unix:4967:
 File is not owned by current user: /etc/grid-security/hostcert.pem is
 not owned by current user
 [...]
 500 500-Command failed. : globus_xio_gsi: gss_accept_sec_context failed.
 500-globus_gsi_gssapi: Error with gss context
 500-globus_gsi_gssapi: Error with GSI credential
 500-globus_sysconfig: Could not find a valid trusted CA certificates
 directory: The trusted certificates directory could not be found in any
 of the following locations:
 500-1) env. var. X509_CERT_DIR
 500-2) $HOME/.globus/certificates
 500-3) /etc/grid-security/certificates
 500-4) $GLOBUS_LOCATION/share/certificates
 500-
 500 End.
 
 Any idea why?
 
 Thanks,
 Estani
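
The lookup order the GridFTP error above spells out (X509_CERT_DIR, then $HOME/.globus/certificates, then /etc/grid-security/certificates, then $GLOBUS_LOCATION/share/certificates) is what makes Jim's diagnosis work: the client process resolves a directory from its own environment while the server process, started by xinetd with a much smaller environment, resolves none. The following is an added example, not Globus code, that walks that order for any given environment so both sides can be compared; the `isdir` hook is there so the logic can be tried against made-up paths, and the sample paths in the usage are assumptions.

```python
"""Find the trusted CA certificates directory in the order GSI reports it.

Added example, not Globus code. The environment is passed in as a dict so the
interactive user's environment can be compared with the (usually much emptier)
environment a server started from xinetd sees.
"""
import os

SYSTEM_CERT_DIR = "/etc/grid-security/certificates"


def trusted_cert_dir_candidates(env):
    """Return the candidate directories in GSI lookup order for the given environment."""
    candidates = []
    if env.get("X509_CERT_DIR"):
        candidates.append(env["X509_CERT_DIR"])
    if env.get("HOME"):
        candidates.append(os.path.join(env["HOME"], ".globus", "certificates"))
    candidates.append(SYSTEM_CERT_DIR)
    if env.get("GLOBUS_LOCATION"):
        candidates.append(os.path.join(env["GLOBUS_LOCATION"], "share", "certificates"))
    return candidates


def find_trusted_cert_dir(env, isdir=os.path.isdir):
    """Return the first candidate that is a directory, or None when GSI would give up."""
    for path in trusted_cert_dir_candidates(env):
        if isdir(path):
            return path
    return None


def diagnose(client_env, server_env, isdir=os.path.isdir):
    """One-line verdict on a client/server mismatch like the one in the thread."""
    client_dir = find_trusted_cert_dir(client_env, isdir)
    server_dir = find_trusted_cert_dir(server_env, isdir)
    if client_dir and not server_dir:
        return ("client uses %s but the server finds none of %s: set X509_CERT_DIR where "
                "the server is launched or create %s"
                % (client_dir, trusted_cert_dir_candidates(server_env), SYSTEM_CERT_DIR))
    if client_dir is None:
        return "client finds no trusted certificates directory"
    return "both sides resolve a trusted certificates directory (client %s, server %s)" % (
        client_dir, server_dir)


if __name__ == "__main__":
    # The calling user's real environment, i.e. what globus-url-copy would see.
    print(find_trusted_cert_dir(dict(os.environ)))
```

To see the server's view, run the same function with the environment the xinetd service actually gets (typically just PATH and a few variables), which is why setting X509_CERT_DIR in the xinetd entry or providing /etc/grid-security/certificates is the cure.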
 


Re: [gt-user] problem in installing gt-5.0.0 on MacOSX 10.6.4

2010-10-28 Thread Jim Basney
I suggest trying GT 5.0.2 (latest stable), rather than GT 5.0.0.

Also, see the MacOS platform notes:

http://www.globus.org/toolkit/docs/5.0/5.0.2/admin/install/#gtadmin-platform-macosx

On 10/28/10 3:28 PM, skil...@cct.lsu.edu wrote:
 Hello Globus users,
 
 I have been getting the following error message when I try to install
 globus-5.0.0 on my Mac (arch = i386). I was trying to download from
 the 'Source Download' link through the Globus website. I highly
 appreciate your help and suggestions in this regard.
 
 Error:
/usr/bin/gcc -g -fno-common -Wall -o grid-proxy-init
 grid_proxy_init.o globus_stdio_ui.o  -L/tmp/globus5.0.0/lib
 /tmp/globus5.0.0/lib/libglobus_gss_assist_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_gssapi_gsi_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_gsi_proxy_core_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_gsi_credential_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_gsi_callback_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_oldgaa_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_gsi_sysconfig_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_gsi_cert_utils_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_openssl_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_openssl_error_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_callout_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_proxy_ssl_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libglobus_common_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libssl_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libcrypto_gcc32dbg.dylib
 /tmp/globus5.0.0/lib/libltdl_gcc32dbg.dylib
 ld: warning: in /tmp/globus5.0.0/lib/libssl_gcc32dbg.dylib, file was
 built for i386 which is not the architecture being linked (x86_64)
 ld: warning: in /tmp/globus5.0.0/lib/libcrypto_gcc32dbg.dylib, file
 was built for i386 which is not the architecture being linked (x86_64)
 Undefined symbols:
_UI_set_result, referenced from:
_globus_l_stdio_ui_read in globus_stdio_ui.o
_OBJ_sn2nid, referenced from:
_globus_l_gsi_proxy_utils_extension_callback in grid_proxy_init.o
_globus_l_gsi_proxy_utils_extension_callback in grid_proxy_init.o
_UI_set_default_method, referenced from:
_globus_l_stdio_ui_activate in globus_stdio_ui.o
_globus_l_stdio_ui_deactivate in globus_stdio_ui.o
_BIO_free, referenced from:
_main in grid_proxy_init.o
_UI_method_set_writer, referenced from:
_globus_l_stdio_ui_activate in globus_stdio_ui.o
_UI_destroy_method, referenced from:
_globus_l_stdio_ui_deactivate in globus_stdio_ui.o
_OBJ_obj2nid, referenced from:
_globus_l_gsi_proxy_utils_extension_callback in grid_proxy_init.o
_UI_get0_output_string, referenced from:
_globus_l_stdio_ui_write in globus_stdio_ui.o
_OBJ_create, referenced from:
_main in grid_proxy_init.o
_UI_create_method, referenced from:
_globus_l_stdio_ui_activate in globus_stdio_ui.o
_UI_get_default_method, referenced from:
_globus_l_stdio_ui_activate in globus_stdio_ui.o
_EVP_set_pw_prompt, referenced from:
_main in grid_proxy_init.o
_main in grid_proxy_init.o
_X509_EXTENSION_get_object, referenced from:
_globus_l_gsi_proxy_utils_extension_callback in grid_proxy_init.o
_UI_method_set_reader, referenced from:
_globus_l_stdio_ui_activate in globus_stdio_ui.o
 ld: symbol(s) not found
 collect2: ld returned 1 exit status
 make[2]: *** [grid-proxy-init] Error 1
 make[1]: *** [all-recursive] Error 1  
 
 Thank you for your time and patience.
 


Re: [gt-user] error while installing globus toolkitb 5.0.1 by using quickstart

2010-06-08 Thread Jim Basney
By any chance did you skip step 2.3?
Did you successfully run the myproxy-retrieve command in step 2.3 before
proceeding to step 2.4?
Also make sure both your machines have accurate system clocks.
Sometimes system clock problems cause low-level SSL errors like this.

On 6/8/10 1:50 AM, Deepti Malhotra wrote:
 Hi,
 
 I am installing globus toolkit 5.0.1 on my machine. I have done it
 successfully on my first machine named nodeA on 4th June and now today I
 have been working on the second machine named webserver.
 
 In step 2.4, i.e. GridFTP, on the second machine, using the quickstart:
 
 [r...@webserver grid-security]# vim /etc/xinetd.d/gridftp
 [r...@webserver grid-security]# vim /etc/services
 [r...@webserver grid-security]# /etc/init.d/xinetd reload
 Reloading configuration:   [  OK  ]
 
 [r...@webserver ~]# export GLOBUS_LOCATION=/usr/local/globus-5.0.1/
 [r...@webserver ~]# source $GLOBUS_LOCATION/etc/globus-user-env.csh
 -bash: /usr/local/globus-5.0.1//etc/globus-user-env.csh: line 167: syntax
 error: unexpected end of file
 [r...@webserver ~]# source $GLOBUS_LOCATION/etc/globus-user-env.sh
 [r...@webserver ~]# myproxy-logon -s nodeA
 Enter MyProxy pass phrase:
 Error authenticating: Connection closed.
 Error writing: GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: internal problem with SSL BIO: SSL failed wrapping entire
 message: SSL_write wrote -1 bytes, should be 79 bytes
 
 Do I have to perform all the steps on both machines each time?
 Can anybody tell me whether I have to perform all the steps on the first
 machine, i.e. nodeA, again.
 
 
 
 
 
 
 Regards
 
 Deepti Malhotra
 
 Research Scholar
 
 Deptt. of Computer Science & IT
 
 Jammu University
 
 Jammu
 
 


Re: [gt-user] error in installing globus toolkit 5.0.1 by using quickstart

2010-06-03 Thread Jim Basney
It appears you skipped the 'vim /etc/myproxy-server.config' step to
uncomment (remove the '#' character from) the following lines:

accepted_credentials      *
authorized_retrievers     *
default_retrievers        *
authorized_renewers       *
default_renewers          none
authorized_key_retrievers *
default_key_retrievers    none

By default, the myproxy-server.config does not enable any access.
Uncommenting these lines is necessary to allow (authorize) access as
required by the quickstart.

On 6/3/10 3:01 AM, Deepti Malhotra wrote:
 Hi all
 I want to install globus toolkit 5.0.1 on my PC. I am following
 the quickstart given in
 http://www.globus.org/toolkit/docs/5.0/5.0.1/admin/quickstart/#q-security.
 
 nodeA is the name of my machine and quser is the name of the user created by
 using the command
 [r...@nodea ~]# myproxy-admin-adduser -c "QuickStart User" -l quser
 
 In step 1.5, Set up GridFTP, when I gave the command below I got the
 following errors:
 
 [qu...@nodea ~]$ myproxy-logon -s nodeA
 Enter MyProxy pass phrase:
 Failed to receive credentials.
 
 ERROR from myproxy-server:
 anonymous not authorized by server's trusted_retrievers policy
 anonymous not authorized by server's authorized_retrievers policy
 anonymous not authorized by server's authorized_renewers policy
 
 
 Can anybody please help me in sorting out this error?
 
 Regards
 
 Deepti 
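
The failure mode Jim describes above (every access policy in myproxy-server.config still commented out, so the server answers "anonymous not authorized by server's ... policy") is simple to check mechanically before restarting the server. The following is an added example, not MyProxy code: it parses the `directive value` lines of a myproxy-server.config, distinguishes active directives from ones that only appear behind a '#', and lists which of the quickstart's policies are missing. The two sample configs are constructed to show the file before and after the quickstart edit (the shipped file quotes its values, which the parser strips).

```python
"""Report which myproxy-server.config access policies are actually in force.

myproxy-server.config is a sequence of `directive value` lines; a leading '#'
makes the line a comment, so a policy that is still commented out grants nothing.
Added example, not MyProxy code.
"""

# Directives the quickstart tells you to uncomment.
POLICY_DIRECTIVES = (
    "accepted_credentials",
    "authorized_retrievers",
    "default_retrievers",
    "authorized_renewers",
    "default_renewers",
    "authorized_key_retrievers",
    "default_key_retrievers",
)


def parse_config(text):
    """Return (active, commented_out).

    active maps each uncommented directive to its value (surrounding quotes removed);
    commented_out is the set of policy directives that appear only behind a '#'.
    """
    active = {}
    commented = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        if is_comment:
            line = line.lstrip("#").strip()
        parts = line.split(None, 1)
        if not parts:
            continue  # a bare '#' line
        key = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if is_comment:
            if key in POLICY_DIRECTIVES:
                commented.add(key)
        else:
            active[key] = value
    return active, commented - set(active)


def missing_policies(text, required=POLICY_DIRECTIVES):
    """Return the required directives that are not active, in the order given."""
    active, _ = parse_config(text)
    return [directive for directive in required if directive not in active]


# Constructed samples: the shipped file with every policy commented out, and the
# same file after the quickstart edit.
BEFORE = """\
# Access control policies (all commented out: nothing is allowed)
#accepted_credentials      "*"
#authorized_retrievers     "*"
#default_retrievers        "*"
#authorized_renewers       "*"
#default_renewers          "none"
#authorized_key_retrievers "*"
#default_key_retrievers    "none"
"""

AFTER = """\
# Access control policies as required by the quickstart
accepted_credentials      "*"
authorized_retrievers     "*"
default_retrievers        "*"
authorized_renewers       "*"
default_renewers          "none"
authorized_key_retrievers "*"
default_key_retrievers    "none"
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_policies(text)
        print("%s: %s" % (name, "missing " + ", ".join(gaps) if gaps else "all quickstart policies active"))
```

Feeding the real file (`open("/etc/myproxy-server.config").read()`) to `missing_policies` gives the list of directives to uncomment; remember that "*" is the wide-open quickstart setting, and a production server would normally carry a narrower DN pattern in these policies.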


Re: [gt-user] certificate verify failed

2010-05-04 Thread Jim Basney
If by any chance you're using OpenSSL 1.0.0, likely your CA files were
named using the new OpenSSL hash algorithm, whereas the Globus Java
components are looking for CA files using the old hash names. In that
case, you may find the documentation at
http://www.cilogon.org/openssl1 helpful for diagnosing and correcting
the problem.

On 5/4/10 10:40 AM, Lukasz Lacinski wrote:
 Hi,
 
 Did one of these CAs (6c72648e, fa9133d3) issue the user certificate that
 you use to submit a job? Definitely, you use somewhere a certificate issued
 by a CA with hash aacc0995.
 
 Regards,
 Lukasz
 
 
 On May 4, 2010, at 7:38 AM, Luis wrote:
 
 Hello,

 That is what I first thought. However, in
 the /etc/grid-security/certificates directory I have the following files:

 -rw-r--r-- 1 root root 1,4K may  3 13:39 grid-security.conf.6c72648e
 -rw-r--r-- 1 root root 2,8K may  3 13:39 globus-user-ssl.conf.6c72648e
 -rw-r--r-- 1 root root 2,7K may  3 13:39 globus-host-ssl.conf.6c72648e
 -rw-r--r-- 1 root root 1,4K may  3 13:39 6c72648e.signing_policy
 -rw-r--r-- 1 root root  924 may  3 13:39 6c72648e.0
 -rw-r--r-- 1 root root 1,4K may  3 14:02 fa9133d3.signing_policy
 -rw-r--r-- 1 root root  944 may  3 14:02 fa9133d3.0

 Which are the certificates for the local CA (6c72648e*) and the ones for
 the other CA (fa9133d3*).


 Is it possible that the certificates are searched for in another directory?

 On Tue, 04-05-2010 at 05:16 -0500, Lukasz Lacinski wrote:
 The command globusrun-ws verifies the authenticity of the GRAM4 service you
 submit a job to. To do that the command globusrun-ws searches in
 $HOME/.globus/certificates or in /etc/grid-security/certificates for the
 certificate of the Certificate Authority that signed the GRAM4 service
 certificate. The error message you got suggests that you do not have the
 file aacc0995.0 with the certificate of that Certificate Authority.
 At the same time you are able to submit a job to resourceB, because you
 have the certificate of another Certificate Authority that issued the
 service certificate for resourceB.

 Regards,
 Lukasz


 On May 4, 2010, at 4:37 AM, Luis wrote:

 Hello,

 I have some problems to execute a basic globusrun-ws command. When I
 execute:

 globusrun-ws -submit -c /bin/hostname

 The output is:

 Submitting job...Failed.
 globusrun-ws: Error submitting job
 OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function
 SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module: Can't get the local trusted CA certificate:
 Untrusted self-signed certificate in chain with hash aacc0995


 Do you know what the problem is?

 I have a valid certificate and I can make transfers (globus-url-copy) to
 and from this resource. Moreover, I can execute this command but setting
 another resource to execute the job, for example:

 globusrun-ws -submit -F resourceB -c /bin/hostname


 Thank you!

 Best regards!
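
Jim's OpenSSL 1.0.0 hint above is about file names: the `<hash>.0` and `<hash>.signing_policy` names in the certificates directory come from a subject-name hash that OpenSSL changed in 1.0.0, so a CA installed under the new name is invisible to components that still compute the old one. The usual fix is to make each CA reachable under both names. The following is an added example, not Globus or CILogon code: it parses the two lines `openssl x509 -noout -subject_hash -subject_hash_old` prints (in the order the options are given), works out which symlinks are missing, and creates them. The hash values in the usage are made up; only `link_ca_files` touches the filesystem and needs the openssl CLI.

```python
"""Expose a CA certificate under both the old and the new OpenSSL hash names.

Added example, not Globus or CILogon code. `hashes_from_openssl_output` parses
openssl's two hash lines, `plan_links` decides which links are missing given the
file names already present, and `link_ca_files` applies the plan in a directory.
"""
import os
import subprocess

# Globus keeps these companions per CA in the certificates directory; both must be
# reachable under either hash name.
SUFFIXES = (".0", ".signing_policy")


def hashes_from_openssl_output(text):
    """Return (new_hash, old_hash), checking that each is 8 lowercase hex digits."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 2:
        raise ValueError("expected two hash lines, got %r" % lines)
    for h in lines:
        if len(h) != 8 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError("not an 8-digit hex hash: %r" % h)
    return lines[0], lines[1]


def plan_links(new_hash, old_hash, existing):
    """Return [(link_name, target_name)] so both hash names resolve, given existing names."""
    if new_hash == old_hash:
        return []  # pre-1.0.0 and 1.0.0 agree for this subject; nothing to do
    plan = []
    for suffix in SUFFIXES:
        new_name, old_name = new_hash + suffix, old_hash + suffix
        if new_name in existing and old_name not in existing:
            plan.append((old_name, new_name))
        elif old_name in existing and new_name not in existing:
            plan.append((new_name, old_name))
    return plan


def link_ca_files(cert_dir, cert_file):
    """Compute both hashes for cert_file and create the missing symlinks in cert_dir."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-subject_hash", "-subject_hash_old",
         "-in", os.path.join(cert_dir, cert_file)], text=True)
    new_hash, old_hash = hashes_from_openssl_output(out)
    plan = plan_links(new_hash, old_hash, set(os.listdir(cert_dir)))
    for link_name, target_name in plan:
        # Relative link, so the directory can be copied or mounted elsewhere intact.
        os.symlink(target_name, os.path.join(cert_dir, link_name))
    return plan


if __name__ == "__main__":
    import sys
    # usage: python link_ca_hashes.py /etc/grid-security/certificates <hash>.0
    for link_name, target_name in link_ca_files(sys.argv[1], sys.argv[2]):
        print("%s -> %s" % (link_name, target_name))
```

Because the plan is computed from the directory listing, re-running the tool is harmless once both names exist, and a CA whose two hashes coincide produces no links at all.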





 


Re: [gt-user] gss gsi mechglue

2010-04-14 Thread Jim Basney
I'm fairly certain that the GSI GSSAPI libraries do not have an equivalent to 
mechglue_internal_krb5_init or gss_mech_initialize. These functions are not 
part of the standard GSSAPI.

- Ricardo Rocha ricardo.ro...@cern.ch wrote:
 I'm using version 0.1-4 (libgssglue0, coming with debian unstable),
 and i see in /etc/gssapi_mech.conf:
 
 # NOTE:
 # The initiaiization function mechglue_internal_krb5_init
 # is used for the MIT krb5 gssapi mechanism.  This special
 # function name indicates that an internal function should
 # be used to determine the entry points for the MIT gssapi
 # mechanism funtions.
 #
 # library   initialization function
 #   ==
 # The MIT K5 gssapi library, use special function for initialization.
 #/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init
 /usr/lib/libgssapi_krb5.so.2mechglue_internal_krb5_init
 #
 # The SPKM3 gssapi library function.  Use the function
 spkm3_gss_initialize.
 # /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so   
 spkm3_gss_initialize
 
 It might be that passing the right initialization function I can just
 use the unpatched mechglue. I'll investigate a bit more, but if you
 have a guess for what this function could be...
 
 Thank you very much,
   Ricardo
 
 On Wed, Apr 14, 2010 at 3:51 PM, Jim Basney jbas...@ncsa.uiuc.edu
 wrote:
  Last time I looked into it, the original GSSAPI mechglue library
 required the underlying GSSAPI libraries to be mechglue aware (i.e.,
 have something like gss_mech_initialize). The patched version removes
 that requirement.
 
  - Ricardo Rocha ricardo.ro...@cern.ch wrote:
  Hi Jim.
 
  Thanks for the link.
 
   I had seen it in my searches, but I thought it was only needed for
   openssh gsi. I thought the mechglue library was accepting any gssapi
   plugin implementation, and that its purpose was exactly to load
   multiple mechanisms on the same machine. Why do I need a patched
   version to use the gsi plugin?
 
  Thanks again,
    Ricardo
 
  On Wed, Apr 14, 2010 at 3:32 PM, Jim Basney
 jbas...@ncsa.uiuc.edu
  wrote:
   Hi Ricardo,
  
   For a modified version of the gssapi-mechglue library that works
  with the GSI GSSAPI libraries, please see:
   http://grid.ncsa.illinois.edu/gssapi-mechglue/
   It includes a gss_initialize() function that does the
  initialization.
  
   -Jim
  
   - Ricardo Rocha ricardo.ro...@cern.ch wrote:
   Hi.
  
    (I sent this same message yesterday, but I wasn't subscribed to the
    list)
  
   I'm trying to use the gssapi globus gsi plugin, via the gssglue
   (mechglue) libraries.
  
   I've configured gssapi_mech.conf with something similar to the
   default
   krb5 config:
   
   # globus gsi
   /usr/lib/libglobus_gssapi_gsi.so.4
   
  
    (I'm fetching the globus libraries from debian unstable)
  
   From here i get the following error:
   
   /usr/lib/libglobus_gssapi_gsi.so.4.3.0: undefined symbol:
   gss_mech_initialize: searching for symbol 'gss_mech_initialize'
 in
   '/usr/lib/libglobus_gssapi_gsi.so.4.3.0'
   
  
    I've tried to specify the initialization function (as is done for
    krb5), but I don't know the name of the function that mechglue should
    be calling in the globus plugin (guessing around I keep getting
    segfaults).
  
    Can someone give me a hand with this? Or maybe point me to some docs
    (my google searches are giving nothing)?
  
   Thanks,
    Ricardo
  
 


Re: [gt-user] Using a non-standard proxy location with gsissh

2010-04-14 Thread Jim Basney
Hi Erik,

Yes, you can set the X509_USER_PROXY environment variable to the path of your 
proxy file. The gsissh command respects the standard GSI C environment 
variables 
(http://www.globus.org/toolkit/docs/latest-stable/security/gsic/pi/#gsic-env-var).
 I agree we should document it on the gsissh man page and web site.

-Jim

- Erik Schnetter schnet...@cct.lsu.edu wrote:
 I want to use gsissh with a proxy at a non-standard location, e.g. as 
 created by grid-proxy-init with the -out option.  Is there a  
 command line option or environment variable for gsissh for this?  I  
 couldn't find this on the man page and web page.
 
 Thanks,
 -erik
 
 -- 
 Erik Schnetter schnet...@cct.lsu.edu  
 http://www.cct.lsu.edu/~eschnett/


Re: [gt-user] MyProxy vs. TeraGrid MyProxy

2010-04-01 Thread Jim Basney
Hi Lukasz,

The myproxy.teragrid.org server is configured to act as a certificate authority:

  http://grid.ncsa.illinois.edu/myproxy/teragrid.html
  http://grid.ncsa.illinois.edu/myproxy/ca/

Regards,
Jim

- Original Message -
From: Lukasz Lacinski luk...@ci.uchicago.edu
To: GT User gt-u...@globus.org
Sent: Thursday, April 1, 2010 12:29:46 PM
Subject: [gt-user] MyProxy vs. TeraGrid MyProxy

Hi,

TG users can obtain credentials from myproxy.teragrid.org using the command
myproxy-logon. These credentials are signed using the users' EECs. It would mean that
EECs play the role of credentials stored using the command myproxy-store. But,
what is interesting, users cannot retrieve nor destroy these credentials.
How to configure MyProxy server to do so?

Regards,
Lukasz



Re: [gt-user] Error while creating user certificates

2010-03-19 Thread Jim Basney
What is the output of 'which grid-cert-request'? Did you 'source
$GLOBUS_LOCATION/etc/globus-user-env.sh' to setup your environment?

On 3/19/10 1:59 AM, Ankuj Gupta wrote:
 Hi!!
 I had set up MyProxy and I was trying to get a user certificate for our
 sample user. I had used "QuickStart User" as the first and last name and
 quser as the UNIX account name for my user and ran the following command:
 
 # myproxy-admin-adduser -c "QuickStart User" -l quser
 
 But I got the following error
 
 Error: grid_cert_request not found.
 I have successfully got the certificates for the host, and MyProxy was also
 set up successfully.
 
 Ankuj


Re: [gt-user] host cert. question

2010-02-09 Thread Jim Basney
Hi Bill,

Yes, you can create a host certificate for any hostname, like this:

  grid-cert-request -host hpsstst01e.ucar.edu

It looks like you've already got a hpsstst01e.ucar.edu certificate
installed. It seems the problem is the hpsstst01i.ucar.edu expected
name which is who the client thinks it's connecting to. If you're
passing hpsstst01e.ucar.edu on the globus-url-copy command-line, then
somehow that's being converted to hpsstst01i.ucar.edu by the resolver.
Check /etc/hosts and /etc/resolv.conf. Also check that
hpsstst01e.ucar.edu resolves via DNS in both directions. I see:

$ host hpsstst01e.ucar.edu
hpsstst01e.ucar.edu has address 128.117.12.53
$ host 128.117.12.53
Host 53.12.117.128.in-addr.arpa. not found: 3(NXDOMAIN)

The missing DNS entry for 128.117.12.53 could be a problem. GSI by
default will do a reverse DNS lookup to find the canonical hostname.

There's lots more details at:
http://dev.globus.org/wiki/C_Security:_Server_Identity_Processing_In_GSI_C
http://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6331

At those URLs you can find details on how the GSI hostname processing
can support wildcards, check subjectAltNames, and disable DNS lookups
via the GLOBUS_GSSAPI_NAME_COMPATIBILITY environment variable.

-Jim

On 2/9/10 11:14 AM, Bill Anderson wrote:
 
 
 
  Hi there,
 
  I have a host with multiple IP addresses and I'd like to use
  globus-url-copy to connect to one of those addresses. However, the 
  address I want to use does not correspond to the hostname for the
  host that shows up with 'uname -a'. I've created a host
  certificate for the hostname that does correspond to the IP
  address I'm trying to connect to, but I continue to get error
  messages like: 
 
 530-globus_gsi_gssapi: Authorization denied: The name of the remote host 
 (hpsstst01e.ucar.edu), and the expected name for the remote host 
 (hpsstst01i.ucar.edu) do not match. This happens when the name in the host 
 certificate does not match the information obtained from DNS and is often a 
 DNS configuration problem.
 530 End.
 
  I'm trying to connect to hpsstst01e.ucar.edu via globus-url-copy,
  but the hostname that's reported by 'uname -a' is 'hpsstst01i.ucar.edu.
 
  My host certificate is shown below.
 
  Is is possible to create a host certificate for a host where there
  may be differences between the hostname used in connecting to the server
  and the name reported by 'uname'?
 
  Thanks for any help,
 
  Bill
 
 
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 4 (0x4)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu, 
 CN=Globus Simple CA
 Validity
 Not Before: Feb  9 17:03:12 2010 GMT
 Not After : Feb  9 17:03:12 2011 GMT
 Subject: O=Grid, OU=GlobusTest, OU=simpleCA-hpsstst01i.ucar.edu, 
 CN=host/hpsstst01e.ucar.edu
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:ab:df:67:42:80:e2:2f:ee:e9:0b:f8:e1:46:15:
 e1:4d:0d:66:66:c0:1c:a7:90:28:25:42:e6:ed:ab:
 33:e4:a5:fc:73:1a:2c:cd:3a:90:dd:c1:5b:a9:fa:
 2a:75:40:89:e4:09:f1:b7:ab:fa:08:f8:6c:a5:3b:
 f6:74:dd:3d:5f:62:90:23:47:46:5f:5a:38:e4:5c:
 c1:53:87:97:74:96:39:db:11:4d:11:56:09:68:30:
 95:a0:d9:c0:ca:70:d2:e6:95:14:1d:a2:b2:e8:2a:
 5a:50:34:b0:26:68:01:7f:d5:58:cb:08:0f:b3:ad:
 2c:f0:10:f5:6e:1a:2f:06:31
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 Netscape Cert Type: 
 SSL Client, SSL Server, S/MIME, Object Signing
 Signature Algorithm: md5WithRSAEncryption
 52:b7:3a:d3:55:17:3f:54:50:46:18:3d:e7:e3:dc:ff:20:b5:
 05:d3:30:11:6a:7c:b6:ae:ab:22:64:b7:07:5b:67:63:6c:13:
 95:ec:f3:3d:bd:82:ee:1d:32:fc:67:ed:eb:57:c3:40:f5:8e:
 4b:1b:39:d4:68:ca:33:e8:cb:30:b3:fb:c9:ff:bb:6f:db:8e:
 cb:bd:ae:63:81:dd:f9:79:95:9f:91:c4:65:2e:74:0a:65:44:
 f9:70:12:8a:d9:5e:ea:2c:84:02:19:48:48:10:93:b9:4a:9d:
 71:3f:75:e6:ff:e0:2a:3b:16:aa:39:9d:79:ac:e0:ef:bf:1a:
 1d:52
 
 

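The comparison Jim describes (certificate CN=host/<name> against the canonical name GSI derives from forward and reverse DNS) can be reproduced by hand before a transfer is attempted. The script below is an added example, not code from the thread or from Globus: it assumes the Globus convention that a host certificate subject ends in CN=host/<fqdn>, handles only that plain form (GSI's wildcard and subjectAltName support is not implemented here), and needs host(1), openssl(1) and working DNS for the live check. The pure string functions can be tried without any of that.

```sh
#!/bin/sh
# Added example: GSI-style host-name check done by hand.
# Assumes the Globus CN=host/<fqdn> convention; no wildcard/SAN handling.

# cert_hostname SUBJECT: the <fqdn> from a CN=host/<fqdn> subject string, in
# either the slash form (/O=Grid/.../CN=host/x) or the comma form printed by
# "openssl x509 -subject" (CN=host/x or, with newer openssl, CN = host/x).
cert_hostname() {
    printf '%s\n' "$1" | sed -n 's#.*CN *= *host/\([^,/]*\).*#\1#p'
}

# names_match EXPECTED CERTNAME: case-insensitive, ignoring a trailing dot
# (host(1) prints PTR targets with one). Empty certificate name never matches.
names_match() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$b" ] && [ "$a" = "$b" ]
}

# check_host NAME [CERT]: live check against DNS. Prints one line per address
# and returns 1 if any address has no PTR record or its PTR name does not
# match the certificate. Only reports; it changes nothing in GSI.
check_host() {
    name=$1
    cert=${2:-/etc/grid-security/hostcert.pem}
    cn=$(cert_hostname "$(openssl x509 -in "$cert" -noout -subject)")
    echo "certificate name: ${cn:-(no CN=host/... found)}"
    status=0
    for addr in $(host "$name" | awk '/has address/ {print $4}'); do
        ptr=$(host "$addr" | awk '/domain name pointer/ {print $5}')
        echo "$name -> $addr -> ${ptr:-NXDOMAIN}"
        if [ -z "$ptr" ]; then
            echo "  no PTR record: GSI's reverse lookup of $addr will fail"; status=1
        elif ! names_match "$ptr" "$cn"; then
            echo "  MISMATCH: DNS says $ptr, certificate says $cn"; status=1
        fi
    done
    return $status
}

# Usage: sh gsi-namecheck.sh hpsstst01e.ucar.edu [/path/to/hostcert.pem]
if [ $# -gt 0 ]; then check_host "$@"; fi
```

Run it with the name you pass to globus-url-copy. A line ending in NXDOMAIN is the missing reverse entry Jim points out; a MISMATCH line shows the two names from the 530 error side by side. Fix DNS (or /etc/hosts) rather than the certificate: the certificate in the thread is correct for hpsstst01e.ucar.edu, it is the name the client derives that is wrong.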

Re: [gt-user] Trouble with myproxy adding new users and services

2010-02-03 Thread Jim Basney
Hello Arn,

The myproxy-admin-adduser command is just a simple perl script that
calls grid-cert-request, grid-ca-sign, and
myproxy-admin-load-credential. You could try running the underlying
commands manually in sequence to see which one is hanging.

Probably it'd be good for us to add a -verbose option to
myproxy-admin-adduser for troubleshooting cases like this. I created a
bug (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6963) so we
don't forget to add it.

-Jim

On 2/3/10 1:11 PM, Arn wrote:
 Hi,
 
 I've setup a basic system (gridftp + RFT + globus-container + myproxy)
  with 3 nodes by following the quickstart document for GT 4.2.1 .
 
 The main node serves as the MyProxy server and RFT initiation host.
 The other two are plain gridFTP nodes.
 I was able to create a user certificate and add it to myproxy and then
 test out some gridftp file transfers which worked fine.
 
 However now when I try to add another user to myproxy, i.e. create
 another user certificate using myproxy-admin-adduser -c First
 Lastname -l username , it just hangs and does nothing.
 I'm trying this as root on the MyProxy host machine.
 if I try myproxy-info , it lists the existing certificate but I am not
 able to add any new users.
 I'm also not able to add a new service using
 myproxy-admin-addservice . This too worked fine earlier when I added
 the 2 gridftp hosts.
 
 What am I doing wrong ?  Note that I am exporting the correct paths
 and env variables before attempting the adduser and addservice
 
 Thanks in advance
 Arn


Re: [gt-user] command-like feature for cert-based ssh login

2010-01-29 Thread Jim Basney
Hi,

Does setting ForceCommand in $GLOBUS_LOCATION/etc/ssh/sshd_config do
what you need? It's documented in the man page:

  http://grid.ncsa.illinois.edu/ssh/man/sshd_config.5.html

-Jim

On 1/29/10 7:08 AM, Henning Perl wrote:
 Hello!
 
 I am trying to make gitosis (git repository hosting) work with gsi-openssh 
 using certificates.
 
 This is how gitosis usually works:
 1. All users log in using user `git' with a public key
 2. In ~git/.ssh/authorized_keys, for each public key there is a 
 `command=gitosis-serve' entry
 3. gitosis-serve gets called and inspects the $SSH_ORIGINAL_COMMAND 
 env-variable to grant or deny permission based on username and repository to 
 access
 
 My question is: Is there a way to supply a command that gets called *instead 
 of* the command the user supplied and have the user's command saved in some 
 environment variable?
 
 
 I already found `~/.ssh/rc', but with this two problems remain:
 1. The original command gets called too (after the rc-script)
 2. I have no access to the original command in the rc-script
 
 Does anyone have a clue about how to do this?
 
 Best regards, Henning Perl


Re: [gt-user] yet another Host key verification failed question

2009-12-03 Thread Jim Basney
Hi Brian,

Host key verification failed is an ssh client-side error. The top hit
from Google for this error message is
http://www.securityfocus.com/infocus/1806 which looks like a good
reference on the topic. I suspect you need to populate and distribute
/etc/ssh_known_hosts files between your nodes.

-Jim

Brian Pratt wrote:
 Actually more of a logging question - I don't expect anyone to solve the
 problem by remote control, but I'm having a bit of trouble figuring out
 which node (server or client) the error is coming from.
 
 Here's the scenario: a node running globus/ws-gram/pbs_server/pbs_sched and
 one running pbs_mom. Using the globus simple ca.  Job-submitting user is
 labkey on the globus node, and there's a labkey user on the client node
 too.
 
  I can watch decrypted SSL traffic on the client node with ssldump and
 simpleca private key and can see the job script being handed to the pbs_mom
 node.
 
 passwordless ssh/scp is configured between the two nodes.
 
 job-submitting user's .globus directory is shared via nfs with the mom
 node.  UIDs agree on both nodes.  globus user can write to it.
 
  Jobs submitted with qsub are fine. qsub -o
 ~labkey/globus_test/qsubtest_output.txt -e
 ~labkey/globus_test/qsubtest_err.txt qsubtest
  cat qsubtest
#!/bin/bash
date
env
logger hello from qsubtest, I am $(whoami)
 and indeed it executes on the pbs_mom client node.
 
 Jobs submitted with fork are fine.  globusrun-ws -submit -f gramtest_fork
  cat gramtest_fork
 <job>
   <executable>/mnt/userdata/gramtest_fork.sh</executable>
   <stdout>globus_test/gramtest_fork_stdout</stdout>
   <stderr>globus_test/gramtest_fork_stderr</stderr>
 </job>
 but those run local to the globus node, of course.
 
 But a job submitted as
 globusrun-ws -submit -f gramtest_pbs -Ft PBS
 
 cat gramtest_pbs
 <job>
   <executable>/usr/bin/env</executable>
   <stdout>gramtest_pbs_stdout</stdout>
   <stderr>gramtest_pbs_stderr</stderr>
 </job>
 
 Gives this: cat globusrun-ws -submit -f gramtest_pbs -Ft PBS
 Host key verification failed.
 /bin/touch: cannot touch
 `/home/labkey/.globus/c5acdc30-e04c-11de-9567-d32d83561bbd/exit.0': No such
 file or directory
 /var/spool/torque/mom_priv/jobs/
 1.domu-12-31-38-00-b4-b5.compute-1.internal.SC: 59: cannot open
 /home/labkey/.globus/c5acdc30-e04c-11de-9567-d32d83561bbd/exit.0: No such
 file
 [: 59: !=: unexpected operator
 
 I'm stumped - what piece of the authentication picture am I missing?  And
 how to identify the actor that emitted that failure message?
 
 Thanks,
 
 Brian Pratt


Re: [gt-user] MyProxy OpenSSL error

2009-10-27 Thread Jim Basney
I assume if you run the following command, you'll see the same error as
from grid-proxy-init:

  openssl verify -CApath /etc/grid-security/certificates -verbose \
/etc/grid-security/hostcert.pem

Please post your hostcert.pem file and your CA certificate file(s) from
/etc/grid-security/certificates. (Don't post your hostkey.pem file.)

I still think there must be some problem/mismatch with the CA certificate.

cmasmas cmasmas wrote:
 Hi there,
 
 first of all thanks a lot for your help.
 
 I've done the tests you mention, but the problem still goes on.
 I've created both a new hostcert and a new hostkey, and then verified them with
 the script on the OpenSSL page (the one under Verify A Certificate Matches A
 Private Key) and the result is
 that they match.
 
 In this machine there's only one CA installed so just one that signs.
 
 As I said, the problem state is the same (launching server and client the
 same way as in the 1st email gives the same output).
 
 Regards.
 
 2009/10/27 Jim Basney jbas...@ncsa.uiuc.edu
 
 That helps us focus the problem investigation. :)

 The next reference I suggest is:
 http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php

 I suggest following the Verify A Certificate Matches A Private Key
 instructions to confirm that your hostcert.pem and hostkey.pem match.

 You can use the View The Signer Of A Certificate instructions to
 identify the CA that signed your certificate and inspect the
 corresponding CA certificate in /etc/grid-security/certificates.

 Looking in the mailing list archives, it seems a common source of this
 OpenSSL error message is creating multiple CAs with the same name,
 resulting in confusion as to which CA instance signed each user/host
 certificate. It seems this error message may occur when there's a CA
 certificate with a subject matching the issuer of the user/host
 certificate but with a public key that doesn't match the signature on
 the user/host certificate (because it was signed by a different CA
 instance).

 Creating new hostcert.pem and hostkey.pem files may solve the problem.

 cmasmas cmasmas wrote:
 Hi:

 First of all, thanks for your answer. Here is the output:

 glo...@debian:/root$ grid-proxy-init -debug -verify -cert \
 /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem

 User Cert File: /etc/grid-security/hostcert.pem
 User Key File: /etc/grid-security/hostkey.pem

 Trusted CA Cert Dir: /etc/grid-security/certificates

 Output File: /tmp/x509up_u1001
 Your identity: /O=Grid/OU=GlobusTest/OU=
 simpleCA-debian.xxx.es/CN=host/debian.xxx.es
 Creating proxy ..
 ...
  Done
 Error: Couldn't verify the authenticity of the user's credential to
 generate
 a proxy from.
grid_proxy_init.c:971: globus_credential: Error verifying
 credential:
 Failed to verify credential
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module: Could not verify credential: certificate
 signature failure
 OpenSSL Error: a_verify.c:168: in library: asn1 encoding routines,
 function
 ASN1_item_verify: EVP lib
 OpenSSL Error: rsa_eay.c:699: in library: rsa routines, function
 RSA_EAY_PUBLIC_DECRYPT: padding check failed
 OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
 RSA_padding_check_PKCS1_type_1: block type is not 01
 Any ideas?

 Regards.



 2009/10/27 Jim Basney jbas...@ncsa.uiuc.edu

 Hi,

 I can only guess at what that OpenSSL error message is telling us. Since
 the client-side credentials verify OK, maybe there's a problem with the
 server's credentials. To check them, run:

  grid-proxy-init -debug -verify \
-cert /etc/grid-security/hostcert.pem \
-key /etc/grid-security/hostkey.pem

 (as recommended at
 http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html).

 -Jim

 cmasmas cmasmas wrote:
 Hi there,

 I'm installing Globus 4.2.1 on Debian5 and I'm stuck on the step to
 prove that the gridftp server works.
 I'm following the globus quickstart tutorial on the web.

 I've run on separate consoles myproxy client and server, and this is
 what
 each prompts when i try to log in:

 In the client console:
 glo...@debian:~$ myproxy-init -s debian
 Your identity:  my identity 
 Enter GRID pass phrase for this identity:
 Creating proxy . Done
 Proxy Verify OK
 Your proxy is valid until: Tue Nov  3 00:14:18 2009
 Error authenticating: GSS Major Status: Authentication Failed
 GSS Minor Status Error Chain:
 globus_gss_assist: Error during context initialization
 OpenSSL Error: a_verify.c:168: in library: asn1 encoding routines,
 function
 ASN1_item_verify: EVP lib
 OpenSSL Error: rsa_eay.c:699: in library: rsa routines, function
 RSA_EAY_PUBLIC_DECRYPT: padding check failed
 OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
 RSA_padding_check_PKCS1_type_1: block type is not 01

 In the server console (in debug and verbose mode):
 glo...@debian

Re: [gt-user] MyProxy OpenSSL error

2009-10-26 Thread Jim Basney
Hi,

I can only guess at what that OpenSSL error message is telling us. Since
the client-side credentials verify OK, maybe there's a problem with the
server's credentials. To check them, run:

  grid-proxy-init -debug -verify \
-cert /etc/grid-security/hostcert.pem \
-key /etc/grid-security/hostkey.pem

(as recommended at
http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html).

-Jim

cmasmas cmasmas wrote:
 Hi there,
 
 I'm installing Globus 4.2.1 on Debian5 and I'm stuck on the step to prove
 that gridftp server works.
 I'm following the globus quickstart tutorial on the web.
 
 I've run on separate consoles myproxy client and server, and this is what
 each prompts when i try to log in:
 
 In the client console:
 glo...@debian:~$ myproxy-init -s debian
 Your identity:  my identity 
 Enter GRID pass phrase for this identity:
 Creating proxy . Done
 Proxy Verify OK
 Your proxy is valid until: Tue Nov  3 00:14:18 2009
 Error authenticating: GSS Major Status: Authentication Failed
 GSS Minor Status Error Chain:
 globus_gss_assist: Error during context initialization
 OpenSSL Error: a_verify.c:168: in library: asn1 encoding routines, function
 ASN1_item_verify: EVP lib
 OpenSSL Error: rsa_eay.c:699: in library: rsa routines, function
 RSA_EAY_PUBLIC_DECRYPT: padding check failed
 OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
 RSA_padding_check_PKCS1_type_1: block type is not 01
 
 In the server console (in debug and verbose mode):
 glo...@debian:/etc/grid-security$ myproxy-server -dv
 myproxy-server v4.3 2 Sep 2008 PAM starting at Tue Oct 27 00:14:07 2009
 reading configuration file /etc/myproxy-server.config
 using storage directory /var/myproxy
 Starting myproxy-server on localhost:7512...
 using trusted certificates directory /etc/grid-security/certificates
 Failed reading length 0
 Error authenticating client: Connection closed.
 Failure: error in myproxy_send()
 
 Running previously grid-proxy-init generates a valid proxy.
 Must say that myproxy server loads but crashes when i try to log in.
 
 Does anyone know where could be the problem?
 Thanks in advance


Re: [gt-user] MyProxy OpenSSL error

2009-10-26 Thread Jim Basney
That helps us focus the problem investigation. :)

The next reference I suggest is:
http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php

I suggest following the Verify A Certificate Matches A Private Key
instructions to confirm that your hostcert.pem and hostkey.pem match.

You can use the View The Signer Of A Certificate instructions to
identify the CA that signed your certificate and inspect the
corresponding CA certificate in /etc/grid-security/certificates.

Looking in the mailing list archives, it seems a common source of this
OpenSSL error message is creating multiple CAs with the same name,
resulting in confusion as to which CA instance signed each user/host
certificate. It seems this error message may occur when there's a CA
certificate with a subject matching the issuer of the user/host
certificate but with a public key that doesn't match the signature on
the user/host certificate (because it was signed by a different CA
instance).

Creating new hostcert.pem and hostkey.pem files may solve the problem.

cmasmas cmasmas wrote:
 Hi:
 
 First of all, thanks for your answer. Here is the output:
 
 glo...@debian:/root$ grid-proxy-init -debug -verify -cert \
 /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem
 
 User Cert File: /etc/grid-security/hostcert.pem
 User Key File: /etc/grid-security/hostkey.pem
 
 Trusted CA Cert Dir: /etc/grid-security/certificates
 
 Output File: /tmp/x509up_u1001
 Your identity: /O=Grid/OU=GlobusTest/OU=
 simpleCA-debian.xxx.es/CN=host/debian.xxx.es
 Creating proxy ..
 ...
  Done
 Error: Couldn't verify the authenticity of the user's credential to generate
 a proxy from.
grid_proxy_init.c:971: globus_credential: Error verifying credential:
 Failed to verify credential
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module: Could not verify credential: certificate
 signature failure
 OpenSSL Error: a_verify.c:168: in library: asn1 encoding routines, function
 ASN1_item_verify: EVP lib
 OpenSSL Error: rsa_eay.c:699: in library: rsa routines, function
 RSA_EAY_PUBLIC_DECRYPT: padding check failed
 OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
 RSA_padding_check_PKCS1_type_1: block type is not 01
 Any ideas?
 
 Regards.
 
 
 
 2009/10/27 Jim Basney jbas...@ncsa.uiuc.edu
 
 Hi,

 I can only guess at what that OpenSSL error message is telling us. Since
 the client-side credentials verify OK, maybe there's a problem with the
 server's credentials. To check them, run:

  grid-proxy-init -debug -verify \
-cert /etc/grid-security/hostcert.pem \
-key /etc/grid-security/hostkey.pem

 (as recommended at
 http://grid.ncsa.illinois.edu/myproxy/troubleshooting.html).

 -Jim

 cmasmas cmasmas wrote:
 Hi there,

 I'm installing Globus 4.2.1 on Debian5 and I'm stuck on the step to prove
 that gridftp server works.
 I'm following the globus quickstart tutorial on the web.

 I've run on separate consoles myproxy client and server, and this is what
 each prompts when i try to log in:

 In the client console:
 glo...@debian:~$ myproxy-init -s debian
 Your identity:  my identity 
 Enter GRID pass phrase for this identity:
 Creating proxy . Done
 Proxy Verify OK
 Your proxy is valid until: Tue Nov  3 00:14:18 2009
 Error authenticating: GSS Major Status: Authentication Failed
 GSS Minor Status Error Chain:
 globus_gss_assist: Error during context initialization
 OpenSSL Error: a_verify.c:168: in library: asn1 encoding routines,
 function
 ASN1_item_verify: EVP lib
 OpenSSL Error: rsa_eay.c:699: in library: rsa routines, function
 RSA_EAY_PUBLIC_DECRYPT: padding check failed
 OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
 RSA_padding_check_PKCS1_type_1: block type is not 01

 In the server console (in debug and verbose mode):
 glo...@debian:/etc/grid-security$ myproxy-server -dv
 myproxy-server v4.3 2 Sep 2008 PAM starting at Tue Oct 27 00:14:07 2009
 reading configuration file /etc/myproxy-server.config
 using storage directory /var/myproxy
 Starting myproxy-server on localhost:7512...
 using trusted certificates directory /etc/grid-security/certificates
 Failed reading length 0
 Error authenticating client: Connection closed.
 Failure: error in myproxy_send()

 Running previously grid-proxy-init generates a valid proxy.
 Must say that myproxy server loads but crashes when i try to log in.

 Does anyone know where could be the problem?
 Thanks in advance
 


[gt-user] test

2009-10-20 Thread Jim Basney
This is a test message to confirm the globus.org mailing lists are
working again after the mcs.anl.gov downtime.


Re: [gt-user] How to escape a slash in a DN?

2009-10-08 Thread Jim Basney
I recommend using globus_gsi_cert_utils_get_x509_name() to parse DN
strings in C code.
http://viewcvs.globus.org/viewcvs.cgi/gsi/cert_utils/source/library/globus_gsi_cert_utils.c?view=markup

In Java I suggest org.globus.gsi.gssapi.GlobusGSSName().
http://viewcvs.globus.org/viewcvs.cgi/jglobus/src/org/globus/gsi/gssapi/GlobusGSSName.java?root=Java+COGview=markup

You don't need to escape '/' characters in grid-mapfiles.
It's OK to have '/' characters in DN component values.
For example, it's common to have /CN=host/example.com in DNs.

Andreas Maier wrote:
 Dear Globus Support,
 
 Looking at http://dev.globus.org/wiki/Gridmap I still wonder how to escape a 
 slash in a DN.
 I've got a DN like
 
 /C=DE/O=Grid/OU=Universitaet Beispiel /OU=Department Chemie/ AK Etwas/CN=Dr. 
 Max Muster
 
 Is this a valid DN? I think the slash at .. Chemie/ AK.. should be escaped, 
 shouldn't it?
 If it is valid, how is the rule to parse it? Are the only allowed attribute 
 types
 /C=, /O=, /OU=, /CN=, /DC=, /E=, /email=, /emailAddress=, /uid=, /userid= ?
 
 Sincerely,
 Andreas Maier


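Jim's point is that '/' is a separator only where a new attribute type starts, so a value may itself contain slashes. The tokenizer below is an added example, not code from the thread and not the Globus library routine he recommends: it is a shell approximation of what globus_gsi_cert_utils_get_x509_name() does, splitting on "/" only when followed by "TYPE=", and it keeps the "Department Chemie/ AK Etwas" and "host/example.com" cases intact. It is not a replacement for the real parser: a value containing the literal text "/X=" would still be split. It also shows an exact-match grid-mapfile lookup, where the DN is quoted as a whole and no escaping is needed. The sample DN is the one from the question; the grid-mapfile content is constructed for the example.

```sh
#!/bin/sh
# Added example: DN tokenizer and grid-mapfile lookup without '/' escaping.

# dn_components DN: one "TYPE=value" per line. A '/' starts a new component
# only when followed by an attribute type name and '='.
dn_components() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/\([A-Za-z][A-Za-z0-9]*=\)#\
\1#g'
}

# dn_value DN N: the value of the N-th component (1-based).
dn_value() {
    dn_components "$1" | sed -n "${2}p" | sed 's/^[^=]*=//'
}

# gridmap_lookup DN < grid-mapfile: print the mapped account(s) for an exact,
# quoted-DN match; return 1 when the DN is not listed. Lines look like
#   "/C=.../CN=Name" account[,account...]
gridmap_lookup() {
    dn=$1
    while IFS= read -r line; do
        case $line in
            "\"$dn\" "*) printf '%s\n' "${line#*\" }"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample data: the DN from the question and a two-line grid-mapfile.
SAMPLE_DN='/C=DE/O=Grid/OU=Universitaet Beispiel /OU=Department Chemie/ AK Etwas/CN=Dr. Max Muster'
SAMPLE_GRIDMAP='"/O=Grid/OU=GlobusTest/OU=simpleCA/CN=QuickStart User" quser
"/C=DE/O=Grid/OU=Universitaet Beispiel /OU=Department Chemie/ AK Etwas/CN=Dr. Max Muster" muster'

# Usage: sh dn-split.sh '/C=DE/O=Grid/.../CN=Name'   (defaults to the sample)
if [ $# -gt 0 ]; then dn_components "$1"; else dn_components "$SAMPLE_DN"; fi
```

Running it on the sample DN yields five components, the fourth being OU=Department Chemie/ AK Etwas. For anything that makes authorization decisions, use the C or Java routines Jim names; the shell version is for inspecting grid-mapfiles and log lines, not for implementing a PDP.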


Re: [gt-user] WS-Gram - Limited Proxy Problem - gt4.0.8

2009-08-22 Thread Jim Basney
You need to delegate full proxies to your service rather than limited
proxies, so your service has the rights to submit jobs. How are you
delegating proxies to your service? MyProxy delegates full (not limited)
proxies by default, so my guess is that limited proxies are being
introduced at some other step in the process. If you're using the
Delegation Service, make sure you're selecting the option for full
delegation.

po...@gmx.net wrote:
 Hello
 
 I created a webservice that acts as WS-Gram Client and submits jobs. The 
 service worked well under gt4.0.7. Today I installed gt4.0.8 and deployed the 
 service and started it but on the server side I get errors:
 
 It seems that I have delegated limited proxies up to version gt4.0.7 and, as I 
 can see at 
 http://globus.org/toolkit/docs/4.0/execution/wsgram/WS_GRAM_Release_Notes_408.html
   that shouldn't work any more with gt4.0.8. So how can I solve that? Do I 
 have to change some Code of the service or change the myproxy-init command? I 
 do a myproxy-init -s pod.globedns.info.
 
 thx
 
 
 JOB RESOURCE DESTROYED
 Fault:
 fault type: org.globus.exec.generated.FaultType:
 description:
 Unable to create sub-jobs.
 faultReason:
 faultString:
 gt2ErrorCode: 0
 originator: Address: 
 https://127.0.0.2:8443/wsrf/services/ManagedJobFactoryService
 Reference property[0]:
 <ns1:ResourceID xmlns:ns1="http://www.globus.org/namespaces/2004/10/gram/job">428354d0-8f37-11de-9846-d4a94ee48e02</ns1:ResourceID>
 
 stackTrace:
 org.globus.exec.generated.FaultType: Unable to create sub-jobs.
 Timestamp: Sat Aug 22 18:17:18 CEST 2009
 Originator: Address: 
 https://127.0.0.2:8443/wsrf/services/ManagedJobFactoryService
 Reference property[0]:
 <ns1:ResourceID xmlns:ns1="http://www.globus.org/namespaces/2004/10/gram/job">428354d0-8f37-11de-9846-d4a94ee48e02</ns1:ResourceID>
 
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at 
 sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
 at 
 sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
 at java.lang.Class.newInstance0(Class.java:350)
 at java.lang.Class.newInstance(Class.java:303)
 at org.globus.exec.utils.FaultUtils.makeFault(FaultUtils.java:485)
 at 
 org.globus.exec.service.multi.ManagedMultiJobResource.run(ManagedMultiJobResource.java:283)
 at 
 org.globus.exec.service.multi.PersistentManagedMultiJobResource.run(PersistentManagedMultiJobResource.java:71)
 at java.lang.Thread.run(Thread.java:595)
 Caused by: org.oasis.wsrf.faults.BaseFaultType: Limited proxy is not accepted
 Timestamp: Sat Aug 22 18:17:18 CEST 2009
 AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultSubcode:
  faultString: Limited proxy is not accepted
  faultActor:
  faultNode:
  faultDetail:
 {http://xml.apache.org/axis/}stackTrace:Limited proxy is not accepted
 at 
 org.globus.wsrf.impl.security.authentication.SecurityPolicyHandler.handle(SecurityPolicyHandler.java:100)
 at 
 org.globus.wsrf.impl.security.authentication.DescriptorHandler.invoke(DescriptorHandler.java:91)
 at 
 org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
 at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
 at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
 at org.apache.axis.server.AxisServer.invoke(AxisServer.java:248)
 at 
 org.globus.wsrf.container.ServiceThread.doPost(ServiceThread.java:664)
 at 
 org.globus.wsrf.container.ServiceThread.process(ServiceThread.java:382)
 at 
 org.globus.wsrf.container.GSIServiceThread.process(GSIServiceThread.java:176)
 at org.globus.wsrf.container.ServiceThread.run(ServiceThread.java:291)
 
 {http://xml.apache.org/axis/}hostname:pod.globedns.info
 
 Limited proxy is not accepted
 at 
 org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:221)
 at 
 org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:128)
 at 
 org.apache.axis.encoding.DeserializationContext.endElement(DeserializationContext.java:1087)
 at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown 
 Source)
 at 
 org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
 at 
 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
  Source)
 at 
 org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown 
 Source)
 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
 at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
 at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
 at 

Re: [gt-user] compiling source code

2009-08-18 Thread Jim Basney
Does it not work to run gpt-build in
gt4.2.1-branch-all-source-installer/source-trees-thr/wsrf/java/core/source?

Vanja Milosevski wrote:
 Hello,
 
 How do I compile any changes I make to Java files within Globus?
 Again, this without recompiling the entire toolkit.
 
 Particularly, I want to experiment with..
 gt4.2.1-all-source-installer/source-trees-thr/wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/GridMapPDP.java
 
 
 Thanks.
 
 -Vanja
 
 
 
 
 
 
 
 
 On Tue, Jul 28, 2009 at 5:55 PM, Jim Basneyjbas...@ncsa.uiuc.edu wrote:
 What I do is, in the top-level directory for the source I've modified
 (i.e., where the configure scripts and Makefiles live), I run:

  gpt-build -force -verbose gcc32dbg

 replacing gcc32dbg with whatever flavor I want to build. That will
 force a rebuild of the specific package I've modified.

 So to rebuild the package containing globusrun_ws.c, I'd run gpt-build
 in source-trees/ws-gram/client/c/source.

 Vanja Milosevski wrote:
 Hello,

 I'm doing some trial and error experiments with the globus source code
 but I cannot seem to compile a single file without removing the entire
 globus installation and running make from scratch. This process takes
 about 1.5 hours on my machine, so is there a quick way to recompile
 things?
 For example, If I make a change to the globusrun_ws.c file, is there a
 way to rebuild just this file without re-building the other Globus
 Toolkit components?

 Thanks.

 Regards,
 -Vanja




Re: [gt-user] compiling source code

2009-08-18 Thread Jim Basney
Do it from the
gt4.2.1-branch-all-source-installer/source-trees-thr/wsrf/java/core/source
directory.

Vanja Milosevski wrote:
 For some reason it doesn't work.
 
 This is what I get:
 
 ---
 [glo...@ip-115-134-dhcp authorization]$ gpt-build
 ERROR: Source pkgdata file not found in
 /home/globus/gt4.2.1-all-source-installer/source-trees/wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/.
  Are you sure this is a source package?
 Can't locate object method initialize via package Pod::Usage at
 /sandbox/globus/globus-4.2.1/lib/perl/Pod/Usage.pm line 531, FILE
 line 79.
 [glo...@ip-115-134-dhcp authorization]$ gpt-build -force -verbose gcc32dbg
 ERROR: Source pkgdata file not found in
 /home/globus/gt4.2.1-all-source-installer/source-trees/wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/.
  Are you sure this is a source package?
 Can't locate object method initialize via package Pod::Usage at
 /sandbox/globus/globus-4.2.1/lib/perl/Pod/Usage.pm line 531, FILE
 line 79.
 [glo...@ip-115-134-dhcp authorization]$
 ---
 
 
 Any suggestions?
 
 
 
 
 
 On Tue, Aug 18, 2009 at 3:49 PM, Jim Basneyjbas...@ncsa.uiuc.edu wrote:
 Does it not work to run gpt-build in
 gt4.2.1-branch-all-source-installer/source-trees-thr/wsrf/java/core/source?

 Vanja Milosevski wrote:
 Hello,

 How do I compile any changes I make to Java files within Globus?
 Again, this without recompiling the entire toolkit.

 Particularly, I want to experiment with..
 gt4.2.1-all-source-installer/source-trees-thr/wsrf/java/core/source/src/org/globus/wsrf/impl/security/authorization/GridMapPDP.java


 Thanks.

 -Vanja








 On Tue, Jul 28, 2009 at 5:55 PM, Jim Basneyjbas...@ncsa.uiuc.edu wrote:
 What I do is, in the top-level directory for the source I've modified
 (i.e., where the configure scripts and Makefiles live), I run:

  gpt-build -force -verbose gcc32dbg

 replacing gcc32dbg with whatever flavor I want to build. That will
 force a rebuild of the specific package I've modified.

 So to rebuild the package containing globusrun_ws.c, I'd run gpt-build
 in source-trees/ws-gram/client/c/source.

 Vanja Milosevski wrote:
 Hello,

 I'm doing some trial and error experiments with the globus source code
 but I cannot seem to compile a single file without removing the entire
 globus installation and running make from scratch. This process takes
 about 1.5 hours on my machine, so is there a quick way to recompile
 things?
 For example, If I make a change to the globusrun_ws.c file, is there a
 way to rebuild just this file without re-building the other Globus
 Toolkit components?

 Thanks.

 Regards,
 -Vanja
 




Re: [gt-user] Problem with globus-gatekeeper

2009-08-12 Thread Jim Basney
It looks like you need to decrypt your hostkey:

  openssl rsa -in /etc/grid-security/hostkey.pem \
 -out /etc/grid-security/hostkey.pem

JuanPablo wrote:
 hi,
  I have a problem with the gatekeeper.
 if I try start the globus-gatekeeper to make a globus-job-run, but get
 this output
 
 # service globus-gatekeeper start
 Starting globus-gatekeeper: GSS failed getting server credentials:
 GSS Major Status: General failure
 GSS Minor Status Error Chain:
 globus_gsi_gssapi: Error with GSI credential
 globus_gsi_gssapi: Error with gss credential handle
 globus_credential: Valid credentials could not be found in any of the
 possible locations specified by the credential search order.
 Valid credentials could not be found in any of the possible locations
 specified by the credential search order.
 
 Attempt 1
 
 globus_credential: Error reading host credential
 globus_credential: Key is password protected: GSI does not currently
 support password protected private keys.
 OpenSSL Error: pem_lib.c:401: in library: PEM routines, function
 PEM_do_header: bad password read
 
 Attempt 2
 
 globus_credential: Error reading proxy credential
 globus_sysconfig: Could not find a valid proxy certificate file location
 globus_sysconfig: Error with key filename
 globus_sysconfig: File does not exist: /tmp/x509up_u0 is not a valid file
 
 Attempt 3
 
 globus_credential: Error reading user credential
 globus_credential: Key is password protected: GSI does not currently
 support password protected private keys.
 OpenSSL Error: pem_lib.c:401: in library: PEM routines, function
 PEM_do_header: bad password read
 
 Failure: GSS failed to get server credentials
 
[FALLÓ]
 
 
 ... and my hostcert permissions.
 # ls -l /etc/grid-security/host*
 -rw-r--r--  1 root root 2155 ago 12 00:29 /etc/grid-security/hostcert.pem
 -r  1 root root 1929 ago 12 00:29 /etc/grid-security/hostkey.pem
 
 
 Any suggestion?
 Many thanks




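A pre-flight check for the host key along the lines of Jim's fix, added here as an example and not code from the thread or the toolkit; it assumes a POSIX shell with GNU or BSD stat, and uses constructed header-only PEM files as input.

```shell
# Added example, not part of the thread: pre-flight checks for a GSI host
# key. GSI cannot load password-protected private keys, which is exactly
# the "Key is password protected" failure the gatekeeper reported above.
# Only the PEM headers and the file mode are read, so no OpenSSL is needed.

# Succeed if the PEM file $1 is an encrypted private key: either the legacy
# "Proc-Type: 4,ENCRYPTED" header of an RSA key or the PKCS#8 envelope.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Succeed if the key is readable by its owner only (0400 or 0600), the
# mode shown for hostkey.pem in the listing above.
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Full check for one key file; explains the failure on stderr.
check_hostkey() {
    if key_is_encrypted "$1"; then
        echo "$1: password protected; GSI will not load it." \
             "Decrypt in place with: openssl rsa -in $1 -out $1" >&2
        return 1
    fi
    if ! key_perms_ok "$1"; then
        echo "$1: mode must be 0400 or 0600" >&2
        return 1
    fi
    return 0
}

# Constructed sample keys: header-only stand-ins for real PEM files.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'constructed-body' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/encrypted.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-body' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/plain.pem"
chmod 600 "$demo_dir/encrypted.pem" "$demo_dir/plain.pem"

for k in "$demo_dir/encrypted.pem" "$demo_dir/plain.pem"; do
    if check_hostkey "$k"; then echo "$k: ok"; fi
done
```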

Re: [gt-user] myproxy-init failure

2009-07-16 Thread Jim Basney
The MyProxy client must be configured to trust the CA that issued the
MyProxy server's certificate. Likewise the MyProxy server must be
configured to trust the CA that signed your client-side certificate.

http://www.globus.org/toolkit/docs/4.2/4.2.1/security/gsic/admin/

Denim Becker wrote:
 Hello,
 
 I am trying to upload my certificate to a myproxy server that runs in our 
 company.
 But when I use myproxy-init -s myproxyname I get an error:
 
 ---
 Your identity: myIdentity
 Enter GRID pass phrase for this identity:
 Creating proxy  Done
 Proxy Verify OK
 Your proxy is valid until: Thu Jul 23 14:02:01 2009
 Error authenticating: GSS Major Status: Authentication Failed
 GSS Minor Status Error Chain:
 globus_gss_assist: Error during context initialization
 OpenSSL Error: s3_clnt.c:842: in library: SSL routines, function 
 SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module:
 Can't get the local trusted CA certificate: Untrusted self-signed
 certificate in chain with hash dd4b34ea
 
 
 ---
 
 I'm not quite sure what this means and how I can solve this problem.
 
 Thanks in advance for your help




Re: [gt-user] problem setting up second node

2009-05-29 Thread Jim Basney
Did you scp your $GLOBUS_LOCATION/share/certificates directory from
nodea to nodeb according to
http://www.globus.org/toolkit/docs/latest-stable/admin/quickstart/#q-security2?

Alternatively, you could try adding -T to your myproxy-retrieve
command-line.

arindam choudhury wrote:
 Sir,
 
 I am trying to install globus 4.2.1 in Fedora 8. I have configured the first 
 node. I am following the quickstart guide given on globus.org.  
 
 When I try to set up security on the 2nd machine, I get the following error:
 
 [r...@nodeb ~]# myproxy-retrieve -s nodea -k nodeb.grid.tu -l nodeb
 Error authenticating: GSS Major Status: Authentication Failed
 GSS Minor Status Error Chain:
 globus_gss_assist: Error during context initialization
 OpenSSL Error: s3_clnt.c:894: in library: SSL routines, function 
 SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
 globus_gsi_callback_module: Could not verify credential
 globus_gsi_callback_module: Can't get the local trusted CA certificate: 
 Untrusted self-signed certificate in chain with hash 5776aba7
 
 Please help
 
 Arindam 
 





Re: [gt-user] problem setting up second node

2009-05-29 Thread Jim Basney
You should have a $GLOBUS_LOCATION/share/certificates directory on nodeb
containing 5776aba7.0 and 5776aba7.signing_policy files after doing the
scp. The error from myproxy-retrieve is about not finding those CA files.

If you do have those files and you still get the error from
myproxy-retrieve, then check if you have an
/etc/grid-security/certificates directory or if you have the
X509_CERT_DIR environment variable defined that is overriding
$GLOBUS_LOCATION/share/certificates.

An alternative to copying $GLOBUS_LOCATION/share/certificates via scp is
to run myproxy-retrieve -T ... but if you already did the scp, you
shouldn't need -T. The usual myproxy-retrieve command from the
quickstart should work after the scp.

arindam choudhury wrote:
 Sir,
 I could not copy it using the globus account. It gives me a permission denied 
 error, even not doing r...@nodea. So I scp'd from the root user.
 Should I run this command: myproxy-retrieve -T -s nodea -k nodeb.grid.tu -l nodeb?
 
 Arindam
 




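A small diagnostic for the trusted-CA lookup described in the replies above (the hash in the error must match a <hash>.0 and <hash>.signing_policy pair in the directory GSI actually consults), added here as an example and not code from the thread or the toolkit; it follows the search order given in the reply, assumes a POSIX shell, and uses a constructed X509_CERT_DIR as input.

```shell
# Added example, not part of the thread: find the trusted-CA directory GSI
# will use and check whether the CA named by the hash in the error above
# (5776aba7) is installed there as <hash>.0 plus <hash>.signing_policy.
# Search order as given in the reply: X509_CERT_DIR first, then
# /etc/grid-security/certificates, then $GLOBUS_LOCATION/share/certificates.

# Print the first directory in the search order that exists; fail if none.
effective_cert_dir() {
    for d in "${X509_CERT_DIR:-}" /etc/grid-security/certificates \
             "${GLOBUS_LOCATION:-/nonexistent}/share/certificates"; do
        if [ -n "$d" ] && [ -d "$d" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Is CA hash $2 fully installed in directory $1?
# 0: both files present; 1: <hash>.0 missing; 2: only signing_policy missing
# (GSI rejects the chain in either failure case).
ca_installed() {
    [ -f "$1/$2.0" ] || return 1
    [ -f "$1/$2.signing_policy" ] || return 2
    return 0
}

# One-line diagnosis for the "Untrusted self-signed certificate" error.
diagnose() {
    cahash=$1
    dir=$(effective_cert_dir) || { echo "no trusted-CA directory found"; return 1; }
    if ca_installed "$dir" "$cahash"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$dir: $cahash.0 and $cahash.signing_policy present" ;;
        1) echo "$dir: $cahash.0 missing (copy the CA directory from the server)" ;;
        2) echo "$dir: $cahash.signing_policy missing" ;;
    esac
}

# Constructed demo: an X509_CERT_DIR holding only the CA certificate, which
# overrides any system directory and shows the incomplete-install case.
demo_dir=$(mktemp -d)
: > "$demo_dir/5776aba7.0"   # stand-in for the CA certificate file
X509_CERT_DIR=$demo_dir
export X509_CERT_DIR
diagnose 5776aba7            # prints "<demo_dir>: 5776aba7.signing_policy missing"
```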

Re: [gt-user] Is there something as fsssh available for Globus

2009-05-20 Thread Jim Basney
I don't know about fsssh but if it works with ssh, it should work with
gsissh.

Alexander Beck-Ratzka wrote:
 Hi Folks,
 
 fsssh allows you to mount a remote file system directory to a local directory. 
 All that is needed for this is ssh access 
 to the remote machine. 
 
 I would like to know whether a similar tool exists for Globus, so that it 
 is possible to mount a remote filesystem on 
 a host which can only be connected to via a globus grid connection?
 
 Cheers
 
 Alexander




Re: [gt-user] GSISSH problem

2009-02-23 Thread Jim Basney
Check syslog for errors.

See also:
http://grid.ncsa.uiuc.edu/ssh/ts_common.html

Christian Szongott wrote:
 Hi!
 
 I use GT 4.0.8 and want to connect to a host using GSSAPIAuthentication.
 So I followed the installation instructions on
 http://globus.org/toolkit/docs/4.0/security/openssh/admin-index.html .
 
 When I try to start the daemon by $GLOBUS_LOCATION/sbin/SXXsshd start
 the message "Starting up GSI-OpenSSH sshd server... done." appears but
 the daemon is not started. I can't connect to the host and the file
 $GLOBUS_LOCATION/var/sshd.pid which should exist isn't there. The
 normal ssh daemon starts successfully and I can connect to the host this
 way.
 
 Any suggestions what might have gone wrong or where I can find more
 debugging information about it?
 
 Thanks in advance!
 
 Christian




Re: [gt-user] GSISSH problem

2009-02-23 Thread Jim Basney
My guess is that your build failed. If you kept a log of your output
from make, check it for errors. Or you could try 'make gsi-openssh
install' again and watch for errors.

Christian Szongott wrote:
 It seems to be a more basic problem. I've figured out that
 $GLOBUS_LOCATION/sbin/sshd is called within the SXXsshd script. But
 there is no sshd at the specified location ($GLOBUS_LOCATION/sbin/). Any
 ideas why?
 
 Christian
 
 




Re: [gt-user] GSISSH problem

2009-02-23 Thread Jim Basney
-src gcc32dbg
 gpt-build  CHECKING BUILD DEPENDENCIES FOR gsi_openssh_setup
 SKIPPING REBUILD of noflavor
 /usr/local/gt4/sbin/gpt-postinstall
 All of the packages in your GLOBUS_LOCATION are already set up.
 




Re: [gt-user] problem in gt-4.2.1 installation

2009-02-14 Thread Jim Basney
 I'm using RHEL 5.3 for the globus 4.2.1 installation. I used the all-source 
 installer. I'm stuck in the installation process, as myproxy-admin-adduser 
 gave very little verbose output and I couldn't find the subject of the certificate, so 
 I am confused about what to write in the grid-mapfile. 

Yes, we made the output less verbose:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6324
Probably too much so.

Until we fix it in a future release, you can find the certificate
subject using myproxy-admin-query:

-
# myproxy-admin-adduser -c "Charles Bacon" -l bacon
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

To sign the request
please enter the password for the CA key:

The new signed certificate is at:
/var/root/.globus/simpleCA//newcerts/12.pem

using storage directory /var/myproxy
Credential stored successfully
# myproxy-admin-query -l bacon
owner: /O=Grid/OU=GlobusTest/OU=simpleCA-suede.ncsa.uiuc.edu/OU=ncsa.uiuc.edu/CN=Charles Bacon
username: bacon
  timeleft: 8760:59:48  (365.0 days)
-

 Also, myproxy-logon is not working for me. Please help me out. 

What is the error from myproxy-logon?




Re: [gt-user] Newbie, setting up MyProxy from gt4.2.1-x86_rhas_4-installer

2008-12-15 Thread Jim Basney
Hello Doug,

The best way to debug a segmentation fault is with a debugger like gdb.
If you're able to diagnose the problem, please submit a bug report to
http://bugzilla.globus.org/.

I suspect the problem is caused by a shared library version mismatch.
It's risky to use binaries built for one platform on another platform.
Since there's no binary distribution for Ubuntu, I suggest using the
source installer.

-Jim

Doug wrote:
 Hi, 
 I was trying to run a minimal globus toolkit install, purely
 to run MyProxy with a SimpleCA for testing some other software.
 
 I was trying to set this up on an Ubuntu 8.04 system, but after
 running into some hurdles with gt4.2.1-x86_deb_4.0-installer.tar.gz
 I switched to the gt4.2.1-x86_rhas_4-installer
 
 Anyway, after running 
 
 ./configure
 make gsi-myproxy
 make install
 
 and fighting through some of this:
 http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch07.html
 
 I tried the following command:
 
 d...@myproxy:~$ grid-proxy-init -debug -verify
 
 User Cert File: /home/ddb/.globus/usercert.pem
 User Key File: /home/ddb/.globus/userkey.pem
 
 Trusted CA Cert Dir: /etc/grid-security/certificates
 
 Output File: /tmp/x509up_u1001
 Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA-myproxy/CN=Doug du Boulay
 Enter GRID pass phrase for this identity:
 Creating proxy 
 ...
  Done
 Segmentation fault
 
 
 By all accounts it should have said something like:
 
 Proxy Verify OK
 Your proxy is valid until: Sat Mar 20 03:01:46 2004
 
 
 Is there any way I can debug that to figure out what's going wrong?
 I tried strace but I couldn't make much out of it.
 
 
 Thanks
 
 Doug




Re: [gt-user] Difference in GSI layer

2008-12-08 Thread Jim Basney
See:
http://www.globus.org/toolkit/docs/4.2/4.2.0/rn/release_notes.html#rn-changesummaries-security

I suspect the VOMS server logs would have more information about the
error. My guess is that the VOMS server does not accept RFC 3820
compliant proxy certificates, which are generated by default in GT 4.2.
Try 'voms-proxy-init -proxyver 2'.

Kakoli Sen wrote:
 Dear all,
 Is there any major difference between the GSI layer of GT4.0.7 and GT4.2.0?
 The command voms-proxy-init (which calls grid-proxy-init internally) is
 giving an error with GT4.2.
 
 Error: Could not establish authenticated connection with the server.
 globus_gss_assist token :3: read failure: Connection closed
 None of the contacted servers for test were capable of returning a valid AC
 for the user.
 
 Is there any way to get more information on the error?
 
 Regards,
 
 Kakoli Sen
 
 
 
 
 KAKOLI SEN                  Ph: 91-80-25341909/215 (Extn. 309)
 C-DAC Knowledge Park        E-mail: [EMAIL PROTECTED]
 #1, Old Madras Road                 [EMAIL PROTECTED]
 Bangalore - 560 038, INDIA
 
 
 

