Yes, it looks like you need a new certificate with CA:FALSE. The magic depends on the software your CA uses.

Howard Lander wrote:
Ah, very helpful ...

I didn't know about grid-cert-info but I was just reading

http://www.globus.org/cog/distribution/1.1/api/org/globus/gsi/bc/BouncyCastleUtil.html#getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure)

and was guessing that somehow my "certificate contains a BasicConstraints extension and it is marked as CA." when your email arrived.

Looking at the output of grid-cert-info, I do indeed see

           X509v3 Basic Constraints:
               CA:TRUE

How do I get rid of this? Do I need to ask my sysadm to generate a new cert for me? If so, is there some magic he needs to use?

Thanks much.
Howard

Jim Basney wrote:
OK, digging a little deeper, I see this error indicates a proxy certificate signed by a CA certificate. When you run grid-cert-info, does the output for your certificate contain the following?

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE

It should.

Or is your user certificate in /etc/grid-security/certificates? (I would not expect it to be.)

Is there any difference between the CA of your previous certificate and the CA of your new certificate?

I'm trying to think of a reason the Java ProxyPathValidator code would classify your user certificate (which signed the proxy certificate) as a CA certificate.

Howard Lander wrote:
Jim

Thanks for the response.
We should have mentioned that we had tried all of the settings of GT_PROXY_MODE we know of (none, old and rfc). I just tried again with GT_PROXY_MODE=old and got the same application failure.

For reference here is the result of a grid-proxy-info

$ grid-proxy-info
subject  : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy/CN=proxy
issuer   : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy
identity : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
type     : full legacy globus proxy
strength : 1024 bits
path     : /tmp/x509up_u1014
timeleft : 11:59:52

Looks reasonable enough to me, but I clearly don't know what to look for, or I'd have fixed this by now! :)

Any thoughts?

Thanks
Howard

Jim Basney wrote:
Steve,

Just a guess... Maybe the new proxy in the myproxy-server is of a different "type" than the old one (http://dev.globus.org/wiki/Security/ProxyCertTypes), and some software in your software stack isn't upgraded to handle that new proxy type. You may want to have Howard try setting GT_PROXY_MODE="old" in his environment and running myproxy-init again. This will store a "legacy globus proxy" in the MyProxy repository. (You can verify the proxy type by running myproxy-get-delegation then grid-proxy-info.) If that fixes the problem, you may want to investigate to see what software needs to be updated to work with the new proxy types. If not, maybe someone else on the list will have a better suggestion...

-Jim

Steve Thorpe wrote:
Hello Globus and CoG Friends,

Have been struggling with my colleague Howard Lander from RENCI since yesterday on a Globus proxy related problem. We've had a functioning workflow for a couple years now, that sends globus jobs out to various sites on the grid.

The other day Howard's credential expired, so he got it upgraded and uploaded it to the myproxy server the system uses. Success of this process was confirmed from the command line to the remote resources, by using myproxy-get-delegation then globus-job-run and globus-url-copy.

Next we tried submitting from our Java-based system that uses GRAM to run remote jobs, after first retrieving the proxy from the MyProxy server. Although the command-line tests run remote jobs just fine, from the Java system we're suddenly getting "Defective Credential Detected" Exceptions, as in:

[java] 11:13:58 Apr 29 2008 ERROR [Thread-10] (GassServer.java:427) - Error writing response: Authentication failed [Caused by: Defective credential detected [Caused by: CA certificate cannot sign Proxy Certificate]]

(See below for a stack trace if you're interested in the gory details).

This is frustrating the heck out of us, as things were working fine for so long, and in fact still work fine from the command line. Wonder if anyone might possibly have any suggestions?

Many thanks,

Steve



     [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Running scoops.itsc.uah.edu:/state/partition1/home/thorpe/estimateNumFreeCPUsUAH_cluster.sh with non-null cred
     [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Cred name: /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
     [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Remaining lifetime: 43199
     [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - GASS URL: https://152.54.1.70:40000
     [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Writing proxy file: /tmp/x509up_u200
     [java] 11:13:53 Apr 29 2008 INFO [main] (?:?) - Sending job request to: scoops.itsc.uah.edu
     [java] 11:13:53 Apr 29 2008 INFO [main] (?:?) - with non-null credential
     [java] 11:13:53 Apr 29 2008 ERROR [Thread-4] (GassServer.java:427) - Error writing response: Authentication failed [Caused by: Defective credential detected [Caused by: CA certificate cannot sign Proxy Certificate]]
     [java] Authentication failed
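
The check this thread converges on, as an added example that is not part of any message above: read the text dump that grid-cert-info (or `openssl x509 -noout -text`) prints and report whether the certificate is marked as a CA. The function names are hypothetical, and the two sample dumps are constructed from the fragments quoted in the thread.

```sh
# Added example: classify a certificate from the text that grid-cert-info
# (or `openssl x509 -noout -text`) prints, read on stdin.
# Function names are hypothetical; the sample dumps are constructed from
# the Basic Constraints fragments quoted in the thread.

# Prints "ca", "end-entity" or "no-basic-constraints".
basic_constraints_kind() {
    awk '
        /X509v3 Basic Constraints/ { hdr = 1; next }   # extension header
        hdr && /CA:TRUE/  { kind = "ca"; exit }         # value line follows it
        hdr && /CA:FALSE/ { kind = "end-entity"; exit }
        { hdr = 0 }                                     # any other line resets
        END { print (kind == "" ? "no-basic-constraints" : kind) }
    '
}

# Exit status 0 when the certificate is not marked as a CA. A certificate
# marked CA:TRUE that signs a proxy is the condition the thread ties to
# "CA certificate cannot sign Proxy Certificate".
may_sign_proxy() {
    [ "$(basic_constraints_kind)" != "ca" ]
}

# Constructed sample: what Howard reported seeing.
howard_cert='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE'

# Constructed sample: what Jim said the output should contain.
expected_cert='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE'

for name in howard_cert expected_cert; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | may_sign_proxy; then
        echo "$name: not marked as a CA, usable as a proxy issuer"
    else
        echo "$name: marked CA:TRUE, needs reissuing with CA:FALSE"
    fi
done
```

Against a real certificate, pipe the tool's output into the function, for example `grid-cert-info | basic_constraints_kind`.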
