discovers any updates to the CRL files.
I ran my own tests to confirm. With no CRL in place I get:
$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy ... Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18
Please refer to the Revocation section of
http://grid.ncsa.illinois.edu/myproxy/ca/ which provides example scripts
for using the 'openssl ca' command to generate CRLs for use with
MyProxy. The MyProxy software doesn't create CRLs itself. MyProxy
requires the use of 'openssl ca' or equivalent for
Hi,
In case it might be helpful to others, here's my recipe for a successful
GT 5.2.2 install on MacOS 10.8.
Two things caused trouble for me: default gcc32dbg flavor and missing
ltdl (Libtool Dynamic Module Loader). I got the following errors:
error: ltdl.h: No such file or directory
dyld:
What are the contents of /var/lib/myproxy/.globus/simpleCA/cacert.pem?
On 6/11/12 3:38 PM, Lukasz Lacinski wrote:
We use MyProxy server with Simple CA to issue user credentials. And
wanted to use the certificate_issuer_subca_certfile option to add a
certificate of the Simple CA to a
configure: error: *** Can't find recent OpenSSL libcrypto (see
config.log for details) ***
https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7255
Work-around:
Edit
gt5.2.1-all-source-installer/source-trees/gssapi-openssh/openssh/configure
to delete the two lines marked with '-' in the
Hi Lukasz,
What is the myproxy-server log output? What is your full
myproxy-server.config? By any chance do you have pam required rather
than pam sufficient in myproxy-server.config?
It works for me:
$ myproxy-logon -s localhost
Enter MyProxy pass phrase:
A credential has been received for user
On 4/27/12 7:19 AM, Hameed Alzahrani wrote:
Connection closed by remote host
Look in logs on the remote host for the cause.
http://grid.ncsa.illinois.edu/ssh/ts_common.html
The certificate signature failure message indicates a problem with the
nextuser certificate created by myproxy-admin-adduser. The certificate
should be in /var/lib/myproxy/nextuser.creds. You can use
grid-proxy-init to check the certificate for errors:
grid-proxy-init -debug -verify \
-cert
Use 'make gsi-myproxy install' to build and install only MyProxy and its
dependencies using the GT installer.
Why use GT 4.2.1? The current release is GT 5.0.4:
http://www.globus.org/toolkit/downloads/latest-stable/
On 10/25/11 7:15 AM, leo_cu...@lavabit.com wrote:
I compiled globus toolkit
http://wiki.ngs.ac.uk/index.php?title=MEG
On 10/25/11 10:47 AM, Lukasz Lacinski wrote:
I would like to configure /etc/pam.d/login to use MyProxy server as an
external authentication mechanism and accept all users who are
successfully authenticated by the MyProxy server. Is such a PAM module
On 9/7/11 8:52 AM, leo_cu...@lavabit.com wrote:
I wonder if this error ( Error authenticating: Connection closed. ) is
an authentication problem, some PAM issue with myproxy, or everything is
the /etc/grid-security/certificates directory.
To answer this question, check your myproxy-server
myproxy-init -v -C key.pem -y cert.pem -l user -s DebianLocal.localdomain
It appears you've got the -C and -y options backwards. Try:
myproxy-init -v -C cert.pem -y key.pem ...
On 6/28/11 1:57 PM, Amitav Mohanty wrote:
On 06/21/2011 03:47 AM, Jim Basney wrote:
If you don't want myproxy-admin-adduser to use your existing
$GLOBUS_LOCATION/var/myproxy directory, then move/remove that directory
or use the myproxy-admin-adduser -s option.
Well I was doing a fresh
Hi Petar,
There's a hierarchy of TERENA CAs, and you need to have the full CA
hierarchy installed in /etc/grid-security/certificates.
For example:
$ openssl x509 -subject -issuer -noout ff783690.0
subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
If you don't want myproxy-admin-adduser to use your existing
$GLOBUS_LOCATION/var/myproxy directory, then move/remove that directory
or use the myproxy-admin-adduser -s option.
On 6/19/11 12:41 PM, Amitav Mohanty wrote:
Hello
Following the quickstart guide for installing the Globus Toolkit I
-rhel5 01 Jul 2008, is there another
way to show the full certificate chain?
