Yep, that appears to be the case.
I've already asked for this.
Thanks again for your help, energy and interest.
Howard
Jim Basney wrote:
Yes, it looks like you need a new certificate with CA:FALSE. The
magic depends on the software your CA uses.
Howard Lander wrote:
Ah, very helpful ...
I didn't know about grid-cert-info but I was just reading
http://www.globus.org/cog/distribution/1.1/api/org/globus/gsi/bc/BouncyCastleUtil.html#getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure)
and was guessing that somehow my "certificate contains a
BasicConstraints extension and it is marked as CA." when your email
arrived.
Looking at the output of grid-cert-info, I do indeed see
    X509v3 Basic Constraints:
        CA:TRUE
How do I get rid of this? Do I need to ask my sysadm to generate a
new cert for me? If so, is there some magic he needs to use?
Thanks much.
Howard
Jim Basney wrote:
OK, digging a little deeper, I see this error indicates a proxy
certificate signed by a CA certificate. When you run
grid-cert-info, does the output for your certificate contain the
following?
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
It should.
Or is your user certificate in /etc/grid-security/certificates? (I
would not expect it to be.)
Is there any difference between the CA of your previous certificate
and the CA of your new certificate?
I'm trying to think of a reason the Java ProxyPathValidator code
would classify your user certificate (which signed the proxy
certificate) as a CA certificate.
Howard Lander wrote:
Jim
Thanks for the response.
We should have mentioned that we had tried all of the settings of
GT_PROXY_MODE we know of (none, old and rfc). I just tried again
with GT_PROXY_MODE=old and got the same application failure.
For reference, here is the result of a grid-proxy-info:
    $ grid-proxy-info
    subject  : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy/CN=proxy
    issuer   : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander/CN=proxy/CN=proxy
    identity : /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
    type     : full legacy globus proxy
    strength : 1024 bits
    path     : /tmp/x509up_u1014
    timeleft : 11:59:52
Looks reasonable enough to me, but I clearly don't know what to
look for, or I'd have fixed this by now! :)
Any thoughts?
Thanks
Howard
Jim Basney wrote:
Steve,
Just a guess... Maybe the new proxy in the myproxy-server is of a
different "type" than the old one
(http://dev.globus.org/wiki/Security/ProxyCertTypes), and some
software in your software stack isn't upgraded to handle that new
proxy type. You may want to have Howard try setting
GT_PROXY_MODE="old" in his environment and running myproxy-init
again. This will store a "legacy globus proxy" in the MyProxy
repository. (You can verify the proxy type by running
myproxy-get-delegation then grid-proxy-info.) If that fixes the
problem, you may want to investigate to see what software needs to
be updated to work with the new proxy types. If not, maybe
someone else on the list will have a better suggestion...
-Jim
Steve Thorpe wrote:
Hello Globus and CoG Friends,
Have been struggling with my colleague Howard Lander from RENCI
since yesterday on a Globus proxy related problem. We've had a
functioning workflow for a couple years now, that sends globus
jobs out to various sites on the grid.
The other day Howard's credential expired, so he got it upgraded
and uploaded it to the myproxy server the system uses. Success
of this process was confirmed from the command line to the remote
resources, by using myproxy-get-delegation then globus-job-run
and globus-url-copy.
Next we tried submitting from our Java-based system that uses
GRAM to run remote jobs, after first retrieving the proxy from
the MyProxy server. Although the command-line tests run remote
jobs just fine, from the Java system we're suddenly getting
"Defective Credential Detected" Exceptions, as in:
    [java] 11:13:58 Apr 29 2008 ERROR [Thread-10] (GassServer.java:427) - Error writing response: Authentication failed [Caused by: Defective credential detected [Caused by: CA certificate cannot sign Proxy Certificate]]
(See below for a stack trace if you're interested in the gory
details).
This is frustrating the heck out of us, as things were working
fine for so long, and in fact still work fine from the command
line. Wonder if anyone might possibly have any suggestions?
Many thanks,
Steve
    [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Running scoops.itsc.uah.edu:/state/partition1/home/thorpe/estimateNumFreeCPUsUAH_cluster.sh with non-null cred
    [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Cred name: /O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander
    [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Remaining lifetime: 43199
    [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - GASS URL: https://152.54.1.70:40000
    [java] 11:13:52 Apr 29 2008 INFO [main] (?:?) - Writing proxy file: /tmp/x509up_u200
    [java] 11:13:53 Apr 29 2008 INFO [main] (?:?) - Sending job request to: scoops.itsc.uah.edu
    [java] 11:13:53 Apr 29 2008 INFO [main] (?:?) - with non-null credential
    [java] 11:13:53 Apr 29 2008 ERROR [Thread-4] (GassServer.java:427) - Error writing response: Authentication failed [Caused by: Defective credential detected [Caused by: CA certificate cannot sign Proxy Certificate]]
    [java] Authentication failed
--
Howard Lander <mailto:[EMAIL PROTECTED]>
Senior Research Software Developer
Renaissance Computing Institute <http://www.renci.org>
The University of North Carolina at Chapel Hill
Duke University
North Carolina State University
100 Europa Drive
Suite 540
Chapel Hill, NC 27517
919-445-9651
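
Added example, not part of the original thread or of the Globus/CoG code: a small pre-flight check that reads text in the form grid-cert-info and grid-proxy-info print and flags a user certificate marked CA:TRUE before it is used to sign a proxy. The function names are hypothetical, the sample inputs are constructed from the lines quoted above, and treating a missing Basic Constraints extension as "not a CA" is an assumption.

```python
import re

# Constructed samples, modelled on the output quoted in the thread.
CERT_INFO_BAD = """\
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:TRUE
"""
CERT_INFO_GOOD = """\
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
"""
PROXY_SUBJECT = ("/O=RENCI/OU=Globus/OU=renci.org/CN=Howard Lander"
                 "/CN=proxy/CN=proxy/CN=proxy")

# Legacy Globus proxies append one of these components per delegation step.
LEGACY_PROXY_CNS = {"CN=proxy", "CN=limited proxy"}

_BC = re.compile(
    r"X509v3 Basic Constraints:[ \t]*(critical)?[ \t]*\r?\n[ \t]*CA:(TRUE|FALSE)")


def basic_constraints(cert_text):
    """Return (present, critical, is_ca) parsed from the certificate text."""
    m = _BC.search(cert_text)
    if m is None:
        return (False, False, False)  # assumption: absent means not a CA
    return (True, m.group(1) is not None, m.group(2) == "TRUE")


def may_sign_proxy(cert_text):
    """A certificate marked CA:TRUE must not be the issuer of a proxy."""
    return not basic_constraints(cert_text)[2]


def split_legacy_proxy(subject):
    """Strip trailing legacy proxy components; return (identity, depth)."""
    parts = subject.split("/")
    depth = 0
    while parts and parts[-1] in LEGACY_PROXY_CNS:
        parts.pop()
        depth += 1
    return ("/".join(parts), depth)


if __name__ == "__main__":
    identity, depth = split_legacy_proxy(PROXY_SUBJECT)
    print(f"identity={identity} proxy depth={depth}")
    for name, text in (("bad", CERT_INFO_BAD), ("good", CERT_INFO_GOOD)):
        verdict = "ok" if may_sign_proxy(text) else "CA:TRUE, validator will reject proxy"
        print(f"{name}: {verdict}")
```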