Re: Error retrieving credentials using certificates/private keys returned by OA4MP service

[Akos Hajnal]

Raminder,

Yes, it helped. By moving bcprov jar to the lib solves this exception issue.
I use apache-tomcat-7.0.42, no other webapps contain 
X509CertificateObject in any jars or classes folders.

What I don't know, why this class cannot be reloaded on redeloy. I 
switched on tomcat's -verbose:class option,
lots of classes loaded, could not figure out what is wrong.

I have to move on, but if you find a better solution later, please let 
me know, because I am curious.

Regards, Akos

Raminder Singh wrote:

Akos, 

Try to find this class in your tomcat webapps folder and if the jar is in multiple projects then delete them and have a single copy of the jar to lib folder of tomcat (tomcat 6+ does not have shared lib added to configuration). Its a class loading issue and this may help. If you want we can have a Skype session to debug this together. My Skype id is sandhu_raman1.  

find apache-tomcat-7.0.39/webapps/  -name "*.jar" -exec grep -Hls 
org.bouncycastle.jce.provider.X509CertificateObject {} \;

Thanks
Raminder

On Oct 3, 2013, at 7:42 AM, Akos Hajnal <akos.l.haj...@gmail.com> wrote:

 

Dear Raminder,

I've tried the patched version together with bcprov16, but the same exception 
after redeploy.

Now  it seems that on tomcat removes class 
org.bouncycastle.jce.provider.X509CertificateObject on undeploy, and cannot 
re-load this class
on redeploy. If I put bcprov-jdk14-140.jar into tomcat/lib, 
X509CertificateObject is not unloaded, and it seems to work without exception.
I don't know why, and how to fix it.

I don't know Airavata. Maybe I search for it...

Regards, Akos Hajnal

ps.
//test proxy file exception
GlobusCredential cred = new GlobusCredential("x509up");
for (X509Certificate cert: cred.getCertificateChain()) {
             Class<? extends X509Certificate> c = cert.getClass();
             log.info(c.getName() + " class is from jar " + c.getResource('/'+ 
c.getName().replace('.', '/')+".class")); // <- see error below
             ...
}

Oct 03, 2013 1:20:03 PM org.apache.catalina.loader.WebappClassLoader 
findResourceInternal
INFO: Illegal access: this web application instance has been stopped already.  
Could not load org/bouncycastle/jce/provider/X509CertificateO
bject.class.  The eventual following stack trace is caused by an error thrown 
for debugging purposes as well as to attempt to terminate the
thread which caused the illegal access, and has no functional impact.

Raminder Singh wrote:

   

Hi Akos,

I faced similar problem with cog-jglobus and patched a version of cog-jglobus. You can be download patched version from http://community.ucs.indiana.edu:9090/archiva/repository/ogce.m2.all/cog-jglobus/cog-jglobus/1.8.0_bc/ repository. You need to update bouncycastle version to jdk1.6.1.46. I will not recommend you to go this path. If you can use Airavata 0.9 release you don't need cog-jgloubs. Airavata 0.9 and later uses Jglobus 2.0.6 and is a better library to use to handle grid security and job submission. 
<dependency>
  <groupId>cog-jglobus</groupId>
  <artifactId>cog-jglobus</artifactId>
  <version>1.8.0_bc</version>
</dependency>
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcprov-jdk16</artifactId>
  <version>1.46</version>
</dependency>

Please let us know if you need any help with Airavata.  Thanks
Raminder

On Oct 2, 2013, at 8:44 AM, Marlon Pierce <marpi...@iu.edu 
<mailto:marpi...@iu.edu>> wrote:

     

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Akos--

You may want to take this question to the Apache Airavata dev list:
dev@airavata.apache.org <mailto:dev@airavata.apache.org> (cc'd).


Marlon

On 10/2/13 5:37 AM, Akos Hajnal wrote:

       

I don't know what "OA4MP" is, but I guess we use the
same cog-jglobus-1.8.jar-bcprov-jdk14-140.jar libs (downloaded my maven),
and get
the same Exception.

What is amazing the exception is thrown
in BouncyCastleUtil.getIdentity(X509Certificate cert), in a line
         

silimar to

       

if (! (cert instanceof
org.bouncycastle.jce.provider.X509CertificateObject) ) {
System.out.println(cert.getClass()); throw new Exception(); }

and the classname printed is:
"org.bouncycastle.jce.provider.X509CertificateObject". Another X-file...

Regards, Akos Hajnal



2013. október 1., kedd 17:42:05 UTC+2 időpontban Jeff Gaynor a következőt
írta:

         

What version of OA4MP are you using and where did you get it from?

Jeff

On 09/30/2013 08:43 AM, Akos Hajnal wrote:

Dear Jeff,ďż˝
I tried:
Security.addProvider(new BouncyCastleProvider());
setProvider("BC");
installSecureRandomProvider();

(the same as static code of�CertUtil)
at the very beginning when my webapp is deployed, but I get the same
exception.
Maybe something stucked earlier. On the first deploy it works without
exception, but never after redeploy.
I use v1.8.