On Tue, 2011-05-31 at 11:12 -0500, Jim Basney wrote:
grid-proxy-info -path
when i do a grid-cert-info with the kerberized credential
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
1.3.6.1.5.2.3.4
X509v3 Key Usage: critical
Digital Signature, Key
On 5/31/11 9:35 AM, Amitav Mohanty wrote:
I was wondering why without adding any lines to hosts.allow and
hosts.deny I can have credentials exchanged successfully when both the
server and the client are started on different terminals.
If you run the myproxy-server outside of xinetd, then
On 5/26/11 10:59 AM, Alan Sill wrote:
On May 26, 2011, at 11:51 AM, Lukasz Lacinski wrote:
I would like to issue user credentials using a MyProxy server, MyProxy
CA and PAM. But I would like to avoid adding a certificate of the
MyProxy CA to /etc/grid-security/certificates. I am thinking of
You can add any CA certificate to your server's certificate area, if
you trust the way that CA is run. If not, you shouldn't be using its
certificates; if so, what is the problem with adding it in?
If someone manages a client grid workstation, users have to ask him to
add a certificate of
On 5/26/11 11:50 AM, Lukasz Lacinski wrote:
On 5/26/11 12:24 PM, Jim Basney wrote:
You can add any CA certificate to your server's certificate area, if
you trust the way that CA is run. If not, you shouldn't be using its
certificates; if so, what is the problem with adding it in?
If someone
On 5/26/11 11:52 AM, Jim Basney wrote:
On 5/26/11 11:50 AM, Lukasz Lacinski wrote:
On 5/26/11 12:24 PM, Jim Basney wrote:
You can add any CA certificate to your server's certificate area, if
you trust the way that CA is run. If not, you shouldn't be using its
certificates; if so, what is
http://lists.globus.org/pipermail/gt-user/2011-February/009685.html
On 2/12/11 6:00 AM, kasim saeed wrote:
quser@choate:~$ myproxy-logon -s choate
Failed reading length 0
Enter MyProxy pass phrase:
Failed to receive credentials.
Error authenticating: Connection closed.
Error writing: GSS
What did you find when you checked the myproxy-server logs?
On 2/12/11 7:54 AM, kasim saeed wrote:
That is not making any difference.. Any other idea.
Please Help
Regards
Kaasim Saeed.
On Sat, Feb 12, 2011 at 6:15 PM, Jim Basney jbas...@ncsa.uiuc.edu wrote:
http://lists.globus.org
/globus/globus5a/var/myproxy not owned by root
Feb 12 19:54:38 choate myproxy-server[8098]: Exiting. Please fix errors
with storage directory and restart.
Regards
Kaasim Saeed.
On Sat, Feb 12, 2011 at 7:13 PM, Jim Basney jbas...@ncsa.uiuc.edu wrote:
What did you find when you checked
I think the serialization code is in the
org.globus.delegation.service.DelegationResource store() and load()
methods in
ws-delegation/service/java/source/src/org/globus/delegation/service/DelegationResource.java
which use java.io.ObjectInputStream and java.io.ObjectOutputStream.
On 1/25/11 1:50
Hi Christopher,
I can only offer guesses and some pointers...
One scenario is a Java WS-GRAM client using the GT4 Delegation Service.
In this case, I believe the serial numbers for proxy certificates are
set randomly in
org.globus.gsi.bc.BouncyCastleCertProcessingFactory.createProxyCertificate()
It seems something went wrong when you ran
myproxy-admin-addservice -c helium.adiroy.com -l helium
on hydrogen. What is the output of myproxy-admin-query on hydrogen? It
should show the helium.adiroy.com certificate in the repository.
anonymous just means you don't have a certificate yet on
I see that the call that's failing is gss_accept_sec_context(). That's a
server-side call. (The corresponding client-side call is
gss_init_sec_context().) So I think the issue is the server-side
environment variables, not the client-side. Maybe you need to set
X509_CERT_DIR in the /etc/xinetd.d
I suggest trying GT 5.0.2 (latest stable), rather than GT 5.0.0.
Also, see the MacOS platform notes:
http://www.globus.org/toolkit/docs/5.0/5.0.2/admin/install/#gtadmin-platform-macosx
On 10/28/10 3:28 PM, skil...@cct.lsu.edu wrote:
Hello Globus users,
I have been getting the following
By any chance did you skip step 2.3?
Did you successfully run the myproxy-retrieve command in step 2.3 before
proceeding to step 2.4?
