On Sep 12, 2007, at 9:53 AM, Fabian Lueghausen wrote:

The grid-proxy-init on client side is okay:

Okay. Can you "ls /home/fabian/globus-4.0.5/etc/grid-security/certificates" for me?

The CA I'm using on client side is the same CA installed on server
side.

Can you run grid-proxy-init -verify -debug on the server, and ls the Trusted CA directory on that machine?

It sounds like your server is using one CA, and your client another. The client trusts itself, so the -verify -debug works. It doesn't trust the one in use by the server, so it fails. When you run it on the server itself, you're getting the server's trusted CA set, so it works again.

You can fix this by checking all of your certs (usercert, hostcert, containercert) with openssl x509 -issuer and replacing whichever ones are using the CA from (*) in your counter-client example. Or you can just add the server's CA to your client's certificates directory so your client will trust it.


Charles

When I try to invoke the CounterService I get this (client on my local
machine):

        [EMAIL PROTECTED] ~]$ counter-client -s
        https://ingrid:9000/wsrf/services/CounterService

        Error: ; nested exception is:
                org.globus.common.ChainedIOException: Authentication
        failed [Causedby: Failure unspecified at GSS-API level [Caused
        by: Bad certificate (The signature of
        'O=Grid,OU=GlobusTest,OU=simpleCA-
        ingrid.scai.fraunhofer.de,CN=host/ingrid.scai.fraunhofer.de'
        certificate does not match its issuer)]]  (*)

But the CA I'm using is a different one:

        [EMAIL PROTECTED] ~]$ grid-proxy-info
        subject  : /O=Grid/OU=GlobusTest/OU=simpleCA-
        mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=Fabian
        Lueghausen/CN=1719743474
        issuer   : /O=Grid/OU=GlobusTest/OU=simpleCA-
        mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=Fabian
        Lueghausen
        (**)
        identity : /O=Grid/OU=GlobusTest/OU=simpleCA-
        mertens.scai.fraunhofer.de/OU=scai.fraunhofer.de/CN=Fabian
        Lueghausen
        type     : Proxy draft (pre-RFC) compliant impersonation proxy
        strength : 512 bits
        path     : /tmp/x509up_u4106
        timeleft : 11:54:12

But executing the CounterClient on the server side results in this:

        [EMAIL PROTECTED] SafetyHelloWorld]# counter-client -s
        https://ingrid:9000/wsrf/services/CounterService
        Got notification with value: 3
        Counter has value: 3
        Got notification with value: 13

Now I'm wondering about the certificate marked with (*). Don't know why
my client is using this certificate. And where this certificate comes
from, because my current certificate (**) is a newer one and it's also
the only certificate installed on my machine.


Thanks for your suggestion !!

Fabian



On Wednesday, 12.09.2007, at 09:32 -0500, Charles Bacon wrote:
What happens from the client machine if you "grid-proxy-init -verify
-debug"?  The client doesn't usually bother to verify its own proxy,
this will check the results against the installed certificates.

You are using the same CA on both the client and server, right?


Charles

On Sep 12, 2007, at 6:51 AM, Fabian Lueghausen wrote:

Hello !

I have a big problem with my CA.
I wrote a simple hello world service and deployed it into a service
container.
Then I tried to invoke this service with my client using transport
layer security.

But the result was not very satisfying. The client is not able to
find my CA although I made a valid grid-proxy-init.


++++ Client side: ++++

[EMAIL PROTECTED] SafetyHelloWorld]$ ant runClient
Buildfile: build.xml

setGlobus:

checkGlobus:
     [echo] Globus: /home/fabian/globus-4.0.5

defineClasspaths:

runClient:
     [echo] Connecting to service:
https://ingrid:9000/wsrf/services/mpcci/SafetyHelloWorld
     [java] JVM args ignored when same JVM is used.
     [java] Running the Grid Service Client
     [java] AxisFault
     [java]  faultCode:
{http://schemas.xmlsoap.org/soap/envelope/}Server.userException
     [java]  faultSubcode:
     [java]  faultString: org.globus.common.ChainedIOException:
Authentication failed [Caused by: Failure unspecified at GSS-API level
[Caused by: Unknown CA]]
     [java]  faultActor:
     [java]  faultNode:
     [java]  faultDetail:
[java] {http://xml.apache.org/axis/} stackTrace:Authentication
failed. Caused by Failure unspecified at GSS-API level. Caused by
COM.claymoresystems.ptls.SSLThrewAlertException: Unknown CA
     [java]     at COM.claymoresystems.ptls.SSLConn.alert
(SSLConn.java:235)
     [java]     at
COM.claymoresystems.ptls.SSLHandshake.recvCertificate
(SSLHandshake.java:304)
     [java]     at
COM.claymoresystems.ptls.SSLHandshakeClient.processTokens
(SSLHandshakeClient.java:128)
     [java]     at
COM.claymoresystems.ptls.SSLHandshake.processHandshake
(SSLHandshake.java:135)
     [java]     at
org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext
(GlobusGSSContextImpl.java:483)
     [java]     at
org.globus.gsi.gssapi.net.GssSocket.authenticateClient
(GssSocket.java:102)
[java] at org.globus.gsi.gssapi.net.GssSocket.startHandshake
(GssSocket.java:140)
[java] at org.globus.gsi.gssapi.net.GssSocket.getOutputStream
(GssSocket.java:161)
     [java]     at
org.apache.axis.transport.http.HTTPSender.writeToSocket
(HTTPSender.java:433)
     [java]     at org.apache.axis.transport.http.HTTPSender.invoke
(HTTPSender.java:135)
[java] at org.apache.axis.strategies.InvocationStrategy.visit
(InvocationStrategy.java:32)
     [java]     at org.apache.axis.SimpleChain.doVisiting
(SimpleChain.java:118)
     [java]     at org.apache.axis.SimpleChain.invoke
(SimpleChain.java:83)
     [java]     at org.apache.axis.client.AxisClient.invoke
(AxisClient.java:165)
     [java]     at org.apache.axis.client.Call.invokeEngine
(Call.java:2727)
     [java]     at org.apache.axis.client.Call.invoke(Call.java:2710)
     [java]     at org.apache.axis.client.Call.invoke(Call.java:2386)
     [java]     at org.apache.axis.client.Call.invoke(Call.java:2309)
     [java]     at org.apache.axis.client.Call.invoke(Call.java:1766)
     [java]     at
de.fhg.scai.mpcci.stubs.bindings.SafetyHelloWorldPortTypeSOAPBindingStub.getServiceSecurityMetadata
(SafetyHelloWorldPortTypeSOAPBindingStub.java:722)
     [java]     at

(.......)


++++ Server side: ++++

2007-09-12 12:55:10,139 ERROR container.GSIServiceThread
[ServiceThread-14,process:145] Error processing request
java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:168)
        at org.globus.gsi.gssapi.SSLUtil.read(SSLUtil.java:37)
at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readToken
(GSIGssInputStream.java:64)
        at
org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken
(GSIGssInputStream.java:54)
        at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken
(GSIGssSocket.java:60)
        at org.globus.gsi.gssapi.net.GssSocket.authenticateServer
(GssSocket.java:122)
        at org.globus.gsi.gssapi.net.GssSocket.startHandshake
(GssSocket.java:142)
        at org.globus.gsi.gssapi.net.GssSocket.getOutputStream
(GssSocket.java:161)
        at org.globus.wsrf.container.GSIServiceThread.process
(GSIServiceThread.java:102)
        at org.globus.wsrf.container.ServiceThread.run
(ServiceThread.java:302)


++++ ++++ ++++




The curious thing is that it works when I'm just executing the client
on the same machine the server runs on. (*) But not when I'm running
the client on my local machine.
Perhaps the cause is related to the fact that I installed my CA as
root at the server and as non-root at my local machine? This is what
I guess.

Hope that you can help me??

Best greets from St. Augustin,

  Fabian



_______________________________
*)
  [EMAIL PROTECTED] SafetyHelloWorld]# ant runClient
  Buildfile: build.xml

  setGlobus:

  checkGlobus:
       [echo] Globus: /usr/local/globus-4.0.3

  defineClasspaths:

  runClient:
         [echo] Connecting to service:
https://ingrid:9000/wsrf/services/mpcci/S
       [java] JVM args ignored when same JVM is used.
       [java] Running the Grid Service Client

       [java] Hello Alice.
       [java] I recently read your message: "How are you?"
       [java] Yours Bob.
       [java] Zeit: 13:3

  BUILD SUCCESSFUL
  Total time: 12 seconds
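
The check suggested in the reply at the top of this thread (compare a certificate's issuer with the CAs present in the trusted certificates directory), as an added example that is not part of the original messages. The function names, file names and certificate subjects are constructed; it assumes the directory stores each CA as `<subject hash>.0` and that the hashes were produced by OpenSSL 1.0 or later.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All subjects and file names are constructed.

# check_trust CERT CADIR
#   0 = issuer CA is in CADIR and the certificate verifies against it
#   1 = no <issuer_hash>.0 file in CADIR (issuer CA is not trusted here)
#   2 = a CA file with that hash exists but "openssl verify" still fails
check_trust() {
    local cert="$1" cadir="$2" hash
    hash=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 3
    openssl x509 -in "$cert" -noout -issuer
    if [ ! -f "$cadir/$hash.0" ]; then
        echo "  no $hash.0 in $cadir: issuer CA is not trusted here"
        return 1
    fi
    openssl verify -CApath "$cadir" "$cert" >/dev/null 2>&1 || return 2
    echo "  verifies against $cadir"
}

# install_ca CA_PEM CADIR: copy a CA certificate in under its subject-hash name.
install_ca() {
    cp "$1" "$2/$(openssl x509 -in "$1" -noout -hash).0"
}

# make_demo DIR: constructed fixtures. Two simpleCA-style CAs, a host
# certificate issued by the "server" CA, and a client trust directory that
# holds only the "client" CA.
make_demo() {
    local d="$1" n
    mkdir -p "$d/client-certificates"
    for n in client server; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Grid/OU=GlobusTest/OU=simpleCA-$n.example/CN=Globus Simple CA" \
            -keyout "$d/ca-$n.key" -out "$d/ca-$n.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
        -subj "/O=Grid/OU=GlobusTest/OU=simpleCA-server.example/CN=server.example" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca-server.pem" -CAkey "$d/ca-server.key" \
        -CAcreateserial -days 1 -out "$d/hostcert.pem" 2>/dev/null
    install_ca "$d/ca-client.pem" "$d/client-certificates"
}

demo=$(mktemp -d) && make_demo "$demo"
# Client trusts only its own CA: the server's host certificate is rejected.
check_trust "$demo/hostcert.pem" "$demo/client-certificates" || echo "  -> exit $?"
# After adding the server's CA to the client's directory, it verifies.
install_ca "$demo/ca-server.pem" "$demo/client-certificates"
check_trust "$demo/hostcert.pem" "$demo/client-certificates" && echo "  -> exit 0"
```

Run `check_trust` on usercert, hostcert and containercert against the certificates directory of each machine; a result of 1 on one machine and 0 on the other points to differing trusted CA sets.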