Regards, Akos Hajnal

2013. m�jus 22., szerda 22:58:39 UTC+2 id�pontban Jeff Gaynor a
k�vetkez�t �rta:

           

Hmmm. You might try the following two lines of code

Security.addProvider(new
org.bouncycastle.jce.provider.BouncyCastleProvider());
CertUtil.setCertFactory(CertificateFactory.getInstance("X.509", "BC"));

The first call is from java.security and the CertUtil is in OA4MP.ďż˝
This will require that the bouncy castle provider be used. This
             

should be

       

used as early in your code as possible, before any OA4MP calls.

There is also a chance this might be a class loader issue, but it would
be good to check this possibility out first since it is easy.

Jeff


On 05/22/2013 03:26 PM, Amila Jayasekara wrote:

Hi All,

I am getting following error when trying to communicate with MyProxy
server to create credentials.

*An error occurred while retrieving credentials from credential store.
But continuing with password credentials.ďż˝*
*java.lang.IllegalArgumentException: [JGLOBUS-35] Unexpected
             

certificate

       

type: "class sun.security.x509.X509CertImpl"*
* at

             

org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:453)

       

*
* at

             

org.globus.gsi.bc.BouncyCastleUtil.getIdentity(BouncyCastleUtil.java:470)

       

*
* at
org.globus.gsi.GlobusCredential.getIdentity(GlobusCredential.java:401)*
* at

             

org.globus.gsi.gssapi.GlobusGSSCredentialImpl.<init>(GlobusGSSCredentialImpl.java:70)

       

*
* at

             

org.apache.airavata.gfac.utils.MyProxyManager.getCredentialsFromStore(MyProxyManager.java:231)

       

*
at

             

org.apache.airavata.gfac.context.security.GSISecurityContext.getGssCredentials(GSISecurityContext.java:82)

       

at

             

org.apache.airavata.gfac.handler.GramDirectorySetupHandler.invoke(GramDirectorySetupHandler.java:80)

       

at
org.apache.airavata.gfac.GFacAPI.invokeInFlowHandlers(GFacAPI.java:132)
at org.apache.airavata.gfac.GFacAPI.schedule(GFacAPI.java:63)
at org.apache.airavata.gfac.GFacAPI.submitJob(GFacAPI.java:53)
at

             

org.apache.airavata.xbaya.invoker.EmbeddedGFacInvoker.invoke(EmbeddedGFacInvoker.java:334)

       

at

             

org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.handleWSComponent(WorkflowInterpreter.java:710)

       

at

             

org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.executeDynamically(WorkflowInterpreter.java:530)

       

at

             

org.apache.airavata.xbaya.interpretor.WorkflowInterpreter.access$000(WorkflowInterpreter.java:89)

       

at

             

org.apache.airavata.xbaya.interpretor.WorkflowInterpreter$1.run(WorkflowInterpreter.java:197)

       

In�*org.apache.airavata.gfac.utils.MyProxyManager*�I have
             

following

       

code;

X509Certificate[] certificates = new X509Certificate[1];
certificates[0] = <certificate from oa4mp>


GlobusCredential newCredential = new GlobusCredential(<privateKey
from oa4mp>,
ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ ďż˝ certificates);

return new GlobusGSSCredentialImpl(newCredential,
� � � � � � �GSSCredential.INITIATE_AND_ACCEPT);


I debugged and confirmed that the assetResponse returned by OA4MP
server has "*sun.security.x509.X509CertImpl" *object type.

What am I doing wrong here ?
Any help to resolve this issue is appreciated.

Thanks in advance.
Regards,
Amilaďż˝

--
You received this message because you are subscribed to the Google
             

Groups

       

"science gateway security discussion" group.
To unsubscribe from this group and stop receiving emails from it,
             

send an

       

email to discuss+u...@sciencegatewaysecurity.org 
<http://sciencegatewaysecurity.org>.
Visit this group at

             

http://groups.google.com/a/sciencegatewaysecurity.org/group/discuss/?hl=en-US

       

.
ďż˝
ďż˝


--
             

You received this message because you are subscribed to the Google
           

Groups

       

"science gateway security discussion" group.
To unsubscribe from this group and stop receiving emails from it,
           

send an

       

email to discuss+u...@sciencegatewaysecurity.org <javascript:>.
Visit this group at
http://groups.google.com/a/sciencegatewaysecurity.org/group/discuss/.



           

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSTBUTAAoJEOEgD2XReDo5zskH/jebarHRrjMG2XBCB43PEH0A
2MY+zfrS1YieGGeFggRUV1j10iirn2doDPtvIfek1P8hXWbzHd7AAX0vMwvaVi+4
05J0Ydj3a+wGObGqd3h6rYmr535jmkWvgL7NhnSqvQfYbAi/0SxrUjW8fTadFNvg
d139jrKsmYEpnRg2gWxERfi1jqQoJw1ZrXgbvytoL7+nXNC4/z6YoEQy8EwwG3LC
oW6H480imcQGQOlCnW1ZrOIz8M2RecR/rvlt+0Cic1565e0GyzkUReHCnSgOPU5v
hi9+ZguHPl6oEFfwn+3BpoAhD/2+1evqzefm9rw2Bs9G2OiooqFKfmHFvzjVYQA=
=d026
-----END PGP SIGNATURE-----

--
You received this message because you are subscribed to the Google Groups "science 
gateway security discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to discuss+unsubscr...@sciencegatewaysecurity.org.
Visit this group at 
http://groups.google.com/a/sciencegatewaysecurity.org/group/discuss/.