Also make sure both your machines have accurate system clocks.
Sometimes system clock problems cause low-level SSL errors like this.
On 6/8/10 1:50 AM, Deepti
It appears you skipped the vim /etc/myproxy-server.config step to
uncomment (remove the '#' character) from the following lines:
accepted_credentials *
authorized_retrievers *
default_retrievers *
authorized_renewers *
default_renewers none
authorized_key_retrievers *
If by any chance you're using OpenSSL 1.0.0, likely your CA files were
named using the new OpenSSL hash algorithm, whereas the Globus Java
components are looking for CA files using the old hash names. In that
case, you may find the documentation at
http://www.cilogon.org/openssl1 helpful for
the unpatched mechglue. I'll investigate a bit more, but if you
have a guess for what this function could be...
Thank you very much,
Ricardo
On Wed, Apr 14, 2010 at 3:51 PM, Jim Basney jbas...@ncsa.uiuc.edu
wrote:
Last time I looked into it, the original GSSAPI mechglue library
Hi Erik,
Yes, you can set the X509_USER_PROXY environment variable to the path of your
proxy file. The gsissh command respects the standard GSI C environment
variables
(http://www.globus.org/toolkit/docs/latest-stable/security/gsic/pi/#gsic-env-var).
I agree we should document it on the
Hi Lukasz,
The myproxy.teragrid.org server is configured to act as a certificate authority:
http://grid.ncsa.illinois.edu/myproxy/teragrid.html
http://grid.ncsa.illinois.edu/myproxy/ca/
Regards,
Jim
- Original Message -
From: Lukasz Lacinski luk...@ci.uchicago.edu
To: GT User
What is the output of 'which grid-cert-request'? Did you 'source
$GLOBUS_LOCATION/etc/globus-user-env.sh' to setup your environment?
On 3/19/10 1:59 AM, Ankuj Gupta wrote:
Hi!!
I had setup the Myproxy and I was trying to get a user certificate for our
sample user. I had used QuickStart User
Hi Bill,
Yes, you can create a host certificate for any hostname, like this:
grid-cert-request -host hpsstst01e.ucar.edu
It looks like you've already got a hpsstst01e.ucar.edu certificate
installed. It seems the problem is the hpsstst01i.ucar.edu expected
name which is who the client thinks
Hello Arn,
The myproxy-admin-adduser command is just a simple perl script that
calls grid-cert-request, grid-ca-sign, and
myproxy-admin-load-credential. You could try running the underlying
commands manually in sequence to see which one is hanging.
Probably it'd be good for us to add a -verbose
Hi,
Does setting ForceCommand in $GLOBUS_LOCATION/etc/ssh/sshd_config do
what you need? It's documented in the man page:
http://grid.ncsa.illinois.edu/ssh/man/sshd_config.5.html
-Jim
On 1/29/10 7:08 AM, Henning Perl wrote:
Hello!
I am trying to make gitosis (git repository hosting) work
Hi Brian,
Host key verification failed is an ssh client-side error. The top hit
from Google for this error message is
http://www.securityfocus.com/infocus/1806 which looks like a good
reference on the topic. I suspect you need to populate and distribute
/etc/ssh_known_hosts files between your
, the problem state is the same (launching server and client the
same way as in the 1st email gives the same output).
Regards.
2009/10/27 Jim Basney jbas...@ncsa.uiuc.edu
That helps us focus the problem investigation. :)
The next reference I suggest is:
http://security.ncsa.uiuc.edu
Hi,
I can only guess at what that OpenSSL error message is telling us. Since
the client-side credentials verify OK, maybe there's a problem with the
server's credentials. To check them, run:
grid-proxy-init -debug -verify \
-cert /etc/grid-security/hostcert.pem \
-key
: in library: rsa routines, function
RSA_EAY_PUBLIC_DECRYPT: padding check failed
OpenSSL Error: rsa_pk1.c:100: in library: rsa routines, function
RSA_padding_check_PKCS1_type_1: block type is not 01
*
Any ideas?
Regards.
2009/10/27 Jim Basney jbas...@ncsa.uiuc.edu
Hi,
I can only
This is a test message to confirm the globus.org mailing lists are
working again after the mcs.anl.gov downtime.
I recommend using globus_gsi_cert_utils_get_x509_name() to parse DN
strings in C code.
http://viewcvs.globus.org/viewcvs.cgi/gsi/cert_utils/source/library/globus_gsi_cert_utils.c?view=markup
In Java I suggest org.globus.gsi.gssapi.GlobusGSSName().
You need to delegate full proxies to your service rather than limited
proxies, so your service has the rights to submit jobs. How are you
delegating proxies to your service? MyProxy delegates full (not limited)
proxies by default, so my guess is that limited proxies are being
introduced at some
Does it not work to run gpt-build in
gt4.2.1-branch-all-source-installer/source-trees-thr/wsrf/java/core/source?
Vanja Milosevski wrote:
Hello,
How do I compile any changes I make to Java files within Globus?
Again, this without recompiling the entire toolkit.
Particularly, I want to
Do it from the
gt4.2.1-branch-all-source-installer/source-trees-thr/wsrf/java/core/source
directory.
Vanja Milosevski wrote:
For some reason it doesn't work.
This is what I get:
---
[glo...@ip-115-134-dhcp authorization]$ gpt-build
ERROR: Source pkgdata file not found in
It looks like you need to decrypt your hostkey:
openssl rsa -in /etc/grid-security/hostkey.pem \
-out /etc/grid-security/hostkey.pem
JuanPablo wrote:
hi,
I have a problem with the gatekeeper.
if I try start the globus-gatekeeper to make a globus-job-run, but get
this output
The MyProxy client must be configured to trust the CA that issued the
MyProxy server's certificate. Likewise the MyProxy server must be
configured to trust the CA that signed your client-side certificate.
http://www.globus.org/toolkit/docs/4.2/4.2.1/security/gsic/admin/
Denim Becker wrote:
Did you scp your $GLOBUS_LOCATION/share/certificates directory from
nodea to nodeb according to
http://www.globus.org/toolkit/docs/latest-stable/admin/quickstart/#q-security2?
Alternatively, you could try adding -T to your myproxy-retrieve
command-line.
arindam choudhury wrote:
Sir,
I am
You should have a $GLOBUS_LOCATION/share/certificates directory on nodeb
containing 5776aba7.0 and 5776aba7.signing_policy files after doing the
scp. The error from myproxy-retrieve is about not finding those CA files.
If you do have those files and you still get the error from
myproxy-retrieve,
I don't know about fsssh but if it works with ssh, it should work with
gsissh.
Alexander Beck-Ratzka wrote:
Hi Folks,
fsssh allows to mount a remote file system directory to a local directory.
All what is needed for this is an ssh access
to the remote machine.
I would like to know,
Check syslog for errors.
See also:
http://grid.ncsa.uiuc.edu/ssh/ts_common.html
Christian Szongott wrote:
Hi!
I use GT 4.0.8 and want to connect to a host using GSSAPIAuthentication.
So I followed the installation instructions on
within the SXXsshd script. But
there is no sshd at the specified location ($GLOBUS_LOCATION/sbin/). Any
ideas why?
Christian
Am 23.02.2009 um 14:51 schrieb Jim Basney:
Check syslog for errors.
See also:
http://grid.ncsa.uiuc.edu/ssh/ts_common.html
Christian Szongott wrote:
Hi
of noflavor
/usr/local/gt4/sbin/gpt-postinstall
All of the packages in your GLOBUS_LOCATION are already set up.
Am 23.02.2009 um 19:32 schrieb Jim Basney:
My guess is that your build failed. If you kept a log of your output
from make, check it for errors. Or you could try 'make gsi-openssh
I'm using RHEL 5.3 for globus 4.2.1 installation. I used all source
installer. I stuck in the installation process as myproxy-admin-adduser
gave very few verbose that I couldn't find the subject of the certificate, so
I am confused what to write in grid-mapfile.
Yes, we made the output
Hello Doug,
The best way to debug a segmentation fault is with a debugger like gdb.
If you're able to diagnose the problem, please submit a bug report to
http://bugzilla.globus.org/.
I suspect the problem is caused by a shared library version mismatch.
It's risky to use binaries built for one
See:
http://www.globus.org/toolkit/docs/4.2/4.2.0/rn/release_notes.html#rn-changesummaries-security
I suspect the VOMS server logs would have more information about the
error. My guess is that the VOMS server does not accept RFC 3820
compliant proxy certificates, which are generated by default in
60 matches